When criminals try to attack systems, there are typically signals that financial institutions (FIs) can use to weed them out. But how do companies stop—or even detect—fraud when the person sending the funds has authorized the transaction?
That’s the case with APP fraud, where fraudsters manipulate their victims—through social engineering and other forms of deception—to send them funds.
Below, we dig into what this form of fraud is, how it works, common types, and how organizations can combat the different methods criminals will use.
What is Authorized Push Payment (APP) Fraud?
Authorized Push Payment (APP) fraud occurs when a victim is persuaded, through a social engineering scam, to transfer money to an account the fraudster controls. Typically the fraudster impersonates a legitimate person or institution (a bank, a supplier, a government agency, a relative) to lend the request credibility.
Most APP fraud attempts use real-time payment systems, because those payments settle instantly and cannot be recalled. The criminal gets immediate access to the funds, and neither the victim nor the financial institution can reverse the transfer. Worse, the payment was genuinely authorized by the account holder, so the signals that normally flag an unauthorized transaction (stolen credentials, an unfamiliar device) are absent. That makes APP fraud very difficult to detect, let alone prevent.
How Does Authorized Push Payment (APP) Fraud Work?
In short, a fraudster tricks a victim into authorizing a payment to what appears to be a legitimate person or entity for what appears to be a legitimate reason. The victim does not realize they have been socially engineered into sending the funds.
While APP fraud can be conducted in a variety of nuanced ways, the basics are typically the same:
- The fraudster investigates their victim to find personal details or information that they can use in their scam.
- The fraudster reaches out to the victim and requests a payment—misrepresenting who they really are, the nature of the payment, and even impersonating other individuals or entities.
- The victim authorizes the payment, often initiating the payment themselves.
- The fraudster receives the payment—which is irreversible.
- The fraudster typically then moves the money out of the account so it can’t be recovered by the victim or FI after investigation.
In almost every case the criminal misrepresents who they are and what the payment is for, and often impersonates a specific individual or organization, using details gathered through phishing or other reconnaissance to make the impersonation convincing. Some form of social engineering is always involved.
This can be done with direct, brief attacks (like phishing) or with elaborate, long-running social engineering (like romance scams). For example, a fraudster could impersonate a financial institution and send bulk phishing emails claiming the recipient owes a banking fee that must be paid urgently via the link provided. These require little time investment from the fraudster and rely on a small fraction of recipients engaging with the request. Other schemes, such as romance scams, are more elaborate: the fraudster builds a personal relationship with the victim over months, then exploits that trust to carry out APP fraud.
Fraudsters often employ a sense of necessity in their requests—they make the victim believe they absolutely need the money they are requesting, and could even claim that it’s the difference between life and death. This motivates the victim to actually make the payment, as they believe the fraudster is in need.
Fraudsters also create a sense of urgency to give their victims little time to think through or deliberate on the payment. The hope is that the victim will make the payment without really considering or checking the authenticity of the request. Criminals do this in a number of different ways, from creating sympathy to scaring victims.
They could claim they need the funds for a medical procedure, drawing on the victim's sympathy; or they could claim to be a law enforcement or tax agency recovering unpaid taxes, threatening legal action if the victim does not pay. Either way, the aim is to create urgency and leave the victim little time to think through the decision. This makes victims more likely to comply, and it also gets the funds into the fraudster's hands faster.
Types of Authorized Push Payment Scams
There are a myriad of ways that fraudsters can actually conduct these scams, all of which involve misrepresentation—or outright impersonation—to trick the victim. Let’s look at specific types of authorized push payment fraud scams that criminals conduct, as well as how to detect and prevent each method.
Invoice Fraud
In invoice fraud, the victim is tricked into paying a fraudulent invoice. Through a combination of social engineering, impersonation, and falsified documentation, fraudsters convince the victim to pay a seemingly legitimate invoice.
For individuals, these often target regular payments like electricity, gas, internet, or cable services. For businesses, this can involve single invoices, but it can also mean having the business change their payee in their systems—resulting in continuous payments being made to a fraudster.
How to Detect and Prevent Invoice Scams:
Unfortunately, fraudsters are exceedingly talented at performing invoice fraud, falsifying documents that are often very difficult to distinguish from legitimate ones. As customers authorize the payments, some responsibility falls on them to verify their payees. Financial institutions should do everything they can to educate customers about how they can safeguard against APP fraud attacks.
FIs themselves should be careful about which payees they allow customers to set up in their systems. Verifying a new payee before the first payment goes out, and treating a change to an existing payee's account details as a high-risk event rather than a routine update, stops many invoice scams before funds move. Transaction monitoring and KYC checks remain the essential tools for confirming that a transaction, and the payee themselves, are legitimate.
Romance Fraud
In romance fraud, fraudsters cultivate fake romantic relationships and exploit the personal connection they build with their victims to extract cash and other valuables.
Most romance scams end with some form of APP fraud. Although the fraudster could request other valuables, they usually ask for money as authorized push payments. In almost all romance schemes, the fraudster impersonates someone else and uses social engineering to gain the victim's trust and sympathy. Once they believe the relationship is strong enough, they request real-time payments from the victim.
How to Detect and Prevent Romance Scams:
A major difficulty here is that the victim has authorized the payment and their other account activity looks normal, so there is no login or device anomaly to catch. Institutions need to home in on the transactions themselves and look for abnormalities: a first payment to a new individual, an amount well above what the customer usually sends, a series of escalating transfers to the same recipient. They also need the customer's previous transaction and account activity to judge when a payment falls outside the norm. Major changes in behavior should be flagged and investigated before the scam continues and escalates.
Personal Relationship Scam
In a scheme very similar to romance scams, fraudsters impersonate a family member or friend of the victim, requesting money via a push payment.
To perform this, the fraudster typically has to have personal information about their victim, so they can pose as a relative or acquaintance. This information itself is often acquired through other forms of fraud and crime, such as phishing, hacking, or the black market. As with romance scams, fraudsters typically impart a sense of urgency to convince the victim the payment is vital and needs to be sent quickly.
How to Detect and Prevent Personal Relationship Scams:
For victims, the biggest step is to verify that the requester is who they claim to be before making a payment, ideally through an independent channel (for example, calling the relative back on a number already known to be theirs rather than one supplied in the request). Financial institutions should apply the same detection and prevention methods as for romance fraud: use both transaction and activity monitoring to identify abnormalities in payment and user behavior, and flag suspicious activity for review.
Property Funds Scam
In property fund scams, victims are tricked into paying costs associated with property purchases to a fraudster. The funds associated with real estate deals are undoubtedly significant, and this fraud results in serious repercussions for victims.
To infiltrate this exchange, fraudsters typically need details of the sale, usually obtained by intercepting communications between the buyer, seller, real estate agent, or financial institution. They then use false documentation, impersonation, and social engineering to convince the victim that the payee details for the purchase have changed. The victim sends the funds to the fraudster's account, and the fraudster makes off with the money.
How to Detect and Prevent Property Fund Scams:
The difficulty here is that the customer authorizes the payment, making it hard for FIs to stop the fraud from happening. Each time an FI denies this request, they risk preventing a legitimate customer from conducting business—so they want to be sure it’s fraudulent before intervening. Unfortunately, this leaves customers largely responsible for protecting themselves against APP fraud.
As an FI, it is essential to tell customers how to check the legitimacy of their payments and authenticate their payees, particularly that a change of payee details for a large purchase should be confirmed with the other party through a channel that was not part of the original message. Organizations themselves should perform transaction monitoring and some form of KYC verification to insulate customers from these threats. This is not foolproof, but these validations help institutions flag transactions involving suspicious individuals or entities before the payment is processed.
Account Takeover Fraud
In account takeover (ATO) fraud, criminals gain direct access to the victim's account, and then exploit this access to commit fraudulent activity.
In the case of APP fraud, they use that control to initiate push payments from the victim's own account, so the payment looks authorized to the FI even though the account holder never approved it. This removes the need to socially engineer the victim into making the payment themselves, which is often the most difficult and time-consuming part of APP fraud.
How to Detect and Prevent Account Takeovers:
Although this variant does not rely on persuading the victim to send the payment, it still involves impersonation, which makes identity verification extremely important. These checks should be performed not just at onboarding but at high-risk moments: a login from a new device, a new payee being added, a change to contact details, or a payment that is large for that customer. Stepping up authentication at those points catches a takeover before the funds leave.
But this isn’t enough to actually detect all instances of account takeover fraud, and especially not in a timely manner. Use as many signals as possible to understand if a user’s account has been compromised—check for changes in transaction patterns or to the user's account (such as passwords, address details, or contact information).
Home Renovation or Contracting Scam
A home renovation or contracting scam is essentially a more complicated spin on an invoice scam, in which the victim is tricked into paying the costs of the renovation to the fraudster instead of the legitimate contractor.
Fraudsters use phishing and other investigative methods to find information on home renovations taking place. Once they acquire enough information on a job, they infiltrate the deal, submitting their own invoice to the homeowner, posing as the legitimate contractor. Once the victim pays the invoice, the fraudster disappears with the payment. The fraud isn’t discovered until the victim receives the legitimate invoice from the legitimate contractor.
How to Detect and Prevent Contractor Scams:
As this is essentially a version of invoice fraud, many of the same prevention and detection techniques apply here. Review payees diligently before listing them for customers. Monitor transactions and user activity to identify changes in behavior that could signal fraudulent activity—allowing you to catch it and stop it.
Learn How to Detect and Prevent APP Fraud with Unit21
Given the nature of authorized push payment fraud—and the fact that these payments are, in fact, authorized by the payers—it’s one of the hardest types of fraud to detect and prevent.
Customer onboarding is one of the first tools to use, as it allows companies to verify the identities of their customers. In many ways this is the first preventative measure against criminals exploiting your business to commit fraud. But onboarding checks only help when the fraudster, or the mule account receiving the funds, is on your platform, and criminals can sidestep them with tactics like ATO fraud. Onboarding cannot be the only control you rely on to prevent APP fraud.
Transaction monitoring is going to be a vital tool in the detection and prevention of APP fraud—after all, we are talking about payments here. Being able to identify suspicious activity by screening individual transactions for signals will be essential for stopping instances from occurring. Analyzing previous transaction patterns will allow teams to more readily identify when suspicious behavior is occurring.
Beyond this, event and activity monitoring can provide even more signals to guide decision-making about fraudulent activity. Since APP fraud offers so few signals to FIs, any additional identifiers are essential in effectively combating it. With activity monitoring, risk teams can flag when behavior falls outside typical patterns for that particular user, and immediately follow up—either escalating the case for investigation or halting the transaction.
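As an added example, not Unit21's product logic or any rule set from this page, the Python below combines the signals the detection sections above describe into one rule-based score for a single real-time payment: first payment to a new payee, a known payee name paired with a different account (invoice redirection), an amount far outside the customer's own history, a password or contact change shortly before the payment, and a payee added and paid within the hour. Rule weights, thresholds, account identifiers and the sample history are constructed for illustration.

```python
"""Rule-based scoring of a real-time push payment against a customer's history.

Added illustration only: not Unit21 code or a production rule set. Weights,
thresholds and sample data are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Payment:
    ts: datetime
    payee_name: str
    payee_account: str   # identifier of the account the funds are pushed to
    amount: float


@dataclass
class AccountEvent:
    ts: datetime
    kind: str            # e.g. "password_change", "phone_change", "payee_added"


def score_payment(p: Payment, history: list[Payment], events: list[AccountEvent]) -> dict:
    """Return a risk score, the signals that fired, and a suggested action.

    No single rule proves fraud; the point is to pick out the payments worth a
    hold or a step-up check before the funds become unrecoverable.
    """
    score, reasons = 0, []
    known_accounts = {h.payee_account for h in history}
    accounts_by_name: dict[str, set[str]] = {}
    for h in history:
        accounts_by_name.setdefault(h.payee_name, set()).add(h.payee_account)

    # 1. First payment to this account: every APP scam starts with a new payee.
    if p.payee_account not in known_accounts:
        score += 30
        reasons.append("new_payee")

    # 2. Invoice redirection: a payee name paid before, but now a different
    #    account (invoice, property and contractor scams).
    if p.payee_name in accounts_by_name and p.payee_account not in accounts_by_name[p.payee_name]:
        score += 40
        reasons.append("payee_account_changed")

    # 3. Amount far outside the customer's own norm (needs some history).
    amounts = [h.amount for h in history]
    if len(amounts) >= 5:
        mu, sigma = mean(amounts), pstdev(amounts)
        if p.amount > mu + 3 * max(sigma, 1.0) and p.amount > 2 * max(amounts):
            score += 30
            reasons.append("amount_outlier")

    # 4. Credential or contact change in the last 24h: account-takeover indicator.
    recent = [e for e in events if timedelta(0) <= p.ts - e.ts <= timedelta(hours=24)]
    if {e.kind for e in recent} & {"password_change", "phone_change", "email_change", "address_change"}:
        score += 25
        reasons.append("recent_account_change")

    # 5. Payee added and paid within the hour: the "pay now" urgency pattern.
    if any(e.kind == "payee_added" and p.ts - e.ts <= timedelta(hours=1) for e in recent):
        score += 15
        reasons.append("payee_added_then_paid")

    action = "allow" if score < 30 else ("step_up" if score < 60 else "hold_for_review")
    return {"score": score, "reasons": reasons, "action": action}


# Constructed sample data: five monthly utility payments and two transfers to a friend.
BASE = datetime(2024, 3, 1, 9, 0)
HISTORY = [
    Payment(BASE - timedelta(days=30 * i), "Metro Power", "ACC-POWER-001", amt)
    for i, amt in enumerate([120.0, 118.0, 122.0, 121.0, 119.0], start=1)
] + [
    Payment(BASE - timedelta(days=45), "Jane Smith", "ACC-JANE-777", 50.0),
    Payment(BASE - timedelta(days=80), "Jane Smith", "ACC-JANE-777", 50.0),
]
# Constructed account events consistent with a takeover two hours before the payment.
EVENTS = [
    AccountEvent(BASE - timedelta(hours=2), "password_change"),
    AccountEvent(BASE - timedelta(minutes=10), "payee_added"),
]

if __name__ == "__main__":
    cases = {
        "regular bill": Payment(BASE, "Metro Power", "ACC-POWER-001", 125.0),
        "redirected invoice": Payment(BASE, "Metro Power", "ACC-POWER-999", 125.0),
        "takeover transfer": Payment(BASE, "Crypto Exchange Ltd", "ACC-CRYPTO-42", 5000.0),
    }
    for label, pay in cases.items():
        ev = EVENTS if label == "takeover transfer" else []
        print(label, score_payment(pay, HISTORY, ev))
```

The regular bill scores zero and is allowed; the redirected invoice trips both the new-payee and changed-account rules and is held; the takeover transfer fires every rule. In practice the "hold_for_review" outcome would open a case and, where the payment rail allows it, pause settlement until an analyst or a customer callback clears it.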
With these tools at their disposal, risk management teams can mitigate the impact of fraudsters on customers—and the business. Schedule a demo to learn how Unit21 can help your team catch and stop APP fraud.