The Front Page of Fintech

The largest fintech community in the world. Subscribe to our newsletter to stay up to date on the latest in news opinions, and all things financial technology.

Image Description

The Front Page of Fintech

The the largest fintech community in the world. Subscribe to our newsletter to stay up to date on the latest in news opinions, and all things financial technology.

Image Description

Navigating APP Fraud: How Fraudsters Are Targeting The UK! - TWIF UK & EU Long Reads

Part One in a series of Long Reads on APP Fraud from Kartik Dabbiru

Navigating APP Fraud: How Fraudsters Are Targeting The UK! - TWIF UK & EU Long Reads
Photo by Zanyar Ibrahim / Unsplash
💡
Editors note

This is a part one in a series of Long Reads on APP fraud from Kartik Dabbiru.

If you are interested in guest writing a Long Read or have a topic you want us to cover, please reach out.

Picture this: You're scrolling through Facebook Marketplace, when suddenly you spot a last minute deal that's too good to avoid. It's the latest iPhone 16, barely used, with a massive discount on the price. The seller's profile also looks legit.

You message the Seller, and they're super prompt and with a valid reason why they need to part with the iPhone. The Seller says they can't meet in person because they're "out of town," but they'll ship the phone to you right away if you transfer the money.

You think, "What could go wrong?" and send over £500 via bank transfer. The seller promises to send you the tracking number once the funds hit their account.

But guess what? That tracking number never materialises. The seller stops responding to your messages and your bank account is £500 lighter with no shiny new iPhone to show for it.

Congratulations, you've just been purchase scammed. The goods were never real, the profile was probably stolen or fake, and your hard-earned money is now in the wind. 

This is the reality for many across the UK, where nearly £341 million was lost to Authorised Push Payment (APP) fraud in 2023 alone.

With the new APP fraud Reimbursement regulations that took effect on 7th October, the UK Payment landscape is poised for significant changes. In the part-1 of this long read, we explore the evolution of fraud, the rise of APP fraud in the UK, and the key regulatory developments in the UK.


Why do we  need to pay attention to the growing threat of APP fraud in the UK?

APP fraud has become a significant issue across the UK, impacting individuals, families, and businesses alike. In 2023, 44% of all fraud in the UK was linked to these scams, resulting in nearly £341 million in losses. As online transactions become more common, the speed of payments increase and the rapid pace of AI led developments, fraudsters are deploying increasingly sophisticated methods to rampantly target and defraud victims. 

The UK Financial Conduct Authority (FCA) has highlighted that while firms have made strides in implementing anti-fraud measures, significant gaps remain, particularly in how payment and banking institutions handle and resolve complaints related to APP fraud. The FCA's review found that many institutions  are still not adequately prioritising the protection of their customers, leading to inconsistent outcomes and, in some cases, prolonged financial harm to victims.

The UK Payment Systems Regulator (PSR) has recently implemented the new APP fraud Reimbursement Regulation on 7th October 2024. This new regulation mandates all in-scope UK Payment Service Providers (PSP) to compensate victims of APP fraud up to £85k within five days (but can "stop the clock" for investigations up to a maximum of 35 days). In addition, both the sender and receiver PSP are deemed equally liable to compensate the victim which effectively enables the sender PSP to claim up to 50% of the compensation from receiver PSP. Lastly, Pay.UK is building RCMS (Reimbursement Claims Management System) which in-scope PSPs need to integrate with and share fraud data. RCMS is expected to help PSPs investigate fraud incidents efficiently so that the victim of fraud can be compensated promptly. Eventually, the hope is to build enough data on fraud within RCMS that it can be used to detect and prevent fraud from happening. 

It’s crucial for everyone to understand the evolving landscape of APP fraud to resolve fraud promptly and comprehensively. But before we talk about APP fraud, it is helpful to understand the evolution and dynamics of fraud and how fraudsters have adapted in line with rapid changes in technology and the rise of digital payments.


The evolution of fraud

The development of payment networks and interconnected financial systems have been a double-edged sword, enabling rapid, convenient transactions while simultaneously creating new opportunities for fraud and significantly fewer opportunities/time to detect and stop fraud. To understand the current landscape of APP fraud, it’s important to trace how Payment fraud has evolved alongside these technological advancements.

Early payment systems and the onset of fraud

Initially, payment systems were relatively straightforward, involving cheques and manual transfers, which were slow but easier to monitor. Early fraud schemes typically revolved around forged cheques and identity theft, exploiting the lack of sophisticated verification systems. As payment methods advanced with the introduction of credit and debit cards, fraudsters shifted tactics, leading to the rise of card-present fraud where physical cards were stolen or cloned.

The Financial Industry responded with innovations like magnetic stripes, PIN codes, and eventually chip-and-PIN technology, which significantly reduced card-present fraud. However, this led fraudsters to adapt once again, turning to more complex schemes, particularly with the advent of online banking and e-commerce.

The digital shift and the surge in online fraud

The internet era brought about a revolution in Banking and Commerce, allowing consumers to conduct transactions from anywhere in the world. However, this convenience came with new risks. Card-not-present (CNP) fraud, where card details were stolen and used for online purchases, became a major issue. Phishing attacks also surged, with fraudsters using deceptive emails and websites to trick individuals into revealing sensitive information about their identity and/or card details.

As online transactions grew, so did the complexity of fraud tactics, fraudsters began leveraging the anonymity of the internet to launch sophisticated schemes, making it increasingly difficult for Financial Institutions, Law Enforcement and Regulatory bodies to combat these crimes effectively.

The advent of Faster Payments System and the emergence of APP fraud

In 2008, the UK introduced the Faster Payments System (FPS), which allowed near instantaneous bank transfers, revolutionising the speed and efficiency of financial transactions. However, the rapid nature of these transactions also created new vulnerabilities. Unlike traditional bank transfers, which took days to process and could often be reversed, FPS transactions were completed within seconds, leaving little time to detect, monitor and stop fraudulent activities.

Loss per million transaction / Faster Payment Speed:​​

Year

fraud Losses / Million Transactions

FPS Transaction Speed

FPS Adoption Status

Source

2008-2012

Low (initially negligible)

Near-instantaneous (seconds)

Early adoption phase, low fraud due to limited use.

PSR, Pay.UK

2013-2017

Increasing steadily

Near-instantaneous (seconds)

Growth in real-time payments led to a rise in fraud.

PSR, UK Finance

2018-2022

Variable; peaking in 2022

Near-instantaneous (seconds)

APP fraud became a major issue with higher transaction volumes.

PSR, UK Finance

2023

£266 per £1 million at Metro Bank and TSB

Near-instantaneous (seconds)

Significant increase in APP fraud rates per million transactions.

PSR, Pay.UK, UK Finance

This environment gave rise to Authorised Push Payment (APP) fraud, where criminals manipulate victims into authorising payments to accounts controlled by fraudsters. These scams often exploit social engineering tactics, such as impersonating a trusted entity or creating a false sense of urgency via a last minute, too good to be true deal, to convince the victim to transfer funds. The speed of FPS makes it particularly challenging to recover funds once the transaction is completed, leading to significant financial losses.


What is APP fraud?

Authorised Push Payment (APP) fraud is a sophisticated scam where victims are deceived into authorising payments to fraudsters, believing they are transferring funds to legitimate entities. These scams frequently involve impersonation—whether it’s a bank representative, a trusted service provider, or even a known business contact or a love interest. The sense of urgency created by the fraudster, combined with the victim’s obtained trust in the impersonated entity, leads to the victim authorising the transaction which is usually irreversible.

Common tactics deployed by fraudsters include:

  • Purchase scams
  • Claim that there's a suspicious activity on your account and that you need to move funds immediately for safety
  • Impersonate your lawyer or realtor (a trusted counterparty) to steal house deposits
  • Pretend to be a supplier and requesting payment to a new account
  • Increasingly, Artificial Intelligence (AI) is being used to imitate voices and even faces of colleagues or family members.

The global landscape of APP fraud

Before delving into the specifics of APP fraud in the UK, it's essential to understand the broader global context. APP fraud has become a growing concern worldwide as digital payment systems have proliferated. This type of fraud has seen significant growth, fuelled by the rapid expansion of online banking, mobile payments, and faster payment systems.

  • Global growth of APP fraud: According to a 2023 report by the Global Banking & Finance Review, APP fraud has seen a steady increase globally, with estimated losses reaching over $5 billion in 2022. This represents a 15% increase from the previous year, highlighting the rising threat posed by fraudsters who exploit faster payment systems and social engineering tactics.
  • Regional Breakdown:
    • North America: In the United States and Canada, APP fraud is closely linked with the rise of real-time payments. The Federal Trade Commission (FTC) reported that in 2023, fraud losses in the U.S. exceeded $10 billion. The growing adoption of Zelle and other instant payment platforms has been a significant factor, with fraudsters taking advantage of the immediacy of these transactions.
    • Europe: Europe, particularly the UK, has seen some of the highest rates of APP fraud. The European Banking Authority (EBA) and European Payments Council (EPC) noted that in 2022, total losses from fraud across the EEA reached €4.3 billion. The region has been proactive in implementing strong customer authentication (SCA) measures under the PSD2 directive, which has helped mitigate some risks, yet fraudsters continue to adapt their tactics.
    • Asia-Pacific: The Asia-Pacific region is experiencing rapid growth in digital payments, and with it, a corresponding rise in APP fraud. In 2022, scam losses in the region were estimated at $5 billion, according to a Oliver Wyman report. Countries like Australia and Singapore have reported significant increases in fraud cases, with Singapore alone seeing a 25% year-on-year increase in 2022.
    • Latin America: In Latin America, where digital financial inclusion is rapidly expanding, fraud is also on the rise. The Federal Trade Commission Development Bank (IDB) reported that losses in the region reached $240 million in 2022. The region's relatively lower implementation of anti-fraud measures compared to Europe and North America has made it a target-rich environment for fraudsters.
    • Australia: APP fraud has continued to rise significantly. According to a report by ACCC, Investment scams caused the most financial harm ($1.3 billion), followed by remote access scams ($256 million) and romance scams ($201.1 million). This growth is closely tied to the expansion of real-time payment systems, which fraudsters are increasingly exploiting.

Driving factors behind global APP fraud

The global rise in APP fraud is driven by several factors:

  • Expansion of instant payment systems: As more countries adopt instant payment systems, the risk of APP fraud increases. The immediacy of these transactions leaves little time to detect and stop fraud, making them an attractive target for criminals.
  • Increased digital banking adoption: With the COVID-19 pandemic accelerating the shift to online banking, more consumers are engaging in digital transactions, often without fully understanding the risks involved, leading to a higher incidence of fraud.
  • Faster onboarding of customers: Financial Institutions are themselves hindered by the balance in needing to meet the demands to onboard clients quickly and not having adequate controls in place to handle the exponential growth.
  • Sophisticated social engineering: fraudsters are becoming increasingly adept at using social engineering tactics to manipulate victims into authorising payments. These schemes often exploit emotional triggers such as urgency, fear, or trust in authority.
  • Regulatory gaps: In some regions, the lack of stringent regulations and uniform anti-fraud measures makes it easier for fraudsters to operate. While Europe and Singapore have made strides in regulation, other regions are still catching up.
  • Lack of communication: Globally, a significant challenge in combating APP fraud is the insufficient communication and data-sharing among banks, payment service providers (PSPs), and regulators. Reports from the ECB, EBA, and PSR highlight how these gaps allow fraudsters to exploit weaknesses, as the lack of coordinated efforts hinders real-time fraud detection and response. 
  • Social Networks: Wide-spread use of social media gives fraudsters easy access to victims. Estimates indicate that 80% of scams originate via Meta.

In part-2 of the long read, we will dive deeper into APP fraud and the recently implemented APP fraud reimbursement regulation in the UK.

A big thank you to Jessica Patel, Karshik Ramdhonee, Nicole Bossieux and Thelma Badu-Yankson for collaborating and proof-reading the long read.