Over many years UK banks have made significant investment into fraud prevention measures to help control traditional types of fraud.
This includes frauds where criminals execute unauthorised transactions on a victim’s account, as well as automated attempts to extort funds such as malware attacks.
This investment has also been helped by new regulations designed to reduce these types of fraud, such as strong customer authentication, part of Payment Services Directive Two (PSD2).
This investment and change, however, has created unintended consequences. Criminals who stop succeeding do not just go away; a bad actor will always be a bad actor. They simply change their tactics and approach in order to continue to try and monetise.
Rather than targeting banks directly, fraudsters are now using a range of social engineering strategies to target victims directly, convincing them to make transactions on their behalf.
The result from the perspective of the bank is a customer-authorised transaction (known as authorised push payment fraud, or APP), which is notoriously much harder to detect than one made by a fraudster.
APP scams come in many shapes and sizes, including investment scams, purchase scams and impersonation scams.
As the problem of APP shows no signs of slowing down either in the UK or globally, one of the core challenges faced by the industry is who becomes liable for APP losses when payments are authorised by customers themselves?
Since 2020, Britons have lost more than £2.6bn to investment fraud. This is an alarming figure despite only capturing the scams that are reported.
Under-reporting remains a problem, with victims of scams often feeling vulnerable or ashamed to share their experiences with family, the bank or law enforcement.
Authorised fraud has become so acute that banks across the globe face pressure to reimburse victims for lost funds instead of leaving them to absorb the cost.
First things first, though, banks and financial services providers, including brokers and advisers, need to be aware of them if they are going to have any hope of identifying them and stopping them.
Shifting scam tactics
Getting down to the foundations of APP, UK Finance highlights eight core scam types within two categories:
- malicious payee – purchase scam, investment scam, romance scam and advance fee scam; and
- malicious redirection – invoice and mandate scam, CEO fraud, impersonation: police/bank staff, and other types of impersonation.
Though they naturally vary in frequency and severity, each scam has the potential to cause significant emotional and financial strain for those who fall victim. The real challenge for banks is the growing sophistication of these authorised scams, as they are becoming more difficult to distinguish from legitimate transactions.
As banks have access to the latest technology to detect fraud, bad actors also have the latest tools at their disposal. Generative AI is being used to create convincing scams that manipulate people into handing over money to criminals.
Fraudsters who already succeed regularly now have access to AI so powerful it can create images, scripts, videos and voices in seconds. Two years ago, this wasn't possible. Today, headlines of millions lost in a five-minute attack are becoming commonplace.
