The UK has seen a 41% increase in payer manipulation fraud, (or as they call it, Authorised Push Payments fraud or APP), in the last year. And, unless banks take a proactive approach, they could soon face some stiff regulatory pressure.
This is the warning from Entersekt as the UK’s annual fraud report notes there was a 39% rise in impersonation scams with imposters masquerading as banks and police staff, and a 33% rise in fraudsters pretending to be other officials.
The UK communications regulator, Ofcom, reported that eight out of ten surveyed people had been targeted with scam texts or calls, which the regulator said were intended to convince consumers that they were from trusted organisations such as banks, the NHS, or other government departments.
“There is no doubt that this is an attack vector across the world right now,” says Gerhard Oosthuizen, chief technology officer of Entersekt. “Our usual methods of protection are being tested by the human form factor.
“We know that traditional two factor authentication protects the customer from typical phishing attacks where the fraudster has stolen your username and password. However, with payer manipulation fraud, the fraudster actually uses the customer themselves to perform and ‘bypass’ all the MFA protection put in place by the bank – and coaches you through the full journey, including advising you to ignore all the warnings the bank might have put into the customer journey.
“By adding a sense of urgency the customer does not pay that much attention to what they’re doing – they are just following the direction of the person they trust, and whom they believe is protecting them.
“These calls sometimes go on for hours as they convince the account holder to add a beneficiary or transfer their money into a ‘safe account’, which is actually one which the fraudster uses to steal the money from. This manipulation is causing untold damage to people and families and banks are expected to take action,” he adds.
“South African banks and their partners are seriously applying ourselves to addressing this issue. We are currently exploring a number of different ways to address this including looking at ways to detect dubious actions.
“For instance, when you see money moving between accounts in a suspicious manner or being cashed out into crypto accounts after some account switching, you could delay the transaction and reconfirm the payment with the client a while later.
“Destination account verification offerings are another way local banks are trying to protect their customers,” Oosthuizen explains.
APP fraud has risen in the UK since it introduced real-time payments via the Faster Payments scheme in 2008. One of the problems with these immediate payments is that they are irrevocable, which means that victims of APP fraud can’t reverse the payments when they realise they have been tricked.
“South African banks are currently implementing our own rapid payment system and having it exposed to additional risk at the outset could impact its uptake. When it comes to the RPP there are a number of potential pitfalls,” Oosthuizen says. “Fortunately, the work already done by the UK banks and their regulator gives us good insight into how to tackle the challenges ahead.
“It is also comforting that the collaborative work by the local banks and their focus on building strong fraud prevention into the system from the start should also give local consumers some confidence when the RPP goes live. Furthermore the initial amount supported on RPP is set to R3 000 to prevent one incident from causing large losses.”
Regulators take action
The UK is not sitting idly by, and while the majority of banks are all working to address the issue, the lack of consistency and action from some has forced the UK Payment Systems Regulator to implement a raft of measures to combat the growth in these scams.
These include mandating banks and other payment providers to make reimbursement to victims, placing the responsibility on the banks to refund the loss.
Among the proposals on the table from the regulator is a mandatory name checking service, Confirmation of Payee (CoP), and consumer reimbursements for all banks, as well as active monitoring. The regulator is also determined that when a bank does not use CoP, then they should not be allowed to use Faster Payments.
“We need people to trust our payment system,” Oosthuizen stresses. “South African needs a collaborative, industry response to this and we need more context with pooled data to see trends.
“We are working together to find ways to consolidate data and get ahead of the fraudsters by learning from other markets, and applying our own South African technology to solve this problem. Entersekt is already working with various global and local players to try to see how we can further protect clients.
“The takeaway is that fraudsters steal from everyone, and this type of attack can only be solved by industry collaboration and innovation. These types of attacks are enabling us to start accelerating that,” Oosthuizen concludes.