Authorized push payment fraud has been the talk of the Senate in recent months – and it’s no wonder why. With this type of fraud expected to double over the next four years, putting over $1.5 billion in the hands of criminals, it’s businesses that stand to lose the most.
Authorized push payment fraud can cause significant financial damage to companies. It can also lead to reputational wounds, which many find harder to recover from. In this article, learn how to spot APP fraud and stop fraudsters in their tracks.
For more information on all the types of B2B payment fraud, download our free fraud report with trends and insights.
What is authorized push payment fraud?
Authorized push payment fraud (APP) relies on your trust in technology. With Internet banking becoming fairly mainstream in the US (and even more popular among European suppliers), cybercriminals have taken over this ‘security measure’ and turned it into a weapon.
When you’re making a genuine payment for your business, an authorized push notification might come through to one of your devices. It requires you to consent to the payment and acts as a second security measure past your banking login.
Authorized push payments help verify that it’s really you.
Unfortunately, those committing crimes have been able to turn this security measure into a vessel for fraud. The fraudsters are successful by using social engineering tactics, just like through CEO fraud or false invoice fraud. They make it seem like you have a genuine payment to make, and that it needs to be urgent. But once you accept the push notification, a real-time payment occurs and the money is never seen again.
How does authorized push payment fraud work?
Most authorized push payment scams begin with a data breach. At least that’s what happened to TalkTalk, a leading British communications business.
Real world threats
In 2015, hackers were able to access the details of millions of TalkTalk customers, including their home addresses, phone numbers, and bank details. Then, the cybercriminals actually contacted TalkTalk customers over the phone under the ruse that there was an account problem.
By quoting the customers’ real details, they appeared convincing as genuine TalkTalk employees. But the scammers were installing malware at the same time. Customers were told to click a button for a “compensation payment” deposited to their account (which required an authorized push payment notification). But upon accepting the notification, money was quickly taken from their accounts.
What began as a data breach damaged TalkTalk’s reputation and trust with their customers. This is why it’s important to protect your business.
Other common authorized push payment scams
Authorized push payment fraud can also target businesses in other scenarios, through:
- CEO fraud
- False vendor fraud
In the first scenario, social engineering tactics are used to pressure an employee into sending money to a perpetrator pretending to be their CEO. By claiming urgency is needed, the employee might not double-check with their CEO in person or spot a spoofed email address – sending the money. It’s also much harder to check if you’re working from home.
During false vendor fraud (also known as fake invoice fraud), hackers could intercept a real invoice and change the details to their own. They could also create a new invoice from scratch for goods never received by your business. Either way, these fraudsters put pressure on employees to pay with urgency using real-time payment methods. Therefore, an authorized push notification is typically accepted without special interest.
Trustpair can help prevent both scenarios through our dedicated vendor data management platform. We continuously detect any changes in supplier credentials (even for international suppliers). Checking payments before execution allows us to block any suspicious transfer. This way, your people have confidence in the legitimacy of their contacts and decisions. Contact one of our fraud experts right away!
Why is authorized push payment fraud on the rise?
More of us are choosing to work with digital payment methods since they’re fast, (usually) error-free, and simple to work with. Your suppliers like receiving their invoice payments instantly and your internal team of accountants like that transactions are recorded automatically.
However, the increased use of instant bank transfers also increases the volume of push payment notifications and therefore heightens the risk of fraud.
In some jurisdictions, the regulators make sure that this step is part of every payment. For example, the UK’s Strong Customer Authentication regulation requires a push notification or a code sent to one of your devices before the payment can be made. While America’s own SOX Law isn’t quite the same, push payment fraud is still on the rise.
Moreover, authorized push payment fraud is on the rise because people are working from home. Between 2019 and 2021, the number of people working from home tripled – and many still haven’t returned to the office full-time. With remote working comes remote finances, which make it harder to check requests for payment and easier for fraudsters to act.
How to protect your company against authorized push payment fraud?
While fighting against authorized push payment fraud may seem like a mountain to climb, there are some surefire ways to protect your business against bogus payment requests:
- Encourage policy/procedure following even in ‘one off’ situations
- Open communication and sharing between departments
- Work with a dedicated payment platform for extra security
First and foremost, it’s important to develop the right controls in your fraud prevention plan. This means creating an approval matrix that requires at least two pairs of eyes for any payment, for example.
Here, segregation of duties is important in order for corporations to maintain efficiency and control. Giving different responsibilities to varying members of staff should preserve the integrity of your finance function – leaving no room for internal fraud.
Once policies are created though, they must be followed. In a country where the average company’s legal budget greatly outweighs the rest of the world, policy negligence is the last thing you want to be spending money on.
Ensuring your people follow the procedures you set could be as easy as “setting and forgetting”. But others may have to create incentives and deterrents, depending on the behavior of staff.
Poor information sharing is one of the biggest reasons for thieves’ success in business. With a lack of defined roles (and a dedicated anti-fraud department), no one takes full ownership over anti-fraud policies. More often than not, the idea of preventing fraud falls into an abyss as primary functions take over.
On the other hand, companies promoting good interdepartmental communication are able to manage risks more effectively. Since different teams receive varying levels of training around fraud in payments, an open channel encourages knowledge sharing.
Plus, encouraging those on different teams to build good relationships not only increases the chances of detecting suspicious activity. It can actually build your efficiency and productivity across the board, too.
Dedicated fraud prevention platform
Probably the most foolproof way to protect against authorized push payment fraud specifically is by working with a dedicated anti-fraud payment platform, like Trustpair.
By providing account validation in real-time, you benefit from a clear risk management report before engaging with a potential new supplier. Moreover, your people are automatically alerted as soon as any anomalies within the historical payment pattern are spotted. So you have the tools to successfully prevent fraud, instead of simply detecting it after you transfer money or sensitive information to a phony caller.
Working with huge enterprises and growing partners, we’ve got a 100% record in the fight against fraud.
Demo Trustpair’s dedicated anti-fraud payment platform here.
The risk of APP fraud affects those in finances the most – the people who are dealing with online banking or payments each and every day. To protect yourself and your business against fraudulent or suspicious transaction requests, keep your company’s financial information private and secure. You should also check payment details (like account number, card information, and social security number) against a verified database to ensure you’re sending money to a legitimate merchant. If you have been compromised by a scammer or think you’ve had malicious software (like spyware) installed on your system, inform your financial institution and IT department immediately
Note: this advice might also be used against phishing and other ponzi schemes or general internet fraud attempts