“As an industry, we’ve actually created APP fraud.” It’s a strong statement from HSBC’s Jamie Byles, but we do indeed find ourselves facing a catch-22 situation. “As we improve one particular channel, one particular area... we push fraud into another area.”
And at present, that area is Authorized Push Payment (APP) fraud, with bad actors and fraudsters switching their focus to customers and attempting to coerce them into making large transfers that, from a bank’s perspective, seem legitimate and are thus hard to detect.
That’s made all the easier by the high availability of technologies such as dynamic puppeteer kits that scammers can easily obtain online and tailor to their targets. And these are just a few of the reasons why APP fraud continues to be a global concern, one that carried a bill for victims of £479 million in 2020 in the UK alone.
And with this low barrier to entry for criminals, it’s a problem that’s growing exponentially. In 2020, social engineering scams accounted for 57% of all fraud losses (UK Finance).
The problem extends far beyond the commonplace mobile device vectors. As Jamie reminds us, the internet and social media sites are awash with too-good-to-be-true deals, with the fraudsters surfing the wave of trending consumer tastes to seemingly offer popular products. The issue affects multiple industries and sectors, and it’s significant enough that there have been repeated calls for the UK government to expand the scope of the Online Safety Bill to include fake adverts and scams.
But what about the customers themselves? “There has to be an element of responsibility on the part of the consumer,” says Lloyd Emmerson of Lloyds Bank, who has frequently seen customers caught out by fraud, despite the bank having done everything possible to prevent it. “There has to be an element of shared ownership.”
That’s an opinion borne out by our recent survey, in which 77% of respondents felt that they shared some degree of responsibility for protecting themselves against fraud, along with banks and merchants.
“These landscapes are hard areas to solve for,” warns UK Finance’s Dianne Doodnath. And indeed they are, particularly when you consider factors such as the rise and rise of smishing and vishing, the alarmingly authentic-looking website pages created by Puppeteer kits, and the regional challenges of fighting fraud, with some territories imposing legal restrictions on using customer demographic data to detect fraud and scams. And as bad actors cast their nets ever wider – with APP fraud spreading from the traditional targets in the finance sector to e-commerce and beyond – it’s only going to get harder.
It’s a complex topic, and one which Callsign’s Ryan Gosling recently tackled, hosting a webinar that explored the trends, the attack vectors, and the defenses available to businesses.
Ryan was joined by Jamie Byles (Group Head of Fraud Risk WPB - Compliance, HSBC), Dianne Doodnath (Principal, Economic Crime at UK Finance) and Lloyd Emmerson (Fraud Lab Lead Product Owner, Lloyds Bank), and the webinar is invaluable viewing for any business at risk from APP fraud.