Authorized Push Payment and Social Engineering: How to Fight Back

Apr 25, 2024
Maya Ogranovitch Scott, Ping Identity
Senior Product & Solutions Marketing Manager

When fraud occurs as a result of scams and social engineering, organizations can struggle to stop it. This is because when legitimate customers fall prey to online imposter scams—for instance, in the case of authorized push payment fraud (APP)—the impact from losses can snowball, affecting not just the customer, but the organization at which the fraud took place.

 

In fact, according to the FTC, American consumers reported losing over $2.3B to imposter scams in 2021. Meanwhile, across the pond, UK Finance reported that losses due to authorized push payment fraud rose by 71% in the first half of 2021 in the UK; the same report noted that the amount of money stolen through this type of scam even overtook card fraud losses.

 

Ultimately, financial institutions need to find ways to effectively combat these massive losses from APP fraud before they're left footing the bill.

 

Let's start with a couple of definitions.

What is Social Engineering?

In cybercrime, social engineering involves manipulating human vulnerabilities for financial gain. These scams typically entice victims to unknowingly divulge data, spread malware, or grant system access.

 

Since social engineering is predicated on human psychology, these types of crimes are particularly manipulative and effective.

 

Common Types of Social Engineering Scams

 

Phishing Scams: take place when bad actors create fake emails and websites that trick victims into divulging personal information. People think they are partaking in legitimate transactions, when they are really handing information directly to criminals. Once the sensitive data is divulged, bad actors use it to perpetrate larger crimes like identity theft and financial fraud.

 

Spear Phishing Attacks: are a specialized form of phishing that focuses on specific individuals or groups. Using emails as the attack vector, spear phishing scams incorporate personalized details tailored to the target's interests or circumstances - such as recent news or financial records. Often, these messages convince victims to open a link or attachment that contains malicious software.

 

Smishing Scams: focus specifically on fraudulent text messages as attack vectors. The term “smishing” blends “SMS” (short message service) with “phishing.” Using smishing texts as a vehicle, criminals fool victims into sending money, divulging personal information, and downloading malware.

 

Vishing Attacks: use deceptive phone calls and messages to trick people into disclosing sensitive info - such as login credentials, personal data, and credit card numbers. After the sensitive information is acquired, bad actors proceed to undertake larger crimes like identity theft and checkout fraud.

What is Authorized Push Payment (APP) Fraud?

Authorized push payments (APP) are bank transfer payments that individuals make themselves - usually using online methods like websites and mobile apps. Performed by entering the recipient’s account details on an e-banking platform, APPs are often used to transfer large sums of money.

 

APP fraud occurs when a criminal tricks a victim into sending a payment directly to a bank account through deceptive means.

 

Common Types of APP Fraud

 

Purchase Scams: are predicated on the sale of fictitious goods or services. Oftentimes, a fraudster will get people’s attention through a fake sale or promotion. After the victim falls for the ruse and makes a payment, the criminal vanishes without delivering on their end of the deal. 

 

Romantic Scams: take place when a bad actor poses as a potential romantic partner. After a rapport is created between the two parties, the criminal continues to manipulate the victim to build trust. Once the victim is emotionally invested in the new relationship, the fraudster escalates the scam by requesting money.

 

Invoice Fraud: occurs when a criminal sends a sham invoice to a legitimate business. In some cases, the fraudster creates a fake business as a cover for perpetrating the crime. In another example, the bad actor steals a legitimate invoice and changes information to reroute payments.

 

Advance Fee Scams: have been particularly damaging to elderly people in recent years. With these crimes, victims are tricked into thinking they won some sort of prize. However, before they can claim their winnings, victims must pay an advance fee. Once the money is transferred, the fraudster vanishes.

 

CEO Fraud: scams are made possible when a criminal compromises or convincingly spoofs an executive's work email account. Posing as that executive or as a member of the human resources department, the criminal requests a work-related payment from an employee. Often, victims don't think twice about sending the money out of trust for their superiors.

 

Investment Scams: are another example of a bad actor creating a fake business for nefarious purposes. Posing as a legitimate financial advisor, the fraudster then tricks the victim into investing money. As seen with similar crimes, people are often lured into investment scams with exclusive opportunities that promote a sense of urgency.

 

Property Funds Scams: focus on the real estate industry. Since real estate investments involve large sums of money, these crimes can be detrimental to victims. With property fund scams, fraudsters intercept communications between victims and legitimate realtors. After that, the criminal changes payment information to divert funds to fraudulent accounts.

 

Personal Relationship Scams: take place when a bad actor pretends to be someone’s friend or family member. These scams are particularly effective when a fraudster has access to a familiar social media or email account. Once trust is established, the criminal prompts the victim to send money - often under the guise of a phony crisis like a medical emergency.

Protecting Your Organization Against APP Scams and Social Engineering

Among the various types of online fraud, APP scams and social engineering come with several unique challenges. These challenges exist primarily due to the fact that the criminal doesn’t interact with the organization’s digital properties directly—they interact with the organization via the consumer who falls for the scam. In turn, protective measures like multi-factor authentication (MFA) are of limited use.

 

Consumer education is a great starting point for financial institutions to stop social engineering and APP fraud. If customers are able to spot fraudulent activity on their own, it saves a lot of time, effort, and money for online service providers.

 

Due to systemic problems with social engineering and APP scams, certain regulatory bodies are starting to hold financial institutions to higher standards of mutual verification. While banks use Know Your Customer (KYC) standards to prove customer identity, users should receive the same level of assurance from providers. To illustrate, new legislation in the UK requires financial service providers to reimburse customers who fall victim to APP scams. Such financial consequences, in turn, motivate banks in the UK to employ stronger mutual assurance measures.

 

Regardless of consumer education or new policies, financial institutions need to think critically about how they can effectively intervene with the user directly in order to prevent APP fraud from happening, and at which point in the journey this type of intervention should occur.

Layered Defenses with Adaptive Access

Fraud prevention is frequently addressed at two key points of the user journey: at the point of authentication and at the point of transaction. However, given the user is legitimate and should be able to authenticate into their account without issue, this could leave the transaction as the only point of defense. It is common practice to require additional approvals to transfer large sums of money, but even that won’t stop a scammed user from making a costly mistake.

 

It is important to note that consumer education remains critical, forming the first line of defense against fraudsters. Merchants should:

 

  • Clearly communicate payment requests

  • Educate customers about APP fraud warning signs

  • Advise customers on what to do if they suspect a scam

 

That being said, consumer education will never fully eliminate the problem. Fraudsters are tricky and intelligent, and even a wary consumer can be scammed if they are approached in the right way at the perfect time. Financial institutions must therefore build a strong second line of defense to cover those cases where consumers have not realized that they are being scammed.

 

There are several methods available to address this, and a canny organization may implement several of them to provide a more layered defense.

 

Challenge the Action

Detecting this type of fraud is not enough to mitigate it. Financial institutions need a way to intervene directly and make the user think critically about what they are about to do. This is easier said than done, but it can be accomplished by adapting the user's experience to the perceived risk. Rather than putting an MFA prompt in front of a suspicious transaction (which a legitimate but scammed user will simply pass), it is more useful to challenge the user in a way that makes them reconsider the payment itself.

 

Typically, the fraudster has already done significant work to get the user to trust them, but the user can be made to question that trust. Users who appear to be at risk of authorizing a fraudulent payment can be taken down another path: instead of immediate access to the “transfer” button, it could be enough to present them with a warning screen that alerts them to the possibility of fraud and asks them several questions about how they know the payee, whether they are confident in what they are paying for, and so on.

 

Sometimes, encouraging the customer to stop and think is enough to stop them from putting a payment through.

Technology Change vs. Policy Change

Most organizations have multiple counter-fraud measures and technologies deployed. Fraud prevention is generally additive in nature, with new defenses layered on top of existing ones in an effort to keep up with new fraudster tools and tactics. Unfortunately, adding new technology or making significant adjustments to existing tools takes time, money, and a variety of approvals.

 

This is because change control processes and governance can be very rigid, leaving financial institutions in a difficult position. Fraudsters are unencumbered by comparison and able to move more quickly, causing fraud teams to feel like they can never quite keep pace. Understanding the tools available to fight scams and social engineering and actually putting them into practice are two very different things.

 

Financial institutions can circumvent this particular challenge by lifting their fraud policies out of individual applications into a centralized fraud hub that allows for quick and easy policy changes without code. With this in place, fraud teams can adjust their policies to react to potential scams in a variety of ways, choosing mitigation paths that rely less on standard tools like MFA or identity verification and more on other types of challenges. The benefit of this approach is that it is easy to track the performance of these policies, testing and adjusting as needed in real time.
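As an added illustration of the two ideas above (challenging a risky transfer with a friction screen instead of an MFA prompt, and keeping the fraud policy as editable data in a central hub rather than as code inside each application), here is a small Python sketch written for this article. It is not Ping Identity's product code, and the signal names, rules, weights, thresholds and interstitial questions are all assumptions chosen for illustration.

```python
# Added example written for this article: a small declarative decisioning
# policy for outbound transfers. It is not Ping Identity's product code; the
# field names, rules, weights and thresholds are all assumptions.
from dataclasses import asdict, dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class TransferContext:
    """Signals a bank could gather about one outbound transfer (assumed names)."""
    amount: float
    typical_amount: float                   # customer's usual outbound transfer size
    payee_is_new: bool                      # first ever payment to this account
    payee_added_minutes_ago: Optional[int]  # None when the payee is long established
    device_is_new: bool                     # device not seen on this account before
    remote_access_tool_detected: bool       # screen-sharing / remote-control session flagged
    customer_age: int


def signals_from(ctx: TransferContext) -> Dict[str, Any]:
    """Flatten the context into named signals the policy can reference."""
    s = asdict(ctx)
    s["amount_ratio"] = ctx.amount / max(ctx.typical_amount, 1.0)
    return s


# Comparison operators the policy may use. None (signal unavailable) never matches.
OPS = {
    "eq": lambda a, b: a is not None and a == b,
    "gt": lambda a, b: a is not None and a > b,
    "lt": lambda a, b: a is not None and a < b,
}

# The policy is data, not code: a fraud team can re-weight or add rules without a
# deployment. Weights below are illustrative, not calibrated on real fraud data.
POLICY: List[Dict[str, Any]] = [
    {"name": "new_payee", "field": "payee_is_new", "op": "eq", "value": True, "weight": 20},
    {"name": "payee_just_added", "field": "payee_added_minutes_ago", "op": "lt", "value": 30, "weight": 25},
    {"name": "amount_far_above_typical", "field": "amount_ratio", "op": "gt", "value": 5.0, "weight": 25},
    {"name": "new_device", "field": "device_is_new", "op": "eq", "value": True, "weight": 10},
    {"name": "remote_access_session", "field": "remote_access_tool_detected", "op": "eq", "value": True, "weight": 40},
    {"name": "older_customer", "field": "customer_age", "op": "gt", "value": 69, "weight": 10},
]

# Highest band whose floor is reached wins. "warn" routes to the interstitial;
# "hold" delays the payment for a callback or manual check instead of asking for MFA.
THRESHOLDS: List[Tuple[str, int]] = [("hold", 60), ("warn", 30), ("allow", 0)]


def evaluate(ctx: TransferContext, policy=POLICY, thresholds=THRESHOLDS) -> Tuple[str, int, List[str]]:
    """Return (action, score, names of rules that fired) so decisions are auditable and tunable."""
    signals = signals_from(ctx)
    score, fired = 0, []
    for rule in policy:
        if OPS[rule["op"]](signals.get(rule["field"]), rule["value"]):
            score += rule["weight"]
            fired.append(rule["name"])
    for action, floor in thresholds:
        if score >= floor:
            return action, score, fired
    return "allow", score, fired


# Questions shown on the "warn" path. The customer's own answers become the signal:
# an unexpected approach or an instruction to move money to a "safe" account are
# common scam narratives, so those answers escalate rather than allow.
WARN_QUESTIONS = {
    "contacted_unexpectedly": "Did someone contact you out of the blue and ask you to make this payment?",
    "told_to_move_to_safe_account": "Were you told to move money to a 'safe' or 'new' account?",
    "dealt_with_payee_before": "Have you dealt with this payee before, outside of messages or calls?",
}


def decide_after_warning(answers: Dict[str, bool]) -> str:
    """Resolve the interstitial: hold on scam narratives, cooling-off delay for unknown payees."""
    if answers.get("contacted_unexpectedly") or answers.get("told_to_move_to_safe_account"):
        return "hold"
    if not answers.get("dealt_with_payee_before", False):
        return "delay"  # e.g. release after a cooling-off period, giving the customer time to reconsider
    return "allow"


if __name__ == "__main__":
    routine = TransferContext(200.0, 250.0, False, None, False, False, 35)
    print(evaluate(routine))
    suspicious = TransferContext(9000.0, 300.0, True, 2880, False, False, 42)
    action, score, fired = evaluate(suspicious)
    print(action, score, fired)
    if action == "warn":
        print(decide_after_warning({"contacted_unexpectedly": True}))
```

Because the rules live in `POLICY` rather than in the transfer code path, a fraud team can tune a weight, add a rule for a new signal, or change which band triggers the interstitial and measure the effect without a release; the `fired` list returned by `evaluate` is what you would log to judge each rule's precision over time.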

 

Another way for financial institutions to stop fraudsters is to implement policy-based access management on the workforce side. In turn, limiting access privileges for employees reduces potential risks associated with social engineering and APP scams like CEO fraud.

Ping’s Integrated Approach to Stopping Scams and Social Engineering

Scams and social engineering are challenging to address, but the right combination of tools and tactics can ensure that your organization is up to the task.

 

Ping Identity takes an integrated approach to fraud prevention, combining tools for fraud detection, decisioning, mitigation, and orchestration in one platform. Our fraud decisioning and orchestration tools allow organizations to easily aggregate fraud signals from a variety of sources, including Ping’s own detection tools as well as external ones, and build out policies that allow for flexible mitigation at any point throughout the user journey. Modifying and testing policies inside our decisioning hub is quick and easy, and our fraud prevention experts are ready to share their experience in preventing fraud losses from APP scams and social engineering.

 
