Fighting Authorized Push Payment (APP) Fraud Post Payment

Fighting Authorized Push Payment (APP) Fraud Post Payment

Payment scams are rampant. The Federal Trade Commission (FTC) shows that consumers filed a staggering 2.5 million fraud reports in 2023, amounting to more than $10 Billion in losses. Of those reports, 853935 were imposter scams, marking an increase from 2022. In addition, 80% of businesses reported attempts of fraud activity last year. Everyone is at risk.
What makes these numbers particularly concerning is that scammers are getting sneakier. Of course, some sophisticated hackers may use more advanced techniques (account takeovers, deep fakes, credential stuffing, etc), but those fraud types require extensive resources and effort. Instead, plenty of bad actors simply trick a customer or employee into willfully giving away funds or company information. Such a scam is anonymous and low-cost—giving rise to the Authorized Push Payment (APP) security threat.

Since APP fraud fools the victim into initiating a legitimate transfer, it is a fraud type that is hard to identify and deflect. Plus, it creates several problems that

impact merchants and businesses: loss of customer trust, company asset risk, and exposure to costly chargebacks.

Let’s explore APP fraud and the best strategies you can adopt to protect your business:

Evolution of ATO

Authorized Push Payment fraud refers to scams that trick victims into authorizing a payment to a fraudulent account. The fraudster uses social engineering and convincing tactics to manipulate and deceive their targets (often achieved by posing as trusted individuals or businesses). The victim, who acts in good faith, voluntarily sends money of their own volition.

Since the account or cardholder initiates the transfer, the money is “pushed” (rather than “pulled” like when a hacker drains account funds). The transfer, coming from the authorized user, appears legitimate. That makes APP fraud particularly difficult in terms of fund recovery.

While APP scams often focus on consumers, merchants and businesses are not immune. Employees might believe they are working with a known supplier and send over sensitive information. Service reps might not catch compromised customer accounts. Some fraudsters may even pose as clients to backdoor a company’s systems. Companies that do not prepare adequate defenses can be exposed to unwanted risk.

Types of APP fraud

With the success of impersonation schemes, fraudsters created numerous subtypes of APP fraud. Here are some common ones:

Invoice fraud: The scammer sends false payment papers with altered bank details that request payments from your business.
Mandate fraud: Fraudsters pose as third-party services and ask for company account changes.
CEO fraud: A criminal will pose as chief officers and ask for payments from company employees.
Employee/Impersonation fraud: A scammer will pose as a government official or industry rep and convince an employee to divulge company assets.
Charity fraud: Fraudsters will create fake charities and ask companies for donations or sponsorship.
Procurement fraud: Some criminals pose as vendors and hope for upfront payments or deposits.
Purchase scams: Bad actors sell you goods that are never delivered.

What Are the Signs of Possible APP Fraud?

APP fraud is sequential. The schemes start with innocent-looking connection requests that build into trust. But over time, the relationship is leveraged for legitimate-looking payment requests designed to deceive. Without consideration of this broader transaction context, the insidious actions often go undetected—until it is too late.

What should businesses look for when it comes to APP fraud? In short, any actions that depict a criminal acting as a client or employee. Here are some common signs:

Incorrect billing info:: Note any slight modifications, discrepancies, multiple accounts, mismatched details, or wrong numbers on all accounting and transaction data.
Unusual payment actions:Look for large or irregular amounts with all outflows. That can look like fast checkouts, first-time purchases from a new account, high-value item sales with a history of low-cost purchases, multiple unit purchases for the same high-demand item, or shipments to different addresses. The same goes for payment or transfer attempts made by varied devices, novel payment methods, foreign accounts, etc.
Suspicious communication: Impersonators must first build a relationship with the targeted victim to enact their schemes, and they often make initial contact through standard channels. So random vendor requests, unexpected emails, strange language, incorrect grammar, or odd documentation all hint at a scam or phishing attempt.
Strange stakeholder behavior: Look for out-of-character actions from all third-party providers, employees, or stakeholders. Unexpected urgency, a penchant to avoid verifications, attempts at workarounds, location changes, out-of-hours requests, etc all count.

How to Defend APP Fraud: The Multi-Layered Approach

While tracking such suspicious activity is useful, solely waiting for the signs of possible APP fraud is a reactive approach. By the time you catch the activity, the scam is well underway. Plus, you only address the issue at a payment level as an isolated incident. Such methods miss the needed context of these socially dependent schemes.

Instead, a strategy that shores up defenses throughout the entirety of the scam, from first contact to the final activity, provides far more comprehensive safeguards. To that end, FUGU adopts a multi-layered approach that tracks the entire sequence of APP fraud.

1. Monitor:

Watch customer actions across the entire payment journey. Detect and assess unusual patterns that do not match normal behavior thresholds as the transaction occurs.

2. Establish algorithms and context-aware models:

Traditional detection efforts use standard rules that cannot adjust to evolving data as the transaction progresses. Instead, use machine learning to assess subtle patterns that static models miss. For example, a series of transactions that on their own seem okay can be seen as an alert when placed inside real-time contexts, such as changes to communication patterns, browsing behavior, historical actions between payee and payer, etc.

3. Conduct manual review:

The bulk of your systems will work with automated reviews and provide alerts when necessary. Once identified, escalate flagged activity to trained employees. Humans provide yet further contextual awareness (emotional, social, intuition, language styles, etc) that can confirm or deny the presence of APP fraud.

4. Run additional verifications:

Run additional tests to gain further context once an order is noted as high risk and carries a strong likelihood of fraud. Biometrics, encrypted verification links, two-factor payment approvals, or device and domain verifications, all provide needed data and process-based protections. Be sure to cross-reference any suspicious activity with your advanced fraud service solutions.

5. Engage in post-transaction protection:

Just because a fraudulent transaction executes does not mean the APP fraud sequence ends (nor should your defenses). There are numerous post-sale protections you can employ.

For example, you could use transaction reversals to stop an order mid-process (note, you will likely require tools that collect post-payment data as you must promptly show evidence of fraud). You can also invest in insurance that covers a portion of lost funds. Dispute resolution tools can win back significant amounts of lost revenue due to chargebacks filed by customers after a fraud incident. Lastly, work with other industry players: some governments have fraud refund programs, many banks and payment providers offer payment recalls, and intermediaries (SWIFT) can stop fund transfers.

How FUGU’s Strategy Addresses APP Fraud

With this knowledge, FUGU supports partner organizations at each step of the transaction lifecycle. Most APP fraud solutions are static and fragmented, which leads to exploitable gaps (and fails to address evolving cyber threats). Instead, we accomplish protection with a multi-tiered prevention suite:

Risk scoring: AI-driven analysis of all orders flags signs of APP fraud (e.g. rushed checkouts) and automates further verification.
Behavioral analysis: Customized thresholds and merchant-tailored risk profiles detect deviations (e.g. refund abuse, impersonations, strange device locations, fingerprints consistent with fraud rings, etc) from usual patterns.
Data monitoring: FUGU tracks all order activity, requests verifications when needed, and compiles all data for informed decision-making. New signals create a transaction trail (crucial for post-transaction protections) that adjusts risk scores to those new contexts. This is also crucial to limit false positives.
Post-payment protections: We engage in complete monitoring across all platforms post-sale to detect fraud that may not be visible pre-sale or when viewing such platforms in isolation. For example, post-payment verification and risk scoring can make it harder for stolen credentials to be used fraudulently after a phishing attack.

In short, our advanced tools closely search each transaction for the escalating series of actions a fraudster takes as they execute APP fraud.

Conclusion

APP Fraud, since it involves push payments, is a challenge to manage. Fragmented and isolated defenses do not address the sequential nature of this socially-based fraud type. Still, despite the difficulties, inaction is a costly affair—merchants cannot afford to ignore the issue.

That’s why FUGU offers a multi-tiered solution. Complete life cycle monitoring, context-aware systems, and post-transaction support provide a comprehensive answer to APP fraud. For more on our payment fraud and chargeback liability solution, contact us!