Mark Kenkre explores new models of online banking fraud

Mark Kenkre, Partner and Head of the Investment Fraud and Mis-Selling Team, explores new models of online banking fraud and highlights avenues for reform, in Solicitors Journal.

Mark’s article was published in Solicitors Journal, 5 May 2022, and can be found here.

An Authorised Push Payment Fraud (APPF) occurs when an individual is tricked into making a payment from their bank account into an account controlled by a fraudster, who often purports to be a representative of a legitimate organisation such as the bank, a contractor or even the police.

Fraudsters target victims in many ways, and the introduction of online banking has made APPF more appealing to criminals as the transfer of money can happen in real time. This means fraudsters can instantly move funds across multiple accounts which makes tracing and recovering the payment increasingly difficult.

It couldn’t happen to me…

The following are the most common types of APPF incurred in the UK:

• Invoice fraud

This occurs when a fraudster hacks into an individual’s email account, then pretends to be a contractor or company that was hired to carry out work. The fraudster will often issue a fake invoice for these works, of which the victim pays, in the belief that they were paying the company who actually completed the work in question.

• CEO fraud

This occurs when a fraudster impersonates a high-ranking employee from the victim’s organisation and requests that the victim transfers funds.

• Impersonation fraud

This occurs when fraudsters pose as a legitimate organisation such as a bank or a police officer. The fraudster will often inform the victim that they need them to move large sums of money to a ‘safe’ account which they later uncover as belonging to the fraudster.

Whatever next?

Looking to the future, we envisage there will be an increase in fraudsters targeting individuals purchasing a property due to the large transactions involved with the sales process, and posing as representatives from energy suppliers due to the recent increase in the energy price cap. Property purchase will likely be of particular interest to fraudsters as they can intercept correspondence between parties and alter payment information which results in large payments being made directly into the fraudster’s account.

Representatives from the financial industry, consumer groups and the financial regulator have been working collaboratively over the past few years to increase consumer protection in the hope of reducing the number of APPF that occurs within the UK. The pinnacle of this work has to be the implementation of the Contingent Reimbursement Model Code (CRM Code), a voluntary code that requires signatory banks to take active steps to protect their customers and to reimburse those who have fallen victim to APPF. As part of the CRM Code, banks are expected to educate their customers regarding APPF, to consider the vulnerabilities of the customer, and to provide adequate warning to the customer if they consider a transaction to be at risk of APPF.

Stop! Are you sure you want to make this payment?

Many customers will be unaware that banks have technology which allows them to check that the recipient’s name matches that which is registered to the account number and sort code provided by the customer. In turn for this protection, banks expect consumers to pay close attention to any warnings which they issue regarding potential fraudulent transactions, and consumers must have a reasonable basis for believing that the payment was for genuine goods or services and that the recipient was legitimate.

There is no doubt that the CRM Code is most certainly a step in the right direction. However, there is considerably more that needs to be done in order to reduce the level of APPF in the UK. This is reflected in statistics prepared by UK Finance which found that a total of £479m was lost as a result of APPF across the 149,946 cases reported in 2020. This is a considerable increase to the losses incurred in 2019 – the year in which the CRM Code was implemented – which has led to increasing calls for the CRM Code to be mandatory, as opposed to voluntary. This would not only ensure that customers are afforded requisite protection from APPF, but will incentivise the banks to adopt stringent measures to prevent instances of APPF in the future.