Newly-collected data, published for the first time, reveals that purchase scams were the most prevalent authorised push payment (APP) scam in the first half of 2018, accounting for almost two-thirds of reported APP cases with a total of £19.4 million lost. In these scams, the victim pays in advance for a product or service, such as a car, electronics or a holiday rental, which is never received or does not exist. It often takes place online, through auction websites or social media.
There was a total of 3,866 reported cases of impersonation scams in the first six months of 2018. In these scams the criminal purports to be from the police, a bank or another organisation and tricks the victim into transferring money, often claiming there has been fraud on the account. The nature of these scams means the victim is often persuaded to transfer a significant sum, with an average loss in a police and bank impersonation scam of £11,402 and in other impersonation scams of £7,504.
Katy Worobec, Managing Director of Economic Crime at UK Finance, said “Fraud and scams pose a major threat to our country. The criminals behind it target their victims indiscriminately and the proceeds go on to fund terrorism, people smuggling and drug trafficking, whether or not the individual is refunded. Every part of society must help to stamp out this menace, especially by stopping the data breaches which increasingly are fuelling fraud. The finance industry is committed to fighting back, investing millions in security systems and cyber defences to protect customers. We have brought in new standards to ensure scam victims get the help they need from their payments provider; we are supporting law enforcement in disrupting the criminals and freezing stolen money; and we are assisting the government in improving intelligence sharing to extinguish the threat.”
The APP (authorised push payment) scams data for January to June 2018 shows:
- A total of £145.4 million was lost due to APP scams, split between personal (£92.9 million) and non-personal or business (£52.5 million) accounts.
- In total there were 34,128 cases of APP scams, split between personal (31,510 cases) and non-personal (2,618 cases) accounts.
- Financial providers were able to return a total of £30.9 million of the losses in the first half of 2018.
In an APP scam, the account holder is duped into authorising a payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses. UK Finance has been working with consumer groups and the Payment Systems Regulator on proposals to tackle these scams and to establish an industry code which clearly establishes the circumstances in which APP scam victims will be reimbursed by their payments provider.
UK Finance began collating data on APP scams for the first time last year. In the first half of 2017 there were 19,370 cases of APP scams reported, with £101.2 million in losses. However, the data published today is not directly comparable with the 2017 figures. At the start of 2018, new industry guidelines were introduced which have improved the identification and reporting of APP scams. Four additional banks also began reporting the data to UK Finance this January.
In context, there was a total of over 4.2 billion bank transfers made in 2017. The enhanced data on APP scams, collated since the start of 2018, provides a breakdown by different scams, payment types and payment channels. The data shows the most prevalent type of APP scams were purchase scams, accounting for 63 per cent of cases. While CEO fraud had the fewest cases, it resulted in the highest average case value of £23,055.
Malicious payee (where the victim authorises a payment for what they believe are legitimate purposes, usually to obtain goods or services, but it is a scam):

| Scam type | Number of cases | Total amount stolen | Average case value |
Malicious redirection (where the victim intends to pay a legitimate payee, but the criminal instead directs them to authorise a payment to a fraudulent third party):

| Scam type | Number of cases | Total amount stolen | Average case value |
|---|---|---|---|
| Invoice and mandate | 2,856 | £49.3m | £17,262 |
| Impersonation (police and bank) | 1,947 | £22.2m | £11,402 |

The unauthorised fraud data on payment cards, remote banking and cheques for January to June 2018 shows:
- Combined total losses decreased by 2 per cent year-on-year to £358.0 million.
- Losses due to unauthorised transactions on payment cards fell 2 per cent year-on-year to £281.2 million. The industry helped prevent £493.5 million in attempted unauthorised card fraud.
- Losses due to unauthorised remote banking fraud totalled £73.6 million, flat compared to 2017. Banks prevented £137.8 million of attempted unauthorised remote banking fraud.
- Cheque fraud losses fell 41 per cent to £3.2 million. This is the lowest half-year total on record. £74.3 million of attempted unauthorised cheque fraud was prevented.
- There were 1,036,376 reported cases of unauthorised financial fraud, a rise of 10 per cent compared to the year before.
In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third party. In the vast majority of cases, victims of unauthorised fraud would receive a full refund.
The finance industry is tackling authorised and unauthorised fraud by:
- Helping customers stay safe from fraud and spot the signs of a scam through the Take Five to Stop Fraud campaign, in collaboration with the Home Office.
- Working with consumer groups as part of the Payment Systems Regulator’s Steering Group to develop an industry code clarifying the circumstances in which the victims of authorised push payment scams will be reimbursed by their payments providers.
- Joining with government and law enforcement to deter and disrupt the criminals responsible and better trace, freeze and return stolen funds.
- Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need.
- Delivering the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place. The system is now operational in every police force area and in the first six months of this year prevented £14.6 million in fraud and led to 100 arrests.
- Sponsoring a specialist police unit, the Dedicated Card and Payment Crime Unit, which tackles the organised criminal groups responsible for financial fraud and scams. In the first half of 2018, the Unit prevented £25 million of fraud and carried out 84 arrests and interviews under caution.
- Working with the Information Commissioner’s Office to establish guidance on how information about APP scams can be shared between UK Finance members, so they can protect their customers while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
- Hosting the Government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports, so that it meets the needs of crime agencies, regulators, consumers and businesses.
Tony Blake, Head of Fraud Prevention at Dedicated Card and Payment Crime Unit, said “Criminals are after your money and they are clever at getting it, impersonating people and organisations to groom even the savviest into acting. If you get a call, text, email or social media message asking for your personal or financial details or to transfer money, it could be a scam so stop, think and Take Five. Check every request is genuine by doing some research and contact the organisation using the details from their official website, a latest bill or statement.”
Intelligence indicates that social engineering, in which criminals groom and manipulate people into divulging personal or financial details or transferring money, was the key driver of both unauthorised and authorised fraud losses in the first half of 2018.
Impersonation and deception scams are an all too common form of social engineering, where a fraudster contacts their victim by phone, text message, email or social media pretending to be a genuine person or organisation, such as a bank, the police, a utility company or a government department. The criminal then either tricks the individual into revealing personal or financial information, which is used to facilitate unauthorised fraud, or persuades their victim to authorise a payment to them.
Data theft also continues to be a major enabler of fraud and contributor to fraud losses. This occurs particularly through third-party data breaches, but also includes mail intercepts, malware and phishing. The stolen data is either used by criminals to commit fraud directly, for example, card details are used to make an unauthorised purchase online, or it is used to target individuals in impersonation scams. Criminals also use the publicity surrounding data breaches as an opportunity to commit fraud, sometimes posing as the affected organisation.