Authorised Push Payment (APP) fraud is, unfortunately, gaining momentum in the UK, and scamsters seem to be targeting the property industry heavily. The reason why this should be the case is obvious: the ‘rewards’ for their efforts are disproportionately high when compared to other industries they could target. Therefore, anyone making transactions within the property sector needs to be aware of what’s going on. Knowledge is, after all, power.
If you’ve never heard of APP scams before, or if you’re wondering what’s going on at a higher level to protect consumers, this post is for you. We’ve also outlined our own experience and given you a couple of pointers as to how to protect yourself against the threat.
First, though, let’s answer the obvious question...
What is Authorised Push Payment (APP) fraud?
APP fraud is a relatively unsophisticated deception, but it is extremely effective due to the way in which it is delivered. Fraudsters gain access to an individual’s information, usually via a hacked email account, and then present themselves as a company with whom the hacked account owner is already doing business.
From there, the con artist will ask for a payment to be made to a bank account that is supposedly held by the legitimate company they are pretending to be. While this may sound like it would set alarm bells off if you were to receive such a request, the scammers are cunning enough to bide their time and wait for the most opportune moment in which to strike.
They will monitor email threads between consumers and businesses to look for payment dates and details, then use the information they have gathered in order to ask for a transaction to be made at a time when the victim may expect a payment request to hit their inbox. Completion day on a property purchase, for example.
The victim would be expecting to pay their solicitor for conveyancing services, settle stamp duty charges, transfer deposits, etc. on that day, so receiving such an email from the firm they have been dealing with wouldn’t necessarily be deemed a red flag event...especially as they’ll have lots of other things going on at the same time.
While some may question it, others will make the payment and the fraudster walks away with the cash as the majority of transfers are now made via real-time payment schemes. Take Howard Mollett’s case as a shocking prime example.
Types of APP fraud
While the property industry is clearly a favourite target of scammers initiating APP fraud, the problem can affect pretty much anyone with access to online banking. Remember, the hackers will have already accessed your email account, so they’ll be able to perfectly replicate an invoice from someone you may have paid in the past without issue.
Another common deception is when the fraudster pretends to be a contractor you may have hired to carry out work for you. Again, it is common practice to exchange emails with tradespeople these days, so a hacker will have a blow-by-blow account of the work completed and the likely amount due. All that remains is for them to rustle up an invoice and hit send, presenting you with what you will naturally feel is a legitimate request for payment.
Although not as common as the other methods mentioned, account takeovers can also occur should you divulge bank details via email. Doing so may well open you up to hackers who will then hit your bank account with multiple push payments, sending funds to various accounts of their choosing. Some may be picked up by fraud protection measures, but many will not.
The vast majority of victims are consumers (88% according to UK Finance), but businesses are not immune to the problem. The fake invoice scam that is so commonly run on individuals can also target companies, but this time around the hacker will play the part of a supplier rather than a contractor.
The targeted business will commonly be persuaded to amend their records, changing the bank account details they hold for their suppliers to those of the fraudster. Once completed, the con artist is then free to request payments which can run into many thousands of pounds.
How we were targeted
As a prominent agent, we naturally appear on the radar of scamsters from time to time and we were recently hit with an attempted APP fraud. Here’s what happened...
The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him. Over the course of the day, they sent out numerous emails ‘warming up’ a colleague in the accounts department for a very large transfer by asking questions such as:
- Will you be able to make a transfer today?
- I need you to make this payment today.
- Please let me know once you have made the payment...etc.
The scam was only discovered when the accounts department phoned our director to tell him we had reached our payment limit for the day and so wouldn’t be able to make the payment. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.
The scam is simple, but effective. They probably went on to our website, created an email address with the display name of our managing director, and then simply targeted a member of the accounts team using the false email account by sending them a message requesting they make a payment.
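The display-name trick described above is something a mail filter can check for: a message carrying a senior person's name but sent from an address outside the company's own domain. The following is an added example, not part of the original post; the domain, the director's name and the sample messages are constructed assumptions.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed values for illustration: replace with your own domain and staff names.
TRUSTED_DOMAINS = {"agency.example"}
PROTECTED_NAMES = {"jane smith"}  # hypothetical managing director
PAYMENT_WORDS = re.compile(r"\b(transfer|payment|pay|invoice|bank details)\b", re.I)


def name_tokens(display_name):
    """Decode and normalise a display name into a set of lowercase words."""
    decoded = str(make_header(decode_header(display_name)))
    folded = unicodedata.normalize("NFKC", decoded).lower()
    return set(re.findall(r"[a-z]+", folded))


def assess(from_header, text):
    """Return reasons to hold a message for a phone call-back."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    tokens = name_tokens(display)
    reasons = []
    # Word order and punctuation are ignored, so "Smith, Jane" also matches.
    impersonation = domain not in TRUSTED_DOMAINS and any(
        set(name.split()) <= tokens for name in PROTECTED_NAMES
    )
    if impersonation:
        reasons.append("protected display name on external address")
        if PAYMENT_WORDS.search(text):
            reasons.append("payment request from that sender")
    return reasons


# Constructed sample messages (not real mail). A trusted domain in the From
# header only means the name/address pair is plausible; sender authentication
# (SPF/DKIM/DMARC) is still needed to rule out a forged From address.
SAMPLES = [
    ('"Jane Smith" <jane.smith.md@freemail.example>', "Will you be able to make a transfer today?"),
    ("Jane Smith <jane.smith@agency.example>", "I need you to make this payment today."),
    ("Supplier Ltd <accounts@supplier.example>", "Invoice attached for last month."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", assess(sender, text) or "no display-name finding")
```

A message that returns any reasons should be held until the named person has confirmed the request by phone or with the agreed code word.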
What are the authorities doing about APP fraud?
At present, banks are under no obligation to refund any money lost to a scam. Unlike credit card fraud, APP swindles are often put down to the negligence of the victim and not redeemed, something that is increasingly being regarded as hugely unfair. Thankfully, things may soon be about to change.
Consumer group Which? have submitted a ‘super-complaint’ to the Payment Systems Regulator (PSR) over the growing problem, with the request that banks shoulder greater responsibility for real-time bank transfer scams. In turn, the PSR has promised to look into the complaint made by Which? and also conduct an investigation themselves into what can be done to protect those affected by this type of fraud.
What you can do to protect yourself from APP fraud
Proactively protecting yourself from this kind of fraud can be difficult, as hackers can strike at any time. Changing passwords frequently and using long and complicated alphanumeric strings - including upper and lower case letters along with special characters - is a good place to start, although such passwords can be a pain to use. To help with this, password managers such as LastPass are highly recommended.
While frequently changing your email account’s password may scupper some scammers, others may still get through, so the best line of defence will always be your common sense. If anything at all seems fishy, be suspicious. In fact, be suspicious even if all seems well! You simply cannot be too careful.
Give the company asking for payment a ring to see if the request is legit. Dig out old paper records or search Google for the company in question to find their contact details - do not under any circumstances use the contact details listed in the email, as these are likely to be those of the hacker, not the genuine company.
If you are requested to make a significant payment (even if it is one you are expecting) via email, making a small payment first and then checking that the recipient is who it is supposed to be before transferring the rest can help protect your money. While it may be more inconvenient to make two payments instead of one, it’s a small price to pay if you want to keep your finances safe and avoid joining the tens of thousands of people who have already been adversely affected by APP fraud.
Finally, if you own a business that could potentially be targeted with APP fraud, make it a matter of course to call the beneficiary of payments over a set amount. Also, agree a ‘safe word’ with your accounts department and insist they call you before making any payment over a certain figure; it could save you thousands. Similarly, alarm bells should ring if you are ever asked to pay a regular beneficiary or supplier via an alternative bank account. Be on your guard...it’s a real threat.