My daily constitutional and nefarious activities
Issue 287 | 12 March 2022
My daily constitutional
It takes me 26 minutes to complete my daily “Village 360” walk.
A daily constitutional equating to 1,560 seconds - a short walk through the village, a quick look at the boats in the canal, a wander along the estuary and, finally, across a field to return home - all enhanced by listening to Barb MacLean’s excellent Fintech Playlist.
However, some people choose to spend their equivalent 1,560 seconds in a much more nefarious manner - by scamming the citizens of the UK.
Sadly, fraudsters do not limit their activity to coincide with my walking habits. Which? has calculated that between July 2019 and the end of June 2021 a total of £854 million was lost across 306,573 cases of APP fraud, and only 42 per cent of losses were returned to customers.
UK Finance takes a wider definition of fraud in its “2021 Half Year Fraud Report”:
In the first half of this year, criminals stole a total of £753.9 million through fraud, an increase of over a quarter (30 per cent) compared to H1 2020. The advanced security systems used by banks prevented a further £736 million from being taken.
Over the previous editions, our reports showed the largest fraud losses were due to unauthorised fraud committed using payment cards. However, in the first half of 2021, criminals focused their activity on authorised push payment (APP) fraud, where the customer is tricked into authorising a payment to an account controlled by a criminal.
Using tactics such as scam phone calls, text messages and emails, as well as fake websites and social media posts, criminals seek to trick people into handing over personal details and passwords. This information is then used to target victims and convince them to authorise payments.
If you like maths, here’s the (eye watering) sum.
Based on figures from UK Finance covering July 2019 to June 2021, Which? has calculated that £495 million has not been reimbursed, meaning customers have been left to shoulder net losses at a rate of £4.7 million a week, £676,881 a day or £28,203 an hour.
Authorised Push Payment (APP) scams happen when a person or business is tricked into sending money to a fraudster posing as a genuine payee. These types of scams can have a devastating impact on the people who fall victim to them.
The Payment Systems Regulator (PSR) has stated that it expects to see more action from financial institutions to stop these scams from happening and to better protect people if they do fall victim.
There are eight types of APP scam, each falling into one of two categories:
‘malicious payee’, for example, tricking someone into purchasing goods which don’t exist or are never received.
‘malicious redirection’, for example a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into that of a fraudster.
Protecting people from APP Scams
The PSR has, helpfully, published an infographic of their work to protect people from APP Scams:
Getting the right protections for everyone
The growing problem of APP scams has seen people lose devastating amounts of money. More needs to be done and while voluntary industry measures have helped some victims, there are many institutions which have yet to step up to the mark and protect people properly – including social media firms.
The range of steps we plan to take will show people which banks and building societies are likely to respond to frauds in the right way and will put the onus on financial institutions to get better at detecting and preventing scams.
We are also setting out the way to make reimbursement mandatory for those blameless victims so that, when the law is changed, we are ready to act as quickly as possible to get protections to the people who need them.
Chris Hemsley, Managing Director of the PSR
In November 2021, the PSR set out three measures that they believe will help tackle these devastating crimes:
Publication of fraud data by banks: Banks and building societies in the 12 largest banking groups in Great Britain and two largest banks in Northern Ireland outside those banking groups must publish data on their performance in relation to APP scams, on reimbursement levels for victims, and which banks and building societies’ accounts are being used to receive the fraudulent funds; and
Improve scam prevention: Industry will improve intelligence sharing to enhance detection and prevention of APP scams.
Reimbursing victims: Developing how best to make reimbursement mandatory to victims of APP scams once legislative changes have been made.
The PSR’s consultation closed in January 2022 and it is expected that the PSR will publish its conclusions soon.
Legislating to address any barriers to regulatory action
HM Treasury has stated that legislative changes will be made by the Government to provide for mandatory reimbursement for scam victims.
Push payment fraud is posing an escalating risk to UK customers, with increasingly sophisticated scams that can be detrimental to people’s lives.
The Government’s position is that liability and reimbursement requirements on firms need to be clear so that customers are suitably protected. It is welcome that the Payment Systems Regulator is consulting on measures to that end, and to help prevent these scams from happening in the first place.
The Government will also legislate to address any barriers to regulatory action at the earliest opportunity.
John Glen, Economic Secretary to the Treasury
Contingent Reimbursement Model (CRM) Code
In 2018, the PSR set up a steering group of industry and consumer representatives, led by an independent chair, to develop a voluntary, industry CRM Code. The final Code came into force in May 2019.
The CRM Code aims to reduce both the occurrence and impact of APP scams, and is designed to give people the confidence that, if they fall victim to an APP scam and have acted appropriately, they will be reimbursed. It sets out standards for signatory Payment Service Providers (PSPs) – a group including the largest banks in the UK – and for customers who are covered by the Code (consumers, micro-businesses and small charities).
The Lending Standards Board (LSB) oversees the Code and its members, and the PSR monitors the operation of the Code and the impact it has on the number of APP scams. The Financial Ombudsman Service adjudicates on disputes between banks and customers on decisions under the Code.
Help me out here ... how can 'pay by link' even be a thing?
UK Finance’s reference to using tactics such as scam text messages and emails is interesting.
Demand for mobile payments is on the rise. Consumers want to move money quickly and easily, but they also have clear ideas about security: they do not want to expose their devices to link-based attacks, which are fast becoming the most perilous attack surface consumers have to deal with.
Phil Cracknell, former Cabinet Office Cyber Security Lead, and notable CISO advisor believes that the industry should be thinking hard about any decisions to adopt pay by link, regardless of the safeguards framed around it:
Owing to the rampant growth in phishing attacks, security practitioners like me have been working tirelessly to discourage users from clicking on links that might not be safe. Now it seems we’re saying—‘You know how I’ve been advising you for years not to trust links, well some of them are now okay.’ I think it’s confusing and, my suspicion is, others would agree.
Confirmation of Payee - Confidence and Trust
In 2020 the Confirmation of Payee (CoP) service was formally launched in the UK to help reduce fraud and misdirected payments.
Confirmation of Payee helps protect consumers and businesses from certain types of fraud and misdirected payments by letting them know if the account name they have entered matches the account name of the recipient.
The Confirmation of Payee service seeks to give businesses and consumers greater assurance that they are sending payments to the intended recipient.
Whilst not a silver bullet, the implementation of Confirmation of Payee is expected to be an effective way of combatting Authorised Push Payment scams (e.g. where a fraudster tricks their victim into willingly making a large bank transfer to an account the fraudster controls).
Confirmation of Payee also helps to avoid payments being sent to the wrong account due to ‘fat fingers’ (keyboard errors) when we type in somebody’s Sort Code and Account Number.
For the benefit of PSPs, to protect the payer and to thwart the fraudster, we are pleased to see that the Confirmation of Payee service will soon achieve service ubiquity (mandated by the regulator) and will no longer be left as an optional extra.
The majority of us will then not need to worry about different phases or whether or not the sending / receiving bank has adopted the CoP service.
Service ubiquity will mean that we will all have greater confidence when we make online payments, increase the trust we have in our banks and play a greater part in thwarting the (APP) fraudster.
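To make concrete what a Confirmation of Payee style check does for the payer, here is an added example that is not code from Pay.UK, SurePay or the newsletter. It first rejects malformed sort codes and account numbers (the “fat fingers” case above), then compares the name the payer typed against the name registered on the receiving account. The outcome categories (match, close match, no match, account not found), the name normalisation rules, the similarity threshold and the account registry are all assumptions constructed for this demonstration, not the scheme’s actual rules.

```python
"""Illustrative Confirmation of Payee (CoP) style name check.

Added example: not Pay.UK's or SurePay's implementation. Outcome
categories, normalisation rules, the similarity threshold and the
registry below are assumptions made for this demonstration.
"""
import re
from difflib import SequenceMatcher

# Constructed sample registry: (sort code digits, account number) -> registered name.
REGISTRY = {
    ("040004", "12345678"): "J Smith Plumbing Ltd",
    ("601613", "87654321"): "Joanna Smith",
}

TITLES = {"mr", "mrs", "ms", "miss", "dr"}      # dropped before comparison (assumption)
SUFFIXES = {"limited": "ltd"}                  # canonical company suffix (assumption)
CLOSE_MATCH_THRESHOLD = 0.85                   # assumed cut-off for a "close match"


def normalise_sort_code(raw):
    """Accept '04-00-04', '04 00 04' or '040004'; return six digits or None."""
    digits = re.sub(r"[\s-]", "", raw)
    return digits if re.fullmatch(r"\d{6}", digits) else None


def normalise_account_number(raw):
    """UK account numbers are eight digits; anything else is a typing error."""
    digits = re.sub(r"\s", "", raw)
    return digits if re.fullmatch(r"\d{8}", digits) else None


def normalise_name(name):
    """Lower-case, strip punctuation and titles, canonicalise suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    tokens = [SUFFIXES.get(t, t) for t in tokens if t not in TITLES]
    return " ".join(tokens)


def name_similarity(entered, registered):
    """Ratio in [0, 1] between the two normalised names."""
    return SequenceMatcher(None, normalise_name(entered), normalise_name(registered)).ratio()


def check_payee(sort_code, account_number, entered_name, registry=REGISTRY):
    """Return the CoP-style outcome for the details the payer typed.

    On a close match the registered name is returned so the payer can
    confirm it before sending money; on no match nothing is disclosed.
    """
    sc = normalise_sort_code(sort_code)
    acc = normalise_account_number(account_number)
    if sc is None or acc is None:
        return {"outcome": "invalid_account_details"}
    registered = registry.get((sc, acc))
    if registered is None:
        return {"outcome": "account_not_found"}
    if normalise_name(entered_name) == normalise_name(registered):
        return {"outcome": "match"}
    if name_similarity(entered_name, registered) >= CLOSE_MATCH_THRESHOLD:
        return {"outcome": "close_match", "registered_name": registered}
    return {"outcome": "no_match"}


if __name__ == "__main__":
    for details in [
        ("04-00-04", "12345678", "J. Smith Plumbing Limited"),   # match
        ("60 16 13", "87654321", "Mrs Joanne Smith"),            # close match (typo)
        ("60-16-13", "87654321", "Mr A Jones"),                  # no match
        ("60-16-13", "00000000", "Joanna Smith"),                # account not found
        ("60-16-13", "8765432", "Joanna Smith"),                 # seven-digit account number
    ]:
        print(details, "->", check_payee(*details))
```

The design point for the payer is in the close-match branch: the registered name is shown back so a typo can be confirmed, whereas a plain no-match discloses nothing about who holds the account, which keeps the service from becoming a tool for enumerating account holders.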
Unpacking Confirmation of Payee (CoP) - a Payments:Unpacked podcast with Paul Simpson at SurePay.
Last week’s edition of Payments:Unpacked featured a case study on SurePay’s implementation of Confirmation of Payee (CoP).
Thwarting the fraudster
The amount of APP fraud that is committed whilst I take my daily constitutional amble around the village is eye watering, and I salute anyone or anything that seeks to thwart the fraudster and protect the citizens of the UK.
Focussing on action after the fraud has taken place, Which? says the current reimbursement lottery leaves many victims facing an uphill struggle to recover their money, as the Code has been applied inconsistently and often wrongly by many firms. It believes that a reimbursement obligation should be placed on payment providers, with clear liability rules set out in legislation.
While commitments to make reimbursement mandatory were a huge win for consumers, it’s vital that the government introduces the right legislation that will ensure victims get fair and consistent treatment. The regulator must also ensure it is ready to introduce and enforce mandatory reimbursement rules the moment that this legislation is passed.
Rocio Concha, Which? Director of Policy and Advocacy.
It is clear that post-event measures such as the Contingent Reimbursement Model, intelligence data sharing and the publication of fraud data by banks are important tools for addressing the financial and life-changing implications of APP fraud.
However, as an industry we must redouble our focus on preventing the fraud from occurring in the first place.
The introduction of Confirmation of Payee has been a fantastic innovation and service ubiquity will mean that soon we will all have greater confidence when we make online payments, increase the trust we have in our banks and play a greater part in thwarting the (APP) fraudster.
Initiatives like Request to Pay offer the chance to transform bill payments without resorting to insecure SMS and email messages as the communications channel.
And, of course, we mustn’t forget the need to keep reminding people to always “Take Five” when making payments online.
Help grow Payments:Unpacked’s audience
If you enjoy reading Payments:Unpacked please share the word with your friends and colleagues - sharing the newsletter makes such a difference to growing the newsletter’s audience.