26th Nov 2024

Fighting back against fraud: How to protect your profits from Authorised Push Payment (APP) schemes and fraudsters

APP fraud is fast becoming one of the biggest threats to UK businesses.

In 2023, it was responsible for more than £500m of theft from businesses and individuals. For those with the awareness of what it looks like and the ability to counteract it, it can be straightforwardly prevented. But without this crucial (and ever evolving) knowledge, it can be easy to become a victim.

Many APP scams are opportunistic and conducted at scale, so you might only need to be more difficult to deceive than another business to stay relatively safe. Like burglars who see a house alarm system, fraudsters might well move on if your security and readiness are too high to warrant the effort of overcoming them.

However, for more targeted and sophisticated attempts, you need more advanced protection.

In this article, we’ll discuss how to implement preventative measures and how to respond to incidents of fraud, and show examples of industry best practice.

(If you would like an introduction to APP fraud and how it works, read this article.)

 

Recognising the signs of APP fraud

Vigilance is your primary defence in keeping your profits out of the hands of APP fraudsters. If you can recognise suspicious activity before any transactions can be made, you’ll save a lot of time, money, and effort.

When you’re on the lookout for red flags, keep these common tactics in mind:

  • Urgent requests, deadlines, and time-sensitivity
    If you receive a communication using high-pressure techniques, even if it seems legitimate at first, this should warrant further investigation. Fraudsters use this tactic to create panic, so that you won’t take the time to consider and investigate the request.

  • Unusual or alternative payment methods
    Most repeat business transactions utilise the same method as previous payments, and whilst suppliers may wish to change provider (e.g. from BACS to Faster Payments), this should always be investigated and validated. Be particularly vigilant against being asked to use unusual payment methods, like gift cards.

  • Unfamiliar contacts
    Posing as a trusted contact is a common tactic for APP fraudsters, but they can also attempt to deceive you by posing as a new starter, contractor, or temporary worker.

  • Errors, typos, and tone-of-voice
    Look out for mistakes in emails or phone calls that suggest the person you’re speaking to may not be familiar with your language, systems, or procedures. Also keep an eye out for an unfamiliar tone-of-voice, especially in emails where you’re familiar with the writing style of the payee.

  • Visuals and branding
    Many fraudsters can now effectively imitate branded assets like company letterheads or email signatures. Many scams are caught out when employees notice outdated or retired versions of logos or graphics.

  • Requests for personal information
    If you’re being asked for identifiable or secure information (like bank account details or passwords) then you’re very likely to be speaking with a scammer. Most banks or financial institutions try to prevent fraud for their customers by clarifying that they would never request this type of data through any means of communication.

Implementing preventative measures

As scams become more sophisticated, both technologically and psychologically, we recommend implementing strong fraud prevention procedures and training:

  • Staff training
    Regular formal training for your employees is vital, even for those not involved in payment procedures. Any member of staff can potentially be manipulated into playing a role in a fraudulent payment. Provide them with regular updates on how to identify and report suspicious activity.

  • Robust authentication
    Implement strong authentication measures, especially multi-factor authentication, to protect your payment process from being compromised.

  • Regular security updates
    Keep your software and systems up-to-date with the latest security patches. Whilst APP fraud doesn’t usually involve hacking or unauthorised access to accounts, the techniques fraudsters use will be combatted by new features from your banks and payment providers – so make sure you’re always using the latest version of any systems.

  • Review payment procedures
    The vulnerabilities exploited by APP fraudsters are often based on weaknesses in corporate payment procedures. Fraudsters will endeavour to learn about and circumvent your safety protocols, so regular reviews are critical to ensure they stay secure and compliant with best practice.

  • Phishing filters
    Your online security plays a key role in catching early-stage APP fraud attempts, which often come in the form of phishing emails. Using a robust filter will capture many of these before they reach your employees’ inboxes.

Responding to incidents

Thankfully, most victims of unauthorised fraud cases are legally protected against losses. In 2023, 62% of APP fraud losses were reimbursed.

But financial loss is only one of the many impacts suffered by businesses as a result of APP fraud – you may still suffer from a damaged reputation, fines, or increased operational costs due to investigation and resolution of the incident.

If you do become the victim of APP fraud, we recommend a multi-step response process:

  • Report it
    Contact your bank, financial institution, payment provider, and local police force immediately to report the fraudulent transaction. This is an important legal step, as it is part of your due diligence and may form the basis of any insurance claim or defence against fines.

  • Gather evidence
    Collect any evidence related to the fraud immediately, whilst it remains fresh and available. This includes emails, phone records, bank statements, and witness statements of what happened.

  • Close the gap
    Review your security measures and fix the vulnerability which has been exploited to make the fraudulent payment – with improved payment procedures, software updates, or updated internal processes.

  • Talk to the Payment Systems Regulator
    From 7 October 2024, the PSR will introduce mandatory reimbursement rules which make payment services providers liable for reimbursing customers.

For a deeper dive into APP fraud, including discussions of real-life scenarios and best practices to prevent fraud, download our free guide:

 

A finance leader’s guide to combatting Authorised Push Payment (APP) fraud

What’s inside:

  • How APP fraud works and the industries most at risk
  • Financial and reputational impacts to watch for
  • Proven prevention strategies and emerging trends in AI-powered fraud
  • An overview of the evolving regulatory landscape
