-
Finance industry stops £2 in £3 of
attempted unauthorised fraud
-
Purchase scams revealed as the most
common type of authorised push payment
scam
-
Criminals use social engineering to
commit fraud, fuelled by information gained from data
breaches
A total of £503.4 million was stolen by
criminals through authorised and unauthorised fraud in the first
six months of 2018, new data from UK Finance
shows.
During the same period, the finance industry
prevented £705.7 million of unauthorised fraud, equivalent to £2
in every £3 of attempted unauthorised fraud.
Newly-collected data, published for the first
time, reveals that purchase scams were
the most prevalent authorised push payment (APP) scam in the
first half of 2018, accounting for almost two thirds of reported
APP cases with a total of £19.4 million lost. In these scams the
victim pays in advance for a product or service, such as a car,
electronics or a holiday rental, which is never received or does
not exist. It often takes place online, through auction websites
or social media.
There was a total of 3,866 reported cases
of impersonation scams in the first
six months of 2018. In these scams the criminal purports to be
from the police, bank and other organisations and tricks the
victim into transferring money, often claiming there has been
fraud on the account. The nature of these scams means the victim
is often persuaded to transfer a significant sum, with an average
loss in a police and bank impersonation scam of £11,402 and in
other impersonation scams of £7,504.
Katy Worobec, Managing Director of Economic
Crime at UK Finance, said:
“Fraud and scams pose a major threat to our
country. The criminals behind it target their victims
indiscriminately and the proceeds go on to fund terrorism, people
smuggling and drug trafficking, whether or not the individual is
refunded. Every part of society must help to stamp out this
menace, especially by stopping the data breaches which
increasingly are fuelling fraud.
“The finance industry is committed to fighting
back, investing millions in security systems and cyber defences
to protect customers. We have brought in new standards to ensure
scam victims get the help they need from their payments provider;
we are supporting law enforcement in disrupting the criminals and
freezing stolen money; and we are assisting the government in
improving intelligence sharing to extinguish the
threat.”
Authorised push payment (APP)
scams
The APP scams data for January to June 2018
shows:
-
A total of £145.4 million was lost due to APP
scams, split between personal (£92.9 million) and non-personal
or business (£52.5 million) accounts.
-
In total there were 34,128 cases of APP
scams, split between personal (31,510 cases) and non-personal
(2,618 cases) accounts.
-
Financial providers were able to return a
total of £30.9 million of the losses in the first half of
2018.
In an APP scam, the account holder is
duped into authorising a payment to be made to another
account. If a customer authorises the payment
themselves, current legislation means that they have no legal
protection to cover them for losses. UK Finance has been working
with consumer groups and the Payment Systems Regulator on
proposals to tackle these scams and to establish an industry code
which clearly establishes the circumstances in which APP scam
victims will be reimbursed by their payments
provider.
UK Finance began collating data on APP scams
for the first time last year. In the first half of 2017 there
were 19,370 cases of APP scams reported, with £101.2 million in
losses. However, the data published today is not directly
comparable with the 2017 figures. At the start of
2018, new industry
guidelines2 were introduced which have
improved the identification and reporting of APP scams. Four
additional banks also began reporting the data to UK Finance this
January.
In context, there was a total of over 4.2
billion bank transfers made in 2017.
The enhanced data on APP scams, collated since
the start of 2018, provides a breakdown by different scams,
payment types and payment channels. The data shows the most
prevalent type of APP scams were purchase scams, accounting for
63 per cent of cases. While CEO fraud had the least number of
cases, it resulted in the highest average case value of
£23,055.
Malicious payee (where
the victim authorised a payment for what they believe are for
legitimate purposes, usually to obtain goods or services, but it
is a scam)3:
|
Scam
type
|
Number of
cases
|
Total amount
stolen
|
Average case
value
|
|
Purchase
|
21,483
|
£19.4m
|
£903
|
|
Advance fee
|
3,646
|
£6.0m
|
£1618
|
|
Investment
|
1,359
|
£20.9m
|
£15,305
|
|
Romance
|
571
|
£5.3m
|
£9,282
|
Malicious
redirection (where the victim intends to pay a
legitimate payee, but the criminal instead directs them to
authorise a payment to fraudulent third
party)4:
|
Scam
type
|
Number of
cases
|
Total amount
stolen
|
Average case
value
|
|
Invoice and
mandate
|
2,856
|
£49.3m
|
£17,262
|
|
Impersonation (police and
bank)
|
1,947
|
£22.2m
|
£11,402
|
|
Impersonation
(other)
|
1,919
|
£14.4m
|
£7,504
|
|
CEO fraud
|
347
|
£8.0m
|
£23,055
|
Unauthorised
fraud
The unauthorised fraud data on payment cards,
remote banking and cheques for January to June 2018
shows:
-
Combined total losses decreased by 2 per cent
year-on-year to £358.0 million.
-
Losses due to unauthorised transactions on
payment cards fell 2 per cent year-on-year to £281.2 million.
The industry helped prevent £493.5 million in attempted
unauthorised card fraud.
-
Losses due to unauthorised remote banking
fraud totalled £73.6 million, flat compared to 2017. Banks
prevented £137.8 million of attempted unauthorised remote
banking fraud.
-
Cheque fraud losses fell 41 per cent to £3.2
million. This is the lowest half-year total on record. £74.3
million of attempted unauthorised cheque fraud was
prevented.
-
There were 1,036,376 reported cases of
unauthorised financial fraud, a rise of 10 per cent compared to
the year before.
In an unauthorised fraudulent
transaction, the account holder themselves does not provide
authorisation for the payment to proceed and the transaction is
carried out by a third-party. In the vast majority
of cases, victims of unauthorised fraud would receive a full
refund.
Industry
action
The finance industry is tackling authorised and
unauthorised fraud by:
-
Helping customers stay safe from fraud and
spot the signs of a scam through the Take Five to Stop Fraud
campaign, in collaboration with the Home
Office.
-
Working with consumer groups as part of the
Payment Systems Regulator’s Steering Group to develop an
industry code clarifying the circumstances in which the victims
of authorised push payment scams will be reimbursed by their
payments providers.
-
Joining with government and law enforcement
to deter and disrupt the criminals responsible and better
trace, freeze and return stolen funds.
-
Implementing new standards to ensure those
who have fallen victim to fraud or scams get the help they
need.
-
Delivering the Banking Protocol – a
ground-breaking rapid response scheme through which branch
staff can alert police and Trading Standards to suspected
frauds taking place. The system is now operational in every
police force area and in the first six months of this year
prevented £14.6 million in fraud and led to 100
arrests.
-
Sponsoring a specialist police unit, the
Dedicated Card and Payment Crime Unit, which tackles the
organised criminal groups responsible for financial fraud and
scams. In the first half of 2018, the Unit prevented £25
million of fraud and carried out 84 arrests and interviews
under caution.
-
Working with the Information Commissioner’s
Office to establish guidance on how information about APP scams
can be shared between UK Finance members, so they can protect
their customers, while calling for new powers on information
sharing to allow banks to share data to detect and prevent
financial crime better.
-
Hosting the Government-led programme to
reform the system of economic crime information sharing, known
in the industry as Suspicious Activity Reports, so that it
meets the needs of crime agencies, regulators, consumers and
businesses.
Staying
safe
Tony Blake, Head of Fraud Prevention at
Dedicated Card and Payment Crime Unit,
said:
“Criminals are after your money and they are
clever at getting it, impersonating people and organisations to
groom even the savviest into acting. If you get a call, text,
email or social media message asking for your personal or
financial details or to transfer money, it could be a scam so
stop, think and Take Five. Check every request is genuine by
doing some research and contact the organisation using the
details from their official website, a latest bill or
statement.”
To stay safe, customers are urged to follow the
advice of the Take Five to Stop
Fraud campaign:
-
A genuine bank or organisation will never
contact you out of the blue to ask for your PIN, full password
or to move money to another account. Only give out your
personal or financial details to use a service that you have
given your consent to, that you trust and that you are
expecting to be contacted by.
-
Don’t be tricked into giving a fraudster
access to your personal or financial details. Never
automatically click on a link in an unexpected email or
text.
-
Always question uninvited approaches in case
it’s a scam. Instead, contact the company directly using a
known email or phone number.
Behind the
data
Intelligence indicates that social engineering,
in which criminals groom and manipulate people into divulging
personal or financial details or transferring money, was the key
driver of both unauthorised and authorised fraud losses in the
first half of 2018.
Impersonation and deception scams are an all
too common form of social engineering, where a fraudster contacts
their victim by phone, text message, email or social media
pretending to be a genuine person or organisation, such as a
bank, the police, a utility company or a government department.
The criminal then either tricks the individual into revealing
personal or financial information, which is used to facilitate
unauthorised fraud, or persuades their victim to authorise a
payment to them.
Data theft also continues to be a major enabler
of fraud and contributor to fraud losses. This occurs
particularly through third-party data breaches, but also includes
mail intercepts, malware and phishing. The stolen data is either
used by criminals to commit fraud directly, for example card
details are used to make an unauthorised purchase online, or it
is used to target individuals in impersonation scams. Criminals
also use the publicity surrounding data breaches as an
opportunity to commit fraud, sometimes posing as the affected
organisation.
Ends
For more information please call the UK Finance press
office on 020 7416 6750 or email press@ukfinance.org.uk
Notes to
Editor
-
The full set of authorised and unauthorised
fraud and scams data for January to June 2018, including
breakdowns by fraud type, is available here. UK
Finance has also today published a report on fraud
threats and what the industry is doing to protect
consumers. (Please
note these figures and the report are both strictly embargoed
until 23.00hrs Monday 24 September 2018). The
fraud data for 2017, published in March, is
available here.
-
The industry best practice guidelines set out
principles for APP claim reporting
standards:
-
Banks will have 24-hour, 7-day dedicated
staff trained in scam management to deal with and process APP
scam complaints.
-
The customer will only have to deal with
their own bank or account provider. The victim’s bank will act
as the intermediary between the victim and the beneficiary
bank, and will be the victim’s sole point of
contact.
-
Banks have agreed on a set of necessary
information, to be collated by the victim’s bank following APP
scam complaints.
-
The victim’s bank will collate and provide
this information to the beneficiary bank and the latter will
proceed with its investigation into the alleged
scam.
-
The beneficiary bank will conduct an
investigation, recover funds where possible and appropriate,
and return funds to the victim if it can.
-
The banks will also collaborate more widely
with each other on information to support investigations and
protect victims.
-
Types of malicious payee
scam:
-
Purchase scam: In a
purchase scam, the victim pays in advance for goods or services
that are never received. These scams usually involve the use of
an online platform such as an auction website or social media.
Common scams include the apparent the sale of a car or a
technology product, such as a phone or computer, advertised at
a low price to attract buyers. Criminals also advertise fake
holiday rentals and concert tickets. While many online
platforms offer secure payment options, the criminal will
persuade their victim to pay via a bank transfer
instead.
-
Advance fee scam: In an
advance fee scam, a criminal convinces their victim to pay a
fee which would they claim would result in the release of a
much larger payment or high value goods, however no such
payment exists. These scams include the criminal claiming that
the victim has won an overseas lottery or that gold or
jewellery is being held at customs and a fee must be paid to
release the funds or goods.
-
Investment scam: In an
investment scam, a criminal convinces their victim to move
their money to a fictitious fund or to pay for a fake
investment. The criminal usually offers high returns to entice
their victim. These scams include investment in items such as
gold, property, carbon credits, land banks and
wine.
-
Romance scam: In a
romance scam, the victim is convinced to make a payment to a
person they have met, often online through social media or
dating websites, and with whom they believe they are in a
relationship. The ‘relationship’ is often developed over a long
period and the individual is convinced to make multiple,
generally smaller, payments to the
criminal.
-
Types of malicious redirection
scam:
-
Invoice and mandate
scam: In an invoice or mandate scam, the victim
attempts to pay an invoice to a legitimate payee, but the
scammer intervenes to convince the victim to redirect the
payment to the scammer's account. This type of fraud often
involves email interception or compromise. It includes
criminals targeting consumers posing as conveyancing
solicitors, builders and other tradespeople, or targeting
businesses posing as a supplier, and claiming that the bank
account details have changed.
-
Impersonation (police and
bank): In this scam, the criminal contacts the
victim purporting to be from either the police or the victim’s
bank and convinces the victim to make a payment. Often the
fraudster will claim there has been fraud on the victim's
account and they need to transfer the money to a 'safe account'
to protect their funds. However, the criminal actually controls
the recipient account. Criminals may pose as the police and ask
the individual to take part in an undercover operation to
investigate ‘fraudulent’ activity at a
branch.
-
Impersonation
(other): In this scam, a criminal contacts the
victim purporting to be from an organisation other than the
police or the victim's bank and asks the victim to make a
payment. Fraudsters pose as organisations such as utility
companies, communications service providers or government
departments and claim that the victim must to settle a
fictitious fine or to return an erroneous refund. The scams can
often involve the criminal requesting remote access to the
victim’s computer.
-
CEO fraud: CEO fraud is
where a victim attempts to make a payment to a legitimate
payee, but the scammer manages to intervene by impersonating
the CEO of the victim's organisation to convince them to
redirect the payment to the scammer's account. This type of
fraud mostly affects businesses. The criminal will either
access the company’s email system or use spoofing software to
email a member of the finance team with what appears to be a
genuine email from the CEO with a request to change payment
details or make an urgent payment to a new
account.
