• Finance industry stops £2 in £3 of attempted unauthorised fraud
  • Purchase scams revealed as the most common type of authorised push payment scam
  • Criminals use social engineering to commit fraud, fuelled by information gained from data breaches

A total of £503.4 million was stolen by criminals through authorised and unauthorised fraud in the first six months of 2018, new data from UK Finance shows.

During the same period, the finance industry prevented £705.7 million of unauthorised fraud, equivalent to £2 in every £3 of attempted unauthorised fraud.

Newly-collected data, published for the first time, reveals that purchase scams were the most prevalent authorised push payment (APP) scam in the first half of 2018, accounting for almost two thirds of reported APP cases with a total of £19.4 million lost. In these scams the victim pays in advance for a product or service, such as a car, electronics or a holiday rental, which is never received or does not exist. It often takes place online, through auction websites or social media.

There was a total of 3,866 reported cases of impersonation scams in the first six months of 2018. In these scams the criminal purports to be from the police, bank and other organisations and tricks the victim into transferring money, often claiming there has been fraud on the account. The nature of these scams means the victim is often persuaded to transfer a significant sum, with an average loss in a police and bank impersonation scam of £11,402 and in other impersonation scams of £7,504.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said:

“Fraud and scams pose a major threat to our country. The criminals behind it target their victims indiscriminately and the proceeds go on to fund terrorism, people smuggling and drug trafficking, whether or not the individual is refunded. Every part of society must help to stamp out this menace, especially by stopping the data breaches which increasingly are fuelling fraud.

“The finance industry is committed to fighting back, investing millions in security systems and cyber defences to protect customers. We have brought in new standards to ensure scam victims get the help they need from their payments provider; we are supporting law enforcement in disrupting the criminals and freezing stolen money; and we are assisting the government in improving intelligence sharing to extinguish the threat.”

Authorised push payment (APP) scams

The APP scams data for January to June 2018 shows:

  • A total of £145.4 million was lost due to APP scams, split between personal (£92.9 million) and non-personal or business (£52.5 million) accounts.
  • In total there were 34,128 cases of APP scams, split between personal (31,510 cases) and non-personal (2,618 cases) accounts.
  • Financial providers were able to return a total of £30.9 million of the losses in the first half of 2018.

In an APP scam, the account holder is duped into authorising a payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses. UK Finance has been working with consumer groups and the Payment Systems Regulator on proposals to tackle these scams and to establish an industry code which clearly establishes the circumstances in which APP scam victims will be reimbursed by their payments provider.

UK Finance began collating data on APP scams for the first time last year. In the first half of 2017 there were 19,370 cases of APP scams reported, with £101.2 million in losses. However, the data published today is not directly comparable with the 2017 figures. At the start of 2018, new industry guidelines2 were introduced which have improved the identification and reporting of APP scams. Four additional banks also began reporting the data to UK Finance this January.

In context, there was a total of over 4.2 billion bank transfers made in 2017.

The enhanced data on APP scams, collated since the start of 2018, provides a breakdown by different scams, payment types and payment channels. The data shows the most prevalent type of APP scams were purchase scams, accounting for 63 per cent of cases. While CEO fraud had the least number of cases, it resulted in the highest average case value of £23,055.

Malicious payee (where the victim authorised a payment for what they believe are for legitimate purposes, usually to obtain goods or services, but it is a scam)3:

Scam type Number of cases Total amount stolen Average case value
Purchase 21,483 £19.4m £903
Advance fee 3,646 £6.0m £1618
Investment 1,359 £20.9m £15,305
Romance 571 £5.3m £9,282

Malicious redirection (where the victim intends to pay a legitimate payee, but the criminal instead directs them to authorise a payment to fraudulent third party)4:

Scam type Number of cases Total amount stolen Average case value
Invoice and mandate 2,856 £49.3m £17,262
Impersonation (police and bank) 1,947 £22.2m £11,402
Impersonation (other) 1,919 £14.4m £7,504
CEO fraud 347 £8.0m £23,055

Unauthorised fraud

The unauthorised fraud data on payment cards, remote banking and cheques for January to June 2018 shows:

  • Combined total losses decreased by 2 per cent year-on-year to £358.0 million.
  • Losses due to unauthorised transactions on payment cards fell 2 per cent year-on-year to £281.2 million. The industry helped prevent £493.5 million in attempted unauthorised card fraud.
  • Losses due to unauthorised remote banking fraud totalled £73.6 million, flat compared to 2017. Banks prevented £137.8 million of attempted unauthorised remote banking fraud.
  • Cheque fraud losses fell 41 per cent to £3.2 million. This is the lowest half-year total on record. £74.3 million of attempted unauthorised cheque fraud was prevented.
  • There were 1,036,376 reported cases of unauthorised financial fraud, a rise of 10 per cent compared to the year before.

In an unauthorised fraudulent transaction, the account holder themselves does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party. In the vast majority of cases, victims of unauthorised fraud would receive a full refund.

Industry action

The finance industry is tackling authorised and unauthorised fraud by:

  • Helping customers stay safe from fraud and spot the signs of a scam through the Take Five to Stop Fraud campaign, in collaboration with the Home Office.
  • Working with consumer groups as part of the APP Scam Steering Group set up by the Payment Systems Regulator, to develop an industry code clarifying the circumstances in which the victims of authorised push payment scams will be reimbursed by their payments providers.
  • Joining with government and law enforcement to deter and disrupt the criminals responsible and better trace, freeze and return stolen funds.
  • Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need.
  • Delivering the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place. The system is now operational in every police force area and in the first six months of this year prevented £14.6 million in fraud and led to 100 arrests.
  • Sponsoring a specialist police unit, the Dedicated Card and Payment Crime Unit, which tackles the organised criminal groups responsible for financial fraud and scams. In the first half of 2018, the Unit prevented £25 million of fraud and carried out 84 arrests and interviews under caution.
  • Working with the Information Commissioner’s Office to establish guidance on how information about APP scams can be shared between UK Finance members, so they can protect their customers, while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
  • Hosting the Government-led programme to reform the system of economic crime information sharing, known in the industry as Suspicious Activity Reports, so that it meets the needs of crime agencies, regulators, consumers and businesses.

Staying safe

Tony Blake, Head of Fraud Prevention at Dedicated Card and Payment Crime Unit, said:

“Criminals are after your money and they are clever at getting it, impersonating people and organisations to groom even the savviest into acting. If you get a call, text, email or social media message asking for your personal or financial details or to transfer money, it could be a scam so stop, think and Take Five. Check every request is genuine by doing some research and contact the organisation using the details from their official website, a latest bill or statement.”

To stay safe, customers are urged to follow the advice of the Take Five to Stop Fraud campaign:

  • A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
  • Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
  • Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number.

Behind the data

Intelligence indicates that social engineering, in which criminals groom and manipulate people into divulging personal or financial details or transferring money, was the key driver of both unauthorised and authorised fraud losses in the first half of 2018.

Impersonation and deception scams are an all too common form of social engineering, where a fraudster contacts their victim by phone, text message, email or social media pretending to be a genuine person or organisation, such as a bank, the police, a utility company or a government department. The criminal then either tricks the individual into revealing personal or financial information, which is used to facilitate unauthorised fraud, or persuades their victim to authorise a payment to them.

Data theft also continues to be a major enabler of fraud and contributor to fraud losses. This occurs particularly through third-party data breaches, but also includes mail intercepts, malware and phishing. The stolen data is either used by criminals to commit fraud directly, for example card details are used to make an unauthorised purchase online, or it is used to target individuals in impersonation scams. Criminals also use the publicity surrounding data breaches as an opportunity to commit fraud, sometimes posing as the affected organisation.

Notes to Editor

  1. The full set of authorised and unauthorised fraud and scams data for January to June 2018, including breakdowns by fraud type, is available here. UK Finance has also today published a report on fraud threats and what the industry is doing to protect consumers. (Please note these figures and the report are both strictly embargoed until 23.00hrs Monday 24 September 2018). The fraud data for 2017, published in March, is available here.
  2. The industry best practice guidelines set out principles for APP claim reporting standards:
    • Banks will have 24-hour, 7-day dedicated staff trained in scam management to deal with and process APP scam complaints.
    • The customer will only have to deal with their own bank or account provider. The victim’s bank will act as the intermediary between the victim and the beneficiary bank, and will be the victim’s sole point of contact.
    • Banks have agreed on a set of necessary information, to be collated by the victim’s bank following APP scam complaints.
    • The victim’s bank will collate and provide this information to the beneficiary bank and the latter will proceed with its investigation into the alleged scam.
    • The beneficiary bank will conduct an investigation, recover funds where possible and appropriate, and return funds to the victim if it can.
    • The banks will also collaborate more widely with each other on information to support investigations and protect victims.
  3. Types of malicious payee scam:
    • Purchase scam: In a purchase scam, the victim pays in advance for goods or services that are never received. These scams usually involve the use of an online platform such as an auction website or social media. Common scams include the apparent the sale of a car or a technology product, such as a phone or computer, advertised at a low price to attract buyers. Criminals also advertise fake holiday rentals and concert tickets. While many online platforms offer secure payment options, the criminal will persuade their victim to pay via a bank transfer instead.
    • Advance fee scam: In an advance fee scam, a criminal convinces their victim to pay a fee which would they claim would result in the release of a much larger payment or high value goods, however no such payment exists. These scams include the criminal claiming that the victim has won an overseas lottery or that gold or jewellery is being held at customs and a fee must be paid to release the funds or goods.
    • Investment scam: In an investment scam, a criminal convinces their victim to move their money to a fictitious fund or to pay for a fake investment. The criminal usually offers high returns to entice their victim. These scams include investment in items such as gold, property, carbon credits, land banks and wine.
    • Romance scam: In a romance scam, the victim is convinced to make a payment to a person they have met, often online through social media or dating websites, and with whom they believe they are in a relationship. The ‘relationship’ is often developed over a long period and the individual is convinced to make multiple, generally smaller, payments to the criminal.
  4. Types of malicious redirection scam:
    • Invoice and mandate scam: In an invoice or mandate scam, the victim attempts to pay an invoice to a legitimate payee, but the scammer intervenes to convince the victim to redirect the payment to the scammer’s account. This type of fraud often involves email interception or compromise. It includes criminals targeting consumers posing as conveyancing solicitors, builders and other tradespeople, or targeting businesses posing as a supplier, and claiming that the bank account details have changed.
    • Impersonation (police and bank): In this scam, the criminal contacts the victim purporting to be from either the police or the victim’s bank and convinces the victim to make a payment. Often the fraudster will claim there has been fraud on the victim’s account and they need to transfer the money to a ‘safe account’ to protect their funds. However, the criminal actually controls the recipient account. Criminals may pose as the police and ask the individual to take part in an undercover operation to investigate ‘fraudulent’ activity at a branch.
    • Impersonation (other): In this scam, a criminal contacts the victim purporting to be from an organisation other than the police or the victim’s bank and asks the victim to make a payment. Fraudsters pose as organisations such as utility companies, communications service providers or government departments and claim that the victim must to settle a fictitious fine or to return an erroneous refund. The scams can often involve the criminal requesting remote access to the victim’s computer.
    • CEO fraud: CEO fraud is where a victim attempts to make a payment to a legitimate payee, but the scammer manages to intervene by impersonating the CEO of the victim’s organisation to convince them to redirect the payment to the scammer’s account. This type of fraud mostly affects businesses. The criminal will either access the company’s email system or use spoofing software to email a member of the finance team with what appears to be a genuine email from the CEO with a request to change payment details or make an urgent payment to a new account.
  5. UK Finance is a trade association formed on 1 July 2017 to represent the finance and banking industry operating in the UK. It represents around 300 firms in the UK providing credit, banking, markets and payment-related services. The new organisation brings together most of the activities previously carried out by the Asset Based Finance Association, the British Bankers’ Association, the Council of Mortgage Lenders, Financial Fraud Action UK, Payments UK and the UK Cards Association.
Criminals steal £500m through fraud and scams in the first half of 2018