
APP Scams and Frauds have a much wider impact than the financial loss because the victims and their families are likely to suffer from high levels of stress, distress and worry, especially where one partner in a relationship “loses” their joint savings. This means that, even if the banks do reimburse the victims, which they are sometimes reluctant to do, APP Scams and Frauds are far from “victim-less” crimes, and everyone concerned needs to invest more in their prevention.
The banks are increasingly asserting that the “problem” lies with the social media and message service providers, and to some extent I agree, but this is far from the whole story.
I see APP Scams and Fraud as a “journey”, which is why I use both words.
The journey begins with the “Scam” which is the ….
“please re-arrange your delivery” email or text message - I got one of these a few days ago and it almost caught me out because I was waiting for a delivery which should have arrived earlier in the day.
“your TV licence is due for renewal” - how many of us know when it really is due?
“you’ve been awarded a special prize” - please just complete the short questionnaire (and give us all your personal details!)
“I’m calling from your bank because there has been suspicious activity on your account and we need to ‘secure’ it from fraud” - only it is the fraudster who is calling you.
The “Fraud” is when the victim actually pays money to the fraudster. It might be:
for an investment that doesn’t actually exist
for a builder as a “deposit” to buy material for your project
to pay for an airfare for a son/daughter who is unwell and needs to fly home
transferring money to a new “safe” account.
The range of scams and frauds is limitless but can be summed up in this definition from the Fraud Act 2006:
Fraud by false representation
A person is in breach of this section if he -
dishonestly makes a false representation, and
intends, by making the representation -
to make a gain for himself or another, or
to cause loss to another or to expose another to a risk of loss.
A representation is false if -
it is untrue or misleading, and
the person making it knows that it is, or might be, untrue or misleading.
Preventing Scams
In response to the banks’ concerns about the role of social media and message services I’m prepared to ask some challenging questions:
Why do email services hide the sender’s real email address? I would be instantly suspicious if I was shown that the sending address for my “parcel re-delivery message” came from fraudster@anywhere-in-the-world.co.
Would it be possible to establish an international register of company names, with their linked domain names and email addresses to make it harder for fraudsters to spoof them?
Should sending an email be free? The economy of email fraud starts with emails being free to send. What if service providers charged us to send them? 0.01p/mail would cost nothing to ordinary people but would add a significant cost to fraudsters who send out millions.
None of these are practical, but I’m just making the point that we may have to think the unthinkable if we are going to make a dent in the ever-increasing rise in scams.
Preventing Fraud
So now I come to some rather more serious propositions:
24-hour Payment Delay - first payment
Fraudsters exploit the Faster Payment System (FPS) by manipulating their victims into making high value payments before they have time to stop-n-think or take-five. Do consumers, small businesses and charities really need to be able to make high value payments to new payees instantly? I assert that they don’t.
Over the last 5-6 years I have asked countless people a simple question: “When was the last time that you made a payment of over £500 to a new payee and did not have their account details at least 24 hours before they needed the money?”
The response is almost always silence, but just sometimes it is:
“when I needed to pay £50,000 to my solicitor for the deposit on my house purchase”; except that this is almost certainly not your first payment to them because you will have already paid something for their fees, and if they say that this payment has to go to a separate “holding” or “escrow” account, then it will be fraud.
“to pay a deposit to my builder for materials”; except that they will almost certainly be happy to know that they will get it tomorrow.
“to take up a limited time investment opportunity that expires at midnight”; really?
I admit that I did get one genuine example. The person was buying a car from a private seller. If they could pay the £10,000 for it then and there, they would be able to drive it away. But let’s be realistic. In these very rare cases a simple phone call to your bank, a high-level security process, confirmation of the payee’s account details, and the payment can be authorised.
I propose that 24hrPD would be mandatory unless the account holder gave at least 72 hours’ notice that they wanted to withdraw from it and would accept the risk of fraud.
24-hour payment delay - always
There are some situations where the fraudster would manipulate their victims into making an initial lower value payment but then come back later for higher amounts. This is most likely to happen with Romance Scams and certain types of Investment Fraud.
One example was an older person who wanted to try cryptocurrency and agreed with her son that she would invest a modest sum, just to see how it went. This modest sum overcame the 24hrPD and allowed the fraudster to manipulate her into making multiple high value transactions over the following weeks.
I propose that the account holder should be able to “opt-in” for 24hrPD for all payments over a certain amount of their own choosing.
2nd Party Notification (2ndPN)
The implementation of 24hrPD creates a time-window that not only gives the bank time to review the transaction but also allows them to notify a “2nd party” such as a son/daughter, parent or carer. The 2nd Party would not have any direct access to, or control over, the account. This is very different from a Power of Attorney or similar schemes.
2ndPN would simply mean that when the account holder does certain things, such as creating a new payee or authorising a high value payment, the bank sends a message to the 2nd party, thus allowing them to contact the account holder and make sure that all is OK.
I can evidence a case where the victim had paid over £500,000 to the fraudsters and it was only stopped when her son phoned to ask how she was, and she responded by saying: “I’m not meant to tell you this but I’m helping the FCA to trap a fraudster in my bank!!!”
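The three proposals above (first-payment 24hrPD, opt-in 24hrPD for all payments, and 2ndPN) can be expressed as a single decision rule. The sketch below is an added example, not the author's or any bank's system; the £500 "high value" figure is borrowed from the author's question rather than stated as a rule, and all names, the weekly spacing and the sample payments are constructed. It replays the escalating-payment case to show that the first-payment rule alone does not hold the later payments, while the opt-in threshold does.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HIGH_VALUE_GBP = 500  # assumption: the figure in the author's question, not a stated rule
DELAY = timedelta(hours=24)
OPT_OUT_NOTICE = timedelta(hours=72)

@dataclass
class Account:
    known_payees: set = field(default_factory=set)
    opt_out_requested_at: Optional[datetime] = None  # withdrawal from first-payment 24hrPD
    opt_in_threshold_gbp: Optional[int] = None       # holder-chosen "always" threshold
    second_party: Optional[str] = None               # contact only, no access to the account

def assess(acct, payee, amount_gbp, now):
    """Return (release_time, notices_to_second_party) for one payment instruction."""
    first_payment = payee not in acct.known_payees
    # An opt-out only takes effect once 72 hours' notice has elapsed.
    opted_out = (acct.opt_out_requested_at is not None
                 and now - acct.opt_out_requested_at >= OPT_OUT_NOTICE)
    hold = first_payment and amount_gbp > HIGH_VALUE_GBP and not opted_out
    if acct.opt_in_threshold_gbp is not None and amount_gbp > acct.opt_in_threshold_gbp:
        hold = True  # "always" rule: applies to known payees too
    notices = []
    if acct.second_party:
        if first_payment:
            notices.append(f"{acct.second_party}: new payee '{payee}' created")
        if amount_gbp > HIGH_VALUE_GBP:
            notices.append(f"{acct.second_party}: payment of £{amount_gbp} to '{payee}'")
    acct.known_payees.add(payee)
    return (now + DELAY if hold else now), notices

def replay(acct, payments, start):
    """Run payments a week apart; return (hours_held, notices_sent) per payment."""
    results = []
    for week, (payee, amount) in enumerate(payments):
        now = start + timedelta(weeks=week)
        release, notices = assess(acct, payee, amount, now)
        results.append((int((release - now).total_seconds() // 3600), len(notices)))
    return results

# Constructed sample: a modest first payment, then escalating ones to the same payee.
SAMPLE = [("exchange-x", 200), ("exchange-x", 5000), ("exchange-x", 8000)]
START = datetime(2024, 1, 1, 9, 0)

if __name__ == "__main__":
    print(replay(Account(second_party="son"), SAMPLE, START))
    print(replay(Account(second_party="son", opt_in_threshold_gbp=1000), SAMPLE, START))
```

In the first replay no payment is held, yet the second party is still notified each time, which is the safety net 2ndPN provides when the delay rules do not trigger.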
Payment Intervention
I believe that if all three of the above points were implemented it would both reduce the number of occasions when the banks needed to intervene quickly and allow them to make more considered interventions. A payment delay would, for example, allow them to contact the beneficiary bank and, if necessary, put them on notice of the possibility of a fraudulent inbound transaction.
I disagree with the new regulation that allows banks to delay payments for up to 4 days because I believe that the delay is in the wrong place.
In-bound Credit Delay
The current Payment Systems Regulations (PSR2017) require the beneficiary bank to credit their customer’s account within 2 hours of receiving the funds from the sender’s bank. This gives them very little time to consider the risk of fraud.
I propose that the beneficiary bank should be allowed to hold the inbound payment “in suspense” for up to 4 business days if they have a reasonable basis for suspecting that it might be the result of fraud or deception. This might be triggered by contact from the sender’s bank.
Interest, charges etc would be calculated as if the payment had been credited, but it could not be withdrawn until it was cleared.
The reasons for putting the delay at this point in the process include:
the beneficiary bank can see all that is happening on the account and review it against the account profile.
if a payment is delayed when it shouldn’t have been, and this results in a loss or costs to the beneficiary, the dispute is between two parties who have a business relationship.
Data Sharing - without court orders
Whilst recognising the need for appropriate levels of data protection I propose that the banks, Police and a limited number of statutory organisations should be able to ask a bank for disclosure of a limited, clearly defined, amount of data from a customer’s account without the need for a court order.
The circumstances and data that I have in mind include:
A list of the sort code, account number and value of receipts and payments over a limited date range, but without any other details of the payees or beneficiaries. This would allow an investigating authority to gain an understanding of the account activity and then decide if they needed to apply for full disclosure.
Details of any other statutory organisations who have asked for details of the account to show that other parties are also investigating the account.
This is a complex issue but I believe that it should be considered as it would save time and resources for the Police and the courts.