Stay safe from APP fraud: a guide for businesses
From invoice scams to CEO fraud, learn how to protect yourself and your business from authorised push payment scams.
You might have heard of authorised push payment (APP) fraud. It’s the most common type of financial scam in the UK, costing the economy £460 million in 2023.
It typically involves a criminal convincing a victim to authorise a payment to them through their bank or a payment service provider. While it mostly impacts consumers, it can also happen to business professionals.
In this article, we examine common types of APP fraud that target businesses, and give tips on how to stay safe.
How does APP fraud affect businesses?
APP fraud scams are called ‘authorised’ because they depend on the victim voluntarily transferring money. There are two main types of APP fraud:
- Malicious payee scams: a victim is tricked into making a payment for goods or services which are not delivered.
- Malicious redirection: a fraudster impersonates someone, eg a bank employee, to trick a victim into making an internet or mobile banking transfer.
When it comes to targeting businesses, malicious redirection (often known as impersonation) is the most common tactic. Typically, a criminal poses as a legitimate supplier, professional or colleague to persuade the victim to transfer money. Let's look at some examples:
Invoice fraud
With invoice fraud, a criminal learns the details of a company’s supplier and impersonates the finance department from that supplier, sending a fake invoice. They may say their payment details have changed and provide new account details, or ask for a payment urgently.
£49.5 million was lost to invoice fraud in the UK in 2022, according to UK Finance. In the EU, numbers are even higher: in 2022, the European Commission faced €1.77 billion in cases.
CEO fraud
A criminal poses as a company CEO or senior manager to persuade a staff member to make urgent payments or change payment details for a supplier. They may gain access to a business’s email account by hacking, or use spoofing software to mimic a genuine email.
CEO fraud often happens over email but it can happen over the phone. Requests are often sent when the real member of staff is out of office. £13.4 million was lost to CEO fraud in the UK in 2022, according to UK Finance.
CEO fraud is getting more sophisticated. In February 2024, a finance worker at a multinational firm based in Hong Kong was tricked into paying out $25 million to fraudsters who used deepfake technology to pose as the company’s chief financial officer in a video conference call.
Bank impersonation fraud
Bank or payment provider impersonation fraud is when a fraudster impersonates someone from a financial institution in order to trick a victim into making payments to a fraudulent account.
While impersonating the staff member, the fraudster might tell the victim their account is under threat and they need to make payments to a “safe account”. They might also ask for login details, or ask the victim to install software so they can control their computer remotely. Bank and police staff impersonation scams made up around 1 in 4 (23%) of APP scam losses in the UK in 2022, totalling £109.8 million.
Tech support fraud
Another common type of impersonation fraud involves a fraudster impersonating tech support, often from an internet service provider. They might tell the victim that there is an urgent problem with their computer or internet service, and ask them to install an app to enable remote access to “fix” it. In 2022, impersonation scams involving tech support, utility companies and government departments led to losses of £67.8 million in the UK.
How to spot an APP scam
There are some common warning signs to watch out for which may indicate that you’re being targeted by a fraudster. These include:
- Strange communication: If you receive a communication from a familiar colleague or business partner that doesn’t seem right, get in touch with them directly via an address or details that you know belong to them, to check. Watch out for ‘red flags’ like spelling mistakes, strange grammar, misspelt domain names and broken links in spoofed emails, messages and websites.
- You feel pressured: If you are being asked to transfer money or provide personal details urgently, you may be the target of a scam.
- You’re asked to use an unusual payment method: If a company you have dealt with in the past is asking you to use a new payment method, the request might not be legitimate – always check by contacting them directly via known details.
- You’re asked for personal information: If you receive an email or text message asking you to provide personal information such as a password or address, do not provide it. Genuine companies will never ask you to send these details over text or email.
Take Five, a campaign led by UK Finance, has created the ‘Can You Spot Fraud?’ quiz to help businesses better protect themselves against fraud. The quiz takes you through a series of potentially fraudulent situations and shows you how to confidently challenge situations where criminals may be targeting your business.
Best practices to stay safe
Scammers are always coming up with new ways to exploit payments of all types, but there are some best practices that can help you stay safe:
- Always confirm a change of bank account details with a supplier by getting in touch with them directly before you make a payment or transfer any money.
- Criminals can access or alter emails to make them look genuine. If you’re getting in touch with a supplier to check, make sure you use contact details from the company’s official website or documentation.
- If you are making a payment to an account for the first time, or you receive a communication saying that payee bank details have recently changed, transfer a small sum first and then check with the company (using known contact details) that the payment has been received.
- Establish documented internal processes for requesting and authorising all payments and be suspicious of any request to make a payment outside of your company’s standard process.
- Be cautious about any unexpected emails or letters which request urgent bank transfers, even if the message appears to have originated from someone in your own organisation.
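The checks above can be built into an accounts-payable workflow as an automatic hold rule. The Python below is an added example, not BVNK's code: the vendor record, field names, urgency word list and the 0.85 similarity threshold are all assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master: contact domain and bank details already on file.
VENDOR_MASTER = {
    "Acme Supplies Ltd": {"domain": "acme-supplies.example",
                          "account": "12345678", "sort_code": "04-00-04"},
}
URGENCY_WORDS = ("urgent", "immediately", "asap")  # assumed word list

@dataclass
class PaymentRequest:
    supplier: str
    sender_email: str
    account: str
    sort_code: str
    message: str

def lookalike(domain: str, known: str) -> bool:
    """True when a domain is close to, but not exactly, the known one."""
    return domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85

def review(req: PaymentRequest) -> list[str]:
    """Return red flags; any flag means hold the payment and call back on known details."""
    record = VENDOR_MASTER.get(req.supplier)
    if record is None:
        return ["first-time payee: send a small test payment and confirm receipt"]
    flags = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if lookalike(domain, record["domain"]):
        flags.append("sender domain resembles the supplier's but does not match")
    elif domain != record["domain"]:
        flags.append("sender domain is not the supplier's known domain")
    if (req.account, req.sort_code) != (record["account"], record["sort_code"]):
        flags.append("bank details differ from those on file")
    if any(word in req.message.lower() for word in URGENCY_WORDS):
        flags.append("urgent wording")
    return flags

# Constructed sample requests.
LEGIT = PaymentRequest("Acme Supplies Ltd", "accounts@acme-supplies.example",
                       "12345678", "04-00-04", "Invoice 1001 attached.")
SPOOFED = PaymentRequest("Acme Supplies Ltd", "accounts@acme-supplles.example",
                         "87654321", "04-00-04",
                         "Our bank details have changed. Please pay urgently.")
NEW_PAYEE = PaymentRequest("Unknown Traders", "sales@unknown-traders.example",
                           "11112222", "01-02-03", "First invoice attached.")

if __name__ == "__main__":
    for request in (LEGIT, SPOOFED, NEW_PAYEE):
        print(request.supplier, review(request))
```

A flagged request should be released only after someone has confirmed it with the supplier using contact details from the vendor record, never the details in the request itself.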
Reimbursement of APP scam payments for BVNK customers
As part of new UK requirements on APP fraud which come into effect on 7 October 2024, BVNK’s small business customers are entitled to be reimbursed for APP scam payments to the value of £85,000.
To be eligible, the scam payment must have been made through the BVNK platform in GBP via the Faster Payments scheme to a third party, and the business claiming must have fewer than 10 employees and net assets/revenue under €2 million.
If you’re a small business and think you’ve been a victim of APP fraud while using BVNK, you may be eligible for a refund. Please see our Help Centre for more information on eligibility and how to claim.