Authorized push payment fraud (APP) is rapidly growing as a problem, but many businesses remain unprotected. This insidious type of fraud involves a bad actor pretending to be a legitimate vendor, employee, or business partner. Then, the bad actor uses this false identity to trick businesses into sending a payment to them.
As a business, you have to send payments to your vendors, employees, and partners. Unfortunately, these payment processes are a target for fraudsters. Besides the upfront losses involved, a fraudulent payment can damage relationships with your vendors, lead to late payments, and result in wasted time combating the scam.
To help you detect and prevent authorized push payment scams, we’ll dive into what these scams look like, common red flags, and ways you can prevent them from happening.
TL;DR
- APP fraud is when a business is tricked into approving a payment to a bad actor.
- To succeed, the scam artist creates a sense of urgency. They use social engineering to take on an actual recipient’s identity, so you believe that the payment is going to your intended recipient.
- While there are many different types of APP scams, fraudsters often rely on business email compromise, invoice redirection, payment and disbursement fraud, or bank-detail change requests.
- After the funds are sent to the scam artist, it can be difficult to recover them. If the bank is alerted quickly, it may be possible to reverse the payment if it is still pending.
- Demands for confidentiality, urgent requests, last-minute changes to banking information, and sudden adjustments to your normal workflow are all red flags to watch out for.
- Requiring verification after account changes, payment delays for new payees, dual authorization, and similar measures can help prevent APP fraud.
- The best employee training focuses on real-world scenarios and a pause-and-verify approach. Encourage workers to always come forward if they suspect fraud.
- Through PayCompass, you can gain better visibility into your payment flow. Automatic alerts and advanced fraud detection tools can help you prevent and mitigate APP fraud.
What Is Authorized Push Payment Fraud?
At its heart, authorized push payment fraud is when a payment is technically authorized, but the sender is manipulated by a bad actor. The fraudster typically uses social engineering to get the individual to initiate a payment. For instance, a fraudster may create a fake email address that is slightly different from a vendor’s email address. Then, they will ask to update the vendor’s bank information.
How Authorized Push Payment Fraud Works
Although there is some variation, a typical authorized push payment scam will generally go through the following steps.
- Research: First, the scam artist researches the victim. They may look up the vendors you use or key people at your organization. Additionally, the fraudster will look up how you structure invoices, emails, and other data so that their fraudulent messages appear genuine.
- The Ask: The scam artist will send an email that requests an immediate contractor payment, a vendor invoice, or something similar. The request is normally paired with a sense of urgency and a request for confidentiality, so you have less time to slow down and discover the fraud. While APP fraud can happen in other ways, most cases involve email.
- Authorization: The fraudster will do everything possible to get you to skip verification steps. If they are successful, you or the targeted individual at your organization will approve the payment.
- Rapid Laundering: To avoid having the funds frozen or clawed back, the fraudster will quickly transfer the money to a different account.
- Aftermath: At some point, the business realizes that the funds have been stolen. In many cases, it is too late to get the money back by the time the fraud is discovered.
Why It’s Damaging for Merchants
APP fraud is one of the fastest-growing types of fraud. By 2028, this form of fraud is expected to account for $14.9 billion in losses in the United States alone.
For merchants, this type of fraud can be incredibly damaging. Because it often involves fast, hard-to-reverse bank transfers, the money typically vanishes with the fraudster. In many cases, fraudsters impersonate actual vendors. As a result, the merchant may have to deal with unpaid invoices, late penalties, and disgruntled vendors as well.
APP fraud can disrupt your cash flow, create an added administrative burden, invite scrutiny from government auditors, and negatively impact your relationships with vendors. High-value theft can harm employee morale. Over the long run, you will also spend more on implementing preventative tools.
What Are Some of the Most Common Types of Authorized Push Payment Scams?
While each case is a little different, there are a few basic types of push payment scams that you’ll generally encounter.
Invoice Redirection Scams
With this type of scam, the scammer is trying to intercept a legitimate B2B payment or invoice. For example, they may have gotten hold of an invoice from your landscaper. Then, they may impersonate the landscaper and request a change to the landscaper’s bank details at the last minute.
If this scam is successful, you don’t just lose money to the scammer. Your real vendor will go unpaid, which can lead to penalties, contract disputes, and a disgruntled contractor.
Vendor Bank-Detail Change Requests
With this type of fraud, the scam artist asks to update the bank details for a current vendor. They may say that the update is needed because of a merger, an audit, or a similar reason. Once this fraud occurs, it can take weeks or months for the business to realize that payments are going to the wrong account.
Business Email Compromise
In a business email compromise scam, the scammer gains access to a corporate email account or creates a spoof account. For instance, they may create an email address that is just one or two letters different from your corporate account.
Once this account is made or accessed, the scammer will typically send emails to the accounts payable or your finance department with a request for payment. They’ll pose as a corporate officer or someone in your finance department so that you are more likely to approve the payment. Often, the scammer will use urgent language and say that the payment must be kept confidential. They’ll also ask you to circumvent the normal payment workflow.
Payout and Disbursement Fraud
With payout and disbursement fraud, the fraudster manages to divert an authentic payment. For instance, they may gain login credentials for a vendor. Then, they can use these credentials to update payout information.
Similarly, disbursement fraud can happen because of an account takeover, support ticket fraud, or phishing. Often, affiliate marketing programs, gig economy sites, and online marketplaces are targeted because of the number of potential payouts involved and the automated nature of these sites.
Before You Send a Bank Transfer: A Fraud Prevention Checklist
To help you avoid becoming a victim of an authorized push payment scam, we’ve compiled a checklist of steps you should take before authorizing any type of payment.
- Verify the Recipient: First, use a trusted source to verify that the person is who they say they are. Make sure the account number and other information are accurate.
- Be Wary of Last-Minute Requests: Scams rely on a sense of urgency. If you get a last-minute, urgent request, pause and double-check that the request is genuine.
- Exercise Caution: Pay attention to unusual wording or abnormal queries. If something seems abnormal, question it.
- Call the Recipient: Don’t rely on the phone number or contact information in the email. Instead, find the recipient’s phone number in your records or in another trusted location. Then, call them to verify that the request is genuine.
- Add Extra Safeguards: To protect your company, update your payment operations with internal safeguards. For example, require 1099 contractor payments to be approved by two different people. Delay the payment process so that it takes longer, giving your company more time to detect fraud. You should never have a single person in charge of reviewing, authorizing, and sending payments.
- Log Payment Change Requests: If a payment change is requested, there should be a log tracking when the request was made, who made it, and why.
- Stop Questionable Transfers: Immediately stop any questionable transfer. You can always send the payment later if it is legitimate, but you may not be able to get the money back if the request was invalid.
- Contact Your Bank: If you believe that a transfer wasn’t legitimate, immediately reach out to your bank. Moving fast is important because banks can stop pending transactions in some cases.
Common Red Flags To Watch Out For
These scams rely on getting you to process payments outside of your normal workflow. The scam artist creates a sense of urgency so that you skip normal verification steps and processes. The following red flags are a sign that you need to slow down and spend extra time verifying the source of the payment request.
- The request is urgent or time-sensitive.
- Your existing supplier suddenly requests an update.
- The request is outside of your standard approval workflow or authorization process.
- You were told to keep the request confidential.
- The request says the delay will cause penalties or account freezes.
- The email address or phone number is slightly different from the recipient’s normal account.
- The payment amount is higher or lower than normal.
- The request arrived outside of your company’s normal business hours.
- You received a payment request from someone at your company who isn’t responsible for handling payments.
Some part of the invoice or documentation is incorrect or missing.
How To Train Your Team To Spot Authorized Push Payment Fraud
The right fraud protection and prevention can help you detect and stop APP fraud before it happens. Whether you are concerned about 1099 or ACH fraud, the following steps can help you train your team members on how to spot, report, and avoid this kind of fraudulent attack.
- Use Real Examples: During your fraud prevention training, use real-world scenarios to train workers on APP fraud. For example, you may want to use emails that request a payment update, immediate payment, or an invoice change. Encourage workers to spot red flags, so they are prepared to detect fraudulent emails on their own.
- Pause and Verify: The most important thing workers can remember is to pause and verify. APP fraud relies on a sense of urgency because emergency situations get people to skip normal operational steps. There is no payment in existence that cannot wait a few hours for verification to take place.
- Create Verification Protocols: Workers should know how to verify requests and who to call. When someone emails asking to update their banking information, the employee should know exactly who to call and what to do to verify that the request is legitimate.
- Encourage Reporting: Some workers are nervous about reporting fraudulent emails. Make sure workers know that it is okay to report suspected fraud and be wrong. It’s more important to err on the side of caution.
- Test Workers: Periodically, send out emails to test employees. This helps them learn what fraud looks like and how to report it.
- Continue Training: Once the initial training is over, plan on quarterly training updates. By doing so, you can easily review any policy updates and recent fraud attempts.
Top Operational Controls for Preventing Authorized Push Payment Fraud
As a business, there are a few steps you should take to update your payment monitoring system and operational controls. These measures can help you reduce your overall risk without slowing down legitimate payments.
- Required Verification for Bank-Detail Changes: If someone requests an update to their bank details, it should trigger mandatory verification. Verification should never be based on the contact details that were in the request.
- Add Delays: While you can keep your normal payments at the same speed, it’s a good idea to automatically slow down any payments that involve recently changed information or new payees. Fraudsters rely on speed. A 72-hour delay won’t impact legitimate payments, but it can hinder fraudulent ones.
- Require Dual Authorization: If all of your payments are handled by one person, fraudsters only have to steal one person’s information to access funds. Protect your company by requiring one person to create the payment and a second person to authorize it.
- Use Secure Portals: Instead of relying on email, use secure portals for payment instructions.
- Create Alerts: Set up automatic alerts for instances when bank details change right before payment or the payment is different from the historical norm.
- Create Stricter Controls for High-Risk Payments: If you’re dealing with high-value payments, mass payouts, or international payments, you should automatically require verification and stricter controls.
What To Do If You Detect Fraud
From fraudulent wire payments to payroll fraud, it’s essential to be proactive about spotting and reporting suspected fraud. If authorized push payment fraud occurs, you and your employees should take the following steps.
Contain the Problem
The first step is to prevent the issue from spreading. Stop any current or future payments. Put a hold on the account while the investigation is underway. You’ll also want to save system logs so that they can be used during the investigation.
Contact the Bank
Next, call your bank to ask for a payment recall or a freeze on the account. While it’s not always possible, you may be able to get the payment back if you move quickly enough. You’ll need basic information, such as the transaction ID, date of the payment, payment amount, and your receiving bank details.
Collect Evidence
You should preserve key evidence, like emails, IP logs, audit trails, bank confirmations, and similar information. Avoid forwarding or editing email evidence because you want the metadata and timestamp preserved.
Report the Fraud
Report the fraud to your local law enforcement agency. You should also let your cybersecurity or incident-response provider know about the fraud.
Tell Your Team
Internal stakeholders, like your payroll, accounts payable, and finance departments, should be aware of the fraud. This helps to prevent the same fraudster from trying the same trick again.
Once you have completed these steps, get your IT department and legal teams involved. You need to update your protocols and training so that similar cases are prevented in the future.
How PayCompass Supports Fraud Prevention
At PayCompass, we have years of experience in helping merchants with real-time payments, ACH payments, wire transfers, and other payment types. We have developed high-level fraud prevention tools and monitoring techniques, so you can spot and mitigate fraudulent payments before they become a problem.
Through advanced monitoring and payment setup guidance, you can reduce your exposure level across different bank and card payment flows. Our tools detect fraudulent transactions early, so you have more time to request a recall, stop a pending transfer, or work with your bank to freeze funds where possible. Plus, our centralized records and comprehensive logs make recordkeeping easier.
Final Thoughts
While fast, instantaneous payments have made it easier to conduct transactions, these same qualities also make fraudulent transactions easier for criminals. Authorized push payment scams rely on a sense of urgency and fast payment processes. If the scam is successful, it can damage your company’s reputation, cost you money, and disrupt your operations.
Fortunately, it is possible to prevent APP fraud. Through employee training, improved operational protocols, and advanced technology, you can keep authorized push payment fraud from harming your bottom line. If a scam does occur, you can mitigate its impact by freezing the account, contacting your bank, and notifying the authorities.
At PayCompass, we have advanced fraud detection and prevention tools that can protect your company from bad actors. To learn more about how we can help, reach out to our payment processing experts today.
Ready to Transform the Way You Do Business?
Don’t settle for less when it comes to payment processing. With PayCompass, you get smarter, faster, and more reliable solutions tailored to your unique needs. Join thousands of businesses who trust us to keep their business moving forward.
Similar Posts
MCC 7011: Hotels & Lodging (Description and Payment Processing Impact)
The United States hotel market size is estimated at $263.21 billion. Most of these companies will be assigned merchant category code (MCC) 7011. Because hospitality transactions involve cancellations, advance bookings, incremental adjustments, and no-show charges, they require specific types of payment processing services. The MCC 7011 (hotels) classification has a direct impact on interchange rates, […]
MCC 5993: Cigar Stores & Tobacco Shops (Description and Processing Impact)
The United States is the fifth-largest producer of tobacco in the world. In a typical year, the country produces around 359 million pounds of tobacco. While some of that tobacco is sold abroad, a great deal of it ends up being sold to American consumers. If you are considered a cigar store or tobacco shop, […]
MCC 5812: Restaurants & Eating Places (Description and Payment Processing Impact)
Merchant category code (MCC) 5812 is given to restaurants and eating places by the merchant’s payment processor or acquirer. From fraud monitoring to credit card rewards, this code plays a major role in your company’s payment processing setup. It can affect your approval rates, processing fees, and dispute patterns. To learn more about how MCC […]
MCC 5511: Car & Truck Dealers (Description, Risk Profile, and Processing Tips)
Each year, more than $1.5 trillion is spent in the United States on vehicles and parts. Due to the high-value transactions, deposits, financing, and refund complexity involved, the MCC 5511 (automobile/cars) designation is considered moderate to elevated risk by payment processors. If your company falls under this code, understanding how to improve your account approval […]
MCC 4722: Travel Agencies & Tour Operators (Description, Examples, and Processing Impact)
If you run a travel-related business, you will be assigned a specific merchant category code known as MCC 4722. This code represents the specific risks and challenges associated with the travel industry. From how customers receive credit card rewards to the payment processing fees you pay, this code can affect all aspects of your payment […]
Cascading Payments Explained: How Cascading Retries Reduce Failed Payments
No matter what type of business you operate, payment failures are bound to happen. By being strategic about how you approach these failures, you can recuperate lost revenue. Failed transactions can lead to a higher churn rate, so companies need the right retry strategy to process these payments. With cascading payments, transactions can be distributed […]
Payment Processor Down: A Merchant Playbook for Keeping Sales Moving
With a standard payment processor, you can expect 99.9% uptime. This works out to 43 minutes of downtime or less each month. However, top-tier payment processors experience just five minutes of downtime each year. Even with the best processors, downtime can still happen. When a payment processor outage does occur, the costs can quickly add […]
Authorization Optimization: How To Improve Payment Authorization Rates
Whenever a payment fails, a decline reason code is created that explains the exact failure reason. These codes can vary between payment processors, although many processors use the same ISO 8583 codes used by Visa and Mastercard. As a merchant, understanding these codes is essential for authorization optimization. Once you understand why transactions are declined, […]
Accepting Multiple Payment Methods: A Practical Guide for Businesses
As a merchant, your cash flow can quickly take a hit if you are only accepting a handful of payment methods. Today’s shoppers use buy now, pay later (BNPL), digital wallets, cash, cryptocurrency, and cards to pay for their transactions. If you don’t have the capacity to accept multiple payment methods, it’s going to quickly […]
Payment Service Provider: What It Is and How To Choose the Right One
Accepting payments isn’t as straightforward as just handing over cash. With credit cards, debit cards, and mobile payments, an entire web of interactions takes place in the background each time a card is swiped. Besides the basic transaction processing, this network of activity also works to inspect for fraud, authenticate the payment information, verify that […]