The Payment Systems Regulator (PSR) has announced an industry-wide action plan to tackle push payment scams. A push payment is where a bank or other payment service provider (PSP) is instructed to transfer money from a customer’s account to another account. When a customer gives consent for a transaction to be processed, it becomes an authorised push payment.
Push payment scams are the second biggest cause of payment fraud in the UK, claiming £100m from 19,000 people between January and June 2017 alone. Authorised push payment scams occur when customers are tricked into authorising payments to an account that doesn’t belong to their intended payee.
From a digital security perspective, authorised push payment scams are a type of man-in-the-middle attack. These attacks happen when digital communications between two systems are intercepted by an outsider. There are several forms of man-in-the-middle attack, but two are especially common.
Email hacking: Hackers intercept email communications between an organisation and its customers. They use this tactic to take advantage of scenarios where a customer is about to transfer money. Businesses, such as law firms or builders, are prime targets due to the large sums of money typically involved in a transaction.
Once they have breached a company’s systems, the hackers will monitor emails, or even VoIP calls, until the company requests payment from its customer; the hackers will then intercept the communication. Their aim is to trick the customer into paying the money into the hackers’ account instead. They do this by sending emails that are indistinguishable from the company’s genuine ones but carry changed account details. Customers then unwittingly transfer thousands of pounds to the fraudsters, in the belief that they are paying a legitimate account.