The Payment Systems Regulator (PSR) has announced an industry-wide action plan to tackle push payment scams.
Push payment scams are the second biggest cause of payment fraud in the UK, claiming £100m from 19,000 people between January and June this year alone. The consequences can be devastating for individuals and businesses alike. So far, financial organisations, including banks, PayPal, and WorldPay, have returned just £25m to victims of these scams.
What is an authorised push payment?
A push payment is where a bank or other payment service provider (PSP) is instructed to transfer money from a customer’s account to another account. When a customer gives their consent for a transaction to be processed by their payment service provider, it becomes an authorised push payment.
Authorised push payment scams occur when a customer is tricked into authorising payments to an account that doesn’t belong to their intended payee.
From a digital security perspective, authorised push payment scams are a type of man-in-the-middle attack. These types of attacks happen when digital communications between two systems are intercepted by an outsider.
Common forms of man-in-the-middle attacks include:
A hacker will intercept email communications between an organisation and their customers. They use this tactic to take advantage of scenarios where a customer is about to transfer money. Businesses such as law firms or builders are prime targets, due to the large sums of money typically involved in a transaction.
Once they have breached a company’s systems, the hacker will monitor conversations between a business and a customer. When the company requests payment from their customer the hacker will then intercept the communications. Their aim is to trick the customer into paying money into their account instead. They do this by sending emails that are indistinguishable from the company’s genuine emails. By changing the account details, customers unwittingly transfer thousands of pounds to the fraudsters in the false belief it is the company’s legitimate account.
Using a portable Wi-Fi node, such as a Pineapple device, a hacker will broadcast a free Wi-Fi hotspot from a public place, such as a coffee shop, and give it a legitimate sounding name. It is impossible for you to know whether ‘Starbucks Free Wi-Fi Hotspot’ belongs to Starbucks or an opportunistic hacker. The hacker will seek to exploit anyone who connects to their hotspot, by spoofing unsecured web pages to collect log-in details, or by breaking the connection with you once you log in to your online banking, leaving the connection to your account open for themselves to access.
How to tackle these attacks?
Companies need to ensure their communications are secure and authenticated. For example, emails should always be encrypted and verified both on receipt and at opening. These verifications should be part of the process and not effected by the receiver switching off the read receipts such as in Outlook. Likewise, if data is stored in the cloud and clients directed to the services the site should be secured with encryption with the keys held outside of the hosting provider of the service and always with a secure communication tunnel between the client and the data source.
The users also need to be aware that communications they receive could be compromised and so they need to take care in checking the validity and even double checking the instructions with the originator.
How is the PSR proposing to tackle these attacks?
The PSR is working to strengthen the prevention level and increase user’s protection.
Victims of these attacks aren’t covered for losses under current legislation. However, one strand of the PSR’s approach is to launch a consultation regarding a contingent reimbursement in the event of these scams. This would shift a large proportion of liability from customers to financial organisations.
The direct consequence will be that banks and PSPs will have to reinforce their identification and authentication mechanisms, as well as their transaction data analytics systems, to reduce the number of accounts used to receive money fraudulently.
To find out more about protecting your organisation and your customers from cyber-crime, contact us on 0844 586 0040.