Colette Finnieston: Individuals and businesses must stay vigilant on fraud

Whether you are a technophile or technophobe, most people are alive to the need to be vigilant to cyber risks.

Whilst the crude scams are well-known and easy to spot, there are a huge number of more sophisticated ones targeting individuals and organisations going about their daily business.

Authorised push payment (APP) fraud is a huge risk to individuals and businesses alike. This is where a fraudster tricks an individual or organisation into sending payment to an account operated by the fraudster, rather than the account of the intended payee.

It is not new but, in a marketplace where financial transactions are more or less entirely conducted electronically, it has become all the more prevalent.

Figures from UK Finance show that, in 2018, £354.3 million was lost to APP scams, which can take various guises. For example, a house purchaser receives an email purporting to be from their solicitor, providing account details for the house deposit. However, the email is from a fraudster, with the account details of the fraudster’s account. Many individuals’ life savings have been lost this way.

Then there is invoice fraud, where the fraudster intercepts bona fide invoices, changes the account details, receives payment, then disappears with the customer’s money – with the supplier still unpaid.

This can have devastating effects for individuals and businesses alike.

The duped payer might argue that it was vulnerabilities in the intended payee’s systems which allowed the fraudster to intercept and amend payment details. This is a route that can potentially lead to ongoing legal arguments and could cause business relationships to break down.

Some fraud victims might have insurance in place to cover such eventualities. However, to make a successful claim, the policy-holder will in most instances require to show they (or their employees) met a required standard of vigilance.

Some businesses look to the individual who made the payment. There have been recent reports of a Borders firm which has sued one of its employees. The employee was deceived into transferring almost £200,000 to online fraudsters and accused of gross negligence. The employee claimed she was not properly trained to spot the scam. The outcome of that case is awaited with interest.

Many might assume their bank will reimburse them in instances of fraud, including APP. This isn’t always the case. Unless the customer can show wrongdoing on the part of the bank, they would have no right to reimbursement of funds.

However, following campaigns by consumer groups, the Payment Systems Regulator has established the APP Scams Steering Group. This Group has agreed a voluntary code (to be followed by those banks which are signatories) to apply to consumers and small businesses. The code comes into force on 31 May and signatory banks will be announced then. It will deal with APP frauds from that date.

Provided the customer has done everything expected of them in terms of the code, they will be reimbursed. If the bank failed to meet the standards expected of it in terms of the code, it will have to reimburse the customer. If both bank and customer did everything expected of them, the code provides that the customer will still be reimbursed. The exact details of the long-term funding of reimbursement in “no fault” instances have still to be worked out. Many banks are, understandably, resistant to becoming indemnifiers against online payment fraud.

Whilst the introduction of the voluntary code is welcome for consumers and small businesses, not all banks will be signatories and there is, as yet, no agreed long-term funding for refunds in “no fault” cases. Small businesses will need to show they followed their own internal procedures for approval of payments. The code will not assist businesses with more than 10 employees or with turnover of more than 2 million euros.

Ultimately individuals and businesses need to remain vigilant to APP fraud and make sure they have systems in place to prevent it, where possible.

Fraudsters’ methods are constantly evolving and total prevention will likely not be possible. Keeping up to date with current threats and putting systems in place to try to avoid them might well assist in making a claim to recover the funds – from banks, insurers or third parties.

Colette Finnieston is a senior associate, Clyde & Co