Authorised push payment fraud is a type of fraud in which people are manipulated to change the payment details of an expected payment to the account of fraudsters. Although it is not exclusively a type of cyber-fraud, since the notification of payment detail changes could also be made by telephone or letter, it has become an increasingly popular method of cyber-fraud through its use of email. This attack is a kind of man-in-the-middle attack.
The general approach is for fraudsters to hack into emails of their targets using various methods (social engineering, malware). From these emails, they can find planned payments which the victim is expecting to make, and contact them with the details of a new bank account for the payment to be forwarded to. The victim, being unaware that anything is amiss, then proceeds to change the details of the forthcoming payment.
- Because the payment is willingly made by the victim, banks can avoid being held responsible for refunding the victims of this type of crime.
- Property transactions have become a popular target of this kind of fraud, particularly because they can involve huge sums of money.
- The best way to prevent this kind of fraud is to make contact with the supposed party requesting the new payment details using a method which cannot be spoofed (such as a phone call or personal visit) using the contact number or address that is known to be associated with the party (and not those provided in the payment change email).
Last updated: 9 June 2018