Collaborating with TSB and UK industry to combat opportunist fraudsters

On 26 September 2019, Vocalink, a Mastercard company announced a partnership with TSB to deliver Confirmation of Payee. The service, called Verify Account Name, is one of the first in the UK and leverages Mastercard's expertise in sophisticated analytics-led financial crime solutions. It uses account names and historical payment data to help financial institutions and their customers tackle rising incidences of misdirected payments and authorised push payment (APP) fraud, providing confidence in every payment.

The scale of APP fraud is eye watering. According to UK Finance, a total £455.8 million was lost in 2019 alone, including £317.1 million in personal losses and £138.7 million in non-personal losses or losses to business, in a total 122,473 cases. This type of crime is soaring, up by more than a fifth on the previous year, and now estimated to affect one in four people.

APP fraud takes many forms, but is in essence a scam in which a fraudster tricks an unwitting victim into sending a payment to an account they control. “Banks' defences have become more and more robust, so the ability of a criminal to — for want of a better phrase — hack into a bank account is now virtually impossible,” explains Ashley Hart, formerly* head of fraud at TSB. But APP fraudsters are opportunistic: “All they need access to is the customer, and people are very reachable.” During the coronavirus pandemic, criminals have preyed on people’s changing behaviours, anxieties, and generalised uncertainty, and incidences have increased massively.

Fraudsters are preying on people’s changing behaviours, anxieties and uncertainty

Since the beginning the coronavirus pandemic, the UK and other countries have recorded a spike in push payment for purchase scams, in which a fraudster advertises something for sale, accepts payment, but doesn’t follow through on delivering it. They’ve been responsive to people’s changing behaviours when it comes to the kind of goods they’re touting.

At the beginning of lockdown, people began shopping online for goods that were difficult to obtain in supermarkets: electronics; clothing; toilet paper. “Fraudsters capitalised on that,” says Hart. As the number of deaths from coronavirus passed 20,000 in the UK, criminals joined digital marketplaces and social media to sell fake testing kits and personal protective equipment. Now, as things are opening back up, they’re changing their bait. “We're starting to see more aspirational purchase scams: things like motorhomes, caravans and holiday cottages being advertised for rent or sale that simply don't exist.”

Another type of APP fraud is a safe account scam, in which a fraudster posing as a person’s bank contacts them to say their account has been compromised. The person panics, and is commonly too flustered to think rationally. ‘Don’t worry,’ the fraudster says. ‘We’ve opened a new account for you. All you have to do is transfer your balance across.’ Of course, that new account is owned by the fraudster and any money the person transfers into it is subsequently lost.

These deceptions are nothing new, but fraudsters are having greater success with fictions that are especially believable in the current context. Hart offers an example: “With so many people working at home, your broadband probably is running slower than it was before. So, when you get that call out of the blue from someone claiming to be [your broadband service provider]… it sounds believable.” This is a common set-up for remote access scams — where a fraudster tricks a victim into unwittingly handing over their account details.

When the fraudster, playing the part of the broadband technician, says ‘I can help you; all you need to do is provide access to your computer’, the person doesn’t think twice about granting their request. Of course, once a fraudster has access to a person’s computer they can discover their internet banking credentials, and empty a person’s bank account before they’ve even noticed. The impact can be devastating.

These are simple confidence tricks, but fraudsters also use incredibly sophisticated technologies to make their cons seem more legitimate. “They're not aiming [technology] at the bank account, because that won’t be successful” explains Hart. “They're aiming it at the customer.” Techniques include spoofing numbers: “It looks like it’s your bank calling, which increases that initial trust, and makes the fraudster’s work a little bit easier.“ This, coupled with people’s heightened anxiety at present, is a deadly cocktail for fraudsters’ success.

Anyone can be targeted by APP fraud. It’s not just the elderly or the digitally unsavvy, as many would expect; in fact, 18–35-year-olds are among the most common demographic to fall victim. “They probably have a larger online presence; they're probably more used to interacting with strangers on social media…,” offers Hart. That’s where the fraudsters approach them, pretending to be a peer.

Businesses, too, can fall foul of APP fraud. The same remote access scams are particularly effective on company executives working at home, and tend to be far more lucrative for a fraudster than targeting an individual. Other scams include invoice redirection fraud, where a fraudster poses as a business’s supplier to request payment into an account they control. The business remains none the wiser until the real supplier contacts them to say they haven’t been paid — the first payment is lost and the debt is still owed.

As we noted in last year’s UK business fraud report, 37 percent of business owners have either been a target of attempted payments-related fraud or know a business that has, and lost thousands of pounds in the process. 10 percent of business owners contemplated closing their business as a result. Twelve percent of UK bosses and entrepreneurs who have had to deal with the fall-out from crippling payments fraud reported problems with their relationships with family and friends as a result.

Combatting authorised push payment fraud with Confirmation of Payee

Though the UK payment industry couldn’t have foreseen the events of the past few months, it has long recognised the significant and rising threat of fraud. In 2018, Pay.UK, the UK’s leading retail payment authority, introduced Confirmation of Payee to help prevent misdirected payments and certain types of APP fraud.

Confirmation of Payee is a framework for checking the name that’s given to the one that’s registered for the recipient’s bank account when a person makes a new payment or sets up a new beneficiary, in addition to the account number and sort code. 30 June 2020 marked the deadline for the UK’s six largest banks to implement Confirmation of Payee; an encouraging number of other financial institutions have also signed up voluntarily.

“The fantastic thing about [Confirmation of Payee] is that it gives the customer complete confidence that the account they are about to pay into is definitely registered in the name they think it is,” says Hart.

But Vocalink’s research has found 60 percent of UK accounts have three or more name variations associated with them, and 80 percent of transactions are sent to accounts with three or more name variations. For example, you might have a business account that is associated with RH Plumbing, RH Plumbing Limited, Plumbing and Robert the Plumber. Statistically — the total number of name variations can exceed a staggering 1,300 for a single account. Seeking an exact name match runs the risk of unnecessarily flagging many legitimate payments. Hart: “It’s the long-running debate over ‘how do I balance a good user experience with keeping our customers safe’.” 

TSB is leveraging Vocalink and Mastercard’s financial crime solution to Verify Account Name to deliver effective confirmation of payee while catering for variations in name spelling and format. By using historical payments data and sophisticated algorithms, our solution helps financial institutions match the vast majority of account name, sort code and account number combinations with a high degree of accuracy even when name variations are high. The solution is readily available to implement with minimal IT impact.

In Hart’s experience, “the more intelligence and insight the Vocalink solution gives us, the better we're able to confirm a payment request is going to a genuine recipient.” If we can match the name a person gives for the account they’re paying into to the name that’s registered on the account, he says, “we can provide a seamless experience for more people”. If the name doesn’t match, the person is alerted to a potential fraud. “[It] causes the customer to stop and question the interaction they're having.” Early results from other banks that are live with the service show the alert is just enough to break the fraudster’s spell, helping to stop people and businesses falling victim to authorised push payment fraud.

Securing people’s trust in digital payments and banking

“Banking is all about trust,” asserts Hart. “Banking electronically is a step further — you never see your money, so you have to have confidence in the system… Deploying a cutting-edge technology [like Verify Account Name] to deliver confirmation of payee provides reassurance that their payment is going where they think it's going.”

It’s just one element of a comprehensive strategy to 'Prevent, Protect & Pursue' fraud. “We're holding workshops in communities across the UK to help people understand the threat of fraud and offer useful advice on how to stay safe,” Hart explains. 

But fraud does and will continue to happen. Falling victim can cause a person to lose confidence and trust in digital payment and banking technologies. In April 2019, TSB announced a UK banking first, a Fraud Refund Guarantee, to ensure the bank’s 5.2 million customers are protected if they are an innocent victim of fraud – whether it’s unauthorised transactions on their accounts or customers tricked into authorising payments to fraudsters. “It goes a long way towards taking the sting out of the crime that they've been a victim of and, at least in a financial sense, help to make them feel whole again.”

TSB’s customers have had a surprising extra response: “It encourages them to be more honest with us and share all the information they can about how a fraud has occurred.” This feeds back into the strategy. Working in collaboration with police forces around the UK, that intelligence is used to pursue fraudsters more successfully.

Industry collaboration and shared intelligence is also helping to pursue lost funds. TSB is one of the financial institutions that participates in Vocalink’s Mule Insights Tactical Solution (MITS), which traces the movement of stolen and illicit funds across the UK payment network to identify suspect criminal networks of accounts and enable financial institutions to shut them down. Nearly two years since going live, hundreds of thousands of accounts have been investigated and thousands have been shut down. Multiple, large, well-concealed money laundering rings have also been uncovered.

We’re making great strides in the battle against financial crime, but recent months have demonstrated how opportunistic fraudsters will continue to target the weakest link in the chain. The future will likely bring fantastic innovations in payment and banking technologies, but we have to be there for every customer, whether they choose to use the latest tools or not, and secure all channels — including legacy systems — to keep the criminals at bay. We've recently tested a new financial crime solution with TSB, which uses artificial intelligence and network-level data insights to help Prevent Retail Payment Fraud. Hart notes: "The results are really exciting; if we can develop and deploy this technology quickly it will be the closest thing to a game-changer that I've seen in years."

Initiatives like Confirmation of Payee and MITS are not a silver bullet, but industry collaboration will be. “Collaboration is the thing that will defeat the criminals; if we all work together, we all share insights,” declares Hart. This is especially evident in our recent work as part of a Retail Payments Taskforce, also working closely with HMRC to ensure that payments made as part of the Government’s financial support for people and business during coronavirus are made safely and at scale to the accounts to which they are intended.

By coming together to identify and prevent criminal activity, people and businesses can trust that we’re making every effort to win the war on financial crime.

Want to learn more about how TSB and Vocalink are partnering to combat authorised push payment fraud? Watch John Lyons, Payments Director at TSB and Vocalink CEO Gregor Dobbie in conversation on how Confirmation of Payee and our Verify Account Name solution will benefit and protect UK people and businesses from sending money to the wrong bank account or falling victim to authorised push payment fraud.

* Hart was head of fraud at TSB until September 2021