A possible way to stop most push payment fraud

Momanns

As others have said, the phone calls would shut down the banking system within hours. Most banking apps now have multiple warning messages but at the minute, the biggest issue is people who believe they are talking to their bank when they are actually talking to fraudsters. People then drop their guard, trust the other person etc etc. The other issue is data theft. Something more viable (in my humble opinion) would be:

1 - Mandatory Confirmation of Payee across all retail banks
2 - Introduction of mandatory biometric payment confirmation (Fingerprint/Facial recognition etc) via the app. This could be a phased introduction.
3 - Make Caller ID spoofing illegal. I can't think of many viable reasons for having this when compared to fraud losses.
4 - Annual fraud reports to be released by banks clearly outlining their losses.

kaMelo

In response,

1. Can't be done. Many smaller building societies use one account held with a big bank and use the reference to allocate money to specific accounts.

2. Mandatory but phased in is a contradiction. It would be discriminatory in requiring a capable device and it is not foolproof.

3. Number spoofing is how non geographic numbers work. It is by design not accident. Without it 0800/0845 etc. Doesn't work.

4. What is the purpose of that?

nyermen

I hear there is some sort of technical issue with why it cant be done, but one thing that would make a big difference imo is to stop number spoofing (cant these issues be resolved or new systems brought in?)

When a fraudster can call you, and show the incoming number as being the same as the one on your bank card, that goes a long way to convincing someone that the caller is really the bank.  
Ditto text messages eg. showing from "HMRC" and "HSBC".

Cant those numbers/names at least be protected from use by other systems/companies.

no i really dont know how it works, you can tell from my tone, but all i hear is its too difficult to stop fraudsters from impersonating bank phone numbers and that seems ridiculous.

eskbanker

It's been accepted by the telecomms industry that number spoofing, while fulfilling a variety of legitimate uses, is open to abuse - as mentioned above there are reasons why it can't just be switched off, but there are plans afoot to take action to minimise misuse:

https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/policy/tackling-scam-calls-and-texts

Momanns said:

1 - Mandatory Confirmation of Payee across all retail banks

kaMelo said:

In response,

1. Can't be done. Many smaller building societies use one account held with a big bank and use the reference to allocate money to specific accounts.

It can be done, but involves technical changes across all institutions to accommodate Secondary Reference Data - the PSR is pushing for this to be expedited but encountered resistance from smaller players, as outlined at 3.68 onwards in: https://www.psr.org.uk/media/ktonkca3/psr-rp21-1-confirmation-of-payee-response-paper-oct-2021.pdf

kaMelo

nyermen said:

I hear there is some sort of technical issue with why it cant be done, but one thing that would make a big difference imo is to stop number spoofing (cant these issues be resolved or new systems brought in?)

When a fraudster can call you, and show the incoming number as being the same as the one on your bank card, that goes a long way to convincing someone that the caller is really the bank.  
Ditto text messages eg. showing from "HMRC" and "HSBC".

Cant those numbers/names at least be protected from use by other systems/companies.

no i really dont know how it works, you can tell from my tone, but all i hear is its too difficult to stop fraudsters from impersonating bank phone numbers and that seems ridiculous.

But banks and others use the same number spoofing technology, that's how companies can have call centres all over the country, even the world, which all have tens or hundreds of actual phone numbers yet, no matter from whom or where the call comes it shows the same number to the recipient. It is not a flaw, it's by design.

That is why, for decades now, banks have been telling us to never assume the person on the other end of the phone is who they say they are. If anyone can honestly say they've never heard that then they must be living on a desert island.

born_again

MrFrugalFever said:

Daliah said:

Why not go right back to before the Internet and online banking?

No thank you. People just need to learn to take greater care and responsibility. It appears that this country is fixated on blaming everyone else for their misfortune’s but themselves.

You mean like the person that lost over £100K on a romance scam, who kept sending money despite being told by the banks it was a scam & was then taking them to FOS over their inaction...

Momanns

Absolutely - I agree that greater personal responsibility is probably the easiest and most effective solution but fraud is simply too incentivised in terms of how easy it can be to obtain funds vs the chances of getting caught. 'Take 5' and the other campaigns probably help a little but I think there needs to be a greater industry & gov response to tighten controls. 

Re point 4 - I still don't think Joe Public has any idea how large the scale of fraud has become so seeing the figures in black and white may hammer this home. More importantly, if certain banks are more susceptible to fraud, this may encourage customers to move their business elsewhere. Once profit margins start being affected, banks will be more inclined to implement enhanced measures. 

Not perfect I know, but something has to change.

eskbanker

Momanns said:

Re point 4 - I still don't think Joe Public has any idea how large the scale of fraud has become so seeing the figures in black and white may hammer this home. More importantly, if certain banks are more susceptible to fraud, this may encourage customers to move their business elsewhere. Once profit margins start being affected, banks will be more inclined to implement enhanced measures.

To a certain extent, the gross scale of fraud at each bank isn't the key issue affecting customers (and obviously poses some confidentiality issues), as this would need to be highly detailed in order to be meaningful, encompassing all types of fraud, whether related to security breaches, staff embezzlement, card fraud, etc, etc, and to what extent, if any, customers were impacted by each.

However, in the specific context of APP scams, it's likely to be more useful to understand how the bank responds, i.e. what the prospects are of the customer being reimbursed, etc.

Following on from highly variable responses shared in a March 2020 conference call (where anonymised reimbursement rates ranged from 1% to 59% across eight banks), the PSR is proposing that key metrics relating specifically to APP scams should be reported by the main banks, at https://www.psr.org.uk/media/kg0bx5v3/psr-cp21-10-app-scams-consultation-paper-nov-2021.pdf

Metric A: The proportion of APP scammed customers who are left – fully or partially – out of pocket 

• By volume: total APP scam cases where the cost is fully or in part borne by the victim, as a percentage of all the sending PSP’s APP scam cases; and 

• By value: total value of APP scam losses borne by victims, as a percentage of sending PSP’s total APP scam value. 

• Data would be split by scam value (in bands – for example, scams of £0-£1000, £1000-5000, etc) as well as in total. 

Metric B: Sending PSPs’ APP scam rate 

• By volume: total number of APP scam payments by consumers, as a percentage of total number of push payments by consumers; and 

• By value: total value of APP scams involving consumers, as a percentage of total value of push payments by consumers. 

Metric C: Receiving PSPs’ APP scam rate, net of repatriation 

• Total value of APP scam payments received from consumers minus the value repatriated, as a percentage of total value of push payments received from consumer accounts. 

Ergates

"How many of us make payments of more than £1,000 from our personal accounts more than once every few years, if that?"

Quite a lot.

Ergates

eskbanker said:

Momanns said:

Re point 4 - I still don't think Joe Public has any idea how large the scale of fraud has become so seeing the figures in black and white may hammer this home. More importantly, if certain banks are more susceptible to fraud, this may encourage customers to move their business elsewhere. Once profit margins start being affected, banks will be more inclined to implement enhanced measures.

To a certain extent, the gross scale of fraud at each bank isn't the key issue affecting customers (and obviously poses some confidentiality issues), as this would need to be highly detailed in order to be meaningful, encompassing all types of fraud, whether related to security breaches, staff embezzlement, card fraud, etc, etc, and to what extent, if any, customers were impacted by each.

However, in the specific context of APP scams, it's likely to be more useful to understand how the bank responds, i.e. what the prospects are of the customer being reimbursed, etc.

Following on from highly variable responses shared in a March 2020 conference call (where anonymised reimbursement rates ranged from 1% to 59% across eight banks), the PSR is proposing that key metrics relating specifically to APP scams should be reported by the main banks, at https://www.psr.org.uk/media/kg0bx5v3/psr-cp21-10-app-scams-consultation-paper-nov-2021.pdf

Metric A: The proportion of APP scammed customers who are left – fully or partially – out of pocket 

• By volume: total APP scam cases where the cost is fully or in part borne by the victim, as a percentage of all the sending PSP’s APP scam cases; and 

• By value: total value of APP scam losses borne by victims, as a percentage of sending PSP’s total APP scam value. 

• Data would be split by scam value (in bands – for example, scams of £0-£1000, £1000-5000, etc) as well as in total. 

Metric B: Sending PSPs’ APP scam rate 

• By volume: total number of APP scam payments by consumers, as a percentage of total number of push payments by consumers; and 

• By value: total value of APP scams involving consumers, as a percentage of total value of push payments by consumers. 

Metric C: Receiving PSPs’ APP scam rate, net of repatriation 

• Total value of APP scam payments received from consumers minus the value repatriated, as a percentage of total value of push payments received from consumer accounts. 

Part of PSD2 includes a report banks have to fill in on a 6 monthly basis about the type, number and value of fraudulent transactions reported to them (as a proportion of total transactions) - so the data is already gathered.  However, I can see the banks being *very* wary of this being made public as it would contain commercially sensitive information.