APP to app: How to avoid email and text fraud

3 June 2021


5 min read

Peter Cornforth

Peter Cornforth

APP scammer creating phishing program

Online fraud has blossomed, and it’s easy to become a victim






In recent months we’ve seen a dramatic increase in fraudsters exploiting our increased volume of online shopping to con innocent victims into sending vast sums of money and personal details. The latest research published by UK Finance suggests that 149,946 incidents of Authorised Push Payment (APP) fraud were reported in 2020 with gross losses of £479 million.







Fraud can begin with an unthreatening, exceptionally well-crafted, email or text message sent en masse to addresses that have somehow previously leaked onto the internet.  Messages will compel you to urgently update your details or send money to complete a transaction.  The realism of the message combined with the urgency is enough to convince many of us to act and comply with the fraudster’s demands.







It’s so easy for fraudsters to engage in this type of activity, as buying bulk lists of email addresses is cheap.  They only need a small number of responders to fall for the scam to make the business case stack up.






Your only recourse, as a victim, is to contact your bank to seek help.  Most high street banks have signed up to a voluntary industry code to reimburse customers who’ve fallen victim.  However—as reported by Which?—only 46% of losses have been reimbursed. Not great odds, then.



Prevention is better than cure





The financial services industry’s voluntary code contains a commitment by enrolled banks to educate customers on the risks associated with APP fraud.  Many will be familiar with communications from their bank instructing them to never click on a link asking for payment.  Sage advice indeed.












Unfortunately, many of these same banks also invest in, or offer directly, services asking customers to click on payment links consequently normalising this fraud vector.   The real issue that the industry needs to deal with is that the business case for delivering services over email and SMS is currently too good for banks and fraudsters to ignore.







Thankfully, it’s now possible to implement online payments without asking recipients to click on a dodgy link with ‘who knows what’ level of threat hiding behind it.







Request to Pay is an alternative communication channel that was launched last year.  It securely forges a secure communications channel between banks and payment service providers.  In other words, access to it is controlled by regulated companies who must abide by the rules and regulations for the use of the service.







How Request to Pay works






As a payer you choose which payment app/mobile bank app you want to receive your requests.  You can then instruct your billers to send you payment requests to that app.  Each biller must then send you a pre-authorisation message to confirm that you do indeed want to establish that payment relationship. The above process vastly limits potential fraud as it:







  1. Ensures that providers are regulated and follow scheme rules
  2. External third parties cannot send you a Request to Pay message
  3. No one can send you unsolicited messages
  4. You receive all of your messages in an app that you have chosen and trust
  5. You do not share your payment details with anyone






This makes it much harder for a fraudster to implement a phishing attack, whilst also ensuring that banks and payment providers have an outstanding business case; so, they can reap commercial rewards while complying with their own voluntary code.







For all of us, as bill payers, the introduction of Request to Pay is good news





In addition to minimising APP fraud, other great benefits include the ability to see all of your bill payment requests in one place enabling you to prioritise which ones you want to pay first.


  As Request to Pay a communication tool you can also request to part-pay or ask for a payment deadline extension from your biller to help you manage your money more effectively.  As you have the choice of which app you want to use you can choose what payment methods you want to use to pay for your bills.  You have more freedom than before but with greater security.






There are benefits for billers too






Industry adoption of Request to Pay is bad news for fraudsters, but the added security it offers to banks and bill payers doesn’t come at the expense of billers.







Billers pay a fixed price for each request sent meaning no variable costs of payment processing.







Where the payer may use different payment methods, the biller receives a bank transfer from the payer’s provider each and every time meaning they now have only one process to manage.







Lastly, as it is an end-to-end communication channel, the transaction reference numbers needed for reconciliation are immutable, meaning they’re carried unchanged from being specified by the baller at the start of the request to the payment of the request saving thousands in messy reconciliation processes.







The future of bill payment without the phishing risks






Request to Pay will soon become the normal way to pay bills as deployments continue to roll out. In the UK, the standard was launched in 2020, Europe standard launches in June 2021, with services planned or piloting in Australia, Canada and the US.