
How banks and fintechs can turn the tide on the rise of banking scams

As banking scams hit the mainstream, we’re taking a closer look at ATO and APP fraud.


Andy Cohen, talk show host, executive producer of the Real Housewives television franchise, and “Bravo-lebrity,” recently made headlines when he announced he had been the victim of a bank scam. According to Cohen, he lost a significant amount of money when fraudsters wired funds out of his account after an elaborate phishing attack. Three years before that, another Bravo star shocked fans when she was arrested for being the ringleader of a nationwide telemarketing fraud scheme that targeted thousands of people, mainly unsuspecting elderly folks.

But banking scams aren’t just happening inside the Bravoverse…

At this point, it seems like we all know someone who has been a victim (or an attempted victim) of a banking scam. As fraudsters have become more sophisticated and started to enlist the help of generative AI, they have been able to fool even the most savvy customers.

US consumers lost a record $10B to fraud last year, with imposter scams making up nearly a third of those total fraud losses. With the influx of scams, legislators are looking for more ways to protect victims, even directing their attention to P2P payment scams.

In Alloy’s 2024 Fraud Benchmark Report, authorized push payment (APP) fraud — which is often used synonymously with banking scams — was cited as the most common type of fraud seen by banks, fintechs, and credit unions. APP fraud was also named as the biggest driver of fraud losses for organizations.

With all this buzz around banking scams and APP fraud, there are a lot of questions.

  • What types of fraud are linked to bank scams?

  • Who’s liable if a customer gets scammed?

  • What are banks and fintechs required to do to protect their customers?

  • What are banks and fintechs doing to educate their customers so they avoid becoming victims?

We explore these questions and more below.

What are some common types of fraud resulting from banking scams?

A banking scam is when a bad actor tricks a legitimate user into either sending them money or granting the fraudster access to their bank account. There are two main types of fraud that occur as a result of banking scams: account takeover (ATO) fraud and authorized push payment (APP) fraud.

What is account takeover (ATO) fraud?

ATO fraud occurs when fraudsters gain unauthorized access to a target’s bank account. Once a fraudster has control of an account, they will often change the passwords and begin to transfer money out of the account themselves before the legitimate account owner can get back into the account to stop it.

Learn more about account takeover fraud here

What is authorized push payment (APP) fraud?

APP fraud — often also called an imposter scam — occurs when a fraudster swindles an authorized user into transferring money to a bad actor, often using social engineering scams.

With APP fraud being such a hot topic, let’s dive into some common channels and tactics used to carry out APP fraud.

Top channels used in APP fraud

Fraudsters typically prefer channels where the funds are sent in real-time to steal money during bank scams, such as wire transfers, P2P payment services — like Zelle or Venmo — and the UK’s Faster Payment System (FPS). Real-time payments are processed quickly and have varying levels of irrevocability.

To combat this, regulators in the UK proposed a new draft law earlier this month that would enable banks and fintechs to delay bank transfers and payments for up to four days if APP fraud is suspected.

Read our blog, Real-time payments: RTP vs. FedNow, to learn more about the various types of real-time payments, their processing speed, and whether or not they are reversible.

Fraudsters also exploit channels such as ACH, including external transfers, as another means to move funds.

Common scam tactics used in APP fraud

Social engineering scams: When a fraudster impersonates a legitimate party (like an employee from the victim’s bank) and reaches out to a target through an everyday social interaction — like email (phishing), text message (smishing), or phone (vishing) — to trick them into sending money to a fraudster. Social engineering scams are also commonly used to execute ATO fraud. These scams have only gotten more sophisticated and realistic as a result of AI.

Vulnerable adult and elder abuse: This type of fraud involves the targeting of elderly adults or adults that have some type of cognitive impairment to trick them into sending money under false pretenses.

Romance scams: This type of scam, made popular by MTV’s Catfish TV show, occurs when a fraudster creates a fake online identity and starts a relationship with an unsuspecting target, eventually manipulating the victim into sending them money or expensive gifts.

Investment scams: This type of scam occurs when a fraudster convinces victims to invest money into stocks, crypto, real estate, etc., under false pretenses. Fraudsters may present victims with fake information about a real investment, or they may make up a fake investment opportunity altogether. Investment scams can often result in victims losing large amounts of money, sometimes even their life savings.

Learn more about these scams in our fraud types deep dive guide.

Who is liable for money stolen from APP fraud?

Legal and financial responsibility for any money stolen during these scams is not a one-size-fits-all approach.

Historically, the sender of a push payment has been liable for the transaction. If an individual is a victim of a scam and sends a wire, then they will be in a loss position unless the bank is able to successfully recover the funds or reimburse the client. However, the recovery of the funds is not guaranteed.

We have also experienced a liability shift with some transaction types when a scam victim is involved.

In June 2023, EWS announced they would begin reimbursing consumers for certain types of imposter scams.

In March 2024, the National Clearing House Association (NACHA) – the organization that manages the ACH network in the U.S. – announced new rules requiring fraud monitoring of ACH payments, with the goal of reducing widespread APP fraud. In the UK, the Payment Systems Regulator (PSR) announced new rules in December 2023 to protect consumers from APP fraud. The new PSR and NACHA rules are both set to go into effect in October 2024, making October an important turning point in the fight against APP fraud.

With that said, there are many factors that play into whether or not stolen funds can be recovered by the bank/fintech or if the bank/fintech must reimburse the client for losses that cannot be recovered. These factors include things like the channel the money was stolen from, the type of scam, and the level of client involvement.

Goodwill credit for scam victims

Despite the nuances in a bank/fintech’s legal responsibilities for fraudulent transactions resulting from scams, organizations often choose to reimburse the client with goodwill credit to maintain the customer relationship even if they are not technically on the hook for the lost funds.

How leading banks and fintechs prevent scams from happening in the first place

Because authorized accounts and/or credentials are being used to send the money during APP fraud and ATO fraud, they can be difficult to detect – and even more challenging to resolve in a way that maintains customer trust.

So, how can organizations prevent their customers from ever falling victim to these scams?

Robust fraud controls at onboarding

It all starts with new customer onboarding. There is a shared responsibility between the sending and receiving banks to keep bad actors out of their systems. Comprehensive fraud checks at the time of customer onboarding will prevent fraudsters from ever having accounts they can funnel fraudulent money into in the first place.

Learn more about Alloy’s onboarding solution

Step-up authentication methods

Step-up authentication methods add additional layers of security against unauthorized account access. Step-up authentication methods that are most useful in preventing scams include multi-factor authentication (MFA) and selfie ID verification.

Learn more about step-up authentication here


Pop-up messages

Many financial institutions and fintechs use pop-up messages to force customers to take an extra second to think about who they are sending money to and require a double opt-in before sending the payment.


A focus on identity over transactions

When banks/fintechs focus solely on monitoring transactions (and do not include identity risk management), they can only ever catch the scams after a fraudulent transaction has taken place. This approach would mean that the money had already been stolen by the time the bank detected the fraudulent behavior — and as money is moving faster, your chances to actually retrieve the fraudulent funds are diminishing.

Instead, building an evolving risk profile for each customer that outlines their typical behaviors, devices, and channels can help you spot an anomaly after a client has become a target of a scammer, but before a fraudulent transaction has occurred.
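The identity-first approach described above, as an added example (not Alloy's code or product logic): a per-customer profile of known devices, channels, and payees is built from constructed history, then the activity leading up to a payment is scored so that step-up authentication or a hold can be triggered before funds move. All field names, weights, and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Illustrative weights and thresholds (assumptions, not from the article).
WEIGHTS = {"new_device": 30, "new_channel": 15, "credential_change": 25,
           "new_payee": 20, "amount_outlier": 20}
STEP_UP_AT, HOLD_AT = 40, 70

@dataclass
class RiskProfile:
    """Evolving picture of one customer's typical devices, channels, payees."""
    devices: set = field(default_factory=set)
    channels: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    max_amount: float = 0.0

    def learn(self, e):
        """Fold an event already confirmed as legitimate into the baseline."""
        self.devices.add(e["device"])
        self.channels.add(e["channel"])
        if e["type"] == "payment":
            self.payees.add(e["payee"])
            self.max_amount = max(self.max_amount, e["amount"])

def score_session(profile, events):
    """Score activity seen so far; works before any payment is requested."""
    reasons = set()
    for e in events:
        if e["device"] not in profile.devices:
            reasons.add("new_device")
        if e["channel"] not in profile.channels:
            reasons.add("new_channel")
        if e["type"] in ("password_change", "contact_change"):
            reasons.add("credential_change")
        if e.get("payee") and e["payee"] not in profile.payees:
            reasons.add("new_payee")
        if e["type"] == "payment_request" and e["amount"] > 3 * profile.max_amount:
            reasons.add("amount_outlier")
    score = sum(WEIGHTS[r] for r in reasons)
    action = "hold" if score >= HOLD_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return score, sorted(reasons), action

# Constructed sample data: three past payments, then two suspicious sessions.
profile = RiskProfile()
for amount in (120.0, 80.0, 200.0):
    profile.learn({"type": "payment", "device": "phone-A", "channel": "mobile_app",
                   "payee": "landlord", "amount": amount})
ATO_LIKE = [  # new device, credential reset, new payee: no payment requested yet
    {"type": "password_change", "device": "laptop-X", "channel": "web"},
    {"type": "add_payee", "device": "laptop-X", "channel": "web", "payee": "acct-9"}]
APP_LIKE = [  # customer's own device, but a large first payment to a stranger
    {"type": "payment_request", "device": "phone-A", "channel": "mobile_app",
     "payee": "acct-7", "amount": 5000.0}]
```

The ATO-like session reaches the hold threshold before any payment request exists, while the APP-like session, made from the customer's own device, only reaches step-up; that is the point at which a confirmation prompt or double opt-in fits.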

Learn more about how an Identity Risk Solution can help you proactively manage ongoing fraud risk.

Customer education programs

As part of the Risk Management program, banks are required to have fraud training and education programs for both employees and customers. That said, there are no specific metrics a bank must adhere to for client education.

As scams have become more and more common, banks and fintechs have amped up their customer education programs to better arm their clients against common banking scams using new and creative mediums.

For example, after Early Warning Services announced plans to reimburse for some Zelle scams, Zelle went viral when they released their video campaign starring actress Christina Ricci as a member of the “S.A.F.E. Squad,” a fictional P2P fraud-fighting team. The video series uses dramatized scenarios of Ricci’s fraud-fighting team working to stop P2P fraud as a creative way to educate viewers on how to avoid common scams.

5 tips for banks and fintechs building out their customer fraud education strategy

  1. Consider all of your channels as a platform to educate customers. Prioritize channels where you see the most activity. Understanding how your customers are interacting with your banking services will ensure you are making the right allocation of investment into the right channels.

  2. Educate your customers on an ongoing basis. You can’t just send one email and call it a day. Build out a strategy that includes educating your customers regularly on the different types of scams and fraud risks they may face.

  3. Use examples and language that your customers can understand. We all know there are a lot of complicated terms and acronyms in financial services. Save those for internal education programs. When educating your customers, use relatable terms and examples.

  4. Tailor what scams you educate most about to what fraud schemes you see most commonly. If you’re seeing an increase in a certain type of scam, be proactive about educating customers on how they can spot that activity before it happens to them.

  5. Strike the right balance between education and fear-mongering. It’s easy to sound pessimistic when talking about all the different scams your customers can possibly fall victim to. Keep the focus on providing them with the tools to protect themselves, and assure them that you have their back in the fight against fraudsters.

The importance of “the moment of truth”

In banking, your overall customer experience is only as good as your fraud processes. Banking professionals often use the term “the moment of truth” to describe the moment in which a customer is victimized by a fraudster.

At this moment, how the bank/fintech responds to the fraud incident has a lasting impact on the customer.

Did the client know where to call and how to report the activity? Was the activity detected and the client loss prevented? If money was successfully moved out of the client’s account, did they get it back? How quickly was the issue resolved, and did the client receive clear, concise, and timely communication from the bank?

Once fraud is experienced, it is imperative that the client feels their situation is being handled properly and with empathy. The sooner a bank/fintech can identify that the client is at risk, the better. This interaction can define the client's relationship with the financial institution in the future, and alert them to secure any other bank accounts they may have at other financial institutions.

If the situation is handled well, then a client may be more inclined to deepen their relationship with the bank and expand the products and services they are using. When a client has a negative experience, they may be more inclined to move their account relationship to another financial institution.

Alloy helps hundreds of the world’s leading banks, fintechs, and credit unions prevent banking scams, ATO, and APP fraud.
