Prevent Authorized Push Payment Fraud with Developer Tools Detection & Remote Control Detection


Imagine receiving a call from "tech support" claiming your computer has been compromised. They ask for remote access to fix the issue, and once inside, they request payment to fix the non-existent problem or push you to buy a fake warranty “to ensure it doesn’t happen again.” They might even call you pretending to represent your bank, saying someone is currently trying to hack into your account, and trick you into transferring money to a "safe" account.

These are just a few examples of Authorized Push Payment (APP) scams, where fraudsters use deception and manipulation through fear, trust, or emotional bonds to trick people into sending them money.

From fake payment schemes and bogus urgencies, to investment opportunities and romance scams, these tactics leave victims not only with financial losses, but also feeling violated and helpless when they realize they’ve been conned. Moreover, because APP scam victims authorize the transactions themselves, recovering the stolen funds becomes far more difficult than with other types of fraud.

Unfortunately, APP fraud is on the rise — according to ACI Worldwide, losses caused by fraudulent transactions are projected to be as high as $6.8B worldwide in 2027.

APP fraud: Reclaiming lost funds & new APP rules for UK customers

What makes the impact of APP fraud even worse is the difficulty victims face in reclaiming lost funds. Unlike other types of fraud, where transactions are unauthorized, APP fraud involves victims willingly making the payment, even if they were deceived. This leaves them with limited options for recourse. Refund policies also vary significantly across payment services — for example, only 12% of fraudulent Zelle payments are refunded — making it even harder for many victims to recover their money.

However, change is on the horizon with newly proposed laws and regulations aimed at protecting consumers. Notably, the UK is introducing a set of rules that will take effect on October 7, 2024. Under these new regulations, payment service providers must reimburse customers who fall victim to APP fraud. These rules are designed to ease the burden on victims and hold financial institutions more accountable, offering much-needed relief to those affected by these increasingly sophisticated scams.

How to spot the red flags of APP fraud

With new regulations on the horizon, affected businesses must design stronger systems to detect and prevent APP fraud while also educating customers about these risks. Even financial services not covered by these regulations should enhance their fraud prevention efforts to better protect consumers and reduce the threat of fraud.

But how can businesses stop APP fraud when the transactions are made by legitimate users? Even though the payment is authorized, certain signs — such as unusual account activity, changes in behavior, or remote access requests — can indicate APP fraud is in progress, allowing businesses to intervene before it's too late.

One of the most common attack vectors fraudsters use is convincing their victims to share control of their computers through remote control software. Next, they modify legitimate webpages to convince the victim to give them money. This is often referred to as a tech support scam.

A successful tech support scam uses multiple steps to achieve its goal. However, all of them result in monetary loss for the victim. The attack usually starts with a phishing campaign, convincing the user that they are talking to a representative from a well-known institution. What the attacker claims varies, but one of the common approaches they use is telling the victim they might be eligible for some kind of refund.

This is followed by persuading the user to allow the attacker to remotely access their machine to “check if their computer is eligible.” They then run a script that outputs a message saying the victim has been issued a refund. The attacker then acts surprised, claiming they unintentionally submitted an incorrect amount — but in reality, they haven’t sent any money, and the claim is completely fake.

The next step is convincing the victim that the money actually hit their account. To achieve this, the attacker modifies the webpage code to show an incorrect amount of money in the account or a falsified refund transaction. In some cases, they might even send a small amount of money to make the scam seem more credible and simplify the process of altering the displayed information.

Seeing the incorrect amount, the victim is likely to send the difference between the “correct” and “wrong” amount back to the attacker, believing they are fixing a mistake. In doing so, they wind up transferring their own money, causing monetary loss for themselves and, potentially, the financial institution involved. 

As seen in the above example, many tech support scams are perpetrated through the victim's browser. Fortunately, that’s also where the attacker can be stopped with the device intelligence Fingerprint provides.

Preventing APP fraud with device intelligence

Let’s see how this attack can be detected at two different touchpoints. As mentioned earlier, there is a critical step where the attacker needs to gain remote access to the victim’s computer. While we can’t prevent this entirely, we’ve developed a technique that can detect known remote control applications like RDP, TeamViewer, and AnyDesk. This allows us to identify when there might be an active screen-sharing session in place.

The second step, page modification, happens when the attacker uses the developer tools available in all major browsers, which allow the attacker to alter the page content — such as account or transaction amounts — in real time. 

Detecting or preventing these modifications is challenging since modern web applications frequently change the page content, creating too much noise. However, it is possible to detect if developer tools are open with our Developer Tools Detection Smart Signal. When combined with an active remote control session, this detection can raise suspicion of fraudulent activity.
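
As an added illustration (not Fingerprint's code), here is one way a payment backend could combine the two signals with the "refund correction" pattern described earlier before releasing a transfer. The event shape (`products.remoteControl`, `products.developerTools`), the payment and credit fields, and the action names are assumptions made for this sketch.

```javascript
// Added example. Field names (products.remoteControl, products.developerTools,
// payment.*, credit.*) are assumptions for illustration, not taken from the page.
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns true/false, or null when the signal is absent, so "not measured"
// is never silently treated as "clean".
function readSignal(event, name) {
  const result = event?.products?.[name]?.data?.result;
  return typeof result === "boolean" ? result : null;
}

function assessPayment(event, payment, recentCredits, nowMs) {
  const remote = readSignal(event, "remoteControl");
  const devtools = readSignal(event, "developerTools");
  // "Refund correction" pattern: the payee sent this account a smaller credit
  // within the last day and the customer is now paying them a larger amount.
  const repaysCredit = recentCredits.some((c) =>
    c.fromAccount === payment.toAccount &&
    nowMs - c.timestampMs <= DAY_MS &&
    c.amount < payment.amount);
  const riskyTransfer = repaysCredit || payment.newPayee === true;

  const reasons = [];
  if (remote) reasons.push("remote_control_active");
  if (devtools) reasons.push("developer_tools_open");
  if (remote === null || devtools === null) reasons.push("signal_missing");
  if (repaysCredit) reasons.push("repays_recent_credit");
  if (payment.newPayee === true) reasons.push("new_payee");

  let action = "allow";
  if (remote && devtools) action = "hold"; // the combination the article describes
  else if (riskyTransfer && (remote || remote === null || devtools === null)) action = "step_up";
  return { action, reasons };
}

// Constructed sample data.
const NOW = Date.UTC(2024, 9, 7, 12, 0, 0);
const sampleEvent = {
  products: {
    remoteControl: { data: { result: true } },
    developerTools: { data: { result: true } },
  },
};
const samplePayment = { toAccount: "ACC-EXAMPLE-2", amount: 900, newPayee: true };
const sampleCredits = [
  { fromAccount: "ACC-EXAMPLE-2", amount: 10, timestampMs: NOW - 30 * 60 * 1000 },
];
console.log(assessPayment(sampleEvent, samplePayment, sampleCredits, NOW));
```

Developer tools on their own do not change the outcome here, since legitimate users open them too; the reason is still recorded so analysts can see it in the decision log.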

Start building smarter APP fraud prevention today

Overall, the Smart Signals combination of Remote Control Detection and Developer Tools Detection provides very strong protection against “tech support” APP attacks, making customers of financial institutions safer while also preventing significant monetary losses.

To learn more about how Fingerprint’s device intelligence can help you detect and prevent APP fraud, including tech support scams and other forms of fraud targeting your customers, contact us today for a personalized demo. Or start a free trial to experience it in action for yourself!

FAQ

What is APP fraud?

APP fraud, or Authorized Push Payment fraud, occurs when fraudsters trick individuals into authorizing payments to fraudulent accounts. Victims are often manipulated into believing the transaction is legitimate, making it difficult to reverse.

What are some types of APP fraud?

Common types include purchase scams, investment scams, romance scams, advance fee scams, invoice and mandate scams, CEO fraud, and impersonation of authorities.

What is the new UK regulation for APP fraud repayment?

The new UK regulation requires payment service providers to reimburse victims of APP fraud, provided they took reasonable care to avoid falling for the scam. This aims to offer better protection and accountability for both banks and customers.
