The UK’s leading retail payment authority Pay.UK has announced a new service that will provide significant added protection for online bank payments. It is designed to combat increasingly widespread authorised push payment fraud, where people are conned into sending money through their online bank to the wrong account.
At present, when a user enters the details of an electronic payment, the bank only verifies the sort code and account number. While there is typically the option to enter the name of the payee, this is not checked by the bank during the verification process.
This exposes users to what is known as authorised push payment fraud, where criminals are conning them into making expected payments to the wrong account. Here the user will enter the correct name of their intended recipient, but the wrong account number or sort code, provided to them without their knowledge by the criminal.
This is often achieved by phishing, where a user receives an email that looks like it comes from a trusted source but is actually from a criminal, or account takeover attacks. These are on the rise, and involve a hacker gaining control of a genuine email account and sending emails to contacts posing as the original owner.
In severe cases, these kinds of attacks have led to individuals sending the entire balance of payment for a new house over to a criminal.
Confirmation of Payee: Making names part of the verification process
Under the new service being outlined by Pay.UK, the name of the payee will be included as part of the verification process, making these kinds of attacks much harder to pull off.
Dubbed Confirmation of Payee, it will allow banks to check the name on the account a person is sending money to with the name they have provided.
If the name is a perfect match, the payment will proceed as normal. If it is similar, but not quite the same, the person sending money will receive the correct name of the account they have entered the details of. Assuming it matches their expectations, they can update the payee name option and proceed with the payment.
However, if there is no match, as would be the case if a criminal had supplied them with a different account number and sort code, they would be informed the name was wrong. In this case, the payment would not go through, and they would be advised to contact the person or organisation they are trying to send money to.
Making contact would either allow them to correct a genuine error or expose the attempted authorised push payment fraud.
“Confirmation of Payee will let you check you have the correct name for the person or business you’re paying, giving better protection against certain types of fraud, and helping to stop accidental mistakes too,” said Paul Horlock, Pay.UK chief executive.
Combatting authorised push payment fraud
While the system will not resolve all types of payment scams, it should provide a valuable tool in combatting authorised push payment fraud.
The system will be available for banks, building societies and other similar organisations to roll out from 2019.
There will also be a consultation by the Payment Systems Regulator about making it mandatory for such organisations to implement the scheme. This will occur in the first half of 2019, following a consultation with potential participating organisations.