Be Aware of Authorised Push Payment Fraud in Your Business

Authorised Push Payment (APP) fraud is whereby fraudsters tricking victims into making large payments by bank transfer. APP fraud is one of the most prevalent scams with, more than £450million being lost in the first half of 2024. Banks and financial providers were only able to return £121.5million of these losses

These scams are simple, but effective and scammers tend to gain useful information about their targets via the business website, looking to replicate the email addresses of managing directors, CEO’s and finance directors in order to harness their authority s within the business in an attempt to get employees make fraudulent payments.

How to protect yourself and your business from APP fraud:

If anyone asks you to send a payment to different bank details than you were expecting, verify it with the intended recipient before sending. Do not trust the contact details listed in any emails, as they are likely to be the details of the hacker and not the company in question.

When making large payments (even one you are expecting) you can make a small payment first and check that the payment is sent to the correct person before transferring the rest.

Employees who communicate with your suppliers should be informed of what types of information a supplier will and won’t ask forStaff should know the escalation procedure for dealing with suspected fraud. .

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week. You can also report online at actionfraud.police.uk.

For more advice on how to improve your business’ cyber security in an affordable and practical way, please see the National Cyber Security Centre’s Small Business Guide.

For further guidance please contact [email protected]

The NEBRC is a police led non-profit organisation that seeks to educate, inform, and support businesses across the UK on how to protect their business online through good cyber security practices.

Sign up to receive the NEBRC’s free core membership today and stay up to date with the latest cyber security updates and gain access to a wealth of handy resources

Cookie	Duration	Description
CookieConsent	1 year 1 month 4 days	This cookie stores the user's consent state for the current domain.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
hubspotutk	6 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts. It contains an opaque GUID to represent the current visitor.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
_fbp	3 months	Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
__hssc	30 minutes	This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
__hssrc	session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
__hstc	6 months	The main cookie for tracking visitors. It contains the domain, hubspotutk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
lpv*	1 hour	This cookie is part of Pardot and prevents the tracking of multiple page views over a single session.
visitor_id*	1 year 1 month 4 days	Pardot sets this cookie to store a unique user ID.
visitor_id*-hash	1 year 1 month 4 days	Pardot sets this cookie to store a unique user ID.

Be Aware of Authorised Push Payment Fraud in Your Business

Useful Links