An update on our work to prevent authorised push payment fraud

Hey folks, I’m Rich and I look after Fraud & Disputes Risk at Monzo. I wanted to give you a bit of an update as the Payment Systems Regulator (or PSR) has just published fraud data for 2023.

I’m here to share some context behind the latest figures, update you on the work we’re doing in this space and answer any questions.

We’re committed to preventing APP fraud and we’ve been making steady progress

APP Fraud is an issue across the industry and last year victims in the UK lost over £1.17bn according to UK Finance. At Monzo, our priority is clear: to prevent fraud happening in the first place – to stop criminals from profiting and protect our customers from the financial and emotional distress that comes with falling victim.

As we explained last year, this is something we’ve really been investing in, and we’re starting to see that investment pay off. Last year we stopped £4.7 million getting into the hands of fraudsters. And this year we’ve already prevented 55% more fraud than in 2023.

Our approach relies on a combination of human experts and technology to help us proactively protect customers (with preventative security features), identify potential fraud (with machine learning models), and step in to try and stop it (with effective blocks, warnings and other interventions).

The PSR’s latest data shows we’ve reduced both the volume and value of money our customers lose to fraud and reflects some of the early progress we made last year.

In 2023 we invested in preventing impersonation and investment scams

Last year we focussed on reducing the most harmful types of scams – ones that are complex and sophisticated, and can result in customers losing large amounts of money, like impersonation and investment scams.

We’ve done this through a combination of cutting-edge technology to detect risks, and highly-trained fraud investigators to “break the spell” of scams in real-time.

The PSR’s data for 2023 shows we reduced the value of fraud our customers reported by 24% thanks to this focus on higher value scams. If we look at impersonation scams specifically, we reduced the value of fraud our customers reported by 48% last year.

We’re making headway to prevent more purchase scams

While we’ve made significant progress to prevent the most harmful scam types and reduce the overall value our customers are losing to fraud, we know we still see a higher volume of our customers falling victim to fraud.

As we shared last year, this is because we already tend to see a higher proportion of purchase scams as our younger customer base shop online more. To bring that to life, across the industry last year purchase scams increased by 35% in volume last year. But at Monzo we’ve seen them increase by 41%.

76% of APP Fraud (mainly purchase scams) originates online, typically via social media, where there’s currently no incentive for them to reduce fraud, or accountability for reimbursing victims.

Preventing purchase scams is a big focus for us this year, and Chris Wood recently gave a detailed update on our work in this space as we iterate to find genuinely effective ways to intervene when we detect potential purchase scams, without relying on bluntly-applied warning screens we know people are desensitised to.

We’re getting ready to comply with new regulatory requirements around reimbursement

While we’ll always be focused on prevention, reimbursing innocent victims of APP fraud is important to reduce the harm caused by fraudsters.

You’ll see our reimbursement rates are still among the lowest, and as with last year, this is because we’re less likely to reimburse for purchase scams as they’re relatively unsophisticated, lower in value and often not clean-cut cases for reimbursement.

We’re of course working to be ready to comply with the incoming regulatory requirements from the PSR which will land in October this year.

We’re preventing fraud happening through Monzo and returning money to victims

The PSR data for ‘Metric C’ is about money muling, where criminals recruit people to receive fraudulent money into their bank accounts. ‘Mules’ typically keep a small cut of the money for themselves, before they quickly transfer the rest onto someone else’s account. This happens multiple times through a network of different bank accounts. So by the time the money reaches the criminal’s account, it’s really difficult to trace back to them.

We continue to prevent money muling effectively, and this is reflected in the results which show we’ve reduced both the value and volume of fraud we’re receiving even further.

What’s especially effective about our approach is that we work in real time. Our machine learning models leverage a huge number of different signals related to money muling along with intelligence gathered by our skilled team of investigators. We monitor transactions in real time which means we can spot fraudulent payments immediately and our fraud investigators work 24/7 so they can review potentially risky payments straight away. This means we can intercept them before money mules have a chance to send the money on.

We’re developing innovative security features to protect customers

You’ll have hopefully seen we’ve been working to build industry-first security tools to keep our customers’ money safe, approaching this challenge with the same product and design thinking we use elsewhere at Monzo.

Through our Call Status tool we’ve seen more than 4,000 reports of potential fraud this year. We’re going to make it more discoverable in the right way by using it as part of “in the moment” interventions: when we detect an impersonation scam may be happening in real-time, can we surface the tool so you can check if you’re speaking to Monzo or not? We’ll be back soon to share an update with you as we prepare to roll this out.

This week we started rolling out three new security controls which each add an extra layer of security when you’re making larger bank transfers or withdrawing from your savings. We designed them to combat phone theft, shoulder-surfing and impersonation scams.

Fraud and security aren’t the easiest topics to speak about externally or to share our work in a transparent way – as we naturally don’t want criminals to use this information to their advantage.

But as we continue investing in these areas, we’re committed to keeping you in the loop with our progress and I’m sure we’ll be back to pick your brains. I especially want to thank you all for helping us shape our interventions and customer-protections with your feedback, suggestions and challenge on here.

Let me know if you have questions and I’ll answer as far as I can - Thank you, Rich

My main question is when you look at the report APP fraud performance data | Payment Systems Regulator it looks to kinda show Monzo in a bad light in compared to the rest of the industry. Any comments on this?

The report seems to suggest that if you’re scammed as a Monzo customer you’re very unlikely to get your money back?

A mitigating factor could be that it’s much harder to get scammed on Monzo and so anybody that has been scammed has been extremely negligent and so aren’t entitled to a refund? There’s nothing I’ve seen using Monzo that would suggest this is the case though (ignoring the feature currently rolling out).

(Edit) also APP being in capitals suggests it’s not referring to the Monzo app but is an acronym for something else?

(Edit 2) yes, I’ve read the first paragraph and see it’s Authorised Push Payments

Yes, the data looks at Faster Payments and authorised push payment fraud (APP fraud) which is where fraudsters trick you into sending them money.

TL;DR: you’ve gotten worse at this in the last year. Mildly better at preventing them, but when it does happen, worse at reimbursing the fraud.

October’s regulations can’t come soon enough. I just wish Monzo would have jumped before being pushed to protect customers. Something you actually promised to do when neglecting to sign up to the code, but, as it turns out, never fulfilled.

I posted on last year’s thread how my brother was caught out by one of these scams:

Since that post he has been scammed again, and Monzo’s response was unchanged, only this time they moved to close his account in the aftermath of his complaint.

You should be driving the innovation in this space Monzo. Not the regulator. You should be taking care of your customers. Not the regulator.

The proof in your commitments made here and in last year’s response to 2022’s data will be in 2024’s data. And I really hope that turns out to be case.

Please do better.

I partly agree with you, and the report is definitely disappointing

Out of curiosity is there any chance you could share some information about what scams your brother fell for?

I’ve had a relative who I suggested Starling to nearly fall for a scam, and have been nudging them towards Nationwide for a while

Though I can see the logic behind closing the account - I imagine they suspect the reports may be dishonest or just think the customer has become a risk…

With all respect and I don’t mean this in any way of jest, I understand falling for a scam once or twice but after four times I’d be surprised if many banks would keep a customer, at the very least I’d imagine they’d be marked as vulnerable with a high street bank and have every new payee screened with a call from the fraud prevention team

Buying stuff that doesn’t actually exist on Facebook marketplace when he’s drunk. Sober he’d spot it. But drunk, browsing Facebook in the early hours, and ADHD just don’t mix, evidently. I suspect the protections Monzo previewed last year might have helped.

He’ also fallen for the fake Monzo call scam before. Only once mind, never again after the first time. I suspect, since he fell for it one time, he’s on some kind of list because he gets those calls quite often. Though fake Monzo clearly hasn’t got the memo from real Monzo just yet.

Surely there has to be some personal responsibility here? Yes, it is a scam, but you also say that if he was sober he wouldn’t fall for it. A balance to strike. I think a lot of people have lost money on things drunk regardless of if online or not.

I mean, I’m making a guess and inferring my own wits onto him, because I’m not him and I don’t see how anyone could have fallen for it in normal circumstances. To me, they’re too obvious. He very well may have still fallen for it sober, I don’t know. But that’s the nature of APP fraud. They prey on our vulnerable moments in times when we’re far more likely than normal to fall for it.

There’s a duty of care from the banks too and a share in responsibility, given how prevalent this type of fraud is and how often people fall victim to it. They facilitate it after all. The issue is (at the time) Monzo do effectively nothing. Other banks do quite a bit. His main bank prior to Monzo, and the one he went back to (Halifax), are a heck of a lot more proactive, and most importantly, the one time they didn’t prevent it, refunded him in full. So that’s the baseline expectation that’s been set here with respect to this type of fraud.

Does he ever expect to get the money back? No. Does he expect his bank to try to protect him? Yes. The nature of his complaints aren’t that they didn’t refund him or to get his money back, but that they didn’t warn him he might be getting scammed like Halifax do.

Okay that’s fair enough but at the same time there are actions you can take while sober, especially after the experiences i.e not using a Fintech bank as most of them have made their position on refunding clear

I’m not sure that Monzo wouldn’t put a case in for negligence even with the October rules in the scam above, but if you know you’re the kind of person who might get drunk and fall for a scam and you’re vulnerable to that kind of thing really you should stay with Halifax, Nationwide etc - I know that’s not ideal but it’s the best way to stay safe from losing money atleast at the moment

Without the protections in place that they teased last year there would be no case for negligence under the code. Being drunk ≠ being negligent. Ignoring your bank telling you you’re being scammed, on the other hand? They’d have a case there. Not enough possibly to completely exonerate themselves from responsibility (it isn’t with other banks), but enough that it burdens the victim with a greater share of that responsibility.

Things get even more stringent with vulnerable customers too, which his ADHD may qualify him as one. Warning’s aren’t sufficient for proving negligence in those cases, but they’ve been effective at protecting him with Halifax. Monzo appear to want to go much further than simple warnings though, which is good.

Either way, it’s a little bit disappointing we’re only seeing these new measures come in when it’s about to hit the profits

Yes the banks have to do better, but there is a point where the social media companies (hi Meta) need to deal with the sheer amount of scams on their platforms. But they aren’t being held to the same level of financial pain the banks are.

Thanks everyone for your comments, I really appreciate you taking the time and thought to share your views. We aren’t where we want to be vs the industry and the investments we’re making in people and tech are all about improving this. So while we’re moving in the right direction to reduce fraud and definitely starting to see results, we know we have more to do.

The PSR data for reimbursement shows we’ve stayed consistent for the volume of scams we’re reimbursing but the value has gone down from 22% to 17% between 2022 and 2023. This is for a few reasons.

Because we’ve been more effectively preventing higher value fraud like investment and impersonation scams, the average value of the APP scams we’re seeing our customers fall victim to has gone down by 10%.

We already see a disproportionate number of purchase scams, and across the industry purchase scams are growing, reaching their highest level since 2020 and accounting for 67% of all APP Fraud reported (vs 80% of our volume at Monzo).

And as I mentioned, we’re typically less likely to reimburse for purchase scams as they’re usually lower value and less complex – 85% of the purchase scams we see are <£100. This makes it harder for us to detect and intervene without applying a significant amount of unnecessary friction to non-fraudulent payments.

As Chris touched on in his post about our work on purchase scams, we find that showing generic warnings too frequently and in the wrong places isn’t effective at preventing fraud and can actually be harmful as people become so desensitised to them.

We’re trying to provide interventions that actually capture people’s attention and are bespoke to the customer and the transaction they’re attempting to make. Through user research we’re working with fraud victims to understand which interventions would be most powerful.

Preventing purchase scams is a work in progress and something we’re prioritising this year now we’ve made headway with the highest value scam types.

Whilst we’re focussed on doing all we can to prevent fraud, I agree with @sachaz the social media platforms where fraud often originates also need to do their part. Our data shows 66% of APP fraud starts online, typically on social media. Which is why we work with cross-industry organisations like Stop Scams UK, as well as policy-makers to stress the need to tackle fraudulent activity which is proliferating online.

As I say we welcome and are preparing for the new regulatory requirements which will help drive consistent outcomes for customers across the industry. Whilst reimbursement is important, it doesn’t solve the problem, victims will still suffer the same unquantifiable impacts to their wellbeing, and criminals still get the money they’ve stolen, which causes further harm to our society.

I don’t want to comment on your brother’s case specifically, but Alan will be in-touch with you through a DM.

Hi Rich, I commend your efforts for improving the fraud prevention and fraud protection for Monzo customers. That being said, I am a victim of fraud that your team failed to protect. I made all efforts on my side: moving my money to Barclays the moment I saw 3 transactions processed one after the other in a matter of seconds, raising a fraud case straight away, alerting your colleagues not to settle the transaction, following up on my fraud case every few hours to make sure that it is prioritised and all necessary information for the investigation is available etc. Your colleagues’ initial resolution was to refund me for all 3 transactions, as the purchases were made and delivered in USA and I live in London, UK and have never even visited USA. This happened in July 2024. Today, 08-Oct-2024, Monzo decided that I need to pay one of the merchants because they refused to accept the loss on their side, as they delivered the goods. I want to get my money back. I cannot accept that an American thief is enjoying the outdoors furniture that g the hey bought with the money they stole from my Monzo account. I also cannot understand how this would be possible in our day and age, when every card processor / bank is asking for 2FA. I never got any request to confirm the transactions. Each of them was above £100 equivalent. Happy to discuss further over DM and put my 20 years experience in banking, payments, IT and AI to good use. I can perhaps help you find better options to protect Monzo customers. Looking forward to your reply.

This isn’t in monzo control, once it’s gone it’s gone, the merchant is entitled to collect the funds even if you cancel the pending authorisation.

The merchant is generally innocent.

If the goods have been delivered, was this to your address?

Delivery data is visible in some situations and if it’s been delivered to your address it cannot be disputed.

Not all, only with the EU I believe (happy to be corrected).

Somewhere, you’ve leaked your own details (buying online or social media, or possibility of skimming machine).

BIN attack? Data breach? Two very common probable causes of situations like this. It’s not necessarily their fault if their details have been leaked in some way.

If there’s an issue with the chargeback - then you should be able to request the evidence / information that we have from the merchant!