An update on our work to prevent purchase scams

Hi everyone :wave:

Last year we shared some of the things we’ve been working on to tackle fraud here at Monzo. And we wanted to come back with a bit of an update about how we’ve evolved this work over the past year, how it’s been going and what you can expect next. Today we’ll be focusing on purchase scams.

But first, let me introduce myself.

I’m Chris, I’m a Senior Fraud Analyst. It’s my job to understand the types of Fraud and Scams that Monzo customers are at risk of falling victim to, and work with our product teams to come up with ideas for how to stop them from happening.

An overview of purchase scams

A purchase scam is when someone attempts to buy goods or services from a seller, typically one they met online. A customer will make the payment by bank transfer and expect to get what they paid for.

But the fraudulent seller will take the money and end all communication with the buyer, leaving the customer with no goods and no refund.

Purchase scams primarily start on social media. We recently reviewed a sample of purchase scam claims from this year and found nearly 40% started on Facebook alone, through public posts or on Marketplace.

People were often buying tickets for things like music concerts or sporting events like football matches.

We see fraudsters using a combination of tactics to entice people to pay:

  • The event may have limited tickets available and given the high demand, the fraudster will put pressure on the buyer.
  • They may sell tickets very close to the time of the event, sometimes days before, to encourage customers to buy immediately.
  • The fraudster might lower the price, so it feels like a deal that’s hard to resist.

They’ll always ask for money up-front, before sending the items.

Purchase scams are on the rise, up 34% in 2023 vs the previous year according to UK Finance. And now it’s summer, the festivals, concerts and sports events – from Glasto to the Euros – all offer fraudsters opportunities to run purchase scams.

In fact, they’re by far the most common type of authorised push payment fraud in the UK: 67% of all APP scams reported in 2023 were purchase scams.

What we see at Monzo reflects this, though because the demographic of our customer base are more likely to be on social media and shop online, we actually see a higher concentration.

Preventing purchase scams

Our aim at Monzo is to detect and prevent fraud before it happens. But doing this for purchase fraud comes with some unique challenges.

People are desensitised to warnings

Our user research shows people tend not to trust warnings. Fraudsters know this and abuse it, to push even the most suspicious buyers over the line.

People tend to feel like warnings are ‘generic’ or think ‘this is just what banks do now’. We’ve heard people say ‘it’s like terms and conditions that you scroll past and accept without really paying attention’.

Banks expose customers to so many of these screens, sometimes on transactions which are actually safe, which enhances this problem and erodes trust in the warnings.

We need to repair this trust by showing customers we can accurately detect fraud, and giving them tailored warnings, relevant information and meaningful education to cut through the noise and show people they should take these interventions seriously.

Lower value, one-off transactions that start on social media mean purchase fraud is difficult to detect

We know the majority of these scams start on social media sites we don’t have visibility of. Then compared to other types of scams like fake investment scams, purchase scams are typically lower in value and often involve one or two transactions.

The average purchase scam is for over £200 vs other types of fraud which are for £900-1,300 and involve multiple transactions.

This makes purchase fraud difficult to detect. There’s often nothing obviously unusual or risky about these payments that’d indicate to us we should ‘intervene’. And we don’t want to show you warning screens for every single transaction!

Our approach

At Monzo our primary goal is to prevent fraud before it happens, which means we have to accurately detect fraudulent transactions, then intervene in the right way to stop people going ahead with the payments.

To do this with purchase scams, we’ve really focussed on customer experience, using our quantitative and qualitative insights to inform our designs. We’ve also been running experiments to understand how effective different approaches are.

In every fraud intervention we design, our aim is to protect our customers, without causing unnecessary friction to people making genuine transactions.

We’ve experimented extensively with warning screens

Iteration #1: we tested different messages

The first warning screens we tried were focussed on delivering a message to customers based on the following three ideas:

  • the urgency of the issue – you could be getting scammed right now
  • the idea that their money was being stolen
  • the notion that if they listened to our warnings now, they’d save themselves trouble later

These screens were able to stop 25% of customers from making transactions we deemed risky. But we thought we could do better…

Iteration #2: Education

We then tried a screen that focussed on educating customers about how much fraud happens in the UK. It aimed to give them a sense of how risky the payment they were trying to make was compared to other payments Monzo customers make.

This iteration was able to stop 30% of customers from making transactions we deemed risky.

Iteration #3: Personalised education

We experimented with educational screens that were personalised to the customer’s own spending history. We told customers how risky this payment was compared to the rest of their spending.

Unfortunately these personalised screens weren’t more effective than the generic education ones we tried in iteration #2. Our experiment found they were able to stop about 23% of customers making transactions we deemed risky.

But we’ve found payment blocks most effective at preventing purchase fraud

After warning screens, we wanted to experiment with adding a lot more friction. What if we actually prevented customers from making payments we think are risky?

Iteration #4: Payment block

In this next iteration, we blocked payments that we detected were higher risk for purchase fraud. We’d actually stop the customer from making the payment and provide them with education around scams. Then we’d ask them to get in touch with us if they were confident the payment was safe and they still wanted to make it.

We found that while 1 in 6 customers would still contact us to make the payment, the payment block was 60-70% effective at preventing fraud.

This is the version we’ve actually now implemented in place of the warning screens we tested in the past.

Iteration #5: Payment block and unblock experiment

We’re looking to refine this further, and are currently testing a variation of the payment block that lets the customer unblock their payment themselves, but provides them with some more specific education about the signs of potential fraud in the journey.

The impact so far

With our new approach and design changes, we’ve prevented over £1 million worth of transactions going into the hands of fraudsters.

As the approach we’ve implemented involves blocking payments, we’ve also put a lot of work into improving our detection for purchase scams, so we’re only interrupting payments that are genuinely risky, and not inconveniencing customers otherwise! The current experiment is showing positive early signs, with over 60% fewer interruptions to the payment flow for purchases.

Closing thoughts

Fraud is a constantly changing environment, and defending against it is an ever-evolving process. To stay on top of it and protect our customers, we need to be agile and adaptable as new threats emerge.

We’d really welcome input from the community here on thoughts or ideas for how we can keep developing our work here!

24 Likes

My only ask here is please allow a customer to still unblock the payment without speaking to CS, this feels to me anyway the ‘right’ level of friction.

Fully blocking it and having to speak to Monzo CS to unblock seems very restrictive and a huge hassle for the genuine reasons of buying items off Facebook Marketplace etc. Plus given the inconsistency of Monzo CS, I can’t imagine it’ll end well.

13 Likes

This is great news and I’m glad that Monzo is proactive in its direction. However, unless I’m mistaken it is still not signed up to the Authorised Push Payment (APP) Scam Code/ Contingent Reimbursement Model Code (CRM code), which most other banks are. Is this something on the cards?

Yea, great, because your CS team are so responsive. Most people probably just give up at this point whether the transaction was genuine or not (I know I would - and then pay with a different bank if I was sure it was not a scam) so your figures will be skewed.

Separately though, I HATE that banks have to do bullshit like this to save people from themselves. And also hate that there are so many scammers of course.

4 Likes

Finally, a bank has actually heard customers on this.

Screens look good to me, providing you’re intelligent with showing them to me. The £10 I’m sending to my brother for the 500th time doesn’t need a warning. Yet I always get one.

One thing that seems to be missing here from last time is the temporary escrow method. Not outright blocking it, but holding it for a brief period, for the sender to take some time to think, go through your educational materials, and then make a decision.

Will that still be part of your approach? Out of everything that was shared previously, it was that approach that really stuck out to me as striking the perfect balance in protecting against this kind of fraud. In the many discussions I’ve been a part of over the years on this, the one thing folks always wind up circling back to is simply slowing the process down, not stopping it. Our infrastructure is too fast now. There’s always a sense of urgency, and folks don’t have time to think until after the fact.

7 Likes

I think banks have to do something about it now because the problem is not being dealt with effectively where it is increasingly arising (social media). I reported a whole host of fake stuff on Facebook recently. The reports were all declined. I wish it wasn’t necessary, but we are where we are I think.

So I like this. I like that it adds friction. And I think it’s right to test adding ability to unblock it yourself. If CS are responsive, that’s great, but it’s not always the experience. My only issue with unblocking yourself is that people just do it because they want to pay.

I know from experience with another bank that if a genuine payment gets blocked it’s a slight annoyance, although one I’m quite happy to accept to keep my money safe!! In that situation I had to call in to the bank to speak to their fraud team to tell them it was a genuine payment and why I wanted to make it. So I think it’s important to minimise the interruptions, but I think all of this is a necessary step for sure.

1 Like

Reading through the announcement post for the first time, I processed iteration #2 (generally all Monzo transactions in that period) to be ‘oh, better be careful here’, whereas iteration #3 (a warning based on MY history) processed as ‘I’ll be the judge of that thank you.’

#2 had a bigger shock-value to me for whatever reason.

Anyway, great work. I get the extra friction may cause frustration in most genuine instances but that impact fraud figure saved is eye-watering.

2 Likes

That just uses a pool of money to pay customers back.

Monzo also do this based on the same, if not very similar, guidance in refunding customers.

Where negligence occurs, the other banks don’t refund from the pool of money either.

Monzo just use their own pockets, not everyone else’s.

This is soon going to be mandatory for all banks in October. It’s why Monzo are now taking the problem seriously and investing a lot into these efforts to try to prevent it.

1 Like

If you allow the customer to unblock the transaction and it turns out to be fraudulent, who is liable? Does that change when the new rules come into effect?

1 Like

Probably the customer given the block and the message. Possibly still both if an argument gets made that the bank never should have unblocked it at their request. Particularly where it involves a vulnerable customer.

Liability usually falls somewhere in the middle. It depends how negligent the customer was (the bank has to prove the customer was negligent) and what steps (if any) the bank took to prevent it. The bank’s share of the liability gets split equally between the customer’s bank and the fraudster’s bank.

  • All UK Payment Service Providers will be required to reimburse their customers for APP fraud losses, but there will be a ‘standard of consumer caution’ applied which could see reimbursement claims denied. Under this standard, customers might not be reimbursed if the financial provider can demonstrate the customer hasn’t been careful or cooperative enough – customers need to pay attention to warnings about suspected APP fraud attempts from their bank, they should notify their bank about the fraud in good time, they should share information about the fraud with their bank, and they should consent to fraud details being reported to the police. The PSR says failure to comply with just one of these requirements is not enough for a claim to be denied and that ‘the onus will be on the bank to prove that [the customer] acted with gross negligence.’ The exception does not apply to vulnerable customers. Banks and financial providers also have grounds to refuse a claim under the CRM Code, though they have to consider a wider range of factors before doing so.

1 Like

Good to see :eyes:. Let’s hope customer service can keep up with everyone who’s trying to get a payment confirmed so that they can buy that thing…

1 Like

This is very good to see

Another great set of features, but it also relies incredibly on responsive customer service to work properly. My recent interactions with CS were good, so hopefully improvements have been made.

It would be nice if you could reach out rather than have the user contact you themselves. Do the contact buttons on the block screen take you straight into a chat or to the help menu?

As you noted, people are often buying tickets last minute. In the case that the purchase isn’t a scam, having to wait days in a queue to speak to somebody could mean you don’t get to buy the tickets and miss out.

They could move the customer-shy teams to telephony, and tap a button to call directly from the app to the fraud team to discuss.

I say customer shy, as Monzo is predominantly chat service based, and as they transition to multi channel teams, I know some hated the idea and still hate it to this day in some teams.

Many of the negative reviews online are about lack in methods of contact when trying to speak to someone about payment/account blocks.

Just needs to be managed of how that is possible, just not a number anyone and everyone can call.

Account under review? No option to call, Monzo will reach out via chat.

Stood in a car showroom and need to make a payment for a car but it’s been held? Tap here to connect to a telephony colleague to resolve it.

1 Like

It’s important to emphasise that we only implement this block on payments that we think are risky – and we’re improving the accuracy of our detection so we can be confident most of the transactions we block are actually potential fraud.

We are also planning to roll out a payment block that customers can remove themselves if they’re confident they’re not being scammed.

And we’re working on asking a few more questions about risky transactions so we can get even better at deciding the right messaging and controls to show.

Later in the year, we’ll be rolling out some useful checks that customers can do to make a more informed decision whether they should remove the block or not.

7 Likes

The temporary escrow is something we’re still exploring – and we have other ideas too! Something we really love the idea of is building a way to give customers a short window to claw back payments.

6 Likes

There’s no blanket answer here. Both now and after the regulation changes, we’ll always need to look at the bigger picture with a scam when assessing for reimbursement. The warnings we showed are one factor among many.

2 Likes

So, a couple of initial thoughts.

First off, another tip of the hat to Monzo and the team involved simply for engaging with its customer base (admittedly only a small part of it) and explaining its rationale on something so important.

Secondly, thank you for sharing the headline research results over the effectiveness of your various approaches.

I was surprised that iteration #3 was less effective than iteration #2.

Meaningful education around social engineering is a tough nut to crack and something which, I think, should be given far greater emphasis in young people’s education. I wish you well in your attempts.

It’s re-assuring to be party to the pro-active approaches to protecting customers (and obviously therefore, protecting Monzo’s own resources).

The balance of getting that necessary friction right must be hugely challenging. Whenever a line is drawn, there’s someone the wrong side of it.

I wouldn’t mind betting that for every case that reaches the headlines of the red tops with claims of disinterested and unhelpful banks, there are many others who remain quiet but who are extremely grateful for their bank’s vigilance and intervention.

Good work.

3 Likes