Problem:
PaySim currently simulates account takeover fraud (3rd party fraudsters compromise accounts, transfer funds, cash out), but doesn't include Authorized Push Payment (APP) fraud patterns, which are now the dominant fraud typology globally.
In APP fraud, victims are socially engineered to authorize legitimate transactions to fraudster-controlled accounts. Unlike account takeover, the transactions appear normal because the victim initiates them willingly (under deception).
Solution:
Add new fraud typology to PaySim simulation:
- Social Engineering Fraudster Agent:
  - Creates fake merchant or impersonates legitimate entity (bank, government, utility company)
  - Targets victims with "urgent" payment requests
  - Uses psychological tactics (authority, urgency, fear)
- APP Fraud Transaction Patterns:
  - Invoice fraud: Fake/altered invoices for services
  - Romance scams: Build relationship, then request money
  - Impersonation: Pretend to be bank calling about "fraud"
  - Investment scams: Fake crypto/stock opportunities
- Victim Behavior Modeling:
  - Victims make multiple smaller payments (trust-building phase)
  - Sudden large payment after trust established
  - Transactions appear legitimate (customer-initiated, correct credentials)
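The victim behaviour pattern above (trust-building small payments, then a sudden large one) as a small synthetic generator plus a detection heuristic. This is an added illustration, not PaySim's own code: it borrows only PaySim's output column names (step, type, amount, nameOrig, nameDest, isFraud; a step is one hour), and the account names, amounts and the escalation ratio are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Txn:
    # Subset of PaySim's output columns
    step: int
    type: str
    amount: float
    nameOrig: str
    nameDest: str
    isFraud: int


def simulate_app_fraud(victim, mule, start_step, rng, n_small=4,
                       small_range=(100.0, 300.0), large=5000.0):
    """APP-fraud sequence: the victim authorises several small TRANSFERs to a
    fraudster-controlled account, then one large one. Every record is
    labelled isFraud=1 even though the victim initiated it (constructed
    example; amounts and step gaps are arbitrary)."""
    txns = []
    step = start_step
    for _ in range(n_small):
        amt = round(rng.uniform(*small_range), 2)
        txns.append(Txn(step, "TRANSFER", amt, victim, mule, 1))
        step += rng.randint(1, 3)  # next payment one to three hours later
    txns.append(Txn(step, "TRANSFER", large, victim, mule, 1))
    return txns


def flag_escalation(txns, ratio=5.0, min_prior=2):
    """Detection heuristic: flag a transfer whose amount exceeds `ratio` times
    the largest earlier transfer on the same origin->destination pair, once at
    least `min_prior` earlier transfers exist on that pair. Credentials are
    correct in APP fraud, so the signal is the payment trajectory, not login."""
    history = {}
    flagged = []
    for t in sorted(txns, key=lambda t: t.step):
        prior = history.setdefault((t.nameOrig, t.nameDest), [])
        if len(prior) >= min_prior and t.amount > ratio * max(prior):
            flagged.append(t)
        prior.append(t.amount)
    return flagged


if __name__ == "__main__":
    seq = simulate_app_fraud("C1001", "C9009", 10, random.Random(7))
    for t in flag_escalation(seq):
        print(t)
```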
Regulatory Drivers:
- UK PSR Reimbursement Rules (Oct 2024): Banks must reimburse APP fraud victims
- FinCEN Advisory (2023): Highlighted social engineering as top threat
- FATF Guidance: Identified APP fraud as emerging ML threat
Real-World Data:
- UK: £485M lost to APP fraud in 2024 (up 12% YoY)
- US: $3.4B lost to investment scams in 2023 (FBI IC3)
- 60% of APP fraud involves crypto investment scams
Implementation Approach: