Dealing with authorised push payment (APP) fraud in the UAE

What is authorised push payment (APP) fraud?

APP fraud is where victims are induced by a fraudster to make a payment from their own account to an account controlled by the fraudster. This type of fraud is becoming increasingly prevalent and more sophisticated.

The type of potential victims is not limited to private individuals. Businesses of all sizes, and even governments, are frequently among the victims.

A common method of carrying out APP fraud is via compromised company email accounts whereby the fraudster intercepts a legitimate email chain between business-to-business parties and requests that the payer uses the payee’s updated bank account details for an upcoming (legitimate) payment. In this instance, the fraudster communicates via an email address which appears to be a genuine email address of the payee, but with a very minor difference which is undetected by the payer. In one recent case in the context of a construction project, we have seen this method becoming more elaborate in that the fraudster also arranged for a (forged) signed and stamped copy of the notice of changed bank account details to be delivered by an unknown person to the payer’s site office.

Other common examples of APP fraud include a fraudster pretending to be the CEO or high-level management of a company, a bank representative, or an investment advisor, and persuading a victim to transfer funds under an apparently legitimate and usually urgent pretext. Fraudulent websites selling non-existent goods and services are also used.

APP fraud in the UAE

The UAE has long grappled with an array of financial crimes and scams, from investment schemes to gold trading and cryptocurrency scams. APP fraud is simply one of the latest iterations and is perhaps more efficient and more difficult to trace.

Attacks seeking to compromise business email correspondence saw a jump of 29% in the UAE, according to the 2024 State of the Phish report by Proofpoint.

It was reported in 2023 that 86% of the UAE organisations targeted in phishing attacks had fallen prey to at least one of the attempts. Nearly half of these attacks caused direct financial loss, according to the same report. Government agencies are also becoming increasingly targeted by cyber criminals. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government, said in June 2023 at a conference in Tel Aviv that the UAE was thwarting 50,000 cyberattacks a day, from ransomware to cyberterrorism.

What steps should victims take?

While the UAE is not alone in the battle to combat this type of scam, it should not be assumed that the steps to be taken and tools available for seeking recovery are the same as in other jurisdictions. Indeed, there are a number of nuances. Certain protections for consumers and other victims of financial crime which are available in the UK and Europe do not exist in the UAE. At the same time, law enforcement authorities and court procedures can be remarkably efficient and effective, which can be an advantage over other jurisdictions.

If the payer has become a victim of APP fraud, they should take the following steps as soon as possible.

    1. Phone the paying bank to notify it of the fraud and request reversal of the transfer instruction. If possible, contact a specific individual within the bank (e.g. anti-fraud unit, branch manager, or relationship manager).
    2. Phone the receiving bank to notify it of the fraud, request rejection of the transfer and blocking of the receiver’s account.
    3. Immediately send written confirmation of these requests to the paying and receiving banks.
    4. Lodge a criminal complaint. If in the emirate of Dubai, the complaint should be lodged online via the e-crime unit of the Dubai Police. If the receiving bank is outside the UAE, phone the police of that jurisdiction to report the fraud and request to open a criminal file.

Every minute counts in APP fraud cases, as fraudsters will want to put the funds beyond the victim’s reach as quickly as possible.

The intended payee should immediately take steps to verify their IT security to determine whether they have been compromised, and make discreet enquiries about possible internal involvement. Depending on the circumstances, it may be necessary to engage an external forensic IT consultant to determine the source of the compromise. Steps should also be taken to ascertain whether the impersonators have sent fraudulent information to any other clients/customers, and take corrective action accordingly. It may also be necessary for the intended payee to take the lead with any reports to law enforcement – in at least one case we have seen that the police will not investigate the complaint without the intended payee’s involvement, given that (i) they were the party impersonated by the fraudsters; (ii) the police will want to test whether there was internal involvement.

Claims against the bank

Absent any knowledge of actual fraud or red flags, there is no principle of UAE law which would render the paying bank liable for following the customer’s legitimate instructions simply because the customer was induced into issuing the transfer instruction by fraud. Further, most UAE banks have very tight contractual terms which seek to exclude virtually all liability that may arise in relation to executing transfers validly instructed, or from failing to action a customer’s reversal request within any specific period of time or at all.

The DIFC or ADGM courts may have jurisdiction if the paying and/or receiving bank is located there or the terms and conditions for the account refer disputes to those jurisdictions. Under DIFC and ADGM law, the approach to bank liability will essentially reflect English law. Under English law, banks are subject to the ‘Quincecare duty’ which requires that they refrain from executing a payment instruction if and for so long as the bank is “put on inquiry” in the sense that it has reasonable grounds for believing that the instruction is an attempt to defraud the customer. However, as clarified in Philipp v Barclays Bank UK plc [2023] UKSC 25, the Quincecare duty has no application to APP fraud given that it involves a clear and valid instruction from the customer.

The even more recent case of Larsson v Revolut [2024] EWHC 1287 (Ch) has left the door open for a dishonest assistance and/or knowing receipt claim against the paying or receiving bank. However, such an action would require (at least) wilful blindness by the bank in the face of actual doubts, which would be exceedingly rare.

Aside from direct actions against the bank, it is possible to obtain disclosure orders from the DIFC or ADGM Courts in the form of a Norwich Pharmacal Order or a Bankers Trust Order requiring the bank to disclose information which would assist in identifying wrongdoers and/or to enable the claimant to trace and/or preserve funds transferred to another by fraud.

Victims should be mindful that onshore UAE banks take a very strict approach to any disclosure of banking information of customers, even where it is apparent that there has been a fraud. In our experience, obtaining disclosure orders from the onshore banks without an existing claim against the wrongdoer is also unrealistic.

Claims against the fraudsters

The major obstacle is often identifying the fraudsters. In the UAE, it may be more advantageous for the victim to rely on a more prosecutor-led approach. The authorities will almost invariably be able to take action to identify the wrongdoers and freeze accounts more rapidly than pursuing the same via the civil courts. A criminal prosecution also provides for the victim to pursue their civil rights as part of the criminal procedure and obtain access to the prosecution evidence. Having said that, it is prudent to pursue civil remedies urgently in parallel. In the event that the authorities reject the complaint or fail to pursue it with sufficient speed, the victim will need to rely on the civil procedures discussed above.

If the receiving bank account is outside the UAE, steps may need to be taken in that jurisdiction, such as approaching banks or the civil courts to request a freeze of the fraudsters’ account, disclosure orders and/or pursuing a criminal prosecution. However, depending on the jurisdiction, banks may take a very strict approach to releasing any customer information to third parties without a court order.

Dispute with the counterparty

In parallel with efforts to trace and recover funds from the fraudsters, where a payment intended for a genuine counterparty has been directed to a fraudster's account, the question of who is responsible between the payer and the counterparty inevitably arises. Determining who is at fault largely depends on the terms of any contract and whether the payer was on notice of red flags or failed to take proper care when verifying the account details. For example, if contract terms require that certain types of communications (such as updates to bank account details) must be exchanged via a specific document management system, and the payer relies on information received by a different method, this will be highly relevant.

The paying party should not assume that it is responsible to the counterparty merely because the funds were paid to the fraudster's account instead of being actually received by the counterparty. It is vital to seek legal advice on this point, as it affects the appropriate strategy, including as to whether the paying party should be considering re-paying any part of the amount.

When and why instruct lawyers

Ideally, lawyers should be instructed as soon as it is discovered that funds have fallen into the hands of fraudsters, or as soon as possible after the urgent steps of giving notice to the banks and police.

Lawyers may have established contacts within the police to ensure that any complaint is being considered urgently, as well as the appropriate personnel within the bank, which can assist in ensuring that any reversal requests are actioned by the bank without delay. Engaging lawyers quickly will also enable the victim to determine which measures should be taken as a priority, in which jurisdictions, and to ensure that the victim does not compromise its position vis-à-vis the counterparty, in terms of responsibility for the loss of the funds.

Authors: Josh Kemp, Abdulla Al Roken and Arthur Dedels