Hacker News
by Nextgrid 1707 days ago
> Maybe all payments take 2 weeks to settle

I'm not sure how that would help with regards to APP fraud. APP fraud is possible because scammers are successfully able to social-engineer people into sending their money away despite the various warnings (including on the payments UI in bank apps, or - in the US where this scam uses gift cards - to not tell the cashier or the bank what you're buying the gift cards for). I would expect the same social-engineering to be able to convince the user to not raise the alarm during the 2 week cooldown period.

I think the problem with APP fraud is a lack of user education (and maybe consequences - users expect the bank to always make them whole and so don't take security seriously) as well as insufficient enforcement on the other side - not enough is being done to prevent scammers from operating (why is it still possible for them to robocall and spoof UK numbers? why is there no AML/KYC equivalent before being able to place calls?) and getting away with it.

2 comments

> I would expect the same social-engineering to be able to convince the user to not raise the alarm during the 2 week cooldown period.

It would be interesting to test this. Having read through a number of APP fraud cases, including victim statements, one persistent theme is that the pressure-cooker environment that scammers create to get victims to send money is very effective at getting them to ignore warning signs. But after they've sent the money, and the immediate pressure is off, they quickly realise they've been scammed.

I strongly suspect that introducing even short delays of a few hours would be very effective. Especially if the victim is immediately made aware that a delay has been introduced. This gives the victim a little time to cool off and realise that they've been scammed, and then hopefully alert the bank.

Haha I wonder if you've read my case. I was scammed out of 100k this year.

The scammer had control of my solicitor's email and timed the attack perfectly so I was absolutely convinced I was sending money to the right place.

Didn't realize until a few days later when the solicitor called me wondering where the money was. The two week thing might have helped us but the scammer would probably just time their attack differently. Although it would increase the time they have to keep the fish on a hook.

Not sure if you managed to get your money back. But if you didn't, go research the contingent reimbursement model (CRM). Pretty much every major bank has signed up to it, and the CRM requires banks to reimburse victims, if the scam is sophisticated and the victim took reasonable steps to avoid the scam.

A basic house deposit payment redirection scam should be covered, assuming you have evidence that the emails were sent from your solicitor's email address.

Yep I did. Thanks.

> I think the problem with APP fraud is a lack of user education (and maybe consequences - users expect the bank to always make them whole and so don't take security seriously) as well as insufficient enforcement on the other side

We know that banks don't want to discourage people from spending money or using their services, but even as a consumer I hate dealing with chargebacks.

My significant other doesn't watch their credit card statement and signed up for some LinkedIn service that was never used for like 6 months. LinkedIn isn't going to refund money that far back and chargebacks won't go back that far, either. I don't think any lesson was learned.

Maybe I'm more sympathetic to merchants and avoid chargebacks? If I don't recognize a charge, I usually assume I don't recognize the merchant and investigate and reach out to them first. I feel like half the time I do have to issue chargebacks the bank invalidates my card (even though I know it was not lost or stolen). I feel like they're penalizing me.