The UK Authorised Push Payment Fraud reimbursement regimeIntroductionOn 7 October 2024, the Payment Systems Regulator (PSR) and the Bank of England introduced a new mandatory reimbursement framework in relation to payment services providers (PSPs) dealing with customers that are victims of Authorised Push Payment (APP) fraud. In the PSR’s own words, APP fraud happens when a fraudster tricks someone (typically a consumer) into sending a payment to an account outside of their control. The most common categories of scams can be classified as follows:•‘malicious payee’—a typical example of this is when a fraudster tricks someone into purchasing goods which do not exist or are never received; and•‘malicious redirection’—by way of illustration, this type of fraud can happen when a fraudster impersonates a member of staff at a bank to get someone to transfer funds out of their bank account and into that of a fraudsterIn-scope payment firmsThe APP fraud reimbursement requirement applies to the following categories of payment firms:•all payment firms participating in the Faster Payments Scheme (FPS) that provide relevant accounts, and•all payment firms participating in the Clearing House Automated Payment System (CHAPS) that provide relevant accountsThese firms were required to comply with the APP reimbursement rules and inform their customers of their rights under the regime by 7 October 2024. Looking past this initial deadline, PSPs were subsequently required to provide data to Pay.UK which they had collated in relation to APP fraud by 6 January 2025. In addition, the PSR directed in-scope PSPs to amend their terms and conditions (if they have not already done so) to provide that they will reimburse consumers as and when required under the APP FPS reimbursement rules by 9 April 2025.An overview of the key requirements applicable to in-scope payment firms and how the reimbursement framework operates is set out below.Overview of the APP fraud reimbursement requirement for participants in the Faster Payments SystemThe reimbursement requirement aimed to introduce, for the first time, consistent minimum standards to reimburse victims of APP fraud by:•requiring PSPs to reimburse all-in scope customers who fall victim to APP fraud in most cases•involving the sharing of costs for reimbursing victims on a 50:50 ratio between sending and receiving PSPs, and•providing additional protection for vulnerable customersThe PSR has published three legal instruments which give effect to the reimbursement requirement:•a specific requirement (PSR: Specific Requirement 1) imposed on Pay.UK to include the reimbursement requirement in the FPS rules•a specific direction (PSR: Specific Direction 20) given to FPS participants, obliging them to comply with the reimbursement requirement and the reimbursement rules, and•a specific direction (PSR: Specific Direction 19) given to Pay.UK to create and implement an effective compliance monitoring regime for in-scope PSPsWho does the reimbursement requirement apply to?The new requirement for reimbursement for victims of APP fraud applies to all participants in FPS that provide ‘relevant accounts’. For the purposes of the APP fraud reimbursement scheme, ‘relevant accounts’ are those which are provided to service users, are held in the UK and which can send or receive payments using FPS, but exclude accounts provided by credit unions, municipal banks and national savings banks. The Faster Payment Scheme is available 24/7, 365 days per year and it facilitates real-time payments of up to £1m. A range of high street banks, building societies, challenger banks, other fintechs and PSPs have connected safely and securely, either directly or indirectly, to the FPS central infrastructure.The PSR has explained that it is increasing protections within Faster Payments because currently the majority of APP fraud is enacted within FPS.What are the key components of the reimbursement obligation?The following are the three key components of the reimbursement obligation:•Claim excess—sending PSPs may apply a claim excess under the new reimbursement requirement up to a maximum of £100 per claim. The sending PSP can decide whether to apply a full excess (£100), a lower excess or no excess to a reimbursable APP scam claim.•Maximum level of reimbursement—there is a maximum level of reimbursement for APP fraud claims (by value) under the reimbursement requirement which, following extended industry consultation was finally set at £85,000 per claim. The PSR has mentioned that this cap, which is also aligned with the current Financial Services Compensation Scheme (FSCS) deposit limit, will mean that 99.8% of all Faster Payments APP scams by volume, and 90% by value, are fully reimbursed. The PSR has expressed the view that this cap will also mitigate potential prudential risks to PSPs, thereby protecting their customers from any potential long-term adverse impacts. The PSR has separately committed to keep this maximum level of reimbursement under review and consider it as part of its 12-month evaluation of the reimbursement regime•Minimum threshold—there is no separate minimum value threshold for APP fraud victimsAre there any exceptions to the general reimbursement obligation?The new rules will include two exceptions to the general reimbursement obligation where:•the consumer seeking reimbursement has acted fraudulently (known as the ‘first-party fraud’ exception), or•the consumer has, with gross negligence, not met one or more of the four standards set out by the PSR under the ‘consumer standard of caution’The consumer standard of caution exceptionThe consumer standard of caution exception applies where a sending PSP can demonstrate that a consumer who has made an APP claim, has, as a result of gross negligence, not complied with one or more of the standards set out below:•the requirement to have regard to interventions—consumers should have regard to interventions made by their sending PSP or by a competent national authority, such as the police•the prompt reporting requirement—consumers should, upon learning or suspecting that they have fallen victim to an APP scam, report the matter promptly to their sending PSP and, in any event, not more than 13 months after the date on which the last APP scam payment forming part of the claim was executed•the information sharing requirement—consumers should respond to any reasonable or proportionate requests for information made by their sending PSP to help them assess a reimbursement claim•the police reporting requirement—consumers should, after making an APP scam reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf or request they directly report the details of an APP scam to a competent national authorityIt is noted that the definition of ‘consumer’ for the purposes of the APP fraud reimbursement framework has included both micro-enterprises, smaller charities, and individuals, and the PSR is not proposing to consider these groups differently in respect to the application of these rules.Disapplication of the consumer standard of caution for vulnerable consumersThe consumer standard of caution has been disapplied for vulnerable consumers. Where a consumer is classed as ‘vulnerable’, PSPs would not generally be able to rely upon the consumer standard of caution exception to deny a customer’s reimbursement. This would be the case even in circumstances where the customer has, as a result of gross negligence, not complied with one or more of the four standards set out above under the consumer standard of caution exception.The PSR has defined vulnerable consumers by reference to the Financial Conduct Authority’s (FCA) Guidance for firms on the fair treatment of vulnerable customers. In this respect, a vulnerable consumer is considered to be someone who, due to their personal circumstances, is especially susceptible to harm—particularly when a firm is not acting with appropriate levels of care. The PSR’s guidance further notes that PSPs should evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability, whether temporary or enduring, have led them to be defrauded, and therefore assess whether the customer in question does in fact meet the definition of vulnerable customer for the purposes of the APP scam claim.Time limit for reimbursementThe sending PSP must reimburse any reimbursable APP scam payment to the victim within five business days of the victim making an APP claim. However, the sending PSP may exercise a ‘stop the clock’ provision that enables it to pause the five business-day reimbursement timescale.A PSP can stop the clock if it has asked for additional information to assess the claim and is still waiting for a response. PSPs can only stop the clock for one of the following reasons:•to gather information from the victim(s) (or their agent) or the receiving PSP to assess whether a claim is a reimbursable APP scam claim•to verify that a claims management company is submitting a legitimate claim (by way of illustration, validating that the victim has authorised the company to submit a claim)•to gather additional information from a victim to assess their vulnerability•in cases where the sending PSP has evidence of fraud on the part of the person who made the APP scam claim (first-party fraud), to gather additional information from the receiving PSP, law enforcement or other relevant parties, or•for multi-step scams, to gather additional information from the other PSPs involvedWhen a sending PSP exercises the ‘stop the clock’ provision, the five business-day reimbursement timescale is paused at the point where the sending PSP sends its request for information. The five business-days clock resumes as soon as the sending PSP receives a response.A receiving PSP that receives a request from a sending PSP to provide information in relation to a reported APP scam claim must respond in a timely and accurate manner. The sending PSP can stop the clock as many times as necessary. However, it must close the claim before the end of the 35th business day following the reporting of the APP scam claim by the victim (or their agent) to the sending PSP.An APP scam claim may be closed either by reimbursement of the consumer where appropriate, or by rejection of the claim, with an explanation of the reasons. If a claim for reimbursement is denied, customers will still be able to make a claim via the Financial Ombudsman Service (FOS).Allocation of reimbursement between sending and receiving PSPsWhen an APP scam claim is reported to the sending PSP, then according to Pay.UK’s guidance, it must notify the receiving PSP using the Reimbursement Claims Management System (RCMS) within two business hours of the FPS APP scam being reported by the consumer by submitting the following information, in order to maximise the opportunity for repatriating stolen funds:•the sort code and account number to identify the account from which the payment(s) were initiated•the sort code(s) and account number(s), and/or relevant secondary reference data (for example roll numbers) to identify the account(s) to which the payment(s) were initiated, whether or not the sending PSP has confirmed that such account(s) are/is held in the UK with a receiving PSP•the amount(s) of all FPS APP scam payment(s) reported in the FPS APP scam claim•the date and time at which the FPS APP scam claim was reported by the consumer, and•any proportionate or reasonable evidence held by the sending PSP confirming or explaining that the payment was not made to the recipient intended by the consumer or that the payment was received for a purpose other than that intended by the consumerIf requested by the sending PSP, the receiving PSP must pay the sending PSP 50% of the lower of:•the amount the sending Payment Firm has paid to the victim, or•the required reimbursement amount, if differentThe sending PSP may only claim the amount specified above (the ‘specified amount’) from the receiving PSP after the sending PSP has reimbursed the victim. The specified amount would need to be paid by the receiving PSP within five business days following the notification from the sending PSP that the specified amount is payable.If the sending PSP chooses not to apply the maximum claim excess value (up to £100 per claim), then the receiving PSP may deduct 50% of the maximum claim excess amount (ie, £50) from the specified amount.Where a receiving PSP is able to repatriate funds in an APP scam claim and the sending PSP has already reimbursed the victim, the repatriated funds should be apportioned as follows:•50% each to the sending and receiving PSPs, subject to the following maximum amounts:◦to the sending PSP, the required reimbursement amount, minus the specified amount, and◦to the receiving PSP, the specified amount, not including any amount deducted where the sending PSP did not apply the excess, and•any remainder to the victimNotwithstanding the above, the receiving PSP is not liable to pay any amount in relation to:•any voluntary reimbursement falling outside the scope of the APP fraud reimbursement requirement, or•any payment the sending PSP makes to the consumer after it has closed a claim, whether by reimbursement or rejection. This includes any payment made as a result of a court or alternative dispute resolution decision subsequent to the closing of a claimCompliance and monitoring with the FPS APP scams reimbursement requirementPay.UK has introduced a single reimbursement claim management system (RCMS) that PSPs must use to: (i) manage FPS APP scam claims, (ii) communicate with each other, and (iii) report data to Pay.UK. In-scope PSPs were required to register with Pay.UK as users of its RCMS by 20 August 2024.In-scope PSPs must comply with the FPS rule which requires them to use the RCMS. This aims to ensure that both direct and indirect participants in FPS are brought in scope of the FPS RCMS rule. The deadline for compliance with this rule is 1 May 2025.Under the new requirements on information and record-keeping, PSPs must:•assure themselves of the accuracy and quality of the reported data in the manner required by Pay.UK•provide timely responses to appropriately scoped and reasonable requests for data and/or information from Pay.UK, and•comply with the record-keeping obligations and store data and information on secure systemsPay.UK has also introduced contingency arrangements for the reporting requirements when RCMS is unavailable. Different reporting standards apply depending on whether the unavailability of the system lasts for more or less than 30 days respectively.These requirements in relation to information and record-keeping have primarily been included in Specific Directions 19 and 20.Overview of the APP fraud reimbursement requirement for participants to CHAPSWhat is the CHAPS payment system?CHAPS is a sterling same-day system that is used to settle high-value wholesale payments as well as time-critical, lower-value payments like buying or paying a deposit on a property. The CHAPS system is usually open from 6am to 6pm, Monday to Friday (excluding bank or public holidays in England and Wales).There are over 35 direct participants and several thousand financial institutions that make CHAPS payment through one of the direct participants. Direct participants in CHAPS include the traditional UK high-street banks and a number of international and custody banks. Indirect participants may access the system and make their payments through CHAPS via direct participants. This is known as agency or corresponding banking. The Bank of England is the operator of the CHAPS payment system.Extension of the scam reimbursement protections to consumers of CHAPSIn September 2024, the PSR published its policy statement and Specific Direction 21 (SD 21), expanding the APP scam reimbursement requirement to consumers using CHAPS. The CHAPS APP fraud rules and SD 21 were aligned with the PSR’s approach outlined above in the context of the FPS reimbursement framework. Key features of the rules under the CHAPS reimbursement framework include the following:•the CHAPS reimbursement requirement applies to all PSPs participating in CHAPS that provide relevant CHAPS accounts. As per the PSR’s explanation in SD 21, a relevant CHAPS account means an account that is provided to a service user, is held in the UK and can send or receive payments using CHAPS, but excludes accounts provided by credit unions, municipal banks, financial market infrastructures and national savings banks•the policy start date of 7 October was aligned with the date that the FPS reimbursement requirement entered into force in an attempt to reduce the risk of fraud migrating from FPS to CHAPS•the BoE, as the responsible operator of the CHAPs scheme, has decided that the maximum reimbursement limit for participants to the CHAPS scheme will be £85,000 (same as for FPS participants). The Bank will keep this cap under consideration and has committed to review this limit within 12 months•in-scope PSPs are required to report their compliance and monitoring metrics to the Bank of England on a monthly basis and this information may also be shared with the PSR so that the regulator can monitor compliance with SD 21Distinguishing between a reimbursable APP scam and a civil dispute.In September 2024, the PSR issued guidance to support payment firms in determining whether an APP scam claim is more likely to be a civil dispute rather than a reimbursable claim under the APP reimbursement regime. This distinction is particularly important as civil disputes fall outside the scope of the APP fraud reimbursement framework.In its specific direction to in-scope PSPs which sets out the APP reimbursement requirement (Specific Direction 20), the PSR has defined an APP scam as circumstances in which:‘a person uses a fraudulent or dishonest act of course to manipulate, deceive or persuade a consumer into transferring funds from the consumer’s relevant account to a relevant account not controlled by the consumer, where:•the recipient is not who the consumer intended to pay, or•the payment is not for the purpose the consumer intended’The PSR has further clarified that, if the consumer is party to the fraud or dishonesty, then this does not qualify as an APP scam for the purpose of the reimbursement requirement.Generally, in circumstances where there has been, or appears to have been, an intent to defraud, the PSR guidance indicates that these are likely to constitute APP fraud. To assist firms in distinguishing between these types of claims, the PSR has set out five factors which firms should consider in determining whether a claim is an APP fraud claim or a civil claim:•the communication and relationship between the consumer and the alleged fraudster•the trading status of the alleged fraudster (if applicable)•the alleged fraudster’s capability to deliver goods and services related to the claim•the extent to which the payee deceived the consumer as to the purpose of the payment, and•information held by the receiving PSP(s) about the relevant account(s)Intersection with the Payment Services (Amendment) Regulations 2024The Payment Services (Amendment) Regulations 2024 support efforts to tackle APP fraud, where victims are unknowingly tricked into sending significant sums to fraudsters. These Regulations allow PSPs to delay the execution of an outbound payment transaction by up to four business days from the time the payment order is received, and form part of the UK Government’s overarching aim to deliver a sophisticated fraud strategy that tackles incidents of APP fraud effectively.The Payment Services (Amendment) Regulations 2024, SI 2024/1013 came into force on 30 October 2024, allowing payment firms to delay, for the first time, the execution of an outbound payment transaction by up to four business days from the time the payment order is received for one of the following reasons:•there are reasonable grounds to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by someone else (excluding the payer), and•those grounds are established by no later than the end of the next business day following receipt of the payment orderThe delay may only be used where the payer’s PSP requires further time to contact the customer or a third party, such as law enforcement, to establish whether to execute the payment. Moreover, PSPs would be required to inform customers of any delays, the reasons behind their decision, and what information or actions are needed to help the PSP decide on whether to execute the order (unless doing so would be unlawful). It should be noted that PSPs would be liable for any interest or charges resulting from a delay to payments.The legislation applies to authorised push payments executed within the UK in sterling. Importantly, however, small, medium and large businesses are able to opt out of these provisions with the mutual agreement of their PSP.The FCA’s Dear CEO letters to banks, building societies and payments firms setting out its expectations on implementing the APP fraud reimbursement requirementsOn 7 October 2024, (ie on the same day that the APP fraud reimbursement requirements entered into force), the Financial Conduct Authority (FCA) published two letters respectively to: (i) banks and building societies; and (ii) payments and e-money institutions, by setting out its expectations in relation to the newly introduced APP fraud reimbursement framework.In its Dear CEO letters, the FCA set out its expectations in relation to the new measures aimed to combat fraud and discussed the role of the Consumer Duty. The FCA also explained its data-led approach to monitoring progress in the implementation of the reimbursement requirements by the relevant PSPs. The FCA also specifically set out in the Dear CEO letter to payment firms that these firms must review and adjust their business models and transactions to mitigate against a potential prudential impact of any future APP fraud reimbursement liabilities to their regulatory capital requirements and ongoing liquidity.Anti-fraud systems and controlsThe FCA urged PSPs to improve their anti-fraud systems and controls both at the onboarding stage and later through adequate ongoing transaction monitoring mechanisms. Robust anti-fraud systems and controls during the onboarding stage are aimed at preventing customers from falling victims to APP fraud in the first instance, whereas efficient ongoing transaction monitoring systems can assist in the identification of fraudsters and prevent them from receiving payments from victims.Following the publication of a list with examples of what constitutes good practice on how PSPs can mitigate the risks of APP fraud in 2023, the FCA has been working alongside PSPs to ensure the latter prevent harm to their customers. In this respect, the FCA clarified in its letters that it expects PSPs to:•have effective governance arrangements, controls and data to detect, manage and prevent fraud•regularly review their fraud prevention systems and controls to ensure these remain effective, and•maintain appropriate customer due diligence controls both at onboarding and on an ongoing basis to identify and prevent accounts from being used to receive the proceeds of fraud or financial crimeConsumer DutyThe FCA reminded PSPs of their obligation to avoid causing foreseeable harm to consumers, explaining that foreseeable harm would include a consumer becoming victim to a scam due to the PSP’s inadequate systems to detect and prevent scams or the PSP’s failure to effectively monitor scam warning messages presented to customers.Separately, PSPs were reminded of their obligation to act in good faith by taking appropriate action to rectify the situation where they have identified consumer harm being caused as a result of their actions or inactions. Where this is the case, PSPs must be ready to take the appropriate remedial action, including redress, where appropriate.Additionally, in-scope PSPs must ensure that their customers are adequately supported throughout the lifecycle of a product or service, and they are able to submit a complaint, as appropriate. For that reason, the FCA reiterated PSPs’ obligation to inform their customers of the availability of alternative dispute resolution procedures as well as of the ways to access them. This information must be included in the pre-contractual documentation shared with payment service users.Under the Consumer Duty, PSPs are required to act to deliver good outcomes for consumers. With that in mind, the FCA explained that, in certain circumstances, where it might be difficult or not immediately obvious for consumers to understand the level of protection offered by the PSP (eg because this may vary depending on the type of the payment transaction and whether this qualifies as an intra-firm payment which is not covered under the new APP fraud rules or whether it is routed through FPS or CHAPs, hence benefiting from APP fraud reimbursement protection), that it expects PSPs to ensure that their approach in relation to these type of transactions, that do not otherwise benefit from the APP fraud reimbursement protection, is still compliant with their obligations under the Consumer Duty. In particular, PSPs would be required to contact the FCA to provide an explanation of the steps taken to meet their obligation to produce good outcomes for their customers every time they are planning to provide a lower level of protection for certain types of transactions (eg for ‘on us’ or intra-firm payments where both the sending and receiving payment accounts are held within the same firm or group and are therefore executed via an internal channel rather than through an external payment systems such as FPS or CHAPS).The regulators’ data-led approach to monitoring progressThe FCA and the PSR will jointly use data arising from the reimbursement framework to monitor potential conduct breaches and identify inadequate systems and controls to ensure that consumers are equipped with effective protections from APP fraud and that there are no systemic implications for the broader payments ecosystem.The PSR’s Dear CEO letters to tech firms and social media platforms on publishing fraud enabler dataOn 8 November 2024, the PSR published a Dear CEO letter to tech firms, dated 6 November 2024, regarding its plans to publish data on firms that enable APP fraud. The initiative to publish data on the firms that are most commonly reported as enabling contact between fraudsters and victims runs in parallel with the introduction of the fraud reimbursement framework for payments executed via FPS and CHAPS.Who does the term ‘enabler’ apply to?The PSR has defined an ‘enabler’ as an entity that a victim reported as either:•a platform or service through which the fraudster made contact with the victim, or•a website or platform where the victim saw an advertisement or profile that led to the victimBenefits of publishing fraud enabler dataThe PSR considers the main benefits of the data gathering exercise to be the following:•raising consumer awareness: publicly available data can help consumers decide whether to execute certain payments•raising customer vigilance on the run-up to festive periods (eg Christmas) when more consumers are likely to be shopping online•providing valuable insights: the relevant data would enable PSPs to build dedicated risk profiles of transactions based on the actual manner in which their consumers use platforms and services. Platforms would also be encouraged to collaborate more closely with PSPs to share data across industries, better target interventions and build resilience to stop consumers from being caught out, and•highlighting the platforms and services that are most often exploited by fraudsters: firms would be able to see the extent of fraud originating on their platforms and have a reputational incentive to do more to prevent itFraud enabler data standardisationThe PSR noted that in earlier fraud-related data publications, victims could not always identify the service or platform that enabled contact between them and a fraudster. For that reason, the PSR now aims to standardise the way fraud enabler data is collected in the future by:•ranking firms by the number of times they were reported from fraud victims as an enabler, and•publishing rankings of firms by specific sectors or sub-sector such as the most common enabler recording amongst listing or auction sites, the most common among social media platforms, and so onThe PSR has proposed to publish fraud enabler data every year and expects that it will be able to build greater consistency in its data collection from 2026.Beyond the reimbursement policyIn its policy statement on fighting APP scams (December 2023), the PSR also set out the regulator’s ongoing approach to tackling APP scams, beyond the reimbursement policy. This explained, amongst others, that in parallel to the new rules on reimbursement of APP frauds, PSPs will also be able to utilise data and intelligence-sharing tools to facilitate improved risk detection and fraud prevention.The table below has summarised the key tools aimed to facilitate improved risk detection and fraud prevention:1. The balanced scorecard of APP scam dataIn an important step towards ensuring greater transparency and data sharing, in March 2023, the PSR directed the largest 14 UK banking groups to collect and report data on their management of APP scams using three performance metrics:—Metric A: The proportion of APP scam victims left out of pocket—Metric B: APP scam rates for each sending PSP—Metric C: APP scam rates for each receiving PSP (not including any money that has been returned to victims)The data gathered considered APP fraud where the reported victim is a consumer or small business or charity with an annual income of less than £1 million. All cases included in the data were closed in 2022 (ie the directed PSP completed an investigation of the case and made a decision on whether to reimburse the customer) and occurred across Faster Payments in the UK.The PSR described the rates of reimbursement for many firms as being encouraging and presenting a positive cultural shift across the payment sector. However, the regulator also noted that it expects to see the rate of reimbursement increase with the introduction of the reimbursement requirement in 2024.The PSR will continue to collect data from payment firms over the next 12 months and will publish relevant reports annually.2. Confirmation of Payee (CoP)CoP is a name-checking service that aims to prevent certain types of scams and misdirected payments.In October 2022, the PSR directed about 400 PSPs to implement a system to offer the CoP service to their customers. The regulator’s direction required Group 1 PSPs to implement a CoP system by 31 October 2023, increasing CoP coverage from 92% of Faster Payments transactions to 99%. The regulator explained that all Group 1 PSPs complied by their deadline and the regulator is working with delayed parties to ensure they implement the CoP service at the earliest opportunity.The remaining Group 2 firms (including PSPs that use unique sort codes, or are building societies using alternative reference information) were required to comply by 31 October 2024.3. Enhanced Fraud Data (EFD)The PSR tasked the industry with developing a data and intelligence-sharing tool to facilitate improved risk detection and fraud prevention, for example by stopping or delaying high-risk payments.Pay.UK, with the support of UK Finance is now taking forward a project to deliver EFD. Pay.UK has consulted on the first iteration of data standards to support this information sharing and is working towards building an application programming interface (API) solution through which standardised customer data will be sent.The PSR has noted that it is monitoring progress in this respect and considering whether it needs to take further action, including user its statutory powers to require implementation.4. Scam originationThe PSR has committed to continue working with industry to consider how they can collect data showing where APP scams originate. It has noted that publication of this data can raise awareness of the platforms, such as social media and telecoms firms, who are at the highest risk of being targeted by fraudsters.