Authorised push payment fraud
from Wikipedia

Push payment fraud (also known as "authorised push payment fraud" or APP fraud) is a form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.[1][2] These authorised frauds can also be related to investment scams, where the victim is tricked into sending money for investments that do not exist, and to romance scams, where the fraudster tricks the victim into thinking they are in a relationship. The opposing type of fraud is known as "pull payment fraud", which occurs when an account holder provides a payee with the relevant bank account details enabling a fraudulent payee to take (or "pull") funds from the payer’s account.[3]

Worldwide


Canada


A subset of push payment fraud is bank investigator fraud. The fraudster poses as an authority or bank investigator and persuades the victim to transfer the funds from their original account (which is claimed to be "compromised") to another account owned by the fraudster (but ostensibly set up for the victim). Banks had refused to reimburse victims for such scams since the victim authorized the movement of funds. The Canadian Anti-Fraud Centre has recorded $11.7 million in victim losses from bank investigator scams in 2025 alone.[4]

United Kingdom


Until 2019 in the United Kingdom, because the victims of these frauds authorised the payments, albeit mistakenly, they were typically not fully reimbursed by their banks.[5] In September 2016, Which? raised a super-complaint regarding push payments and called for changes in legislation to provide better protection for innocent bank customers.[3] The Payment Systems Regulator (PSR) investigated and found within "a short space of time" that the UK banks could work together in a better way to avoid scams and that some banks needed to do more to identify "potentially fraudulent incoming payments". The regulator was also concerned that there was limited information available on the scale and nature of the problem.[6] The PSR initiated a consultation process in November 2017, which was completed in February 2018. In March 2018 a "draft contingent model code" was published.[3]

From May 2019 some victims were able to receive refunds under the Contingent Reimbursement Model Scheme,[7] a voluntary scheme overseen by the PSR which provides protections for customers of signatory firms,[8] subject to a number of exclusions.

New rules were introduced on 7 October 2024 covering claims for reimbursement for amounts up to £85,000.[9]

Ireland


KPMG has reported that the Central Bank of Ireland set out its APP fraud banking expectations in its Consumer Protection Outlook Report 2023. The Central Bank requires financial businesses to operate "effective measures to mitigate the risk of fraud", taking a proactive approach, and helping customers where necessary to recover funds where possible.[10]

from Grokipedia
Authorised push payment (APP) fraud, also known as authorised push payment scams, occurs when a fraudster deceives an individual or business into voluntarily initiating and authorising a real-time transfer to the scammer's account under , such as impersonating a trusted entity like a , , or investment firm. Unlike unauthorised fraud involving account takeovers, APP scams exploit victims' trust through social engineering tactics, including phone calls, emails, or websites that create urgency or promise high returns, leading the victim to push funds via systems like the UK's Faster Payments Service. This form of fraud has surged with the adoption of instant payment infrastructures, enabling rapid fund transfers that are difficult to reverse, and primarily affects consumers in jurisdictions with push-based systems, though it is most prominently documented in the UK where it accounted for losses exceeding £450 million in 2024 across over 200,000 cases. Common variants include purchase scams (e.g., fake goods or services), investment fraud promising unrealistic yields, and personal scams like romance or family emergency cons, with criminals often operating internationally and quickly laundering proceeds via cryptocurrency or mules. The economic impact extends beyond direct losses to erode public confidence in digital banking, impose recovery costs on financial institutions, and strain law enforcement, as tracing cross-border flows proves challenging despite international cooperation efforts. Regulatory responses in the UK, led by the Payment Systems Regulator (PSR), have focused on mandatory reimbursement schemes effective from October 2024, requiring sending and receiving payment service providers to share the cost of reimbursing victims up to £85,000 per incident, excluding cases of gross negligence or first-party fraud by the victim. 
This "world-first" approach aims to incentivize banks to enhance fraud detection, such as through transaction monitoring and customer warnings, while industry initiatives like the Contingent Reimbursement Model have preceded it with voluntary protections. Controversies persist over liability allocation, with critics arguing that shifting burdens to banks may encourage riskier consumer behavior absent personal accountability, though empirical data shows declining loss rates—down 2% from 2023 to 2024—potentially attributable to improved scam awareness campaigns and technological interventions like AI-driven alerts.

Definition and Characteristics

Core Elements and Mechanisms

Authorised push payment (APP) fraud involves a victim being deceived into voluntarily initiating and authorising a real-time from their bank account to an account controlled by the fraudster, typically through social engineering tactics that exploit trust and urgency. The core element is the victim's active consent to the "push" , distinguishing it from unauthorised access or , as the transaction originates directly from the payer's banking interface without intermediary compromise. This authorisation occurs via established rails, such as the UK's Faster Payments Service, where funds move irreversibly once confirmed, often within seconds, amplifying the fraud's efficiency for perpetrators. The mechanism begins with the fraudster establishing contact through channels like phone calls, emails, or messaging apps, impersonating credible entities such as banks, government agencies, or investment firms to build false legitimacy. Victims are then coerced into acting quickly—often under fabricated emergencies like account freezes or urgent refunds—prompting them to log into their online or app and execute the transfer to a or fraudster-controlled account. and psychological pressure, including threats of loss or promises of gain, reduce victim scrutiny, with the appearing legitimate on the bank's end due to the explicit authorisation. Key operational features include the reliance on low-friction payment systems that enable instant settlement without holds, enabling fraudsters to withdraw funds rapidly before detection. Funds may pass through intermediary "" accounts to obscure trails, but the initial push remains victim-driven, placing initial liability on the payer's under standard rules, though schemes have emerged in response. This structure exploits the causal chain of human deception preceding technical execution, where prevention hinges on interrupting the social engineering phase rather than post-authorisation reversal.

Distinctions from Other Fraud Types

Authorised push (APP) fraud is distinguished primarily by the victim's active and initiation of the , typically via real-time bank transfer systems, under deceptive pretenses, rather than through unauthorized access or credential theft. In contrast to unauthorized —such as account takeovers or hacked transactions where criminals gain illicit control of the victim's account —APP fraud involves the victim willingly entering details and confirming the transfer, often believing it to be legitimate, which complicates liability and processes. Unlike card-not-present or , which frequently exploits stolen card details for merchant transactions with built-in mechanisms and issuer protections, APP fraud leverages irreversible push payments through systems like the UK's Faster Payments Service or the US's RTP network, where funds are transferred directly from the victim's account to the scammer's without intermediary processors or easy reversibility. This reliance on social engineering to induce consent, rather than technical breaches or data skimming, sets APP apart from phishing-led credential , as the fraudster does not require ongoing access to the victim's device or account post-authorization. APP fraud also differs from traditional wire or check fraud precursors by exploiting digital immediacy and low-friction interfaces, such as apps, enabling rapid, high-value transfers that evade pre-authorization checks common in slower legacy systems. While all involve , APP's "authorized" nature shifts evidentiary burdens toward proving victim or , often resulting in partial or no absent regulatory mandates, unlike the statutory protections for unauthorized electronic fund transfers under frameworks like the US Electronic Fund Transfer Act.

Historical Context

Pre-Digital Era Precursors

scam, documented as early as the late and proliferating in the , exemplifies an early precursor to authorised push payment fraud, wherein victims were deceived into voluntarily forwarding funds via postal mail in anticipation of a substantial reward. In this scheme, fraudsters posed as intermediaries for a wealthy prisoner allegedly held in , claiming the detainee possessed vast riches—often millions in gold or bonds—but required an upfront payment from the victim to secure release, bribe officials, or cover legal fees. Victims, typically affluent businessmen identified through trade directories, received letters promising shares of the fortune upon remitting small sums, such as travel expenses or bonds, leading to iterative demands for additional "fees" as obstacles arose. By 1898, U.S. authorities recorded numerous instances, including cases where victims lost thousands of dollars in mailed checks or money orders before realizing the ruse. This advance-fee mechanism mirrored modern APP fraud's reliance on social engineering to elicit authorised transfers, predating electronic banking by centuries and relying instead on physical remittances like postal orders or bank drafts. Historical records indicate the scam's spread across and in the 1800s, with variations adapting to local contexts, such as claims tied to or imprisoned aristocrats during political upheavals. U.S. Postal Inspectors in the early documented losses exceeding tens of thousands of dollars annually from such frauds, where victims initiated payments from their own accounts or cash reserves, akin to today's bank-initiated pushes. The scheme's persistence into the fax era of the , particularly from , transitioned these voluntary payment deceptions toward proto-digital formats but retained the core element of victim-authorised disbursements. 
Other pre-digital confidence tricks, such as or swindles via correspondence, similarly induced victims to mail funds for purported "processing fees" or taxes on winnings, with documented cases in the U.S. as early as the involving fraudulent claims of unclaimed estates. These analogs underscore a consistent causal : perpetrators exploited trust to prompt self-initiated transfers, unmediated by account takeovers, much like APP fraud's distinction from unauthorised access crimes. Empirical evidence from postal fraud prosecutions reveals systemic vulnerabilities in voluntary systems, where absence of reversal mechanisms amplified losses, paralleling challenges in pre-regulatory banking eras.

Acceleration with Real-Time Payment Systems

The introduction of real-time payment systems marked a pivotal acceleration in authorised push payment (APP) fraud, as these infrastructures enabled near-instantaneous and irrevocable fund transfers, minimizing opportunities for intervention or reversal. In the , the Faster Payments Service (FPS), launched on 27 May 2008 by the Payments Council (now under Pay.UK), pioneered domestic real-time retail payments, allowing transfers up to £1 million (later adjusted) to settle in seconds, 24/7. This shift from slower batch systems like , which processed s overnight or in days, empowered scammers to exploit victim authorizations before banks could detect anomalies, as real-time rails provide scant window for monitoring or . Globally, similar systems—such as the US's RTP network (2017) and (2023)—have correlated with APP surges, as instant settlement renders pushed payments effectively final, with scammers often withdrawing funds abroad via accounts within minutes. Post-launch, APP fraud rapidly migrated to FPS, comprising 98% of such payments by volume in recent years, as slower alternatives like saw diminished use for fraudulent transfers. Domestic payment fraud transitioned "almost immediately" to FPS, with losses escalating due to its ubiquity and speed; for instance, Finance data indicate APP incidents reached 195,996 cases with £583.2 million in gross losses by 2021, reflecting compounded growth from the system's maturation. This acceleration stemmed causally from reduced friction: pre-FPS, delayed clearing allowed for potential halts, but real-time finality incentivized scammers to prioritize push mechanisms, exploiting social engineering without needing account compromises. Empirical patterns show over 90% of APP losses now tied to real-time channels, underscoring how these systems, while boosting efficiency, amplified vectors absent robust pre-authorization safeguards. 
Regulatory acknowledgments highlight this dynamic; the UK's Payment Systems Regulator (PSR) notes FPS's role in enabling "irreversible" scams, prompting mandatory reimbursements from October 2024 to mitigate harms that batch-era fraud rarely inflicted at scale. Internationally, bodies like the observe that fast payment adoption heightens APP efficacy, with projections estimating losses nearing $15 billion by 2028, driven by analogous real-time infrastructures. Thus, real-time systems catalyzed APP fraud's proliferation by aligning technological speed with scammers' operational needs, transforming episodic deceptions into high-volume, low-reversibility crimes.

Typology of Scams

Impersonation and Authority Scams

Impersonation and authority scams represent a core variant of authorised push payment (APP) fraud, wherein scammers pose as trusted individuals, organizations, or officials to exploit victims' compliance and induce voluntary fund transfers via real-time payment systems. These tactics rely on social engineering to establish false credibility, often through unsolicited phone calls (vishing), emails, or messages that mimic legitimate communications from banks, , or government bodies. Victims are coerced into authorizing payments to purportedly "safe" accounts or to resolve fabricated emergencies, with the scammer providing account details that lead directly to or controlled accounts. In bank impersonation schemes, fraudsters contact victims claiming to represent their , alleging account compromise or suspicious activity, and direct them to transfer funds immediately to a "protected" holding account under the bank's control—effectively routing money to the perpetrator. -based variants escalate urgency by mimicking officials from entities like the police or (HMRC); for instance, scammers may assert that the victim's funds are linked to criminal investigations, requiring transfers to "seize" or safeguard assets, or demand payments for alleged unpaid taxes under threat of . Such scams prey on to , with perpetrators using spoofed caller IDs, official-sounding scripts, and fabricated to bypass . These scams differ from unauthorized fraud by securing the victim's explicit consent, often reinforced through repeated confirmations or secondary verifications that the scammer controls. In the UK, where APP fraud is prevalent due to systems like Faster Payments, impersonation tactics contributed to losses exceeding £148 million in 2023 across forms including police, bank staff, and government impersonations. 
Official data from UK Finance indicates that while purchase and investment scams dominate volume, impersonation-driven cases persist due to their adaptability, with scammers leveraging publicly available personal data to personalize approaches and heighten plausibility. Mitigation challenges arise from the remote nature of initiations, predominantly via telecommunications or online channels, underscoring the need for cross-sector verification protocols beyond victim education.

Investment and Romance Scams

Investment scams in authorised push payment (APP) fraud entail fraudsters deceiving victims into authorizing transfers to bogus vehicles, such as fictitious cryptocurrency schemes or stock trading platforms, under promises of exceptional returns. These operations exploit victims' financial aspirations through initial contacts via advertisements, unsolicited messages, or fabricated online seminars, gradually building urgency to "invest" via push payments on real-time systems like the UK's Faster Payments Service. The scammers often use fabricated testimonials, dashboards showing illusory profits, and pressure tactics to prompt multiple, escalating transfers, with funds routed to accounts or overseas entities for rapid dissipation. In the UK, investment scams drove the overall rise in APP losses, contributing to £257.5 million in total APP fraud for the first half of 2025—a 12% increase from the prior year—despite a decline in case volume, due to their high per-victim value averaging £15,098. Globally, the U.S. Federal Bureau of Investigation reported $4.57 billion in investment scam losses for 2023, many involving authorized electronic transfers akin to APP mechanisms, marking a 38% year-over-year surge. These scams disproportionately affect middle-aged and older demographics seeking retirement security, with fraudsters leveraging algorithmic targeting on platforms to identify vulnerable profiles. Romance scams, another prevalent APP variant, involve perpetrators cultivating fabricated online relationships—typically via apps or social networks—to extract funds through authorized payments framed as emergencies, gifts, or shared "opportunities." Victims, often isolated individuals, are groomed over weeks or months with affectionate communication, shared fabricated life stories, and escalating requests, such as covering medical bills or travel costs, leading to direct bank transfers. 
These frequently overlap with elements, where "partners" urge victims to co-invest in high-yield schemes, transitioning emotional manipulation into financial exploitation. UK data from the first half of 2025 showed losses rising 35%, amid a broader APP uptick, while reported a 20% increase in cases for the first quarter alone, with average victim losses climbing to £8,000 in 2024 from £5,800 the previous year. In the U.S., inflicted $1.14 billion in losses in 2023, per the , with median per-victim amounts at $2,000, though and global patterns indicate higher aggregates due to repeated extractions. Perpetrators, frequently operating from regions like or , exploit platform algorithms and anonymized communications, evading detection until significant sums are transferred.

Empirical Impacts

Global and Regional Statistics

Authorised push payment (APP) fraud losses have escalated with the adoption of infrastructures, though comprehensive global aggregation remains challenging due to varying definitions and underreporting across jurisdictions. Estimates indicate billions in annual losses worldwide, with imposter and scams as primary vectors. In 2023, global scam pages mimicking financial institutions proliferated at over 2,000 launches per month, facilitating APP schemes. Projections suggest APP fraud will contribute substantially to payment 's of 11% from 2022 to 2027. In the , where Faster Payments enable rapid transfers, APP fraud accounted for £450.7 million in losses in 2024, down slightly from prior years but still comprising a dominant share of personal fraud. The figure includes £365.7 million from purchase, , and romance scams. For the first half of 2025, losses rose 12% year-over-year to approximately £258 million, with 226,306 cases reported—a 4% increase in volume despite reimbursement mandates. United States data highlights APP's scale in a fragmented reporting environment, with imposter scams alone causing an estimated $2.5 billion in losses in 2024, up sharply from prior years. Investment scams, frequently executed via authorised pushes, totaled $4.57 billion in victim-reported losses in 2023, a 38% increase from 2022. fraud incident values peaked at $500 in 2023, reflecting higher-value APP targets. Losses are forecasted to exceed $3 billion annually by 2028 without enhanced safeguards. In , APP losses surged at a 39% from 2018 to 2023, embedded within broader reports of $2.03 billion in 2024. Projections estimate $1.76 billion in APP-specific losses by 2028, driven by online-solicited transfers accounting for nearly half of values. European Union and European Economic Area figures show APP comprising 57% of €1.13 billion in fraudulent transfers during the first half of 2023, equating to roughly €644 million. 
Card-not-present and social engineering-driven APP variants dominate, with relative fraud rates at 0.031% of value in recent analyses.
Region | Key Statistic (Recent Period) | Source Notes
 | £450.7M losses (2024 full year) | UK Finance via ; includes major scam types.
 | $2.5B imposter APP losses (2024); $4.57B investment scams (2023) | Deloitte estimate; FBI IC3 data.
 | Projected $1.76B by 2028; 39% CAGR (2018-2023) | Cybersecurity projections; within $2.03B total scams (2024).
EU/EEA | €644M APP (H1 2023, 57% of €1.13B fraud) | LSEG data on transfers.

Causal Effects on Victims and Economies

Authorised push (APP) fraud directly results in substantial financial losses for victims, with the average loss per incident in the UK often exceeding several thousand pounds, depleting personal savings, retirement funds, or liquid assets essential for daily living and future security. These losses compel many victims to incur , sell assets, or rely on family support, exacerbating household financial instability and potentially leading to long-term credit damage or in severe cases. Beyond immediate monetary harm, APP fraud inflicts profound psychological and emotional tolls, including heightened anxiety, depression, shame, and , as victims grapple with self-blame for being deceived despite authorizing the payments themselves. Approximately one-third of victims report deteriorated , with effects persisting for months or years, often isolating individuals from social networks and straining personal relationships due to eroded trust and interpersonal conflicts. Physical health consequences, such as stress-induced conditions like or , further compound these issues, sometimes necessitating medical intervention and associated costs. On a macroeconomic scale, APP fraud drains resources from productive economies, with losses totaling £450.7 million in 2024, representing a net transfer of funds—often to overseas criminals—that reduces domestic consumption, investment, and liquidity without generating equivalent economic value. This direct extraction contributes to broader inefficiencies, as victims curtail spending and businesses face heightened caution, evidenced by small and medium enterprises reporting £6.15 billion in foregone transactions due to fraud-related hesitancy in the 2024-2025 financial year. In the , analogous imposter-driven APP losses reached an estimated $2.5 billion in 2024, amplifying systemic drags on growth through diminished consumer confidence and increased financial sector compliance expenditures. 
Collectively, these effects erode trust in payment systems, prompting reduced participation in digital transactions and perpetuating a cycle of lower economic velocity and higher for verification and recovery efforts.

Institutional and Regulatory Responses

Technological and Procedural Safeguards

Technological safeguards against authorised push payment (APP) fraud primarily involve systems designed to verify transaction details and detect anomalies in real time. Confirmation of Payee (CoP), a service operated by Pay.UK in the , requires payers to confirm that the recipient's name matches the account holder before processing certain payments, aiming to reduce misdirected funds and some APP incidents. Rolled out progressively since 2019, CoP coverage expanded to include payments in 2023 and reached over 400 firms by October 2024, with further extensions to hundreds more participants to broaden its application across payment chains. However, empirical evidence indicates CoP's limitations in fully mitigating APP fraud, as perpetrators frequently exploit name-matching tactics or partial matches, rendering it more effective against errors than sophisticated social engineering scams. Artificial intelligence (AI) and (ML) models enhance detection by analyzing behavioral patterns, transaction velocities, and contextual signals to flag potential APP risks before authorization. A Pay.UK pilot in 2024 tested an AI-driven solution that detected 56% of APP scams in faster payments, demonstrating predictive capabilities through aggregated industry data. Similarly, Mastercard's platform, deployed since 2023, leverages AI to assess scam probabilities in real-time payment requests, intervening prior to fund transfers by prompting additional user scrutiny. Visa Direct employs layered approaches including pre-transaction checks, behavioral signals, account validation, and network-level intelligence via Visa A2A Protect for real-time scam detection. Both Mastercard Move and Visa Direct face similar APP fraud risks in real-time push payments, with Mastercard Move utilizing risk mitigation, fraud analytics, and AI-based Consumer Fraud Risk tools; no reliable sources show significant differences in fraud risk levels between the two. 
These tools integrate with existing infrastructures to process vast datasets, including device fingerprints and geolocation, though their efficacy depends on continuous model retraining to counter evolving fraud tactics like deepfakes. Procedural safeguards complement technology through standardized internal protocols and inter-institutional coordination to impose friction on high-risk transfers. Under guidance from the UK's (FCA), payment service providers (PSPs) must implement risk-based measures, such as mandatory warnings, transaction holds, or secondary authentications for flagged payments, without unduly disrupting legitimate flows. The Payment Systems Regulator (PSR) mandates PSPs to maintain robust scam prevention processes, including intelligence-sharing via hubs like the Financial Crime Information Sharing Platform, which facilitates collective monitoring of mule accounts and scam patterns. These procedures, enforced since the PSR's 2024 reimbursement regime, require PSPs to assess gross negligence thresholds and document intervention attempts, fostering accountability while empirical data from 2024 shows persistent APP losses exceeding £213 million in the UK alone during the first half of the year.
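The layering described above, as an added example that is not part of the original page and is not the logic of Pay.UK, Mastercard, Visa or any bank: a pre-payment screen that combines a Confirmation of Payee style name check with behavioural signals, showing that an exact name match alone does not clear a payment. The function names, account identifiers, thresholds and the `difflib` similarity measure are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher
import re

# Every threshold below is an assumption for illustration, not a scheme value.
CLOSE_MATCH_RATIO = 0.80               # similarity treated as a "close match"
VELOCITY_WINDOW = timedelta(hours=1)   # look-back window for rapid transfers
VELOCITY_LIMIT = 3                     # transfers to new accounts in the window
ATYPICAL_MULTIPLE = 2                  # multiple of the largest previous payment
IGNORED_TOKENS = {"mr", "mrs", "ms", "dr", "ltd", "limited"}


@dataclass(frozen=True)
class Payment:
    when: datetime
    payee_account: str   # constructed identifiers, not real account numbers
    payee_name: str      # name the payer typed
    amount: float


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and titles, and ignore word order."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in IGNORED_TOKENS))


def cop_check(entered: str, registered: str) -> str:
    """Return 'match', 'close_match' or 'no_match' for the payee name."""
    a, b = normalise(entered), normalise(registered)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_RATIO:
        return "close_match"
    return "no_match"


def screen(payment: Payment, registered_name: str, history: list) -> tuple:
    """Return (decision, reasons); decision is 'allow', 'warn' or 'hold'."""
    reasons = []
    cop = cop_check(payment.payee_name, registered_name)
    if cop != "match":
        reasons.append("cop_" + cop)

    # First time each payee account appears in this customer's history.
    first_seen = {}
    for p in sorted(history, key=lambda p: p.when):
        first_seen.setdefault(p.payee_account, p.when)
    new_payee = payment.payee_account not in first_seen
    if new_payee:
        reasons.append("new_payee")

    # Several transfers to accounts first paid inside the window.
    cutoff = payment.when - VELOCITY_WINDOW
    recent_new = sum(1 for p in history
                     if p.when >= cutoff and first_seen[p.payee_account] >= cutoff)
    if recent_new + (1 if new_payee else 0) >= VELOCITY_LIMIT:
        reasons.append("rapid_transfers_to_new_accounts")

    if history and payment.amount > ATYPICAL_MULTIPLE * max(p.amount for p in history):
        reasons.append("atypical_amount")

    # A name match removes one reason; it never overrides the other signals.
    hold = ("rapid_transfers_to_new_accounts" in reasons
            or (new_payee and ("cop_no_match" in reasons
                               or "atypical_amount" in reasons)))
    return ("hold" if hold else "warn" if reasons else "allow"), reasons


# Constructed sample data: one customer's ordinary payment history.
NOW = datetime(2025, 1, 10, 14, 0)
BASE = [
    Payment(NOW - timedelta(days=40), "ACC-LANDLORD", "A Landlord", 950.0),
    Payment(NOW - timedelta(days=33), "ACC-UTIL", "Example Energy Ltd", 60.0),
    Payment(NOW - timedelta(days=10), "ACC-LANDLORD", "A Landlord", 950.0),
    Payment(NOW - timedelta(days=3), "ACC-UTIL", "Example Energy Ltd", 80.0),
]
RAPID = BASE + [
    Payment(NOW - timedelta(minutes=30), "ACC-NEW-2", "K Example", 100.0),
    Payment(NOW - timedelta(minutes=10), "ACC-NEW-3", "K Example", 100.0),
]

if __name__ == "__main__":
    cases = [
        ("regular bill", Payment(NOW, "ACC-UTIL", "Example Energy Ltd", 70.0),
         "Example Energy Limited", BASE),
        ("typo, new payee", Payment(NOW, "ACC-NEW-5", "Jon Smith", 40.0),
         "John Smith", BASE),
        ("'safe account', name matches", Payment(NOW, "ACC-NEW-1", "J Example", 9000.0),
         "J Example", BASE),
        ("third new account in an hour", Payment(NOW, "ACC-NEW-4", "K Example", 100.0),
         "K Example", RAPID),
    ]
    for label, pay, registered, hist in cases:
        print(label, "->", screen(pay, registered, hist))
```

The third case is the one the paragraph warns about: the payer enters exactly the name the fraudster supplied, the name check passes, and only the new-payee and amount signals stop the transfer.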

Mandatory Reimbursement Regimes

In the United Kingdom, the Payment Systems Regulator (PSR) established a mandatory reimbursement requirement for authorised push payment (APP) fraud effective 7 October 2024, applying to Faster Payments and CHAPS transactions. This regime obliges sending payment service providers (PSPs) to reimburse eligible victims—individuals, microenterprises, and charities—for losses up to £85,000 per claim, a cap designed to cover 99.8% of incidents by volume and 90% by value. Reimbursement must occur within five business days of a confirmed claim, with receiving PSPs required to contribute 50% of the amount to the sending PSP, promoting shared responsibility across the payment chain. Sending PSPs may impose an excess fee of up to £100 on consumers found grossly negligent, but full denial applies only in cases of gross negligence by the victim, such as deliberately ignoring warnings. The 's framework excludes claims exceeding £85,000, international transfers, or involving non- accounts, focusing solely on domestic -initiated payments to mitigate administrative burdens. Early implementation data from October 2024 to December 2024 indicated that 86% of eligible claims were reimbursed within the initial three months, though PSPs reported challenges in assessing and coordinating with receiving institutions. By May 2025, the PSR issued a consolidated policy statement affirming the regime's structure while addressing compliance gaps, such as delays in inter-PSP reimbursements. In the , the Payment Services Regulation (PSR), building on PSD3 proposals, mandates full for impersonation fraud victims from their PSP under Article 59, with broader APP fraud protections requiring compensation unless the payment service user acted fraudulently or with . These rules, effective following the regulation's adoption in , emphasize PSP liability for failing , though implementation varies by member state and lacks the UK's fixed caps or shared model. 
similarly enforces mandatory for APP victims, prioritizing full recovery absent victim culpability, as part of its regional push against real-time scams. Australia's Scams Prevention Framework, under legislative proposals in 2024, contemplates mandatory APP fraud reimbursements but has not yet imposed them, relying instead on voluntary codes and entity-specific obligations. In contrast, the lacks federal mandates, with reimbursements handled via voluntary bank policies or state consumer protections, highlighting divergent approaches to balancing victim relief against incentives for vigilance. These regimes aim to deter by shifting costs to PSPs, yet critics argue they may reduce incentives for victims to exercise caution without robust negligence thresholds.

Liability and Accountability Debates

Victim Negligence and Personal Responsibility

In authorised push payment (APP) fraud, victims initiate and authorise transfers to scammers' accounts, distinguishing it from unauthorised access and placing initial causal responsibility on the individual's decision-making process. Empirical analyses indicate that victims frequently overlook verifiable red flags, such as unverified payee details or urgent demands inconsistent with standard transactions, contributing directly to losses. For instance, common errors include failing to utilise Confirmation of Payee services, which match account names and numbers, and proceeding without independent verification of the recipient's legitimacy despite accessible tools. Regulatory frameworks acknowledge this by incorporating victim accountability thresholds. In the UK, the Payment Systems Regulator's (PSR) mandatory reimbursement regime, effective 7 October 2024, requires payment service providers to refund up to £85,000 per claim for most APP incidents, but explicitly excludes cases of victim complicity or . is defined as a high threshold involving significant carelessness exceeding the minimum standard of caution, such as deliberately ignoring targeted warnings from the sending provider or repeatedly bypassing security prompts without justification; it does not apply to vulnerable individuals and requires case-specific evidence rather than presuming fault for single lapses. Prior to mandatory rules, voluntary codes and ombudsman decisions emphasised shared liability, with the Financial Ombudsman Service rejecting automatic victim blame and instead scrutinising banks' investigations for procedural failures while upholding victim due diligence obligations. Data from UK Finance's 2023 report, covering nearly 175,000 APP cases, highlight that pre-reimbursement prevention relied heavily on individual vigilance, as institutional safeguards alone proved insufficient against social engineering tactics exploiting haste or trust. 
In jurisdictions like the US, authorised payments generally absolve financial institutions of liability, reinforcing that victims bear primary responsibility for authorising unverified transfers unless proven institutional negligence intervenes. Critics argue that emphasising victim negligence deflects from systemic vulnerabilities, yet first-principles assessment reveals that scammers succeed through exploiting predictable cognitive biases—such as reciprocity or authority deference—rather than inevitable institutional flaws, underscoring the need for personal safeguards like pausing transactions and consulting independent sources. Post-2024 data show 97% of claims resolved within 35 days with high rates, but sustained reductions in APP incidents (down in volume per 2025 preliminary figures) correlate with heightened consumer awareness campaigns promoting over reliance on post-fraud refunds.

Bank and Systemic Failures

Banks have demonstrated inconsistent capabilities in detecting and intervening in APP fraud transactions, with the Payment Systems Regulator (PSR) reporting significant disparities in performance across the 14 largest banking groups in 2023, where fraud losses per £1 million of outbound payments varied widely, indicating lapses in real-time monitoring and protocols. Prior to the mandatory reimbursement requirement effective October 7, 2024, many banks resisted reimbursing victims, attributing losses to customer under Payment Services Regulations, which prompted over 1,000 court claims by 2023 and exposed deficiencies in proactive safeguards like transaction holds for high-velocity or atypical payments. Litigation has highlighted specific bank shortcomings, such as in the 2025 case Philipp v Bank UK PLC, where the victim lost £700,000 in 2018 to scammers impersonating solicitors, yet the court affirmed no general on banks to recover misdirected funds or override authorizations, underscoring banks' historical reliance on customer instructions without sufficient overrides based on internal signals. Similarly, in CCP Graduate School Ltd v National Westminster Bank plc, the in 2025 rejected claims of a " of retrieval," but the case revealed banks' failures to act on patterns like multiple rapid transfers to new accounts, which could have triggered interventions under existing anti- policies. Systemically, the 's Faster Payments Service (FPS), operational since 2008, prioritizes speed—settling transfers in seconds—over reversible safeguards, creating a causal where fraudsters exploit the brief detection window, leading to irreversible losses in 98% of cases as funds disperse across accounts before alerts propagate. 
This design flaw, compounded by fragmented intelligence sharing among payment service providers (PSPs), has allowed APP fraud to escalate, with data showing £459.7 million in losses in 2023 alone, representing 62% of total losses, despite voluntary codes like the 2019 Contingent Reimbursement Model (CRM) that failed to curb a 12% rise in cases from 2020 to 2023. Delayed mandatory adoption of Confirmation of Payee (CoP), which matches payee details to reduce impersonation, until 2023 further perpetuated systemic gaps, as partial voluntary rollout left in cross-bank transfers. These failures reflect a broader institutional , where banks' incentives aligned more with than deterrence, as evidenced by PSR analyses showing low intervention rates on outbound payments—often under 1% for suspicious APP patterns—prioritizing customer convenience and revenue from transaction volumes over causal risk mitigation through holds or enhanced authentication. The introduction of shared liability under the 2024 PSR rules, splitting reimbursements 50:50 between sending and receiving PSPs up to £85,000, acknowledges these shortcomings but highlights prior over-reliance on victim accountability, with empirical data indicating that without such mandates, prevention investments remained suboptimal.

Prevention Strategies and Future Outlook

Individual and Educational Measures

Individuals can mitigate the risk of authorised push payment (APP) fraud by adopting vigilant verification practices before authorizing any transfer. Essential steps include pausing to reflect on unexpected payment requests, independently verifying the recipient's details through official channels rather than responding to provided contact information, and using tools like Confirmation of Payee (CoP) services, which have facilitated over 2 billion account name checks in the UK as of 2024 to flag mismatches. Additionally, enabling multi-factor authentication (MFA) on banking apps and never sharing one-time passcodes (OTPs) or full account details unless identity is confirmed reduces unauthorized access risks. Contacting banks via verified numbers, such as the UK-wide 159 line for suspicious calls, allows direct confirmation without relying on caller-provided instructions. Key personal safeguards encompass:
  • Refraining from rushed decisions on high-value or unusual transfers, instead consulting trusted advisors or helplines like .
  • Avoiding disclosure of personal or financial information to unverified parties, including shredding documents containing sensitive data.
  • Regularly monitoring accounts for anomalies and reporting suspicions immediately to banks and authorities like Action Fraud within 13 months for potential reimbursement eligibility.
Educational initiatives aim to foster scam recognition through public awareness campaigns, though on their impact remains mixed. The 's to Stop Fraud campaign, launched by UK Finance, promotes a "Stop, Challenge, Protect" —encouraging individuals to halt actions, question legitimacy, and seek independent verification—which has boosted confidence, with 87% of those over 65 reporting ability to spot signs in 2023 surveys. However, research on similar mass-messaging efforts, including those for digital payment s, indicates limited reduction in actual incidents, as behavioral changes often fail to counter sophisticated social engineering. Targeted , such as simulated "friendly scamming" exercises, shows promise for improving identification skills over generic tips, but widespread adoption lags. Regulators like the emphasize ongoing consumer education alongside these, prioritizing skepticism toward urgency-driven requests common in APP scams like impersonation or romance .

Policy Recommendations for Causal Deterrence

To causally deter authorised push payment (APP) fraud, policies must target the incentives and operational enablers for fraudsters, such as low detection rates, rapid fund dissipation, and cross-border anonymity, rather than solely reimbursing victims after the fact. Empirical evidence from regulatory interventions indicates that enabling payment service providers (PSPs) to intervene pre-execution disrupts the causal chain, with delays allowing for verification and freezing of suspicious transactions. For instance, the Financial Conduct Authority's (FCA) policy permits PSPs to delay outbound payments for up to four business days on of , based on indicators like new payees, mismatched names via Confirmation of Payee systems, or patterns of rapid onward transfers by recipients. This measure increases the risk of interception for fraudsters, who rely on instant Faster Payments to evade recovery, as demonstrated by reduced execution times in scams where funds are moved within minutes. Mandatory information sharing among PSPs represents another causal lever, facilitating real-time intelligence on mule accounts and fraud patterns without breaching data protection rules. FCA guidance encourages payer and payee PSPs to exchange details on suspicious activities, such as unusual velocity of incoming funds, enabling collective disruption of fraud networks. Consortium analytics models, aggregating anonymized data across institutions, have shown efficacy in identifying international APP rings by flagging cross-border flows, with trials demonstrating improved detection of synthetic identities used by fraudsters. Complementing this, enhanced identity verification mandates—including biometrics and stepped-up checks for high-risk transfers—raise the operational costs for fraudsters creating mule accounts, as evidenced by lower synthetic identity success rates in systems with robust know-your-customer protocols.
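The hold indicators named above (new payee, Confirmation of Payee mismatch, rapid onward transfers by the recipient, unusual velocity of incoming funds) combined into one pre-execution decision, as an added example that is not part of the original article and not any regulator's or bank's actual rule set. The thresholds, the hold/warn policy, the `cop_result` labels, and the sample ledger are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "ts src dst amount")

# Assumed thresholds, for illustration only; a PSP would tune these on its own data.
WINDOW = timedelta(hours=1)   # look-back on the receiving account
MIN_PAYERS = 3                # distinct payers in WINDOW = unusual inbound velocity
ONWARD_RATIO = 0.8            # share of inbound value forwarded on within WINDOW

def mule_signals(account, ledger, now):
    """Receiving-side indicators from (shared) transaction history before `now`."""
    recent = [t for t in ledger if now - WINDOW <= t.ts < now]
    inbound = [t for t in recent if t.dst == account]
    signals = set()
    if len({t.src for t in inbound}) >= MIN_PAYERS:
        signals.add("inbound_velocity")
    total_in = sum(t.amount for t in inbound)
    first_credit = min((t.ts for t in inbound), default=now)
    # Count only money that left the account after its first credit arrived.
    forwarded = sum(t.amount for t in recent
                    if t.src == account and t.ts >= first_credit)
    if total_in > 0 and forwarded / total_in >= ONWARD_RATIO:
        signals.add("rapid_onward_transfer")
    return signals

def assess_payment(payment, known_payees, cop_result, ledger):
    """Return (decision, reasons); cop_result is 'match', 'close_match' or 'no_match'."""
    reasons = set()
    if payment.dst not in known_payees.get(payment.src, set()):
        reasons.add("new_payee")
    if cop_result != "match":
        reasons.add("cop_" + cop_result)
    mule = mule_signals(payment.dst, ledger, payment.ts)
    reasons |= mule
    # Assumed policy: any recipient-side signal, or two sender-side ones, holds the payment.
    if mule or len(reasons) >= 2:
        return "hold", sorted(reasons)
    return ("warn" if reasons else "release"), sorted(reasons)

# Constructed sample data: account M1 collects from three payers and forwards 90%.
T0 = datetime(2025, 1, 6, 10, 0)
LEDGER = [Txn(T0 + timedelta(minutes=m), s, d, a) for m, s, d, a in [
    (0, "A1", "M1", 900.0), (5, "A2", "M1", 1100.0), (9, "A3", "M1", 1000.0),
    (12, "M1", "X9", 2700.0), (3, "A1", "S1", 50.0)]]
KNOWN = {"V1": {"S1"}}  # V1 has paid S1 before
```

The recipient-side signals depend on history the sending PSP does not hold on its own, which is why the information-sharing measures discussed above matter to this kind of check.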
On the international front, policies promoting cross-border collaboration address the extraterritorial nature of many APP operations, where fraudsters in jurisdictions like Nigeria or India target UK victims. SWIFT's 2025 AI-driven trials with 13 banks achieved doubled real-time fraud detection across 10 million test transactions through privacy-enhanced data sharing, underscoring the value of standardized protocols for global payment rails. Europol's emphasis on joint operations against payment system fraud, including APP variants, has led to disruptions in card-not-present schemes with similar mechanics, though APP-specific yields remain limited by jurisdictional barriers. To amplify deterrence, regulators should incentivize PSPs via liability adjustments tied to prevention efficacy, such as reduced reimbursement burdens for firms demonstrating low fraud incidence through audited controls, thereby aligning private incentives with systemic risk reduction.
  • Delay and verification protocols: Expand FCA-style payment holds to all real-time systems, calibrated to fraud probability assessments using on transaction metadata.
  • Data consortia mandates: Require PSP participation in shared intelligence platforms, with penalties for non-compliance to ensure comprehensive coverage.
  • Fraudster targeting: Legislate faster for receiving accounts and harsher penalties for facilitators, building on provisions but with dedicated APP task forces.
  • Global standards: Advocate for G20-level harmonization of CoP and verification, reducing safe havens for laundered proceeds.
These interventions, grounded in of pathways, prioritize upstream disruption over downstream compensation, potentially halving APP volumes as projected in regulatory impact assessments.
