As payment systems become faster and more convenient, fraudsters are quick to evolve their tactics. One threat stands out for its sophistication and devastating impact: authorized push payment (APP) fraud. With APP fraud losses in the US predicted to reach $14.9 billion by 2028 from roughly $8.3 billion in 2024, banks need to take urgent steps to understand this growing threat and protect their customers.
What is authorized push payment fraud?
APP fraud occurs when an individual or business is tricked into authorizing a payment directly to a criminal’s account. What makes this crime especially damaging is that the customer, rather than the criminal, initiates the payment — often believing it to be legitimate. This differs from other fraud types where transactions are made without the victim’s knowledge or consent. Once sent, funds are often irretrievable, especially on real-time payment platforms.
APP fraud typically unfolds in stages that could look something like this:
- Fraudsters first use open-source intelligence, phishing, or malware to select a vulnerable victim.
- They impersonate someone the victim trusts: a bank official, supplier, friend, or even a family member.
- Through urgent requests — say, “We’ve updated our bank details” or “Your account is under threat” — they create panic or pressure.
- The victim authorizes and pushes the payment, which is then immediately siphoned off to mule or offshore accounts.
Why is APP fraud so damaging and increasing quickly?
Real-time payments have transformed the way money moves, but with the added speed comes added risk. From predictions of massive APP fraud losses in the US to worldwide losses more than doubling by 2028, these drastic increases parallel a sharp rise in instant payment fraud.
One of the main reasons that APP fraud deeply affects victims is that they’re often left with little recourse. Since the payment is “authorized,” traditional banking liability protections may not apply. The legislation in many countries doesn’t require banks to reimburse victims.
Who is most vulnerable to APP scams?
Consumers — particularly older adults — are frequent targets of impersonation scams. But with today’s AI-enhanced scams, digital natives are also being tricked by fraudsters, along with businesses (especially SMEs), primarily through invoice and supplier fraud. In fact, any person or entity conducting regular bank transfers can be caught off-guard, especially as fraudsters leverage deepfake technology and phishing for ever-more convincing deception.
Common APP fraud scenarios
A few common APP fraud scenarios that banks and issuers are encountering include:
- Invoice and supplier scams: Attackers pose as suppliers or service providers and alter payment instructions, causing businesses to send funds directly to the criminal.
- Investment scams: Victims are lured into fake investment opportunities with promises of high returns and urgency.
- Property purchase scams: Fraudsters intercept legitimate communications related to property transactions, modifying banking details at the crucial moment.
- Impersonation/CEO fraud: Criminals fake emails or calls from executives or trusted authorities instructing staff to urgently send money.
How can banks and credit unions fight APP fraud?
Education and communication
Financial institutions must educate both customers and employees about the threat landscape. Training people to spot the red flags, such as urgency, requests for secrecy, or changes in payment instructions, is key.
Layered authentication and device intelligence
Multi-factor authentication (MFA) and strong device intelligence can have a significant impact on fraud prevention strategies. Mobile network–based and biometric authentication systems make it significantly harder for attackers to succeed. Entersekt, for example, equips banks with advanced context-based authentication and behavioral analytics that help spot and block fraudulent push payments before they’re executed.
Real-time monitoring and AI analysis
Fraud detection can’t wait for daily batch processing. Banks must leverage AI and machine learning to identify and halt suspicious transactions as they happen. As fraudsters increasingly use AI to craft deepfakes and personalized phishing, only advanced security countermeasures like dynamic risk-based authentication stand a chance.
Digital payments regulatory response
In the UK, reimbursement for APP fraud is mandatory through their Payment Systems Regulator (PSR), while other countries like Singapore, Australia and the US are in the early stages or planning to implement reimbursement regulations. In the EU, the Third Payment Services Directive (PSD3) will also help shift liability away from customers.
Five ways banks can protect customers from APP fraud
- Educate staff and customers frequently on scam tactics.
- Verify every payment and change in payment instructions using out-of-band or biometric authentication.
- Deploy contextual and device-based authentication.
- Monitor all transactions in real time, using AI to flag outliers.
- Collaborate — share intelligence across the ecosystem and participate in real-time threat information sharing.
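The verification, device and real-time monitoring points in the list above can be combined into one pre-release check. The following is an added example, not code from the original article and not Entersekt's product logic; the class, field and decision names, the thresholds and the sample payments are all assumptions made for illustration.

```python
from collections import namedtuple
from statistics import median

Payment = namedtuple("Payment", "customer payee_name payee_account amount device_id")

class PushPaymentMonitor:
    """Assesses each outgoing payment as it arrives, before release."""
    MIN_HISTORY, MAD_LIMIT = 5, 6.0  # illustrative thresholds (assumption)

    def __init__(self):
        self.amounts = {}  # customer -> amounts of released payments
        self.payees = {}   # (customer, payee name) -> account last paid
        self.devices = {}  # customer -> device ids seen on released payments

    def assess(self, p):
        reasons = []
        known = self.payees.get((p.customer, p.payee_name))
        if known is None:
            reasons.append("new_payee")
        elif known != p.payee_account:  # the "we've updated our bank details" case
            reasons.append("payee_account_changed")
        if p.device_id not in self.devices.get(p.customer, set()):
            reasons.append("unknown_device")
        past = self.amounts.get(p.customer, [])
        if len(past) >= self.MIN_HISTORY:
            # Median absolute deviation: robust to a few large past payments.
            med = median(past)
            mad = median([abs(a - med) for a in past]) or 1.0
            if (p.amount - med) / mad > self.MAD_LIMIT:
                reasons.append("amount_outlier")
        if "payee_account_changed" in reasons or len(reasons) >= 2:
            return "hold_for_out_of_band_check", reasons
        return ("step_up_auth" if reasons else "allow"), reasons

    def record(self, p):
        """Learn from a payment only once it has been verified and released."""
        self.amounts.setdefault(p.customer, []).append(p.amount)
        self.payees[(p.customer, p.payee_name)] = p.payee_account
        self.devices.setdefault(p.customer, set()).add(p.device_id)

def run_constructed_sample():
    m = PushPaymentMonitor()
    for amt in (1200, 1150, 1300, 1250, 1180, 1220):  # constructed history
        m.record(Payment("acme", "Northwind", "ACCT-1111", amt, "laptop-7"))
    incoming = [  # constructed payments, not real data
        Payment("acme", "Northwind", "ACCT-1111", 1240, "laptop-7"),
        Payment("acme", "Northwind", "ACCT-9999", 1260, "laptop-7"),
        Payment("acme", "Contoso", "ACCT-2222", 1200, "laptop-7"),
        Payment("acme", "Fabrikam", "ACCT-3333", 9800, "phone-x"),
    ]
    return [m.assess(p) for p in incoming]
```

Because `record` is called only after release, a payment that is still held cannot teach the monitor that a changed account or a new device is normal.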
By partnering with a trusted provider like Entersekt, banks can protect customers from today’s evolving scams and fraud and continue to build their trust.