Explainer: APP fraud around the world

Paula Albu, Junior Editor at The Paypers, examines how APP fraud manifests across key markets and what regional differences reveal about the global state of fraud prevention.

In the first explainer on Authorised Push Payment (APP) fraud, we explored the fundamentals, defining the concept, outlining the main scam typologies, and sketching the profile of typical victims. But understanding APP fraud in theory is only the starting point. In practice, this type of fraud does not follow a single pattern. It evolves continuously, adapting to local payment infrastructures, user behaviors, and regulatory environments.

In the second part, we move beyond definitions and examine how APP fraud unfolds in real-world contexts. From the UK’s highly developed instant payment landscape to Australia’s frameworks, fraudsters continuously tailor their approaches to exploit specific vulnerabilities. At the same time, reimbursement frameworks are evolving globally, as banks, payment service providers (PSPs), and regulators work to define responsibility and protect users in an increasingly complex ecosystem.

The urgency is evident. As payment systems become faster, more accessible, and embedded into everyday life, fraud moves at the same pace, often quicker than institutions can respond. The rise of artificial intelligence and emerging models such as agentic commerce further complicates the picture, blurring the line between legitimate and fraudulent interactions.

A global threat with local patterns

APP fraud is, at its heart, a global phenomenon. The underlying mechanism is simple: a victim is manipulated into authorising a payment to a fraudster. Yet the way this manipulation takes place varies significantly across regions.

This variation is not random. It reflects the characteristics of each payment ecosystem: the level of digitalisation, the types of payment methods in use, the regulatory frameworks in place, and even cultural attitudes towards trust and authority. The more advanced the digitalisation, the more sophisticated the scams. In other regions, fraudsters rely more on direct human interaction and social engineering.

The threat is also growing. Fraudsters are leveraging advanced technologies to scale and refine their attacks. AI-generated messages, voice cloning, and personalised phishing campaigns are making scams increasingly convincing. As a result, financial institutions are under pressure to respond quickly, balancing the need for security with the demand for optimal user experiences.

Understanding APP fraud requires a regional perspective. Only by examining how it manifests in different environments can we identify the patterns and vulnerabilities that drive it.

United Kingdom, where the numbers are stark

The United Kingdom provides one of the clearest examples of how APP fraud has evolved alongside modern payment systems. With the broad adoption of real-time payment infrastructure, the UK has become a highly efficient and exposed market.

Data shows that total fraud losses reached GBP 1.17 billion in 2024, with APP fraud accounting for GBP 257.5 million, up 12% in value. Yet the number of APP incidents fell by 20%. Additionally, according to Ofcom, 87% of UK adult internet users have encountered content online that they believed to be a scam or fraud, and nearly half (47%) have engaged with it.

Among the most common types of fraud in the UK are impersonation fraud (51%), counterfeit goods scams (42%), investments, pension, or ‘get rich quick’ scams (40%), and computer software service or ransomware scams (37%).

Victims are most commonly contacted via a direct message or a group message (46%), online advertisements (20%), or influencer and user-generated content (6% and 4%). Financially, two in five victims (42%) lost between GBP 1 and GBP 99, while one in five (21%) lost GBP 1.000 or more.

A notable concern is that 17% of victims took no action at all. Many believed their report would not make a difference, or they felt too ashamed to come forward.

In response, the UK introduced new reimbursement rules in October 2024 via the Payment Systems Regulator (PSR), aiming to protect the victims of APP scams. Once the scam is reported, the customer’s PSP must issue the refund within five business days, or within 35 days if more time is required. The costs are split equally between the sending and receiving banks, with reimbursement capped at GBP 85.000 per case. In the first six months of the PSR policy being in place, around 109.000 claims were reported by consumers, and 77.000 of those were in scope for reimbursement, with 87% of the money lost to APP scams returned to victims. In the first year, UK banks paid GBP 173 million in APP fraud claims under the PSR regime, underlining the scope of the financial commitment now placed on financial institutions.

The PSR mandatory reimbursement framework has prompted financial institutions to implement additional controls and warnings, contributing to a reduction in APP fraud incidents, a sign that interventions are starting to have an effect.

The UK case represents a significant shift in how APP fraud is addressed. Rather than placing the responsibility solely on the customer, it recognises fraud as a systemic issue that requires coordinated action across the ecosystem. As a result, the UK is increasingly seen not only as a high-risk market but also as a benchmark for how fraud can be managed and mitigated.

Europe, where APP fraud adapts to the region and the customer

Across Europe, similar fraud patterns are emerging, driven by the growing adoption of instant payments and digital banking services.

However, unlike the UK, the European landscape is more fragmented. Differences in payment infrastructure, regulatory approaches, and customer behavior mean that APP fraud does not develop uniformly across the region.

The 2025 Report on Payment Fraud, issued by the European Banking Authority (EBA) and the European Central Bank (ECB), assesses payment fraud reported by the industry across the European Economic Area (EEA) at EUR 4.2 billion in 2024. Most payment fraud by value arose from credit transfers and card payments. To be more specific, in 2024, the total value of fraudulent credit transfers sent by PSPs in the EU/EEA amounted to EUR 2.5 billion, and the value of fraudulent card transactions amounted to EUR 1.3 billion.

On a country-by-country basis, fraud patterns vary considerably. For credit transfers, the highest fraud rate by value was recorded in Slovenia (0.006%), while Lithuania led in volume terms (0.015%). The highest levels were reported for France, with over 52.000 fraudulent transactions, in volume terms, and Germany, totalling EUR 72.2 million, in value terms. Slovakia experienced the largest fraud rate by volume (0.011%) and the highest fraud rate by value (0.044%).

Fraudulent card payments were the lowest in Latvia (22.489 transactions) and the highest in France (over 7.1 million transactions) in volume terms. France also reported the highest card fraud value, amounting to EUR 484 million.

For merchants, the effects of fraud are significant. According to payabl.’s Fraud in Europe: Counting the cost for retailers and shoppers report, more than half of businesses (52%) say fraud has led to reputational damage for their brand, rising to two-thirds (67%) of larger businesses, and 21% of consumers never return to a retailer they were defrauded by.

The regulatory response is also evolving. The EU’s Instant Payments Regulation (IPR) mandates Verification of Payee (VoP) across member states, with compliance deadlines set for 2025 and 2027. Meanwhile, the proposed Payment Services Directive (PSD3) and Payment Services Regulation (PSR1) aim to expand PSP liability for fraud losses and mandate measures such as IBAN-name matching to prevent misdirected payments.

United States, where speed needs safety nets

In the United States, APP fraud has expanded and adapted to the rapid growth of real-time payment solutions. The new systems offer speed and convenience but also introduce familiar risks: once a payment is authorised, recovery becomes significantly more difficult.

The ACI Worldwide 2024 Scamscope Report shows that impersonation, advance payment, and investment scams generate the highest losses, with romance scams also prominent. The FBI’s 2024 Internet Crime Report recorded over USD 16.6 billion in losses from internet-enabled crimes, which includes APP fraud.

The US Faster Payments Council estimates that by 2028, between 70% and 80% of all US financial institutions will be enabled to receive real-time payments, and between 30% and 40% of them will be enabled to send instant credits. High-volume use cases include invoicing, government payments, taxes, wallet funding, online banking, and gaming.

On this basis, it is expected that financial service providers will have strong fraud risk controls. While platforms like Zelle, Venmo, and Cash App have implemented some controls, these remain insufficient to combat real-time scammers.

The most common scams are impersonation scams (18%), advance payment scams (18%), investment scams (14%), invoice scams (14%), romance scams (12%), purchase scams (11%), authority scams (11%), and other (2%). More than 30% of victims chose not to continue with their existing financial institution, negatively impacting consumer trust and confidence.

The US still lacks federal or state laws requiring reimbursement for victims of APP fraud. While the Electronic Fund Transfer Act covers unauthorised transactions, it does not protect consumers tricked into approving payments. The Protecting Consumers from Payment Scams Act has been introduced in Congress, but is not expected to pass in the near term. Some states have begun allowing PSPs to delay suspicious transactions, with a focus on protecting elderly and vulnerable consumers.

Australia: progress, but reimbursement remains voluntary

The Targeting Scams Report by the National Anti-Scam Centre shows that Australians reported losses totalling USD 2.18 billion in 2025, an increase of 7.8% from 2024. Compared to the previous years, there is a notable change: 2022 marked the year with the major losses (USD 3.1 billion), but in 2023 (USD 2.7 billion) and 2024 (USD 2.0 billion), the losses decreased.

Top scam types by loss for 2025 include investment (USD 837.7 million), payment redirection (USD 166.8 million), romance (USD 139.9 million), phishing (USD 97.6 million), and remote access (USD 69.9 million).

However, unlike the UK, Australian banks are not mandated to reimburse victims of scams. In an expert view published on The Paypers, Rob Neely discusses how the Australian Government's recently introduced Scams Prevention Framework (SPF), in January 2025, provides a structured, economy-wide response to the growing fraud epidemic. SPF introduces mandatory, enforceable obligations across banks, digital platforms, and telcos, the primary sectors facilitating scams. Its principal goals include preventing scams before they reach consumers, detecting scam attempts swiftly, and actively disrupting fraudulent activities.

In July 2025, Australian banks launched Confirmation of Payee (CoP) technology as part of the Scam-Safe-Accord, a joint initiative between the Australian Banking Association (ABA) and the Customer Owned Banking Association (COBA), backed by USD 100 million in investment, enabling name-to-account matching to prevent customers from being tricked into sending funds to fraudsters.

Reimbursement frameworks: a global patchwork

One of the most important takeaways from the regional picture is that victim reimbursement remains uneven across the globe. According to the Global Anti-Scam Alliance, consumers worldwide lost USD 422 billion to APP fraud and scams in 2025, yet the predictions may vary depending on where they live.

The UK stands out as one of the most advanced jurisdictions, with mandatory reimbursement now in force and a clear liability split between sending and receiving banks. Australia is moving in the right direction with the SPF, but reimbursement remains voluntary for now. In the EU, regulatory harmonisation is underway but not yet complete. The US remains the most notable gap, with a large, fast-growing, real-time payments market with no federal reimbursement mandate.

While reimbursement frameworks provide customer protection, the ultimate goal must be to prevent losses from occurring in the first place through technological solutions and improved consumer education. Reimbursement, as several payment leaders noted, addresses the consequences of fraud, not its causes. An effective response would be a coordination between banks, telcos, social media platforms, regulators, and law enforcement working together to disrupt scams before they reach the payments system.

Fraud prevention is also closely tied to consumer behavior patterns. According to the payabl report, fraud does not operate in a vacuum. It intensifies during periods of heightened consumer activity. Events such as Black Friday and Cyber Monday have quickly become global phenomena, with merchants offering various discounts to consumers. Black Friday and Cyber Monday are the most likely times of the year for fraud spikes (37%), ahead of other periods of increased traffic, such as summer holidays (33%), January sales (30%), tax refund season (25%), and back-to-school/university season (24%).

What changed in April 2026

The regulatory picture for payments in Europe started to change, with a first step from theory to practice. On 23 April 2026, the European Parliament and the Council of the EU agreed on the final texts of PSD3 and PSR, marking the conclusion of a legislative process that has been closely watched across the payment industry.

The finalised framework clarifies several key areas:

On unauthorised payments, refunds remain mandatory, but PSPs may delay reimbursement by up to 15 business days where fraud is suspected, provided the delay is justified, and an investigation is ongoing.
On impersonation fraud, PSPs are required to fully reimburse victims where the fraud occurs via their own channels, with the burden of proof on the PSP to demonstrate user fraud or gross negligence.
Mandatory IBAN-name checks are also confirmed, with refund liability triggered in cases where failure results in misdirected payments.

The framework also extends the discussion to liability. When it comes to telecom and social media platforms, specific liability rules were on the table during the trilogies but did not make it into the final texts. PSPs do, however, retain a right of recourse against hosting service providers where illegal content on their platform contributes to fraud losses.

The texts are now undergoing legal-linguistic review before publication in the Official Journal of the European Union, expected in June/July 2026.

Conclusions

APP fraud is no longer a niche threat: it is a systemic challenge embedded in the architecture of modern payments. As real-time payment infrastructure expands globally, so does the attack surface available for fraudsters.

The common thread across all regions? The urgency. Financial institutions, regulators, payment providers, and technology companies must work together to share data, align standards, and invest in fraud prevention infrastructure that can keep pace with the sophisticated attacks. The question is no longer whether action is needed, but how quickly and how effectively it can be delivered.

This article is part of The Paypers’ Explainers section. To access other educational materials from this section, click here. If you have suggestions about other topics that could be included in this section, we invite you to write to us at editor@thepaypers.com.

Want to keep exploring? Check out these other explainers:

About Paula Albu

Paula Albu has experience in content writing and editing, as well as being a creative storyteller. As a Junior Editor at The Paypers, she investigates Web3 technologies along with the latest trends and regulations in banking and fintech. Paula is committed to turning complex industry topics into engaging, accessible content that resonates with readers and creates a meaningful connection. She is available via LinkedIn or at paula@thepaypers.com.

Explainer: APP fraud around the world - threats and reimbursement