When trust becomes the target: understanding APP fraud

In this explainer, Paula Albu from The Paypers dives into the evolving world of APP fraud, examining its definitions, types, and the profile of victims, while exploring how key players in the ecosystem are responding to these threats.

These days, the world seems to move faster than ever. Our cars, our schedules, our communications – all are accelerating. Money is no exception: payments settle instantly, investments move in seconds, and financial decisions are executed at unprecedented speed. 

But fraud has adapted to this pace.

Authorised Push Payment (APP) fraud has emerged as one of the defining risks of the real-time payments era. Unlike traditional forms of fraud, which rely on stolen credentials or breaches, APP fraud targets the moment of trust. Victims actively authorise payments to accounts controlled by fraudsters. Because the user technically approves the transaction, banks often detect it too late, and, in many cases, the funds are not recovered.

The speed and complexity of modern payments amplify both opportunity and risk. Victims are not necessarily naive: they are very often digitally confident, financially stable, and comfortable executing transfers quickly. Yet this confidence can become a vulnerability. In a world where money moves in real time, hesitation can be the only breaking point, and criminals exploit that immediacy.

As instant payments expand globally, APP fraud is no longer a local or isolated problem. From its early surge in the UK to increasingly sophisticated schemes worldwide, authorised push payment scams are emerging as a defining risk of the real-time payments era. Understanding why these scams succeed, how they operate, and who they target is now essential for banks, businesses, and customers alike. 

From UK phenomenon to global pattern

Although APP fraud is now a global concern, the United Kingdom provides the clearest early case study.

Data shows that total fraud losses reached GBP 1.17 billion in 2025, with APP fraud accounting for GBP 257.5 million, up 12% in value. Yet the number of APP incidents actually fell by 20%.

Meanwhile, consumer protection improved. By Q3, 88% of APP losses (around GBP 173 million) were reimbursed under the new framework introduced by the Payment System Regulator, demonstrating how regulation is beginning to reshape incentives across the ecosystem.

As online transactions became more widespread, so did the speed of payments, further amplified by digital banking innovation and the growing use of AI-driven tools. Fraudsters are deploying increasingly sophisticated methods to target and defraud victims.

The growing number of cases and affected customers has drawn the attention of the Financial Conduct Authority (FCA), which highlighted significant variability in how firms are managing fraud controls and customer outcomes. In its multi-firm review, the FCA noted that while many UK banks and payment service providers have invested in detection tools and fraud prevention systems, critical gaps remain in governance, management information, and the handling of customer complaints.

In some instances, weaknesses were identified in how firms support victims once a scam has occurred, reinforcing the need for stronger oversight and a more consistent anti-fraud framework across the industry.

Regulatory intervention followed. In October 2024, the Payment Systems Regulator (PSR) implemented the new APP fraud reimbursement regulations, aiming to compensate victims of this type of fraud up to GBP 85.000 within 5 days. Additionally, the Reimbursement Claims Management System (RCMS) was introduced – a centralised solution designed to optimise the management of APP scam claims. The system primarily supports Payment Service Providers (PSPs), helping them handle claims more efficiently while ensuring consistent processing and reporting.

Meanwhile, globally, internet-enabled fraud losses have reached record levels. Industry projections suggest that APP fraud losses could climb to USD 7.6 billion by 2028 across six leading real-time payment markets (US, UK, India, Brazil, Australia, and UAE). Investment scams, impersonation schemes, and bank transfer fraud continue to generate billions in reported losses annually. While terminology differs across jurisdictions, the mechanics often resemble APP fraud: deception leading to an authorised yet irreversible payment.

APP fraud is therefore no longer a regional concern. It is increasingly emerging as a structural feature of real-time payments ecosystems.

Why APP fraud matters now?

APP fraud is not a new topic in the fintech landscape. What is new is its scale, sophistication, integration with AI, and its close alignment with the infrastructure of modern payments.

Risk has grown with the rapid global expansion of real-time payment systems. Unlike card payments, which benefit from chargeback mechanisms and delayed settlement, account-to-account transfers are typically final. Once authorised and executed, funds can be dispersed across multiple accounts within minutes, often across jurisdictions, making recovery increasingly unlikely.

At the same time, fraud has migrated. As card authentication strengthened through tokenization, biometrics, and Strong Customer Authentication (SCA), criminals shifted tactics. Instead of attempting to bypass security control, they exploit the human layer. APP fraud bypasses technical defenses entirely by persuading the victim to act willingly.

The economic and technological environment further amplifies this risk. Financial uncertainty fuels investment scams, while AI-driven tools have improved the realism of social engineering techniques. From convincing phishing emails to synthetic voice calls impersonating executives or family members, the barrier to producing credible deception is lower than ever. 

The numbers reflect this shift. Recent studies suggest that voice cloning can now fool up to 80% o listeners, representing a 680% YoY increase in effectiveness. Globally, one in ten adults report encountering an AI voice scam, and 77% of those targeted report financial losses.  

Regulatory attention is also intensifying this topic. The UK’s reimbursement regime signals a shift in how responsibility is allocated, and similar debates are emerging across Europe and North America. APP fraud is no longer treated as consumer negligence; it is increasingly framed as a systemic payment risk requiring coordinated oversight.

In 2026, regulatory developments are expected to further reshape the response to APP fraud. In the EU, PSD3 and PSR will introduce stronger safeguards, including liability for impersonation scams, real-time payee verification (CoP-like), and tying fraud to AMLD6/AMLA oversight. Additionally, in the US, the Consumer Financial Protection Bureau (CFPB) eyes similar RTP rules amid FedNow growth.

Most importantly, APP fraud challenges a foundational assumption of digital finance: that authorisation equals consent. When consent can be engineered through psychological pressure, the assumption becomes fragile.

This is why APP fraud matters now more than ever. It sits at the intersection of instant infrastructure, social engineering, behavioral manipulation, and evolving regulatory expectations. As real-time payments continue to scale globally, the ability of financial institutions to manage this risk will influence trust in the broader ecosystem. 

Understanding APP fraud – who, how, and why

Authorised Push Payments fraud is not a typical type of scam. The payment is initiated and authorised by a legitimate user, which makes it particularly insidious: the victim is manipulated into choosing to send money, share data, or grant access.

APP fraud can take various forms, with fraudsters exploring different victims, vulnerabilities, and mechanisms. The most common ones are:

• Impersonation scams that involve criminals posing as banks, law enforcement, or public authorities to induce victims to transfer funds to a safe account.
• Hi Mom scams, where fraudsters pretend to be a family member in desperate need of cash, again playing on the emotional heartstrings.
• Invoice and supplier fraud targets businesses by redirecting legitimate payments to altered account details.
• Investment scams persuade victims of all types to invest in fictitious businesses, funds, or securities with promises of high returns.
• Pig butchering scams are particularly insidious as they involve building a relationship with victims to get increased funds from them over time. This type of fraud can include romance scams, which combine elements of investment with sharing personal or intimate details to build relationships. Small payouts may be offered initially to encourage larger transfers over time.

It cannot happen to me - Profile of a victim

You might think so. But the victims are not only the ones you would expect.

Jorij Abraham, Managing Director of the Global Anti-Scam Alliance (GASA), highlights that anyone can get scammed. Certain tendencies increase risk, such as being impulsive, overly optimistic, or very active online. Other factors include being a male (with slightly higher susceptibility), having an immigrant background (it makes them less familiar with local rules and processes), and having been a prior victim.

Interestingly, younger generations and highly educated individuals can be more susceptible. Confidence in recognising scams can sometimes create a false sense of security, making people less cautious when confronted with fraudulent cases.  

Better prevent than lose money

Even though many victims are familiar with digital payments, consumer education and awareness remain the first line of defence against APP fraud. Understanding the types of scams, the tactics fraudsters use, and the psychology behind urgency can prevent victims from acting too impulsively.

Several simple things go a long way:

• Verify the request – always confirm payment instructions, especially when it seems urgent or unexpected. Contact the requesting party using verified contact information, but from a different device from the one on which you were contacted.
• Fight the urgency – fraudsters tend to create a sense of urgency to cloud judgment. Take time to assess the situation.
• Enable two-factor authentication and other security features on banking apps or online payment platforms.
• Keep families and close contacts informed. For example, establish some safe words or signals to verify urgent requests.

When it comes to businesses, action is multifaceted. Payment service providers and banks must implement robust detection tools, monitoring systems, and governance processes.

European banks and financial institutions are already implementing various strategies to mitigate APP fraud. Confirmation of Payee (CoP) verifies that the recipient’s name matches the account details provided, reducing the possibility of funds being misdirected. While not yet standardised across all of Europe, CoP has been highly effective in countries where it is implemented, such as the UK and the Netherlands.

In 2026, the tech stack is expected to build an ecosystem to prevent APP fraud. Under the upcoming PSD3 (expected in Q1-Q2 2026 with a 21-month transition), payee verification mechanisms like CoP will become mandatory for credit transfers and instant payments. Payment service providers will need to check whether the beneficiary’s name matches the IBAN before executing a transfer, warning or blocking users in cases of mismatches.

At the same time, financial institutions are increasingly deploying AI behavioural biometrics, analysing micro-behaviours such as keystroke speed, swipe patterns, and hesitation to detect signs of stress often linked to social-engineering scams.

Another layer involves Data sharing between FIUs and banks: the 2026 plan them to share suspect lists instantly with FIUs (fraud cops) via APIs, like a group chat warning ‘Block transfers to this account NOW!’ before funds reach scammers. This approach helps flag unusual patterns across the ecosystem, such as multiple rapid transfers, as red flags.

Therefore, the solution to combat APP fraud scams involves collaboration across the ecosystem. Banks, fintechs, and fraud solution providers must share insights, develop rulesets for detecting unusual behavior, and coordinate processes for recovery and dispute management. 

Who takes responsibility when no one is guilty?

APP fraud sits at the intersection of consumer behaviour, institutional processes, and regulatory oversight. Consumers are responsible for vigilance, but institutions must create safer systems and respond promptly when incidents occur.

Beyond reimbursement obligations, banks and PSPs face operational costs, investigation burdens, and technical expenses to manage claims, improve monitoring, and defend fraudulent real-time payment flows. Vulnerable users, who may not be deemed negligent even when deception occurs, raise the stakes for institutional accountability.

APP fraud is not simply an individual problem; it has become a systemic risk that requires coordinated industry and regulatory action. 

APP fraud in the real-time era

APP fraud illustrates a paradox of the modern financial world. The technologies designed to make payments faster, more optimal, and accessible can also create opportunities for manipulation.

Ultimately, fraudsters target the only element that remains consistently exploitable: human behaviour.

Managing this risk will require more than a technical solution and customer education. It will depend on stronger collaboration between financial institutions, regulators, technology providers, and customers.

In the second part of this series, we will map how APP fraud manifests across different countries and payment ecosystems, examining which scam typologies are most common in each region and why. We will also explore how reimbursement frameworks are evolving globally and how banks, payment service providers, and regulators are aligning their responsibilities to address the growing risk. 

 

This article is part of The Paypers’ Explainers section. To access other educational materials, click here. If you have suggestions about other topics that could be included in this section, we invite you to write to us at editor@thepaypers.com.