Authorized Push Payment Fraud: Why Banks Struggle to Stop APP Scams

Authorized push payment fraud tricks real customers into sending money. This draft explains why banks struggle to stop APP scams and what fraud teams can do.

Authorized push payment fraud is one of the hardest problems in modern banking risk because the real customer sends the money. The login may be valid, the device may be familiar, and the payment may be approved, but the customer’s decision may have been engineered by a scammer.

A customer receives a call from someone claiming to be from the bank. The caller sounds calm, professional, and urgent. They say the customer’s account is under attack and the money must be moved to a safe account. The customer opens the real banking app, passes authentication, confirms the transfer, and sends the money.

From the bank’s system view, much of the transaction may look legitimate. The real customer logged in. The customer used a known device. The customer passed authentication. The customer approved the payment.

But the reason for the payment was fake.

That is the core challenge of authorized push payment fraud, often called APP fraud. Unlike account takeover, where a criminal gains control of an account, APP fraud happens when the real customer is manipulated into sending money to a criminal-controlled account.

Authentication can prove who made the payment. It cannot always prove whether the customer was rushed, coached, deceived, threatened, emotionally pressured, or following a scammer’s script.

That is why APP fraud now sits at the center of the banking fraud debate. It connects instant payments, AI scams, mule accounts, social engineering, reimbursement policy, consumer protection, and fraud analytics. It also forces banks to ask a harder question than traditional fraud systems were built to answer:

Did the real customer send the payment freely, or did a criminal manufacture the customer’s intent?

For related context, see EdEconomy’s guide to how U.S. financial institutions are using AI to combat fraud and the bank scam prevention field guide for fraud analysts.

Key Takeaways

  • Authorized push payment fraud occurs when a scammer deceives a victim into approving a payment to a fraudulent recipient.
  • APP fraud is difficult because the customer may pass authentication and approve the payment inside the bank’s normal digital flow.
  • Instant payments compress the detection window because funds can become available quickly and may be difficult to recover.
  • Generative AI makes scam stories more believable through better messages, fake profiles, voice cloning, deepfakes, and personalized scripts.
  • Banks need layered controls that combine scam-specific prompts, recipient-risk scoring, mule detection, behavioral analytics, claims data, and human review.

What Is Authorized Push Payment Fraud?

Authorized push payment fraud occurs when a scammer tricks a victim into authorizing a payment to an account controlled by the fraudster. The U.K. Payment Systems Regulator describes APP fraud as a situation where a person is deceived into sending money to a fraudster by bank transfer.

In plain English, APP fraud is a scam where the victim sends the money because they were deceived.

That makes it different from many traditional fraud categories. In unauthorized fraud, the customer says, “I did not make this transaction.” In authorized push payment fraud, the customer may say, “I made the payment, but I was tricked into doing it.”

| Fraud type | Who initiates the payment? | Typical customer claim | Main control challenge |
|---|---|---|---|
| Unauthorized fraud | The criminal or an unauthorized actor | I did not make this transaction. | Identify account takeover, stolen credentials, device compromise, or unauthorized access. |
| Authorized push payment fraud | The real customer, under deception | I made the payment, but I was tricked. | Detect manipulated intent, risky recipients, scam pressure, and mule-account activity. |

The distinction matters because many banking controls were designed around authorization. If the right customer logs in, uses the correct credentials, passes multifactor authentication, and confirms the transfer, then the payment may pass through the system as valid.

APP fraud breaks that logic. The criminal does not always need to steal the password. The criminal only needs to control the story.

Common APP fraud scenarios include fake bank representative scams, safe-account transfer scams, romance scams, investment scams, purchase scams, fake invoice scams, business email compromise, government impersonation, family emergency scams, tech support scams, marketplace scams, cryptocurrency scams, and military-family emergency scams.

In many cases, the scammer’s goal is not to bypass authentication. The goal is to convince the victim to authenticate themselves.

Why APP Fraud Is Growing

APP fraud is growing because several trends are converging at once.

First, digital banking has made payments easier and faster. Customers can now send money from a phone in seconds. That convenience is valuable, but it reduces the time available for fraud teams to detect, interrupt, and recover suspicious payments.

Second, instant payment rails are changing the risk window. The Federal Reserve Bank of Kansas City has warned that the speed and irrevocability of fast payments make them attractive to fraudsters committing APP scams. Once funds are available, recovery may be difficult.

Third, scams often begin outside the bank. The manipulation may start on social media, a messaging app, a fake investment website, a spoofed call, a dating platform, a marketplace listing, or an email thread. The bank may see only the final payment, not the full deception journey.

Fourth, generative AI is improving the quality and scale of scam stories. A 2024 review in Artificial Intelligence Review found that generative AI can amplify social engineering through realistic content creation, advanced targeting and personalization, and automated attack infrastructure. For APP fraud, that means better scripts, more believable messages, fake investment sites, voice clones, and personalized pressure tactics.

EdEconomy covered the broader AI arms race in AI vs. AI in Banking Fraud: The 2026 Battle Over Instant Payments. Authorized push payment fraud is one of the clearest examples of that battle because AI does not need to defeat the bank’s security controls directly. It can persuade the customer to move the money.

The U.K. Is the Global Case Study

The U.K. has become the most important global case study for APP fraud because it has moved further than most countries on reimbursement.

The Payment Systems Regulator’s APP fraud reimbursement protections started on October 7, 2024. The framework covers many eligible victims of APP scams over Faster Payments and CHAPS, and the PSR set a maximum claim level of £85,000, which it said would cover more than 99% of claims.

The first major data after implementation shows both the value and the limits of reimbursement. The PSR’s Q4 2025 reimbursement dashboard reported that, across the first 15 months of the regime, 89% of reimbursable APP scam losses had been reimbursed to victims, representing £243 million returned. It also reported that 82% of claims were closed within five business days.

That is a major consumer-protection development. But reimbursement does not automatically stop the next scam.

UK Finance’s 2026 Annual Fraud Report said its members reported £1.28 billion in payment fraud losses in 2025. Its detailed report also showed that APP fraud losses rose 19% to £576.4 million, while the number of APP fraud cases rose 7%.

The policy lesson is uncomfortable but important: reimbursement can protect victims after the scam, but it does not by itself prevent the scam from happening. If criminals can still manipulate victims, recruit mule accounts, and cash out quickly, then the financial system still has a prevention problem.

This does not mean reimbursement is a failure. It means reimbursement is one layer of a broader fraud-control system. Banks still need better prevention, better recipient intelligence, and stronger cross-sector disruption of scam infrastructure.

Why Banks Struggle to Stop Voluntary Scams

Banks struggle with APP fraud because the payment can look legitimate at the surface level.

A traditional fraud system may ask: Is this the real customer? Is the device familiar? Did the customer pass authentication? Is the account in good standing? Is the transaction within normal limits? Did the customer approve the payment?

In APP fraud, the answer to many of those questions may be yes.

The real problem is deeper. Why is the customer sending money? Who told the customer to send it? Is the customer being coached? Is the recipient account risky? Is this a newly created payee? Is the customer under urgency, fear, secrecy, or emotional pressure? Is the receiving account acting like a mule?

That is why APP fraud is not just a payments problem. It is a decision-manipulation problem.

Authentication answers the question: who sent the money? Authorized push payment fraud requires another question: was the customer’s decision engineered by a scammer?

The second question is much harder to automate. The bank may not see the scammer’s phone call. It may not see the WhatsApp messages. It may not see the fake investment site. It may not know that the customer has been groomed for weeks in a romance scam or coached for an hour by a fake bank employee.

From a fraud analytics perspective, the suspicious signal is not always the transaction itself. It may be the story behind the transaction.

For more on real-time banking controls, EdEconomy’s FedNow fraud detection guide explains why instant payments require faster decisioning, multi-signal models, and analyst-ready workflows.

APP Fraud Risk Signals Banks Should Monitor

No single signal proves APP fraud. The better approach is to combine sender behavior, recipient risk, payment context, and scam typology.

  • First-time payee: The customer is sending money to a new recipient, especially at an unusual amount.
  • Recent account changes: Password reset, phone number change, new device enrollment, or contact information update shortly before payment.
  • Long or unusual session: The customer spends more time than normal in payment screens, copies and pastes instructions, or appears to follow scripted steps.
  • Unusual payment purpose: Notes or customer explanations suggest safe-account transfers, investment opportunities, urgent bills, crypto deposits, family emergencies, or secret instructions.
  • Recipient risk: The receiving account is new, has high inbound velocity, has unrelated senders, or drains funds quickly.
  • Velocity pattern: The customer sends multiple payments below review thresholds or rapidly increases payment size after an initial test transfer.
  • Cross-channel pressure: A branch, call center, or digital session indicates the customer is on the phone, nervous, evasive, or repeating phrases likely supplied by a scammer.
  • Mule behavior: The recipient account is connected to prior claims, suspicious devices, synthetic identities, rapid cash-out behavior, or other accounts in a suspicious network.

The strongest programs combine these signals rather than relying on a single red flag. A first-time payee is common. A first-time payee plus high value, unusual session behavior, risky recipient intelligence, and scam-specific language is a different risk profile.
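
The combination logic described above, sketched as an added example (not code from any bank or vendor). The weights, thresholds, field names, and memo phrases are constructed assumptions; the prompt wording is taken from this article, and `recipient_risk` is assumed to come from a separate recipient-side model.

```python
from dataclasses import dataclass

# Constructed weights and thresholds; a real program would calibrate them
# against labelled scam claims.
WEIGHTS = {
    "first_time_payee": 1.0, "high_value": 1.5, "recent_account_change": 1.5,
    "unusual_session": 1.5, "velocity_pattern": 1.5,
    "cross_channel_pressure": 2.0, "scam_language": 2.5, "recipient_risk": 2.5,
}
PROMPT_AT, HOLD_AT = 3.0, 6.0

# Memo phrase -> scam-specific question (question wording from the article).
PROMPTS = {
    "safe account": "Has someone claiming to be from your bank told you to "
                    "move money to a safe account?",
    "investment": "Are you sending money to an investment promoted online?",
    "crypto": "Are you sending money to an investment promoted online?",
    "secret": "Are you being told to keep this transfer secret?",
    "urgent": "Are you being told this payment is urgent or confidential?",
}
DEFAULT_PROMPT = "Has anyone told you what to say to the bank?"


@dataclass
class Payment:
    amount: float
    typical_amount: float        # customer's usual transfer size
    first_time_payee: bool
    recent_account_change: bool  # password reset, new device, contact update
    session_seconds: int
    typical_session_seconds: int
    memo: str
    recipient_risk: float        # 0..1, assumed output of a recipient-side model
    payments_last_hour: int      # payments to this payee in the last hour
    on_call: bool                # customer appears to be on a phone call


def signals(p: Payment) -> dict:
    memo = p.memo.lower()
    return {
        "first_time_payee": p.first_time_payee,
        "high_value": p.amount > 3 * p.typical_amount,
        "recent_account_change": p.recent_account_change,
        "unusual_session": p.session_seconds > 3 * p.typical_session_seconds,
        "velocity_pattern": p.payments_last_hour >= 3,
        "cross_channel_pressure": p.on_call,
        "scam_language": any(phrase in memo for phrase in PROMPTS),
        "recipient_risk": p.recipient_risk >= 0.7,
    }


def decide(p: Payment) -> dict:
    fired = [name for name, hit in signals(p).items() if hit]
    score = sum(WEIGHTS[name] for name in fired)
    if score >= HOLD_AT:
        action = "hold_for_review"
    elif score >= PROMPT_AT:
        action = "scam_prompt"
    else:
        action = "allow"
    prompt = None
    if action != "allow":  # pick the question that names the matched scam pattern
        memo = p.memo.lower()
        prompt = next((q for ph, q in PROMPTS.items() if ph in memo), DEFAULT_PROMPT)
    return {"score": score, "action": action, "signals": fired, "prompt": prompt}


if __name__ == "__main__":
    demo = Payment(9000, 200, True, False, 900, 90, "Transfer to safe account", 0.85, 1, True)
    print(decide(demo))
```

A first-time payee on its own scores below the prompt threshold, while the same signal stacked with high value, a long session, a risky recipient, and scam language is held for review.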

The Psychology: APP Fraud Attacks Trust and Speed

APP fraud works because it targets human behavior. The scammer creates a story that compresses the victim’s verification window.

A fake bank employee creates fear: your account is being drained. A fake investment adviser creates scarcity: this opportunity closes today. A romance scammer creates emotional obligation: I need help and only you understand. A fake marketplace seller creates pressure: others are interested, so send the deposit now. A business email compromise attack creates authority: the CEO needs this invoice paid immediately.

These tactics are not random. They are designed to make the customer act before they slow down, call someone else, check the source, or question the story.

That is why generic warnings often fail. A customer who is already under pressure may click through a warning because the scammer has prepared them for it. The scammer may even coach the victim on what to say if the bank asks questions.

Better payment design should interrupt the scam script. Instead of asking only, “Are you sure?” the bank should ask questions that name the actual scam pattern. Has someone claiming to be from your bank told you to move money to a safe account? Are you being told to keep this transfer secret? Are you sending money to an investment promoted online? Has anyone told you what to say to the bank?

Fraud prevention is not only about telling customers to be careful. It is about designing moments that help customers pause.

AI Makes the Scam Story More Believable

Generative AI raises the stakes because it makes deception cheaper, faster, and more personalized.

Scammers can use AI to draft convincing bank messages, imitate customer service language, generate fake investment materials, translate scams into multiple languages, create fake profile content, mimic tone, and produce realistic voice or video impersonations.

This matters for APP fraud because the attack surface is not only the account. It is the customer’s belief.

An AI-generated scam does not have to hack the bank. It only has to make the customer believe the transfer is urgent, safe, profitable, or necessary.

Voice cloning and deepfake-style impersonation are especially concerning. EdEconomy’s article on AI voice cloning scams targeting military families explains how fake emergency calls can exploit distance, fear, and family trust. The same psychology applies to APP fraud. A scammer who can sound like a trusted person, bank employee, executive, or family member has a better chance of convincing the victim to authorize the payment.

For banks, the lesson is clear. Detecting synthetic media is useful, but it is not enough. Fraud controls must also detect manipulated intent, risky recipients, and scam typologies inside the payment journey.

Why Mule Accounts Matter

APP fraud does not end when the customer sends the money. It often moves into a mule network.

A mule account is an account used to receive, move, or cash out illicit funds. Some mule accounts are opened with synthetic or stolen identities. Others belong to people recruited through fake jobs, romance manipulation, social media, or promises of easy money. Some mules know they are helping criminals. Others are deceived.

Mule detection is one of the most important parts of APP fraud defense because the sending bank may see a legitimate customer, while the receiving bank may see the risky account.

This creates a data fragmentation problem. The sending institution knows the victim’s behavior. The receiving institution may know whether the beneficiary account is newly opened, receiving funds from unrelated victims, quickly draining balances, or sending funds onward through multiple hops.

The BIS Committee on Payments and Market Infrastructures has emphasized the need to address fraud in faster and cross-border payments, including the importance of better information sharing. In APP fraud, the receiving side matters because the fraudster’s ability to profit depends on cash-out.

Recipient-risk scoring, confirmation of payee, account-age signals, inbound velocity, outbound velocity, and network behavior are therefore essential. Graph analytics can also help. EdEconomy’s article on graph analytics for account takeover fraud focuses on ATO, but the same concept applies to mule networks. Fraud becomes easier to see when accounts, devices, counterparties, phone numbers, IPs, and transaction paths are connected.

The U.S. Problem: Different Language, Same Risk

In the U.S., consumers may not use the phrase authorized push payment fraud. They are more likely to search for Zelle scam, bank transfer scam, payment app fraud, wire scam, fake bank call, safe-account scam, will my bank refund scam money, I sent money to a scammer, or payment app refund scam.

But the underlying issue is similar. A customer is manipulated into sending money.

The Kansas City Fed describes APP scams as especially important for fast-payment systems because the victim is the authorized party initiating the payment. Once the payment is executed, recovery may be difficult because funds can become available quickly.

The Federal Trade Commission reported that U.S. consumers lost $12.5 billion to fraud in 2024, up $2.5 billion from 2023. It also reported that the largest losses by payment method happened through bank transfers or payments, followed by cryptocurrency.

The FBI’s 2025 Internet Crime Report said losses reported to IC3 surpassed $20 billion, with investment-related fraud as the largest component, followed by business email compromise and tech support scams. These categories overlap heavily with APP fraud behavior because victims may be persuaded to send money to fake platforms, fake vendors, fake support agents, or impersonators.

In the U.S., the liability question remains unsettled. Unauthorized electronic transfers are generally treated differently from authorized scam payments. That distinction creates frustration for victims because the loss feels like fraud either way. Operationally and legally, however, the bank may view the claim differently depending on whether the customer authorized the transfer.

If a real customer sends the payment under deception, who should bear the loss: the customer, the sending bank, the receiving institution, the payment network, the telecom provider, or the platform where the scam began?

There is no simple answer. But the scale of losses means the question will not go away.

Why Human Judgment Still Matters

AI is essential in APP fraud detection, but it cannot solve the entire problem alone.

AI can help detect unusual payment amounts, first-time payees, new devices, abnormal session behavior, high-risk recipients, mule-account patterns, suspicious velocity, risky payment corridors, scam-related text patterns, repeated beneficiary exposure, and customer behavior that differs from prior activity.

These signals matter. Real-time models can help banks intervene before money leaves the account. Event-driven systems can also help fraud teams react faster, especially when payments move across channels. For more on that architecture, see EdEconomy’s article on event-driven fraud detection with Kafka and real-time streaming.

But APP fraud also requires interpretation. A fraud analyst may need to ask whether the customer is repeating language supplied by a scammer, whether the payment purpose matches a known scam typology, whether the customer is unusually nervous or evasive, whether the recipient is linked to prior claims, and whether the customer is trying to move money to a safe account, cryptocurrency platform, or unknown investment opportunity.

The Federal Reserve’s ScamClassifier model is useful here because it helps the payments industry classify, report, analyze, and identify scams in a consistent way. Consistent classification matters because APP fraud is not one scam. It is a family of scams with different behaviors, risk signals, and prevention strategies.

AI can prioritize the alert. A human analyst may still be needed to understand the story.

What Banks Can Do About APP Fraud

There is no single solution to APP fraud. Banks need layered controls that combine prevention, detection, friction, education, reimbursement, and post-event intelligence.

1. Improve scam-specific prompts

Generic warnings are often too weak. Instead of asking “Are you sure?” banks should use scenario-specific prompts. Has someone claiming to be from your bank told you to move money to a safe account? Are you sending money to someone you met online? Has anyone asked you to hide the reason for this transfer? Are you being told this payment is urgent or confidential?

Good prompts should be specific enough to interrupt the scam script.

2. Use risk-based friction

Not every payment should be delayed. But high-risk payments may need cooling-off periods, stronger warnings, step-up verification, callback requirements, delayed release, or enhanced review for large first-time payments.

The goal is not to make banking painful. The goal is to slow down the exact moments where criminals depend on speed.

3. Score the recipient, not just the sender

APP fraud often looks legitimate on the sender side. The receiver may be more suspicious. Banks should evaluate account age, inbound payment velocity, outbound cash-out behavior, number of unrelated senders, beneficiary name mismatch, links to previous claims, device and identity signals, and rapid movement to crypto, wires, or other accounts.

4. Strengthen mule-account detection

Mule accounts are the cash-out layer of APP fraud. Strong mule controls may include graph analytics, network scoring, abnormal inbound and outbound ratios, new-account monitoring, rapid balance depletion alerts, device reuse detection, identity-risk scoring, and consortium or network intelligence.
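
The recipient-side signals from steps 3 and 4 (account age, number of senders, pass-through ratio, rapid balance depletion) computed over a small ledger, as an added example rather than any institution's own code. The ledger rows, account names, and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 10, 9, 0)  # constructed reference time


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed ledger: (time, sender, receiver, amount). Account names are made up.
LEDGER = [
    (at(0),   "victim_a",    "acct_mule",       4000.0),
    (at(20),  "acct_mule",   "acct_hop2",       3900.0),
    (at(90),  "victim_b",    "acct_mule",       2500.0),
    (at(100), "acct_mule",   "acct_hop2",       2450.0),
    (at(200), "victim_c",    "acct_mule",       6000.0),
    (at(215), "acct_mule",   "crypto_exchange", 5900.0),
    (at(30),  "employer",    "acct_normal",     3000.0),
    (at(600), "acct_normal", "landlord",        1200.0),
]
OPENED = {"acct_mule": T0 - timedelta(days=5),
          "acct_normal": T0 - timedelta(days=900)}


def recipient_features(account, ledger, opened, as_of,
                       window=timedelta(hours=24),
                       drain_within=timedelta(minutes=60)):
    start = as_of - window
    credits = [(t, s, a) for t, s, r, a in ledger
               if r == account and start <= t <= as_of]
    debits = [(t, a) for t, s, r, a in ledger
              if s == account and start <= t <= as_of]
    total_in = sum(a for _, _, a in credits)
    total_out = sum(a for _, a in debits)
    # A credit counts as drained when any debit follows it within drain_within.
    drained = sum(1 for t, _, _ in credits
                  if any(t < dt <= t + drain_within for dt, _ in debits))
    return {
        "account_age_days": (as_of - opened[account]).days,
        "inbound_count": len(credits),
        "distinct_senders": len({s for _, s, _ in credits}),
        "pass_through": round(total_out / total_in, 2) if total_in else 0.0,
        "drained_credits": drained,
    }


def mule_reasons(f):
    # Constructed thresholds; each reason maps to a signal named in the article.
    reasons = []
    if f["account_age_days"] < 30:
        reasons.append("new_account")
    if f["distinct_senders"] >= 3:
        reasons.append("many_distinct_senders")
    if f["pass_through"] >= 0.9:
        reasons.append("high_pass_through")
    if f["inbound_count"] and f["drained_credits"] == f["inbound_count"]:
        reasons.append("rapid_drain")
    return reasons


if __name__ == "__main__":
    for acct in OPENED:
        feats = recipient_features(acct, LEDGER, OPENED, as_of=at(720))
        print(acct, feats, mule_reasons(feats))
```

The reason list is the kind of output a recipient-risk score can be built from; the sending bank sees none of these features unless the receiving side shares them.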

5. Build better scam-intake workflows

When a customer reports a scam, the bank should capture structured data: scam type, contact channel, platform where the scam started, phone numbers, emails, usernames, URLs, recipient account details, timing of payments, customer narrative, whether the customer was coached, whether remote access tools were involved, and whether cryptocurrency was used.

This data can improve future detection and support faster recovery attempts.

6. Connect fraud operations to education

Customer education works best when it is specific. Banks should explain common scripts: safe-account scams, fake bank fraud department calls, fake investment platforms, romance-to-investment scams, fake marketplace sellers, fake invoice changes, family emergency scams, and fake tech support scams.

The more specific the warning, the more likely the customer recognizes the pattern.

7. Share intelligence across sectors

Banks cannot solve APP fraud alone. Many scams begin on online platforms, social media, messaging apps, telecom networks, fake websites, or email infrastructure. The payment is often the final step.

Stronger prevention requires collaboration among banks, payment networks, fintechs, telecom providers, social media platforms, domain registrars, law enforcement, regulators, and consumer-protection agencies. The fraud chain is cross-sector. The response needs to be cross-sector too.

What Consumers and Families Can Do

APP fraud prevention is not only a bank issue. Families also need simple verification habits.

  • Create a family code word for emergencies.
  • Use a callback rule with a known number, not the number supplied by the caller.
  • Never move money during a phone call with someone creating urgency.
  • Use a two-person confirmation rule for large transfers.
  • Wait before sending money to a new person, investment, or business.
  • Never lie to the bank about the payment purpose.
  • Check official websites directly instead of clicking links.
  • Have a plan for elderly parents, deployed family members, or relatives under emotional pressure.

The best rule is simple: if someone creates urgency around moving money, slow the payment down.

The Future of Authorized Push Payment Fraud Prevention

Authorized push payment fraud is forcing banks to rethink what authorized means in a digital payment environment.

The customer may be real. The login may be real. The device may be real. The transfer may be approved. But the customer’s decision may have been manufactured.

That is the future fraud problem. Banks cannot rely only on identity, device, and authentication signals. They also need to understand payment intent, recipient risk, behavioral pressure, scam typology, and cross-bank mule activity.

This does not mean banks should block every unusual payment. It means fraud prevention must become more context-aware.

The future of APP fraud defense will likely include real-time transaction analytics, AI-assisted scam detection, recipient-risk intelligence, confirmation of payee, mule-network detection, scam-specific payment journeys, better customer prompts, faster claims intake, stronger reimbursement processes, cross-sector intelligence sharing, and human-in-the-loop escalation.

The hardest fraud to stop is no longer always the transaction the customer denies. Increasingly, it is the transaction the customer approved because a scammer controlled the story.

APP fraud changes the central question for banking risk. The old question was: did the customer authorize the payment? The new question is: did the customer authorize the payment freely, or was that decision engineered by a scammer?

Banks that can answer that second question will be better prepared for the next era of payment fraud.
