Sarah thought she was protecting her money when she received an urgent call from her "bank's fraud department" warning her about suspicious transactions. The caller knew her name, her bank, even recent purchases she'd made. Panicked, she followed their instructions to "secure" her account by transferring her funds to a "safe account." Within hours, £15,000 had disappeared forever.
Sarah isn't alone. She's one of millions of victims caught in the web of Authorized Push Payment (APP) fraud, a sophisticated criminal enterprise that has become the fastest-growing financial crime in the digital age, alongside the likes of Browser Fingerprinting and Spoofing. Unlike traditional fraud where criminals steal your card details, APP fraud is far more insidious. It tricks you into willingly handing over your money to criminals who have mastered the art of psychological manipulation.
What is Push Payment?
A push payment is a transaction initiated and authorized by the payer, who actively sends funds to the recipient. Unlike pull payments, where the payee requests the money, push payments give control to the sender. Common examples include bank transfers, wire transfers, and digital wallet transactions via Apple Pay or Google Pay.
What is Authorised Push Payment Fraud?
Authorized Push Payment (APP) fraud is a type of financial crime in which criminals deceive victims into voluntarily transferring money from their own accounts to accounts controlled by fraudsters. The key distinction of APP fraud lies in the word "authorized." Unlike traditional fraud, where criminals steal card details or hack accounts, victims themselves initiate and approve these transactions through legitimate banking channels.
Fraudsters achieve this by impersonating trusted entities such as banks, government agencies, utility companies, or investment firms, creating elaborate deceptions that convince victims they are making legitimate payments or protecting their money from genuine threats.
The mechanics of APP fraud rely heavily on social engineering and psychological manipulation rather than technical hacking. Criminals contact victims through phone calls, text messages, emails, or even fake websites, presenting urgent scenarios that require immediate action.
Common tactics include fake bank security warnings about suspicious account activity, investment opportunities with guaranteed returns, romance scams where criminals build emotional relationships over time, or purchase frauds involving non-existent goods or services. The fraudsters often possess enough personal information about their targets, obtained through data breaches, social media, or previous scams, to make their impersonation highly convincing and credible.
APP Fraud Examples
These scams take many forms, often relying on social engineering and urgency. Let’s look at some common examples to understand how APP fraud plays out in the real world:
- Bank Impersonation Fraud
A victim receives an urgent phone call from someone claiming to be from their bank's fraud department. The "bank representative" warns that suspicious activity has been detected on the account and that fraudsters are attempting to steal money. They explain that to protect the funds, the victim needs to immediately transfer money to a "secure account" that the bank has set up.
The victim, believing they're protecting their money, transfers thousands of pounds to what they think is a safe account. In reality, they've sent their money directly to the fraudster's account. The real bank never called; criminals obtained the victim's information through data breaches or previous scams.
- Investment Fraud
Victims are contacted through social media, dating apps, or professional networking sites by someone offering exclusive investment opportunities in cryptocurrency, forex trading, or other high-return schemes. The fraudster builds trust over weeks or months, often sharing fake screenshots of successful trades and testimonials from other "investors." They pressure victims to start with small investments that show impressive returns on fake platforms, encouraging larger investments.
Victims transfer increasingly large sums, believing they're building wealth. When they try to withdraw their "profits," they're told they need to pay taxes, fees, or penalties first. Eventually, the fake platform disappears, and all money is lost.
- Romance Fraud
Criminals create fake profiles on dating websites or social media platforms, often using stolen photos of attractive people. They target lonely individuals seeking companionship. Over months, the fraudster builds an emotional relationship with the victim, sharing personal stories, expressing love, and making future plans.
Eventually, they create an emergency situation (they're stuck abroad, need medical treatment, or have a family crisis) and desperately need money. Victims, emotionally invested in the relationship, send money to help their "partner." The requests continue with increasingly elaborate stories until the victim realizes they've been deceived.
Technology to Detect and Stop APP Fraud
With losses exceeding billions globally and sophisticated social engineering tactics evolving rapidly, traditional security measures fall short. The solution lies in advanced detection technologies that can identify fraudulent behavior patterns before victims complete transactions:
- Real-Time Behavioral Analytics
It forms the backbone of modern APP fraud detection. Machine learning algorithms analyze user behavior patterns in real time, flagging unusual activities such as rushed transactions, atypical payment amounts, or deviations from historical spending patterns. These systems learn from millions of transactions to identify subtle behavioral indicators that suggest manipulation or coercion.
- Advanced Device Intelligence
This goes beyond traditional device fingerprinting to detect sophisticated spoofing attempts. Modern solutions analyze over 500 unique device attributes, including hardware configurations, browser characteristics, and environmental factors that are difficult to replicate. This technology can identify when fraudsters attempt to masquerade as legitimate users through device manipulation.
- Natural Language Processing (NLP)
NLP monitors communication channels for fraud indicators. By analyzing text messages, emails, and even voice patterns during phone-based transactions, NLP systems can detect social engineering attempts, urgency tactics, and impersonation schemes commonly used in APP fraud.
- Multi-Layered Risk Scoring
It combines multiple data points to create comprehensive risk assessments. These systems evaluate transaction context, user behavior, device characteristics, and external threat intelligence to generate real-time risk scores that enable intelligent intervention decisions.
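A minimal sketch of the multi-layered risk scoring described above, as an added example that is not from the original article or from any vendor's product. The signal names, weights, thresholds and sample payments are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Payment:
    amount: float
    payee_known: bool          # payee already in the customer's history
    seconds_in_session: float  # time from login to submitting the payment
    device_known: bool         # device previously seen for this customer
    payee_reported: bool       # payee account flagged by external threat intel

# Assumed weights; a production system would learn these from labelled data.
WEIGHTS = {"amount": 0.30, "new_payee": 0.20, "rushed": 0.15,
           "new_device": 0.15, "reported_payee": 0.20}

def amount_anomaly(amount, history):
    """Deviation from historical spending, 0 (typical) to 1 (extreme)."""
    if not history:
        return 1.0  # no baseline: treat as fully anomalous
    med = median(history)
    # Median absolute deviation resists being skewed by one past large payment.
    mad = median(abs(x - med) for x in history) or 1.0
    z = (amount - med) / (1.4826 * mad)
    return max(0.0, min(z / 10.0, 1.0))  # saturate at 10 robust deviations

def risk_score(p, history, typical_session_s=120.0):
    """Combine behavior, device and threat-intel signals into one score."""
    signals = {
        "amount": amount_anomaly(p.amount, history),
        "new_payee": 0.0 if p.payee_known else 1.0,
        "rushed": max(0.0, 1.0 - p.seconds_in_session / typical_session_s),
        "new_device": 0.0 if p.device_known else 1.0,
        "reported_payee": 1.0 if p.payee_reported else 0.0,
    }
    return sum(WEIGHTS[k] * v for k, v in signals.items()), signals

def decide(score):
    """Map the score to an intervention (assumed thresholds)."""
    if score >= 0.7:
        return "hold_for_review"
    if score >= 0.4:
        return "warn_and_confirm"
    return "allow"

# Constructed sample data: past payment amounts and two new payments.
HISTORY = [42.0, 18.5, 60.0, 35.0, 120.0, 25.0, 48.0]
ROUTINE = Payment(45.0, True, 180.0, True, False)
SAFE_ACCOUNT = Payment(15000.0, False, 30.0, True, False)
```

The per-signal dictionary returned alongside the score lets an analyst see which layer drove a hold, which matters when the customer disputes the intervention.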
How to Avoid Authorised Push Payment (APP) Fraud
The good news? Most APP fraud can be prevented by recognizing warning signs and following key protective measures. Recognizing the red flags is key:
- Urgency and Pressure Tactics
These are the most common warning signs. Legitimate organizations rarely demand immediate action or threaten severe consequences for delays. Be suspicious of phrases like "act now," "your account will be closed," or "transfer money immediately to secure your funds."
- Unexpected Contact
Always a reason for alarm. If someone claims to be from your bank, government agency, or law enforcement and contacts you unexpectedly about suspicious activity or required payments, hang up and call the official number directly.
- Requests to Move Money "For Safety"
Classic APP fraud tactic. No legitimate bank or government agency will ever ask you to transfer money to a "safe account" or to help with an investigation. These are always scams.
Romance and investment opportunities that seem too good to be true usually are. Online relationships that quickly turn to financial requests, or investment schemes promising guaranteed high returns, are common APP fraud methods.
How do government agencies react to APP Fraud?
Government agencies worldwide are taking increasingly aggressive action against Authorized Push Payment (APP) fraud, implementing comprehensive regulatory frameworks that shift liability, mandate reimbursements, and enhance prevention measures. Here's how key jurisdictions are responding:
- India's Regulatory Response
The Reserve Bank of India (RBI) released a comprehensive circular on January 17, 2025, laying down regulatory prescriptions and institutional safeguards applicable to all regulated entities, including commercial banks and financial institutions.
In July 2024, the RBI issued revised Fraud Risk Management Directions that mandate banks to adopt Board-approved fraud risk management policies, with roles and responsibilities clearly defined for boards of directors.
Banks must now review their fraud prevention policies at least once every three years, with detailed roles and responsibilities outlined for board oversight. The RBI has established strict classification and reporting requirements for fraud incidents, emphasizing the principles of natural justice before classifying cases as fraudulent.
- United Kingdom Empowering Victims
Starting October 7, 2024, UK payment service providers must reimburse victims of APP fraud, with new regulations by the Payment Systems Regulator resulting in £267.1 million being reimbursed to victims by banks in 2024. Payment service providers must share liability equally with other involved parties, with full reimbursement capabilities now a core regulatory requirement.
The UK's aggressive approach is showing results, with APP fraud losses dropping by 2% to £450.7 million in 2024, and the number of APP fraud cases falling by 20% to under 186,000 – the lowest level in recent years.
- Singapore's Responsibility Framework
Singapore implemented its Shared Responsibility Framework on December 16, 2024, allocating duties and liabilities among financial institutions, telecommunications companies, and consumers to combat phishing scams.
Singapore's framework assigns specific roles to banks and telecoms in cases of phishing scams with direct Singaporean connections, though gaps remain in covering broader transaction types.
- Australia's Emerging Framework
In September 2024, the Australian government introduced the Scam Prevention Framework (SPF) for public consultation, reflecting the country's unique priorities and challenges. The Commonwealth Fraud and Corruption Control Framework came into effect on July 1, 2024, supporting Australian Government entities in effectively managing fraud and corruption risks.
Key Regulatory Trends
As losses continue to mount, regulators are no longer treating this as just a consumer awareness issue; they’re reshaping the legal and compliance landscape. From mandatory reimbursement rules to stricter liability frameworks and AI-driven compliance expectations, regulators are pushing institutions to take more responsibility for both prevention and redress:
- Liability Shifting
Governments are increasingly placing responsibility on financial institutions and service providers rather than victims, fundamentally changing the economic incentives for fraud prevention.
- Cross-Industry Collaboration
Regulators are mandating cooperation between banks, telecommunications companies, and technology platforms to create comprehensive defense ecosystems.
- Mandatory Reimbursement
The UK's model of mandatory victim reimbursement is being studied globally, with other jurisdictions considering similar approaches.
- Real-Time Intervention
New regulations allow payment service providers to delay outbound payment transactions by up to four business days to enable fraud detection and prevention.
About The Author

Amit Chahal, co-founder and Data Science head at Sign3, brings over a decade of experience in machine learning and financial fraud solutions, transforming how businesses safeguard against risks.
