The global fight against APP fraud

As global volumes around online payments have risen over the past few years, crimes related to payment fraud have increased exponentially. A large percentage of these frauds fall into the authorised push payment (APP) category, where individuals are persuaded to authorise a payment under false pretences.

APP fraud ranges from tricking a person into clicking on a malicious link on a website, to sending fake invoices, to relationship and romance scams, with scammers employing social engineering techniques to deceive consumers or businesses into making payment transfers.

According to Nicola Harding, consultant and expert in fraud and financial crime prevention, APP fraud rates are much higher than most people think, “particularly [people] outside of the industry”.

Itʼs a view shared by Kjeld Herreman, founding partner at Paylume, a Brussels-based consultancy specialised in payments and fraud prevention. He believes not many people are “aware that if APP fraud were a company, it would likely be listed on the Euronext 100”.

Meanwhile, the prevalence of real-time payments initiatives has added to concerns about the impact and scale of APP fraud, since the use of instant payments, and even crypto exchanges, can mean the funds are irretrievable.

UK schemes

The UK is among the countries to have introduced reimbursement schemes for individuals who are victims of APP fraud, coinciding with an increase in public information campaigns.

According to data from industry body UK Finance, UK consumers lost £459.7 million to APP fraud across more than 232,000 cases in 2023 — though this was down on the previous yearʼs £485 million. Over the past four years, losses have reached almost £2 billion, and APP fraud now accounts for about 40% of all payment fraud, which itself is the most reported type of crime in the UK, Harding says.

In the banking sector, some institutions lost more than £200 for every £1 million of Faster Payments transactions. Smaller payment firms, which collectively handle just 17% of transactions, were linked to 38% of APP fraud losses.

“[The fall in losses] is likely linked to banks and payment firms tightening controls and ramping up warnings in the run up to the new Payment Systems Regulator (PSR) rules that came into force in October 2024,” said Harding. “Those rules make reimbursement mandatory in most cases. It’s a sign that APP fraud is not untouchable, and that interventions are starting to bite.”

Mitch Trehan, chief compliance officer at Allica Bank, says that before the UK imposed reimbursement regulation, some in the industry felt the change would make little difference, because it would not affect the criminal.

“What has happened in practice is that financial institutions have implemented additional controls to warn potential victims, and this in turn is leading to a reduction in APP fraud. It appears people are now being more cautious,” he added.

Since October 7, 2024, the PSR has required banks to reimburse consumers who are victims of APP fraud: 50% by banks sending funds and 50% by banks receiving funds to a maximum limit of £85,000. The UKʼs 50/50 reimbursement model is unique, but it is not the only country taking action against payment fraud.

According to a PSR spokesperson, an overall lower volume of APP scam claims were made after October 7. However, there has been an increase in reimbursements between the last quarter of 2024 and the first quarter of 2025. 

“In the first six months of the PSR policy being in place, we have seen around 109,000 claims reported by consumers, and 77,000 of those were in scope for reimbursement under our policy; 87% of the money lost to APP scams was returned to victims, totalling £66 million. UK Finance reported a 68% reimbursement rate in 2023,” the spokesperson said.

US ecosystem

The United States, whose instant payment capabilities are less mature than other regions, reported over $16 billion in losses due to internet-enabled crimes, which includes APP fraud, according to the FBI’s 2024 Internet Crime Report. Just in the second quarter of 2025, the Federal Trade Commission (FTC) reported that payment methods connected to cryptocurrency and bank transfer and payment resulted in the highest number of reported losses to fraud, with over $467 million and $609 million, respectively.

According to Cheryl Gurz, vice president of product management for real-time payments (RTP) at The Clearing House (TCH), a banking association and payments company, one of the more persistent “urban myths” is the worry that “faster payments means faster fraud”.

“When I hear: ‘faster payments, faster fraud’, Iʼm like: stop. What do you mean? Explain it to me,” said Gurz. “Most of it’s being said by banks and people that have never sent a real-time payment.”

She explains the US is made up of a broad ecosystem ranging from large, global banks to smaller community banks, with over 9,000 financial institutions. Because fraud is in the news, smaller banks now have a heightened level of concern regarding various types of payment fraud. They often don’t run centralised compliance and fraud departments and instead rely on third-party vendors. This concern is compounded by the recent rollout of instant payments in the US over the past few years, which makes a payment irreversible once initiated.

Gurz argues that banks in the US are required to focus on risk and compliance, and fraud prevention is part of that focus. “Everyone says a message must go out in 15 seconds, round-trip,” she says. However, that “15 seconds” doesn’t start until the bank completes all the necessary fraud validations and makes the determination to release it.

“That could take hours, it could take days. It’s when your bank is done its due diligence. They know their customers, do their multi-factor authentication, and they have many fraud analytic tools.”

More than 80% of the payments on the TCH network originate from business accounts, while 7% of accounts are consumer and 13% from bank-developed online payments service Zelle.

Fraud fears and regulation

Fears tied to APP fraud on platforms such as Zelle have drawn regulatory attention in the US. Volante’s 2025 Faster Payments Barometer survey found 78% of all surveyed organisations planned to begin their implementations with receive-only capabilities, whereas just 22% intended to launch complete send-and-receive services.

However, according to the 2025 Association of Financial Professionals Payments Fraud and Control Survey, current fraud rates on faster payment rails are significantly lower than for traditional payment systems. Real-time transactions face less fraud than cheques, wires or automated clearing houses. The report revealed that 63% of firms report paper cheque fraud, while fraud related to RTP on the US service FedNow was only 2%.

According to Volante’s survey, 35% of respondents said account takeover fraud ranks as the top worry regarding instant payments, followed closely by APP fraud, at 30%. Other risks, including synthetic identity and invoice fraud, carry more moderate urgency (10% to 15%). Meanwhile, so-called money mule activity — when fraudsters use individuals to transfer stolen funds — occupies a lower but still significant tier of concern, at less than 5%.

Looking at APP fraud, the US lacks federal or state laws mandating reimbursement for victims, as outlined in the 2025 Vixio Payments Compliance Outlook report. While the Electronic Fund Transfer Act covers unauthorised transactions, it does not protect consumers tricked into approving payments. There is a bill in Congress, the Protecting Consumers from Payment Scams Act, which would require reimbursement. However, the current Congress is not expected to pass the bill into law.

Earlier this year, the Consumer Financial Protection Bureau (CFPB) examined digital payment platforms, fining the parent company of online money transfer platform Cash App $175 million for weak fraud prevention. Some US states have started allowing payment service providers (PSPs) to delay suspicious transactions, with a focus on protecting elderly and vulnerable consumers.

Europe addresses APP

In the EU, the third iteration of the Payment Services Directive (PSD3), the first Payment Services Regulation (PSR1), and the Instant Payments Regulation (IPR) all address APP fraud.

These will require verification of payee (VoP) across member states, with compliance deadlines in 2025 and 2027. The proposed PSR is expected to introduce liability for APP fraud, requiring PSPs to issue refunds unless consumer negligence is proven. They must also implement transaction monitoring, share fraud-related data, and educate consumers.

The final PSR text is still under negotiation, with potential changes to fraud liability rules.

Paylumeʼs Herreman reports that, according to the Financial Action Task Force (FATF), fraud is now the dominant type of proceeds-generating crime globally.

“With strong customer authentication having become the norm in Europe, a significant portion of fraud is achieved through manipulation of the payer,” he added. Measures to combat APP fraud often shift liability from the victim to the payment service providers, which can create a “moral hazard” because “the efficacy of the approach is often questioned”. However, the introduction of VoP, “especially in combating invoice fraud”, shows promise.

Regional initiatives

Australia experienced more than $1.8 billion in APP losses in 2023. In July 2025, Australian banks launched the scam-fighting confirmation of payee (CoP) technology, which enables names to be matched to accounts and prevents customers from being tricked into sending funds to fraudsters. Forming part of the Scam-Safe Accord — a joint initiative between the Australian Banking Association (ABA) and the Customer Owned Banking Association (COBA) — banks have invested $100 million into this new technology. 

Meanwhile, the Monetary Authority of Singapore (MAS) and the city-stateʼs Infocomm Media Development Authority (IMDA) implemented the shared responsibility framework (SRF) in relation to phishing scams on December 16, 2024. The SRF allocates responsibility between financial institutions, telecommunications companies and consumers, with compensation for losses where a party has breached its duties.

According to fraud expert Harding, the fight against APP fraud includes banks, regulators and other cross-sector bodies such as tech platforms and telecoms. Banks are using warning screens, behavioural analytics, and name-matching checks, for instance, she says — but while “these do stop some scams, especially the first-time ones, fraudsters adapt quickly, often coaching victims to ignore the warnings”.

Regulators in the UK have “gone further than anywhere else”, adds Harding. However, it does shift the cost of fraud on to the industry, and “it did receive criticism at the time for being too heavy-handed and lacking in overall guidance around how financial institutions should tackle APP fraud”.

While the UK is ahead globally in tackling APP fraud, losses are still high because the vulnerabilities remain: faster payments, fragmented responsibility and the psychology of social engineering. “The best results come when fraud is treated as an ecosystem problem, not just a banking issue. Until prevention catches up with the ingenuity of criminals, APP fraud will stay higher than most people imagine,” Harding added.