Guide

Authorized Push Payment (APP) Scam

As real-time payments become more popular, authorized push payment fraud becomes more pervasive. Here’s what you need to know about APP scams.


What are push payments?

Push payments refer to any situation in which a payer initiates a transaction and sends or “pushes” money to a payee. By comparison, most traditional payment types require the payee to initiate the transaction by requesting or “pulling” money from the payer. Cash payments are perhaps the most straightforward example of push payments, but other common examples include direct deposits, bank transfers, wire transfers, digital wallet payments and other alternative payment methods.

Why are push payments popular with consumers?
  • Extra security: Payers do not have to share their personal information or account credentials with payees
  • Control of the timing: Payers can only make a payment when they have sufficient funds in their accounts
  • Faster than pull payments: Preauthorization allows for more rapid payments reconciliation

What is authorized push payment fraud?

Authorized push payment fraud, or APP fraud, happens when a fraudster convinces a payer to authorize a payment under false pretenses. It is a form of confidence-based fraud and includes scams that attack the human element in the payments chain.

According to ACI Worldwide’s Scamscope Fraud Report, losses to APP scams are expected to reach a compound annual growth rate (CAGR) of 11% from 2022 to 2027, reaching a total of USD $6.8 billion.

It’s important to note that “APP fraud” is a U.K.-specific classification; other global regions may use different terminology to classify this type of fraud. The Federal Reserve recently launched the Fraud Classifier Model, an online tool to help U.S. consumers classify fraud independent of payment type.

What are common examples of APP scams?

APP fraud can take many forms; some of the most common APP scams include:

Purchase Scams

A purchase scam occurs when a consumer believes they are making a legitimate payment for goods and services, when in reality, the product does not exist. Purchase scams typically take place online or through social media platforms, with scammers offering deals that are too good to be true. After making a payment, usually through a direct bank transfer to what seems like a trustworthy seller, the consumer never receives the product as promised.

Investment Scams

In an investment scam, fraudsters target potential investors with opportunities that offer high returns for seemingly low risk. These scams often involve elaborate setups, including professional-looking websites and persuasive sales pitches, to convince individuals to invest in stocks, property, rare commodities or other speculative ventures. The investments are either nonexistent or worthless, and the money transferred to the scammer is lost. 

Advanced Fee Scams

Advanced fee scams involve convincing the victim to pay upfront fees with the promise of receiving something of greater value in return, such as a loan, contract, prize money or a high-paying job. The scammer insists that paying these fees is necessary to unlock the supposed larger payment; however, once the fees are paid, the promised money or offer never materializes, and the scammer disappears. 

Romance Scams

In a romance scam, a fraudster creates a fake identity — typically on a dating app or website — and enters into a romantic relationship with a victim. The scammer builds trust and emotional commitment over time, eventually asking the victim for money, often for emergencies, medical expenses or travel costs purportedly to visit the victim. Romance scams are especially insidious because, compared to other forms of APP fraud, they prey on the emotional vulnerability of individuals seeking companionship.

Invoice & Mandate Scams

This type of APP fraud targets businesses by impersonating legitimate suppliers or contractors. The fraudster sends a fake invoice that closely resembles one from a genuine supplier, often with new payment details, leading a business to pay the fraudster instead of the actual entity. Alternatively, the scam may involve altering payment mandates directly within the victim’s bank. 

CEO Scams

A CEO scam, also known as a business email compromise, involves impersonating a high-ranking executive or trusted manager within a company to authorize fraudulent wire transfers to a bank account controlled by the scammer. Typically, an employee responsible for managing wire transfers is tricked into sending the money under the guise of a confidential or urgent business matter. 

Impersonation Scams

With an impersonation scam, a fraudster poses as a trusted figure, such as a police officer, bank official or government representative, and demands payments or sensitive financial information under false pretenses. The scammer often creates a sense of urgency and uses intimidation tactics to coerce the victim into making quick decisions, leading to unauthorized access of funds or financial information.

How do real-time payments increase the risk of APP scams?

Push payments offer rapid settlement and reconciliation for faster payment services and real-time payment systems, which means they are irrevocable and irreversible. While this doesn’t make real-time payments inherently riskier than traditional payments, it does make them an attractive target for scammers.

What is the impact of APP fraud?

APP scams skyrocketed during the pandemic, making them the top cause of financial loss due to crime. New techniques included posing as a government official requesting payments for COVID-19 vaccines, romance scams on dating platforms and impersonating delivery companies to exploit the rise in online shopping.

According to the Scamscope Fraud Report, the U.K. saw USD $587.2M in losses to APP fraud in 2022, and is predicted to see USD $934.7M in losses for 2027 — a 10% CAGR.

Finextra also reports that banks paid £207 million of the £479 million cost of APP fraud in 2020, amounting to 43%. These figures paint a troubling picture about the very real threat APP scams pose to banks and individuals alike.

Beyond the financial cost, APP fraud presents a serious threat to banks’ reputations. If a scammer were to repeatedly pose as a particular institution, it could lead customers to associate that bank’s brand with fraudulent practices, causing reputational damage. This poses a direct threat to banks’ ability to remain top of wallet, which is especially concerning for U.S. banks, which earn substantial revenue from interchange fees. It is in banks’ best interest to educate their customers about APP fraud, warn them of any potential scams and invest in comprehensive fraud management solutions.

How have government institutions responded to APP fraud?

In June 2023, the Payment Systems Regulator (PSR) — a UK-based statutory body and economic regulatory agency — introduced a landmark rule mandating reimbursement for victims of APP scams. This rule shifts some of the financial burden from consumers to banks, prompting financial institutions to implement more robust security measures against APP fraud, including enhanced security systems and consumer education programs, while splitting the liability to repay the victim 50-50 between the sending and receiving bank.

With this rule in place, receiving banks find themselves responsible for fraudulent transactions for perhaps the first time. This change requires them to develop new strategies for detecting anomalies in both incoming and outgoing transactions, as well as scrutinize who is removing money from their customers’ accounts — new territory for most fraud analysts. 

In addition to the PSR’s rule, the Financial Conduct Authority (FCA) recently amended the Payment Services Regulations 2017, enabling payment service providers (PSPs) to delay the execution of outbound payment transactions made through the Faster Payment Service by up to four business days if they have sufficient grounds to suspect fraud. 

Prior to this amendment, PSPs were required to process and finalize these transactions within one business day of receiving an outbound payment order. By extending this period to four days, investigators have more time to look into suspected transactions, enabling PSPs to prevent fraudulent activity and protect consumers.

These rules will force both sending and receiving banks to find a way to share fraud intelligence and account reputation analytics in real time — another first in fraud prevention history.

Why are governments creating new regulatory frameworks to address APP fraud?

With the rise of real-time payments, it has become clear that fraudsters and criminals are taking advantage of the ever-present ‘human’ element in the authentication chain. The challenges that this presents require a helping hand in the form of regulation to force an additional focus on transaction monitoring, specifically around incoming payments.

Until we are in a position to share responsibility equally among the other actors that enable scams to flourish (such as social media platforms, internet service providers and telcos), splitting liability across the sending and receiving banks forces that new focus — necessitating real-time decision-making for both inbound and outbound payments. 

Looking ahead, ongoing discussions in Parliament are engaging those other stakeholders, including social media platforms, internet service providers and telecommunications companies, in the fight against APP fraud. The goal is to establish a united front to stop this type of fraud at its place of origin, rather than rely solely on banks as the last line of defense.

What is a bank’s liability with APP fraud?

A bank’s liability for APP fraud depends entirely on the market in which it operates:

U.K.

  • In accordance with the PSR’s mandatory reimbursement requirement, 100% of APP fraud liability lies with banks — 50% with the sending bank and 50% with the receiving bank for each case.

United States

  • Liability for APP fraud primarily lies with victims unless they can prove that their accounts were hacked or otherwise compromised.

India

  • Whether banks or individuals are liable for APP fraud is unclear. Victims are usually regarded as liable the first time they are scammed, with the understanding that the bank will implement strong security measures thereafter, such as text messaging the customer to confirm the authenticity of the transaction. Should these measures fail, banks tend to be held at least partially liable. 

How can banks protect themselves against APP fraud?

There are a wide variety of measures banks can take to mitigate the risk of APP fraud; some of the most impactful include:

  • Monitoring inbound and outbound transactions using Anti-Money Laundering and Know Your Customer processes to identify and disrupt possible mule accounts
  • Enhancing existing fraud management platforms with biometrics and behavioral profiling
  • Building world-class machine learning algorithms to support risk-based authentication
  • Engaging in real-time intelligence sharing and collaboration with other banks to monitor fraudulent activity across accounts
  • Leveraging intelligence from social media platforms to make APP fraud and other scams that originate through these platforms harder to execute
  • Integrating two-way customer communication and customer education campaigns using automated messaging tools
  • Empowering users to detect and decline scam merchants in real time — without creating an additional workflow for your fraud operations team — using scam alerts automation
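
To make the first measure concrete for a receiving bank, the sketch below flags accounts that collect credits from several distinct payers and push most of the money out again within a short window, a common mule-account pattern. It is an added example, not ACI Worldwide's code; the record layout, account names, 24-hour window and thresholds are assumptions, and the ledger is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (time, account, direction, counterparty, amount)
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE = [
    (T0, "ACC-A", "in", "payer-1", 900.0),
    (T0 + timedelta(hours=1), "ACC-A", "in", "payer-2", 1200.0),
    (T0 + timedelta(hours=2), "ACC-A", "in", "payer-3", 750.0),
    (T0 + timedelta(hours=3), "ACC-A", "out", "ext-9", 2800.0),
    (T0, "ACC-B", "in", "employer", 2500.0),           # salary, spent slowly
    (T0 + timedelta(days=2), "ACC-B", "out", "landlord", 1000.0),
    (T0, "ACC-C", "in", "payer-4", 500.0),             # one payer, fast pass-through
    (T0 + timedelta(hours=1), "ACC-C", "out", "ext-9", 500.0),
]

def flag_possible_mules(txns, window=timedelta(hours=24),
                        min_payers=3, min_passthrough=0.9):
    """Return {account: evidence} for accounts that, inside one window, receive
    credits from several distinct payers and send most of the total straight out.
    Thresholds are illustrative assumptions, not regulatory values."""
    by_account = defaultdict(list)
    for row in sorted(txns, key=lambda r: r[0]):
        by_account[row[1]].append(row)
    flagged = {}
    for account, rows in by_account.items():
        for start, _, direction, _, _ in rows:
            if direction != "in":
                continue  # each window opens on an inbound credit
            in_window = [r for r in rows if start <= r[0] < start + window]
            credits = [r for r in in_window if r[2] == "in"]
            debits = [r for r in in_window if r[2] == "out"]
            total_in = sum(r[4] for r in credits)
            total_out = sum(r[4] for r in debits)
            payers = {r[3] for r in credits}
            if len(payers) >= min_payers and total_out >= min_passthrough * total_in:
                flagged[account] = {"payers": len(payers), "in": total_in,
                                    "out": total_out,
                                    "passthrough": round(total_out / total_in, 2)}
                break  # one hit is enough to queue the account for review
    return flagged

if __name__ == "__main__":
    print(flag_possible_mules(SAMPLE))
```

A hit is a reason to review the account, not proof of fraud; lowering `min_payers` to 1 also surfaces single-payer pass-through accounts such as ACC-C, at the cost of more false positives.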

What are banks doing to protect consumers from APP scams?

Statutory bodies and regulatory agencies such as the PSR have made a concerted effort to protect consumers against APP fraud. The mandatory reimbursement rule is the latest such example; it was preceded by the Contingent Reimbursement Model (CRM) Code, a set of expectations for detecting and responding to APP scams, enforced by the APP Scams Steering Group.

Beyond adhering to the expectations set forth by the mandatory reimbursement requirement and the CRM Code, other ways banks should protect their customers include:

  • Educating consumers on how to spot scams, particularly through social media platforms
  • Monitoring transactions and leveraging advanced technology to identify anomalous activity and proactively warn consumers of potential fraud
  • Working closely with other banks to share intelligence and identify risky transactions in real time
  • Taking full advantage of new regulatory allowances for extended investigation times on suspicious transactions and engaging directly with potential victims to authenticate transactions

How does ACI Worldwide help banks prevent APP fraud?

ACI Worldwide delivers a wide variety of fraud management solutions for banks that leverage real-time monitoring, adaptive machine learning algorithms, behavioral biometrics and network intelligence to create a multilayered fraud prevention strategy. We also offer fully managed, automated, AI-driven fraud scoring services to help organizations increase fraud detection rates, reduce false positive rates and substantially reduce fraud losses.

Contact us today to speak to a specialist about ACI’s anti-fraud solutions and services.
