Rise of authorized push payment (APP) fraud — what controls are working?
APP fraud has exploded in our customer base over the past 12 months. Social engineering attacks are becoming incredibly sophisticated — deepfake voice calls, AI-generated phishing emails, and impersonation of trusted authorities.
Our current controls (confirmation of payee, payment delay for first-time recipients) aren't enough. The fraud is happening with the customer's active participation, which makes traditional detection difficult.
What additional controls or detection methods are you finding effective against APP fraud?
APP fraud is the hardest fraud type to prevent because the customer genuinely authorizes the payment. Here's what's working for us:
- Behavioral biometrics — Monitoring how the customer interacts with the banking app during payment initiation. Fraud victims often exhibit different behavioral patterns (longer hesitation, unusual navigation, session sharing indicators).
- Real-time intervention — When our system flags a suspicious payment, we trigger an in-app warning with specific scam scenarios. "Are you being asked to move money to a 'safe account'?" is surprisingly effective.
- Beneficiary intelligence — We subscribe to a shared fraud intelligence network. If the receiving account has been reported by other banks, we block or delay the payment.
- Customer education — Persistent and repetitive messaging about scam tactics. We run simulated scam awareness tests similar to phishing simulations.
None of these is a silver bullet, but layered together they've reduced our APP fraud losses by about 35%.
The UK's Contingent Reimbursement Model (CRM) Code and the upcoming PSR mandatory reimbursement requirement are also driving innovation here. When banks have to reimburse victims, the financial incentive to invest in prevention becomes much stronger.
We've also started using payment velocity checks specifically for new payees — limiting the total amount a customer can send to a never-before-used account within the first 24 hours. Customers complain occasionally, but fraud losses from that vector dropped significantly.
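Added example, not part of the reply above or any poster's system: a minimal sketch of the new-payee velocity check it describes, capping the cumulative amount sent to a never-before-used payee in the first 24 hours. The class name, the cap value and the sample payments are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # from the post: first 24 hours of a new payee
CAP_PENCE = 200_000           # assumed cap (GBP 2,000); the post gives no figure


class NewPayeeLimiter:
    """Caps the total a customer can send to a new payee inside WINDOW."""

    def __init__(self, window=WINDOW, cap=CAP_PENCE):
        self.window, self.cap = window, cap
        self.first_paid = {}  # (customer, payee) -> time of first accepted payment
        self.sent = {}        # (customer, payee) -> pence accepted inside the window

    def check(self, customer, payee, pence, when):
        key = (customer, payee)
        first = self.first_paid.get(key)
        if first is not None and when - first >= self.window:
            return "ALLOW"    # payee is established; the cap no longer applies
        total = self.sent.get(key, 0) + pence
        if total > self.cap:
            return "HOLD"     # held payments do not count towards the total
        self.first_paid.setdefault(key, when)
        self.sent[key] = total
        return "ALLOW"


def run_constructed_day():
    """Replays constructed payments and returns the decision for each."""
    t0 = datetime(2024, 1, 1, 9, 0)
    payments = [
        ("cust-a", "payee-x", 150_000, t0),
        ("cust-a", "payee-x", 60_000, t0 + timedelta(hours=2)),
        ("cust-a", "payee-x", 40_000, t0 + timedelta(hours=3)),
        ("cust-a", "payee-x", 500_000, t0 + timedelta(hours=25)),
        ("cust-b", "payee-y", 250_000, t0),
        ("cust-b", "payee-y", 100_000, t0 + timedelta(hours=30)),
    ]
    limiter = NewPayeeLimiter()
    return [limiter.check(*p) for p in payments]


if __name__ == "__main__":
    print(run_constructed_day())
```

Because the window starts at the first accepted payment, splitting a large transfer into smaller ones still hits the cap on the cumulative total.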
APP fraud is particularly challenging because the customer initiates the payment willingly — they've been socially engineered into believing the payment is legitimate. Traditional fraud controls that look for unauthorized access miss it entirely.
Controls that are actually making a difference:
- Confirmation of payee — Checking whether the account name provided by the customer matches the actual account holder at the receiving bank. The UK mandated this and it's significantly reduced impersonation-type APP fraud. If you're in a jurisdiction without a mandate, consider implementing it voluntarily for high-risk payment types.
- Contextual warnings at point of payment — Generic fraud warnings don't work. Specific, scenario-based warnings do. "You appear to be making a payment to a new payee shortly after receiving a phone call" is more effective than "beware of scams." Some banks are using dynamic interventions that trigger based on behavioral signals.
- Cooling-off periods for large first-time payments — Introducing a delay (even 30 minutes) for payments above a threshold to new payees gives victims time to realize they've been scammed. Most APP fraud relies on urgency — disrupting that urgency is highly effective.
- Inbound payment analysis — If you're a receiving bank, monitor for accounts receiving multiple payments from different sources in a short period. Mule accounts used to receive APP fraud proceeds show distinct patterns: rapid inflows from diverse sources followed by immediate withdrawals.
The liability question is still evolving globally. The UK's reimbursement mandate has shifted incentives significantly. Whether other jurisdictions follow remains to be seen, but the direction is clearly toward greater bank responsibility.
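Added example, not part of the post above or any poster's system: a sketch of the inbound payment analysis it describes, flagging accounts that receive credits from several distinct senders in a short period and are then drained almost immediately. All thresholds, account names and transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INFLOW_WINDOW = timedelta(hours=6)  # assumed meaning of "a short period"
MIN_SENDERS = 3                     # assumed meaning of "different sources"
DRAIN_WINDOW = timedelta(hours=1)   # assumed meaning of "immediate withdrawals"
DRAIN_RATIO = 0.8                   # assumed share of the inflow that leaves


def find_mule_candidates(txns):
    """txns: (time, account, "IN"/"OUT", counterparty, pence) tuples."""
    by_account = defaultdict(list)
    for row in sorted(txns):
        by_account[row[1]].append(row)
    flagged = {}
    for account, rows in by_account.items():
        credits = [r for r in rows if r[2] == "IN"]
        debits = [r for r in rows if r[2] == "OUT"]
        for i, last in enumerate(credits):
            # Credits inside the inflow window that ends at this credit.
            burst = [c for c in credits[: i + 1] if last[0] - c[0] <= INFLOW_WINDOW]
            senders = {c[3] for c in burst}
            if len(senders) < MIN_SENDERS:
                continue
            inflow = sum(c[4] for c in burst)
            drained = sum(d[4] for d in debits
                          if last[0] <= d[0] <= last[0] + DRAIN_WINDOW)
            if drained >= DRAIN_RATIO * inflow:
                flagged[account] = {"senders": len(senders),
                                    "inflow": inflow, "drained": drained}
                break
    return flagged


T0 = datetime(2024, 1, 1, 10, 0)
M = lambda minutes: T0 + timedelta(minutes=minutes)
SAMPLE = [  # constructed transactions, not real data
    (M(0), "ACC-MULE", "IN", "sender-1", 90_000),
    (M(40), "ACC-MULE", "IN", "sender-2", 120_000),
    (M(90), "ACC-MULE", "IN", "sender-3", 75_000),
    (M(100), "ACC-MULE", "OUT", "cash-withdrawal", 270_000),
    (M(0), "ACC-SHOP", "IN", "buyer-1", 4_000),    # many senders, no drain
    (M(120), "ACC-SHOP", "IN", "buyer-2", 6_500),
    (M(300), "ACC-SHOP", "IN", "buyer-3", 3_200),
    (M(0), "ACC-SALARY", "IN", "employer", 250_000),  # one sender, then rent
    (M(30), "ACC-SALARY", "OUT", "landlord", 210_000),
]

if __name__ == "__main__":
    print(find_mule_candidates(SAMPLE))
```

Only the account that combines both signals is flagged; the busy shop account and the salary-then-rent account each show just one of them.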