Rise of authorized push payment (APP) fraud — what controls are working?

by David Moretti · Fraud Prevention · Apr 10, 2026 · 3 replies · Answered

APP fraud has exploded in our customer base over the past 12 months. Social engineering attacks are becoming incredibly sophisticated — deepfake voice calls, AI-generated phishing emails, and impersonation of trusted authorities.

Our current controls (confirmation of payee, payment delay for first-time recipients) aren't enough. The fraud is happening with the customer's active participation, which makes traditional detection difficult.

What additional controls or detection methods are you finding effective against APP fraud?

David Moretti
Risk Manager · AlphaVentures
Member since Apr 2026
1
Accepted answer

APP fraud is the hardest fraud type to prevent because the customer genuinely authorizes the payment. Here's what's working for us:

  1. Behavioral biometrics — Monitoring how the customer interacts with the banking app during payment initiation. Fraud victims often exhibit different behavioral patterns (longer hesitation, unusual navigation, session sharing indicators).
  2. Real-time intervention — When our system flags a suspicious payment, we trigger an in-app warning with specific scam scenarios. "Are you being asked to move money to a 'safe account'?" is surprisingly effective.
  3. Beneficiary intelligence — We subscribe to a shared fraud intelligence network. If the receiving account has been reported by other banks, we block or delay the payment.
  4. Customer education — Persistent and repetitive messaging about scam tactics. We run simulated scam awareness tests similar to phishing simulations.

None of these is a silver bullet, but layered together they've reduced our APP fraud losses by about 35%.

Priya Sharma
Compliance Consultant · RiskAdvisory Group
Member since Apr 2026
4

3 replies

The UK's Contingent Reimbursement Model (CRM) Code and the upcoming PSR mandatory reimbursement requirement are also driving innovation here. When banks have to reimburse victims, the financial incentive to invest in prevention becomes much stronger.

We've also started using payment velocity checks specifically for new payees — limiting the total amount a customer can send to a never-before-used account within the first 24 hours. Customers complain occasionally, but fraud losses from that vector dropped significantly.

John Matcher
Apr 11, 2026 at 1:33 PM
0
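The new-payee velocity check described in the reply above, sketched as an added example (not code from the thread or from any poster's system). The cap amount, the `HOLD` label, and anchoring the 24-hour window on the first accepted payment are assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values; the reply does not state a cap amount.
WINDOW = timedelta(hours=24)
CAP_MINOR = 100_000          # 1,000.00 in minor units (pence/cents)


class NewPayeeLimiter:
    """Caps what a customer can send to a payee during the 24 hours
    that follow their first accepted payment to that payee."""

    def __init__(self, window=WINDOW, cap=CAP_MINOR):
        self.window, self.cap = window, cap
        self.first_paid = {}     # (customer, payee) -> time of first accepted payment
        self.sent = {}           # (customer, payee) -> total accepted inside the window

    def decide(self, customer, payee, amount, when):
        key = (customer, payee)
        first = self.first_paid.get(key)
        if first is not None and when - first >= self.window:
            return "ALLOW"       # established payee: cap no longer applies
        if self.sent.get(key, 0) + amount > self.cap:
            return "HOLD"        # held payments do not consume the allowance
        self.first_paid.setdefault(key, when)
        self.sent[key] = self.sent.get(key, 0) + amount
        return "ALLOW"


def replay(payments):
    """Run (customer, payee, amount, when) tuples through one limiter."""
    limiter = NewPayeeLimiter()
    return [limiter.decide(*p) for p in payments]


T0 = datetime(2026, 4, 10, 9, 0)
# Constructed payments (not real data): a transfer split into parts, then a later one.
SAMPLE = [
    ("cust-1", "payee-X", 60_000, T0),                         # first payment
    ("cust-1", "payee-X", 30_000, T0 + timedelta(minutes=5)),  # total 900.00
    ("cust-1", "payee-X", 20_000, T0 + timedelta(minutes=9)),  # would reach 1,100.00
    ("cust-1", "payee-Y", 20_000, T0 + timedelta(minutes=9)),  # different payee
    ("cust-1", "payee-X", 500_000, T0 + timedelta(hours=25)),  # after the window
]
```

Because the limit is cumulative per customer and payee, splitting one transfer into several smaller ones does not get around it.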

APP fraud is particularly challenging because the customer initiates the payment willingly — they've been socially engineered into believing the payment is legitimate. Traditional fraud controls that look for unauthorized access miss it entirely.

Controls that are actually making a difference:

Confirmation of payee — Checking whether the account name provided by the customer matches the actual account holder at the receiving bank. The UK mandated this and it's significantly reduced impersonation-type APP fraud. If you're in a jurisdiction without a mandate, consider implementing it voluntarily for high-risk payment types.

Contextual warnings at point of payment — Generic fraud warnings don't work. Specific, scenario-based warnings do. "You appear to be making a payment to a new payee shortly after receiving a phone call" is more effective than "beware of scams." Some banks are using dynamic interventions that trigger based on behavioral signals.

Cooling-off periods for large first-time payments — Introducing a delay (even 30 minutes) for payments above a threshold to new payees gives victims time to realize they've been scammed. Most APP fraud relies on urgency — disrupting that urgency is highly effective.

Inbound payment analysis — If you're a receiving bank, monitor for accounts receiving multiple payments from different sources in a short period. Mule accounts used to receive APP fraud proceeds show distinct patterns: rapid inflows from diverse sources followed by immediate withdrawals.

The liability question is still evolving globally. The UK's reimbursement mandate has shifted incentives significantly. Whether other jurisdictions follow remains to be seen, but the direction is clearly toward greater bank responsibility.

LexFlag Team
Apr 14, 2026 at 6:33 AM
2
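The inbound payment analysis from the reply above, as an added example for a receiving bank (not code from the thread or from LexFlag). It flags accounts that collect credits from several distinct senders in a short window and then move most of that money out straight away; the thresholds, field layout, and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune on your own data.
INFLOW_WINDOW = timedelta(hours=6)   # "short period" for inbound credits
DRAIN_WINDOW = timedelta(hours=1)    # "immediate" withdrawal after the burst
MIN_SENDERS = 3                      # distinct sources required
DRAIN_RATIO = 0.8                    # share of the burst that leaves again


def find_mule_patterns(events):
    """events: (time, account, "in"/"out", counterparty, amount in minor units).
    Returns {account: (distinct_senders, inflow, outflow)} for flagged accounts."""
    credits, debits = defaultdict(list), defaultdict(list)
    for when, account, direction, party, amount in sorted(events):
        book = credits if direction == "in" else debits
        book[account].append((when, party, amount))

    flagged = {}
    for account, ins in credits.items():
        start = 0
        for end, (last, _, _) in enumerate(ins):
            while last - ins[start][0] > INFLOW_WINDOW:
                start += 1               # keep the burst inside the window
            burst = ins[start:end + 1]
            senders = {party for _, party, _ in burst}
            if len(senders) < MIN_SENDERS:
                continue
            inflow = sum(amount for _, _, amount in burst)
            outflow = sum(amount for when, _, amount in debits[account]
                          if last <= when <= last + DRAIN_WINDOW)
            if outflow >= DRAIN_RATIO * inflow:
                flagged[account] = (len(senders), inflow, outflow)
                break
    return flagged


def at(day, hour, minute=0):
    return datetime(2026, 4, day, hour, minute)

# Constructed sample ledger (not real data).
SAMPLE = [
    (at(10, 9), "ACC-A", "in", "S1", 150_000),
    (at(10, 9, 40), "ACC-A", "in", "S2", 200_000),
    (at(10, 10, 15), "ACC-A", "in", "S3", 90_000),
    (at(10, 10, 25), "ACC-A", "out", "CASH", 430_000),
    (at(10, 9), "ACC-B", "in", "C1", 4_000),
    (at(10, 11), "ACC-B", "in", "C2", 6_000),
    (at(10, 13), "ACC-B", "in", "C3", 5_000),
    (at(11, 16), "ACC-B", "out", "SUPPLIER", 12_000),
]
```

In the sample, `ACC-A` is flagged while `ACC-B`, which also receives from three senders but pays out a day later, is not.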
