The overlooked signals behind APP fraud: Why banks need to act earlier

by Neldi Rautenbach, product marketing manager

As APP fraud grows more sophisticated, banks must move beyond transactional checks and use behavioural signals to intervene before money moves.

Authorised push payment (APP) fraud is no longer a fringe threat; it is now the most advanced form of digital deception. And it’s growing smarter, faster, and more personal.

Last year, losses exceeded £450 million in the UK alone. Victims sent the money themselves, but they were being manipulated.

To many, that makes APP scams seem unsolvable. But they’re not. Most of these scams don’t begin with a phone call; they begin long before, with reconnaissance, setup, and signals that can be detected in the session or across prior ones.

APP fraud persuades, it doesn’t breach

In today’s scams, criminals no longer force their way in. They guide victims to act, coaching them through transferring money themselves. But behind the emotional manipulation sits something more calculated: technology used to enable and scale the con.

Spoofed websites make fake interfaces look convincing. Remote access tools give scammers control behind the scenes. Deepfakes and scripted voice calls build credibility and urgency. Each part of the scam is designed to feel real and to work.

But this kind of fraud doesn’t happen in a single moment. It unfolds in stages: reconnaissance, session manipulation, and remote access. Each stage is supported by tech, and each stage leaves behind signals.

With the right telemetry in place, these signals can be detected. With session intelligence, they can be acted on before the payment is made, while the scam is still unfolding.

Why traditional defences fall short

Most fraud detection systems are designed to catch anomalies after the fact: unusual transactions, flagged devices, or known malware. APP fraud slips through the cracks because it doesn’t look suspicious on the surface.

The customer logs in as usual. They’re on their own device. The payment is authorised. Everything appears normal until it’s not. That’s because the real signals aren’t in the transaction. They’re in the journey leading up to it, and most banks simply aren’t looking there.

What banks need is a mindset shift

APP fraud doesn’t rely on unauthorised access. The user logs in, uses their own device, and completes the transaction. Everything appears genuine until it’s too late.

But that doesn’t mean the signals weren’t there.

With the right telemetry, banks can observe:

  • Remote access taking place
  • Concurrent voice calls or manipulation
  • Unusual typing behaviour or rushed navigation
  • Anomalies in how users typically interact with their accounts

Individually, these might not set off alarms. But together, they tell a story—a story of someone being manipulated.
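One way to combine the session signals listed above into a single pre-payment decision, as an added example that is not from the article or from any vendor's product. The signal names, likelihood ratios, base rate and thresholds are all illustrative assumptions, and the score treats the signals as independent.

```python
import math

# Assumed likelihood ratios: how much more often each signal shows up in a
# manipulated session than in a genuine one. Illustrative, not measured.
LIKELIHOOD_RATIO = {
    "remote_access": 12.0,
    "concurrent_call": 8.0,
    "rushed_navigation": 4.0,
    "interaction_anomaly": 3.0,
}
PRIOR_ODDS = 1 / 1000            # assumed base rate of scam sessions
WARN_AT, HOLD_AT = 0.05, 0.25    # assumed posterior thresholds


def scam_probability(signals):
    """Posterior P(scam | signals), treating signals as independent."""
    log_odds = math.log(PRIOR_ODDS)
    for name in set(signals):
        log_odds += math.log(LIKELIHOOD_RATIO[name])
    return 1 / (1 + math.exp(-log_odds))


def decide(events):
    """events: (seconds_since_login, kind) tuples. Returns (action, p).

    Only signals observed before the payment is submitted count, because
    the decision has to be made before money moves.
    """
    seen = set()
    for _, kind in sorted(events):
        if kind == "payment_submit":
            p = scam_probability(seen)
            if p >= HOLD_AT:
                return "hold", p
            return ("warn", p) if p >= WARN_AT else ("allow", p)
        if kind in LIKELIHOOD_RATIO:
            seen.add(kind)
    return "no_payment", scam_probability(seen)


# Constructed sample session: every signal alone stays below WARN_AT,
# but three of them together cross HOLD_AT.
SAMPLE = [
    (5.0, "remote_access"),
    (8.0, "concurrent_call"),
    (40.0, "rushed_navigation"),
    (55.0, "payment_submit"),
]

if __name__ == "__main__":
    print(decide(SAMPLE))
```
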

This is where the shift begins: from reactive fraud detection to proactive contextual insight. It’s not just about better tools, it’s about asking better questions earlier in the customer journey.

Fraud is a journey, so prevention must be too

APP fraud doesn’t begin at the point of payment. It starts much earlier and doesn’t end when the money moves.

Each scam unfolds across multiple stages, and each one presents a chance to act:

  • Before the fraud: Phishing attempts, leaked credentials, session anomalies.
  • During the scam: Abnormal navigation, remote access, rushed payments.
  • After the scam: Links to mule accounts, cross-channel signals, repeat patterns.

With real-time visibility, banks can trace this journey and spot opportunities to intervene before it’s too late.

Trust is earned through protection, not just reimbursement

Regulators like the UK PSR are already shifting liability back to banks, even for authorised payments. But customer expectations go further: they don’t just want their money back, they want to feel safe.

To protect customers, banks must stop treating fraud as a back-office problem and start thinking like behavioural analysts. The earlier they act, the stronger their defences and the safer their customers.

Proactive protection is no longer optional. It’s a competitive advantage.

Article by Cleafy
