The modern financial landscape has created fertile ground for authorized push payment (APP) fraud, where victims are tricked into willingly transferring money under false pretenses. The expectation for real-time banking and instant payment settlement means transactions are often completed in seconds—leaving little room for reversal. Cross-border payments have become routine, even for everyday consumer purchases.
At the same time, advancements in artificial intelligence have made it easier for criminals to craft convincing scams. The FBI’s Internet Crime Complaint Center says losses from investment scams alone reached $4.57 billion in 2023 – up 38% from the year before. LSEG Risk Intelligence’s analysis shows that global APP fraud losses could reach $331 billion by 2027.
Addressing APP fraud requires a comprehensive approach, ranging from consumer education to advanced biometrics. In a PaymentsJournal webinar, Aravind Narayan, Global Director of Digital Identity and Fraud Proposition at LSEG Risk Intelligence,and Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research, discussed the tools available to financial institutions to counter this growing threat.
Why the Problem Is Growing
Consumers no longer find it unusual when someone asks for a payment immediately. What was once a red flag now feels routine, thanks to the rise of instant payments. In 2024 Same-Day ACH surpassed a billion transactions for the first time, up 45% on a year-over-year basis. But once that money leaves an account, the transaction is typically irreversible—often completed in 10 seconds or less.
Digitally savvy consumers can buy and sell goods across borders with ease, but that global reach makes fraud more difficult to detect. Each country has its own regulatory framework, and cross-border transactions involve at least two jurisdictions. This complexity slows investigations and delays potential reimbursements.
The fight against fraud has also become more challenging with the rise of AI. Today, generative AI enables criminals to easily write well-constructed, convincing emails that appear to come from executives or trusted contacts.
On the consumer side, AI-assisted grandparent scams are also increasing. A few seconds of someone’s voice from social media or a video clip is enough to create deepfakes using widely available tools.
“The CFO of a company in Hong Kong called for an urgent meeting with his direct reports in a Zoom call,” said Narayan. “None of the six people on the call could detect that the individual posing as the CFO—who they all knew—was not actually the real person. It was a deepfake live video call. He told them the company has some financial challenges and needed to move to a different type of business, and urged them to send millions to his account.”
While this is an extreme example, these types of intra-business attacks are a real threat. Business Email Compromise (BEC) accounted for 21,489 complaints and $2.9 billion in reported losses in 2023.
Anytime an employee receives a message from someone claiming to be another employee and requesting a large sum of money, the company must have clear procedures in place that encourage questioning the request. It’s also recommended to implement a second layer of verification, especially for large transfers. If the person is seeking sensitive information, the breach could potentially lead to a much larger security issue.
Claiming Responsibility
In the UK, liability for these authorized transactions shared among the various financial institutions involved. In the U.S., it has typically fallen 100% on consumers, although that is starting to shift.
For example, Nacha—which oversees the ACH network—is implementing new rules that will require all non-consumer ACH participants to monitor for fraud and return suspect payments by mid-2026. This signals a move toward shared responsibility, similar to models already in place in regions like the UK.
“When a scam starts with social media, the telecom may be able to stop fraud before it reaches that consumer,” said Pitt. “Instead of just saying the customer is 100% liable for everything that’s a scam, maybe we should share some of that liability with the bank or with the social media company. That will help build customer trust and let consumers know that you’re doing what you can to help them out.”
UK banks also place greater emphasis than their U.S. counterparts on consumer education to fight APP fraud.
“I recently had someone come over to do building work in my house,” said Narayan. “When I was sending them money, I got frustrated because I had to click seven times: Are you sure? Are you sure this is not a scam? Did you really know this account? Are you sending money to the right individuals? It’s frustrating, but at the same time it’s giving me a good assurance that they care about my money.”
Pushing Toward Stronger Identity Verification
Some businesses have begun implementing some type of verification, like age, as a first step. But the real opportunity lies in going further, using things such as identity verification and account verification intelligence so businesses truly know who they are transacting with. This kind of proactive verification can help prevent fraud rather than just reacting to it after the fact.
“You want to have sufficient measures of fraud prevention to make sure you know who is coming into your platform,” said Narayan. “Whether it’s Booking.com, Meta or Google, they should know who they are doing business with, because then they can share any sort of relationship and behavior attributes with a financial institution to prevent fraud before it happens.”
As it stands, too many financial service providers treat consumer education as a check-the-box exercise, simply posting content on their websites because regulators require it.
“I think that’s a really bad approach,” said Pitt. “A lot of businesses are worried about causing too much friction and losing their customers. But scammers frequently try to foster a sense of urgency: Act now or you won’t get your Social Security benefits, or something like that. This few seconds of asking ‘Are you sure?’ will essentially snap our brain out of that panicky feeling and help somebody avoid becoming a victim.”
Authorized, Not Voluntary
When talking about authorized push payment fraud, the key word is authorized, not voluntary. The victim authorizes the payment to the criminal’s account under the false belief that they are dealing with a legitimate recipient. Voluntary implies that someone is doing something of their free will.
“This terminology may sound like just wordplay, but it’s not,” said Pitt. “It is authorized because they made the transaction, but it is not voluntary. I’ve seen firsthand in jury trials how this terminology can actually affect the outcome of the case. Somebody can be found not guilty by a jury if the term authorized is used, even though it’s based on deception.”
Behavioral analytics could offer a promising solution to this problem. Is the victim showing signs of hesitation? Are they typing different than usual? Are they accessing their account in an unusual way? Recognizing these anomalous behaviors can help banks detect situations where a customer may be under coercion.
“Imagine being able to block a transaction because the bank sees that that individual has been on the phone for a longer time,” said Narayan. “That could mean somebody’s actually causing that individual to send money. They could stop that payment from happening because they’re monitoring that this individual is actually on the phone to a potential fraudster.”
In the future, it may be possible to anticipate these attacks and identify who the next frontier might be. The key is that no bank can do this alone. They need visibility into fraud occurring elsewhere to anticipate what might happen within their own organization.
A Layered Approach
Preventing fraud requires layering multiple authentication approaches, including biometrics, and triangulating these signals to pinpoint both the individual and the recipient of the payment.
“Fraud prevention is not one and done, and it’s not detection anymore,” said Narayan. “It’s not like one data point will actually prevent fraud from happening.”
A strong program requires constant monitoring and a multilayered authentication approach. With, say, a corporate treasury, you might onboard a supplier, then three months later there might be a scammer who got hold of the domain. If the treasurer emails and ask to change the account number from X to Y it’s tempting to simply do that via that e-mail, and allow the payments to go through to the wrong place.
“You need to have constant validation of the beneficiary accounts and account numbers and account ownerships,” said Narayan. “It’s absolutely paramount from a corporate treasury perspective.”
The layered approach means that entities can no longer fight fraud with spreadsheets. Automating solutions and bringing new API-based or portal based services can make sure technology does the work for you, allowing you to focus on building your business. The right experienced partner can help you find the latest mix of tools to fight APP fraud.
“We can no longer just rely on one approach,” said Pitt. “We can no longer be reactive. We can’t just monitor transactions. We can’t just look at historical behavior. We can’t just look at some intelligence. We have to have this layered approach in cybersecurity. We want to put as many barriers before that fraudster as we can.”
[contact-form-7]
The post Fighting Authorized Push Payment Fraud on All Fronts appeared first on PaymentsJournal.
