Authorised Push Payment (APP) Fraud

Authorised push payment (APP) fraud occurs when a victim is manipulated — through impersonation, social engineering, or deception — into initiating a bank transfer they believe to be legitimate. Unlike card fraud or account takeover, where the transaction is unauthorised, APP fraud involves the genuine account holder instructing their bank to send money, which makes traditional fraud protections harder to apply and recovery more difficult.

APP fraud encompasses a wide range of scams: a victim receiving a 'safe account' call from someone posing as their bank; a business making a large payment to what they believe is a supplier but is actually a criminal following invoice redirection fraud; a person paying for goods they never receive from a fake seller; or a romance fraud victim transferring money to someone they met online.

The scale of APP fraud has driven significant regulatory change. In the UK, the Payment Systems Regulator introduced mandatory reimbursement requirements for APP fraud victims from 2024, placing obligations on both sending and receiving banks to reimburse victims in most cases, with limited exceptions for gross negligence. Banks increasingly use Confirmation of Payee (CoP) services — which check whether the account name matches the sort code and account number — to alert customers before sending to a mismatched account.