APP Fraud: A growing global crisis in payments

Jonathan Hart

Senior Product Manager, Digital Identity & Fraud

Governments around the world are taking steps to combat rising rates of APP fraud. We provide examples of global action and shed light on how businesses can best protect themselves against APP scams. 

  • Authorised Push Payments, or APP, describe scams where a fraudster convinces a victim to authorise a payment under false pretences.
  • This covers several types of scams, including product, service or purchase scams, romance scams, invoice scams and investment scams.
  • Responses by governments around the world can include potential compensation to individual victims, proving the seriousness of the threat. Can businesses expect the same kind of safety net?

Why APPs are a Threat

APPs are effective because they take advantage of individuals, whether consumers or key finance people within a business. Scammers use social engineering techniques to deceive or confuse victims into making payment transfers, even if this goes against processes they have been trained to follow or against their better judgement. Even worse, the use of instant payments, or other payment tools such as crypto exchanges, means the funds are often irretrievable.

For this reason, governments around the world have started to create policy and legislative action to curb APP growth and the damage it can cause to consumers, businesses and economies.

Examples of Global Action

In the UK, APPs represent about 40% of payment fraud, which itself represented 40% of all reported crime in the UK in 2023[1]. APP losses for the four years to 2023 equated to almost £2 billion. 

In response, from October 7th 2024, the UK Payment Systems Regulator required banks to reimburse consumers who are victims of APP fraud. This will be funded 50% by banks sending funds and 50% by banks receiving funds, to a maximum limit of £85,000.

Businesses (aside from some microbusinesses and smaller charities) will not be eligible for reimbursement. 

In addition to banks being better incentivised to detect patterns of fraud and stop them before they impact customers, the wider deployment of Confirmation of Payee (CoP) technology, which alerts bank users where the name of a payee and their account details don’t match, together with improved data sharing between financial institutions, is expected to dramatically reduce the impact of scams.

The UK is unique in its 50/50 reimbursement model, but it is far from the only country taking action against payment fraud.

In the United States, according to the FBI’s Internet Crime Report, $9 billion in losses from APPs were related to investment scams, business email compromise and impersonation scams, and this was in 2023 alone[2]. As a result, the Federal Trade Commission is working with law enforcement to prosecute illegal telemarketing and investment schemes, and improve its regulatory force in relation to impersonation fraud[3]&[4]. Additionally, the Federal Communications Commission (FCC) has initiated multiple actions in 2024 focusing on reducing the 4 billion robocalls Americans receive per month[5].

Australia, with a population of just 26 million people, experienced over $1.8 billion in APP losses in 2023[6]. It is deploying CoP technology in 2024, adding new rules for financial account openings such as mandatory biometrics, requiring shared intelligence between financial institutions, and increasing regulation on telecommunications and social media companies to crack down on scams[7]&[8].

Singapore is working on implementation of a “shared responsibility framework” that would allocate responsibility between financial institutions, telecommunications companies and consumers, with compensation for losses where a party has breached their duties[9]. Additionally, legislation passed in July 2024 has strengthened the ability of authorities to take down websites, apps and online accounts suspected to be used for scams and cyber-crime activities[10].

In the European Union, Payment Services Directive 3 (PSD3) and Payment Services Regulation 1 (PSR1) are expected to come into effect in 2026. These will outline liability for fraud between financial institutions, make mandatory the use of CoP technology (known in the EU as Verification of Payee), and require financial institutions to undertake customer education, improve secure customer authentication, and share fraud intelligence with other financial institutions[11].

In summary, unless otherwise required by market rules or legislation, liability for APP fraud will continue to lie primarily with victims. Additionally, the compensation schemes presently under review by western economies appear to be focused on consumer, rather than business, victims.

Whilst individual financial institutions may provide compensation to customers who are victims of scams, full reimbursement in the absence of rules requiring it tends to be rare, and usually only if the financial institution has identified a fault in its own processes.

How should businesses respond?

Despite efforts by governments to reduce the potential for fraud, advancements in technology ensure the threat of Authorised Push Payments remains real.

The reality is that the perpetrators of APP fraud are skilful in exploiting new technology and opportunities to socially engineer diverse types of victims; tightening payment processes and employee training will only go so far.

At the same time, relying solely on payment infrastructure and financial institutions to thwart fraudsters and scammers is a high-risk strategy, especially where businesses as victims have little to no possibility of a refund, reimbursement or compensation.

Therefore, businesses should consider the use of global fraud detection technology to ensure trust throughout all critical points of the customer or supplier lifecycle, including onboarding, during times of change, and pre-transaction. Such technology will include regular KYC/KYB verifications, behavioural analysis, and use of other diverse risk signals, which are critical to ensuring fraud mitigation in a world of generative AI technology.

Copyright © 2024 London Stock Exchange Group. All rights reserved.