Authorized Push Payment (APP) Scam

As real-time payments become more popular, authorized push payment fraud becomes more pervasive. Here’s what you need to know about APP scams.

On This Page

What Are Push Payments?

Push payments refer to any situation in which a payer initiates a transaction and sends or “pushes” money to a payee. By comparison, most traditional payment types require the payee to initiate the transaction by requesting or “pulling” money from the payer. Cash payments are perhaps the most straightforward example of push payments, but other common examples include direct deposits, bank transfers, wire transfers, digital wallet payments and other alternative payment methods.

Why are push payments popular with consumers?
  • Extra security: Payees do not have to share their personal information or account credentials with payers
  • Control of the timing: Payers can only make a payment when they have sufficient funds in their accounts
  • Faster than pull payments: Preauthorization allows for more rapid payments reconciliation

What Is Authorized Push Payment Fraud?

Authorized push payment fraud, or APP fraud, happens when a fraudster convinces a payer to authorize a payment under false pretenses. In almost all APP scams, a fraudster will pose as someone from a trusted institution — a payer’s bank or a representative from a recognized company’s billing department — in order to convince the payer that the transaction is legitimate.

It’s important to note that “APP fraud” is a U.K.-specific classification; other global regions may use different terminology to classify this type of fraud. The Federal Reserve recently launched the Fraud Classifier Model, an online tool to help U.S. consumers classify fraud independent of payment type.

APP scams are a type of confidence-based fraud and include any scam that attacks the human element in the payments chain. According to ACI Worldwide’s Prime Time for Real-Time global report, it is one of the most common forms of fraud that appears in every region.

What Are Common Examples of APP Scams?

APP fraud can take many forms; the two most common are:

Social Engineering:

Social engineering APP scams involve fraudsters posing as trusted institutions or individuals in order to convince payers to share personal information or account information, which scammers can then use to gain access to payers’ accounts and make push payments to their own accounts. There are many different types of social engineering scams that include phishing, romance scams, purchase scams, investment scams, advance fee scams, invoice and mandate scams, CEO fraud and impersonation scams.

Account Takeovers

A scammer acquires partial or complete payer information (either by hacking into systems or purchasing it through the dark web), uses that information to gain access to the payer’s account(s) and then makes push payments to their own account.

Though attacks on individuals are the most widespread form of APP fraud, scammers can leverage each of these techniques to deceive businesses, as well. For example, a scammer might use phishing to impersonate a supplier, convincing their intended target to change the bank account details it has on file for that supplier and route all future payments to the new, fraudulent account.

How do real-time payments increase the risk of APP scams?

Push payments offer rapid settlement and reconciliation for faster payment services and real-time payment systems. This means they are irrevocable and irreversible — making them a prime target for scammers.

What Is the Impact of APP Fraud?

APP scams skyrocketed during the pandemic, making it the top cause of financial loss due to crime. New techniques included posing as a government official requesting payments for COVID-19 vaccines, romance scams on dating platforms and impersonating delivery companies to exploit the rise in online shopping.

UK Finance reports in 2021


million in losses in 2021


APP scams versus 83,699 in 2020


increase in APP scams year over year

Finextra also reports that banks paid £207 million of the £479 million cost of APP fraud in 2020, amounting to 43%. These figures paint a troubling picture about the very real threat APP scams pose to banks and individuals alike.

Beyond the financial cost, APP fraud presents a serious threat to banks’ reputations. If a scammer were to repeatedly pose as a particular institution, it could lead customers to associate that bank’s brand with fraudulent practices causing reputational damage. This poses a direct threat to banks’ ability to remain top of wallet, which is especially concerning for U.S. banks, which earn substantial revenue from interchange fees. It is within banks’ best interest to educate their customers about APP fraud, warn them of any potential scams and invest in comprehensive fraud management solutions.

What Is a Bank’s Liability With APP Fraud?

A bank’s liability for APP fraud depends entirely on the market in which they operate:


  • Roughly 60% of all fraudulent APP transactions are granted reimbursement by a financial ombudsman
  • To reduce banks’ liabilities, Pay.UK has launched Confirmation of Payee, a name-checking service that helps reduce fraud and misdirected payments

United States

  • APP fraud victims are considered liable and they are less likely to get their money back


  • Whether banks or individuals are liable is a point of contention. A consumer court in Gujarat recently denied a fraud victim’s claim for compensation. The National Consumer Disputes Redressal Commission and the Reserve Bank of India disputed the ruling.

How can banks protect themselves against APP fraud?

There are a wide variety of measures banks can take to mitigate the risk of APP fraud:

  • Enhance your existing fraud management platform with authentication data using a data extensibility model and RESTful APIs.
  • Profile scams on all levels using biometrics and behavioral profiles, including customers, fraudsters, merchants and merchant types, acquirers, countries and currencies.
  • Build world-class machine learning algorithms for informed risk-based authentication within a single enterprise-wide platform.
  • Integrate two-way customer communication and customer education campaigns using automated messaging tools.
  • Leverage scam alerts automation to enable your users to detect and decline scam merchants in real time without creating an additional workflow for your fraud operations team.

What Are Banks Doing To Protect Consumers From APP Scams?

There’s been a concerted effort across multiple industries to address and prevent authorized push payment fraud.

In 2016, a U.K.-based consumer advocacy group filed a super-complaint to financial regulators, calling upon them to:

  • “Formally investigate the scale of bank-transfer fraud and how much it is costing consumers”
  • “Take action and propose new measures and greater liability for banks to ensure consumers are better protected when they have been tricked into making a bank transfer.”

In its formal response, the Payment Systems Regulator (PSR) found:

  • There was room for improvement in banks’ collective response to scams
  • There was evidence to suggest that more could be done to identify fraudulent incoming payments
  • The data available on the type and scale of scams was of poor quality

These findings ultimately led the PSR to form the Authorized Push Payment Scams Steering Group — a steering committee made up of industry professionals and consumer representatives led by an independent chair — and create the Contingent Reimbursement Model (CRM) Code.

The CRM Code “sets out expectations for both receiving and sending firms to prevent, detect and respond to APP scams” and “creates a mechanism whereby victims can make a claim for compensation.” 

Given the prevalence of APP fraud in the U.K., it is currently the most advanced global market in terms of tackling this type of scam. We can likely expect other markets around the world to adopt a similar approach to combating APP fraud.

Beyond adhering to the expectations outlined by the CRM Code — which applies to push payments sent to or from the U.K. — banks can also invest in solutions that use machine learning algorithms to proactively detect suspicious and potentially fraudulent behavior. Banks are advised to manually intervene whenever possible and educate their customers about the dangers of this type of fraud.

Banks are not the only ones fighting APP fraud. In March 2022, the U.K. Parliament introduced the U.K. Online Safety Bill which includes measures to protect people from internet scams.

How Does ACI Worldwide Help Banks Prevent APP Fraud?

ACI Worldwide delivers a wide variety of fraud management solutions for banks that leverage real-time monitoring, adaptive machine learning algorithms, behavioral biometrics and network intelligence to create a multilayered fraud prevention strategy. We also offer fully managed, automated, AI-driven fraud scoring services to help organizations increase fraud detection rates, reduce false positive rates and substantially reduce fraud losses.

Contact us today to speak to a specialist about ACI’s anti-fraud solutions and services.

Who’s truly responsible for APP fraud?

Find out in this free, on-demand webinar from FinExtra, featuring insights from the experts at ACI Worldwide.