Authorized Pushed Payment Fraud: From Reaction to Prevention 

For several years now, the term Authorized Pushed Payment (APP) fraud has been impossible to ignore for anyone involved in fintech, banking, or payments. It poses a major threat, with £450.7 million ($611.3 million) lost to APP fraud in 2024 in the UK alone. For those unfamiliar with the term, APP fraud is when a fraudster persuades an account holder to transfer funds into an account they control.

Which type of fraud most worries us

While fraudsters have many ways of conning victims into authorizing payments, what really concerns us is account takeover (ATO) fraud. This is where a fraudster gains direct access to an account and starts using it for fraudulent activities. In most cases we see, the fraudster changes the security settings, making it impossible for the account holder to prevent the fraud. 

The fraudster can then take advantage of their control of the victim’s account to perform authorized push payments themselves, without needing any authorization from the account holder. This removes the need for social engineering and the fraudster actually coercing the victim into making the payments themselves, which is often one of the most difficult and time-consuming components of APP fraud. 

APP fraud is notoriously hard to prevent and even detect. The person initiating the transfer is a real, verified account holder, seemingly acting of their own will, which means traditional fraud prevention frameworks that focus solely on identity verification or unauthorized access don’t go far enough.

Rethinking our approach to APP fraud

According to the UK FCA’s 2024 Financial Lives Survey, 13% of adults reported experiencing fraudulent banking or payment activities in the last 12 months. Of that, 3.7% was specifically APP fraud. While that may seem small, the figure has been increasing year on year. Globally, ATO fraud accounts for 12% of identity fraud, which translates into millions of victims who are locked out of their accounts and exploited in APP scams. 

Given its impact on consumers, the market, governments, and policymakers have been working together to combat this type of fraud. In the UK, banks and other payment service providers are legally required to reimburse most victims of APP fraud. Similar discussions are happening globally. These changes are essential for making sure victims are not financially ruined after falling prey to sophisticated fraud networks.

But there is a critical question: Is reimbursement enough? Protecting consumers isn’t just about paying them back after they’ve been victimized, effectively paying criminals. It goes without saying that reimbursement is, of course, essential. But isn’t it better to stop fraud before it happens? We can make full use of emerging technical tools that offer promising capabilities to support a more layered and preventive response to APP fraud. 

Solutions for true fraud prevention

A layered technological approach could effectively stop APP fraud before a scammer has the chance to transfer funds from their victim’s account. At Sumsub, for instance, we’re combining behavioral analysis, transaction monitoring, device intelligence, and network detection into a single risk engine specifically designed to stop ATO fraud. Instead of going by the transaction alone, these systems assess the broader context of a user’s behavior and environment.

Behavioral analytics is one of the more exciting techniques in preventing APP fraud. By analyzing how users interact with an interface—like their mouse movement, typing speed, or unusual hesitations—platforms can distinguish between normal behavior and potential signs of duress, manipulation, or social engineering. A user under pressure from a scammer may hesitate, copy and paste payment details, or complete steps unusually quickly. While not definitive, signals like this could prompt a delay or a secondary check before transferring any funds.

Complementing this is real-time transaction risk scoring, which considers factors like location, device fingerprint, payment history, and recipient behavior. APP scams tend to involve large sums of money being sent to new or high-risk recipients. Transfers made from a new device or network, or outside of a user’s typical profile, could be flagged, prompting a user alert or delay, or blocking the transaction altogether.

Device and network monitoring are other promising points of intervention. Many APP fraud cases involve remote desktop tools like AnyDesk or TeamViewer, which fraudsters use to coach their victims into falling for their scam. Detecting remote access, VPN usage, or headless browser activity would add a crucial layer of insight, especially when combined with other behavioral indicators.

One often overlooked aspect of fraud prevention is recipient profiling. APP fraud often relies on mule accounts to launder stolen funds, and while a payer may appear legitimate, recipient accounts can often be part of broader fraud networks. Some anti-fraud technologies now include fraud network detection tools that analyze shared characteristics between users, like common IP addresses, document templates, or device IDs, which help to identify previously unknown mule accounts.

No silver bullet for preventing APP fraud

Still, no system offers a definitive solution to APP fraud. These tools rely on probabilistic risk models and need to be calibrated carefully to avoid blocking legitimate users. Moreover, technical solutions should be seen as just one component of a wider strategy that combines consumer education about red flags, regulatory oversight, and interbank collaboration to share data and information about emerging fraud patterns.

Platforms like Sumsub can play a key role in this context—not as silver bullets, but as part of a broader ecosystem of risk detection and prevention. By extending fraud monitoring beyond onboarding and into the full transaction lifecycle, institutions can detect more subtle and emerging forms of manipulation that would otherwise go unnoticed. For regulators and policymakers, the implication is clear. Both smarter data use and more proactive risk detection are essential to fully combat APP fraud, especially when faced with users who appear to be acting with consent.