What Is APP Fraud, and How Can It Finally Be Stopped?

If you think there’s nothing more insidious than phishing attacks, think again. There’s another form of social engineering that’s even more difficult to prevent. Authorized push payment (APP) fraud accounted for a staggering 75% of all digital banking fraud in 2022. Financial losses from APP fraud are projected to double across the UK, India and the US in the next four years, hitting $5.25B by 2026.

The reason APP fraud is on the rise: companies don’t have a way to stop it. After all, customers willingly approve the payment. How does this happen? APP fraud occurs when a fraudster pretends to be someone from a company or service the victim trusts, like their bank, water or power utility, and tells the individual they owe money (or some other lie). By creating a sense of urgency, scammers convince the victim to transfer money out of their bank account to one controlled by the scammer, often a mule account used to move illicit funds on behalf of criminals.

Some victims, turned into puppets, have seen their entire savings swept away in a flash. Once the money is transferred, it is nearly impossible to recover because, as the term ‘authorized push payment’ suggests, the transaction is authorized by the victim. Who is accountable for the loss? That’s a question under debate. In the UK, regulators of the Faster Payments system will require banks to reimburse business victims starting in October 2024.

In this blog post, we’ll cover how APP fraud slips past today’s defenses and the tactics that fraudsters use to trick victims. Most importantly, you’ll learn about new methods and strategies for preventing APP fraud — before the money is transferred. 

Why it’s so hard to prevent APP fraud

Traditional customer identity and access management (CIAM) solutions are designed to catch account takeover (ATO) fraud that starts at login in the form of credential stuffing, phishing, brute force or other means. But APP fraud doesn’t need to employ the same tactics because the legitimate user authenticates the money transfer. As a result, typical ATO detection techniques don’t work.

Sure, you might try to warn customers about APP fraud, but we’ve all been shouting from the rooftops about phishing and social engineering for years — with disappointing results. Scammers often succeed by targeting the elderly, individuals who are not as savvy and skeptical. 

APP fraud: tricks of the trade 

Masters of deception, scammers create a sense of urgency by telling victims, “Your bill is past due…” or, “Your account has been hacked.” Key to the art of persuasion, they use leaked information about the victim. Fearing ramifications, victims transfer money immediately. This can happen through various channels, including email, phone calls or text messages.

Examples of how fraudsters deceive victims through impersonation:

  • Bank: A scammer claims there’s been suspicious activity in their bank account and advises the victim to transfer their money to a ‘safe account’ to protect their funds.
  • Utility or service provider: Victims are often told they have an unpaid bill, and the fear of losing services (water, electricity, gas, cable or internet service) motivates them to quickly pay it to avoid being cut off from life’s amenities.  
  • Government agency: The fraudster claims to work for the tax department, for example, and tells the victim they owe back taxes or fines.
  • Rent scam: The imposter poses as a landlord or real estate agent and asks the victim to transfer a deposit and/or first month’s rent to secure the property.  
  • Investment opportunities: Scammers convince victims to transfer funds for a too-good-to-be-true “investment,” which doesn’t actually exist.
  • Family emergency scam: The scammer pretends to be a family member, often a grandchild in distress, who needs money immediately for an emergency, like legal trouble or medical expenses. Concerned for their loved one, the victim transfers the money.
  • Romance scam: After connecting online, the scammer tells their new romantic interest that they have an emergency, like a health issue, and urgently need funds.

In all these contrived scenarios, the key element is deception: making the victim believe they are transferring money for a legitimate and urgent reason. Even when an alert pops up, fraudsters will convince the customer to ignore it by saying, “That’s a standard warning that always appears. Just close that window.” So smooth.

How to prevent APP fraud

In an ideal world, the consumer (a would-be victim) knows to verify the recipient before making any money transfers, especially when prompted by unsolicited communications. But as we’ve learned from phishing attacks, banks and other companies cannot rely on customers to protect themselves. 

There is clearly a security gap and a dire need for APP fraud detection. With this in mind, Transmit Security has developed a new approach for detecting this highly deceptive form of social engineering, building a three-step process:

  1. Detecting suspicious transactions and behavior
  2. Increasing interaction with the customer
  3. Contacting and verifying the money recipient

Step 1: Detecting suspicious behavior and transactions

It’s essential to detect suspicious behavior based on intelligence collected throughout the user journey. Is the user pausing more than usual? If so, this may indicate the customer is being coached. Or perhaps they’re “too fluent,” moving along more quickly than usual. Maybe they are carrying out an activity outside of their normal patterns. Any behavior that strays from that individual’s norm could indicate a fraudster is in control. With Transmit Security’s advanced behavioral biometrics, you can detect all of this. 

Transaction intelligence is continually analyzed to detect anomalies. For example, is the money transfer going to a new or atypical recipient and are similar transactions happening at a high frequency? If so, these are clear risk signals. Transaction size can also indicate APP fraud; for instance, if the amount is slightly below the bank’s threshold for additional controls, this could be a fraudster trying to fly under the radar.  

Context-aware, orchestrated security also checks device and network reputation, mule accounts and lists of targeted banks (typically ones with easier account opening processes). It even looks at call center intelligence and weighs the customer’s age as a factor since the elderly are commonly targeted by APP fraud. 

Machine learning (ML) and AI analyze risk signals in the full context of all that’s happening in real time, to detect suspicious transactions and stop APP fraud before the money is gone.
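
The Step 1 signals above (new recipient, frequent similar transfers, an amount just under the bank's control threshold, unusual pausing or fluency) can be sketched as a rule-based check. This is an added example, not Transmit Security's code; every threshold, name and sample record in it is an assumption made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values for illustration; real systems calibrate these per institution.
REVIEW_THRESHOLD = 10_000.0       # amount at which the bank applies additional controls
NEAR_BAND = 0.05                  # "slightly below" = within 5% under that threshold
WINDOW, VELOCITY_LIMIT = timedelta(hours=24), 3
SLOW_RATIO, FAST_RATIO = 2.0, 0.5  # session pause time relative to the user's own norm

@dataclass
class Transfer:
    when: datetime
    recipient: str
    amount: float

def risk_signals(history, current, baseline_pause_s, session_pause_s):
    """Return the named risk signals that fire for one pending transfer."""
    signals = []
    if current.recipient not in {t.recipient for t in history}:
        signals.append("new_recipient")
    # Similar transfers (amount within 20%) made inside the recent window.
    similar = [t for t in history
               if timedelta(0) <= current.when - t.when <= WINDOW
               and abs(t.amount - current.amount) <= 0.2 * current.amount]
    if len(similar) >= VELOCITY_LIMIT:
        signals.append("high_frequency_similar")
    # Amount sits just under the threshold that would trigger extra controls.
    if REVIEW_THRESHOLD * (1 - NEAR_BAND) <= current.amount < REVIEW_THRESHOLD:
        signals.append("near_threshold_amount")
    # Behaviour is compared with this user's own baseline, not a global one.
    if baseline_pause_s > 0:
        ratio = session_pause_s / baseline_pause_s
        if ratio >= SLOW_RATIO:
            signals.append("unusual_hesitation")   # possibly being coached
        elif ratio <= FAST_RATIO:
            signals.append("unusually_fluent")     # possibly not the usual user
    return signals

def needs_step_up(signals, minimum=2):
    """Assumed policy: two or more signals trigger the Step 2 questions."""
    return len(signals) >= minimum

# Constructed sample data (not real transactions).
NOW = datetime(2024, 1, 15, 14, 0)
HISTORY = [Transfer(NOW - timedelta(days=30), "landlord", 1200.0),
           Transfer(NOW - timedelta(hours=5), "acct-A", 9600.0),
           Transfer(NOW - timedelta(hours=3), "acct-B", 9700.0),
           Transfer(NOW - timedelta(hours=1), "acct-C", 9500.0)]

if __name__ == "__main__":
    pending = Transfer(NOW, "acct-D", 9800.0)
    print(risk_signals(HISTORY, pending, baseline_pause_s=4.0, session_pause_s=11.0))
```

A production system would weight and learn these signals rather than count them, as the ML paragraph above notes; the fixed rules only make the individual checks explicit.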

Step 2: Increase interaction with the customer

Transmit Security has devised a way to increase the friction with customers and fraudsters, significantly reducing the success rate of APP fraud. If there are enough signs of a risky transaction, our solution allows you to probe for answers that will help you understand: 

  • The reason for the transfer
  • How much the customer knows about the money recipient
  • How the customer was contacted (if they were contacted)
  • Who the money recipient is; get their phone number, company name and any information that can be validated in real time 

With all of the information above, Transmit Security is able to rapidly re-assess the level of risk for the transaction.

Step 3: Validate and verify the money recipient (individual & business) 

Whether it’s an individual or business, use data validation to check the money recipient’s phone number (a prepaid number would indicate risk), email address (who registered and when) or company website (who registered and when). At the same time, verify if there is a match between the recipient’s email address and the company website. 

If the data appears to be legitimate, the final step is to validate the business and/or individual. When validating a business, leverage our leading Know Your Business (KYB) verification methods. For an individual, contact the money recipient and use identity verification in order to analyze their photo ID and selfie. At the same time, you can check the money recipient’s device fingerprint. 

Transmit Security Detection and Response

It’s time to move beyond traditional reactive approaches where rules and models are based solely on past observations. Prepare for what lies ahead.

  • Advanced Anomaly Detection: Streamline the detection of anomalies and emerging fraud modus operandi to stay one step ahead of evolving threats.
  • Dark web and threat intelligence: Transmit Security’s Threat Research team continuously monitors the dark web and leverages threat intelligence to proactively address emerging risks. Over time, we continue to build a black list of email addresses, targeted mule accounts, phone numbers and device IDs associated with APP fraud — to protect you more quickly.

Our product redefines fraud management, offering an all-encompassing solution that combines cutting-edge technology and user-centric design, ensuring you stay ahead of evolving APP tactics. Discover Detection and Response or request a meeting so we can help you solve your toughest identity and fraud challenges. 

Authors

  • Danny Kadyshevitch, Senior Product Manager

    Danny Kadyshevitch is a Senior Product Manager at Transmit Security who previously built and led product management for the company's Passwordless and MFA Services and now runs PM for Account Protection Services. Prior to Transmit Security, Danny gained essential experience in the domain of cyber security, serving in the 8200 intelligence unit of the IDF and spending 7 years in Microsoft's Cloud Security division.

  • Brooks Flanders, Marketing Content Manager

    In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her writing career with one of the largest cybersecurity companies in the world. There she wrote about enterprise security and the highly deceptive threats designed to circumvent standard defenses. Nineteen years later, her interest in helping companies solve complex security challenges still runs deep.