Definition
APP fraud (Authorised Push Payment fraud) is a fraud in which the victim is manipulated into authorising a transfer themselves, to an account controlled by the fraudster.
The transfer is technically legitimate — the victim enters the amount, completes the SCA, confirms — but they have been deceived about the beneficiary's identity. It has become the leading transfer fraud in Europe and the United Kingdom since 2020, fuelled by the widespread adoption of instant transfers (SCT Inst).
APP fraud vs card fraud
The difference is fundamental:
- Card fraud (cloning, card not present): the transaction is not authorised by the cardholder. The 3DS2 liability shift or PSD2 protects the victim, who is generally reimbursed.
- APP fraud: the transaction is authorised by the payer, who has completed their SCA. Without specific regulation, the victim is not reimbursed. It is this imbalance that the PSR aims to correct.
The main modi operandi
- Fake bank adviser: a fraudster poses as the bank's fraud department and asks the victim to transfer their funds to a "safe account" that the fraudster controls. This is the most widespread scenario in France and the UK.
- Fake bank details / fake supplier: interception of an invoice, alteration of the bank details; the payer (often an SME or an individual paying a tradesperson) transfers to the wrong account.
- Romance scam: a virtual relationship of several months, then "urgent" transfers. Sometimes huge losses (€50K to €500K per victim).
- Investment scam: fake crypto or FX platforms promising miraculous returns; the victim transfers and recovers nothing.
- Mule account: the beneficiary account is often opened by a mule (themselves recruited through a scam). The funds pass through it and are laundered in a cascade.
- Phishing + transfer: a fake email (tax office, social-security agency, delivery) triggering a "small" adjustment transfer.
Why it is exploding
Three factors combine:
- Instant transfer: the funds are irrevocable within seconds, versus 1 to 2 days to recall a classic SCT.
- Strong SCA: paradoxically, the authentication reinforces trust — having validated, the victim does not suspect the deception.
- AI-equipped social engineering: voice deepfakes, spoofing of the bank's number, conversational bots — the attack is industrialising.
In France, the Observatoire de la sécurité des moyens de paiement (Banque de France) highlights the strong growth of transfer fraud linked to the manipulation of the payer, which has become a significant share of non-cash fraud.
Regulation: VoP and PSR
Two major tools in response:
- VoP (Verification of Payee): since October 2025 (the IPR regulation), every PSP must check the match between name and IBAN before executing a transfer, which blocks fake-bank-details attacks.
- PSR (Payment Services Regulation, proposed in 2023, expected to apply in 2026-2027): provides for mandatory reimbursement of the payer in certain APP fraud cases (notably spoofing), shared between the payer's and the beneficiary's PSPs.
In the United Kingdom, the PSR (there, the Payment Systems Regulator, not the EU regulation above) has imposed, since 7 October 2024, mandatory reimbursement of up to £85,000 per victim on Faster Payments, shared 50/50 between the two PSPs — a precedent closely watched in Europe.
On the bank's side: transaction monitoring
Banks invest in transaction monitoring (Hawk, ComplyAdvantage, Sardine, Featurespace, Feedzai) to:
- spot unusual beneficiaries (first transfer to a new IBAN, especially a foreign one);
- detect attack patterns (closely spaced transfers, atypical round amounts);
- identify mule accounts (recent account, little activity, sudden inflow);
- trigger friction (warning pop-up, phone verification, delay on the first transfer to a new beneficiary).
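The payer-side checks in this list (new or foreign beneficiary, closely spaced transfers, round amounts, then friction) can be written as a small rule engine. This is an added example, not code from any vendor or bank named on this page. The field names, the thresholds (a beneficiary counts as "new" for 24 hours after the first transfer, a 30-minute burst window, the round-amount rule), the home country and the friction labels are assumptions, and the sample transfers are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Transfer = namedtuple("Transfer", "ts payer iban amount")  # iban = beneficiary
HOME_COUNTRY = "FR"                   # assumption: the payer's PSP is French
NEW_FOR = timedelta(hours=24)         # assumption: IBAN stays "new" this long
BURST_WINDOW = timedelta(minutes=30)  # assumption: "closely spaced" window
ROUND_STEP, ROUND_MIN = 500, 1000     # assumption: what counts as "round"

def signals(t, history):
    """Signals for transfer t, given the same payer's earlier transfers."""
    found = []
    first_seen = min((h.ts for h in history if h.iban == t.iban), default=t.ts)
    if t.ts - first_seen < NEW_FOR:
        found.append("new_beneficiary")
        if t.iban[:2] != HOME_COUNTRY:
            found.append("foreign_iban")
    if sum(1 for h in history if t.ts - h.ts <= BURST_WINDOW) >= 2:
        found.append("burst")
    if t.amount >= ROUND_MIN and t.amount % ROUND_STEP == 0:
        found.append("round_amount")
    return found

def friction(found):  # map signals to the friction applied before execution
    if "new_beneficiary" in found and len(found) >= 3:
        return "delay_and_phone_check"
    if "new_beneficiary" in found or len(found) >= 2:
        return "warning_popup"
    return "none"

def screen(transfers):  # time-ordered; returns [(transfer, signals, action)]
    history, results = {}, []
    for t in sorted(transfers, key=lambda x: x.ts):
        past = history.setdefault(t.payer, [])
        found = signals(t, past)
        results.append((t, found, friction(found)))
        past.append(t)  # attempts count as history even when held
    return results

# Constructed sample data; the IBANs are fake and not checksum-valid.
RENT, SAFE = "FR7600000000000000000000001", "LT000000000000000001"
D = datetime(2025, 11, 3, 10, 0)
SAMPLE = [
    Transfer(D - timedelta(days=60), "alice", RENT, 820.0),
    Transfer(D - timedelta(days=30), "alice", RENT, 820.0),
    Transfer(D, "alice", SAFE, 5000.0),
    Transfer(D + timedelta(minutes=4), "alice", SAFE, 5000.0),
    Transfer(D + timedelta(minutes=9), "alice", SAFE, 4500.0),
]
```

Calling `screen(SAMPLE)` gives a pop-up on the first rent payment, no friction on the second, and a delay with phone check on all three "safe account" transfers, because the beneficiary stays new for 24 hours instead of becoming trusted after one payment.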
What APP fraud is not
- Not a technical fraud: no compromise, no unauthorised transfer — it is a human and social fraud.
- Not covered by the PSD2 fraud regime: the directive protects unauthorised payments, not those authorised under deception — hence the PSR.
- Not a synonym for CEO fraud: CEO fraud is one form of it, on the company side; APP fraud encompasses both individuals and companies.
- Not a chargeback case: there is no chargeback on a transfer; the victim must claim from their PSP, which decides.
In the PSD2 ecosystem
APP fraud is the major blind spot of PSD2: the directive secured the authorisation (SCA) but not the real intent of the payer. PSR, VoP, transaction monitoring and customer education make up the 2025-2027 response arsenal — one of the hottest topics in payments regulation in Europe.
Concrete examples
- Fake bank adviser: "I'm from your bank's fraud department, we've detected a suspicious operation, transfer your funds to this safe account." Victims of all ages, especially over 60, for average amounts of €3K to €30K.
- Romance scam: strong growth since 2020; the relationship is maintained for 3 to 12 months before repeated transfers, sometimes more than €100K in total.
- Investment scam: fake crypto platforms promising 10% a month; the transfers grow, then the platform disappears at the moment of withdrawal. The AMF and the Banque de France publish blacklists.
- United Kingdom: since 7 October 2024, 50/50 reimbursement between PSPs up to £85,000 — with, in return, a lot of added friction (cooling-off, pop-up).
- VoP in the euro area: since 9 October 2025, banks display a warning when the beneficiary's name does not match the IBAN; the real effect on fake-bank-details fraud remains to be measured.
- Transaction monitoring: Revolut, N26 and Lydia have invested in proprietary engines coupled with Sardine or Featurespace; "this beneficiary is new, are you sure?" pop-ups are becoming the norm.
- Underlying tension: the final PSR, expected in 2026, will increase friction on transfers (delays, cooling-off) at the cost of UX — the balance between fraud prevention and payment simplicity.