Authorized push payment (APP) fraud is rampant, affecting millions of individuals and businesses annually. In the UK, APP fraud losses are expected to exceed $811 million by 2028, and in the US, they’re on track to top $3 billion.
If you’re a merchant, you might be worried about what these figures mean for you. You might be concerned about:
- Rising operational costs: Even though APP fraud often bypasses traditional chargebacks, you may still face disputes, transaction reversals, or platform scrutiny that disrupts cash flow.
- Legal and compliance risks: In cases where customers claim you were negligent, for example, by failing to detect a blatant scam, you could face legal action or regulatory pressure. Some merchants have had funds frozen or lost access to key payment methods after a fraud incident.
- Reputational damage: Even if your systems weren’t compromised, customers often associate your brand with the transaction. That perception of being “unsafe” can lead to lost trust, abandoned checkouts, and long-term churn.
In this article, we'll cover what authorized push payment fraud is, how it works, and some common tactics fraudsters use. Then, we’ll share how to identify and protect your business and your customers against authorized push payment fraud.
What are push payments?
Push payments occur when the payer initiates the transaction, pushing the funds to the payee. Think of it as a digital equivalent of handing over cash. The payer takes control and directs the money to its destination, as in a bank transfer.
Conversely, card payments work like a pull mechanism. The payer provides information to the merchant, who then pulls the funds during settlement through their payment gateway.
What is authorized push payment fraud, and how does it work?
APP fraud is a scam in which the victim is tricked into willingly sending money to a fraudster. This typically happens through deception, where the fraudster impersonates someone trustworthy or invents a compelling scenario that causes the victim to act.
In APP fraud, the victim initiates and authorizes the transaction themselves. From the bank’s perspective, this makes the payment appear legitimate. Because the transaction was "authorized," traditional fraud detection tools may not flag it, and the victim may not be entitled to reimbursement.
Scammers often rely on psychological manipulation, urgency, or social pressure to convince victims to act quickly. APP fraud can affect individuals, businesses, and even employees in finance roles who are deceived into paying fake invoices or settling fraudulent requests.
Under new rules from the Payment Systems Regulator, banks in the UK are now required to reimburse most APP fraud victims. In other countries, victims may still be liable for the loss, which makes education and prevention even more critical.
4 common types of authorized push payment scams
Authorized push payment fraud can take a few different forms. Here are a few of the most common types of scams affecting individuals and businesses.
1. Social engineering purchase scams
In some cases, APP fraud happens when a scammer impersonates a legitimate business or creates a fake online storefront. Unlike card fraud, which may allow chargebacks, these scams often involve real-time bank transfers or peer-to-peer payments, which are harder to reverse and fall outside standard consumer protections.
Example:
John buys a new TV from a well-known retailer. After it arrives, he posts a picture of it on his public Instagram using a branded hashtag. A scammer monitoring social media spots the post, then creates a fake website mimicking the retailer and finds John’s email through his personal website.
The scammer emails John with a fake “VIP loyalty reward”, offering 50% off a matching soundbar if paid via instant bank transfer. The email uses official branding and mentions details from John's recent order to look credible.
John clicks through, places the order, and pays via bank transfer using the provided details. Days later, when the soundbar doesn’t arrive, John contacts the retailer, only to find that no such promotion ever existed. Because he willingly initiated the transfer, he can’t recover the funds from his bank.
2. Romance scams
Romance scams involve the attacker developing a fake relationship with the victim over time to build trust and manipulate emotions. Once the victim feels a strong connection, the fraudster invents an urgent need for money.
Example:
Amanda, a marketing executive in Portland, meets “Daniel” through a dating app. They message frequently over the next several weeks and develop a close bond. Daniel says he is working overseas but plans to visit Amanda soon. Just before his scheduled return, Daniel says he has been stranded due to a travel issue, and his bank card was frozen. He asks Amanda to wire him $2,500 for hotel costs and flight rebooking.
Amanda agrees. After the money is sent, Daniel gradually stops replying. She later learns the hotel never had a booking, and no such flight existed. Romance scams are particularly damaging because they result in both financial and emotional harm.
3. Invoice redirection scams
Invoice scams are often used to target businesses. Fraudsters monitor communications and then impersonate a supplier or service provider to redirect payments to a fraudulent account.
Example:
Samantha, a finance manager at a mid-sized architecture firm, receives an email from a regular supplier notifying her of new bank account details. The email looks authentic, complete with the supplier’s logo and signature, and references a current invoice. Believing the change is legitimate, Samantha updates the payment information and transfers $18,000.
Days later, the genuine supplier calls to ask about the overdue invoice, and the fraud is discovered. These scams often rely on spoofed email domains or social engineering techniques to gain enough context to appear credible, even without breaching any systems.
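A payment-release control for the scenario above, written as an added example (not code from this article or from Primer). The record layout, the 14-day cooling-off window, and the account identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=14)  # assumed policy value, tune to your own risk appetite

@dataclass
class BankDetailChange:
    account: str             # requested new account (constructed sample values)
    requested_on: date
    channel: str             # how the request arrived, e.g. "email"
    callback_verified: bool  # confirmed by phoning a number already on file

@dataclass
class Vendor:
    name: str
    verified_account: str    # last account confirmed out-of-band
    changes: list            # BankDetailChange history, oldest first

def review_payment(vendor, payee_account, today):
    """Return (decision, reasons) for an outgoing supplier payment."""
    reasons = []
    if payee_account != vendor.verified_account:
        # Find the most recent change request that introduced this account.
        change = next((c for c in reversed(vendor.changes)
                       if c.account == payee_account), None)
        if change is None:
            reasons.append("payee account not on vendor record")
        else:
            if not change.callback_verified:
                reasons.append(f"bank details changed via {change.channel} "
                               "without callback verification")
            if today - change.requested_on < COOLING_OFF:
                reasons.append("bank details changed inside cooling-off window")
    return ("HOLD" if reasons else "RELEASE", reasons)

if __name__ == "__main__":
    # Constructed data modelled on the example: an emailed change, paid two days later.
    supplier = Vendor("Constructed Supplier Ltd", "ACCT-OLD-0001",
                      [BankDetailChange("ACCT-NEW-9999", date(2025, 3, 3), "email", False)])
    print(review_payment(supplier, "ACCT-NEW-9999", date(2025, 3, 5)))
```

The control holds the payment on two independent grounds, so a convincing email alone never moves money to a new account.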
4. Executive impersonation scams (including AI-generated fraud)
Some APP scams target employees inside businesses, especially those with access to company funds. Fraudsters may impersonate executives or suppliers, using social engineering and sometimes AI-generated content to make their messages more convincing.
Example:
Jenny, a senior accountant at a mid-sized tech company, receives an email that appears to be from her CFO, Shira. The message requests a $10,000 transfer to secure a deposit on an event space for an upcoming company conference.
The email sounds exactly like Shira. It uses her usual tone, references internal planning conversations, and even includes personal quirks, like double-spacing after periods. The domain name looks nearly identical to the company’s, and there are no red flags in the formatting or signature.
Unbeknownst to Jenny, a fraudster has been monitoring the company’s event planning updates online and used an AI writing assistant to craft a near-perfect spoof of Shira’s voice. The scammer registered a fake domain that closely matches the company’s real one and sent the message from there.
Jenny initiates the bank transfer without questioning it. Hours later, the real Shira mentions she’s still reviewing venue proposals, and that’s when the fraud is discovered.
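The near-identical sender domain in this example is something a mail gateway or finance workflow can check for. The following is an added example, not code from this article or from Primer; the domain names are constructed, and the confusable-character table and distance threshold are illustrative assumptions.

```python
# Visually confusable sequences folded to one form (small illustrative set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Normalize a domain so that look-alike spellings compare equal."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap adjacent."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address, trusted_domains, max_distance=2):
    """Return ("trusted" | "lookalike" | "external", matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted_domains:
        return ("trusted", domain)
    for t in trusted_domains:
        # Close but not equal to a trusted domain is the suspicious case.
        # Very short domains need a lower max_distance to avoid false positives.
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= max_distance:
            return ("lookalike", t)
    return ("external", None)

if __name__ == "__main__":
    trusted = {"northwind.example"}  # constructed company domain
    for sender in ("shira@northwind.example", "shira@northvvind.example",
                   "shira@nortwhind.example", "sales@venue-hire.example"):
        print(sender, classify_sender(sender, trusted))
```

A "lookalike" result is a reason to quarantine the message or to require confirmation through a known channel before any payment request in it is acted on.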
The impact of authorized push payment fraud
APP fraud can be financially catastrophic for businesses and individuals. Take a look at these sobering statistics:
- Globally, APP scams are still the number one fraud threat, followed by card fraud and identity theft
- 1 in 3 UK consumers have fallen victim to APP fraud, and 53% of customers say it's getting harder to spot and prevent an attack
- 35% of victims of APP fraud said the scam negatively impacted their willingness to send a payment to a new payee
- Scams using real-time payment rails are predicted to climb from 63% of total APP fraud in 2023–24 to 80% by 2028, accounting for an additional $3.3 billion in projected financial damage
How to identify and prevent authorized push payment fraud
Detecting APP fraud requires robust tools and a proactive strategy. Behavioral profiles, biometrics, and risk-based algorithms are pivotal. Given the high risk, merchants should implement measures to protect themselves and their customers.
To help protect customers, merchants should focus on:
- Educating customers about APP fraud warning signs.
- Advising customers on what to do if they suspect a scam.
- Monitoring their platforms for suspicious behavior with analytics tools.
- Using fraud prevention tools with features like behavioral analysis and push payment risk scoring.
Merchants should also consider these measures to protect their business from APP fraud:
- Training employees to manage APP fraud.
- Safeguarding personal information with strong passwords and 2FA.
- Using secure payment methods that require two-factor authentication.
- Keeping software up-to-date and monitoring for suspicious activity.
- Developing a comprehensive fraud prevention strategy in partnership with a specialist.
The fight against APP fraud goes on
While APP fraud is increasingly widespread among scammers, it's not the only threat merchants need to worry about. But taking steps to protect your customers can boost your sales, improve your reputation, and protect you against unnecessary expenses.
Read our ultimate guide to payment fraud prevention to learn more about the different types of fraud.
Or, book a call now to speak to one of our consultants and see how we can help you build a more fraud-resistant payment stack.
Frequently Asked Questions (FAQ) about push payment fraud
1. What is authorized push payment (APP) fraud?
APP fraud is a scam in which the victim is tricked into sending money to a fraudster through a payment method they initiate, such as a bank transfer or a peer-to-peer app. Since the transaction is “authorized” by the sender, banks and fraud tools may not block it, and victims often struggle to get reimbursed.
2. How does APP fraud affect merchants?
While merchants are not always directly liable, APP fraud can still lead to chargebacks, frozen funds, lost payment privileges, or platform scrutiny. Reputational damage and lost customer trust are also major risks if your brand becomes associated with scam activity.
3. What are common examples of APP scams?
Common APP scams include fake invoices sent to businesses, executive impersonation using spoofed domains or AI-generated emails, romance scams targeting individuals, and social engineering schemes that mimic trusted brands to trick customers into paying.
4. Can merchants prevent APP fraud?
Yes, merchants can reduce the risk of APP fraud by educating customers, using fraud detection tools, monitoring for behavioral anomalies, and deploying real-time observability. Tools like Primer help by connecting multiple fraud providers and enabling dynamic, no-code payment logic.
5. Why is APP fraud increasing with real-time payments?
APP fraud is growing because real-time payment systems like Faster Payments (UK) or RTP (US) settle instantly, leaving little time to detect fraud or reverse a transaction. Scammers exploit this speed to convince victims to act quickly, often before red flags are noticed.