How to recognize and prevent authorized push payment (APP) fraud

Learn how scammers manipulate customers into sending money — and what banks and fintechs can do to detect and prevent APP fraud before it happens.

Your phone rings. It’s your bank calling to alert you to suspicious activity on your account. The representative explains that someone is trying to drain your funds, and if you want to protect your money, you need to transfer your balance to a separate, secure account immediately. They guide you through the process step by step, reassuring you the entire time. You complete the transfer, relieved that your money is safe.

Except it wasn’t your bank on the phone. And the “secure account” belongs to a scammer, not you.

This scenario is an example of authorized push payment (APP) fraud, and these scams are becoming increasingly difficult to detect. And they’re everywhere. Alloy’s 2025 State of Scams Report found that the top reported scam tactics included common drivers of APP fraud, such as phishing, romance, deepfake/AI, and investment scams. As these tactics grow more sophisticated and affect more victims, the costs continue to climb. Deloitte projects APP losses alone could amount to $14.9B by 2028.

To fight APP fraud, you have to understand it. This post breaks down everything you need to know to keep these fraudsters at bay.

What is authorized push payment (APP) fraud?

APP fraud, sometimes called an imposter scam, occurs when a fraudster swindles an authorized user into transferring money to a bad actor. Unlike account takeover (ATO) fraud, where criminals steal credentials to access accounts, APP fraud relies on the victim voluntarily initiating the transaction. Scammers use manipulation and manufactured urgency to convince targets to act quickly, often before they have time to think critically about what’s happening.

But what makes APP fraud particularly harmful (and effective) is its reliance on social engineering: using psychological manipulation to get victims to do what the bad actor wants. It’s no wonder that the State of Scams Report found that victims of fraud feel that emotional distress is just as significant a consequence as their financial losses.

As real-time payments have become more prevalent, so too has APP fraud. It’s easier than ever to move money and increasingly difficult to recover it once it’s gone. This speed creates the perfect conditions for APP fraud to flourish.

Learn more about the various types of real-time payments, their processing speed, and whether or not they are reversible.

How do APP scams happen?

APP fraud typically begins through familiar communication channels: text messages, emails, phone calls, or social media. From there, scammers guide their targets to digital finance applications like Venmo, Cash App, Zelle, and the UK’s Faster Payment System (FPS). They also exploit other channels like wire or crypto rails. 

Real-time payment channels have become preferred for fraudsters because of the speed of the transactions. Once the money has left an account, the options to recover it vary widely and depend on the platform; it’s rarely a straightforward process. Regardless of the channel, what makes APP so hard to catch is the legitimate nature of the payments: The individual is sending the money themselves, but under false pretenses. 

Artificial intelligence (AI) is only making fraud detection more challenging. Alloy’s 2025 State of Scams Report found that 85% of Americans worry that scams are becoming harder to spot because of AI — and with deepfakes and generative AI content more accessible than ever, that concern is founded. When a scammer can clone someone’s voice from a few seconds of audio or create a convincing video of a bank executive, the line between legitimate and fraudulent communication is dangerously blurred.

Explore how AI is accelerating social engineering scams and what you can do to protect yourself and your customers.

What are typical authorized push payment fraud methods?

While fraud methods evolve as scammers adapt their tactics, there are several categories that continue to be used. Understanding these common schemes helps both financial institutions and consumers recognize red flags before it’s too late. They include: 

• Social engineering scams: Fraudsters impersonate a legitimate party (like an employee from the victim’s bank), who reaches out through an everyday social interaction — like email (phishing), text message (smishing), or phone (vishing) — to trick them into sending them money.
• Vulnerable adult and elder abuse scams: Scammers target elderly adults or adults who have some type of cognitive impairment to trick them into sending money, creating a sense of urgency, typically involving some kind of false emergency involving a loved one.
• Romance scams: Popularized by MTV’s Catfish TV show, bad actors create a fake online identity and build a relationship with an unsuspecting target over weeks, months, or sometimes years, eventually manipulating the victim into sending them money or expensive gifts.
• Investment scams: Criminals convince victims to invest money into stocks, crypto, real estate, or another valuable asset, presenting fake returns and data from a real investment they’re not involved with or making up a fake investment opportunity altogether.
• Purchase and invoice scams: Fraudsters trick both consumers and businesses into paying for goods or services they’ll never receive or into redirecting payment for legitimate purchases into fraudulent accounts.

Learn more about these scams and more in our fraud types deep dive guide

Who is liable for money stolen from APP fraud?

The methods of APP fraud are complex, and unfortunately, so is the question of legal and financial responsibility for APP fraud losses. This ambiguity creates an added layer of frustration for both FIs and fintechs as well as scam victims.

Historically, the sender of a push payment has been liable for the transaction, as they did transfer money themselves. However, because of the manipulation involved, some financial institutions will try to recover or reimburse some or all of the stolen amount. While FIs are often not legally responsible for reimbursement of lost funds, many choose to offer goodwill credit to maintain strong customer relationships. Though this represents a financial loss in the short term, the long-term benefits of maintaining trust and reinforcing a positive reputation can outweigh the immediate financial hit.

However, there are cases where financial institutions and fintechs are responsible for reimbursement (depending on the scheme, channel, level of customer involvement, and other factors), and that liability may become more common in the future. The regulatory landscape is beginning to catch up to fraudsters, starting with first-of-its-kind legislation in the UK that requires payment service providers to reimburse victims of APP fraud. The National Clearing House Association (NACHA), the organization that governs the ACH network, announced new rules that require banks to enhance monitoring ACH transactions.

The reality of reimbursement, however, remains complex, dependent on factors such as the payment channel used, the specific type of scam, how quickly the fraud was detected, and the level of customer involvement. Still, 67% of consumers surveyed in Alloy’s 2025 State of Scams Report believe their financial institutions should reimburse them for money lost in a scam, even when they personally authorized the transaction. 

How to prevent authorized push payment fraud

How can banks and fintechs improve APP fraud prevention?

Effective APP fraud prevention requires a multi-layered approach that addresses vulnerabilities throughout the entire customer lifecycle. Unlike ATO fraud, where stolen credentials provide an early warning sign to potential victims, APP fraud warning signs are harder to spot. Banks and fintechs can focus on prevention through three main approaches:

• Verifying behavioral patterns throughout the entire customer lifecycle: Leverage technology that provides advanced multi-factor authentication, biometric checks, and device intelligence to create a baseline understanding of normal customer behavior. Unusual behavior, like logging in from a new device or making a series of large transfers to a new recipient, can trigger additional fraud checks in real time. 
• Deploying multi-layered, AI-driven fraud detection and automated step-up verification: Add layers of security introduces friction into processes to slow down high-risk transactions. This provides intended victims with crucial time to recognize what’s happening and stop the transfer.
• Building evolving identity risk profiles: By analyzing real-time transaction patterns, user behavior, and device data, financial institutions can build individual risk profiles that can be monitored throughout the customer lifecycle. These profiles can help flag early warning signs of APP fraud before money changes hands, based on personalized risk signals.

How can customers better protect themselves against APP fraud?

Consumer education remains one of the most powerful tools in the fight against APP fraud, but to be effective, it must be ongoing and adaptable as scammer techniques evolve. While the State of Scams Report shows that consumers often feel a strong sense of personal responsibility when a scam occurs, they also believe their financial institutions share nearly equal responsibility in preventing these attacks. In short, a partnership between FIs and customers is essential to prevent APP fraud.

Consumers can help fight fraud by:

• Leveraging educational resources:  Banks, fintechs, and other organizations provide educational resources that go beyond generic warnings. There may be classes, quizzes, or other tools that can offer helpful insights into what to do when they’re suspicious of fraud and how to verify communications are legitimate.
• Getting familiar with different types of APP fraud: With so many types of fraud out there, it can be hard to keep up. But when you know what to look for, scams will stick out like a sore thumb — even if they’re sophisticated. 
• Speaking out if they are scammed: Alloy found that the majority of consumers believe they can recognize financial fraud. But when they do fall victim to a scam, feelings of shame and embarrassment keep them from sharing their experience, which only helps scammers. Normalizing these conversations proves that anyone can be a target, and empowers customers to report fraud right away.

Stop APP fraud before it starts

Alloy’s identity and fraud prevention platform helps financial institutions and fintechs stay ahead of fraud throughout the customer lifecycle. Our end-to-end solution moves faster than the pace of fraud, offering protection through:

• AI-powered risk profiles that evolve as customer behavior changes
• Automated identity verification that catches suspicious activity early
• Ongoing behavioral insights that flag potential manipulation and fraudulent transactions

With Alloy, you can stop APP fraud at the source: flagging suspicious identities and behavioral activity before a single dollar leaves your customers' accounts.