Push payment fraud happens when someone is manipulated into willingly sending money to a fraudster not by hacking, but by deception.
The victim authorizes the transfer themselves, which is exactly what makes it so difficult to reverse and so hard to prosecute.
What Is Push Payment Fraud?
Push payment fraud also called APP fraud, or Authorized Push Payment fraud is a type of financial scam where the victim is tricked into initiating a bank transfer to an account controlled by a criminal.
The key word is authorized. Unlike card fraud or account takeover, no one breaks into your account. You send the money yourself, under false pretenses.
This matters because most consumer protections in banking are built around unauthorized transactions.
When a fraudster drains your account without your knowledge, banks and regulators have clear frameworks for liability and recovery.
When you authorized the payment even if you were deceived those frameworks often don't apply in the same way.
That gap is exactly what fraudsters exploit.
Push Payments vs. Pull Payments — Why the Difference Matters
In a pull payment, the payee requests funds from the payer think of a direct debit or a card payment at checkout. The payee initiates it.
In a push payment, the payer sends funds directly think of a bank transfer, wire payment, or digital wallet transaction. You initiate it.
Push payments are genuinely useful: faster, no need to share account credentials, and fully in the payer's control. But that same control becomes a vulnerability when the payer has been deceived about who they're paying.
Why These Transactions Are So Hard to Reverse
Real-time payment systems which now operate across the UK, US, India, Australia, and elsewhere settle transactions almost instantly.
Once the money leaves your account, it moves quickly through intermediary ("mule") accounts, often split into smaller amounts to avoid detection.
There is no chargeback mechanism for bank transfers the way there is with credit cards. In practice, the window for recovery is narrow and often closes before a victim realizes what has happened.
How Push Payment Fraud Works — Step by Step
Understanding the mechanics helps. These scams don't succeed by luck — they follow a predictable pattern.
Step 1 — First Contact The fraudster reaches out through phishing emails, spoofed phone calls, text messages, or social media. They typically pose as a trusted entity: your bank, a government agency, a supplier, or someone you've met online.
Step 2 — Building Trust or Urgency Here, fraudsters use one of two psychological levers sometimes both.
Either they build trust slowly over days or weeks (common in romance and investment scams), or they manufacture immediate urgency ("your account has been compromised — act now"). Both bypass careful thinking. Both work.
Step 3 — Triggering the Payment Once trust or urgency is established, the victim is directed to transfer funds to a "safe account," a new supplier account, or an investment platform. The instructions look legitimate. The branding matches. The person sounds authoritative.
Step 4 — Concealing the Funds Payments are quickly moved through multiple accounts or converted to cryptocurrency, making tracing and recovery increasingly difficult.
Speed is the fraudster's advantage here real-time systems work against victims as much as they work for them.
Common Types of Push Payment Fraud
|
Fraud Type |
Primary Target |
Common Trigger |
|
Impersonation Scams |
Individuals (esp. older adults) |
Fake bank/government/tech support call |
|
Investment Fraud |
All age groups |
Fake high-return schemes, crypto platforms |
|
Romance Scams |
Individuals |
Fake identity on dating apps |
|
Purchase Scams |
Individuals |
Fake goods advertised online |
|
Invoice & Mandate Fraud |
Businesses |
Fake supplier invoices, altered payment details |
|
Advance Fee Scams |
Individuals |
Upfront fee promised to unlock larger reward |
|
CEO/BEC Fraud |
Businesses |
Impersonation of senior executive via email |
|
AI-Enabled Scams |
All |
Deepfake audio/video, large-scale targeted attacks |
Impersonation Scams
These are among the most reported. A fraudster poses as a bank employee, government official, or tech support agent sometimes layering all three in a sequence.
As reported by CNBC, the FBI flagged a sharp rise in "phantom hacker" scams in 2023, where criminals impersonate tech support, then a bank, then a government agency each layer adding credibility and urgency.
Victims are ultimately told their accounts are at risk and instructed to move funds to a "safe" account, which the fraudster controls.
Older adults are disproportionately targeted here. In 2024, baby boomers and the Silent Generation accounted for roughly 85% of reported tech support scam losses in the US, according to Deloitte's analysis.
Investment Fraud
The largest APP fraud category by total losses. In 2024, US investment fraud losses were estimated at $4.6 billion up approximately 14 times from 2020.
The most discussed tactic is "pig butchering." As covered by Fortune, fraudsters have extended this scheme to fake mobile trading apps listed on mainstream app stores, making them harder to distinguish from legitimate platforms.
The pattern is consistent: build a relationship, introduce a fake investment opportunity, show false returns, then disappear with the money.
Romance Scams
Fraudsters create fake identities on dating platforms and develop emotional relationships over time. The financial requests come later, framed as emergencies medical bills, flights to visit the victim, sudden crises.
What makes romance scams particularly damaging isn't just the financial loss it's that victims often feel deep shame, which delays reporting.
Invoice and Mandate Fraud
Primarily targets businesses. A fraudster impersonates a supplier and sends what looks like a routine invoice but with updated bank details.
Finance teams process it as normal. By the time the real supplier flags the missing payment, the money is gone.
In practice, finance teams commonly report that these emails are nearly indistinguishable from genuine supplier correspondence. The fraud works precisely because it mimics normal business processes.
AI-Enabled Push Payment Fraud
This is the category that most fraud frameworks haven't fully caught up with yet. Generative AI now allows fraudsters to create convincing voice clones, video deepfakes, and highly personalized phishing messages at scale and at low cost.
A fraudster can now impersonate a CEO's voice on a phone call with convincing accuracy making traditional verification instincts less reliable than they used to be.
Who Is Most at Risk?
Fraudsters don't have a single profile in mind. The approach just shifts depending on the target.
Older adults tend to face higher losses from impersonation and tech support scams.
They typically hold more financial assets, and may be less familiar with the specific tactics fraudsters now use spoofed numbers, official-looking websites, urgency scripts.
Younger generations aren't safer they're just targeted differently. Job opportunity scams, online shopping fraud, and advance-fee traps are more common vectors for Gen Z and millennials. Higher digital payment usage means more exposure.
Businesses face invoice fraud, mandate scams, and BEC (Business Email Compromise) attacks. The finance function specifically anyone with payment authorization authority is the primary target.
The Scale of Push Payment Fraud
The numbers here are worth sitting with. They're large.In the United States, estimated APP fraud losses reached $8.3 billion in 2024.
Deloitte projects this could rise to $14.9 billion by 2028 under a baseline scenario and as high as $18.2 billion if AI-driven fraud outpaces institutional defenses.
These are scenario-based projections, not certainties, but the directional trend is consistent across multiple independent analyses.
Imposter scams alone cost Americans an estimated $2.5 billion in 2024, growing at roughly 27% annually since 2020.
Business imposter scams were the most commonly reported APP fraud type, with over 360,000 reported cases.
In the UK, losses were estimated at $587.2 million in 2022, projected to reach $934.7 million by 2027.
What's often overlooked is that these figures almost certainly undercount the real picture. Many victims don't report out of embarrassment, uncertainty about what to do, or simple lack of awareness that a fraud authority exists.
How Regulation Is Responding
The regulatory landscape varies significantly by country. The UK has moved furthest. Most other markets are still catching up.
United Kingdom
The UK's Payment Systems Regulator (PSR) introduced a mandatory reimbursement rule in June 2023.
Under this rule, APP fraud liability is split 50/50 between the sending bank and the receiving bank shifting meaningful responsibility onto receiving banks for the first time.
Previously, receiving banks had little formal accountability for funds flowing into accounts they held.
The Financial Conduct Authority (FCA) also amended payment regulations to allow payment service providers to delay suspicious outbound Faster Payment transactions by up to four business days giving investigators time to act before funds become irrecoverable.
Confirmation of Payee (CoP) — a name-checking service that verifies recipient account details before a transfer completes — has also been implemented across UK banks.
United States
The legal picture is significantly different. US consumers generally cannot rely on mandatory reimbursement for APP fraud. Liability falls primarily on the victim unless they can prove their account was accessed without their authorization.
Some legislative movement is underway. The TRAPS Act, proposed in June 2025, aims to establish a federal task force on digital payment scam prevention.
The Aspen Institute's National Task Force for Fraud and Scam Prevention brings together 33 organizations across banking, tech, and federal agencies. These are steps, but no comprehensive federal framework currently exists.
Other Markets
Australia has implemented Confirmation of Payee and is piloting an SMS Sender ID Registry, allowing telecoms to verify that messages come from legitimate registered businesses blocking a common impersonation vector at the source.
India's liability framework remains ambiguous. Victims are generally treated as responsible for a first-time loss, with banks expected to tighten security protocols afterward.
|
Country |
Mandatory Reimbursement |
Confirmation of Payee |
Regulatory Body |
|
United Kingdom |
Yes (PSR, 2023) |
Yes |
PSR / FCA |
|
United States |
No |
No (under discussion) |
FTC / CFPB |
|
Australia |
Partial |
Yes |
ASIC / ACCC |
|
India |
No (case-by-case) |
No |
RBI |
How Banks Detect and Prevent Push Payment Fraud
Detection has become more sophisticated but it's genuinely a moving target.Real-time transaction monitoring assesses payment patterns continuously, flagging anomalies like unusual amounts, unfamiliar payees, or atypical timing.
Post-PSR, UK banks now monitor both inbound and outbound transactions a meaningful operational shift.
Behavioral analytics and device fingerprinting build a baseline of what "normal" looks like for each customer.
A sudden transfer to a new account for an unusually large amount, initiated from a different device, raises a flag.
Cross-institution intelligence sharing allows banks to flag mule accounts and share fraud signals in real time.
In practice, organizations commonly find this is one of the most effective deterrents but it requires infrastructure and cooperation that takes time to build.
AI and machine learning now power risk scoring, anomaly detection, and anti-money laundering monitoring.
The practical challenge is calibration: fraud detection that's too aggressive generates false positives, frustrating legitimate customers. Too permissive, and fraud gets through.
How to Protect Yourself
Some of this is straightforward. Some of it cuts against instincts which is exactly why fraudsters rely on it.
For Individuals
- No legitimate bank will ever ask you to move money to a safe account. Full stop. That request is the scam.
- If someone calls claiming urgency — hang up and call back using a number you find independently, not one they provide.
- Take your time. Urgency is a tactic. A real emergency can withstand a 10-minute pause.
- Never share OTPs or login credentials over the phone or by email, regardless of who is asking.
- If a deal, investment return, or job opportunity looks significantly better than market rate — that's a signal, not a reward.
For Businesses
- Require dual authorization for all payments above a defined threshold.
- Treat any emailed request to change supplier payment details as high risk — verify through a separate, pre-established channel (not by replying to the same email).
- Train staff in finance and accounts payable to recognize BEC-style social engineering. These emails are specifically designed to look routine.
- Confirm new payee details through direct phone verification before any first payment is made.
What to Do If You Have Been Targeted
If you suspect you've been a victim of push payment fraud, speed matters more than almost anything else.
Contact your bank immediately. The faster you report it, the better the chance of any recovery. Banks can sometimes flag and halt transactions that are still in process.
Report to the relevant authority. In the UK, that's Action Fraud. In the US, the FTC and FBI's Internet Crime Complaint Center (IC3) both accept reports. Reporting also helps build the data picture that informs future regulation and prevention.
Do not send more money. A common follow-up scam involves the fraudster posing as a recovery service or regulatory body, claiming they can retrieve your funds for a fee. They cannot. This is a second fraud layered on the first.
Recovery prospects depend heavily on how quickly the fraud is reported and how far the funds have already moved.
In the UK, the PSR's mandatory reimbursement framework provides a formal claim pathway. In the US, recovery is not guaranteed and typically depends on bank discretion and the speed of reporting.
Conclusion
Push payment fraud is a consent-based crime that's what makes it hard to detect, hard to reverse, and hard to regulate. The victim authorizes the transaction.
The bank processes it normally. The fraud happens at the social engineering layer, not the technical one. Awareness, skepticism, and fast reporting remain the most effective individual defenses available.
Frequently Asked Questions
Is push payment fraud the same as APP fraud?
Yes. APP fraud (Authorized Push Payment fraud) is the formal UK regulatory term for the same thing. Other regions use varying terminology, but the core mechanism a victim authorizing a transfer under false pretenses is identical.
Can you get your money back after push payment fraud?
In the UK, the PSR's mandatory reimbursement rule provides a formal recovery pathway. In the US, recovery is not guaranteed and depends on how quickly the fraud is reported and bank discretion.
Why can't banks reverse push payment transactions?
Real-time payment systems settle instantly and irrevocably. There is no chargeback mechanism for direct bank transfers. Funds typically move through multiple accounts quickly, making tracing difficult.
What is "pig butchering" in the context of push payment fraud?
A tactic where fraudsters build a relationship with a victim over weeks or months before introducing a fake investment opportunity. The trust-building phase is deliberate designed to lower the victim's skepticism before the deception.
How is AI making push payment fraud worse?
Generative AI allows fraudsters to create voice clones, deepfake video, and personalized phishing content at scale and low cost making impersonation more convincing and harder to detect through traditional verification.