APP fraud: what every UK business needs to understand

Authorised Push Payment (APP) fraud

Authorised Push Payment (APP) fraud is when a criminal tricks you (or a member of your team) into sending a bank transfer to an account they control. It’s fast, convincing, and it targets businesses of every size—from sole traders to listed companies. In 2023 alone, APP scams cost UK victims ~£460m, and the majority were executed over Faster Payments.

What APP fraud looks like in a business

Common business-targeted variants include:

  • Invoice redirection / “change of bank details”
    Criminals compromise email threads or spoof suppliers, then send “updated payment details” just before an invoice is due.
  • CEO / controller impersonation
    A fraudster posing as a senior leader demands an urgent transfer—often “confidential”—to bypass normal checks.
  • Supplier, lawyer or bank impersonation
    Callers claim to be from your bank’s fraud team or a professional services partner, pressuring staff to “secure funds” by moving money.

These scams exploit the fact that the business itself authorises the transfer—so it isn’t blocked as an “unauthorised” payment. That’s what makes APP fraud so damaging. UK Finance’s definition captures this clearly.

The 2024–2025 rule changes that affect you

The UK Payment Systems Regulator (PSR) introduced a mandatory reimbursement regime for APP scams on 7 October 2024, covering Faster Payments and CHAPS. Key points for businesses:

  • Who’s covered & how costs are shared
    In-scope customers who fall victim to APP fraud must be reimbursed in most cases; the cost is split 50:50 between the sending and receiving payment firms.
  • Time to reimburse
    Firms must reimburse within five business days (with narrow “stop the clock” exceptions while investigating).
  • Excess & cap
    A sending firm may charge an excess of up to £100 per claim (not for vulnerable customers). The maximum reimbursement level is £85,000 per claim for Faster Payments and CHAPS (updated in 2025).
  • Claim window
    Claims can be refused if submitted more than 13 months after the last payment in the scam series.

Important nuance: the PSR originally set the upper cap at £415,000, but following consultation the cap was finalised at £85,000. Don’t assume older guidance still applies.

Why small and mid-sized firms are especially exposed

  • Lean finance teams juggling AP runs under time pressure are prime targets for “urgent” bank detail changes.
  • Supplier diversity creates lots of genuine exceptions—perfect cover for impostors.
  • Hybrid work patterns make out-of-band verifications (e.g., walking to a colleague’s desk) less common.
  • Money-mule networks rapidly launder proceeds; the FCA warns mule recruitment is rising, complicating recovery.

The controls that actually reduce risk

  1. Confirmation of Payee (CoP)—use it, and act on mismatches
    CoP checks the account name against sort code and account number before you pay. Treat “no match” or “close match” warnings as red flags that require secondary verification.
  2. Tighten your payment journey, not just your inbox
  • Dual authorisation for new beneficiaries and bank detail changes.
  • Out-of-band callbacks using verified numbers you already hold—never the number in the email.
  • Delay high-risk payments (e.g., first payment to a new or changed beneficiary) to allow extra verification.
  3. Standard Operating Procedures (SOPs) that staff can follow under pressure
  • A one-page “Change of Bank Details” playbook: the precise steps to verify, who signs off, and what gets documented.
  • No-exceptions policy for “urgent” requests to break process—leaders must model this.
  4. Friction where it counts
  • Payment system rules now drive faster reimbursement decisions, but pre-payment friction (holds, maker-checker, CoP) prevents losses in the first place.
  5. Train for the scam, not the software
    Use UK Finance’s Take Five message—Stop. Challenge. Protect.—in quarterly refreshers. Include call-spoofing roleplays and “CEO urgent transfer” drills.
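The controls above (CoP result, dual authorisation for new or changed beneficiaries, an out-of-band callback, and a hold on first payments to new or changed details) can be encoded as a single pre-payment gate. The example below is added here to illustrate that logic; it is not code from any payment platform, and the data structures, field names, the two-day hold window and the reference date are all constructed assumptions.

```python
# Pre-payment release gate modelled on the controls above: CoP result, dual
# authorisation for new/changed beneficiaries, out-of-band callback, and a
# hold on first payments to new or changed details. Added example; all
# structures, field names and sample values are constructed, not a real API.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

HOLD_DAYS = 2  # assumed: hold window after a change of bank details
TODAY = date(2025, 6, 2)  # constructed reference date for sample runs

@dataclass
class Beneficiary:
    name: str
    sort_code: str
    account: str
    paid_before: bool = False                  # ever paid these exact details?
    details_changed_on: Optional[date] = None  # last "change of bank details"

@dataclass
class PaymentRequest:
    beneficiary: Beneficiary
    amount_gbp: float
    cop_result: str                         # match | close_match | no_match | unavailable
    approvers: set = field(default_factory=set)  # distinct approver ids
    callback_verified: bool = False         # callback made to a number already on file

def assess_payment(req: PaymentRequest, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'release', 'hold' or 'block'."""
    b, reasons = req.beneficiary, []
    # CoP: a no-match is blocked outright; anything short of a full match
    # needs secondary verification before funds move.
    if req.cop_result == "no_match":
        return "block", ["CoP no match: name does not belong to this account"]
    if req.cop_result in ("close_match", "unavailable"):
        reasons.append(f"CoP {req.cop_result}: secondary verification required")
    # First payment to new details, or details changed inside the hold window,
    # is high risk: needs two approvers and a callback to a number on file.
    recently_changed = (b.details_changed_on is not None
                        and today - b.details_changed_on < timedelta(days=HOLD_DAYS))
    if not b.paid_before or recently_changed:
        if len(req.approvers) < 2:
            reasons.append("dual authorisation required for new/changed beneficiary")
        if not req.callback_verified:
            reasons.append("out-of-band callback to number on file not recorded")
        if recently_changed:
            reasons.append(f"details changed on {b.details_changed_on}: hold {HOLD_DAYS} days")
    return ("hold", reasons) if reasons else ("release", [])
```

A "hold" decision is the point at which the one-page playbook takes over; the reasons list tells the approver exactly which verification step is still outstanding.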

If you think you’ve been hit: a 60-minute response plan

  1. Call your bank immediately (use the number on the back of the card / your banking app).
  2. Report to Action Fraud (or Police Scotland if in Scotland). This creates a crime reference and helps law enforcement link mule accounts.
  3. Freeze further exposure: suspend new beneficiary creation, rotate email credentials for affected users, force MFA resets.
  4. Preserve evidence: emails with headers, call logs, payment approvals, CoP screenshots.
  5. Notify impacted suppliers/clients if their details were in the thread.

What reimbursement doesn’t mean

Mandatory reimbursement is a safety net—not a guarantee. Payment firms can decline where the consumer standard of caution wasn’t met or if first-party fraud is suspected, and caps/excesses apply. Build controls assuming you may not get all the money back.

The bigger picture: scale and momentum

  • Losses & volume: APP losses remained in the hundreds of millions; broader UK fraud losses were £1.17bn in 2023 (with shifts into other fraud types).
  • Post-rule performance: Early data and reporting point to higher reimbursement rates under the new regime, with the PSR publishing performance dashboards and guidance through 2025. (Monitor PSR updates for your bank’s performance.)

A quick, practical checklist for UK finance teams

  • Enable CoP checks and block payments on no-match without senior override.
  • Require dual approval for new beneficiaries and any change of bank details.
  • Maintain a trusted phonebook of suppliers’ accounts teams; never call numbers from a change-request email.
  • Use payment holds or delayed release for first-time / high-risk payments.
  • Run quarterly APP-fraud simulations (CEO scam, invoice change, bank-impersonation).
  • Embed a 60-minute incident playbook and train everyone who can move money.
  • Track PSR policy updates and your bank’s APP fraud performance data.

Useful links for your policy pack

  • APP fraud: consumer protections & how reimbursement works (PSR) — what’s covered, timelines, and exceptions.
  • Consolidated policy statement PS25/5 (May 2025) — latest cap (£85,000), excess, timelines, and scope across Faster Payments & CHAPS.
  • UK Finance: APP fraud and “Take Five” — plain-English training materials for staff awareness.

APP fraud is engineered to slip past traditional controls because you authorise the transfer. The UK’s reimbursement regime offers welcome protection, but the strongest defence is still process discipline plus name-check (CoP), dual approvals, and trained people who pause when something feels “urgent” or “off.”
