Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

APP fraud and the identity trust gap: what should teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: APP fraud reached £583 million in UK losses in 2022, with 77% of fraudulent cases originating online and 17% via SMS or phone calls, according to Prove Identity and UK Finance. The pattern shows that payment controls cannot compensate for weak identity verification and behavioral trust signals.

NHIMG editorial — based on content published by Prove Identity: Decoding APP Fraud and the Evolution of Authorized Push Payment scams

By the numbers:

Questions worth separating out

Q: What breaks when APP fraud controls rely only on OTPs?

A: OTP-only controls break because they verify a message or device, not the legitimacy of the payment request.

Q: Why do real-time payments increase APP fraud risk?

A: Real-time payments compress the window between authorisation and settlement, which gives defenders less time to detect manipulation or reverse the transfer.

Q: What do security teams get wrong about APP fraud prevention?

A: Teams often assume that better education alone will solve the problem, but APP fraud also depends on workflow, timing, and trust signals.

Practitioner guidance

  • Strengthen pre-authorisation risk checks Evaluate beneficiary name mismatch, device reputation, transaction velocity, and channel anomalies before allowing a high-risk transfer to proceed.
  • Bind identity to device context Use device binding and contextual signals so that a legitimate account on an untrusted device does not receive the same trust as a normal session.
  • Target customer warnings to high-risk transfers Replace generic pop-ups with event-specific warnings when the payment pattern matches impersonation, investment, or account-redirection scams.

What's in the full article

Prove Identity's full article covers the operational detail this post intentionally leaves for the source:

  • The PSR reimbursement mandate and how the five-day rule changes fraud operations and customer response paths.
  • Scenario-level examples of romance, purchase, impersonation, and investment scams as they appear in live banking channels.
  • The article's discussion of why generic warnings fail and how targeted prompts change user behaviour at the point of transfer.
  • The vendor's device-binding approach and how it is positioned alongside AI monitoring and human oversight.

👉 Read Prove Identity's analysis of APP fraud, reimbursement pressure, and prevention tactics →

APP fraud and the identity trust gap: what should teams change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

APP fraud is an identity assurance problem disguised as a payments problem. The decisive failure happens before the transfer, when a victim believes the request is legitimate enough to authorise. That means identity verification, channel trust, and behavioural controls need to be treated as one governance plane. For practitioners, APP fraud should be measured as a trust failure, not only a reimbursement event.

A question worth separating out:

Q: Who is accountable when APP fraud payments are authorised under deception?

A: Accountability is shared across the payment provider, fraud operations, and customer protection functions, especially where regulation requires reimbursement within a defined window. The control question is whether the organisation can show reasonable preventative and response measures. Compliance frameworks should be treated as a baseline, not the main defence.

👉 Read our full editorial: APP fraud exposes the trust gap in digital identity verification



   
ReplyQuote
Share: