Push Payment FraudHow to Spot & Limit Exposure to Push Payment Scams for Merchants, Banks, & Consumers

David Pirtle | June 16, 2025 | 12 min read

This featured video was created using artificial intelligence. The article, however, was written and edited by actual payment experts.

What is Push Payment Fraud?

In a Nutshell

APP fraud is a modern take on one of the oldest scams in the book. It’s wreaking havoc in international commerce, but are US consumers and merchants at risk? This article will take a deep dive into authorized push payment fraud to explain what it is, how it works, who it targets, and how you can keep it from impacting your bottom line.

How to Identify Push Payment Fraud Before It’s Too Late

New technologies present new opportunities for businesses to reach customers and conduct transactions. So-called “push” payments, or buyer-initiated purchases, are one example.

Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation. Push payments are no exception.

In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics that merchants, banks, and cardholders can use to protect themselves from this emerging threat.

What is Push Payment Fraud?

Push Payment Fraud

[noun]/po͝oSH • pā • m(ə)nt • frôd/

Authorized push payment fraud, or APP fraud, happens when a cybercriminal tricks a consumer into authorizing a payment under false pretenses. During the APP scam, the fraudster will pretend to be someone the individual trusts, like a bank or utility provider, then attempt to convince the individual to authorize the payment without much consideration.

Push payments occur when senders initiate and authorize payments to recipients. This stands in contrast to pull payments, which happen when recipients request (or “pull”) funds from senders.

Pull Pay
Merchant requests payment from buyer.
Buyer authorizes payment, and merchant submits payment for clearing.
Issuer releases funds to cover authorized amount.
VS
Push Pay
The merchant provides a request for payment to buyer.
Buyer initiates payment to merchant.
Buyer authorizes payment, submitting directly for clearing.

Push payment fraud involves manipulation of push payment users by a scam artist. Here, the fraudster uses deception, threats, or false urgency to trick victims into initiating (or “pushing”) payments to unintended recipients.

For example, fraudsters may pose as a legitimate recipient, like a friend, vendor, or business associate. Other times, they may coerce or blackmail victims into sending payments to recipients they do not know.

No matter the tactics employed, though, the outcome of all push payment scams are basically the same: they cause individuals or merchants to unfairly lose hundreds or thousands of dollars.

Common QuestionWhat is a Push Payment?In essence, a push payment is a merchant-initiated payment. They let merchants provide invoices to buyers. Sellers can also submit payment requests through P2P apps like Venmo or Cash App. Buyers can then fulfill payments themselves; they don’t need to wait for merchants to batch and submit transactions for settlement.

How Does Authorized Push Payment Fraud Work?

Do you remember that old “Nigerian Prince” scam from the early days of the internet?

You’d get an email from somebody claiming to be foreign royalty. The sender would say they need you to give them a small, temporary loan. In exchange, you’d be entitled to a big reward later, once the prince reclaims the family fortune. Authorized push payment fraud actually has a lot in common with that trick, just in a more modern format.

APP fraudsters will begin by researching their victims. They will then carefully engineer a scenario through which they will attempt to manipulate an individual into approving a payment or releasing sensitive account information.

How Push Payment Fraud Works

Common Tactics Used in Push Payment Fraud Attacks

Unlike unauthorized fraud — which occurs when a criminal accesses an account without permission — push payment fraud hinges on deceiving the victim into authorizing the payment themselves.

For this reason, push payment fraudsters typically resort to some form of trickery, manipulation, or identity theft to carry out their attacks. A few common methods that fraudsters use include:

Social Engineering

This occurs when a fraudster impersonates a trusted individual, such as a representative from a billing department, and contacts the cardholder directly. The fraudster uses targeted, personal details to convince the cardholder to change personal account details. The next time the cardholder tries to make a push payment, the money gets routed to the fraudster’s account, rather than the merchant’s.

Learn more about social engineering

Phishing

A fraudster impersonates a merchant and sends a fake invoice to a cardholder. The cardholder, assuming that the invoice is legitimate, makes the requested payment. The funds, however, go to the fraudster. This is phishing in the sense that the fraudster will often send fake invoices to multiple cardholders in hopes that at least a few will take the bait.

Learn more about phishing

Account Takeover

A fraudster gains access to partial or complete cardholder information. This can be done by stealing the information or buying it on the dark web. The fraudster then uses that information to try and conduct push payments to themselves.

Learn more about account takeover

Common Targets of Push Payment Fraud

Push payment fraudsters are especially interested in going after well-resourced businesses. The rationale is obvious: tricking a single victim into sending a lot of money is more profitable and efficient than having to carry out dozens of low-value push payment scams.

From a tactical standpoint, scammers may also intentionally target complex push payments. For instance, those involving several steps or complicated pre-transaction procedures.

These two facts mean that certain push payment transactions are especially vulnerable to APP attacks. Examples include:

High-Value Transactions

The more money involved in a single transaction, the more likely it is to be a target of push payment fraud. Scammers can deliberately coax merchants or individuals into authorizing transactions worth tens or even hundreds of thousands of dollars by posing as individuals that might be involved in high-value transactions, like escrow agents or title company staff.

Vendor & Supplier Payments

Most legitimate business transactions involve a paper trail of evidence. As a best practice, purchases should involve a purchase order, invoice, or receipt. Some push payment scammers, however, will send over fake invoices and hope that your accounting or procurement team fails to triple-check.

Did You Know?

Businesses unintentionally pay fake invoices all the time. One of the most high-profile cases involved a scammer named Evaldas Rimasauskas, who impersonated a legitimate company and sent fake invoices to Google and Facebook. The tech giants, none the wiser, simply paid the bills. Rimasauskas successfully stole and subsequently laundered over $120 million before he was caught and sentenced to 5 years in prison.

Cross-Border Payments

International payments involve multiple banks, intermediaries, currencies, languages, and regulatory frameworks, which makes them more complex than domestic transactions. This, combined with the fact that cross-border payments are easier to launder and more difficult to unwind, makes them a prime target for push payment fraud.

Real-Time Payments

Instant push payments are convenient because they’re fast. But speed also comes at the cost of security. If funds fall into the wrong hands, they can disappear well before victims have time to react.

Protect your revenue against third-party fraud chargebacks, regardless of the source.

Request a Demo
The Original End-to-End Chargeback Management Platform

Common Examples of Push Payment Fraud Attacks

The point of authorized push payment fraud, from a criminal’s perspective, is to convince a victim to move money by impersonating someone that the victim recognizes and trusts. This can be a merchant, an employer, a governmental agency, or even a personal friend. 

It can help to have a concrete example. So, here are a few examples of how APP scams might play out in the real world:

Person-to-Person Scams

These are APP scams that target individuals on a personal level. The fraudster will attempt to convince a person that they are a trusted friend or relative, and have the victim deposit money into a non-related account. The fraudster will usually claim to be in some kind of bind; for instance, needing money to pay a past-due bill, or having forgotten login details to an important account.

A target might also receive:

  • Invoices that appear identical to ones issued by a child’s school, or fake bills from utility companies or service providers.
  • Emails from a hairdresser, designer, or some other nonessential servicer looking to set up payment options.
  • Personal ads, dating app scams, or other confidence scams in which scammers pose as people the individual has a relationship of some kind with.

Home Renovation Scam

In a neighborhood or apartment complex, it can be pretty difficult to hide ongoing renovations. It’s no different online, where homeowners might accidentally click fake links in search of contracting services or materials.

Fraudsters are always looking for the means to connect with potential victims. Home renovations are generally big investments, and thus present an opportunity for a big score.

Using fake invoicing with a contractor’s letterhead and details, the fraudster will send the homeowner fake payment information. Once the homeowner pays the fake invoice, the fraudster will disappear.

New Account & Supplier Scams

Fraudsters that have access to a consumer’s email address might be notified when their target opens a new account with an application or service provider online.

The fraudster will send a fake payment request, then use spoofing techniques to convince the consumer the invoice comes directly from that company’s billing department. This can be particularly tricky if auto-billing is enabled. 

Merchants, too, can be targeted for this scam. All the fraudster needs to do is convince someone in the company’s billing department that they are a legitimate account provider. When this happens, the scam can roll on for as long as it takes the company to identify the scam. 

Property Purchase Scams

If a fraudster is able to work out that a consumer is in the market for a new home or property, fraudsters may take advantage. 

A scammer can pose as a mortgage broker or bank loan officer involved in the exchange. Or, they may operate silently, without any other party’s knowledge. In either case, the scammer intercepts communications between parties, then changes relevant payment details to hijack any payment and reroute the funds exchanged to their own account.

As you might imagine, this type of APP fraud can be devastating for consumers if enough money is on the line.

APP Fraud: Impacts for Consumers, Merchants, & Banks

It’s not only cardholders that should worry about being victimized by push payment fraud. Push payment fraud negatively impacts everyone involved:

Consumers

Though they’re frequently targeted, most consumers lack the fraud prevention tools they need to protect themselves. This leaves individuals vulnerable to significant financial loss, data breaches, or account takeovers. Luckily, recent legislation in the UK will offer consumers greater protections against APP fraud, while existing laws in the US cap consumer fraud losses to $50 per incident.

Merchants

Businesses have many moving parts, and merchants can face a nearly endless list of attacks, including business email compromise scams, spoofing, fake invoice scams, and CEO scams. No matter the flavor, APP fraud can drain company bank accounts or compromise valuable data and lead to revenue loss or irreparable reputational harm.

Banks

Aside from more apparent financial repercussions, push payment fraud can also deeply damages a bank's reputation with consumers and merchants. Ask yourself: Would you feel comfortable sharing your money with a bank that is regularly associated with fraudulent attacks and data breaches? Probably not, which is precisely the issue with which banks are faced.

REAL-LIFE EXAMPLE

Petty Son and Prestwich, a UK-based real estate firm, published a post on their blog outlining how they were targeted by an authorized push payment fraud scheme. “The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him,” they explain. The fraudster sent multiple emails to an employee in the department with questions aimed at “warming up” the individual.

“It was only when the accounts department phoned our director informing them we had reached our payment limit for the day, so they therefore wouldn't be able to make the payment, that the scam was discovered. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.”

Regulatory & Industry Responses to Push Payment Fraud

Push payment scams are growing in frequency, sophistication, and magnitude. In response, both governmental bodies and the financial services industry are devising ways to address the challenge.

In the UK, for instance, consumers and businesses were faster to adopt push payments. In response, the British government adopted the Contingent Reimbursement Model, or CRM.

The CRM is essentially a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.

More recent regulatory efforts, like the APP scams reimbursement requirement imposed by the UK’s Payment Systems Regulator (PSR), aims to make victims whole through other means. Effective October 7, 2024, UK payment service providers are required to reimburse APP fraud victims up to £85,000 per instance.

While this requirement goes a long way in insulating consumers from potentially devastating financial consequences, it remains a reactive solution that fails to address the root cause of the problem: the fraud itself.

For this reason, the banking industry must also educate the public about APP scams and invest in robust tools and strategies for fraud detection and prevention. Always-on machine learning-based anomaly detection and fraud scoring systems, for instance, can help banks monitor 100% of their transactions. Suspicious payments can then be forwarded to fraud analysts for manual review or met with multi-factor authentication (MFA) challenges.

Ultimately, a multi-layered, collaborative approach that combines regulatory safeguards with proactive industry-led prevention is the best way governments and banks can work together to stay one step ahead of APP fraudsters.

Red Flags to Watch For

Each Authorized Push Payment (APP) fraud attack can involve one or more of several dozen tactics and put thousands of dollars at stake. Luckily, you don’t need to memorize every trick in the book; you can thwart the lion’s share of attempts by paying attention to these warning sings:

Red Flag

Unusual Payment Instructions or Last-Minute Changes

Most legitimate vendors or payees won’t make eleventh-hour modifications to their payment instructions. Nor will they ask for prepayments, overpayments, or make other unusual requests, unless explicitly agreed to in writing. If you encounter these requests, it could be a scam.

Red Flag

Urgent or Unexpected Requests

Alarm or urgency, including language like “immediately,” “need it now,” or “ASAP” should inspire caution, not action. In most business settings, legitimate recipients won’t pressure you to make payments (unless you’re late). For the most part, they’ll abide by the payment terms, deadlines, and frequencies specified and agreed to in writing. If you receive an urgent request, reach out to the recipient; it’s possible they never made that request at all.

Red Flag

New or Unverified Account Details

Sketchy or incomplete account details should be an immediate red flag. If a recipient is withholding account information from you or unwilling to verify their details (e.g. by providing an ID), you could be engaging with a scammer.

Best Practices for Push Payment Fraud Prevention

We established earlier that governments and financial institutions both have crucial roles to play in fighting push payment fraud. As a merchant, you play just as important of a role in keeping APP fraudsters at bay. You can do so by:

Tip

Applying Strong Internal Controls

Make sure to segregate duties in procurement, payment initiation, and bookkeeping so that transactions can be reviewed and nobody within your organization can “cook the books”. Also, make sure that you can establish a three-way match between the purchase order, invoice, and receipt generated as part of every transaction. This will help reduce payment errors and lessen your susceptibility to APP attacks.

Tip

Validating Suspicious Payment Requests

If anything appears off, try to verify payment details via established backchannels. Ideally, get on a live phone or video call with the recipient; don’t rely on email or instant messenger as a means of communication.

Tip

Investing in Fraud Awareness Training

Fraud evolves constantly, and the best way to stay ahead is to educate yourself and your staff on the latest tactics. Provide fraud awareness training on a monthly, quarterly, or annual cadence, and subject staff to regular phishing simulations so that they remain on guard against push payment attacks.

Tip

Deploying Multi-Factor Authentication

Use multi-factor authentication (MFA) at account creation and checkout to prevent bad actors from onboarding themselves to your platform, and secure employee and executive emails with MFA as well. The latter can help prevent business email compromise (BEC) scams, which often culminate in some sort of push payment fraud.

Tip

Using Fraud Detection Software

A complementary suite of fraud detection tools, including fraud scoring tools, device fingerprinting solutions, and velocity check systems can help you detect suspicious activity and stop APP scammers in their tracks. After all, an ounce of prevention is worth a pound of cure. The most cost-effective thing you can do is stop fraud from happening in the first place.

Tip

Employing Bank-Level Safeguards

Use or implement account verification services like Confirmation of Payee (COP) before initiating payments to recipients. Also, deploy always-on transaction monitoring software so that you can monitor all of your incoming and outgoing transactions and payments for signs of fraud.

Tip

Leveraging AI & Behavioral Analytics

Fraud prevention tools that use machine learning to identify anomalies can adapt to new threat environments in real time and allow you to defend yourself against new push payment fraud tactics. Closely related is behavioral analytics, which uses data about past interactions with recipients to identify patterns and predict future behavior. Any payment requests that deviate from “normal” behavior can be flagged as suspicious and forwarded for review.

Have other questions about merchant fraud prevention? Want to learn how you can save time and recover more revenue? Contact Chargebacks911® and get started today.

FAQs

What are examples of push payment fraud?

In the US, we generally refer to the tactics employed here according to the methodology, for instance, social engineering tactics, etc. At their core, push payment scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.

To illustrate, consider that these scams can take the shape of invoice scams, home improvement scams, and new account scams.

How do I stop push payment fraud?

The good news is that there aren’t many new practices or technologies merchants should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.

We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.

Can I get my money back from an authorized push payment?

Authorized push payments are normally irreversible, so it’s difficult to get your money back. However, new rules that went into effect on October 7, 2024, require payment service providers (PSPs) in the UK to reimburse APP fraud victims up to £85,000, so you may be able to recover funds by filing a claim with your bank.

How do push payments work?

A push payment is initiated (or “pushed”) by the sender to the recipient. This stands in contrast to a pull payment, which is initiated (or “pulled”) by the recipient.

Can you block a pre-authorized payment?

Yes. You can block a pre-authorized payment by revoking authorization directly with the recipient company, or by submitting a stop payment order with your bank.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form