How to Identify Push Payment Fraud Before It’s Too Late
New technologies present new opportunities for businesses to reach customers and conduct transactions. So-called “push” payments, or buyer-initiated purchases, are one example.
Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation. Push payments are no exception.
In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics that merchants, banks, and cardholders can use to protect themselves from this emerging threat.
Recommended reading
- Fake Google Reviews: How to Identify, Remove & Prevent
- The Top 10 Prepaid Card Scams to Watch Out For in 2025
- How do Banks Conduct Credit Card Fraud Investigations?
- How to Prevent Gift Card Fraud: Tips & Best Practices
- How to Identify Gift Card Fraud: Red Flags & Warning Signs
- Examples of Gift Card Fraud in 2025
What is Push Payment Fraud?
- Push Payment Fraud
Authorized push payment fraud, or APP fraud, happens when a cybercriminal tricks a consumer into authorizing a payment under false pretenses. During the APP scam, the fraudster will pretend to be someone the individual trusts, like a bank or utility provider, then attempt to convince the individual to authorize the payment without much consideration.
[noun]/po͝oSH • pā • m(ə)nt • frôd/
Push payments occur when senders initiate and authorize payments to recipients. This stands in contrast to pull payments, which happen when recipients request (or “pull”) funds from senders.
Push payment fraud involves manipulation of push payment users by a scam artist. Here, the fraudster uses deception, threats, or false urgency to trick victims into initiating (or “pushing”) payments to unintended recipients.
For example, fraudsters may pose as a legitimate recipient, like a friend, vendor, or business associate. Other times, they may coerce or blackmail victims into sending payments to recipients they do not know.
No matter the tactics employed, though, the outcome of all push payment scams are basically the same: they cause individuals or merchants to unfairly lose hundreds or thousands of dollars.
How Does Authorized Push Payment Fraud Work?
Do you remember that old “Nigerian Prince” scam from the early days of the internet?
You’d get an email from somebody claiming to be foreign royalty. The sender would say they need you to give them a small, temporary loan. In exchange, you’d be entitled to a big reward later, once the prince reclaims the family fortune. Authorized push payment fraud actually has a lot in common with that trick, just in a more modern format.
APP fraudsters will begin by researching their victims. They will then carefully engineer a scenario through which they will attempt to manipulate an individual into approving a payment or releasing sensitive account information.
How Push Payment Fraud Works
Common Tactics Used in Push Payment Fraud Attacks
Unlike unauthorized fraud — which occurs when a criminal accesses an account without permission — push payment fraud hinges on deceiving the victim into authorizing the payment themselves.
For this reason, push payment fraudsters typically resort to some form of trickery, manipulation, or identity theft to carry out their attacks. A few common methods that fraudsters use include:
Common Targets of Push Payment Fraud
Push payment fraudsters are especially interested in going after well-resourced businesses. The rationale is obvious: tricking a single victim into sending a lot of money is more profitable and efficient than having to carry out dozens of low-value push payment scams.
From a tactical standpoint, scammers may also intentionally target complex push payments. For instance, those involving several steps or complicated pre-transaction procedures.
These two facts mean that certain push payment transactions are especially vulnerable to APP attacks. Examples include:
Protect your revenue against third-party fraud chargebacks, regardless of the source.
Request a Demo
Common Examples of Push Payment Fraud Attacks
The point of authorized push payment fraud, from a criminal’s perspective, is to convince a victim to move money by impersonating someone that the victim recognizes and trusts. This can be a merchant, an employer, a governmental agency, or even a personal friend.
It can help to have a concrete example. So, here are a few examples of how APP scams might play out in the real world:
APP Fraud: Impacts for Consumers, Merchants, & Banks
It’s not only cardholders that should worry about being victimized by push payment fraud. Push payment fraud negatively impacts everyone involved:
REAL-LIFE EXAMPLE
Petty Son and Prestwich, a UK-based real estate firm, published a post on their blog outlining how they were targeted by an authorized push payment fraud scheme. “The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him,” they explain. The fraudster sent multiple emails to an employee in the department with questions aimed at “warming up” the individual.
“It was only when the accounts department phoned our director informing them we had reached our payment limit for the day, so they therefore wouldn't be able to make the payment, that the scam was discovered. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.”
Regulatory & Industry Responses to Push Payment Fraud
Push payment scams are growing in frequency, sophistication, and magnitude. In response, both governmental bodies and the financial services industry are devising ways to address the challenge.
In the UK, for instance, consumers and businesses were faster to adopt push payments. In response, the British government adopted the Contingent Reimbursement Model, or CRM.
The CRM is essentially a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.
More recent regulatory efforts, like the APP scams reimbursement requirement imposed by the UK’s Payment Systems Regulator (PSR), aims to make victims whole through other means. Effective October 7, 2024, UK payment service providers are required to reimburse APP fraud victims up to £85,000 per instance.
While this requirement goes a long way in insulating consumers from potentially devastating financial consequences, it remains a reactive solution that fails to address the root cause of the problem: the fraud itself.
For this reason, the banking industry must also educate the public about APP scams and invest in robust tools and strategies for fraud detection and prevention. Always-on machine learning-based anomaly detection and fraud scoring systems, for instance, can help banks monitor 100% of their transactions. Suspicious payments can then be forwarded to fraud analysts for manual review or met with multi-factor authentication (MFA) challenges.
Ultimately, a multi-layered, collaborative approach that combines regulatory safeguards with proactive industry-led prevention is the best way governments and banks can work together to stay one step ahead of APP fraudsters.
Red Flags to Watch For
Each Authorized Push Payment (APP) fraud attack can involve one or more of several dozen tactics and put thousands of dollars at stake. Luckily, you don’t need to memorize every trick in the book; you can thwart the lion’s share of attempts by paying attention to these warning sings:
Unusual Payment Instructions or Last-Minute Changes
Most legitimate vendors or payees won’t make eleventh-hour modifications to their payment instructions. Nor will they ask for prepayments, overpayments, or make other unusual requests, unless explicitly agreed to in writing. If you encounter these requests, it could be a scam.
Urgent or Unexpected Requests
Alarm or urgency, including language like “immediately,” “need it now,” or “ASAP” should inspire caution, not action. In most business settings, legitimate recipients won’t pressure you to make payments (unless you’re late). For the most part, they’ll abide by the payment terms, deadlines, and frequencies specified and agreed to in writing. If you receive an urgent request, reach out to the recipient; it’s possible they never made that request at all.
New or Unverified Account Details
Sketchy or incomplete account details should be an immediate red flag. If a recipient is withholding account information from you or unwilling to verify their details (e.g. by providing an ID), you could be engaging with a scammer.
Best Practices for Push Payment Fraud Prevention
We established earlier that governments and financial institutions both have crucial roles to play in fighting push payment fraud. As a merchant, you play just as important of a role in keeping APP fraudsters at bay. You can do so by:
Make sure to segregate duties in procurement, payment initiation, and bookkeeping so that transactions can be reviewed and nobody within your organization can “cook the books”. Also, make sure that you can establish a three-way match between the purchase order, invoice, and receipt generated as part of every transaction. This will help reduce payment errors and lessen your susceptibility to APP attacks.
If anything appears off, try to verify payment details via established backchannels. Ideally, get on a live phone or video call with the recipient; don’t rely on email or instant messenger as a means of communication.
Fraud evolves constantly, and the best way to stay ahead is to educate yourself and your staff on the latest tactics. Provide fraud awareness training on a monthly, quarterly, or annual cadence, and subject staff to regular phishing simulations so that they remain on guard against push payment attacks.
Use multi-factor authentication (MFA) at account creation and checkout to prevent bad actors from onboarding themselves to your platform, and secure employee and executive emails with MFA as well. The latter can help prevent business email compromise (BEC) scams, which often culminate in some sort of push payment fraud.
A complementary suite of fraud detection tools, including fraud scoring tools, device fingerprinting solutions, and velocity check systems can help you detect suspicious activity and stop APP scammers in their tracks. After all, an ounce of prevention is worth a pound of cure. The most cost-effective thing you can do is stop fraud from happening in the first place.
Use or implement account verification services like Confirmation of Payee (COP) before initiating payments to recipients. Also, deploy always-on transaction monitoring software so that you can monitor all of your incoming and outgoing transactions and payments for signs of fraud.
Fraud prevention tools that use machine learning to identify anomalies can adapt to new threat environments in real time and allow you to defend yourself against new push payment fraud tactics. Closely related is behavioral analytics, which uses data about past interactions with recipients to identify patterns and predict future behavior. Any payment requests that deviate from “normal” behavior can be flagged as suspicious and forwarded for review.
Have other questions about merchant fraud prevention? Want to learn how you can save time and recover more revenue? Contact Chargebacks911® and get started today.
FAQs
What are examples of push payment fraud?
In the US, we generally refer to the tactics employed here according to the methodology, for instance, social engineering tactics, etc. At their core, push payment scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.
To illustrate, consider that these scams can take the shape of invoice scams, home improvement scams, and new account scams.
How do I stop push payment fraud?
The good news is that there aren’t many new practices or technologies merchants should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.
We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.
Can I get my money back from an authorized push payment?
Authorized push payments are normally irreversible, so it’s difficult to get your money back. However, new rules that went into effect on October 7, 2024, require payment service providers (PSPs) in the UK to reimburse APP fraud victims up to £85,000, so you may be able to recover funds by filing a claim with your bank.
How do push payments work?
A push payment is initiated (or “pushed”) by the sender to the recipient. This stands in contrast to a pull payment, which is initiated (or “pulled”) by the recipient.
Can you block a pre-authorized payment?
Yes. You can block a pre-authorized payment by revoking authorization directly with the recipient company, or by submitting a stop payment order with your bank.