New technologies present new opportunities for businesses to reach customers and conduct transactions. So-called “push” payments, or buyer-initiated purchases, are one example.
Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation. Push payments are no exception.
In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics that merchants, banks, and cardholders can use to protect themselves from this emerging threat.
Push payment fraud occurs when a bad actor uses social engineering tactics and false pretenses to cause a victim to voluntarily initiate a payment to the fraudster. Unlike traditional fraud, in which a scammer steals credentials or takes over an account, a fraudster does not need to access a victim’s account in order to conduct a successful push payment scam. Instead, a bad actor simply needs to manipulate the victim into authorizing a payment.
Bad actors use a combination of social engineering, phishing, and its variants to conduct push payment fraud. In any case, the procedure is similar: the scammer researches a victim, convinces them to send (“push”) a payment, and disappears once they receive the money.
Tactics such as false displays of romance, bogus promises of “too-good-to-be-true” investment returns, or hyperrealistic impersonations of loved ones can cause even the most fraud-aware individuals to fall for push payment scams.
Push payment scammers siphon billions of dollars out of the real economy every year. In fact, authorized push payment (APP) fraud losses alone in the US reached an estimated $8.3 billion in 2024, a market where victims remain largely unprotected from these scams. To make matters worse, APP fraud is also becoming an increasingly alarming issue, with dollar losses and incident counts expected to compound at double-digit rates for the next few years.
Exacerbating the acceleration in push payment fraud is the advent of generative AI tools, including large language models (LLMs), AI voice cloning software, and deepfake technologies. When combined with old-fashioned spoofing techniques, these AI tools make push payment scams virtually indistinguishable from requests from genuine recipients.
Push payment fraudsters target both businesses and consumers. When merchants are successfully victimized, losses routinely reach into the hundreds of thousands or millions of dollars, causing anything from disruption to financial devastation for the businesses involved.
Although the sums lost in consumer push payment scams are smaller, even a loss of several thousand dollars can have similarly disruptive effects for individuals. To make matters worse, banks and payments regulators may refuse to make victims whole, prolonging both uncertainty and cash flow issues.
Because push payment fraud relies on psychological tricks rather than technical approaches, merchants and consumers will need to pay attention to red flags raised by communication patterns rather than transaction data.
The use of urgency, last-minute changes in payment details, requests for payment via specific peer-to-peer payment platforms, and alleged contact by government officials, banks, law enforcement, and other parties who usually do not contact you over email or the phone should all raise immediate red flags.
Merchants who wish to prevent push payment fraud will need to strengthen their staff’s “human firewall.” In practice, this means augmenting fraud awareness training with frequent role-playing scenarios, as well as establishing rigid internal controls that require multiple sign-offs before a transaction can be initiated.
Maintaining a centralized database of vendor information that can be referenced at all times, establishing strict protocols (including three-way matches and backchanneling) for payment verification, and formulating an incident response plan can help merchants harden their businesses against attackers and respond swiftly if they are ever targeted.
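The controls described above can be combined into a single release gate for outgoing vendor payments. The following is an added example, not code from the original post: the vendor record, field names, and the `review_payment` function are hypothetical, and the three-way match is simplified to comparing totals in cents.

```python
from dataclasses import dataclass, field

# Constructed vendor master data (the centralized database); values are placeholders.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies", "account": "GB00-CONSTRUCTED-0001"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    account: str            # account the invoice asks to be paid
    po_cents: int           # purchase order total
    receipt_cents: int      # goods-receipt total
    invoice_cents: int      # vendor invoice total
    requester: str
    approvers: set = field(default_factory=set)
    # True only after calling the vendor on the number already on file,
    # never a number taken from the invoice or the requesting email.
    callback_verified: bool = False

def review_payment(req, required_signoffs=2):
    """Return reasons to hold the payment; an empty list means release."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in master database"]
    holds = []
    # Three-way match: purchase order, receipt, and invoice must agree.
    if not (req.po_cents == req.receipt_cents == req.invoice_cents):
        holds.append("three-way match failed")
    # Payment details that differ from the master record need backchannel
    # confirmation before anyone is allowed to release funds.
    if req.account != vendor["account"] and not req.callback_verified:
        holds.append("payment details changed; backchannel verification required")
    # Multiple sign-offs: the requester cannot count as an approver.
    independent = req.approvers - {req.requester}
    if len(independent) < required_signoffs:
        holds.append("insufficient independent sign-offs")
    return holds
```

A request is released only when every check passes, so a last-minute change of bank details stays on hold even if the amounts match and approvers have already signed.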
In the US, we generally refer to the tactics employed here according to their methodology, for instance, as social engineering tactics. At their core, push payment scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.
To illustrate, consider that these scams can take the shape of invoice scams, home improvement scams, and new account scams.
The good news is that there aren’t many new practices or technologies merchants should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.
We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.
Authorized push payments are normally irreversible, so it’s difficult to get your money back. However, new rules that went into effect on October 7, 2024, require payment service providers (PSPs) in the UK to reimburse APP fraud victims up to £85,000, so you may be able to recover funds by filing a claim with your bank.
A push payment is initiated (or “pushed”) by the sender to the recipient. This stands in contrast to a pull payment, which is initiated (or “pulled”) by the recipient.
Yes. You can block a pre-authorized payment by revoking authorization directly with the recipient company, or by submitting a stop payment order with your bank.
Unauthorized fraud occurs when a criminal accesses your account without permission (stolen password, hacked account) and initiates payments. Authorized push payment (APP) fraud occurs when YOU authorize the payment yourself because a scammer tricked you into believing it was legitimate. The critical difference: US federal law protects you from unauthorized fraud, but offers almost no protection for APP fraud.
It's very difficult. Traditional fraud detection looks for unauthorized access (wrong location, device, behavior). With APP fraud, YOU initiated the payment using YOUR credentials from YOUR device. To the bank, it looks completely legitimate. Some banks use Confirmation of Payee (verifying payee name matches account) and behavioral analytics (unusual recipient), but most US banks don't have these systems. Real-time payments leave no time for verification.
AI voice cloning requires only 3-10 seconds of audio to perfectly replicate someone's voice. Fraudsters can call a CFO sounding EXACTLY like the CEO requesting a wire transfer. AI also generates deepfake documents (invoices, IDs), spoofs emails in perfect company style, and analyzes social media to personalize scams. The Federal Reserve and FBI have both warned this technology makes scams virtually undetectable.