Combating APP scam: Learnings from real-life stories

According to UK Finance, in 2023, 232,429 reported cases of Authorised Push Payment (APP) scams resulted in losses of £459.7 million. Notably, 76% of these cases originated from online sources. 

These numbers explain why it has become paramount for banks and financial institutions to take remedial action before it becomes too late. 

Scams are no longer isolated incidents—they’re part of a fast-evolving fraud ecosystem that targets not just consumers but also the operational resilience and trustworthiness of financial institutions.

In this article, we explain how APP fraud works through real-life stories and examples that will help you, as a financial institution, strengthen your system defences and protect your customers from being scammed.

Fraudsters don’t break in; they convince victims to open the door and manipulate them into willingly transferring money. 

APP fraud takes many forms, but the goal is always the same: tricking victims into willingly sending money. This is how it usually works:

1. Fraudsters gather personal information from social media, public records, or past data breaches to craft convincing stories.
2. The scammer then makes contact, typically over the phone, using trust to convince the victim to make a payment to an account.
3. Once the funds are transferred, the fraudster quickly moves the money to another account to cover their tracks.

Scammers tailor their approach based on who they’re targeting and what will feel most convincing to trick victims into willingly sending money:

• Impersonation fraud: Fraudsters pose as trusted entities, such as banks or government agencies, pressuring victims to transfer money under the pretence of protecting their funds.
• Advanced fee fraud: Victims are asked to pay upfront for promised services or benefits like job offer or loans that never materialise.
• Romance fraud: Scammers build online relationships and use emotional manipulation to convince victims to send money.
• Family fraud: Playing on urgency and fear, fraudsters impersonate distressed family members, claiming they need immediate financial help.
• Investment fraud - Victims are lured into fake investment opportunities with promises of high returns and minimal risk, often losing significant amounts.

Whichever the modality, once the payment is sent, recovering the funds is nearly impossible. That’s why banks need real-time detection that spots fraudulent transactions before being authorised.

To make this clearer, we’ll share examples of people who were scammed by fraudsters.

Shattering dreams by preying on urgency

Julie had always dreamed of going to Glastonbury. When she missed the initial ticket sale, she searched resale groups, hoping for a second chance. That’s when she found Mallory’s account. It looked legitimate - past sales, glowing reviews, even photos of real tickets.

Eager to secure her spot, she reached out to her. Mallory warned her that other buyers were interested and urged her to act fast. Not wanting to miss out again, Julie transferred £350 from her bank account to what she believed was a trusted seller. Moments later, the account disappeared, along with her money and her dream of attending the festival.

Two fraudsters worked together to run an APP scam, targeting multiple victims simultaneously. Mallory, the mastermind, was skilled in social engineering - crafting believable stories and manipulating trust. Her partner, Eve, handled the money, moving stolen funds through a maze of accounts to erase any trace.

Takeaway for banks and FIs

APP fraud doesn't rely on fake URLs or spelling mistakes. It leans on emotional pressure and trust built through believable back-and-forth interactions. Julie didn’t miss any red flags - there weren’t any, not in the traditional sense.

Banks that rely solely on transaction analysis at the moment of payment are playing catch-up. The real opportunities lie in the earlier signs—repeat login attempts, sudden changes in behaviour, and time-sensitive browsing patterns. Spotting these cues early gives banks a fighting chance to intervene before the money moves.

‍

Creating false identities to exploit trust

Charlie, a university student, was eager to get a Reading Festival ticket. After searching online, he was contacted by Edward, a fellow student who claimed he had already bought the tickets but could no longer attend due to exam clashes.

The story felt real. Edward shared a fake student ID, engaged in casual university-related chat, and had a convincing social media presence that mirrored Charlie’s world. Trusting him and thinking he was helping out a peer, Charlie transferred £280. As soon as the money left his account, Edward vanished.

Edward built an APP fraud operation together with his partner Amy, which relied on deception, trust, and carefully crafted personas. While Edward handled the social manipulation, Amy ensured that the stolen money disappeared without a trace. Each scam was tailored to its target, making it nearly impossible for victims to suspect anything was wrong until it was too late.

Takeaway for banks and FIs

Charlie didn’t get tricked by a dodgy link - he was pulled into a conversation that felt real. These scams are built to blend into everyday life, using fake personas and stolen photos to lower defences. It’s not just fraudsters being clever, it’s banks needing better visibility into behavioural patterns that don’t match the norm.

Detection tools must go beyond device fingerprinting or location mismatches. When scammers mimic social interactions and behaviour that feels ‘typical,’ systems need to understand what’s “normal” for each user, not just the average. That’s where banks can start to make fraud prevention feel less like a wall and more like a safety net.

‍

Exploiting brand credibility for fake purchases

Bill, a young data analyst, decided to buy himself a PS5. He found a great deal on Amazon from a trusted seller with decent ratings. 

After an hour, he received a fake cancellation email from Amazon and another email from the supposed seller claiming an inventory issue. This message was carefully crafted to appear like an authentic Amazon notification, referencing Bill’s original order details such as shipping address, order number, and exact product model.

Immediately after, Bill received another email claiming that Amazon’s payment system was down but offered to process the order directly via bank transfer to “hold the PS5.” Persuaded by this option, Bill logged into his online banking and, without suspicion, manually initiated the bank transfer to the scammer’s account. 

Within seconds, Bill’s money was gone, and he had never received his PS5. 

Takeaway for banks and FIs

Bill didn’t go rogue. He followed instructions from what looked like Amazon. Scammers didn’t just send a fake email, they created a situation where the next steps felt completely legitimate. He didn’t think twice.

This type of scam shows how fraud has moved upstream. By the time the bank sees the transaction, the manipulation has already happened. To stop it, detection needs to kick in earlier, looking at behavioural friction, odd device behaviour, or users being nudged into unusual actions. Banks that can spot and flag suspicious intent - not just suspicious payments - stand a better chance of keeping their customers safe.

Financial institutions are under increasing pressure to address the surge in APP scams. 

New regulations demand a greater duty of care, and failure to protect customers can now lead to direct financial liability. But the consequences don’t end with compensation payouts. Investigating cases, managing customer relationships, and handling reputational fallout all consume valuable resources. 

In an environment where trust is everything, just one publicised incident can dent a brand’s credibility, particularly for digital-first banks, whose value proposition hinges on both innovation and safety.

In fact, APP scams leave a deep and lasting impact on their victims. Financial recovery is rare, and the emotional scars often cut deeper. Many victims are left grappling with a profound sense of violation — they question their judgment, feel ashamed, and withdraw from digital banking altogether.

This erosion of trust affects not only their relationship with their bank but also their confidence in navigating the digital world. For some, the trauma leads to long-term anxiety and hesitancy with online transactions.

Combating APP scams requires more than clever technology—it demands a holistic approach that blends advanced systems with proactive customer education. 

While online banks rapidly adopt AI-driven tools to detect and prevent suspicious activity in real time, technology alone isn’t enough. Machine learning models can flag anomalies — unusual transfers, strange login patterns, behaviour that doesn’t fit the norm — but many fraud attempts still succeed because customers are unaware of the warning signs. 

The most effective fraud prevention strategies combine intelligent detection with empowering users to make safer choices. That means guiding customers to recognise manipulation tactics, question urgent or secretive requests, and use built-in security features like transaction alerts and biometric login. 

Crucially, fraud rarely looks suspicious in isolation — it’s the patterns over time, across users and platforms, that tell the real story. Online banks that integrate contextual analysis with ongoing education efforts not only protect their customers more effectively but also build the kind of digital trust that drives long-term loyalty.

Fraud detection needs to be proactive, not reactive.

Cleafy helps financial institutions identify fraudulent behaviour in real-time, before funds leave an account. By analysing device activity, behavioural patterns, and transaction data, Cleafy stops fraud without disrupting legitimate customers.

Because for banks, preventing fraud means protecting customers, reputation, and compliance.

Ready to stay one step ahead of APP scams? Get in touch with Cleafy and see how we can help.