Authorized push payment fraud occurs when a victim is manipulated into sending a real-time payment to a scammer’s account. Unlike unauthorized transactions, the victim initiates the transfer themselves, often believing they are paying a legitimate business or authority. This fraud type has escalated with the rise of Gen-AI, allowing criminals to use voice deepfakes and synthetic identities to deceive even high-level executives and vulnerable individuals. Banks are under increasing regulatory pressure, such as the UK’s PSR rules, to reimburse victims, making prevention through advanced biometric identity verification a business priority.
What Is an Authorized Push Payment?
An authorized push payment (APP) is a transaction where the account holder instructs their bank to send money directly to another account. These payments are typically processed through real-time systems like Faster Payments in the UK or SEPA Instant in Europe. The “push” element means the sender initiates the action, rather than a merchant “pulling” the funds via a card or direct debit.
The speed of these transfers is what makes them attractive for both legitimate users and fraudsters. Once a user clicks send, the money often arrives in the recipient’s account within seconds. This immediacy leaves very little time for banks to intervene if the transaction is part of a scam.
Authorized payments are the backbone of modern digital banking. They allow for instant bill payments, peer-to-peer transfers, and business-to-business transactions. However, because they are irrevocable in most cases, they require a high level of trust between the two parties involved.
Veridas technology helps secure this trust by ensuring that the person authorizing the payment is who they claim to be. By integrating voice biometrics, banks can verify identity in less than three seconds, preventing social engineering from leading to successful fraud.
Understanding Authorized Push Payment Fraud
Authorized push payment fraud is a form of social engineering where a criminal tricks a victim into sending them money. The hallmark of this fraud is that the victim is convinced they are making a legitimate payment. This might involve a fake invoice, a spoofed phone call from a bank, or a romantic deception.
Because the customer technically “authorized” the payment, traditional fraud detection systems often struggle to flag these events. The system sees a valid user logging in with correct credentials and performing a standard action. The breach is not in the software, but in the human psychology manipulated by the attacker.
The evolution of authorized push payment fraud has been accelerated by Gen-AI. Scammers now use audio deepfakes to impersonate CEOs or family members, making the request for funds incredibly persuasive. This industrialization of fraud means that simple password-based security is no longer sufficient to protect assets.
To combat this, a Zero Trust approach to identity is required. Veridas enables continuous authentication that analyzes the integrity of the device and the biometric traits of the user. This ensures that even if a user is being manipulated, the system can detect anomalies in behavior or identity before the fund transfer.
Examples of Authorized Push Payment Scams
One of the most common examples is the “Safe Account” scam. A fraudster calls the victim, pretending to be from their bank’s security department. They claim the victim’s account is under attack and insist the money be moved to a “new, safe account,” which actually belongs to the criminal.
Another prevalent scenario is the “Invoice Scam” or Business Email Compromise (BEC). In this case, a criminal intercepts an email from a legitimate supplier and changes the bank details on an invoice. The business then sends an authorized push payment to the fraudster instead of the supplier.
Investment scams also fall under this category. Victims are promised high returns on cryptocurrency or stocks. They are directed to professional-looking websites and then authorize transfers to what they believe is a brokerage, only for the scammers to disappear once the money is sent.
Finally, “CEO Fraud” involves impersonating a high-ranking executive. Using voice deepfakes, an attacker calls a finance employee and requests an urgent payment for a confidential merger. The employee, hearing the boss’s voice, authorizes the payment without following standard verification protocols.
Types of Authorized Push Payment Fraud
| Type of APP Fraud | Description | Primary Victim |
|---|---|---|
| Purchase Scams | Victims pay for goods or services that never arrive. | Consumers |
| Investment Scams | Victims are tricked into moving money into fake high-return schemes. | Individuals/High-Net-Worth |
| Romance Scams | Fraudsters build fake relationships to request money for “emergencies.” | Individuals |
| Impersonation Scams | Criminals pretend to be from the police, bank, or government. | Consumers/Elderly |
| CEO Fraud (BEC) | Impersonation of senior management to trigger urgent transfers. | Businesses |
Each of these types relies on the same principle: creating a sense of urgency or emotional pressure. Scammers often use “spoofed” caller IDs to make their phone calls look like they are coming from a trusted number. This increases the likelihood that the victim will skip normal security checks.
The complexity of these types varies, but the outcome is always the same. Once the authorized push payment is made, the funds are quickly moved through a network of “mule accounts” to make recovery nearly impossible. This highlights the need for real-time biometric verification at the point of transfer.
Veridas provides a layer of defense by implementing Voice Shield technology. It can detect synthetic voices and recorded audio in real-time, even if the scammer is using a high-quality deepfake. This protects the banking channel from being used as a tool for large-scale social engineering.
Furthermore, document verification ensures that when a new account is opened—potentially a mule account—the identity is legitimate. Our 100% automated IDV solution detects document tampering and facial mismatches in seconds, stopping the fraud infrastructure before it can be used.
How Banks Handle Refunds for Authorized Push Payments
Historically, banks were not legally required to refund victims of authorized push payment fraud because the customer had technically authorized the transaction. However, this is changing rapidly. Regulators are increasingly shifting the liability toward financial institutions to encourage better security measures.
In the UK, the Payment Systems Regulator (PSR) has introduced mandatory reimbursement for most APP scams. This means that both the sending and receiving banks share the cost of the refund. This regulation aims to protect consumers and force banks to invest in more robust identity verification systems.
Other regions are following suit with various “Contingent Reimbursement Models.” These voluntary codes of conduct encourage banks to refund victims who have acted with reasonable care. However, “gross negligence” on the part of the customer can still be a reason for a bank to deny a refund claim.
This shift in liability makes fraud prevention a core financial interest for banks. By using Veridas’ facial authentication and liveness detection, banks can prove they have taken every possible step to verify the user. This reduces the number of successful scams and, consequently, the volume of mandatory refunds.
How to Protect Yourself from Push Payment Scams
Protection starts with awareness and technology. Individuals and businesses must understand that a familiar voice or an official-looking email is not always proof of identity. The “human firewall” is the most vulnerable point, so it must be reinforced with automated, biometric safeguards.
Financial institutions must move away from static knowledge-based authentication (KBA). Questions like “What was your first pet’s name?” are easily answered by fraudsters who have harvested data from social media. Moving to inherent factors, like a person’s voice or face, provides a much higher level of security.
For businesses, implementing strict multi-person authorization for large transfers is essential. However, even these can be bypassed if the primary decision-maker is convinced by a deepfake. This is why biometric “proof of life” is the new standard for high-value authorized payments.
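The business controls described above, sketched as an added example that is not part of the original article or of any Veridas product: a payment-release gate that holds a supplier payment when the bank details differ from the record on file (the invoice-scam pattern) and enforces multi-person authorization for large transfers. The vendor data, threshold and field names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: supplier -> bank account verified at onboarding.
VENDOR_MASTER = {"ACME-SUPPLIES": "GB00TEST00000012345678"}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in account currency


@dataclass
class PaymentRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    requested_by: str
    approvers: set = field(default_factory=set)
    # True only after phoning a number already on file, never one taken
    # from the invoice or email that asked for the change.
    callback_confirmed: bool = False


def _norm(account: str) -> str:
    """Compare account identifiers ignoring spacing and letter case."""
    return account.replace(" ", "").upper()


def release_decision(req: PaymentRequest) -> tuple[str, list[str]]:
    """Return ("RELEASE" or "HOLD", reasons) for an outgoing supplier payment."""
    reasons = []
    known_account = VENDOR_MASTER.get(req.vendor_id)

    if known_account is None:
        reasons.append("vendor not in master data")
    elif _norm(req.beneficiary_account) != _norm(known_account):
        # Bank details changed relative to the verified record.
        if not req.callback_confirmed:
            reasons.append("beneficiary account differs from master; callback required")

    # The requester never counts as an approver of their own payment.
    independent = {a for a in req.approvers if a != req.requested_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")

    return ("HOLD" if reasons else "RELEASE", reasons)
```
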
Veridas solutions are designed to be frictionless, ensuring that security doesn’t come at the expense of user experience. Our biometric authentication allows users to confirm their identity in seconds, providing a seamless experience while maintaining the highest security standards.
Tips to Avoid Falling Victim
- Be wary of any unsolicited contact requesting an urgent transfer of money.
- Always verify payment requests through a separate, known channel (e.g., call a known number).
- Never share one-time passcodes (OTP) with anyone, even if they claim to be from your bank.
- Enable biometric authentication for banking apps instead of relying solely on passwords.
- Report any “spoofed” calls or suspicious emails to your bank immediately.
The most effective tip is to pause. Scammers rely on rushing you so you don’t notice discrepancies. If someone claiming to be a bank employee tells you your account is in danger, hang up and call the number on the back of your debit card. Legitimate banks will never pressure you to move money to a “safe account.”
Organizations should also train employees on the risks of authorized push payment scams. This includes recognizing the signs of Business Email Compromise and understanding how deepfake technology can be used to impersonate leadership. Training, combined with technology, creates a layered defense.
Veridas helps organizations implement these layers through Know Your Employee (KYE) frameworks. By using facial recognition for internal system access, businesses ensure that only the real employee—not someone with a stolen password—can initiate or approve sensitive financial actions.
Reporting Suspicious Transactions
If you suspect you have been a victim of authorized push payment fraud, time is of the essence. Contact your bank immediately. The sooner they are notified, the higher the chance they can freeze the funds in the recipient’s account before they are withdrawn.
You should also report the scam to national fraud reporting centers, such as Action Fraud in the UK or the FTC in the USA. These reports help law enforcement track the movement of money and identify the organized crime groups behind these large-scale operations.
Banks use these reports to improve their own fraud detection algorithms. By analyzing the “mule accounts” used in these scams, institutions can better identify patterns that signify authorized push payment activity. This collaborative data sharing is crucial for the banking ecosystem.
Veridas supports this through database deduplication. Our system identifies if the same face is trying to open multiple accounts under different names, a common tactic for creating the mule accounts needed to funnel stolen funds. This proactive approach stops the fraud loop before it begins.
Credit Push Payments vs Authorized Push Payments
While the terms are often used interchangeably, there is a technical distinction. A credit push payment refers to the general mechanism where the payer sends funds to the payee. An authorized push payment specifically refers to the user giving explicit permission for that action to take place.
The term “Credit Push” is often used in the context of payroll or automated bill payments. These are scheduled and predictable. Authorized push payments are often ad-hoc and manual, which is where the risk of deception and fraud is highest for individual consumers and businesses.
From a security perspective, both require strong identity verification. However, ad-hoc authorized payments need real-time, “in-the-moment” authentication. This is where facial liveness detection becomes vital, ensuring that a live person is present and consenting to the specific transaction.
Veridas provides solutions for both scenarios. Whether it is an automated onboarding process for credit services or a manual high-value transfer, our facial recognition technology ensures the integrity of the “push” at every step of the payment journey.
Key Takeaways
Authorized push payment fraud is a psychological attack, not a technical one. It exploits the speed of modern payment systems and the trust people place in digital communication. As scams become more sophisticated with AI, relying on passwords and OTPs is no longer a viable security strategy.
The shift in regulatory liability means banks must take a proactive role in prevention. This requires moving beyond simple transaction monitoring to advanced biometric identity verification. Proving that the user is physically present and who they say they are is the only way to stop authorized scams.
Veridas offers a comprehensive suite of tools to combat this threat. From Voice Shield that stops deepfake impersonation to automated IDV that prevents the creation of mule accounts, our proprietary technology is designed to protect both the bank’s bottom line and the customer’s trust.
In an increasingly digital world, identity is the most valuable asset. Protecting it requires a partner who understands the intersection of AI, regulation, and security. Veridas is that partner, providing the technology needed to build a safer, fraud-free future for digital payments.
Use Cases by Industry
- Banking: Implementing voice authentication for call centers to verify high-value transfers in under 3 seconds, reducing TMO and stopping social engineering.
- Telecommunications: Secure digital onboarding for credit-based equipment purchases, using facial liveness to prevent synthetic identity fraud.
- Fintech: Streamlining online financing applications with 100% automated ID verification, achieving 90% funnel conversion while maintaining strict compliance.


