Authorized Push Payment (APP) Scams and EU’s Defence: PSD3 & Digital Identity Wallets

(For an abridged YouTube Video, go to https://www.youtube.com/watch?v=1rplN-4-O_E)

Introduction

Authorized Push Payment (APP) scams are a form of fraud in which victims are deceived into willingly authorizing a payment to a criminal. In an APP scam, the fraudster poses as a legitimate payee or authority figure and convinces the victim to send money under false pretenses 1. Unlike unauthorized fraud (where transactions occur without the account holder’s consent), APP fraud uses social engineering to exploit the victim’s trust and trick them into approving the transfer themselves; the bank’s authentication controls are therefore passed, not broken, which is what makes these scams hard to stop with technology alone. These scams can target individuals or businesses and often involve impersonation of banks, government agencies, service providers, or even friends and family members.

APP scams have gained significant attention because of their devastating impact on victims and the financial system. Every year, thousands fall prey to such scams, suffering major financial losses that can be life-changing 2. Victims frequently face not only monetary harm but also emotional and psychological distress – for example, one in three victims reports a negative effect on their mental health and confidence in managing money after an APP fraud incident 3. These scams have proliferated with the rise of real-time digital payments, which allow fraudsters to quickly receive and dissipate funds before they can be recovered 4. In markets with widespread instant payment systems, APP fraud has been one of the fastest-growing types of financial crime, undermining consumer trust in online payments and digital banking. Given the growth of APP scams and their impact on both consumers and the integrity of payment systems, regulators and industry stakeholders are increasingly focused on measures to prevent and respond to this form of fraud.

Prevalence and Financial Impact

APP scams are widespread and on the rise globally, accounting for a significant share of fraud losses in many regions. In the UK – one of the most transparent markets for fraud reporting – losses to APP scams reached £485.2 million in 2022 5. This represented about 40% of all UK fraud losses that year, nearly rivaling losses from card fraud 6. Updated figures for 2023 showed APP fraud losses of around £459.7 million in the UK 7, indicating a slight decline from 2022 but remaining extremely high. Cumulatively, UK consumers and businesses have lost almost £2 billion over the past four years to APP scams 8. By volume of incidents, APP scams make up a large portion as well – by some estimates up to 80% of fraud cases in the UK banking sector are APP-related 9, since many lower-value scams (like purchase scams) are very common. This trend is not isolated to the UK. For example, France has reported that authorized push payment fraud now accounts for 59% of total fraud by value in their payments system 10, highlighting that many European countries face a similar challenge.

Across Europe as a whole, the scale of APP fraud is difficult to measure precisely (due to varying reporting standards), but industry analysts estimate that APP scam losses could be as high as €2.4 billion annually 11. Moreover, these losses are growing at an alarming rate of roughly 20–25% per year in Europe 12. The growth of instant payment platforms (which allow money to move faster with less opportunity to intervene) has provided new opportunities for fraudsters, leading to increases in APP scam activity in any market that adopts real-time payments 13. For instance, countries such as India, Brazil, and Australia – all of which have rapidly adopted real-time bank transfers – have seen significant surges in APP fraud incidents and losses 14. Even regions like the United States, where instant P2P payments are a newer part of the landscape, are experiencing a sharp uptick: U.S. APP fraud cases grew by 151% in 2022 alone 15. This global pattern demonstrates that APP scams have become one of the most prevalent and dangerous financial scams worldwide.

The financial impact on victims and financial institutions is severe. Individual victims can lose anywhere from a few hundred euros in a small purchase scam to life-altering sums in high-value investment or business email compromise scams. In 2022, 57% of reported APP scam cases in the UK were purchase fraud (many relatively small transactions) 16, while investment scams – fewer in number but typically involving large transfers – made up about 24% of total APP losses 17. Banks and payment providers also shoulder costs in preventing and reimbursing fraud. In the UK, firms reimbursed £256.5 million to victims in 2023 under the industry’s voluntary APP fraud code 18. In fact, banks managed to refund victims in roughly 4 out of 5 APP scam cases in recent years 19. Even so, the net losses remain enormous, and reimbursement does not erase the harm. Many victims feel shaken – notably, 15% of APP fraud victims in one survey left their bank after the incident (even if they got their money back) due to loss of trust 20. The broader economy also feels the impact: over £1.2 billion was stolen via fraud (authorized and unauthorized) in the UK in 2022 21, and fraud now constitutes a large share of overall crime reports in some countries (for example, fraud makes up around 40% of all reported crime in the UK by volume 22).

It’s important to note that official statistics likely underestimate the true scale of APP scams. Many incidents go unreported due to embarrassment, lack of awareness, or low expectations of recovery. Research commissioned by Visa suggests that as many as one in three APP scam cases may not be captured in industry reporting 23. This under-reporting means the actual losses and number of victims could be significantly higher than the already startling figures reported by banks. In summary, APP scams are highly prevalent, with billions of euros in losses each year across Europe and globally, and their financial and societal impact is driving urgent action from both regulators and the financial industry.

Regulatory Responses

The growing threat of APP scams has prompted a range of regulatory responses in Europe, targeting different aspects of the problem. Key European regulatory frameworks – including the upcoming PSD3 (Payment Services Directive 3), anti-money laundering directives, the revised eIDAS 2.0 regulation on digital identity, and the European Digital Identity Wallet Architecture Reference Framework – all aim, directly or indirectly, to curb APP fraud and enhance consumer protection.

Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR)

In 2023, the European Commission proposed PSD3/PSR, which for the first time addresses APP fraud at the EU level. The draft PSD3 and its companion regulation introduce provisions to shift some liability onto payment service providers (PSPs) for APP scam losses, rather than burdening victims entirely 24.

In practice, this means establishing reimbursement rights for consumers who are defrauded, similar to how unauthorized transactions are handled, though the exact scope and procedures are still under discussion 25. The Commission’s draft is narrower than the UK regime described later: it grants a refund right where the fraudster impersonated the victim’s own bank (so-called spoofing), conditional on the victim reporting the case to the police and not having acted with gross negligence, and the co-legislators have debated how far to extend it.

PSD3/PSR also seeks to mandate Confirmation of Payee (CoP) checks (termed “Verification of Payee” in the EU context) for bank transfers 26; for euro instant credit transfers the Instant Payments Regulation adopted in 2024 already imposes the same check. Under this requirement, when a customer enters a payee’s name and IBAN, the payer’s bank asks the payee’s bank for the name held against that IBAN and shows the customer the outcome – match, close match (for example a typo or a missing legal suffix), or no match – before the payment is executed, so the customer decides with that information in hand rather than after the money has gone.

This measure, already implemented in the UK, is aimed at preventing classic impersonation scams in which victims believe they are paying a legitimate person or company but the account they were given belongs to someone else. It is a pre-payment control, not a guarantee: a “no match” is a warning the customer can still override, and a fraudster who controls a mule account opened in a matching or similar name will pass the check, which is why a close match must be shown to the payer rather than silently accepted. Additionally, PSD3/PSR will compel banks and payment institutions to improve fraud information sharing and customer authentication practices 27. PSPs will be expected to share data on known fraudsters or mule accounts to create a coordinated defense, and to strengthen Strong Customer Authentication (SCA) rules (for example, making more use of device fingerprinting and transaction risk analytics in payment risk assessments) 28. PSD3 is slated to come into effect around 2026, reflecting a strong regulatory push to standardize how APP scams are prevented and how victims are compensated across all EU member states 29.
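To make the Verification of Payee outcome classes concrete, here is an added example written for this article (it is not scheme specification text or any bank’s implementation) of the payer-bank side of the check in Go. It normalises the name the payer typed, compares it with the name the payee’s bank holds for the IBAN, and reports match, close match, no match or account not found. The registry map stands in for the query to the payee’s bank and is constructed here: the IBANs are the documentation examples from ISO 13616, the account-holder names are invented, and the close-match band (edit distance of at most two after normalisation) is an illustrative threshold, not a scheme rule.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Outcome is the result class a Verification of Payee lookup returns to the payer's bank.
type Outcome string

const (
	Match           Outcome = "match"
	CloseMatch      Outcome = "close_match"
	NoMatch         Outcome = "no_match"
	AccountNotFound Outcome = "account_not_found"
)

// canonIBAN strips spaces and upper-cases, so "GB82 WEST ..." and "gb82west..." look up the same record.
func canonIBAN(iban string) string {
	return strings.ToUpper(strings.Join(strings.Fields(iban), ""))
}

// legalNoise holds tokens that legitimately differ between what a payer types and what the bank stores.
var legalNoise = map[string]bool{"ltd": true, "limited": true, "plc": true, "gmbh": true, "inc": true,
	"llc": true, "the": true, "mr": true, "mrs": true, "ms": true, "dr": true}

// NormalizeName lower-cases, splits on anything that is not a letter or digit and drops noise tokens.
func NormalizeName(name string) string {
	toks := strings.FieldsFunc(strings.ToLower(name), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
	kept := toks[:0]
	for _, t := range toks {
		if !legalNoise[t] {
			kept = append(kept, t)
		}
	}
	return strings.Join(kept, " ")
}

// levenshtein is the rune-wise edit distance behind the close-match band.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cur[j] = prev[j-1] // substitution, free when the runes agree
			if ra[i-1] != rb[j-1] {
				cur[j]++
			}
			if d := prev[j] + 1; d < cur[j] { // deletion
				cur[j] = d
			}
			if d := cur[j-1] + 1; d < cur[j] { // insertion
				cur[j] = d
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// VerifyPayee is the payer-bank side of the check; registry stands in for the payee bank's
// answer to "who holds this IBAN?" and is constructed for this example.
func VerifyPayee(enteredName, iban string, registry map[string]string) Outcome {
	holder, ok := registry[canonIBAN(iban)]
	if !ok {
		return AccountNotFound
	}
	want, got := NormalizeName(holder), NormalizeName(enteredName)
	if got == "" { // nothing left after normalisation (e.g. the payer typed only "Ltd")
		return NoMatch
	}
	switch {
	case want == got:
		return Match
	case levenshtein(want, got) <= 2: // typo band: shown to the payer as a warning, never auto-accepted
		return CloseMatch
	default:
		return NoMatch
	}
}

func main() {
	registry := map[string]string{"GB82WEST12345698765432": "ACME LIMITED", "DE89370400440532013000": "Müller Bau GmbH"}
	for _, c := range [][2]string{{"Acme Ltd", "GB82 WEST 1234 5698 7654 32"}, {"Acne Ltd", "GB82WEST12345698765432"},
		{"John Smith", "DE89370400440532013000"}, {"Acme Ltd", "FR7630006000011234567890189"}} {
		fmt.Printf("%-11s %-30s -> %s\n", c[0], c[1], VerifyPayee(c[0], c[1], registry))
	}
}
```

The asymmetry is the point a practitioner cares about: “Acme Ltd” against a record of “ACME LIMITED” is a clean match, “Acne Ltd” is surfaced as a close match for the payer to judge, and “John Smith” against the Müller Bau account (the impersonation case) is a hard no match. A production service would also validate the IBAN’s mod-97 check digits before the lookup, rate-limit lookups so the service cannot be used to enumerate account holders, and log the outcome the customer was shown, since that record decides later liability disputes.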

Anti-Money Laundering Directives (AMLD) and AML Regulation

A critical aspect of combating APP fraud is disrupting the money laundering networks that scammers use to funnel stolen funds. European anti-money laundering laws, such as the 5th and 6th AML Directives and the new EU AML Regulation adopted in 2024, reinforce requirements that can help address APP scam flows. Banks are required to conduct thorough Know-Your-Customer (KYC) checks and ongoing monitoring of accounts, which makes it harder for fraudsters to open or use bank accounts anonymously.

Under AMLD, suspicious transactions – for instance, rapid receipt and onward transfer of funds by a customer (the pattern typical of “money mule” accounts used in APP scams) – must be flagged and reported. The EU’s new Anti-Money Laundering Authority (AMLA), created by the 2024 AML package, will further facilitate cross-border intelligence on fraudulent funds moving through multiple institutions. While not aimed solely at APP fraud, these measures tighten the net around the recipient side of scams, i.e. the fraudulent accounts that receive victims’ payments. In 2022, about €1.8 billion in payment fraud was reported in the EU (an increase of 7% from the prior year), underlining the need for stronger AML oversight. Regulators are encouraging banks to improve KYC and transaction monitoring controls so that scam proceeds are detected on the receiving account, ideally while the funds are still recoverable. For example, guidelines advise assessing inbound as well as outbound payments for red flags (a recently opened account that receives a large credit and empties it within minutes is the classic signature), and considering customer vulnerability indicators when evaluating fraud claims. By enforcing stricter customer due diligence and facilitating faster freezing and recovery of fraudulent transfers, AML regulations complement consumer protection rules like PSD3 in the fight against APP scams.
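The “rapid receipt and onward transfer” pattern is easy to state and worth seeing as running detection logic. The following Go program is an added example written for this article (not taken from any regulator’s guidance or any vendor’s monitoring product): it parses a constructed ledger of seven transactions and flags every credit of which 80% or more leaves the account again within two hours. The account names, counterparties and amounts are invented, and the two-hour window and 80% ratio are illustrative tuning parameters.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Txn is one ledger entry; amounts are in cents so the arithmetic stays exact.
type Txn struct {
	At           time.Time
	Account      string
	Direction    string // "credit" = money in, "debit" = money out
	AmountCents  int64
	Counterparty string
}

// Alert describes one inbound credit that left the account again almost immediately.
type Alert struct {
	Account        string
	InCents        int64
	OutCents       int64
	MinutesToDrain int
}

// sampleLedger is constructed for this example (time,account,direction,cents,counterparty).
const sampleLedger = `
2024-03-01T09:58:00Z,MULE-01,credit,482000,VICTIM-77
2024-03-01T10:05:00Z,MULE-01,debit,240000,CRYPTO-EXCH
2024-03-01T10:07:00Z,MULE-01,debit,230000,MULE-02
2024-03-01T10:08:00Z,MULE-02,credit,230000,MULE-01
2024-03-01T10:20:00Z,MULE-02,debit,225000,CRYPTO-EXCH
2024-03-01T12:30:00Z,SALARY-ACC,credit,310000,EMPLOYER
2024-03-02T08:00:00Z,SALARY-ACC,debit,95000,LANDLORD
`

// ParseLedger reads the comma-separated records above into Txn values.
func ParseLedger(raw string) ([]Txn, error) {
	var out []Txn
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, errT := time.Parse(time.RFC3339, f[0])
		cents, errC := strconv.ParseInt(f[3], 10, 64)
		if errT != nil || errC != nil {
			return nil, fmt.Errorf("bad timestamp or amount: %q", line)
		}
		out = append(out, Txn{at, f[1], f[2], cents, f[4]})
	}
	return out, nil
}

// DetectPassThrough flags each credit of which at least minRatio of the value leaves the account
// within window. Speed plus ratio is the classic mule signature; a salary spent over weeks never trips it.
func DetectPassThrough(txns []Txn, window time.Duration, minRatio float64) []Alert {
	byAcct := map[string][]Txn{}
	for _, t := range txns {
		byAcct[t.Account] = append(byAcct[t.Account], t)
	}
	var alerts []Alert
	for acct, ledger := range byAcct {
		sort.Slice(ledger, func(i, j int) bool { return ledger[i].At.Before(ledger[j].At) })
		for i, credit := range ledger {
			if credit.Direction != "credit" {
				continue
			}
			var out int64
			for _, debit := range ledger[i+1:] {
				if debit.At.Sub(credit.At) > window {
					break // sorted ledger: nothing later is inside the window
				}
				if debit.Direction != "debit" {
					continue
				}
				out += debit.AmountCents
				if float64(out) >= minRatio*float64(credit.AmountCents) {
					alerts = append(alerts, Alert{acct, credit.AmountCents, out, int(debit.At.Sub(credit.At).Minutes())})
					break
				}
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Account < alerts[j].Account })
	return alerts
}

func main() {
	txns, err := ParseLedger(sampleLedger)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectPassThrough(txns, 2*time.Hour, 0.8) {
		fmt.Printf("%s: %d of %d cents forwarded within %d min\n", a.Account, a.OutCents, a.InCents, a.MinutesToDrain)
	}
}
```

On the sample ledger the rule flags MULE-01 (470,000 of 482,000 cents forwarded within 9 minutes, split between a crypto exchange and a second mule) and MULE-02 (drained in 12 minutes), while the salary account, whose credit is spent the next day, stays silent. In production this would be one feature among several (account age, first-time counterparties, destinations at crypto exchanges) feeding a case for a suspicious transaction report and a possible hold, not a stand-alone blocking rule, and the window would be tuned against the bank’s own false-positive rate.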

eIDAS 2.0 (Revised Electronic Identification, Authentication and Trust Services Regulation)

The eIDAS 2.0 regulation (Regulation (EU) 2024/1183, adopted in April 2024 and in force since May 2024) establishes a framework for a European Digital Identity that citizens and businesses can use across all member states. A cornerstone of eIDAS 2.0 is the introduction of a European Digital Identity Wallet (EUDI Wallet): a secure digital wallet (often a mobile app) provided under state authority that can store verified personal data and credentials (e.g. passports, driver’s licenses, diplomas, bank account attestations, etc.) 30.

The regulation mandates that each member state must issue at least one compliant digital ID wallet to its residents by 2026, following common technical standards and with high security assurances 31. While eIDAS 2.0’s primary goal is to enable convenient and trustworthy electronic identification and data sharing, it has important implications for fraud prevention.

By allowing individuals to prove their identity and attributes digitally with a high level of assurance, eIDAS 2.0 can make it harder for criminals to impersonate someone or use a false identity – a tactic often at the heart of APP scams. For example, under eIDAS 2.0, a bank or business could reliably verify a customer’s identity via their digital wallet when onboarding a new account or confirming a transaction, rather than relying on easily forged documents or self-reported information 32. Strong authentication mechanisms built into the wallets (potentially including biometrics and cryptographic signatures) also reduce the risk of account takeovers. In essence, eIDAS 2.0 creates a trusted digital identity ecosystem that, if integrated with banking and payment services, can help ensure that all parties in a transaction are who they claim to be. This can directly address certain APP scam scenarios (for instance, an imposter would have a much harder time posing as a bank official or a customer if robust digital identity verification is in place). Moreover, by giving users control over sharing only specific attributes (e.g. confirming one’s name and age without revealing other details) 33, the digital wallet can limit the unnecessary exposure of personal data that fraudsters might exploit. The eIDAS 2.0 regulation thus complements financial regulations by strengthening the identity layer of digital transactions, which is a key defense against social engineering fraud.

EU Digital Identity Wallet Architecture and Reference Framework (ARF)

Alongside eIDAS 2.0, the EU has developed a detailed Architecture and Reference Framework (ARF) for the European Digital Identity Wallet, currently in version 1.8. This framework provides the technical and security standards for implementing the digital identity wallets across member states. It covers how wallets should manage credentials, authenticate users, ensure privacy (through features like selective disclosure of individual attributes) and interoperate Europe-wide. While the ARF is a technical guideline rather than law, it is crucial for regulatory alignment: it ensures that the high-level goals of eIDAS 2.0 (security, trust, interoperability) are met in practice. From a fraud perspective, the ARF specifies rigorous security requirements – wallet keys held in a certified Wallet Secure Cryptographic Device (a secure element, trusted execution environment or remote HSM), attestations signed by registered issuers, encrypted transport, and anti-tampering measures – that make the wallets resistant to cloning or forgery. This matters because if the digital identity wallets themselves are compromised, scammers could abuse them to obtain credentials or authorize actions in the victim’s name.

The ARF also envisions integration points where wallets can be used for authentication and authorization in payments. For example, it could enable a scenario where a payment initiation or a Confirmation of Payee check is tied to exchanging verified identity attributes. By establishing a common standard, the ARF helps banks and fintechs incorporate wallet-based identity verification into their services in a consistent way. In summary, the European regulatory response to APP scams is multi-faceted – PSD3/PSR addresses payment processes and liability, AMLD tackles the flow of illicit funds, and eIDAS 2.0 (with the ARF) fortifies the identity verification process – with the overall aim of reducing fraud and enhancing consumer trust in digital payments.

In addition to these EU-wide measures, it’s worth noting the role of national regulators and industry codes. For instance, the UK (though no longer in the EU) has been a forerunner in APP fraud policy: the UK Payment Systems Regulator (also abbreviated PSR, not to be confused with the EU Payment Services Regulation above) introduced mandatory reimbursement for APP scam victims from October 2024, requiring sending and receiving banks to split the cost 50/50 34. This UK approach influenced the PSD3 proposals on liability. Other countries are also updating consumer protection laws and fraud strategies (for example, authorities are gaining powers to quickly take down websites or phone numbers used in scams) 35. Overall, the regulatory environment in Europe is evolving to impose greater responsibility on financial institutions to prevent APP scams and to provide consumers with stronger safety nets, while simultaneously building the infrastructure (like digital identities and verification tools) needed to thwart fraudsters.

Methods Used by Fraudsters

APP scammers employ a wide array of deceptive techniques to convince victims to send them money. At the core of almost all APP scams is social engineering – manipulating a victim’s trust, emotions, or sense of urgency so that they willingly authorize a payment they shouldn’t. Below are some of the most common methods and tactics used by fraudsters, along with recent evolutions in their approach:

Impersonation Scams

The fraudster pretends to be someone trustworthy – often a bank representative, police officer, government official, or utility company employee. They contact the victim by phone (vishing), text (smishing), email, or even in person, and create a false narrative that convinces the victim to transfer money. For example, a scammer might call claiming to be from the victim’s bank’s fraud department, warning of “suspicious activity” and instructing the victim to move funds to a “safe account” (which is actually the scammer’s account). Because the request appears urgent and comes from a figure of authority (sometimes even with spoofed caller ID matching the bank’s number), victims can be persuaded to act quickly. Bank impersonation and similar authority scams are particularly damaging – they often involve large sums and account for a substantial share of losses (many high-value APP cases start with a phone call from someone impersonating a bank or law enforcement) 36.

Purchase and Sales Scams

A very common form of APP fraud involves fake purchases. Scammers post bogus advertisements for goods or services (for instance, a used car, concert tickets, electronics, or rental property) on online marketplaces, auction sites, or social media. When a victim attempts to buy the item, the fraudster will insist on a direct bank transfer (push payment) rather than using a protected platform or escrow. Once the payment is made, the supposed seller disappears and no product is delivered. Purchase scams made up about 57% of all APP fraud cases in 2022 by volume in the UK 37, illustrating how frequent this tactic is. The values per case tend to be smaller, but collectively, it amounts to significant losses and can affect any consumer who shops online.

Investment and Cryptocurrency Scams

These schemes lure victims with the promise of high returns on investments. Scammers create professional-looking websites or profiles advertising opportunities in stocks, bonds, forex, or cryptocurrency that yield unrealistically good profits.

Often, they use social media ads or phishing emails to attract victims. Once a victim is interested, the fraudster (posing as an investment advisor or company representative) convinces them to transfer funds as an “investment.” In reality, there is no investment – the money goes straight to the scammers. Investment scams often involve larger sums per victim; in 2022 they comprised roughly 24% of APP scam losses by value in the UK 38. A contemporary twist is the “crypto investment” scam, where fraudsters direct victims to fake cryptocurrency trading platforms – the victim sees fake account balances growing after their deposits, but when they attempt to cash out, the scammers either vanish or demand additional fees. By the time the victim realizes, the crypto (or fiat funds) have been moved and laundered. These scams leverage the complexity of financial markets and cryptocurrencies to exploit victims’ hopes of quick gains.

Romance and Friendship Scams

Here, fraudsters target individuals on dating apps, social networks, or forums by creating a fake persona to build an emotional connection. Over weeks or months, they gain the victim’s trust and affection. Once trust is established, they fabricate a reason to request money – it could be an emergency (like a medical bill or legal trouble), a travel cost to visit the victim, or a lucrative investment they want to share with the victim. Believing they are helping someone they care about, the victim authorizes one or multiple payments to the scammer. These scams can be particularly cruel, as they exploit emotions and often leave victims not only financially hurt but also heartbroken and embarrassed.

Invoice and Business Email Compromise (BEC) Scams

Businesses are frequently targeted through invoice scams or CEO fraud. In an invoice redirection scam, fraudsters impersonate a legitimate supplier or contractor and inform a company that the supplier’s bank account details have changed. They often do this by hacking or spoofing the email account of the supplier or by sending a convincingly formatted letter. The company then unwittingly sends the next payment to the fraudster’s account. The standard control is procedural rather than technical: any change of supplier bank details is confirmed by calling a number already on file, never one taken from the request itself. CEO fraud is another BEC tactic: attackers spoof the email of a high-ranking executive (or hack it) and send urgent payment instructions to an employee in the finance department (e.g., “We need to wire €50,000 to this account immediately for a confidential acquisition – I’ll explain later”). The employee, thinking the request is legitimate and time-sensitive, executes the payment. Because these scams involve payments the company itself authorized, they fall under APP fraud (here the business, rather than a consumer, is the victim). They can result in very large losses for businesses in a short time.

Emerging AI-Driven Scams

Fraudsters are increasingly leveraging advanced technology like artificial intelligence to enhance their social engineering schemes. One alarming development is the use of AI-based voice cloning and deepfakes. Scammers can obtain a sample of someone’s voice (for example, from a social media video or a phone call) and use AI software to create a voice model. They can then call a victim using that cloned voice – for instance, mimicking a CEO, a relative, or any trusted person – to convincingly request a transfer of funds. This has already been reported in cases where company employees received calls that sounded exactly like their boss instructing a payment, when in fact it was a scammer with a cloned voice.

According to industry insights, the use of AI deepfake content has spiked dramatically – one report noted a 780% increase in detected AI-powered deepfakes in Europe between 2022 and 2023 39. Video deepfakes (though more complex to deploy in real-time scams) and AI-generated realistic profile photos are also being used in romance or investment scams to create the illusion of legitimate identities. By making scam communication more authentic and personalized, these AI techniques make it much harder for victims to discern truth from fraud. As Visa’s fraud experts observe, scammers are “harnessing tools like AI to devise ever-more sophisticated tactics,” using AI-driven voice imitation and deepfake tech to produce communications that seem genuine 40. The quality of scam attempts is improving to the point that even vigilant individuals can be fooled 41.

Use of Spoofing and Malware

Many APP scams are facilitated by technology that obscures the scammer’s true identity or location. Caller ID spoofing is widely used – fraudsters can mask their phone number to display the number of a bank or any trusted entity on the victim’s phone. This greatly increases the credibility of phone-based scams (“vishing”). Similarly, email spoofing or domain spoofing is used to send emails that look like they come from a legitimate company (e.g., using an email address almost identical to a real one). In some sophisticated cases, malware may be involved – for example, a trojan on a victim’s computer might intercept a legitimate payment they are trying to make and silently swap in the scammer’s bank details (though this blurs the line into unauthorized fraud). More commonly, malware might be used to gather information that aids social engineering (such as reading bank texts or emails to know how to impersonate). However, the hallmark of APP fraud is that the victim ultimately authorizes the payment themselves; malware generally plays a supporting role by stealing data rather than directly making the transfer.

Mule Accounts and Money Laundering

After tricking a victim into sending money, fraudsters rapidly try to launder the funds to prevent recovery. This often involves networks of “money mules” – individuals (sometimes complicit, sometimes duped via work-from-home scams) who allow their bank accounts to be used to receive and forward funds.

The stolen money might hop through several mule accounts in different banks and countries within minutes. Increasingly, criminals convert funds into cryptocurrency soon after receipt, since crypto exchanges and mixers can obscure the money trail 42. They may also purchase high-value goods or gift cards with the stolen money to quickly convert it. The speed of instant payments makes this process faster than ever – in a matter of hours, stolen funds can become effectively untraceable. This laundering step doesn’t directly involve the victim, but it’s a crucial part of the scam lifecycle that allows fraudsters to cash out and makes APP fraud particularly hard to combat after the fact.

An adaptive and opportunistic adversary

In summary, APP fraudsters are adaptive and opportunistic. They exploit human psychology through social engineering in its many forms – fear (imminent account compromise), greed (investment opportunity), love (romance), or authority (obedience to a supposed official). The channels used range from social media messages to phone calls and emails. Notably, a large proportion of APP scams now originate online: around 78% of cases start via online platforms (such as social media, e-commerce sites, or messaging apps) according to UK data 43, and roughly 70% of scams in the US have been linked to social media platforms (Meta’s platforms in particular) 44. The remaining cases often start with telephone contact (vishing or SMS), which, while fewer in number, tend to involve higher-value scams (e.g. impersonating police or bank officials) 45. Fraudsters take advantage of whatever medium the target is most likely to trust. With the advent of AI and vast amounts of personal data available from data breaches and social networks, scams are growing more convincing. The authenticity of fraudulent communications is improving, making it increasingly challenging for individuals to spot a scam before it’s too late 46. This ever-evolving toolkit of the fraudsters underscores the need for equally adaptive defenses.

Implications for Digital Identity Wallets

The emergence of European Digital Identity Wallets (as enabled by eIDAS 2.0 and the ARF framework) introduces both new opportunities and new considerations in the context of APP scams. These wallets will allow individuals to store and share verified personal data (such as identity documents, certificates, bank account information, etc.) through a secure mobile app under their control 47. The integration of such digital identity systems with financial services can significantly influence the security and trustworthiness of personal data sharing and, by extension, the fraud landscape.

On one hand, digital identity wallets can bolster security and trust in online transactions, potentially reducing certain risks of APP scams. With a trusted wallet, users can prove their identity or attributes to service providers with a high level of assurance. For example, a user could share a verified credential (issued by a government or bank) attesting to their name and bank account number. If banks and payment apps utilize this feature for Confirmation of Payee, a sender could confirm the identity of a payee before sending money. Imagine receiving an invoice from a contractor: using a digital wallet, the contractor could send you a signed credential proving their business identity and the IBAN of their bank account. You as the payer would then be confident that your transfer is going to the right entity, not an impersonator. This kind of identity verification for payees could thwart many impersonation and invoice diversion scams, which rely on victims not realizing the account details are fraudulent. In essence, the wallet can serve as a source of truth about who owns a given account or who is on the other end of a transaction.
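The contractor scenario just described, together with the attribute-level disclosure mentioned in the eIDAS 2.0 and ARF sections, can be shown end to end with a small salted-hash selective-disclosure credential. The following Go program is an added example written for this article in the spirit of SD-JWT; it is not the ARF’s wire format and not code from any wallet, bank or registry. The issuer and subject identifiers (did:example:…), the business and its claims are invented, Ed25519 stands in for whatever signature suite a real issuer uses, and the trust list is a plain map standing in for the eIDAS trusted list a verifier would consult.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Disclosure is what the wallet stores per claim; its random salt ties the claim to one digest, so a digest alone reveals nothing.
type Disclosure struct{ Salt, Name, Value string }
type Payload struct { // what the issuer signs: digests only, so any subset of claims can be revealed later
	Issuer  string   `json:"issuer"`
	Subject string   `json:"subject"`
	Digests []string `json:"digests"` // sorted hex SHA-256 commitments
}
type Credential struct {
	Payload   Payload
	Signature []byte // Ed25519 over the JSON-encoded Payload
}
type Presentation struct { // signed credential plus only the disclosures the holder reveals
	Credential Credential
	Disclosed  []Disclosure
}
type TrustList map[string]ed25519.PublicKey // issuer id -> key; stands in for the eIDAS trusted list

// NewIssuerKey makes the issuer's long-term signing key.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand reads cannot return an error since Go 1.24
	return pub, priv
}

func digestOf(d Disclosure) string {
	sum := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(sum[:])
}

// Issue commits to every claim and signs the sorted digest list; the disclosures go to the holder's wallet.
func Issue(priv ed25519.PrivateKey, issuer, subject string, claims map[string]string) (Credential, []Disclosure) {
	discl, digests := []Disclosure{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // see NewIssuerKey: crypto/rand does not fail, it aborts on a broken system
		d := Disclosure{hex.EncodeToString(salt), name, value}
		discl = append(discl, d)
		digests = append(digests, digestOf(d))
	}
	sort.Strings(digests) // fixed order, so position reveals nothing about which claim is which
	p := Payload{issuer, subject, digests}
	msg, _ := json.Marshal(p) // a struct of strings cannot fail to encode
	return Credential{p, ed25519.Sign(priv, msg)}, discl
}

// Present picks, by claim name, the disclosures the holder agrees to reveal.
func Present(cred Credential, all []Disclosure, reveal ...string) Presentation {
	pres := Presentation{Credential: cred}
	for _, name := range reveal {
		for _, d := range all {
			if d.Name == name {
				pres.Disclosed = append(pres.Disclosed, d)
			}
		}
	}
	return pres
}

// Verify checks the issuer signature against the trust list, then proves each revealed claim
// is one the issuer committed to, and returns those claims.
func Verify(pres Presentation, trusted TrustList) (map[string]string, error) {
	pub, ok := trusted[pres.Credential.Payload.Issuer]
	if !ok {
		return nil, errors.New("issuer not on trust list")
	}
	msg, _ := json.Marshal(pres.Credential.Payload)
	if !ed25519.Verify(pub, msg, pres.Credential.Signature) {
		return nil, errors.New("issuer signature does not verify")
	}
	digests, claims := pres.Credential.Payload.Digests, map[string]string{}
	for _, d := range pres.Disclosed {
		dg := digestOf(d)
		if i := sort.SearchStrings(digests, dg); i == len(digests) || digests[i] != dg {
			return nil, errors.New("claim " + d.Name + " was altered or never issued")
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv := NewIssuerKey()
	claims := map[string]string{"legal_name": "Müller Bau GmbH", "iban": "DE89370400440532013000", "vat_id": "DE123456789"} // constructed
	cred, discl := Issue(priv, "did:example:payee-bank", "did:example:mueller-bau", claims)
	seen, err := Verify(Present(cred, discl, "legal_name", "iban"), TrustList{"did:example:payee-bank": pub})
	fmt.Println("payer sees:", seen, err) // vat_id stays with the holder
}
```

The payer’s verifier learns only legal_name and iban; vat_id stays with the holder, yet every revealed value is provably one the issuer committed to, so an invoice-redirection attempt that swaps the IBAN inside the presentation fails the digest check, and a credential from an issuer not on the trust list is rejected before any claim is read. Omitted for brevity are holder key binding (so a copied presentation cannot be replayed by someone else), a nonce and audience tied to the verifier’s request, and revocation checking, all of which a real relying-party exchange carries.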

Additionally, digital ID wallets can help with strong authentication and consent for transactions. Since the wallets will be secured (likely with PINs, biometrics, and cryptographic keys), they could be used to approve sensitive actions. For instance, a bank could integrate wallet-based login or payment confirmation: the user would receive a request in their wallet to confirm a payment or share data, which they approve with a high-assurance digital signature. This reduces reliance on more phishable methods like one-time SMS codes. If the wallet is used to authorize payments, it could include built-in checks or more visible information about the recipient, possibly alerting the user to any discrepancies. The high level of identity assurance provided by eIDAS-compliant wallets means that if both sender and receiver in a transaction use verified identities, it becomes much harder for a scammer to masquerade as someone else. The trust framework behind the wallets (with government-backed verification and accredited providers) strengthens the overall ecosystem of digital trust, ideally making users more secure when sharing personal data or making payments online 48.

However, there are also risks and challenges associated with digital identity wallets in the context of APP scams. By design, these wallets enable the sharing of personal data at the user’s discretion. A savvy scammer might attempt to exploit that trust by tricking a user into sharing certain credentials or authorizing an action via the wallet. For example, a fraudster could impersonate a legitimate organization’s website or app and trigger a fake identity information request to the user’s wallet. If the user isn’t careful, they might see a prompt in their wallet and approve it, thinking it’s a routine verification, when in fact they are sending a copy of their ID or other sensitive data to a scammer. Similarly, a scammer could socially engineer a victim into signing a transaction or document using their digital ID wallet under false pretenses. Because the wallet is a powerful tool (a bit like a digital passport and signature device), if a victim can be convinced to misuse it, the consequences could be serious – e.g., unwittingly signing a “consent” that allows the scammer to debit their bank account or share all their personal details. The success of such fraudulent ploys would depend on defeating the wallet’s safeguards (like confirming the genuine identity of the requesting service), but human error or sophisticated phishing could potentially overcome those safeguards.

Another consideration is that digital wallets themselves could be targeted by criminals. If a fraudster manages to compromise a person’s wallet (through phone malware, phishing the wallet credentials, or exploiting a security flaw), it could grant them access to a trove of verified personal information. That data could be used to perpetrate APP scams (or other identity fraud) against the wallet owner or others. For instance, stolen identity credentials could be used to open bank accounts (to be used as mule accounts) or to impersonate the victim in other contexts. The Architecture and Reference Framework addresses many security aspects to prevent unauthorized access, but no system is entirely immune. Thus, the security of the wallet software and the care users take with it are critical. Users will need to be educated to treat their digital identity like a sensitive document – if a scammer convinces them to divulge their wallet PIN or recovery phrase, it would be equivalent to handing over all their IDs.

There’s also a potential false sense of security issue. Users might believe that because they are using a government-backed digital ID, everything they do with it is safe. Scammers could capitalize on this by, say, creating fake government portals or communications asking citizens to “update” their digital wallet or to make a payment verified by their digital ID. If users do not learn to check who is requesting data through the wallet (eIDAS 2.0 requires relying parties to register before they may ask a wallet for attributes, and the wallet shows the requester’s registered identity and the data it is entitled to request), they could still be deceived. Essentially, the wallet can prove who you are to a service, and it can show that the requester is registered – but it cannot alone prove whether a service or person is legitimate or whether the reason given for the request is true. That still requires user judgment and/or additional trust infrastructure.

To maximize the positive impact and mitigate risks, regulatory alignment and implementation choices will be key. The rollout of EU digital wallets will need to be accompanied by anti-fraud measures and user education. This could include features like warnings to users if a large amount of personal data is being shared, AI-based anomaly detection (e.g., alerting if a usually inactive wallet suddenly tries to share many credentials, indicating possible coercion), and clear displays of the requesting party’s identity (so users can spot if something looks off). Regulators might also encourage or require that certain high-risk transactions use identity wallet verification. For example, future regulations could mandate that any request to transfer above a certain amount to a new payee must involve a “verify payee identity via eIDAS wallet” step, adding friction to high-risk scenarios. The Confirmation of Payee (CoP/VoP) system planned under PSD3 could potentially be enhanced by integration with digital identity: instead of just matching a name, the system could leverage an identity credential to confirm the beneficiary’s identity with certainty.

In the big picture, European digital identity wallets have the potential to enhance trust in digital interactions – a benefit for fighting scams – but they are not a silver bullet. APP scams ultimately prey on human trust and decision-making. The wallets will provide new ways to establish trust (through verified identity data) which can deter fraud, but users and institutions must use those capabilities wisely. If widely adopted, these wallets could make impersonation much harder: a bank official could prove their role via a credential, a business could prove its identity to customers, and individuals could verify each other in peer-to-peer transactions. This creates an environment where transactions and data sharing are backed by mutual proof of identity, potentially squeezing out a lot of fraud opportunities. Conversely, if adoption is low or the systems are not user-friendly, scammers will continue relying on the weakest link – which is often the human element. Therefore, the implication for personal data sharing via digital wallets is that it can be far more secure than today’s ad-hoc methods (scans of documents, etc.), but it must be deployed alongside robust fraud awareness. Users should be trained to treat wallet data requests with the same caution as any other sensitive approval: always confirm the source. Aligning the regulatory frameworks – payments, AML, digital identity – will be essential so that, for example, a bank accepts a digital ID credential for KYC (making it easier to verify identities) 49, or that law enforcement can use digital identity logs to help trace fraud. The good news is that the EU’s strategy is indeed multi-pronged, and the digital identity initiative is being developed with privacy and security at its core, which should strengthen trust online 50.

In summary, digital identity wallets can significantly improve the security of personal data sharing and transactions by providing trusted verification, but they must be integrated thoughtfully into the financial ecosystem with attention to new fraud tactics that might arise.

Recommendations and Future Outlook

Combating APP scams requires a coordinated approach that spans policy, industry practices, and technology. Below are key recommendations and insights for mitigating APP scam risks, as well as a look at the future outlook:

  • Enhance Cross-Sector Collaboration: Banks alone cannot eliminate APP fraud; cooperation with technology platforms, telecom companies, and law enforcement is crucial. A large portion of scams originate on social media and online platforms 51, so those platforms need to actively police fraudulent content and accounts. Recent initiatives show the way – for example, Meta (Facebook) partnered with UK banks and the nonprofit Stop Scams UK in 2024 to share data on scam ads, leading to the removal of thousands of scam accounts and posts 52. This kind of cross-sector data sharing and rapid takedown of scam infrastructure (fake websites, phone numbers, profiles) should be expanded. Regulators should enforce obligations on online platforms (as in the EU’s Digital Services Act or the UK’s Online Safety regime) to prevent fraud at the source. Telecom providers must continue efforts to block spoofed calls and scam SMS. Governments can facilitate information exchange through fusion centers or centralized fraud databases while respecting privacy.
  • Strengthen Customer Education and Warnings: Public awareness is one of the strongest defenses against APP scams. Banks and authorities should continuously educate customers about the latest scam techniques – for instance, running awareness campaigns about AI-driven impersonation or circulating examples of common scam scripts. In banking apps and online banking interfaces, well-timed warnings can be very effective (e.g., if a user is about to transfer a large sum to a new payee, flash a warning: “Could this be a scam? Banks/police will never ask you to move money to a ‘safe’ account.”). Studies show many victims ignore generic warnings, but personalized or contextual alerts can give pause. Some banks use short delays on first-time payments to new beneficiaries, during which they may message the customer with fraud prevention advice – this gives the customer a moment to rethink. Educational efforts should also extend to businesses (training employees about BEC scams) and vulnerable groups in society. Ultimately, a well-informed user is less likely to fall for social engineering. As the UK’s fraud prevention community emphasizes: stopping fraud requires a broad coalition and keeping consumers vigilant 53.
  • Adopt Advanced Fraud Detection Technologies: Financial institutions should leverage modern technologies – particularly AI and machine learning – to detect and prevent APP scams in real time. Traditional rule-based fraud engines are not always effective for APP fraud because the transactions are initiated by legitimate users, so the usual red flags (like an unauthorized login) may not appear. However, AI can analyze a wider range of risk signals. For example, banks can deploy behavioral analytics to notice when a customer’s behavior during a session is unusual (perhaps indicative of being coached by a scammer) – such as atypically fast navigation, unusual hesitancy, or the use of copy-paste for information that is normally typed 54. Device intelligence is another signal: if a user is authorizing a payment on their phone but their device location and behavior seem inconsistent with their past patterns, it could warrant additional verification 55. AI models can also cross-reference fraud data across institutions: companies like Visa are developing real-time payment analytics networks to identify patterns of APP fraud that single banks might miss 56. For instance, if multiple customers at different banks are suddenly sending money to the same payee, an AI network could flag that payee as suspicious in all banks simultaneously. Monitoring of payee accounts is as important as monitoring payers 57. Fraud platforms now aim to score not just the transaction but the recipient – if an account is receiving funds from many unrelated people or has other mule-like characteristics, new incoming transfers to it can be halted pending review. By embracing such technologies, banks can move closer to preventing scams before funds leave the victim’s account.
  • Implement Confirmation of Payee (CoP) and Beyond: While Confirmation of Payee (the system that checks if the beneficiary name matches the account) is not a foolproof solution, it has been shown to intercept some mistakes and scams. The UK’s CoP system, launched in 2019, has helped catch mismatches (e.g., when an impersonator gives a victim an account number that belongs to “John Doe” but the victim intended to pay a company named “XYZ Ltd.”). The upcoming Verification of Payee requirement in the EU (via PSD3) will extend this safeguard across Europe 58. Banks should implement these name-check systems as soon as possible and make the results very clear to customers. If a name does not match, the payment should be paused and the customer explicitly asked to confirm they still want to proceed. That said, scammers can sometimes work around CoP by opening mule accounts in names similar to their cover story. Therefore, CoP should be seen as one layer – helpful but not sufficient. In the future, integrating CoP with digital identity verification (as discussed in the previous section) could take this a step further, essentially confirming payee identity, not just name spelling.
  • Establish Liability and Reimbursement Frameworks: A critical policy measure is the establishment of consistent rules for reimbursing victims of APP fraud. When victims know they have some safety net, they are more likely to report scams promptly (helping authorities respond) and less likely to suffer devastating financial ruin. Moreover, when banks are liable for fraud losses (even partially), they have a stronger incentive to invest in prevention. The UK’s move to mandate reimbursement for most APP scam victims (with costs split 50/50 between sending and receiving banks) is a promising model 59. The EU’s PSD3 proposal hints at similar liability shifts 60. Policymakers should refine these rules to ensure fairness – for example, setting reasonable conditions under which a claim could be denied (such as proven gross negligence by the customer, which should be a high bar) 61. A balanced reimbursement regime will spread losses in the system but ultimately drive them down by motivating all parties to prevent fraud. It’s also important that such schemes cover not just consumers but, where feasible, small businesses who can be equally victimized. Clear liability also pushes innovation: if receiving banks know they might eat half the loss, they will do more to vet and monitor new accounts (to avoid onboarding fraudsters). Law enforcement mechanisms should complement this by aggressively pursuing organized fraud rings so that fewer scams occur in the first place.
  • Leverage Digital Identity and Authentication: As the European Digital Identity Wallets come online, banks and payment providers should incorporate them to strengthen user authentication and verification. For instance, using the wallet for customer login or transaction approval can add an extra layer of security (with cryptographic proof of identity) beyond passwords or SMS codes. Over time, encourage customers to verify important payees or documents via the wallet. Industry groups and regulators can develop standard protocols where, say, an online merchant or a charity can present a digitally signed credential to the payer’s wallet confirming who they are. This would create a chain of trust in transactions. In addition, banks could issue their own credentials (like a proof of account ownership or a payment mandate) into the wallet, which customers could use in interactions with other institutions. Embracing the wallet ecosystem not only improves security but also helps banks meet KYC/AML obligations more efficiently (since they can rely on eIDAS-verified identities) 62. As a best practice, financial institutions should be actively participating in pilots and working groups for the EU digital identity framework, to ensure that the system is designed with fraud mitigation in mind from the start.
  • Invest in Anti-Fraud AI and Analytics: The same AI that is empowering scammers can be used by defenders. The industry should invest in machine learning models trained on large datasets of fraud cases to identify subtle signals of APP scams. These models can continuously learn and adapt as new fraud patterns emerge. For example, natural language processing (NLP) algorithms might be used to analyze the content of payment references or communications (if available) to detect scam-related language. Voice analytics AI could potentially be employed on customer service lines to detect if a caller is under duress or being coached in real time. As suggested by Visa’s whitepaper, data-driven strategies and AI tools are among the best countermeasures to the AI-enhanced tactics of scammers 63. The future might also see shared utilities or consortia where multiple banks contribute data to a common AI service that flags risky transactions across the network (since a fraudster often strikes at multiple institutions). While respecting privacy, pooling non-personal fraud telemetry can greatly improve detection accuracy.
  • Rapid Response and Recovery Mechanisms: Despite best efforts, some scams will succeed. Thus, improving the post-incident response is important to mitigate impacts. Banks should have procedures to quickly freeze funds that are suspected to be fraudulent, and inter-bank communication channels to notify the receiving bank to hold the money (many countries are adopting rapid freezing orders or networks for this purpose). The sooner a scam is reported, the higher the chance of recovering funds before they are moved or cashed out. Law enforcement agencies in Europe are increasingly treating fraud as a top priority (given its high incidence), which is leading to dedicated fraud task forces. Strengthening public-private partnerships for fraud (as seen in the UK’s Joint Fraud Taskforce model) can ensure swift action when scams are reported. Moreover, continuing to take down mule networks is key – if we make it hard for scammers to find mule accounts, we choke their ability to cash out, thereby disincentivizing the scams. AML regulations will support this by clamping down on those who recruit or operate as mules.
  • Future Outlook – Staying Ahead of Evolving Scams: Looking ahead, APP scams are likely to continue evolving in sophistication. The arms race between fraudsters and defenders will persist. We can expect scammers to further abuse emerging technologies like deepfake videos, AI chatbots (perhaps to run dozens of simultaneous scam conversations), and even malicious uses of upcoming technologies (for instance, exploiting any weaknesses in digital identity systems, or using augmented reality to fake identities in video calls). On the flip side, financial institutions and regulators are becoming more proactive and collaborative. By 2026-2027, the combined impact of PSD3, the new AML Authority, and eIDAS 2.0 should create a more hostile environment for APP fraud in Europe – with better cross-bank cooperation, stronger identity verification, and more consistent protections for customers. Real-time payments will soon be the norm across the EU (with the push for SEPA Instant Credit transfers), so improving security around them is paramount; the measures being put in place now aim to balance speed with safety.
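Two of the layers recommended above, the Confirmation of Payee name check and the payee-side concentration signal (many unrelated payers at several banks paying one account in a short window), combined into a single screening step for an outgoing push payment, as an added example that is not code from the article or from any vendor it cites. The name-matching rules, the thresholds (5 payers across 2 banks within 48 hours, a 1,000 first-payment warning level), the account labels and the transfer history are constructed assumptions.

```python
"""Added example (not from the article or any named vendor): CoP name check
plus payee-concentration scoring for one outgoing push payment. All names,
accounts, thresholds and history rows are constructed for illustration."""
import re
import unicodedata
from datetime import datetime, timedelta

NOISE = {"ltd", "limited", "plc", "mr", "mrs", "ms"}        # ignored in name matching
SEVERITY = {"ALLOW": 0, "WARN": 1, "PAUSE": 2, "HOLD": 3}    # most severe action wins


def normalise_name(name):
    """Fold case, strip accents and punctuation, drop legal/title noise words."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]", " ", s.lower())
    return [t for t in s.split() if t not in NOISE]


def cop_check(entered_name, account_holder):
    """MATCH, CLOSE_MATCH or NO_MATCH between the name the payer typed and the
    name the receiving bank holds for that account number."""
    a, b = normalise_name(entered_name), normalise_name(account_holder)
    if a == b:
        return "MATCH"
    if set(a) == set(b):                      # same words, different order
        return "CLOSE_MATCH"
    if len(a) == len(b) and all(              # initial vs full name: "J Doe" / "John Doe"
            x == y or (len(x) == 1 and y.startswith(x)) or (len(y) == 1 and x.startswith(y))
            for x, y in zip(a, b)):
        return "CLOSE_MATCH"
    return "NO_MATCH"


def payee_concentration(history, payee_account, now, window_hours=48):
    """(distinct payers, distinct payer banks) that paid payee_account in the window.
    history rows: (timestamp, payer_bank, payer_id, payee_account, amount).
    Cross-bank visibility needs a shared fraud network; the list stands in for it."""
    since = now - timedelta(hours=window_hours)
    recent = [r for r in history if r[3] == payee_account and r[0] >= since]
    return len({(r[1], r[2]) for r in recent}), len({r[1] for r in recent})


def screen_transfer(entered_name, account_holder, payee_account, amount,
                    history, now, new_payee=True, high_value=1000.0,
                    min_payers=5, min_banks=2):
    """Run both layers and return (action, reasons)."""
    findings = []
    cop = cop_check(entered_name, account_holder)
    if cop == "NO_MATCH":
        findings.append(("PAUSE", "CoP: name does not match account holder; customer must confirm"))
    elif cop == "CLOSE_MATCH":
        findings.append(("WARN", f"CoP: close match, show held name '{account_holder}'"))
    payers, banks = payee_concentration(history, payee_account, now)
    if payers >= min_payers and banks >= min_banks:
        findings.append(("HOLD", f"payee received funds from {payers} payers at {banks} banks; hold for review"))
    if new_payee and amount >= high_value:
        findings.append(("WARN", "large first payment to a new payee; show scam warning"))
    action = max((f[0] for f in findings), key=SEVERITY.get, default="ALLOW")
    return action, [f[1] for f in findings]


def demo():
    """Constructed history: six unrelated people at three banks paid ACC-MULE-1
    within the last day, plus one ordinary payment to a tradesperson."""
    now = datetime(2025, 1, 15, 12, 0)
    senders = [("BankA", "p1"), ("BankA", "p2"), ("BankB", "p3"),
               ("BankB", "p4"), ("BankC", "p5"), ("BankC", "p6")]
    history = [(now - timedelta(hours=i + 1), b, p, "ACC-MULE-1", 900.0)
               for i, (b, p) in enumerate(senders)]
    history.append((now - timedelta(hours=2), "BankA", "p9", "ACC-PLUMBER-1", 120.0))
    scam = screen_transfer("XYZ Ltd", "John Doe", "ACC-MULE-1", 2500.0, history, now)
    benign = screen_transfer("John Smith", "John Smith", "ACC-PLUMBER-1", 120.0, history, now)
    return scam, benign


if __name__ == "__main__":
    for label, (action, reasons) in zip(("scam", "benign"), demo()):
        print(label, action, reasons)
```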

In the best-case scenario, a few years down the line, we will have a Europe where: most consumers use a secure digital ID wallet to authenticate important transactions; name-checking of payees is standard; banks share fraud data instantly; and victims are promptly reimbursed and supported. Fraudsters, facing more hurdles (e.g. difficulty in anonymizing themselves or retaining proceeds), may shift to other types of crime or be deterred altogether. However, reaching that point requires diligent implementation of policies and continuous innovation in fraud defenses. Industry best practices – such as those listed above (multi-layered detection, user education, collaboration) – need to be ingrained and regularly updated. Policymakers should remain open to adjusting regulations as new threats emerge (for example, if AI scams become too advanced, perhaps certification of audio/video communications could be considered to verify authenticity).

In conclusion, Authorized Push Payment scams are a significant challenge for the European financial ecosystem, but not an insurmountable one. By addressing the issue from multiple angles – regulatory frameworks (PSD3, AMLD, eIDAS) that protect and empower consumers, technological tools that detect and prevent fraud in real time, and cooperative efforts across industries – Europe can substantially reduce the prevalence and impact of APP scams. The introduction of European digital identity wallets, in particular, heralds a new era of trusted digital interactions, which, if harnessed correctly, will bolster the fight against fraud. Stakeholders must ensure that security, vigilance, and user-centric design remain at the forefront. As fraudsters innovate, so too must the defenders: the same advanced tools and data analytics that scammers exploit can and should be used to outsmart them 64. With ongoing commitment, the balance can be tilted in favor of secure and fraud-resilient digital payments, preserving consumer confidence in the fast-evolving digital economy.

Informative references

Visa APP Scam Whitepaper (2023) – Visa Europe’s commissioned research detailing the scale, impact, and evolving tactics of APP scams, including data from a Mintel survey of 2,000 UK respondents.

UK Finance Fraud Report (2023) – Annual fraud statistics published by UK Finance, detailing losses and trends in APP scams and financial crime in the UK.

European Commission PSD3/PSR Proposal (2023) – The official EU proposal introducing new regulatory measures addressing APP fraud, liability frameworks, and mandatory verification of payees.

Anti-Money Laundering Directives (AMLD) and EU AML Regulation – Legislative measures focused on preventing financial crime, including money laundering related to APP fraud.

eIDAS 2.0 Regulation (2024) – European digital identity framework enabling secure authentication and verification, with implications for preventing identity fraud in financial transactions.

European Digital Identity Wallet Architecture and Reference Framework (ARF) v1.5 – Technical specifications for implementing secure digital identity wallets in the EU.

Financial Conduct Authority (FCA) and Payment Systems Regulator (PSR) Reports (2023-2024) – Updates on UK regulations mandating APP fraud reimbursements and industry-wide fraud prevention measures.

Interpol and Europol Reports on Financial Crime Trends (2023) – Analyses on the global rise of real-time payment fraud and law enforcement strategies.

Reports from National Regulatory Agencies (France, Germany, Netherlands, and Italy) – Country-specific fraud prevention initiatives and banking sector reports on APP fraud trends.

Banking and Fintech Industry Reports (2023-2024) – Insights from major financial institutions, fintech providers, and security research firms on real-time fraud detection using AI and analytics.

Footnotes

  1. (APP scams | Payment Systems Regulator) (APP Fraud: A growing global crisis in payments | LSEG)
  2. (APP scams | Payment Systems Regulator)
  3. (Visa APP Scam Whitepaper)
  4. (Visa APP Scam Whitepaper) (Visa APP Scam Whitepaper)
  5. (Visa APP Scam Whitepaper)
  6. (Visa APP Scam Whitepaper)
  7. (Understanding APP Fraud Trends and New Regulations in Europe)
  8. (APP Fraud: A growing global crisis in payments | LSEG)
  9. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  10. (Understanding APP Fraud Trends and New Regulations in Europe)
  11. (Understanding APP Fraud Trends and New Regulations in Europe)
  12. (Understanding APP Fraud Trends and New Regulations in Europe)
  13. (Visa APP Scam Whitepaper)
  14. (Visa APP Scam Whitepaper)
  15. (Visa APP Scam Whitepaper)
  16. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  17. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  18. (Understanding APP Fraud Trends and New Regulations in Europe) (Understanding APP Fraud Trends and New Regulations in Europe)
  19. (Visa APP Scam Whitepaper) (Visa APP Scam Whitepaper)
  20. (Visa APP Scam Whitepaper) (Visa APP Scam Whitepaper)
  21. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  22. (APP Fraud: A growing global crisis in payments | LSEG)
  23. (Visa APP Scam Whitepaper)
  24. (Understanding APP Fraud Trends and New Regulations in Europe)
  25. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  26. (Understanding APP Fraud Trends and New Regulations in Europe) (APP Fraud: A growing global crisis in payments | LSEG)
  27. (APP Fraud: A growing global crisis in payments | LSEG)
  28. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  29. (APP Fraud: A growing global crisis in payments | LSEG)
  30. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU) (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  31. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  32. (What is the impact of EU digital ID wallets on banks and financial institutions? – ThePaypers) (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  33. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  34. (APP scams | Payment Systems Regulator) (APP Fraud: A growing global crisis in payments | LSEG)
  35. (APP Fraud: A growing global crisis in payments | LSEG)
  36. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance) (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  37. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  38. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  39. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  40. (Visa APP Scam Whitepaper)
  41. (Visa APP Scam Whitepaper)
  42. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  43. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  44. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  45. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance) (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  46. (Visa APP Scam Whitepaper)
  47. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  48. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU) (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  49. (What is the impact of EU digital ID wallets on banks and financial institutions? – ThePaypers)
  50. (eIDAS 2.0 Regulation Opens the Door to Digital Identification in EU)
  51. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  52. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  53. (Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online | Insights | UK Finance)
  54. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  55. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  56. (Visa APP Scam Whitepaper)
  57. (Authorized Push Payment (APP) Fraud: An Escalating Threat)
  58. (APP Fraud: A growing global crisis in payments | LSEG)
  59. (APP scams | Payment Systems Regulator) (APP Fraud: A growing global crisis in payments | LSEG)
  60. (Understanding APP Fraud Trends and New Regulations in Europe)
  61. (Understanding APP Fraud Trends and New Regulations in Europe)
  62. (What is the impact of EU digital ID wallets on banks and financial institutions? – ThePaypers)
  63. (Visa APP Scam Whitepaper) (Visa APP Scam Whitepaper)
  64. (Visa APP Scam Whitepaper)