Authorised Push Payment (APP) Fraud
The victim authorises the payment themselves. That's what makes APP fraud so dangerous, and so hard to recover from. The bank sees a legitimate transfer. The money is gone.
Source: AusPayNet, Scamwatch, ACCC
What is authorised push payment fraud?
Authorised push payment fraud is when a scammer tricks you into sending a real-time payment to an account they control. The critical difference from other fraud types: you, the victim, initiate and authorise the transfer yourself. From the bank's perspective, you made a legitimate payment.
APP fraud is an umbrella category. It includes payment redirection fraud (changing a supplier's bank details), business email compromise scams that result in payments, purchase scams, and impersonation scams. What ties them together is that the victim willingly sends the money.
This creates a fundamental problem. Because the payment was authorised, banks have historically argued they followed the customer's instruction. Recovery rates are extremely low. In Australia, ASIC has found that 96% of scam losses are borne by the victim, not reimbursed by the bank.
The Australian Government's Scams Prevention Framework, passed in February 2025, aims to change this by creating shared obligations across banks, telcos, and digital platforms. But prevention remains the most effective defence.
How APP fraud works
Every APP scam follows the same core pattern: build trust, create urgency, and get the victim to send money before they have time to verify.
The scammer builds a credible story
They impersonate a supplier, a bank, a government agency, or even a colleague. The story is tailored to your business: a supplier with updated bank details, a tax authority demanding immediate payment, or a CEO requesting an urgent transfer.
They create urgency or authority
The request comes with pressure. A deadline. A consequence for delay. "If we don't receive payment by end of business, your account will be suspended." The urgency is designed to stop you from verifying.
You authorise the payment
You log into your banking platform and initiate the transfer yourself. The payment is real, from your account, authorised by you. This is what makes APP fraud different: there's no hack, no stolen credentials, no unauthorised access.
The money disappears
Real-time payment rails (like NPP/Osko) mean the money arrives instantly. The scammer moves it through multiple accounts within minutes. By the time you realise, recovery is nearly impossible.
Warning signs of APP fraud
APP scams rely on social engineering. Recognising the pressure tactics is the first line of defence.
Urgency that bypasses process
Any payment request that asks you to skip normal verification steps or pay immediately should be treated as suspicious, regardless of who it appears to come from.
Unexpected payment requests
A supplier you pay quarterly suddenly needs an ad-hoc payment. A government agency contacts you out of the blue. Anything outside normal patterns warrants a second look.
Requests to use faster payment rails
Scammers prefer real-time payments (NPP/Osko) over BPAY or direct debit because they settle instantly and are harder to recall. A request to change payment method is a red flag.
Changed bank details
Any change to a payee's bank account should trigger independent verification. This is the mechanism behind most APP fraud targeting businesses.
Authority-based pressure
"The CEO has approved this." "This comes from the board." Scammers use authority to override caution. Always verify through a separate channel.
Secrecy or confidentiality requests
"Don't discuss this with anyone else." "This is a confidential transaction." Legitimate payments don't require secrecy from your own team.
How ezyshield prevents APP fraud
APP fraud works because no one checks who actually owns the receiving account. ezyshield verifies the recipient before you authorise the payment.
Verify before you authorise
Every payee is verified through identity, ABN/ASIC, and bank account ownership checks before a payment is made. Even if you're convinced, ezyshield confirms the facts.
Match account to identity
The bank account must belong to the verified person or business. A scammer's account won't match the supplier's ABN or identity, and the verification fails.
Re-verify on every change
Changed bank details trigger automatic re-verification. The payee must confirm ownership again. No exceptions, no manual overrides.
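The verify-before-authorise and re-verify-on-change controls described above can be sketched as a payment release gate. This is an added example, not ezyshield's code or API: the record types, the `release_decision` function and the sample payees are hypothetical, and it assumes identity and account ownership were checked elsewhere and stored as the verified record.

```python
from dataclasses import dataclass

def _norm(value: str) -> str:
    """Keep digits only so '123-456' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

@dataclass(frozen=True)
class VerifiedPayee:
    """Details recorded when identity and account-ownership checks last passed."""
    abn: str
    bsb: str
    account_number: str

@dataclass(frozen=True)
class PaymentRequest:
    payee_id: str
    abn: str
    bsb: str
    account_number: str
    urgent: bool = False  # requester asked to skip the normal process

def release_decision(request, verified):
    """Return ("RELEASE" or "HOLD", reasons). Urgency never clears a hold."""
    record = verified.get(request.payee_id)
    if record is None:
        return "HOLD", ["payee has never been verified"]
    reasons = []
    if _norm(request.abn) != _norm(record.abn):
        reasons.append("ABN differs from verified identity")
    requested = (_norm(request.bsb), _norm(request.account_number))
    on_record = (_norm(record.bsb), _norm(record.account_number))
    if requested != on_record:
        reasons.append("bank details changed since last verification")
    if reasons and request.urgent:
        reasons.append("urgency ignored: re-verify through a separate channel")
    return ("HOLD" if reasons else "RELEASE"), reasons

# Constructed sample data (not real ABNs or accounts).
VERIFIED = {"sup-001": VerifiedPayee("11 111 111 111", "123-456", "0001 2345")}
ROUTINE = PaymentRequest("sup-001", "11111111111", "123456", "00012345")
REDIRECTED = PaymentRequest("sup-001", "11111111111", "654-321", "99998888", urgent=True)
UNKNOWN = PaymentRequest("sup-999", "22222222222", "123-456", "00012345")

if __name__ == "__main__":
    for req in (ROUTINE, REDIRECTED, UNKNOWN):
        print(req.payee_id, *release_decision(req, VERIFIED))
```

The gate compares against the last verified details rather than whatever is currently on file, so an edited supplier record cannot clear its own hold.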
Verify before you authorise
APP fraud works because no one checks the recipient. ezyshield makes verification automatic, so even when the social engineering is convincing, the facts don't lie.