Online Banking Safety in the UK: What APP Fraud Is and How Reimbursement Works

Authorised push payment (APP) fraud — where a victim is deceived into voluntarily transferring money to a fraudster — has become one of the most prevalent and financially damaging forms of financial crime in the United Kingdom.

Unlike older forms of payment fraud, where a bank account is accessed without the customer's knowledge, APP fraud exploits the legitimacy of the payment itself. The victim authorises the transfer. The money leaves their account correctly. And recovering it requires navigating a set of protections that, while significantly improved in recent years, are not absolute.

What Is APP Fraud and How Does It Work?

The mechanics vary, but the most common forms involve impersonation. A fraudster poses as a bank representative, a HMRC official, a solicitor handling a property transaction, a supplier, or a romantic interest — building enough trust or urgency to convince the victim to transfer funds.

Purchase scams — where a victim pays for goods or services that do not exist — are the most numerous. Investment scams, romance fraud, and impersonation of authorised firms are among the most financially damaging. In each case, the fundamental mechanism is the same: the payment is made by the victim, and the funds go to a fraudster's account, which is typically quickly drained and closed.

UK Finance publishes annual figures on APP fraud losses in the UK, and the sums involved are substantial — running to hundreds of millions of pounds annually across all types of APP fraud.

What Are Your Rights if You Are Defrauded?

The UK's reimbursement landscape changed significantly in 2024, when mandatory reimbursement rules for APP fraud came into force for firms participating in the Faster Payments system. Under these rules, which are overseen by the Payment Systems Regulator (PSR), victims of APP fraud are entitled to reimbursement from their bank, subject to a maximum claim limit per incident.

The key conditions for reimbursement include that the victim did not act with gross negligence and did not ignore clear warnings from their bank during the payment process. Banks are required to share liability with the receiving bank, creating stronger incentives for all firms in the payment chain to identify suspicious transactions.

This represents a meaningful improvement over the previous voluntary code, under which reimbursement was inconsistent and depended heavily on individual banks' interpretation of their own policies.

The important qualifier is that reimbursement under the mandatory rules is not guaranteed for every situation. Cases where a bank determines the victim acted with gross negligence, or where payments were made via systems outside the scope of the mandatory rules, may not result in full reimbursement.

What Should You Do if You Suspect Fraud?

The practical steps are time-sensitive. Contact your bank immediately — either through the number on the back of your card or through a secure in-app channel. Instruct them to attempt to recall the payment. If the receiving bank can freeze the funds before they are withdrawn, recovery is possible; once the money has been moved again, it becomes significantly harder to trace.

Report the fraud to Action Fraud (the UK's national fraud reporting centre) at actionfraud.police.uk. This creates a crime reference number, which is needed for any subsequent bank claim, and helps law enforcement identify patterns across multiple cases.

How to Reduce Your Risk

The tactics used by APP fraudsters exploit specific psychological vulnerabilities — urgency, authority, fear of loss. Awareness of these mechanisms is the most effective protection.

Banks, HMRC, and solicitors do not ask customers to urgently move money to a new account for safekeeping. This is one of the most common pretexts used in impersonation fraud. Any request that creates time pressure and involves moving money should be treated with immediate scepticism — hang up, find an independent contact number for the organisation supposedly in touch, and call back on that number rather than redial.

For property transactions — where the amounts involved can be life-changing — confirm all payment instructions in writing via a separate channel before any transfer. Email is not sufficient on its own; fraudsters can intercept email chains. Verify by phone, using a number you have independently verified, before acting.

Two-factor authentication on banking apps reduces the risk of account takeover, though it does not protect against APP fraud where the victim authorises the payment themselves.