The Foresight Lab
Issue 01Authorized Push Payment (APP) fraud

The wire they begged you to send

APP scams don't break in — your own customer hands over the money. Here's the behavioral fingerprint that every ID-based control is blind to.

Jun 15, 2026 3 min read

What we're seeing

Authorized push payment (APP) fraud — where the victim is socially engineered into sending the money themselves — has become the fastest-growing category of fraud loss across instant-payment rails. Because the rails are real-time and irreversible, the money is usually gone before a human ever reviews the transfer.

The playbook is consistent: a fraudster impersonates a trusted authority — the customer's own bank fraud team, a title or escrow company, a government agency, a 'safe account' specialist — and manufactures urgency. The customer logs in from their own device, passes every authentication check, and pushes the payment with their own hands.

Why your current stack misses it

  • Every identity control comes back green. The credentials are valid, the device is recognized, MFA passes — because it really is the customer. Nothing was stolen.
  • Rules engines are built to answer 'is this the right person?' They were never built to answer 'is this person being coached right now?'

The signal pattern

  • A brand-new beneficiary added minutes before a high-value transfer.
  • The beneficiary account is itself young and collecting funds from multiple unrelated senders — a mule funnel.
  • Session behavior that doesn't match the customer: long hesitation, repeated same-day help-line calls, typing pauses.
  • An amount that drains most of the balance, sent under a tight time window.

What you'd do Monday morning

  • Add a behavioral hold on first-time, high-value beneficiaries under ~30 days old — a targeted pause, not a blanket freeze.
  • Give the front line one disarming question: 'Is anyone on the phone with you right now, helping you do this?'
  • Review wires landing in beneficiary accounts that receive fan-in from unrelated senders.
Now you try

Spot the Fraud

Read the case. Make the call. See how you score against The PreCogs.

Spot the Fraud
FL-01

A 61-year-old customer initiates a same-day wire from web banking. Every authentication check passes. Your rules engine sees a known customer on a known device. Clear it, or hold it?

Amount$48,250
ChannelWeb banking outbound wire
Customer61, 14-yr relationship, no prior wires
Device/IPher usual laptop, home IP (recognized)
MFApassed
Beneficiary'Hudson Title Escrow LLC' added 9 min ago
Balance after$1,310 (97% sent)
Session14-min dwell, long pauses, 2 branch calls today asking how to wire
Beneficiary acctopened 3 wks ago elsewhere, 4 wires in from 4 unrelated senders this week
Your call?
No noise. One sharp briefing a week.

Get the Foresight Lab in your inbox.

One fraud pattern, decoded, every week — plus the Spot the Fraud challenge. Built for fraud, BSA, and risk teams. Unsubscribe any time; we read every reply.

One email a week. No spam. Or email us at info@digsfact.com.