The wire they begged you to send
APP scams don't break in — your own customer hands over the money. Here's the behavioral fingerprint that every ID-based control is blind to.
What we're seeing
Authorized push payment (APP) fraud — where the victim is socially engineered into sending the money themselves — has become the fastest-growing category of fraud loss across instant-payment rails. Because the rails are real-time and irreversible, the money is usually gone before a human ever reviews the transfer.
The playbook is consistent: a fraudster impersonates a trusted authority — the customer's own bank fraud team, a title or escrow company, a government agency, a 'safe account' specialist — and manufactures urgency. The customer logs in from their own device, passes every authentication check, and pushes the payment with their own hands.
Why your current stack misses it
- Every identity control comes back green. The credentials are valid, the device is recognized, MFA passes — because it really is the customer. Nothing was stolen.
- Rules engines are built to answer 'is this the right person?' They were never built to answer 'is this person being coached right now?'
The signal pattern
- A brand-new beneficiary added minutes before a high-value transfer.
- The beneficiary account is itself young and collecting funds from multiple unrelated senders — a mule funnel.
- Session behavior that doesn't match the customer: long hesitation, repeated same-day help-line calls, typing pauses.
- An amount that drains most of the balance, sent under a tight time window.
What you'd do Monday morning
- Add a behavioral hold on first-time, high-value beneficiaries under ~30 days old — a targeted pause, not a blanket freeze.
- Give the front line one disarming question: 'Is anyone on the phone with you right now, helping you do this?'
- Review wires landing in beneficiary accounts that receive fan-in from unrelated senders.
Spot the Fraud
Read the case. Make the call. See how you score against The PreCogs.
A 61-year-old customer initiates a same-day wire from web banking. Every authentication check passes. Your rules engine sees a known customer on a known device. Clear it, or hold it?