
APP Scam Fraud: Why OTP and Risk Scoring Can't Stop It — And What Actually Can

OTP and risk scoring cannot stop authorized push payment fraud. That is a structural fact, not a product gap. The harder question, and the one rarely answered honestly, is which slice of the banking-fraud market a per-action cryptographic signing primitive deterministically closes, and which slice it cannot.

Authorized Push Payment fraud is the fastest-growing category in UK banking fraud reporting, and the reason is in the name.

The payment is authorized.

The account holder is on their real device, at their real IP, at a normal time of day. They are typing the beneficiary details themselves. They are approving the transaction themselves.

Every control in a modern fraud stack behaves exactly as designed. And the customer just wired their savings to a scammer.

The UK Finance 2025 Numbers, Not Rounded

Per the UK Finance Half-Year Fraud Report 2025, the UK banking industry lost £629.3M to fraud in the first half of 2025.

That total splits into two categories that behave very differently.

  • Unauthorized fraud: £372M — 59% of the total. Account takeover, session hijack, RAT, SIM swap, credential theft, stolen cards used with a known PIN, card-not-present fraud.
  • Authorized push payment (APP) fraud: £257.5M — 41% of the total. The cardholder authorizes the transfer themselves under manipulation.

These are not the same problem. Treating them as one problem is where the fraud stack conversation tends to break down.

What Fraud Stacks Actually Detect

Actimize, Featurespace, Sardine, Sift, Forter, Feedzai, and internal scoring engines are extraordinarily good at the problem they were built for. They detect:

  • unfamiliar device fingerprints
  • velocity anomalies
  • behavioral deviations — typing patterns, cursor paths, navigation rhythm
  • IP geolocation mismatches
  • session-takeover signals

They do not detect the real user, on their real device, at their real IP, with their real behavioral fingerprint, being talked through a wire transfer by someone on the phone.

That is not a missing feature. It is outside the threat model. The models are probabilistic and they measure behavior; they do not measure intent.

What OTP Does Not Prove

An OTP arrives. The user enters it. The transaction goes through.

An OTP proves that whoever typed it could read the code at that moment, which usually means the phone number was reachable. That is a claim about a channel, not about a person or a device.

It does not prove that the person with the device is acting on their own behalf. It does not prove the device is the one originally enrolled; an SMS code lands on whatever handset currently holds the number. And it does not survive SIM swap, SMS interception, or the simplest scam technique of all: asking the customer to read the code aloud.

OTP is a possession-of-channel check. Stopping unauthorized fraud needs something OTP was never designed to prove: that a specific enrolled human is physically present on a specific bound device at the moment of action, approving the specific transaction the server is about to execute.

What Per-Action Cryptographic Signing Closes Deterministically

A cryptographic signature produced on the payer's device, by the specific enrolled human, at the moment of action, over the transaction details and a server-issued single-use challenge, using a non-exportable hardware-bound key with no recovery path through SMS or email, cannot be produced by any of the following:

  • an attacker holding the password
  • an attacker with a hijacked session token
  • a remote-access tool driving the banking app from outside the device
  • an attacker who has ported the user’s phone number to a new SIM
  • an autonomous agent acting inside a legitimate session
  • an insider replaying a colleague’s credentials or session

That set is the £372M unauthorized-fraud category in UK Finance 2025. Of the £372M, approximately £349M (94%) is directly addressable by per-action signing; the remainder is whatever never passes through the signing device, such as the stolen-card-with-known-PIN case listed above. £349M is roughly 55% of the entire UK banking-fraud total, and it is the slice the rest of this post calls "deterministically closed." The word carries two conditions a practitioner should check before accepting it: the key's use must be gated on local user presence, so that a remote-access tool cannot trigger a signature silently, and the signed payload must bind payee, amount and nonce, so that a signature captured once cannot be replayed or re-pointed at a different beneficiary.

Where Per-Action Signing Is Signal, Not Solution

Inside the £257.5M APP category, a narrower subset is reachable through signal augmentation and dual-control flows, not through outright prevention.

  • Impersonation under pressure. A device-side signed event stream gives the fraud engine a deterministic human_verified field at the moment of action, which can trigger friction UI, second-signer flow, or hold-and-review.
  • Invoice and mandate change. A dual-signing policy — originator plus an approved second signer — can be enforced above a configured threshold before the payee change takes effect.
  • CEO fraud / BEC. Same dual-signing primitive. The second signature is bound to a specific hardware device and a specific enrolled individual, and cannot be produced by an attacker impersonating the CEO over messaging or video. What it cannot prevent is the second signer being talked into approving, which is the persuasion problem again.

Estimated addressable range inside APP via these mechanisms is 7-12% of the £257.5M, or roughly £18-30M, which is 35-60% of the ~£52M impersonation, invoice and CEO-fraud subset. The remainder of APP is fundamentally persuasion fraud and is outside the reach of any authentication primitive.
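The flow the previous two sections describe, as an added example. This is illustrative Go written for this post, not Yuthent's code or any vendor's API. It assumes a server that enrolls one P-256 public key per (user, device), issues a single-use two-minute nonce per action, verifies an ECDSA signature over the full action payload, and for payee changes at or above a configured threshold requires a second signature from a distinct approved user on a distinct enrolled device. The hardware-bound key and the biometric presence gate are stood in for by a software key (`newDeviceKey`, `DeviceSign`); the type and function names, the `alice`/`phone-1` identifiers and the payee strings are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Action is what the user is shown and asked to approve; every field is signed,
// so a payee or amount altered after signing no longer verifies.
type Action struct {
	UserID, DeviceID, Payee string
	AmountPence             int64
	Nonce                   string // server-issued, single use
}

// canonical is the exact byte string signed and verified ('|' joins for brevity;
// a real system would use a fixed-schema encoding such as CBOR).
func (a Action) canonical() []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%s|%d|%s", a.UserID, a.DeviceID, a.Payee, a.AmountPence, a.Nonce))
}

var (
	ErrUnknownDevice = errors.New("device not enrolled for this user")
	ErrNonce         = errors.New("nonce unknown, expired or already used")
	ErrSignature     = errors.New("signature does not verify over this action")
	ErrDualControl   = errors.New("second signature missing or not from a distinct approved signer")
)

// Server holds enrolled device public keys, the approver list and live challenges.
type Server struct {
	keys      map[string]*ecdsa.PublicKey // "userID/deviceID" -> enrolled public key
	approvers map[string]bool             // users permitted to act as second signer
	nonces    map[string]time.Time        // nonce -> expiry; deleted once consumed
	now       func() time.Time            // injectable clock so expiry is testable
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, approvers: map[string]bool{},
		nonces: map[string]time.Time{}, now: time.Now}
}

// Enroll records a device's public key. In production the private half lives in
// hardware (Secure Enclave, StrongBox) and enrollment checks its attestation.
func (s *Server) Enroll(userID, deviceID string, pub *ecdsa.PublicKey) { s.keys[userID+"/"+deviceID] = pub }

// Challenge issues a fresh single-use nonce, valid for two minutes, for one action.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read never returns an error on supported platforms
	n := fmt.Sprintf("%x", b)
	s.nonces[n] = s.now().Add(2 * time.Minute)
	return n
}

// Verify accepts an action only if the nonce is live and unused and the signature
// verifies under the key enrolled for (user, device). A password, a session token
// or a ported phone number gives an attacker none of those.
func (s *Server) Verify(a Action, sig []byte) error {
	pub, ok := s.keys[a.UserID+"/"+a.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if exp, ok := s.nonces[a.Nonce]; !ok || s.now().After(exp) {
		return ErrNonce
	}
	h := sha256.Sum256(a.canonical())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return ErrSignature
	}
	delete(s.nonces, a.Nonce) // consumed: replaying this signature now fails at the nonce check
	return nil
}

// VerifyDualControl is the payee-change policy: at or above the threshold an approved
// second user must also sign the same payee and amount from their own enrolled device.
// The originator's nonce is consumed either way, so a failed attempt must be restarted.
func (s *Server) VerifyDualControl(orig Action, origSig []byte, second *Action, secondSig []byte, threshold int64) error {
	if err := s.Verify(orig, origSig); err != nil {
		return err
	}
	if orig.AmountPence < threshold {
		return nil
	}
	if second == nil || !s.approvers[second.UserID] || second.UserID == orig.UserID ||
		second.DeviceID == orig.DeviceID || second.Payee != orig.Payee || second.AmountPence != orig.AmountPence {
		return ErrDualControl
	}
	return s.Verify(*second, secondSig)
}

// DeviceSign stands in for the enrolled device: the real primitive gates this call on
// local biometric presence and never exposes priv; here it is a software P-256 key.
func DeviceSign(priv *ecdsa.PrivateKey, a Action) ([]byte, error) {
	h := sha256.Sum256(a.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// newDeviceKey is the software stand-in for a key generated inside secure hardware.
func newDeviceKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func main() {
	s, alice := NewServer(), newDeviceKey()
	s.Enroll("alice", "phone-1", &alice.PublicKey)
	a := Action{UserID: "alice", DeviceID: "phone-1", Payee: "GB00TEST0000000001", AmountPence: 250000, Nonce: s.Challenge()}
	sig, _ := DeviceSign(alice, a)
	fmt.Println("legitimate:", s.Verify(a, sig), "| replay:", s.Verify(a, sig))
}
```

Run it and the legitimate verification returns nil while the immediate replay of the same signature returns ErrNonce. The attacker list above maps onto the checks: a password, a hijacked session token or a ported SIM yields none of the enrolled private key (ErrSignature), a fresh device is not enrolled (ErrUnknownDevice), a replayed or stale signature fails the nonce (ErrNonce), and a second signature from the originator themselves, or from an unapproved user or the same device, fails the policy (ErrDualControl). What the code cannot show is the other half of this post: a user who is talked into tapping approve produces a perfectly valid signature.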

What Per-Action Signing Does Not Solve

This is the part the industry conversation tends to skip, and the reason is that a fully honest version makes any vendor's addressable market look smaller on the page.

Investment scams, romance scams, purchase scams, and advance-fee fraud together make up roughly 80% of APP losses, about £205M of the £257.5M. In all four, the victim performs the transfer themselves under full, sincere belief that the counterparty is legitimate. The signature they produce is valid because the biometric press is theirs and the intent, at that moment, is theirs.

No authentication primitive — Yuthent included — stops a sincere human from freely authorizing a scam.

Persuasion fraud is a behavioral, educational, and regulatory problem. Mandatory reimbursement regimes (the UK PSR rules in force since October 2024) move the loss from the customer onto the sending and receiving payment firms. Customer-side alerts, the friction of a second-signer flow, and Confirmation of Payee reduce the rate at the margin. None of that is cryptography.

A vendor that claims to stop persuasion fraud should be questioned. The honest answer is that roughly 80% of APP is not an authentication problem, and naming that limit is a credibility move, not a concession.

The Summary in One Table

| Category | £ (UK Finance H1 2025) | Per-action signing |
| --- | --- | --- |
| Unauthorized fraud (ATO, RAT, SIM swap, CNP, etc.) | £372M | ~94% deterministically closed (~£349M) |
| APP: impersonation, invoice, CEO fraud | ~£52M | Signal + dual-control; 35-60% addressable (~£18-30M) |
| APP: investment, romance, purchase, advance-fee | ~£205M | Not addressable by any authentication primitive |

Total deterministic coverage: ~55% of the UK banking-fraud market. Total signal coverage on top of that: another 3-5 percentage points. Total unaddressable by authentication: ~32%. The remaining 8-10 points are the ~6% of unauthorized fraud that never passes through the signing device and the part of the impersonation, invoice and CEO-fraud subset that dual-control does not catch.

Closing

Fraud-scoring systems will continue to do what they do. They are extraordinary at detecting unauthorized access. The honest story is that they cannot, and were never designed to, detect authorized access that the customer is being coerced or manipulated into granting.

A per-action cryptographic signing primitive does two things for that stack. It closes roughly 94% of the unauthorized category deterministically, and that category is the majority of the losses. And for the narrow authorized subset where it can contribute, it feeds the stack a deterministic human_verified field it has never had before.

Where it cannot contribute, the roughly 80% of APP that is pure persuasion, it should not claim to.

For the issuer-side product view, see Financial Transactions.