
How Much Banking Fraud Can Authorization Infrastructure Actually Close? A UK Finance 2025 Breakdown

Authorization infrastructure is a new category. The first honest question any bank asks is: how much fraud does it actually close? This post answers that with numbers drawn directly from UK Finance’s own published data.

The Headline

In the first half of 2025, UK banks reported £629.3 million in fraud losses. The split: £372 million in unauthorized fraud (59% of the market) and £257.5 million in authorized push payment (APP) fraud (41%).

Source: UK Finance, Over £600 million stolen by fraudsters in first half of 2025.

Against that baseline, device-bound authorization infrastructure — the category Yuthent operates in — closes almost the entire unauthorized-fraud category deterministically, and reduces a subset of the APP category through signal integration with existing fraud stacks. The combined coverage is roughly half to 60% of the UK banking-fraud market, without replacing Actimize, Featurespace, or Sardine.

The rest of this post works through the math, category by category, with every source-level figure linked. Where a figure is analytical rather than published, we say so.

Methodology and Sources

Primary source: UK Finance Half-Year Fraud Report 2025, covering January–June 2025. Secondary context from UK Finance Annual Fraud Report 2025, covering full-year 2024.

For each category we assign one of three coverage outcomes:

  • Neutralize — the attack vector requires something device-bound authorization makes impossible to produce (no fresh biometric signature from the account holder’s hardware → the request fails before the fraud engine evaluates it). Coverage: deterministic.
  • Signal — the attack vector passes a live biometric (the customer was manipulated into signing). Cryptographically-linked friction and dual-control receipts feed a sharper input into the existing fraud stack, measurably reducing but not eliminating losses.
  • Not applicable — the attack vector is outside the scope of device-bound authorization (cheques, or APP categories where the customer authorizes a real transfer to a criminal they believe is legitimate).

Where UK Finance publishes a figure at category level but not at sub-category level, we work at category level. Where we estimate reduction percentages for APP signal coverage, we flag the estimate explicitly.

Market Size, H1 2025 (UK)

| Category | H1 2025 losses | Share | YoY change |
| --- | --- | --- | --- |
| Unauthorized fraud | £372M | 59% | −3% |
| Authorized Push Payment (APP) | £257.5M | 41% | +12% |
| Total | £629.3M | 100% | +3% |

Banks also prevented £870M of unauthorized fraud during H1 2025 — up 20% year on year — demonstrating that the industry’s preventive tooling is working, but that the residual £629.3M reaches customers despite that effort. Annualized, the UK banking fraud market runs at roughly £1.26B/year.

The Unauthorized Category (£372M, 59% of market)

UK Finance groups unauthorized fraud into three reporting categories: payment cards (£299M in H1 2025, up 5%), remote banking (losses down 24% YoY, hitting their lowest level since 2019), and cheques (losses down 41%).

What unites these categories: the customer did not approve the action. A stolen card, a hijacked session, a swapped SIM, a credential-stuffed login — something moved money without the account holder knowingly consenting.

Device-bound cryptographic authorization closes this entire pattern, because every unauthorized-fraud path fails the same test: the attacker cannot produce a fresh biometric signature from hardware bound to the account holder’s specific device.

| Sub-category | H1 2025 | Coverage |
| --- | --- | --- |
| Payment cards (CNP, card-present, card ID theft) | £299M | Neutralize |
| Remote banking (internet, mobile, telephone) | Published as YoY change only (−24%) | Neutralize |
| Cheques | Published as YoY change only (−41%) | Not applicable |
| Deterministic coverage | ~£349M of £372M | ~94% |

Cheque fraud is the small residual (historically the smallest of the three unauthorized categories and declining sharply; estimated at low-single-digit percent of £372M based on the published YoY trend). Everything else is structurally reachable by device-bound authorization.

Why card fraud (£299M) is neutralized

Every sub-pattern inside card fraud depends on a shared or copyable secret — the card number plus CVV for card-not-present, the PIN for card-present, a stolen identity document for card ID theft. CNP fraud cases rose 22% in H1 2025 as criminals shifted online; the attack vector is well-understood.

When a fresh biometric signature from the cardholder’s paired device is required at the moment of transaction — either at a CNP checkout, or as a second factor at a physical terminal — the attacker with only the card data, or only the physical card, cannot produce the signature. The transaction fails before authorization.

Why remote banking is neutralized

Remote banking losses in H1 2025 fell to their lowest level since 2019, largely because of enhanced customer authentication and behavioral signals. But the residual covers four attack patterns that share one architectural weakness:

  • Account takeover (ATO): attacker acquires credentials and logs in as the customer.
  • Session hijack (AiTM, EvilProxy, Tycoon 2FA): attacker captures the authenticated session token and replays it.
  • Remote Access Trojan (RAT): attacker controls the customer’s device remotely and acts through the already-authenticated session.
  • SIM swap: attacker takes over the phone number, intercepts OTP codes, completes transfers that rely on SMS as the second factor.

All four defeat password / OTP / session-based authorization. None produces a fresh biometric on the customer’s specific hardware — because the attacker does not have the customer’s body and cannot reach the secure-hardware-backed private key. For background on why sessions fail structurally, see Why Sessions Failed.

The Authorized Push Payment Category (£257.5M, 41% of market)

APP fraud is structurally different. The customer authorizes the payment with their own legitimate biometric — under manipulation, coercion, or deception. The signature verifies. The transfer is legitimate on paper. Recovery depends on regulatory reimbursement schemes; UK Finance reports that £159.2M (62%) of H1 2025 APP losses was returned to victims, with mandatory reimbursement effective from 7 October 2024.

No device-bound primitive can claim to prevent APP fraud deterministically — the customer is the one signing. The categories UK Finance identifies as the bulk of APP losses are explicitly unreachable by cryptographic authorization:

  • Investment scams: £97.7M in H1 2025, up 55% year on year. The largest single APP sub-category. Victims invest over weeks under conviction; no primitive solves conviction.
  • Purchase scams: 72% of all APP cases. Victims pay for goods that don’t arrive; the signature is real.
  • Romance scams: losses up 35% year on year. Emotional manipulation; victim signs.
  • Advance fee and other: victim pays a “processing fee” for a promised windfall; victim signs.

For why OTP, 3DS, and traditional controls fail in this category, see APP Scam Fraud: Why OTP and Risk Scoring Can’t Stop It.

Where authorization infrastructure acts as a signal

A subset of APP categories can be meaningfully reduced — not eliminated — through two mechanisms enabled by device-bound authorization:

  • Dual-control signing — a second authorized person’s fresh biometric is required for transfers that meet defined criteria (new payee, amount above threshold, flagged risk class). Primarily effective against CEO fraud and invoice/mandate fraud, where the sender is internal and a two-party check is organizationally enforceable.
  • Non-repudiable friction with contextual warning — the customer signs a cryptographically-linked screen naming the payee, amount, and scam warning. Measured abandonment from similar real-time interventions is significant. UK Finance also reports that impersonation fraud (police / bank) fell 14% in H1 2025 driven in part by education campaigns — showing the category responds to friction.

UK Finance does not publish category-specific loss amounts for impersonation, invoice/mandate, or CEO fraud in the H1 2025 press materials (CEO fraud is noted as less than 1% of APP losses at £1.6M). Our analytical estimate for the signal-reachable subset — based on industry reduction benchmarks in friction-enabled categories and the published impersonation trend — is 5–10% of the APP category, roughly £13–25M. This estimate is illustrative, not drawn from UK Finance.

The Combined Formula

Deterministic (Unauthorized category): ~£349M of £372M (~94%)
Signal-reduced (APP subset, analytical): ~£13–25M of £257.5M (5–10%)
Combined coverage: roughly £360–374M of £629.3M ≈ 55–60% of H1 2025 UK banking fraud losses.

Two top-level figures anchored in UK Finance’s own reporting. One analytical adjustment for APP signal coverage, flagged openly. The claim we defend in a banking security review:

Authorization infrastructure neutralizes the unauthorized-fraud category almost entirely — roughly 94% of the £372M that makes up 59% of the UK market — and reduces a measurable subset of the authorized-fraud category through signal integration with existing fraud stacks. Combined coverage: approximately half to 60% of H1 2025 UK banking fraud losses.

What UK Finance Does Not Count

Two loss categories sit outside the UK Finance banking figures entirely. Both are covered deterministically by the same primitive that covers unauthorized fraud.

Insider fraud

The Association of Certified Fraud Examiners (ACFE), in its Report to the Nations, estimates occupational fraud losses at roughly 5% of an organization's revenue on average. That loss category does not appear in UK Finance’s retail-banking numbers because it is not reported through consumer channels.

Every insider-fraud investigation turns on a single question: did this specific employee perform this specific action? Session logs cannot answer that — the session belongs to a username, not a body. Device-bound authorization produces a cryptographic receipt naming the individual by their hardware-bound key and a fresh biometric gesture. Insider denial closes.

AI agent-initiated fraud

In H1 2025, losses from autonomous AI agents executing unauthorized financial actions are small enough that UK Finance does not break them out. By 2026–2027 this category is expected to become one of the fastest-growing classes of banking and enterprise loss, driven by prompt injection and agent-pipeline compromise. Agents cannot produce a fresh biometric from the responsible human’s device; they are covered by the same primitive that covers session hijack, for structurally the same reason.

How the Signal Integrates with Existing Fraud Stacks

The most common objection from bank security architects is reasonable: “We already run Actimize, Featurespace, or Sardine. Are you replacing them?”

No. Those systems run probabilistic models over device reputation, velocity, behavior, and graph signals. They are compensating for an unknown: is the authorized human actually at the keyboard? That unknown is why their models must be probabilistic.

Authorization infrastructure contributes one binary field to those models:

human_verified = true | false

When the field is true, the existing fraud engine can move probability mass toward “legitimate” for cases it previously flagged as uncertain. False positives drop. When the field is false — because no valid signature was produced for an action that required one — the decision is deterministic before the probabilistic model ever runs. The request fails outside the decision engine.
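The gate described above, as an added Go example (not Yuthent's code or API): the signature covers account, payee, amount, nonce and signing time, and the scorer is called only when it verifies. Ed25519 from the standard library stands in for the device's hardware-backed key; `Txn`, `NewDevice`, `DeviceSign`, `Decide`, the 60-second window and the 0.9 threshold are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Txn is the action about to execute; Nonce is server-issued and single-use.
type Txn struct {
	Account, Payee, Nonce string
	AmountPence, SignedAt int64 // SignedAt: unix seconds, set by the device
}

const maxAgeSec = 60 // freshness window (assumed policy value)

// digest binds a signature to this exact account, payee, amount, nonce and time.
func digest(t Txn) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%q|%q|%q|%d|%d", t.Account, t.Payee, t.Nonce, t.AmountPence, t.SignedAt)))
	return h[:]
}

// NewDevice and DeviceSign stand in for enrolment and on-device signing.
func NewDevice() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}
func DeviceSign(priv ed25519.PrivateKey, t Txn) []byte { return ed25519.Sign(priv, digest(t)) }

// Decide runs the deterministic gate first and calls the existing scorer only if it passes.
func Decide(pub ed25519.PublicKey, t Txn, sig []byte, now int64, used map[string]bool, score func() float64) (humanVerified bool, decision string) {
	fresh := t.SignedAt <= now && now-t.SignedAt <= maxAgeSec
	if used[t.Nonce] || !fresh || !ed25519.Verify(pub, digest(t), sig) {
		return false, "reject" // replayed, stale, other device, or altered payee/amount
	}
	used[t.Nonce] = true
	if score() > 0.9 { // assumed review threshold for the existing model
		return true, "review"
	}
	return true, "allow"
}

func main() {
	pub, priv := NewDevice()
	t := Txn{Account: "acct-1", Payee: "payee-A", Nonce: "n-001", AmountPence: 25000, SignedAt: 1000} // constructed sample
	sig, score := DeviceSign(priv, t), func() float64 { return 0.2 }
	fmt.Println(Decide(pub, t, sig, 1010, map[string]bool{}, score)) // signed by the paired device
	t.Payee = "payee-B"                                              // altered after signing
	fmt.Println(Decide(pub, t, sig, 1010, map[string]bool{}, score)) // signature no longer matches
}
```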

For a standalone treatment of the framing, see Deterministic Human Authorization, Explained.

Market Sizing Beyond the UK

The UK is the most granularly reported market. Applying the 55–60% coverage band to broader published fraud totals gives a directional picture (not a strict forecast — fraud category mixes differ across markets).

| Market | Reported annual fraud losses | Coverage at 55–60% |
| --- | --- | --- |
| UK (H1 2025 × 2 annualized) | ~£1.26B | £690–760M |
| US (FTC + Federal Reserve) | ~$10B+ (order of magnitude) | $5.5B+ |
| Europe (ECB payment fraud) | Multi-billion EUR | Multi-billion EUR |

These are addressable loss figures, not contract sizes. Authorization infrastructure priced at the typical fraud-tech rate (low single-digit percent of measurable loss reduction) implies a global serviceable revenue opportunity in the single-digit billions.

The Categories We Do Not Close

Investment scams, purchase scams, romance scams, and advance fee scams are not reachable by device-bound cryptographic authorization. The customer signs with a real biometric after weeks of emotional or financial manipulation. No primitive solves conviction.

We state this openly because any banking security review will find it within the first meeting. Claiming otherwise destroys credibility on every claim that is defensible.

What we do claim — deterministic closure of the unauthorized category (~94% of £372M), plus signal-level reduction on a subset of APP, plus full coverage of the insider and AI-agent categories that fall outside UK Finance’s retail banking figures entirely — is large enough to justify the category on its own.

Closing

Authorization infrastructure is not fraud prevention. It is the primitive that makes fraud prevention deterministic in every category that depends on knowing which specific human authorized a specific action at a specific moment.

In UK banking today, that is roughly half to 60% of the market by H1 2025 numbers. It will be more tomorrow, as autonomous agents become a first-class category of actor and the gap between session-based evidence and device-bound proof becomes more visible to regulators.

A probabilistic fraud stack without a deterministic signal for human presence is compensating for a known unknown. Authorization infrastructure closes that unknown.

For the industry view, see Financial Transactions. For the signal integration detail, see Deterministic Human Authorization, Explained. For the receipt anatomy, see Cryptographic Receipts for Financial Transactions.

Sources