Authorised Push Payment Fraud: How it Happens and How to React
Authorised push payment (“APP”) Fraud, where victims are tricked into sending money to criminals, is on the rise and there are threat actors specifically targeting the commodities and shipping sectors. In this article, we look at how APP Fraud happens, how to respond and what you can do to prevent it.
Earlier this year, UK Finance¹ reported that losses caused by authorised push payment (“APP”) Fraud, where victims were tricked into sending money to criminals, totalled over £450m in 2024. Worryingly, HFW has identified threat actors which are specifically targeting the commodities and shipping sectors. In one particular instance, the threat actor was linked to over a thousand email domains, most of which sought to impersonate well-known companies in the sector, ranging from commodities traders, ship owners and charterers, to brokers, insurers and service providers such as classification societies.
How does APP Fraud happen?
APP Fraud can occur in a number of different ways. Most commonly, it involves a threat actor either gaining access to a counterparty’s email system or creating an email domain which is so similar that the victim is unable to detect the difference. The threat actor then issues fraudulent invoices or amends legitimate ones, changing bank account details so that funds due are fraudulently diverted into their accounts.
Threat actors also often try to make the payment seem urgent, encouraging the victim to skip its usual fraud checks to ensure that payment is made within an imagined deadline. Examples of cases in which HFW has been instructed include instances where:
- The victim inadvertently began to correspond with the threat actor midway through a contractual negotiation. The threat actor amended the payment and notice provisions of a commodity contract, resulting in significant sums of money being paid to accounts operated by the threat actor.
- The fraudsters amended the payment details of invoices after a contract had been signed, resulting in several million dollars being sent to the wrong account.
APP Fraud is not limited to email. HFW has also seen examples of threat actors hacking a victim’s WhatsApp account and sending messages on their behalf to trick others into making payments.
How should you respond?
If you fall victim to APP Fraud, there is a chance of recovering any funds paid to the fraudsters. However, your chances of doing so diminish rapidly with time. Speed is therefore key. As soon as possible, you should:
- Notify your bank of the fraudulent activity. The remitting bank can try to stop the funds before they reach the fraudsters or notify the receiving bank (using SWIFT messaging) that the payment was made as a result of APP Fraud. Whilst not guaranteed, the receiving bank may place a temporary administrative freeze on the funds, or return them.
- Notify the receiving bank of the fraud. The receiving bank can be put on notice that the funds were sent to the bank as a result of fraud, and that they therefore hold the funds on constructive trust for the victim.
- Instruct lawyers to obtain a freezing order (preventing the funds from being dissipated) and a disclosure order requiring the receiving bank to disclose information as to (i) what funds there are in the threat actor’s account; and (ii) if any funds have been remitted onwards, where they have been sent.
- File police reports in the jurisdiction where the victim is based and where the funds have been remitted. Whilst the responsiveness of the police varies by jurisdiction, in a number of instances in which we have been instructed, the police have taken a real interest in addressing APP Fraud and have used their own powers to prevent fraudulently diverted funds from being dissipated. The reports have also led to a number of arrests of those involved.
Will the English courts assist?
The English courts have demonstrated a real willingness to assist victims of APP Fraud. When matters are truly urgent, the courts are willing to accommodate urgent applications, granting freezing injunctions in short order to maximise the victim’s chances of preventing its funds from being dissipated. In one particular case, the hearing of the application for a freezing injunction took less than 15 minutes.
The courts are also prepared to grant service by alternative means (including on Persons Unknown) if it can be demonstrated that service by normal means would take so long as to defeat the reasons the freezing injunction was made in the first place. The courts have in the past permitted service by text message, Twitter, WhatsApp and, in the context of cryptocurrency, by airdropping a non-fungible token (or NFT) to the crypto wallet addresses used.
It is, however, worth noting that the English High Court has previously held, in the context of a contract for the sale of sunflower meal, that based on the wording in the contract, the victim’s obligation to pay sums due was only satisfied when payment was received into the correct account².
A claim of negligence against a counterparty whose IT system has been hacked and used to send amended invoices could also face difficulties. Under Article 4(1) of the Regulation on the law applicable to non-contractual obligations³, such a claim would be governed by the law of the country where the claimant suffered damage, which may not be England and Wales. This means that, for example, if the APP Fraud had occurred in the context of a sale and purchase contract which provided for London arbitration, then an English arbitral tribunal would have to decide the question of negligence in accordance with principles of foreign law (if a claim in tort is available under the law of the jurisdiction in which the damage was suffered at all). The counterparty could potentially also allege contributory negligence, arguing that the victim should have spotted the fraud before remitting any payment.
How to avoid falling victim to APP Fraud
It is vital that companies exercise due diligence to ensure that the payment instructions they receive are legitimate. You should always take steps to verify payment details. An easy way to do this is to call the reception of the company involved and ask to be put through to their accounting team, rather than relying on contact details provided by the threat actors. Another option is to use a test payment, sending a small sum and getting confirmation that the funds have been received by the intended recipient before sending larger amounts.
Even before reaching the payment stage, there are other steps you can take to reduce your vulnerability to APP Fraud. We recommend that you:
- conduct regular staff training so that they are aware of the risks and less susceptible to being caught out by a fraudster.
- have robust cyber security measures in place to ensure your own systems are as secure as they can be (for example, by flagging messages from previously unknown email addresses).
- require third parties (for example, brokers and agents) and contractual counterparties to do the same.
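The two technical hallmarks this article describes, a sender domain that is a near-miss of a genuine counterparty's and an invoice whose bank details differ from the ones previously verified, can be checked mechanically before a payment is released. The script below is an added illustration and is not HFW's tooling or a product recommendation; every vendor, domain, IBAN and invoice in it is constructed sample data, and the small homoglyph table and the edit-distance threshold of 2 are assumptions chosen for the example. It compares each inbound payment instruction against a vendor master record (approved sender domains plus bank details verified out of band) and returns flags that should trigger the call-back verification described above rather than an automatic release.

```python
"""Flag inbound payment instructions that show the hallmarks of APP fraud.

Added illustrative code, not HFW's own tooling. All domains, vendor records,
bank details and invoice text below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed vendor master record: approved sender domains and the bank
# details that were verified by phone when the relationship was set up.
VENDOR_MASTER = {
    "NorthSea Bunkers Ltd": {
        "domains": {"northseabunkers.example"},
        "iban": "GB00EXAM00000000000001",  # placeholder, not a real IBAN
        "bic": "EXAMGB2L",                 # placeholder, not a real BIC
    },
}

# Character substitutions commonly used to build lookalike domains.
# Assumption: this short table is enough for illustration; production tooling
# would use a fuller confusables list and also handle punycode (xn--) labels.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))

URGENCY_TERMS = ("urgent", "immediately", "today", "deadline", "final notice")


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    d = domain.lower().strip().translate(_CONFUSABLES)
    for src, dst in _DIGRAPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known_domains: set[str]) -> str:
    """Return 'known', 'lookalike' (near-miss of a known domain) or 'unknown'."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    if domain in known_domains:
        return "known"
    norm = normalize_domain(domain)
    for known in known_domains:
        k = normalize_domain(known)
        # Equal after homoglyph folding, or within two edits (e.g. an inserted
        # hyphen or a dropped letter), counts as an impersonation attempt.
        if norm == k or edit_distance(norm, k) <= 2:
            return "lookalike"
    return "unknown"


@dataclass
class Invoice:
    vendor: str   # counterparty name as it appears on the invoice
    sender: str   # From: address of the covering email
    iban: str
    bic: str
    body: str     # covering email text


def check_invoice(inv: Invoice) -> list[str]:
    """Return the list of red flags; an empty list means no automated concern."""
    master = VENDOR_MASTER.get(inv.vendor)
    if master is None:
        return ["UNKNOWN_VENDOR"]
    flags = []
    verdict = classify_sender(inv.sender, master["domains"])
    if verdict != "known":
        flags.append(f"SENDER_{verdict.upper()}")
    if (inv.iban.replace(" ", "").upper() != master["iban"]
            or inv.bic.upper() != master["bic"]):
        flags.append("BANK_DETAILS_CHANGED")
    if any(term in inv.body.lower() for term in URGENCY_TERMS):
        flags.append("URGENCY_LANGUAGE")
    return flags


# Constructed sample invoices: one genuine, one bearing all three hallmarks.
GENUINE = Invoice("NorthSea Bunkers Ltd", "accounts@northseabunkers.example",
                  "GB00 EXAM 0000 0000 0000 01", "EXAMGB2L",
                  "Please find attached our invoice for bunkers delivered at Rotterdam.")
SUSPECT = Invoice("NorthSea Bunkers Ltd", "accounts@n0rthseabunkers.example",
                  "GB00EXAM00000000000099", "EXAMGB2L",
                  "URGENT: our bank details have changed, please remit immediately.")

if __name__ == "__main__":
    for inv in (GENUINE, SUSPECT):
        flags = check_invoice(inv)
        action = "release" if not flags else "HOLD and verify by phone via independently sourced number"
        print(f"{inv.sender}: {flags or 'no flags'} -> {action}")
```

The point of the flags is to route the payment to a human check, not to decide it: a "BANK_DETAILS_CHANGED" result on its own should be confirmed by calling a number taken from the vendor master record or the company's switchboard, never from the email that carried the new details.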
HFW has lawyers with extensive experience of these issues in offices across the Americas, Europe, the Middle East and Asia Pacific who can assist in trying to recover fraudulently diverted funds.
Footnotes
1. An industry body which represents the banking and financial services sector in the UK.
2. K v A [2019] EWHC 1118 (Comm) at para. 29: “The contractual obligation is to make payment to the seller’s bank for the account of the sellers […]”
3. Regulation (EC) No 864/2007, also known as Rome II. The UK continues to apply these rules post-Brexit.