Authorized Fraud

Authorized fraud refers to fraud in which the victim appears to approve the transaction or action, but that approval has been obtained through deception, manipulation, coercion, or misrepresentation. In payment settings, this is most often seen in authorized push payment fraud, where a customer is tricked into sending money to an account controlled by a criminal. The FCA distinguishes this from unauthorized fraud by noting that the customer authorises the payment itself, even though the underlying transaction is fraudulent, and the PSR and UK Finance use the same core framing for APP scams.

In the financial crime environment, authorized fraud is significant because it exploits one of the most important assumptions in modern payment and account control frameworks: that a customer-approved action is inherently less suspicious than an unauthorized one. That assumption is increasingly unsafe. In authorized fraud, the criminal does not necessarily need to defeat authentication controls or steal money directly from the account. Instead, they manipulate the customer into becoming the mechanism through which the fraud is executed. This can weaken traditional fraud controls, because the payment, account change, or disclosure of information may appear valid from a system perspective even though it was induced by criminal deception.

The most common form of authorized fraud in retail banking is authorized push payment fraud, but the concept is broader than bank transfer scams alone. It includes scenarios where victims are persuaded to make a payment for a fictitious purchase, to transfer funds to a “safe account,” to settle a fake invoice, to invest in a fraudulent opportunity, or to act on impersonation by someone claiming to represent a bank, the police, a government agency, or a trusted business. UK Finance notes that common APP fraud types include purchase, investment, romance, and impersonation scams, while the PSR describes APP scams as victims being tricked into sending money to a fraudster posing as a genuine payee.

What makes authorized fraud especially serious is that the deception often takes place outside the institution’s immediate control perimeter. The customer may be groomed over time, socially engineered by phone or online, pressured by urgency, or manipulated into believing that the payment is necessary, legitimate, or protective. UK Finance has noted that a large share of APP cases originate from online sources, while the FCA and PSR both emphasize that the criminal tricks the customer into making the payment themselves. This means authorized fraud sits at the intersection of fraud risk, consumer vulnerability, digital-platform abuse, and payment-system integrity.

From a control perspective, authorized fraud is difficult because many traditional indicators of compromise may be absent. The customer may log in normally, pass authentication, approve the payee, and confirm the payment. The fraud is embedded in the intent behind the action, not necessarily in the mechanics of execution. As a result, firms need to assess contextual risk rather than relying only on whether the payment was technically authorized. Relevant indicators can include unusual urgency, large first-time transfers, payments to newly created beneficiaries, behavior inconsistent with the customer’s history, recent changes in device or contact details, and patterns associated with impersonation or scam typologies. The FCA’s 2024 consultation on APP fraud expressly discusses a risk-based approach to preventing this type of authorized deception.
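
The contextual assessment described above can be sketched as a small scoring routine. This is an added example, not code from any firm or regulator cited here; the field names, thresholds, weights, and sample payments are all assumptions constructed for illustration, and it covers only the indicators that can be derived from payment and account data (urgency, for instance, is not modelled).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Payment:
    customer: str
    payee: str
    amount: float
    when: datetime
    payee_added: datetime          # when the beneficiary was created
    last_profile_change: datetime  # last device or contact-detail change

# Assumed thresholds and weights (illustrative, not from any regulator or firm).
NEW_PAYEE_WINDOW = timedelta(hours=24)
PROFILE_CHANGE_WINDOW = timedelta(days=7)
LARGE_MULTIPLE = 5
WEIGHTS = {"first_time_payee": 2, "new_beneficiary": 2,
           "large_vs_history": 3, "recent_profile_change": 2}
CHALLENGE_AT = 5

def indicators(p, history):
    """Contextual indicators that fire for p, given the customer's earlier payments."""
    prior = [h for h in history if h.customer == p.customer and h.when < p.when]
    fired = []
    if all(h.payee != p.payee for h in prior):
        fired.append("first_time_payee")
    if p.when - p.payee_added <= NEW_PAYEE_WINDOW:
        fired.append("new_beneficiary")
    # Needs a baseline: with no history the amount cannot be called unusual.
    if prior and p.amount >= LARGE_MULTIPLE * median(h.amount for h in prior):
        fired.append("large_vs_history")
    if p.when - p.last_profile_change <= PROFILE_CHANGE_WINDOW:
        fired.append("recent_profile_change")
    return fired

def decide(p, history):
    """Return (action, score, indicators); 'challenge' means add friction, not block."""
    fired = indicators(p, history)
    score = sum(WEIGHTS[i] for i in fired)
    return ("challenge" if score >= CHALLENGE_AT else "allow", score, fired)

# Constructed sample data: three routine payments, then two candidates.
NOW, OLD = datetime(2024, 3, 1, 12, 0), datetime(2023, 1, 1)
HISTORY = [Payment("c1", "utility", a, NOW - timedelta(days=d), OLD, OLD)
           for a, d in [(40, 60), (60, 30), (50, 10)]]
ROUTINE = Payment("c1", "utility", 55, NOW, OLD, OLD)
SCAM_LIKE = Payment("c1", "safe-account", 4000, NOW,
                    NOW - timedelta(hours=1), NOW - timedelta(days=2))
```

Both sample payments would pass authentication identically; only the second accumulates enough contextual indicators to be challenged, which is the distinction the paragraph above draws between technical authorization and contextual risk.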

Authorized fraud also has a strong connection to money mule activity and wider laundering risk. Once the victim sends the funds, the receiving account is often controlled directly or indirectly by criminals and may be used to disperse the money rapidly through mule networks or onward transfers. This means the fraud event is not only a consumer-loss issue but also part of a broader criminal movement-of-funds problem. The PSR’s reimbursement and policy materials, along with FCA fraud guidance, reflect this broader payment-chain perspective by focusing not just on the sending side but also on how receiving firms prevent, detect, and respond to scam proceeds entering their systems.

A mature financial crime framework therefore treats authorized fraud as a lifecycle risk. Prevention starts before the payment itself, through customer warnings, scam education, confirmation-of-payee style controls where relevant, account and beneficiary risk assessment, and stronger friction for higher-risk transfers. Detection then depends on behavioral analytics, payment context, typology intelligence, and escalation processes that allow suspicious customer-authorized activity to be interrupted or challenged in real time. Response requires rapid action to trace, freeze, recover, or repatriate funds where possible, assess receiving-account risk, and investigate whether the case indicates broader criminal coordination. The PSR’s reimbursement framework and related guidance, including its civil-dispute guidance, underline how operationally important it is to distinguish genuine scams from other disputes and to handle cases consistently.

Governance is equally important. Authorized fraud should appear explicitly in fraud risk assessments, payment-control frameworks, customer-vulnerability strategies, management information, and incident response processes. Recent UK regulatory and industry materials show both the scale of APP fraud and the policy emphasis placed on prevention, reimbursement, and performance transparency. The PSR reports that APP scams remained a major concern and UK Finance reported £459.7 million lost to APP fraud in 2023, with 232,429 cases. Those figures reinforce that authorized fraud is not a marginal issue; it is a core financial crime challenge in modern payments.

Ultimately, authorized fraud is a major financial crime threat because it turns the victim’s own authority into the delivery mechanism for the crime. It exploits trust, social engineering, and the operational assumption that customer authorization equals legitimacy. In a financial system built around fast payments, remote servicing, and digital interaction, that assumption is increasingly vulnerable to abuse. For that reason, authorized fraud should be treated as a core component of the financial crime landscape, requiring integrated controls across fraud prevention, customer protection, payment monitoring, mule-account detection, investigations, and governance.