Field note

APP fraud: real-time payments solved the wrong problem

Instant rails stripped out the friction that quietly prevented massive losses - and authorized push payment fraud walked straight through the gap. Once the money hits the rail it is gone, and multi-factor authentication cannot help when the victim authorizes the payment themselves.

Jul 7, 2025 · Navin Agrawal · Payments · 3 min read

APP fraud: real-time payments solved the wrong problem

Visual brief

Visual brief

APP fraud: real-time payments solved the wrong problem

As of July 2025

Real-time payments solved for speed and quietly removed the thing that prevented massive losses: friction. Authorized push payment fraud is the bill for that trade.

Banks cheered when RTP limits jumped to $10 million and FedNow launched - instant, 24/7, streamlined. Almost nobody named the architectural choice that makes those same systems ideal for fraud.

The old rails had friction that doubled as protection. ACH takes days to settle. Wires need approval steps. Cards can be disputed and reversed. Real-time payments strip every one of those recovery mechanisms in the name of speed - and that is exactly where authorized push payment (APP) fraud lives. The victim is tricked into authorizing a real payment to a fraudulent account; once it hits the rail, it is gone. No dispute, no reversal, no recovery window.

US RTP fraud

$2.06B

projected US real-time-payment fraud losses by 2028, up from $865M (ACI ScamScope, November 2024).

UK response

GBP 85,000

mandatory per-incident APP-fraud reimbursement, effective October 2024 (UK Payment Systems Regulator).

The catch

No reversal

once an authorized push payment hits a real-time rail it is final - no chargeback, no recall window.

APP fraud, the speed-versus-safety problem (as of mid-2025): traditional payments (ACH, wires, cards) are recoverable - reversible, traceable, disputable, settling over 1 to 3 days; real-time payments (RTP, FedNow, instant rails) are irreversible - final settlement, instant and permanent, no dispute process, under ten seconds. US real-time-payment fraud losses are projected to rise from $865M toward $2.06B by 2028. Architectural responses: behavioral pattern analysis, strategic transaction delays with educational warnings, network-level fraud intelligence sharing, and enhanced confirmation flows.
The same properties that make instant rails attractive - finality and speed - are the ones that make APP fraud unrecoverable.

Why the usual defenses miss

Multi-factor authentication cannot stop APP fraud, because the customer is authenticating correctly - they are authorizing the payment themselves. Every technical control built to stop unauthorized access is irrelevant the moment social engineering convinces a legitimate user to push the button.

What regulators already did

The UK decided the losses were severe enough to mandate it: as of October 2024, banks must reimburse APP-fraud victims up to GBP 85,000 per incident, with the cost split between sending and receiving institutions. The economics of “build it safe” changed overnight.

The banks that come through this will treat it as an architecture problem, not a fraud-rules problem: behavioral pattern analysis that flags transactions inconsistent with a customer’s history, strategic delays with educational warnings on high-risk transfers, real-time fraud-intelligence sharing between institutions, and confirmation flows designed to make a customer slow down on a suspicious payment.

Sometimes the best fraud prevention is a system smart enough to recognize when a customer needs protecting from themselves. Speed without intelligent safeguards is not innovation.

Was this useful?

Choose once.

Related Posts

View All Posts »
Instant rails now carry wire money. Do the controls?

Instant rails now carry wire money. Do the controls?

FedNow matched RTP at a $10M network limit in November 2025 and added new risk rails - a receiver-account pre-check pilot, ScamClassifier reporting, an Exception Resolution Service, and 1,500+ banks live. Instant is treasury cash now, and batch-era controls just got a 24/7 bypass.

Pay-by-bank's 3% savings hides a reconciliation bill

Pay-by-bank's 3% savings hides a reconciliation bill

The CFO sees "save 3 percent on transactions" and the math looks obvious. Treasury sees continuous settlement at 3 AM and a reconciliation process built for batch. Before you switch to account-to-account, count the operating cost the savings slide leaves out.

Instant rails broke the treasury day

Instant rails broke the treasury day

ACH cleared overnight, wires ran on business hours, and float was predictable. FedNow and RTP ended that. With 42 percent of RTP payments landing nights, weekends, and holidays, treasury teams are positioning cash by the hour - and the Fed discount window still keeps bankers' hours.

Under a second is the right answer to the wrong question

Under a second is the right answer to the wrong question

At an AWS Bedrock AgentCore Payments session the question was what happens at a thousand transactions a second, and the answer was settlement in under a second. Both are true and they answer different questions. The right frame for one payment crossing a trust boundary is the wrong frame for a million events a day inside one agent fleet, where the chain fee stacks up before anything else does.