CISI Combating Financial Crime: Authorised Push Payment (APP) Fraud—How Victims Are Tricked into Paying
CISI Combating Financial Crime includes authorised push payment (APP) fraud because it is a major real-world threat and a common exam scenario. The distinctive feature is that the victim authorises the payment—meaning firms must rely on prevention, warnings, verification steps, and monitoring rather than only blocking clearly unauthorised transactions.
APP fraud also sits at the intersection of cyber and human behaviour: criminals may intercept emails, impersonate trusted parties, or leverage account takeover to make requests look authentic.
This lesson teaches you to recognise APP fraud patterns quickly and separate them from account takeover and other fraud typologies.
Where this topic sits inside CISI Combating Financial Crime
This topic sits under Types of Fraud. It connects closely to phishing and account takeover (as enabling methods) and to internal/external fraud considerations, because the fraudster is usually external but can exploit internal process weaknesses (eg, poor payment verification).
The concept explained in plain English
Authorised push payment (APP) fraud happens when a person or business is deceived into sending a payment to a bank account controlled by the fraudster under false pretences. The payment is “authorised” by the victim, but the authorisation is obtained through deception.
Common APP fraud patterns include:
- Invoice fraud: fake invoices that closely resemble expected invoices.
- Impersonation: pretending to be a tradesperson, contractor, or trusted counterparty.
- Email interception: intercepting communications (eg, in property transactions) and replacing bank details.
- Account takeover link: using a compromised email account (eg, a supplier's or solicitor's mailbox, not the payer's bank account) to send payment requests that arrive from a genuine, expected address.
How it works step-by-step
- Target selection: individual consumers or businesses with predictable payments (rent, contractors, conveyancing).
- Credibility building: spoofed email domains, lookalike invoices, or compromised email accounts.
- Payment instruction: fraudster provides bank details and urgency cues (“today only,” “avoid penalties”).
- Victim initiates transfer: payment is pushed to the fraudster’s account.
- Rapid dispersal: funds are moved quickly onwards (often via mule accounts) to frustrate recovery.
Practical examples
- Supplier invoice swap: A business receives an invoice identical to the usual supplier format but with new bank details.
- Tradesperson impersonation: A homeowner receives an email “from the contractor” asking to pay into a new account due to “bank issues.”
- Property transaction interception: A buyer receives last-minute “solicitor” bank details that are actually controlled by criminals.
Exam focus: how this is tested
- Definition: victim is tricked into authorising the payment.
- Distinguish from takeover: APP is about deceiving the payer; takeover is hijacking an account to make unauthorised transactions.
- Scenario red flags: changed bank details, urgency, unusual channels, refusal to verify.
- Control questions: call-back procedures, bank-detail verification, customer warnings, and monitoring.
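The step-by-step pattern above and the red flags and controls in the exam-focus list can be turned into a concrete pre-payment check. The following is an added example, not code from the CISI lesson or from any firm's payment system: it compares an incoming supplier invoice with the supplier master record and flags changed bank details, a lookalike or unknown sender domain, and urgency cues, then holds anything suspect for an independent call-back on the phone number captured at onboarding rather than any number in the email. The supplier record, the two invoices, the domain names and the urgency phrase list are all constructed sample data.

```python
"""Pre-payment screening for APP-fraud red flags (added illustration).

Compares an incoming invoice against the supplier master record and flags
changed bank details, a lookalike/unknown sender domain and urgency cues.
Changed details or a suspect domain are held for an independent call-back
on the number already on file. All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Phrases that push the payer to act before verifying (constructed list).
URGENCY_PHRASES = (
    "today only", "avoid penalties", "urgent", "immediately",
    "bank issues", "before close of business",
)

@dataclass
class SupplierRecord:
    name: str
    email_domain: str
    sort_code: str
    account_number: str
    verified_phone: str  # captured at onboarding; the only number used for call-backs

@dataclass
class Invoice:
    supplier_name: str
    sender_email: str
    sort_code: str
    account_number: str
    body: str

@dataclass
class ScreeningResult:
    decision: str  # RELEASE, REVIEW, HOLD_FOR_CALLBACK or HOLD_UNKNOWN_SUPPLIER
    flags: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(sender_domain: str, known_domain: str) -> str:
    """'match', 'lookalike' (within two edits of the known domain) or 'unknown'."""
    s, k = sender_domain.lower(), known_domain.lower()
    if s == k:
        return "match"
    return "lookalike" if levenshtein(s, k) <= 2 else "unknown"

def screen_invoice(inv: Invoice, master: Dict[str, SupplierRecord]) -> ScreeningResult:
    rec = master.get(inv.supplier_name)
    if rec is None:
        # No verified record to compare against: onboard first, do not pay.
        return ScreeningResult("HOLD_UNKNOWN_SUPPLIER", ["supplier not in master record"])
    flags: List[str] = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1]
    kind = classify_domain(sender_domain, rec.email_domain)
    if kind != "match":
        flags.append(f"sender domain {kind}: {sender_domain}")
    details_changed = (inv.sort_code, inv.account_number) != (rec.sort_code, rec.account_number)
    if details_changed:
        flags.append("bank details differ from supplier master")
    urgency = [p for p in URGENCY_PHRASES if p in inv.body.lower()]
    if urgency:
        flags.append("urgency cues: " + ", ".join(urgency))
    if details_changed or kind != "match":
        # Break the fraudster's control of the channel: confirm by phone on the
        # number already on file, never one supplied in the same email.
        return ScreeningResult("HOLD_FOR_CALLBACK", flags, rec.verified_phone)
    if urgency:
        return ScreeningResult("REVIEW", flags)
    return ScreeningResult("RELEASE", flags)

# Constructed sample data: one supplier record, one genuine invoice and one
# invoice-swap attempt sent from a lookalike domain with new bank details.
SUPPLIER_MASTER = {
    "Acme Building Supplies Ltd": SupplierRecord(
        "Acme Building Supplies Ltd", "acme-supplies.example",
        "12-34-56", "12345678", "+44 20 7946 0000"),
}
GOOD_INVOICE = Invoice(
    "Acme Building Supplies Ltd", "billing@acme-supplies.example",
    "12-34-56", "12345678", "Invoice 1042 attached, payable in 30 days.")
SWAPPED_INVOICE = Invoice(
    "Acme Building Supplies Ltd", "billing@acme-suppIies.example",  # capital I for l
    "98-76-54", "87654321",
    "Due to bank issues please pay the new account today only to avoid penalties.")

if __name__ == "__main__":
    for inv in (GOOD_INVOICE, SWAPPED_INVOICE):
        r = screen_invoice(inv, SUPPLIER_MASTER)
        print(inv.sender_email, "->", r.decision, r.flags, r.callback_number)
```

The design point is the last branch: whenever bank details or the sender domain differ from the record, the decision carries the call-back number from the master record, so the verifier is never handed a number the fraudster supplied. Urgency wording alone only routes to review, because genuine suppliers also chase payment.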
Common pitfalls and how to avoid them
- Pitfall: Treating APP fraud as “unauthorised payment fraud.” Avoid: APP is authorised by the victim under deception.
- Pitfall: Overlooking email compromise. Avoid: Treat payment instructions received by email as unverified even when they come from a known address, because interception or a compromised mailbox makes the fraud look legitimate.
- Pitfall: Ignoring process controls. Avoid: Verification (independent callback) is often the key prevention measure.
- Pitfall: Underestimating speed. Avoid: Funds may be dispersed quickly; early detection is critical.
Self-test (original questions)
- Question: What is the defining feature of APP fraud?
Answer: The victim is deceived into authorising a payment to the fraudster.
Explanation: The payment is pushed by the victim under false pretences.
- Question: A fraudster takes over a customer’s account and makes payments without consent. Is this APP fraud?
Answer: No—this is account takeover/unauthorised transaction fraud.
Explanation: In APP, the victim authorises the payment.
- Question: Name two common APP fraud scenarios.
Answer: Invoice fraud and property transaction email interception.
Explanation: Both manipulate payment instructions.
- Question: True/False: “Changed bank details” is a key APP fraud red flag.
Answer: True.
Explanation: Payment diversion often relies on new account details.
- Question: What process control most directly mitigates invoice redirection scams?
Answer: Independent verification (eg, callback using known contact details).
Explanation: It breaks the fraudster’s control of communication.
- Question: Why do fraudsters move funds quickly after an APP payment?
Answer: To reduce recoverability and obscure the trail.
Explanation: Rapid layering frustrates tracing.
- Question: In an exam vignette, what phrase often signals APP fraud?
Answer: “Customer was tricked into making the transfer.”
Explanation: Deception plus authorised payment is the hallmark.
- Question: True/False: APP fraud only affects individuals, not businesses.
Answer: False.
Explanation: Businesses are frequently targeted through invoice scams.
- Question: What’s a key difference between APP fraud and card-not-present fraud?
Answer: APP involves the victim initiating a bank transfer; card fraud often involves unauthorised card transactions.
Explanation: Payment rail and authorisation differ.
Note for candidates in India
If you’re preparing for CISI Combating Financial Crime India, make APP fraud a “scenario drill” topic: write three mini-cases (invoice swap, contractor impersonation, property interception) and practise identifying the typology plus the single best prevention control (usually independent verification). This improves exam speed because APP vignettes can look like takeover cases at first glance. Use spaced repetition: revisit APP definitions after 3 days and again after 10 days. For exam booking, acceptable IDs, and any remote proctoring rules, verify details directly with CISI and/or the exam provider.
FAQs
- What does APP stand for?
Authorised push payment.
- Why is APP fraud “authorised” if it’s fraud?
The payer authorises the transfer, but does so because they are deceived.
- Is invoice fraud a type of APP fraud?
Yes, when the victim pays a fraudster-controlled account due to a fake invoice.
- How does email interception help APP fraud?
It makes fraudulent payment instructions look legitimate and expected.
- How is APP fraud different from account takeover?
APP tricks the victim to send money; takeover hijacks an account and sends money without consent.
- What is a common APP red flag?
Unexpected change in bank details combined with urgency.
- What is the most practical prevention step?
Verify bank details independently using trusted contact information.
- What does the exam usually test on APP fraud?
Recognition of the pattern and selecting the correct control response.
Next step
Build full coverage of payment fraud typologies in the CISI Combating Financial Crime course, and practise timed scenario recognition on www.TadawulExams.com.
About Tadawul Academy
Tadawul Academy helps CISI candidates learn efficiently through structured lessons, clear notes, and exam-style practice resources.
Disclaimer
Always verify exam rules, pass marks, and booking steps with the official CISI syllabus and the exam provider.
Quick Quiz
1. APP fraud is best defined as:
- A. A DDoS attack on a bank
- B. A victim being deceived into authorising a payment to a fraudster
- C. A bank employee stealing cash
- D. A false representation made in a prospectus
2. Which scenario most strongly indicates APP fraud?
- A. Customer’s password is guessed and funds are transferred without consent
- B. Customer receives a lookalike invoice and pays new bank details
- C. Server is flooded to disrupt service
- D. Insider list is not updated
3. Which control most directly helps prevent invoice redirection scams?
- A. Independent callback using known contact details
- B. Increasing share buybacks
- C. Suspending all customer accounts
- D. Removing sanctions screening
Answers
- 1: B
- 2: B
- 3: A