UK banks reimbursed £173m in APP fraud losses. Here’s how UK SMEs can use AI tools and smarter workflows to spot scams before money leaves.

APP Fraud Reimbursement: AI Protection for UK SMEs
UK banks reimbursed £173m to customers hit by authorised push payment (APP) scams last year, paying back 88% of reported losses across 269,000 claims (PSR figures reported 2026). That number isn’t just a banking headline. It’s a loud signal that fraud has shifted into a space where “normal” security controls don’t help much—because the payment is authorised.
For UK small businesses, APP fraud is particularly nasty: it hits cash flow, wastes hours, and can wreck supplier relationships in a single click. Even if reimbursement rules are tightening, I wouldn’t build a business risk plan around “the bank will sort it out.” The firms that cope best put their own controls around invoicing, payment approvals, and transaction monitoring—then use AI tools to spot the patterns humans miss.
This post sits inside our “AI for UK Retail Banking: Digital Transformation” series. Banks are using AI and pattern recognition to identify scams earlier, but the same approach (scaled down) is now practical for SMEs—without building a fraud team.
Why APP fraud bypasses “bank-grade” security
APP fraud succeeds for one simple reason: the bank’s systems see a customer (or employee) doing something that looks legitimate—logging in, setting up a payee, making a transfer. Traditional controls are designed to stop unauthorised access. APP scams are social engineering.
The PSR’s reimbursement data highlights the uncomfortable truth: even with strong banking security spend, authorised payments slip past because they don’t look like account takeover.
The scam paths SMEs keep falling into
Most APP fraud routes boil down to a handful of repeatable plays:
- Invoice redirection: a supplier’s bank details are “updated” via email; you pay the new account.
- CEO / director impersonation: urgent payment request, often just outside normal processes.
- Fake portal payments: a spoofed website for a vendor, courier, HMRC-style communications, or “business account” services.
- Social-media led grooming: contact begins on social platforms, then moves to email/WhatsApp for payment.
What makes these work is speed and pressure. Fraudsters don’t need to beat encryption—they need to beat your process.
Reimbursement is improving, but it’s not a strategy
The regulatory shift reported—where the sending payment service provider repays the customer, and the receiving provider shares 50% of the cost (with exceptions for customer fraud or gross negligence)—creates better incentives for banks. Good.
But SMEs still face real-world gaps:
- Time lag: even when money is reimbursed, you can lose days or weeks of working capital.
- Operational damage: stock orders missed, payroll stress, supplier trust issues.
- Disputes about “gross negligence”: messy edge cases can drag on.
The practical stance for SMEs: assume reimbursement is a backup, not the primary control.
What this means for UK small businesses (and why the £173m matters)
£173m in reimbursement is a proxy for the scale of the problem—and it’s a proxy for how hard detection is once a payment is “authorised.” If banks—who see enormous volumes and have specialist teams—still end up paying out at this scale, SMEs need to harden the earlier steps.
Where SMEs are most exposed
In my experience, risk clusters around a few moments in the finance workflow:
- Changing supplier bank details
- First-time payments to a new payee
- Out-of-pattern payment size or timing
- Payments initiated from a new device/location
- High-pressure approvals (end of day, holidays, quarter-end)
Early February is also a common “catch-up” period after January reconciliations—teams are processing backlogs, which creates exactly the kind of rushed environment scammers love.
“Tech sector scams” and the uncomfortable shared-responsibility gap
Banks have argued (and the article quotes prior claims from major banks) that a large share of scams originate in the tech sector—often via social platforms—and that banks are left funding much of the remediation.
Whether or not the blame is fairly distributed, SMEs shouldn’t wait for that policy debate to settle. Your quickest win is building a verification loop and using AI to enforce it consistently.
AI fraud detection for SMEs: the controls that actually help
AI doesn’t stop fraud by being “smart” in the abstract. It stops fraud by doing three concrete jobs well:
- Spotting anomalies (behavioural and transactional)
- Reducing human error (workflow enforcement)
- Triaging risk fast (flag what needs a phone call)
1) AI-powered payment anomaly detection (what to look for)
If you use online banking, accounting tools, or expense platforms, you can add an AI layer that monitors patterns like:
- Typical supplier amounts vs a sudden spike
- First payment to a new payee over a set threshold
- Multiple bank-detail changes in a short window
- Payments created and approved unusually quickly
- New payee + urgency language in linked messages (where integrations exist)
Snippet-worthy truth: APP fraud is predictable at scale because humans are predictable under pressure.
You don’t need perfect detection. You need a good flagging rate that forces a second look.
2) AI assistance for invoice verification (practical, not theoretical)
Most invoice fraud relies on tiny changes people miss:
- Sort code/account number changes
- Subtle domain typos (e.g., suppIier.co.uk vs supplier.co.uk)
- “Updated bank details” attachments
AI tools can help by:
- Comparing new invoice bank details to historical supplier records
- Highlighting mismatches automatically
- Summarising email threads and extracting bank-detail change requests
Even a basic “compare against last paid invoice” rule plus AI extraction cuts risk sharply.
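The "compare against last paid invoice" rule, sketched as an added example (not code from any specific accounting product). The SupplierRecord fields, the confusable-character map and the sample values in the test are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Characters often swapped in lookalike domains (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

@dataclass
class SupplierRecord:          # hypothetical supplier master-list entry
    name: str
    email_domain: str
    sort_code: str
    account_number: str

def skeleton(domain: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    collapsed = domain.strip().translate(CONFUSABLES).lower()
    return collapsed.replace("rn", "m")

def digits(value: str) -> str:
    """Keep digits only, so 12-34-56 and 123456 compare equal."""
    return re.sub(r"\D", "", value)

def check_invoice(record, sender_domain, sort_code, account_number):
    """Return mismatch flags against the stored record; empty means no change."""
    flags = []
    if sender_domain.strip().lower() != record.email_domain.lower():
        # Compare the domain as displayed, where a capital I passes for an l.
        if skeleton(sender_domain) == skeleton(record.email_domain):
            flags.append("lookalike_domain")
        else:
            flags.append("unknown_domain")
    if digits(sort_code) != digits(record.sort_code):
        flags.append("sort_code_changed")
    if digits(account_number) != digits(record.account_number):
        flags.append("account_number_changed")
    return flags
```

Any non-empty result should route the invoice to call-back verification rather than block it outright.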
3) AI-driven approvals: add friction in the right places
The goal isn’t to slow everything down. It’s to add friction only when risk is high.
A lightweight AI approval design for SMEs:
- Low-risk: known supplier, normal amount → single approver
- Medium-risk: new payee or changed bank details → mandatory call-back verification
- High-risk: new payee + large amount + urgency markers → two approvers + 24-hour cooling-off window (where feasible)
AI helps by classifying the transaction and prompting the right workflow automatically.
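A rule-based version of the anomaly signals from section 1 feeding the three approval tiers above, as an added example rather than any vendor's implementation. The Payment fields, thresholds and urgency word list are assumptions, and it covers a subset of the listed patterns.

```python
from dataclasses import dataclass, field
from statistics import median

# All thresholds and word lists below are assumptions to tune per business.
URGENCY_MARKERS = ("urgent", "asap", "immediately", "end of day")
NEW_PAYEE_THRESHOLD = 1000.0   # GBP; first payment above this counts as large
SPIKE_FACTOR = 3.0             # multiple of the supplier's median past payment
FAST_APPROVAL_SECONDS = 120    # created-to-approved faster than this is unusual

@dataclass
class Payment:                 # hypothetical row from an accounting export
    payee: str
    amount: float
    history: list = field(default_factory=list)  # past amounts; empty = new payee
    bank_details_changed: bool = False
    seconds_to_approval: int = 3600
    message: str = ""

def signals(p: Payment) -> set:
    """Collect the anomaly signals present on one payment."""
    found = set()
    if not p.history:
        found.add("new_payee")
        if p.amount > NEW_PAYEE_THRESHOLD:
            found.add("large_amount")
    elif p.amount > SPIKE_FACTOR * median(p.history):
        found.add("large_amount")
    if p.bank_details_changed:
        found.add("changed_bank_details")
    if p.seconds_to_approval < FAST_APPROVAL_SECONDS:
        found.add("fast_approval")
    if any(marker in p.message.lower() for marker in URGENCY_MARKERS):
        found.add("urgency")
    return found

def tier(p: Payment) -> tuple:
    """Map signals to the low / medium / high workflows."""
    s = signals(p)
    if {"new_payee", "large_amount", "urgency"} <= s:
        return "high", "two approvers + 24-hour cooling-off"
    if s:  # assumption: any other signal, not only a new payee or changed
        return "medium", "call-back verification"  # bank details, gets a call-back
    return "low", "single approver"
```

Running `tier` over each item in a payment batch gives the "AI flagged items" list for review before release.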
4) AI for staff training that sticks (because scams are social)
The biggest improvement I see comes from training that mirrors reality.
Use AI to generate:
- Role-specific scam simulations (finance admin vs operations manager)
- Short weekly “spot the red flag” prompts
- Internal policy reminders written in your company’s tone
Training isn’t about making everyone paranoid. It’s about making verification normal.
A simple “APP fraud prevention” playbook (you can implement this month)
Most companies get this wrong by buying security tools before fixing the process. Do the opposite.
Step 1: Lock down supplier changes
Create one rule: bank detail changes are never accepted by email alone.
Minimum viable controls:
- Call the supplier using a known number (not the email signature)
- Require a second person to confirm the change
- Log the verification (date, who called, which number)
Step 2: Add AI triage to your payment run
For each payment batch, require an “AI flagged items” review. You’re looking for:
- New payees
- Unusual amounts
- Out-of-hours creation
- Unusually fast approval chains
This is where AI tools for small business finance pay for themselves: fewer manual checks, more targeted checks.
Step 3: Introduce a “two-channel” confirmation
If an email asks for urgency, confirm through a different channel:
- Email request → confirm by phone
- WhatsApp request → confirm by Teams/phone
Fraudsters try to keep you in one channel because it’s easier to control the narrative.
Step 4: Prepare an incident checklist (speed matters)
When APP fraud happens, minutes count.
Your checklist should include:
- Who contacts the bank and how
- What evidence to preserve (emails, headers, invoice PDFs)
- Who pauses further payments
- How to notify impacted suppliers/customers
AI can help here too: keep a drafted incident template and let AI populate it with the key facts from the thread.
Where banks are going next—and what SMEs can copy
The article hints at the direction of travel: data sharing and intelligence sharing across banks and tech firms (e.g., industry pilots to share signals about fraud campaigns).
Banks will keep expanding:
- Network-level fraud signals (mule accounts, beneficiary risk scoring)
- Behavioural biometrics (how users type/click)
- Pattern recognition across huge transaction graphs
SMEs can’t copy the scale, but you can copy the principle:
- Centralise your finance data (invoices, approvals, supplier master list)
- Keep clean histories so anomalies stand out
- Use AI to compare “now” vs “normal” automatically
One-liner worth remembering: Fraud prevention is a data quality problem before it’s an AI problem.
The stance I’d take as a small business owner
Banks paying £173m back to victims is a reminder that APP fraud isn’t a fringe issue—it’s a mainstream operational risk. And because these payments are authorised, prevention has to happen before the transfer.
If you do one thing this week, make it this: treat supplier bank detail changes as high-risk events and enforce a call-back process. If you do a second thing, add an AI-supported review step so anomalies don’t rely on someone’s memory at 5:45pm.
This is where the broader theme of AI in UK retail banking digital transformation becomes useful to SMEs: the techniques banks are building—pattern recognition, risk scoring, and automated triage—are exactly what smaller firms can adopt in simplified form.
If your finance process had a built-in “pause and verify” button for the top 5% riskiest payments, how many scams would fail outright?