APP Fraud Cost £173m—How AI Helps SMEs Fight Back

AI for UK Retail Banking: Digital Transformation • By 3L3C

APP fraud hit £173m in UK reimbursements. Learn how AI-driven checks help SMEs spot scams, protect payments, and reduce losses.


UK banks reimbursed £173m to victims of authorised push payment (APP) fraud last year, paying back 88% of reported consumer losses across 269,000 claims (Payment Systems Regulator figures reported 3 Feb 2026). That’s not just a banking headline—it’s a loud signal that scams are thriving in the gaps between “looks legit” and “is legit”.

And here’s the uncomfortable bit: APP fraud works because the payment is authorised. The victim presses the button. Traditional bank security is built to stop unauthorised access; it’s far less effective when a customer (or employee) is persuaded to send the money themselves.

This post sits within our “AI for UK Retail Banking: Digital Transformation” series, but it’s just as relevant if you run a small business. In 2026, UK SMEs are being hit from both sides: customers expect faster payments and slicker digital journeys, while fraudsters exploit the same speed. The good news is that the practical AI approaches banks are leaning on—pattern detection, behavioural signals, smarter risk scoring—are now within reach for small businesses too.

What the £173m APP fraud figure really tells us

Answer first: The £173m reimbursement figure tells us fraud is being industrialised, and liability is shifting—forcing banks to invest harder in detection, while criminals adapt quickly.

The PSR data shows reimbursement is becoming the norm, not the exception. Since 2023, rules have pushed payment service providers (PSPs) to refund victims in most cases—unless the customer acted fraudulently or with gross negligence. The sending PSP refunds, while the receiving PSP covers 50% of the cost. That’s a major incentive for banks to reduce scam success rates.

But banks aren’t the only stakeholders in the “who pays?” debate. The original reporting highlights a frustration you’ll hear across financial services: many scams start on tech platforms, especially social media, yet those platforms aren’t expected to contribute to refunds.

A blunt way to frame it: fraud is cheaper to create than it is to clean up. Reimbursements, chargebacks, investigations, complaints, and reputational damage all cost more than a scammer’s ad budget.

Why authorised payments are so hard to stop

Answer first: APP scams bypass classic security because nothing is “hacked”—the victim is manipulated.

APP fraud typically uses believable hooks: fake invoices, supplier impersonation, “urgent” payment requests, investment scams, or a message that appears to come from a director or customer. Because the user initiates the payment, the transaction can look “normal” at the technical level.

That’s why security teams increasingly talk about behavioural fraud signals, not just authentication:

  • A new payee added minutes before a high-value transfer
  • Unusual time-of-day payments or device/location anomalies
  • Language patterns in messages that trigger urgency or secrecy
  • Payment flows that match known mule-account behaviour

This is exactly where AI is useful—when the signal is subtle, distributed, and changing.

Why UK small businesses should care (even if banks refund consumers)

Answer first: Even when consumers are reimbursed, SMEs still lose time, cashflow, stock, and trust—and some losses aren’t recoverable.

If you run a small business, APP fraud shows up in a few painful ways:

  • Supplier payment diversion: a scammer compromises (or convincingly mimics) a supplier and sends “new bank details”.
  • Invoice fraud targeting your customers: criminals impersonate your brand with fake invoices or payment links.
  • CEO/director impersonation (“urgent transfer” scams): staff are pressured into making a “confidential” payment.
  • Marketplace and social commerce scams: fraudsters exploit fast-moving channels—Facebook/Instagram ads, WhatsApp messages, or fake Google listings.

Even when a bank reimburses a consumer, your business may still deal with:

  • Delivery disputes and cancellations
  • Customer support overhead and reputational harm
  • Refund requests while you chase the real issue
  • Operational disruption while you check what else was compromised

February is also a high-risk period for many SMEs because it’s when businesses reconcile January trading, renew supplier contracts, and handle tax-year admin—prime time for invoice and impersonation scams that “fit the calendar”.

How AI spots APP-style scams earlier than humans can

Answer first: AI helps by scoring risk in real time across behaviour, content, and network patterns—before money leaves your account or before customers click “pay”.

The original piece quotes a banking IT professional noting that with enough data, AI and pattern recognition can build a clear picture of how scams trigger and who gets duped. That logic applies to small businesses too—you just apply it to the data you control.

1) Behavioural anomaly detection on payments

Answer first: AI catches “this isn’t how we normally pay” patterns that staff miss under pressure.

A practical SME-friendly approach is to build rules plus lightweight machine learning around your payment workflow:

  • Flag first-time payees above a threshold (e.g., £500+)
  • Require step-up approval if bank details changed within 7 days
  • Detect unusual payment timing (late night/weekend) for finance users
  • Compare invoice totals to historical averages for that supplier

You don’t need to build a bank-grade model. The win is friction in the right place—introducing a pause when the pattern is suspicious, not when it’s routine.

2) AI-assisted invoice and email inspection

Answer first: AI can classify risky messages and invoices by combining language cues with context.

Most finance fraud emails share traits: urgency, secrecy, threats of late fees, and “new details attached”. AI tools can score these messages and route them for verification.

What works well in SMEs:

  • Automatic detection of “bank details change” language
  • Highlighting mismatched domains (e.g., supplier.co vs supplier.com)
  • Extracting invoice metadata and comparing it to known supplier profiles

This isn’t about replacing human judgement. It’s about making the risk obvious in the moment.

3) Customer journey fraud signals (for e-commerce and service SMEs)

Answer first: AI reduces “brand impersonation” damage by spotting abnormal customer behaviour and fake support journeys.

If customers are being redirected to fake payment pages, you often see early indicators:

  • Spike in “payment failed” support tickets
  • Customers asking for bank details via DMs
  • Unusual referral traffic patterns or ad campaign impersonation

AI-enabled monitoring (even simple clustering and alerting) can surface those trends faster than waiting for a complaint pile-up.

A good operational mantra: fraud shows up as pattern drift before it shows up as a crisis.

A practical AI anti-fraud stack for UK SMEs (no massive budget required)

Answer first: Start with controls around payments, then add AI-enabled monitoring and staff coaching—because most APP fraud succeeds through process gaps.

Here’s a setup I’ve seen work well in small finance teams (and it maps neatly to how banks are thinking about APP fraud prevention):

Step 1: Lock down “change of bank details”

  • Use a verified contact method: call a number from your CRM or contract, not the email signature.
  • Enforce a two-person rule for changing supplier details.
  • Keep an audit log of who changed what and when.

Step 2: Add AI-driven message triage

  • Route suspicious emails/DMs to a review queue.
  • Auto-tag messages that combine urgency + payment instructions.
  • Create a “known scam themes” library your team can update monthly.
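
The message checks from the invoice and email inspection section and from this step can be combined into one triage function. This is an added example, not code from the original article: the supplier domains, cue patterns, similarity cutoff and sample messages are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed supplier domains; in practice load these from your supplier records.
KNOWN_DOMAINS = {"supplier.com", "acme-logistics.co.uk"}
# Hypothetical cue patterns; extend them from your own "known scam themes" library.
CUES = {
    "bank_details_change": r"\b(new|updated|changed?)\s+(bank|account|payment)\s+details\b",
    "urgency": r"\b(urgent(ly)?|immediately|today|asap|overdue|late fee)\b",
    "secrecy": r"\b(confidential|keep this between|do not (call|discuss))\b",
    "payment_instruction": r"\b(pay|transfer|remit|send)\b.{0,40}\b(invoice|funds|payment)\b",
}

def sender_domain(from_header):
    # Take the last address in the header: the display name can contain a decoy.
    found = re.findall(r"@([A-Za-z0-9.-]+)", from_header)
    return found[-1].lower().strip(".") if found else ""

def lookalike_of(domain, known=KNOWN_DOMAINS, cutoff=0.85):
    """Return the known domain that `domain` imitates, or None."""
    if domain in known or any(domain.endswith("." + k) for k in known):
        return None  # exact match or a subdomain of a known supplier
    for k in sorted(known):
        same_label = domain.split(".")[0] == k.split(".")[0]  # supplier.co vs supplier.com
        if same_label or SequenceMatcher(None, domain, k).ratio() >= cutoff:
            return k
    return None

def triage(from_header, body):
    """Return (tags, route); route is 'review_queue' or 'inbox'."""
    tags = [name for name, rx in CUES.items() if re.search(rx, body, re.I | re.S)]
    imitated = lookalike_of(sender_domain(from_header))
    if imitated:
        tags.append("lookalike_domain:" + imitated)
    risky = (imitated is not None or "bank_details_change" in tags
             or {"urgency", "payment_instruction"} <= set(tags))
    return tags, "review_queue" if risky else "inbox"

# Constructed sample messages.
SAMPLES = [
    ("Accounts <accounts@supplier.co>",
     "Please note our new bank details attached. Payment is urgent to avoid a late fee."),
    ("billing@supplier.com", "Invoice 1042 attached, payable within 30 days as usual."),
    ("Director <md@gmail.com>", "Please transfer the funds today. Keep this between us."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, triage(sender, text))
```

The tags are returned alongside the route so the reviewer sees why a message was queued, which is what makes the risk obvious in the moment.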

Step 3: Payment risk scoring (rules + AI)

  • Risk-score payments based on payee age, amount, timing, and device/session signals.
  • Trigger step-up checks for high-risk payments.

A simple scoring model can be enough:

  • +40 points: new payee
  • +30 points: bank details changed recently
  • +20 points: amount 2× supplier average
  • +20 points: payment initiated outside normal hours

If score ≥ 60: require second approval and supplier callback.
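
The scoring model above, together with the payment rules from the behavioural anomaly section, can be derived from supplier records as follows. This is an added example, not code from the original article. It assumes "recently" means the 7-day window used earlier, normal hours are Mon-Fri 08:00-18:00, and "2×" means at least double; the suppliers are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Weights and threshold are the ones listed in the article.
NEW_PAYEE, DETAILS_CHANGED, ABOVE_AVERAGE, OUT_OF_HOURS = 40, 30, 20, 20
STEP_UP_THRESHOLD = 60
# Assumptions: "recently" = 7 days (the window used in section 1);
# normal hours = Mon-Fri 08:00-18:00; "2x" means at least double.
RECENT_CHANGE = timedelta(days=7)
WORK_START, WORK_END = 8, 18

@dataclass
class Supplier:
    name: str
    details_changed_at: Optional[datetime] = None  # None: unchanged since onboarding
    past_amounts: list = field(default_factory=list)  # settled invoices, GBP

def score_payment(supplier, amount, initiated_at):
    """Return (score, reasons, needs_step_up) for one outgoing payment."""
    reasons = []
    if not supplier.past_amounts:  # never paid before
        reasons.append(("new payee", NEW_PAYEE))
    elif amount >= 2 * mean(supplier.past_amounts):
        reasons.append(("amount >= 2x supplier average", ABOVE_AVERAGE))
    changed = supplier.details_changed_at
    if changed is not None and timedelta(0) <= initiated_at - changed <= RECENT_CHANGE:
        reasons.append(("bank details changed recently", DETAILS_CHANGED))
    if initiated_at.weekday() >= 5 or not WORK_START <= initiated_at.hour < WORK_END:
        reasons.append(("outside normal hours", OUT_OF_HOURS))
    score = sum(points for _, points in reasons)
    return score, reasons, score >= STEP_UP_THRESHOLD

# Constructed sample data (hypothetical suppliers, not from the article).
ACME = Supplier("Acme Ltd", datetime(2026, 2, 3, 10, 0), [1200.0, 1100.0, 1300.0])
NEWCO = Supplier("Newco Ltd")

if __name__ == "__main__":
    for sup, amt, when in [
        (ACME, 2600.0, datetime(2026, 2, 6, 14, 0)),   # Friday afternoon
        (ACME, 2600.0, datetime(2026, 2, 6, 21, 30)),  # Friday night
        (NEWCO, 450.0, datetime(2026, 2, 7, 11, 0)),   # Saturday
    ]:
        score, reasons, step_up = score_payment(sup, amt, when)
        action = "second approval + supplier callback" if step_up else "proceed"
        print(f"{sup.name} GBP {amt:.0f}: score {score} -> {action}", reasons)
```

With these weights, a recent bank details change plus a doubled invoice scores 50 and passes during office hours; the same payment at night reaches 70 and triggers the second approval and supplier callback.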

Step 4: Staff training that uses real examples

Annual training doesn’t cut it. Fraud tactics evolve weekly.

  • Run a 15-minute monthly “scam recap” using anonymised near-misses.
  • Teach staff the one behaviour that stops most APP fraud: slow down and verify out-of-band.

Step 5: Incident playbook (because something will slip through)

  • Who contacts the bank, and within what timeframe
  • What evidence to capture (emails, headers, invoice PDFs, chat logs)
  • How to notify customers if your brand is being spoofed

Speed matters. APP fraud is easier to stop in the first minutes than the first days.

What banks are doing next—and what SMEs can copy

Answer first: Cross-industry data sharing and better pattern intelligence are becoming the standard, and SMEs should mirror that mindset internally.

The reporting notes an initiative where banks and tech firms are collaborating via Stop Scams UK intelligence-sharing pilots, bringing together organisations including HSBC, NatWest, Santander, Amazon, Google and Meta.

For banks, data sharing means better visibility of scam campaigns across platforms. For SMEs, you don’t have that cross-industry feed—but you can build a mini version:

  • Centralise fraud reports (even a shared spreadsheet is a start)
  • Track scam themes: “supplier detail change”, “CEO urgent payment”, “customer fake invoice”
  • Feed those themes into your email rules, customer support macros, and payment controls

This is the digital transformation thread that matters in 2026: fraud prevention is now an operational capability, not a bolt-on.

Next steps: protect cashflow with AI-driven fraud controls

APP fraud reimbursement hitting £173m is a reminder that the UK’s faster payments culture is a double-edged sword. Banks are paying for it, customers are suffering it, and small businesses often absorb the messy middle.

If you only do one thing this week, do this: tighten your process for new payees and bank detail changes, then add AI-assisted triage so suspicious payment requests don’t land in someone’s inbox as “just another email”. That combination stops a large chunk of real-world APP-style fraud.

Want a practical starting point? Audit your last 90 days of outgoing payments, classify which ones were “new payee”, and set thresholds and approvals based on that reality—not a generic policy. Once you’ve done that, AI tools become far easier to apply effectively.

What would change in your business if every high-risk payment had to pass a 30-second verification check before it was sent?