Authorized Push Payment Fraud a National Security Risk to UK

Authorized push payment (APP) fraud has grown at such scale and sophistication in the UK that it should be considered a national security risk, according to a new Royal United Services Institute (RUSI) report.

This threat has been partly driven by the growth of smaller payment service providers (PSPs) in the UK’s financial system. These PSPs receive a disproportionate share of transactions from known money mules compared with the overall share of the payments they receive.

These newer entrants to the payments system include digital banks, payment firms and banking-as-a-service (BaaS) providers.

The RUSI paper, published on August 14, urged law enforcement and the financial sector to focus on removing incentives for committing fraud, in addition to preventing criminal activity at source.

“Ultimately, organized crime is about making money. If interventions, whether from law enforcement or the industry, can make it harder for criminals to realize the profits from their crimes, it removes some of the incentives for criminals to commit fraud in the first place,” the researchers noted.

The Growing APP Fraud Threat

APP fraud occurs when an individual is tricked into making a payment to a fraudster who they think is a genuine payee.

Recent research by UK Finance found that APP fraud cost UK victims more than £450m ($609m) in 2024.

While this figure is lower than for other types of fraud, such as card fraud, the devastating impact it has on victims and the scale of the attacks make it one of the most significant.

Social media platforms are commonly the origin for this type of fraud, with attackers using a diverse range of social engineering techniques, from business email compromise to romance scams, to trick victims into voluntarily making payments to them.

Threat actors are also using AI to target victims more effectively and at scale using these techniques, the report noted.

The Role of Money Mule Accounts

Money mules play a crucial role in facilitating APP fraud by providing criminals with accounts that can receive the proceeds and then rapidly move these funds through the financial system.

The UK’s Financial Conduct Authority (FCA) told The Financial Times that it had recorded a 23% year-on-year rise in money mule activity, with 226,957 UK accounts closed in 2024 for laundering criminal funds, up from 184,935 in 2023.

Funds often only stay in a money mule’s account for a short period of time, sometimes no more than 15 minutes.

In the UK, the Faster Payment System, which allows for real-time payments of up to £1m ($1.3m) between bank accounts, makes up 57% of onward transfers from money mule accounts. A sizeable portion are also made with debit cards or the withdrawal of cash.

The report highlighted that non-directed, smaller PSPs are disproportionately used by money mules to receive APP fraud funds. While non-directed PSPs accounted for just over 8% of all Faster Payments made in 2023, they received 53% of all fraudulent transactions.

Experts interviewed for the RUSI report expressed the view that smaller payment providers had less robust financial crime controls, particularly for customer onboarding, and criminals were able to exploit these weaknesses.

“Several interviewees felt that the onboarding controls of digital financial institutions were relatively weak due to the focus that many of these firms have on customer acquisition and growth, and that compliance programs are not able to keep up,” the report read.

In July 2025, the FCA fined Monzo Bank £21.09m ($28.5m) for inadequate anti-financial crime systems and controls between October 2018 and August 2020.

Commenting on this, Jonathan Frost, director of global advisory for EMEA at financial crime prevention firm BioCatch, said: “The fraud and money laundering controls employed by the UK’s largest banks have displaced money mules, with the big financial institutions tending to bank the victims of APP. Whilst the organizations highlighted by RUSI hold a disproportionate number of mules, in some cases, poorer controls will have played a part in their attractiveness to criminals.”

He added: “This asymmetrical situation underscores the need for enhanced real-time collaboration throughout the entire ecosystem.”

The RUSI researchers said that debit card spending is likely to become a more popular method of moving the proceeds of fraud, particularly following customer reimbursement rules introduced in the UK in October 2024, which require firms to strengthen controls over bank transfers even further.

How to Tackle the APP Threat

RUSI outlined several recommendations for policymakers, law enforcement and industry to adopt in order to make it harder for criminals to commit APP fraud, including:

  • More regulatory pressure to be applied to new entrants to the payment market, such as BaaS providers, to implement stronger cybersecurity controls
  • Further research to be conducted into evolving methods used by fraudsters to move money amid improved transaction monitoring controls
  • More data-sharing partnerships between financial institutions that include smaller banks, BaaS providers and cryptocurrency firms
  • Move to a model of real-time data-sharing across the entire system, allowing both the private sector and law enforcement to react at speed when a fraud is identified

Frost said he would like to see an environment where data is exchanged between banks when customers show an intent to make a payment.

“This is already the case in Australia, with banks performing checks to determine the level of risk as soon as the customer has filled in the account details. This enables them to protect customers by deflecting them from high-risk payments, or, where appropriate, blocking their payment. The real-time exchange also empowers Australian banks to identify money mules, especially those that don’t conform to the classic profile of a young adult on the lookout for fast money,” Frost explained.