Behavioural biases may make consumers particularly susceptible to APP fraud – vulnerability to scarcity, willingness to trust, susceptibility to interpreting the illusory as true (a phenomenon linked to the representativeness heuristic), and rushed and pressured decision-making. That’s suggested in a report for the UK’s Payment Systems Regulator by Prof John Gathergood of the University of Nottingham’s School of Economics, on why people – regardless of age, background or education – can fall victim to Authorised Push Payment (APP) fraud.
He said that behavioural economics provides a compelling framework for understanding the tactics fraudsters use, and why we fall for them. “The PSR and payments industry are taking many measures to try to address this problem. The report suggests some avenues for potential further measures built on key insights from behavioural economics.”
UK Finance
The trade body UK Finance released its half-year fraud report in October. The 2.09 million confirmed cases of fraud mean a 17 per cent increase on this time last year. Authorised push payment (APP) fraud losses were £257.5m in the first half of 2025, a 12 per cent increase on the same time last year. APP cases fell by eight per cent to 110,747. The main reason for the increase in APP losses was investment scams, while purchase scams (where a victim pays in advance for goods or services that are never received) continued to be the most common form of APP fraud. Most such frauds begin on online platforms.
Among other details, ‘card not present’ fraud cases, which occur when a criminal uses stolen card details, increased by 22 per cent. Banks prevented £870m of unauthorised fraud during the first half of the year, 20 per cent more than a year ago. Ben Donaldson, Managing Director of Economic Crime at UK Finance, said: “Fraud continues to be a major threat to our society and our economy, and criminals continue to adapt ways to steal victims’ money and funnel significant sums of money to criminal enterprises, impacting society greatly. Despite the ongoing investment and prevention measures by the industry, the majority of fraud originates outside the banking system, online and over the phone, where manipulation begins long before any payment is made.
“The scale of the threat is not commensurate with the current level of government investment in countering it or the insufficient action by other sectors. The government must prioritise prevention and hold the social media and telecommunications industries to account in its new Fraud Strategy.”
Ransomware report
Large enterprises are increasingly resisting the pressure to pay ransoms, it’s claimed. Several high-profile data exfiltration campaigns were largely unfruitful for the attackers despite widely reported impact on the victim businesses. These businesses increasingly understand that there is little or no use in paying to suppress the proliferation of stolen data, according to the report.
According to the report, by the vendor Coveware, the cyber extortion landscape has split into two: volume-driven Ransomware-as-a-Service (RaaS) campaigns against the mid-market, and high-cost, targeted intrusions aimed at larger enterprises. Ransom payment rates dropped to less than a quarter, 23 per cent, the lowest ever recorded by Coveware, while average payments fell 66pc and median payments dropped 65pc to $140,000.
Insiders
The report points to insider threats. While always a risk, they have typically manifested as data-theft-only events: for example, disgruntled employees exfiltrating intellectual property or a North Korean remote worker stealing data before termination. Public reporting has also documented cases where insiders at major companies were bribed to assist data theft campaigns. A traditional RaaS group hiring an English speaker to try to bribe insiders at companies to help them achieve encryption via ransomware deployment is a very specific and noteworthy deviation, according to the report.
Methods
As for the continued evolution of attacker behaviour, the same foundations — remote access compromise, phishing/social engineering, and software vulnerability exploitation — remain, the report adds.
Digital identities
A study by the identity services firm Signicat, The Battle in the Dark, suggests that most (74pc) of companies in Europe believe they’re successfully tackling fraud, even though one in five transactions remains fraudulent and less than half of them (45pc) are measuring the impact of identity fraud on their businesses. “From anti-money laundering directives to stringent data protection frameworks, organisations in regulated financial and technology sectors face mounting pressure to comply with evolving digital identity requirements,” said Pinar Alpay, Chief Product Officer at Signicat.
August edition
As featured in the August edition of Professional Security Magazine, the UK has been making diplomatic efforts to go after fraudsters in their home country.



