The US payment system is undergoing a structural transformation that's fundamentally changing how fraud must be prevented. There is an irony here with fraud protection rules present in legacy systems such as card and ACH, and an absence of such rules in the fast-growing real time payment systems and solutions.
For decades, payment volumes were dominated by ACH and checks that are slow, predictable and batch-cleared three times daily. Fraud detection had time to work. Banks could review suspicious transactions, investigate anomalies, and stop problems before settlement. The system was built on delay.
That world is disappearing.
Instant Payments Creates New Vulnerabilities
Today, instant and real-time payments are rapidly displacing traditional rails. RTP (Real-Time Payments) and FedNow are accelerating adoption across the financial system. Payment clearing happens in seconds, not days. What was once a leisurely batch process is now instant.
The transformation, however, goes beyond speed. Entirely new payment rails are emerging outside the traditional banking system. Stablecoin-based payments offer instant, cross-border settlement with minimal friction and minimal oversight. Closed loop schemes such as Zelle, Venmo, PayPal and CashApp offer further options. For legitimate use cases, this is transformative. For fraud, it's a wide-open door that can bypass traditional banking surveillance entirely.
The result? The US now has:
- Legacy batch systems (ACH), particularly Nacha
- Instant rails (RTP, FedNow) growing in popularity with limited fraud controls beyond transaction limits, velocity monitoring, negative lists and the banks’ own controls
- New crypto-based rails (stablecoins) with little-to-no fraud prevention efforts; and,
- Any number of payment wallet services and their variants
Fraud prevention infrastructure struggles to keep pace with this burgeoning ecosystem.
The Fundamental Shift: From Pull to Push
Traditional fraud prevention was mostly built to protect payers from unauthorised payment activity where money is pulled from an account. Banks and card networks developed sophisticated systems and rules (such as those of the major card schemes) to protect consumers from unauthorised payment activity.
Authorised Push Payments (APP) fraud operates differently. These are push payments where the victim actively authorizes and initiates the transfer. From the bank's perspective, the transaction looks legitimate. The customer authenticated correctly and approved the payment. The fraud detection system sees nothing wrong.
This is why APP fraud is so difficult to stop with traditional tools. Banks have spent decades perfecting fraud detection for unauthorized transactions and are blind to the crimes underneath authorised payments, particularly scams.
The shift from pull to push fraud fundamentally breaks the fraud prevention model:
- Card fraud (pull): Bank can reverse the transaction, customer isn't liable beyond $50
- APP fraud (push): Instant settlement, no reversal mechanism, customer liability unclear
As instant payments replace traditional rails, more transactions move to push payments, and the fraud protection infrastructure designed for pull payments becomes increasingly irrelevant.
Three Categories of Costly Payment Problems in the US
The structural shift to faster payments intersects with three distinct but related problems:
1. Authorized Push Payment (APP) Fraud
This is criminal social engineering at scale. Fraudsters convince victims to authorize legitimate-looking payments to fraudulent accounts. The payment is technically "authorized", as the victim approves it but have been deceived about the recipient's identity.
Deloitte estimates US APP fraud losses at $8.3 billion in 2024, projected to reach $14.9 billion by 2028. The acceleration is driven by instant payment systems that eliminate the time buffer fraud detection systems once relied on.
2. Payment Misdirection
Legitimate payments sent to the wrong recipient due to data entry errors, outdated account information, or confusion between similarly named payees. With ACH batch processing, these mistakes could often be caught and reversed. With instant payments, the money is gone.
Recovery on domestic misdirected payments is difficult. Recovery on cross-border misdirected payments is nearly impossible.
3. Business Email Compromise (BEC)
The sophisticated cousin of APP fraud. Attackers compromise corporate email accounts, intercept invoices, and substitute fraudulent payment details. Finance teams process what appears to be a routine vendor payment and funds go to a criminal account instead.
The FBI's Internet Crime Complaint Center reported BEC losses of $2.9 billion in 2023, making it the costliest form of cybercrime by a wide margin. The shift to faster payment rails makes BEC even more profitable and harder to stop.
The Enablers: What Makes This Worse
The payment infrastructure transformation sits within wider ecosystem changes that amplify the fraud risk:
AI-Powered Social Engineering
Generative AI has industrialized social engineering attacks. Fraudsters use AI to create convincing phishing emails, clone voices for phone scams, and generate fake documentation at scale. What once required sophisticated criminal operations can now be automated.
Stablecoin Payment Rails
Cryptocurrency-based payments bypass traditional banking surveillance entirely. Stablecoins offer instant, cross-border settlement with minimal friction and minimal oversight. For legitimate use cases, this might be transformative. For fraud, it's a wide-open door and regressive
Fragmented US Banking and payment System
The US has over 9,000 financial institutions, each operating semi-independently. Unlike the UK's relative handful of major banks, fraud prevention across the US system is a massive coordination problem. There's no central directory, no unified mandate, and limited data sharing.
The Pattern Repeats Across Markets
The US isn't the first country to face this problem. Every market that adopted instant payments without adequate fraud prevention saw APP fraud explode. The pattern is consistent and predictable:
United Kingdom: Launched Faster Payments in 2008. By 2022, APP fraud losses reached £485.2 million annually and overtook card fraud as the largest fraud category. The regulatory response came more than a decade later with Confirmation of Payee (CoP) (name-to-account matching) launched in 2020 and mandatory reimbursement rules and liability protections in 2024.
Brazil: As the world's largest instant payment market by volume, Brazil's PIX system processed over 42 billion transactions in 2023. APP fraud has surged alongside adoption, with criminals exploiting the lag in fraud detection capabilities relative to payment speed. ACI Worldwide projects Brazil will experience one of the highest fraud growth rates globally as scammers target the massive transaction volumes.
India: The Unified Payments Interface (UPI) revolutionized payments with instant payments. Fraud losses have grown in parallel with adoption, though proactive measures like transaction limits for newly opened accounts and network intelligence frameworks, are showing some success in controlling growth rates.
Australia: Reported AU$3 billion in scam losses in 2022. APP fraud losses saw a 42% compound annual growth rate from 2018-2023, forcing the government to make scam disruption a strategic priority and establish a National Anti-Scam Centre. A nationwide Confirmation of Payee scheme was launched in 2025 to verify recipient details before payments are sent. The private sector moved in parallel with B2B payment protection platforms like Eftsure building businesses around the gap. They have since expanded globally as cross-border fraud risk follows enterprise payment flows and integrated iPiD’s Know Your Payee (KYP) capabilities to protect enterprises managing vendor payments across borders.
The correlation is undeniable: Instant payment adoption drives APP fraud growth when verification infrastructure doesn't keep pace. The US is now accelerating down this same path.
The Cost from Fraud Is Already Mounting
The consequences aren't theoretical. They're happening now:
- CFPB scrutiny on payment service providers: Regulators are investigating fraud losses on instant payment platforms and there is a growing litigation industry supporting customers recover losses, signalling that liability rules are changing.
- Nacha rule enhancements: Even batch ACH is getting tighter fraud controls through new rules requiring recipient validation, recognition that the old approach isn't sufficient. See our summary of these changes here.
- Bank reputational damage: Financial institutions absorbing fraud losses to protect customer relationships, eroding profitability.
- Corporate treasury exposure: Enterprises losing millions to misdirected vendor payments with no recovery path
Leading financial institutions are already responding. Citi announced a strategic collaboration with iPiD to enhance Citi Verify and expanding payee validation globally to reduce payment risk and fraud for their corporate clients. When one of the world's largest transaction banks moves to strengthen pre-transaction verification, the direction of travel is clear.
The Gap Is Structural and Systemic; Not Tactical
This isn't a problem that better monitoring and screening software can solve. Monitoring happens after a transaction is initiated. With instant payments it’s too late.
The gap is pre-transaction validation. Before funds move, the system needs to verify:
- Does the account exist?
- Does the name match the account holder?
- Is this the payee the sender actually intends to pay?
This capability and payment system infrastructure exists in other markets. The UK's Confirmation of Payee (CoP) system, launched in 2020, provides real-time name-to-account matching before payments are sent. It was introduced after APP fraud spiralled out of control. Similar schemes have been introduced in Europe with Verification of Payee (VoP) and Australia with Confirmation of Payee (CoP).
The US is now accelerating toward the same instant-payment future without building the prevention infrastructure first.
What Comes Next
In our next article we’ll examine why US corporate treasurers now bear direct liability for payment fraud and why cross-border payments are the new payment fraud frontier.
For banks and PSPs, the question isn't whether liability shifts to financial institutions. It's when, and how much it will cost without prevention built in now.
The US payment system is faster and more pervasive than before. It's also now more vulnerable than it's ever been.
References
- Deloitte Insights - The rise of authorized push payment fraud (2025)
- Federal Trade Commission - Reported Losses to Fraud to $12.5 Billion in 2024 (2025)
- Federal Bureau of Investigation Internet Crime Complaint Center - 2023 Internet Crime Report (2024)
- ACI Worldwide - Scamscope: APP Scam Losses to Hit $7.6 Billion by 2028 (2024)
- UK Finance Annual Fraud Report 2023 (2023)
- Australian Competition & Consumer Commission - Targeting Scams: Report of the ACCC on scam activity 2022 (2023)
- Federal Trade Commission - Consumer Sentinel Network Data Book 2023 (2024)
