Cracking the Identity Code: Authorized Payments (A Modern Scam Story)

Fraud, Scams, and Broken Policy - Part 1 of 3
Welcome back to Cracking the Identity Code!
We’ve broken out our next installment, “Fraud, Scams, and Broken Policy,” into a three-part series in which we break down the current state of scams in the U.S. In Part 1, we take a closer look at the growing problem of authorized payment scams and how existing regulations and product design have shaped this trend.
Authorized Payments: A Modern Scam Story
Imagine getting a late-night call and the caller ID comes up as your bank. The person on the line says fraudsters are targeting your account. They know your name and even the last four digits of your account. To “secure” your funds, they urge you to quickly transfer your money into a “safe” holding account – which you promptly do via your banking app. Only later do you realize the truth: the caller was a scammer, and you just authorized a payment straight into their hands. This scenario is not far-fetched; it’s a textbook example of an authorized push payment (APP) scam. Such scams are fueling a surge in fraud losses and exposing gaping holes in consumer protections.
Note on APP fraud: Understanding APP fraud matters because push-payment systems are “new” compared with the legacy systems that fraud controls were built around. The simplest way to think about it: in an APP scam, you hand someone your money; in account takeover (ATO) fraud, someone reaches into your wallet and takes it.
Fraud Losses at Record Highs
Fraud losses in the United States have soared to unprecedented levels in recent years. In 2023, Americans reported losing over $10 billion to fraud – the first time annual losses reached double-digit billions. In 2024 it got even worse, jumping another 25% to $12.5 billion. Imposter scams (like the fake bank caller above) are now a leading fraud category, responsible for over $2.9 billion of 2024’s losses. One especially pernicious subset – scammers impersonating government officials – spiked from $171 million stolen in 2023 to $789 million in 2024.
For businesses and banks, the damage goes beyond the dollars directly stolen. Studies find that every $1 lost to fraud actually costs about $3.75 after accounting for recovery efforts, investigations, and reputational damage. In short, today’s fraud isn’t just hackers infiltrating systems; it’s con artists infiltrating minds. And it’s revealing a serious mismatch between how our financial system defines an “unauthorized” transaction and the reality of how modern scams operate.
When “Authorized” Means No Protection
Why are victims of scams like the one above often left holding the bag? The answer lies in an outdated approach to both regulation and bank policy. Under U.S. law – specifically Regulation E of the Electronic Fund Transfer Act – banks must reimburse customers for “unauthorized” electronic transactions (for example, if a hacker breaks into your account and steals money). But if you initiate the transfer yourself – even if you were tricked or coerced – it’s not legally deemed “unauthorized.” In those cases, banks aren’t required under Reg E to make the consumer whole. In other words, an APP scam where a victim is socially engineered into sending money falls into a gray area not clearly covered by existing consumer protections.
By contrast, credit cards have long touted “zero liability” for fraud, but those guarantees were designed for traditional fraud (like a thief making charges on your stolen card), not for scenarios where you willingly authorize a payment under false pretenses.
For example, if a scammer convinces someone to buy $5,000 in gift cards for a fake IRS agent, the card network’s rules may not automatically cover that loss, since the cardholder technically made the purchase. Similarly, peer-to-peer payment networks like Zelle historically offered little to no protection for these authorized scams. Only recently, amid public and regulatory pressure, have major banks agreed to voluntarily reimburse certain scam victims as a goodwill gesture. These commitments, however, are voluntary, inconsistent, and dependent upon each bank’s approach to balancing consumer protection, creating disincentives for fraudsters, and managing shareholder expectations – resulting in a patchwork rather than a guarantee. One bank might refund a Zelle imposter scam, while another denies a similar claim, leaving consumers with uneven outcomes.
This leaves a clear gap in our dispute systems: there is no mechanism that gives every participant an incentive to drive scam-driven fraud rates down while also increasing consumer protection. Our fraud liability rules were built for a world where criminals impersonate you to your bank, not one where they impersonate your bank (or another trusted authority) to you. Victims who are deceived into authorizing payments often find there’s no clear safety net. U.S. regulators like the CFPB have hinted at closing this gap, and lawmakers have raised alarms, but so far the liability for scams still largely falls on the victim rather than the institution. This is a blind spot in consumer protection: when a transaction is technically “authorized” by the user, everyone treats it as legitimate – even if that authorization was obtained by fraud.
Frictionless Payments, Needless Risk
Modern banking and payment apps are designed to be frictionless – assuming that if the logged-in, authenticated user initiates a transfer, it must be legitimate. Traditional fraud controls focus on preventing unauthorized access: strong passwords, device recognition, OTP codes, biometric login, etc. But those measures do little when the real customer is unwittingly doing the fraudster’s bidding. In an APP scam, all the bank’s security checkpoints light up green (correct password, verified device, confirmed text code), so the transaction sails through. The system has no insight into the customer’s state of mind. As fraud experts lament, today’s controls can verify who is making the payment, but not why – they can’t tell if you’re making that transfer under duress or deception.
This design gap means many banking apps will dutifully execute even highly unusual payments with only minimal warnings. A victim can often push through a large wire or a series of transfers to a brand-new payee with just a cursory “Are you sure?” prompt. By the time the customer or bank realizes something is wrong, the money is long gone. Contrast this with the United Kingdom, where rising losses from these scams forced a re-think. UK banks introduced a Confirmation of Payee system to check if the recipient’s name matches the account name, warning customers of mismatches. They also adopted a Contingent Reimbursement Model (CRM) in 2019 – a voluntary industry code to reimburse APP scam victims by default unless gross negligence is shown. In effect, UK banks collectively acknowledged that scam victims shouldn’t automatically bear the loss.
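To make the “who, but not why” gap concrete, here is an added illustration (not code from this newsletter or from any bank) of the kind of transaction-context checks the paragraph above describes: a Confirmation of Payee style name comparison, plus a look at the circumstances of the payment (brand-new payee, unusual size, a burst of transfers) that decides whether to allow, warn, or hold the transfer for a callback. The thresholds, the field names, and the three sample transfers are all assumptions constructed for the example.

```python
"""Transaction-context checks for authorized push payment (APP) scam signals.

Added illustration, not the newsletter's or any institution's real logic.
It models two ideas from the text: a Confirmation of Payee style name check,
and judging a payment by *why* it looks risky (new payee, unusual amount,
burst of transfers) rather than only by *who* is logged in.
All thresholds below are assumed, illustrative values.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re
from typing import List, Optional

# Assumed policy thresholds (illustrative, not any bank's real settings).
NEW_PAYEE_WINDOW_MINUTES = 60   # payee added this recently counts as "brand new"
NEW_PAYEE_AMOUNT = 1000.0       # lower amount bar when the payee is brand new
LARGE_AMOUNT = 5000.0           # single-transfer size that warrants a second look
VELOCITY_LIMIT_PER_HOUR = 2     # more transfers than this in an hour is unusual
CLOSE_MATCH_RATIO = 0.85        # similarity above which a name is "close" but not exact


@dataclass
class TransferRequest:
    amount: float
    payee_name_entered: str                  # name the customer typed for the recipient
    payee_name_on_record: str                # name the receiving institution reports
    payee_added_minutes_ago: Optional[int]   # None for a long-standing payee
    transfers_last_hour: int                 # transfers this customer already sent in the past hour


@dataclass
class Decision:
    action: str                  # "allow", "warn", or "hold_for_callback"
    payee_check: str             # "match", "close_match", or "no_match"
    reasons: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation and collapse spaces so 'J. Smith' equals 'j smith'."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(cleaned.split())


def confirmation_of_payee(entered: str, on_record: str) -> str:
    """Confirmation of Payee style check: does the entered name match the account holder?"""
    a, b = normalize_name(entered), normalize_name(on_record)
    if a == b:
        return "match"
    ratio = SequenceMatcher(None, a, b).ratio()
    return "close_match" if ratio >= CLOSE_MATCH_RATIO else "no_match"


def assess_transfer(req: TransferRequest) -> Decision:
    """Combine the payee check with context signals into an allow / warn / hold decision."""
    reasons: List[str] = []
    payee_check = confirmation_of_payee(req.payee_name_entered, req.payee_name_on_record)

    if payee_check == "no_match":
        reasons.append("recipient name does not match the account holder")
    elif payee_check == "close_match":
        reasons.append("recipient name is only a close match to the account holder")

    is_new_payee = (req.payee_added_minutes_ago is not None
                    and req.payee_added_minutes_ago <= NEW_PAYEE_WINDOW_MINUTES)
    if is_new_payee and req.amount >= NEW_PAYEE_AMOUNT:
        reasons.append(f"{req.amount:.2f} to a payee added {req.payee_added_minutes_ago} minutes ago")
    if req.amount >= LARGE_AMOUNT:
        reasons.append(f"amount {req.amount:.2f} exceeds the large-transfer threshold")
    if req.transfers_last_hour > VELOCITY_LIMIT_PER_HOUR:
        reasons.append(f"{req.transfers_last_hour} transfers already sent in the past hour")

    # A name mismatch is always held; otherwise two or more signals hold, one warns.
    if payee_check == "no_match" or len(reasons) >= 2:
        action = "hold_for_callback"
    elif reasons:
        action = "warn"
    else:
        action = "allow"
    return Decision(action=action, payee_check=payee_check, reasons=reasons)


# Constructed sample transfers (not real data).
SCAM_LIKE = TransferRequest(8000.0, "Safe Holding Account", "Crypto Exchange Ltd", 10, 0)
ROUTINE = TransferRequest(120.0, "Alice Jones", "Alice Jones", None, 1)
TYPO_PAYEE = TransferRequest(200.0, "Jon Smith", "John Smith", None, 0)

if __name__ == "__main__":
    for label, req in [("scam-like", SCAM_LIKE), ("routine", ROUTINE), ("typo payee", TYPO_PAYEE)]:
        d = assess_transfer(req)
        print(f"{label}: {d.action} (payee {d.payee_check}); reasons: {d.reasons}")
```

The point of the design is that every signal is about the transaction's context, not the login: the scam-like transfer passes every authentication check yet is held, while the routine one is allowed with no friction. A "close match" only warns, which is how a typo in a payee name can be surfaced to the customer without blocking legitimate payments.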
In the U.S., no such broad requirement exists yet. As an ex-banker and someone who loves payments (and as a parent!), one thing I’ve learned is that without clear rules, mayhem will ensue. Banks have begun adding extra warnings or callback verifications for risky transactions, and some are reimbursing scam victims on a case-by-case basis, but there is no universal standard. The idea of forcing banks to pay for customer-authorized scams remains hotly debated. Few people are sympathetic to banks, but the reality is that without clear rules they are destined to disappoint. Banks worry that mandatory reimbursement could encourage fraud with no recourse, or complacency on the part of consumers, while consumer advocates point to the UK’s example as a path to better protection (though that comparison doesn’t account for the fundamental differences in how each jurisdiction approaches regulation).
For now, American consumers face an uneasy truth: if you are conned into authorizing a fraudulent payment, the default assumption is that it’s on you. The system’s protections haven’t caught up to the tactics that scammers are now using, leaving a critical policy and design gap where trust can be exploited.
Bottom line: Today’s fraud landscape has shifted under our feet. The biggest threat is no longer someone stealing your credentials without your knowledge – it’s someone stealing your confidence and consent. Yet our rules and app designs haven’t fully adapted. This gap between old definitions of “unauthorized” and new forms of authorized scams is exactly what criminals are exploiting, and it’s why so many victims (like the unfortunate caller in our story) find themselves with no recourse after the fact.
In the next installment of this series, we’ll take a closer look at modern fraud threats, from impersonation to first-party fraud. We’ll explore what this changing landscape means for banks, why securing account access is only one part of the solution, and why banks need to think more strategically about the context behind every transaction.