APP Fraud and Cybersecurity: How Email Compromise Drives £459M in Annual Losses

UK Finance reported £459 million in losses to authorised push payment (APP) fraud in the first half of 2023 alone. Behind much of that total is a cybersecurity failure: business email compromise (BEC), where attackers intercept or impersonate email communications between a firm and its clients to redirect payment instructions. For IFAs, mortgage brokers, wealth managers, and solicitors holding client money, a single compromised email account can result in a client losing their life savings to a fraudulent bank transfer — with the firm facing regulatory scrutiny and potential liability for enabling it.

£459 million lost to APP fraud in the first half of 2023 — the majority enabled by business email compromise and social engineering.

How Business Email Compromise Enables APP Fraud

The attack chain from email compromise to APP fraud follows a predictable pattern:

  • Step 1: Attacker compromises an email account — typically through phishing, credential stuffing, or password spray — often at the firm or the client
  • Step 2: Attacker silently monitors email traffic, identifying expected payment transactions and learning the firm's communication style
  • Step 3: Attacker intercepts a legitimate payment instruction and substitutes fraudulent bank account details — or sends a fraudulent instruction at a natural payment moment
  • Step 4: Client authorises the payment believing it is legitimate — because it comes from the correct email address, uses correct language, and references real transaction details
  • Step 5: Payment is received by a mule account and dispersed immediately — recovery is rarely possible once the bank has processed the transfer

Why APP Fraud Is a Cybersecurity Problem, Not Just a Fraud Problem

APP fraud is categorised as fraud — but the enabler is a cybersecurity control failure. Firms that have deployed business email compromise protection materially reduce their APP fraud exposure. The critical controls:

  • MFA on all email accounts: The single most effective BEC prevention measure — stops credential theft from enabling account access
  • Email authentication (DMARC, DKIM, SPF): Prevents attackers from spoofing the firm's domain in external impersonation attacks
  • Anti-phishing email filtering: Blocks the initial credential theft attempt before the account is compromised
  • User behaviour analytics: Detects anomalous email access patterns — forwarding rules, login from unusual locations, bulk access — that indicate account compromise
  • Payment verification procedures: Dual-authorisation on large transfers; out-of-band verification of changed bank details by telephone
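The user behaviour analytics control above is the one most directly tied to step 2 of the attack chain, where an attacker sits in a mailbox and sets rules to divert or hide payment correspondence. The following is an added example, not Coro's or Kyanite Blue's code, of the kind of logic a defender runs over mailbox audit events: it flags inbox rules that forward to external addresses, delete messages, or filter on payment terms, and sign-ins from countries a user has never used. The event format, field names, firm domain and sample events are all constructed assumptions; real Microsoft 365 or Google Workspace audit logs differ in shape but carry the same signals.

```python
"""Flag mailbox events that commonly precede BEC-driven APP fraud.

Constructed example: the event schema, the firm domain and every sample
value below are assumptions made for illustration.
"""
from __future__ import annotations

FIRM_DOMAIN = "firm-name.co.uk"  # assumed firm domain

# Constructed mailbox audit events, in the order they occurred.
SAMPLE_EVENTS = [
    {"user": "adviser@firm-name.co.uk", "action": "Login", "country": "GB", "details": {}},
    {"user": "adviser@firm-name.co.uk", "action": "Login", "country": "GB", "details": {}},
    {"user": "adviser@firm-name.co.uk", "action": "Login", "country": "NG", "details": {}},
    {"user": "adviser@firm-name.co.uk", "action": "New-InboxRule", "country": "NG",
     "details": {"name": ".", "forward_to": "adviser.firm@example.net",
                 "delete_message": True, "subject_contains": ["invoice", "bank details"]}},
    {"user": "paraplanner@firm-name.co.uk", "action": "New-InboxRule", "country": "GB",
     "details": {"name": "Newsletters", "move_to_folder": "Reading",
                 "subject_contains": ["digest"]}},
]

# Countries each user has signed in from historically (constructed baseline).
KNOWN_COUNTRIES = {
    "adviser@firm-name.co.uk": {"GB"},
    "paraplanner@firm-name.co.uk": {"GB"},
}

PAYMENT_TERMS = {"invoice", "payment", "bank details", "transfer", "remittance"}


def _external(address: str) -> bool:
    """True when a forwarding target is outside the firm's own domain."""
    return not address.lower().endswith("@" + FIRM_DOMAIN)


def suspicious_rule(details: dict) -> list[str]:
    """Return the reasons an inbox rule looks like BEC persistence; [] if benign."""
    reasons = []
    forward = details.get("forward_to")
    if forward and _external(forward):
        reasons.append(f"forwards to external address {forward}")
    if details.get("delete_message"):
        reasons.append("deletes messages after processing (hides replies from the owner)")
    keywords = {k.lower() for k in details.get("subject_contains", [])}
    if keywords & PAYMENT_TERMS:
        reasons.append("filters on payment-related subjects")
    if details.get("name", "").strip(".,- ") == "":
        reasons.append("rule name is empty or punctuation only")
    return reasons


def find_alerts(events: list[dict], known_countries: dict[str, set[str]]) -> list[dict]:
    """Walk events in order and emit alerts for new-location logins and
    suspicious inbox rules. The baseline is copied so the caller's data is
    not mutated; an unseen country is added after alerting once."""
    seen = {u: set(c) for u, c in known_countries.items()}
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["action"] == "Login":
            countries = seen.setdefault(user, set())
            if ev["country"] not in countries:
                alerts.append({"user": user, "type": "new-location-login",
                               "detail": f"sign-in from {ev['country']}"})
                countries.add(ev["country"])
        elif ev["action"] == "New-InboxRule":
            reasons = suspicious_rule(ev["details"])
            if reasons:
                alerts.append({"user": user, "type": "suspicious-inbox-rule",
                               "detail": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(f"{alert['type']:24} {alert['user']:32} {alert['detail']}")
```

Run over the constructed events, the adviser's first two logins are silent, the third (from an unseen country) raises an alert, the rule that follows it raises a second with four reasons, and the paraplanner's folder-sorting rule is left alone. In production the two alerts for the same user within minutes of each other are the combination worth paging on, since either signal alone produces false positives (travel, legitimate forwarding to a shared mailbox).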

The FCA's Position on APP Fraud and Firm Liability

The Payment Systems Regulator's mandatory reimbursement scheme, effective October 2023, requires payment service providers to reimburse APP fraud victims in most cases. Firms that process payments for clients — and firms that are themselves the sending institution — now face direct financial liability for APP fraud losses where they have not implemented proportionate controls. The FCA has made clear that firms with inadequate security around payment instructions face regulatory scrutiny beyond the reimbursement obligation.

How Coro Closes the Email Security Gap

Coro's email security module addresses the attack chain that enables APP fraud at every stage: phishing protection prevents initial credential theft; MFA enforcement prevents compromised credentials from being used; user behaviour analytics detects account compromise in progress; and email impersonation protection prevents domain spoofing attacks against your clients. For financial firms with distributed teams — IFA networks, mortgage brokers with remote advisers — Coro manages email security across the entire firm from a single console without requiring per-device configuration.

Frequently Asked Questions

Are we liable if a client loses money to APP fraud through our systems?

Liability depends on the circumstances. Where a firm's email system was compromised and used to redirect a client's payment, the firm may face FCA regulatory scrutiny and civil claims from the client. The PSR mandatory reimbursement scheme (October 2023) places liability on the sending payment service provider in most cases. Firms that can demonstrate they had proportionate cybersecurity controls in place are in a stronger regulatory and legal position than those that cannot.

What should we do if we discover our email has been compromised and a fraudulent payment instruction sent?

Act immediately: contact your bank to attempt a payment recall; notify the receiving bank through the Faster Payments fraud reporting route; report to Action Fraud; assess whether client data has been accessed and whether ICO/FCA notification is required; and engage your cyber incident response plan. Time is critical — payments can sometimes be recalled in the first few hours. Do not attempt to handle this without legal advice.

Is DMARC enough to protect against email-based fraud?

DMARC prevents attackers from spoofing your domain in emails sent to others — it does not prevent your accounts from being compromised, and it does not protect against look-alike domains (e.g., firm-name.co vs firm-name.co.uk). DMARC is a necessary baseline but must be combined with MFA, anti-phishing filtering, and user behaviour monitoring to address the full BEC threat landscape.

Protect your firm against business email compromise

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
