APP Fraud Prevention Guide for Financial Services: Controls That Actually Work
Authorised push payment fraud is fundamentally a cybersecurity problem with a fraud outcome. The £459 million lost in the first half of 2023 was not lost because payment systems failed — it was lost because attackers successfully impersonated legitimate parties in payment instructions, often after compromising an email account. Financial firms have both a regulatory obligation (PSR mandatory reimbursement scheme) and a direct financial interest in implementing the controls that prevent APP fraud from occurring. This guide describes those controls, in implementation priority order.
£459M lost to APP fraud in the first half of 2023 (UK Finance) — the majority enabled by business email compromise and payment instruction hijacking.
Control 1: Email Security — Closing the Primary Attack Vector
Business email compromise is the gateway to the majority of APP fraud. The controls that close it:
- MFA on all email accounts: Without MFA, a phished or stolen password gives attackers full email access. With MFA, compromised credentials are useless alone
- DMARC, DKIM, and SPF: These email authentication standards let receiving mail servers detect emails that claim to come from your domain but were not sent by your authorised mail systems, and DMARC tells those servers what to do with them. Without them, attackers can send convincing spoofed email from your domain to your clients. DMARC at p=reject is the target configuration
- Anti-phishing filtering: Blocks the emails that harvest credentials before the compromise occurs. Modern solutions detect impersonation, lookalike domains, and social engineering patterns
- User behaviour analytics: Detects anomalous email behaviour — new forwarding rules, bulk mailbox access, logins from unusual locations — that indicates an account has been compromised
- Email encryption: Prevents interception of payment instructions in transit — relevant for firms sending payment details via email
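As an added illustration of the user behaviour analytics control (not code from this page's author or from any vendor product), the script below runs three simple detections over a constructed mailbox audit log: a login from a different country shortly after a previous login, an inbox rule that forwards mail outside the firm (with or without deleting the original), and bulk message access. The JSON event format, field names and the `example-firm.co.uk` domain are assumptions for this example, not a real product's schema.

```python
"""Flag mailbox-compromise indicators in a constructed audit log.

Added example for the 'user behaviour analytics' control; the event schema
below is an assumption for illustration, not any product's real format.
"""
from datetime import datetime, timedelta
import json

# Constructed sample audit log: one JSON event per line (not real data).
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:02:11Z", "user": "alice@example-firm.co.uk", "op": "Login", "country": "GB", "ip": "203.0.113.10"}
{"ts": "2024-03-04T09:41:30Z", "user": "alice@example-firm.co.uk", "op": "Login", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-03-04T09:43:02Z", "user": "alice@example-firm.co.uk", "op": "New-InboxRule", "forward_to": "alice.payments@mail-example.net", "delete_after_forward": true}
{"ts": "2024-03-04T09:44:10Z", "user": "alice@example-firm.co.uk", "op": "MailItemsAccessed", "count": 1850}
{"ts": "2024-03-04T10:15:00Z", "user": "bob@example-firm.co.uk", "op": "Login", "country": "GB", "ip": "203.0.113.11"}
{"ts": "2024-03-04T10:20:00Z", "user": "bob@example-firm.co.uk", "op": "New-InboxRule", "forward_to": "bob@example-firm.co.uk", "delete_after_forward": false}
"""

INTERNAL_DOMAIN = "example-firm.co.uk"   # assumed firm domain
BULK_ACCESS_THRESHOLD = 500              # assumed tuning value
UNUSUAL_LOCATION_WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse JSON-lines audit events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, indicator, detail) tuples for each suspicious event."""
    alerts = []
    last_login = {}
    for e in events:
        user, op = e["user"], e["op"]
        if op == "Login":
            prev = last_login.get(user)
            # Country changed within a short window: login from an unusual location
            if prev and prev["country"] != e["country"] \
                    and e["ts"] - prev["ts"] <= UNUSUAL_LOCATION_WINDOW:
                alerts.append((user, "unusual_location_login",
                               f'{prev["country"]}->{e["country"]}'))
            last_login[user] = e
        elif op == "New-InboxRule":
            target = e.get("forward_to", "")
            # Forwarding to any address outside the firm is the classic BEC foothold
            if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
                alerts.append((user, "external_forwarding_rule", target))
            # Forward-and-delete hides the attacker's correspondence from the owner
            if e.get("delete_after_forward"):
                alerts.append((user, "forward_and_delete_rule", target))
        elif op == "MailItemsAccessed" and e.get("count", 0) >= BULK_ACCESS_THRESHOLD:
            alerts.append((user, "bulk_mailbox_access", str(e["count"])))
    return alerts


def run():
    """Run the detections over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Bob's internal forwarding rule produces no alert, which is the point of keying the rule check on the destination domain rather than on rule creation alone; in a real deployment the thresholds and the list of trusted domains would be tuned to the firm.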
Control 2: Payment Verification Procedures
Technical controls reduce the probability of compromise but cannot eliminate it entirely. Operational controls provide a second line of defence:
- Out-of-band verification: Any instruction to change bank account details must be verified by telephone to a pre-registered number — not by reply to the email making the request
- Dual authorisation: Payments above a threshold (e.g., £10,000) require approval from two people — one to initiate, one to authorise. This is both an APP fraud control and an FCA client money control
- Confirmation of Payee: Use CoP for all new payment setups — it verifies that the account name matches the account number, detecting redirected payments
- Payment limits: Default limits on payment amounts; elevated amounts require additional verification
- Time delays: 24-hour delay on first payments to new beneficiaries — gives time for the client to notice and report if the instruction was fraudulent
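The five operational controls above are easiest to reason about as a single release decision on each payment instruction. The following is an added worked example (not the page's or any product's code) that evaluates a constructed instruction against all five: out-of-band verification of emailed detail changes, Confirmation of Payee result, dual authorisation above the £10,000 figure from the text, a default payment limit, and the 24-hour hold on a new beneficiary. The default limit of £25,000, the data model and the sample instructions are assumptions for illustration; CoP is applied here to every instruction, which goes slightly beyond the "new payment setups" scope in the text.

```python
"""Evaluate a payment instruction against the verification controls.

Added example, not code from this page's author. Thresholds other than the
£10,000 dual-authorisation figure and 24-hour hold are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DUAL_AUTH_THRESHOLD_GBP = 10_000     # from the text
DEFAULT_LIMIT_GBP = 25_000           # assumed default per-payment limit
NEW_BENEFICIARY_HOLD = timedelta(hours=24)


@dataclass
class Beneficiary:
    account_name: str
    sort_code: str
    account_number: str
    first_seen: datetime                       # when these details were first set up
    details_changed_via_email: bool = False    # change request arrived by email
    change_verified_out_of_band: bool = False  # confirmed by call to pre-registered number


@dataclass
class Payment:
    amount_gbp: float
    beneficiary: Beneficiary
    submitted_at: datetime
    cop_name_result: str                       # "match", "close_match" or "no_match"
    initiator: str
    authoriser: Optional[str] = None           # second person; must differ from initiator


def evaluate(p: Payment) -> list[str]:
    """Return the reasons the payment must be held; an empty list means release."""
    holds = []
    b = p.beneficiary
    # Out-of-band verification: emailed detail changes need a call-back before payment
    if b.details_changed_via_email and not b.change_verified_out_of_band:
        holds.append("account_change_not_verified_out_of_band")
    # Confirmation of Payee: only an exact name match releases the payment
    if p.cop_name_result != "match":
        holds.append("cop_" + p.cop_name_result)
    # Dual authorisation above the threshold, by a second, different person
    if p.amount_gbp > DUAL_AUTH_THRESHOLD_GBP and \
            (p.authoriser is None or p.authoriser == p.initiator):
        holds.append("dual_authorisation_required")
    # Default payment limit; larger amounts need additional verification
    if p.amount_gbp > DEFAULT_LIMIT_GBP:
        holds.append("exceeds_default_limit")
    # 24-hour delay on the first payment to a newly set-up beneficiary
    if p.submitted_at - b.first_seen < NEW_BENEFICIARY_HOLD:
        release_at = b.first_seen + NEW_BENEFICIARY_HOLD
        holds.append("new_beneficiary_hold_until_" + release_at.isoformat())
    return holds


# Constructed sample instructions (not real data)
NOW = datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc)

SUSPICIOUS = Payment(
    amount_gbp=48_500,
    beneficiary=Beneficiary("Acme Property Ltd", "04-00-04", "12345678",
                            first_seen=NOW - timedelta(hours=2),
                            details_changed_via_email=True),
    submitted_at=NOW, cop_name_result="no_match",
    initiator="u.smith", authoriser="u.smith")

ROUTINE = Payment(
    amount_gbp=12_000,
    beneficiary=Beneficiary("Acme Property Ltd", "04-00-04", "12345678",
                            first_seen=NOW - timedelta(days=90)),
    submitted_at=NOW, cop_name_result="match",
    initiator="u.smith", authoriser="j.jones")


if __name__ == "__main__":
    print("suspicious:", evaluate(SUSPICIOUS))
    print("routine:", evaluate(ROUTINE))
```

The suspicious instruction trips every control at once, which is typical of a hijacked payment: the details changed by email, CoP does not match the new account, and the same person initiated and authorised. Any one of those holds is enough to stop the payment, so the controls are independent rather than cumulative.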
Control 3: Client Communication and Education
APP fraud ultimately targets clients — and clients who understand the risk are harder to defraud:
- Written client communication: Inform all clients that you will never ask them to move money to a new account by email alone; all changes to payment details will be confirmed by telephone
- Onboarding communication: Set expectations at the start of the relationship — how you communicate, how you will never communicate
- Incident response communication: Have a pre-drafted client communication ready for when an APP fraud attempt is detected — early warning prevents completed fraud
- Regulatory requirements: PSR rules require payment service providers to implement the above — client communication is a regulatory expectation, not just good practice
Control 4: Staff Training and Phishing Simulation
Technical controls are only as effective as the people who operate within them. Staff training in financial services must cover: how to identify phishing emails (including sophisticated spear-phishing targeting senior staff); what to do when they receive a request to change payment details; how to verify client instructions; and how to report suspected compromise or fraud attempts. Phishing simulation — sending realistic phishing emails to staff to test their response — is the most effective training method and is increasingly expected by FCA supervisors and cyber insurers. Coro's email security platform includes phishing simulation capability as part of its financial services deployment.
Frequently Asked Questions
Is there a regulatory obligation to implement APP fraud controls?
Yes. The Payment Systems Regulator's mandatory reimbursement scheme (effective October 2023) places liability on payment service providers for APP fraud losses in most circumstances. Separately, FCA SYSC rules require firms to implement controls proportionate to the risk of financial crime — which includes fraud enabled by cybersecurity failures. Firms that cannot demonstrate proportionate controls face both reimbursement liability and FCA regulatory scrutiny.
DMARC is technical — how do we implement it without an IT team?
DMARC configuration involves publishing a DNS record that instructs receiving email servers how to handle emails that fail authentication. It is a DNS change that your email provider or domain registrar can implement. The process for most small firms: confirm that SPF and DKIM are correctly configured for your domain (your email provider will confirm this); publish a DMARC record initially at p=none (monitoring only); review the DMARC reports to identify legitimate email sources that need to be authenticated; then move to p=quarantine and ultimately p=reject. Kyanite Blue configures this as part of the Coro email security deployment.
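The rollout described in this answer, and the DMARC/DKIM/SPF control in Control 1, can be worked through on sample data. The script below is an added example, not the page's own material or any vendor's tooling: it parses the DMARC TXT record for each rollout stage, summarises a constructed aggregate (`rua`) report for an assumed domain `example-firm.co.uk` to separate failing sources that belong to a known third-party sender (which need SPF/DKIM set up) from sources that are not yours (which p=reject will block), and only advances the policy from p=none to p=quarantine to p=reject once the known senders all pass. The report is constructed to follow the RFC 7489 aggregate-report XML layout for the fields used; the IP addresses are documentation ranges.

```python
"""Walk the DMARC rollout (none -> quarantine -> reject) on constructed data.

Added example, not the page's code. Domain, DNS records, report contents
and the vendor name are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT records for the three rollout stages
DMARC_STAGES = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-firm.co.uk",
    "quarantine": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example-firm.co.uk",
    "reject": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example-firm.co.uk",
}
ROLLOUT_ORDER = ["none", "quarantine", "reject"]


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs and check the mandatory tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


# Constructed aggregate report: our mail server, an unauthenticated CRM vendor
# that legitimately sends on our behalf, and an unknown source spoofing us.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example-firm.co.uk</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>412</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-firm.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.40</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-firm.co.uk</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>58</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-firm.co.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Return {source_ip: {count, aligned, spf_domain}} from an aggregate report."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # DMARC passes if either DKIM or SPF passes in alignment with the From: domain
        aligned = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary[row.findtext("source_ip")] = {
            "count": int(row.findtext("count")),
            "aligned": aligned,
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        }
    return summary


def classify_failures(summary, known_senders):
    """Split failing sources into (to_fix: known senders lacking SPF/DKIM, to_block: everything else)."""
    to_fix, to_block = [], []
    for ip, s in summary.items():
        if s["aligned"]:
            continue
        (to_fix if s["spf_domain"] in known_senders else to_block).append(ip)
    return to_fix, to_block


def next_policy(current, to_fix):
    """Advance one rollout stage only when no legitimate sender is still failing."""
    if to_fix or current == "reject":
        return current
    return ROLLOUT_ORDER[ROLLOUT_ORDER.index(current) + 1]


if __name__ == "__main__":
    summary = summarise_report(SAMPLE_RUA)
    fix, block = classify_failures(summary, {"crm-vendor.example"})
    print("fix authentication for:", fix, "| will be blocked at p=reject:", block)
    print("next policy:", next_policy("none", fix))
```

The source at 192.0.2.99 is exactly what p=reject is for: it sends as the firm's domain with no authentication, and nothing the firm controls needs changing before it can be blocked. The vendor at 198.51.100.40 is why the monitoring stage exists; moving to p=quarantine before adding it to SPF or setting up its DKIM signing would lose legitimate mail.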
Implement email security controls that prevent APP fraud
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.