What is APP Fraud?
Cyber-crime continues to evolve, becoming more sophisticated and harder to detect. One of the most damaging forms is Authorised Push Payment (APP) fraud, where individuals or businesses are tricked into sending money to criminals posing as legitimate contacts.
The Reality of APP Fraud
APP fraud remains a growing threat. Thousands of cases are reported annually, with losses reaching hundreds of millions of pounds. Small businesses are especially vulnerable due to limited internal controls and over-reliance on email communications. Unlike other types of fraud, APP fraud places the burden of responsibility on the payer, making prevention absolutely critical.
Honestly – It Happened to Us
At Pillow May, we experienced APP fraud first-hand. While on holiday with her family, Jessica received a call that changed everything. One of our team members had discovered fraudulent payments authorised on behalf of a client. The root cause was a compromised client email system, but the breach succeeded due to weaknesses in our own internal processes.
Although our client was eventually reimbursed, the emotional and reputational impact was profound. We knew we had to respond not just with fixes, but with a cultural shift.
What We Learnt – And What You Can Do
Strengthen Your Insurance and Security
We now hold cyber liability insurance that specifically covers fraudulent payments. Our insurer required us to implement key security measures, including:
• Password changes every 90 days
• Multi-factor authentication across all systems
• Regular penetration testing and system audits
• Compliance with Cyber Essentials standards to ensure baseline security across devices, software, and networks
Educate and Empower Your Team
Cyber awareness must be embedded in your company culture. We held a training session with our bookkeeping team to dissect what went wrong and how to prevent it. Key takeaways included:
• Always verify unusual transactions
• Avoid relying solely on email for payment instructions
• Understand your clients’ typical payment behaviours
• Use secure communication platforms for sensitive financial discussions
Don’t Be Afraid to Question
Encourage your team to challenge anything that feels “off”. Whether it’s a new supplier, a changed bank account, or an unusually large invoice—pick up the phone and verify using known contact details. Fraudsters often use subtle errors in emails or invoices, so vigilance matters.
Review Your Internal Systems
We introduced:
• Dual bank authority for all client payments
• A revised and more detailed bookkeeping engagement document
• Holiday cover protocols to ensure secure authorisation
• Role-based access controls to limit exposure to sensitive systems
• Bi-weekly short training sessions to keep cyber security front and central for all our team
These changes aren’t about mistrust; they’re about resilience. No single person should bear the risk of authorising a fraudulent payment.
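The checks described under “Don’t Be Afraid to Question” (new supplier, changed bank account, unusually large invoice, email-only instructions) and the dual bank authority control above can be expressed as a small payment-release gate. The following is an added illustration written for this page, not Pillow May’s own system or code. It assumes a constructed payee register of bank details previously verified by phone, a constructed history of past payment amounts, and a hypothetical rule that an amount more than three times a payee’s typical payment must be challenged; the names, figures and threshold are all assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample data for illustration only: bank details each payee was
# verified with (by phone, on known contact details) and the amounts previously
# paid to them. Not real clients, suppliers or accounts.
PAYEE_REGISTER = {
    "Acme Supplies Ltd": {"sort_code": "12-34-56", "account": "12345678"},
    "Brown Landscaping": {"sort_code": "65-43-21", "account": "87654321"},
}
PAYMENT_HISTORY = {
    "Acme Supplies Ltd": [1200.00, 1150.00, 1300.00, 1250.00],
    "Brown Landscaping": [400.00, 420.00, 380.00],
}


@dataclass
class PaymentInstruction:
    payee: str
    sort_code: str
    account: str
    amount: float
    channel: str                 # how the instruction arrived: "email", "phone", "portal"
    verified_by_callback: bool = False   # confirmed by phone on known contact details


def assess_instruction(instr, register=PAYEE_REGISTER, history=PAYMENT_HISTORY,
                       size_multiplier=3.0):
    """Return the reasons this instruction feels 'off' and must be challenged.

    An empty list means nothing unusual was found. The size_multiplier is an
    assumed threshold, not a figure from the article.
    """
    flags = []
    known = register.get(instr.payee)
    if known is None:
        flags.append("new payee: not in verified payee register")
    elif (known["sort_code"], known["account"]) != (instr.sort_code, instr.account):
        flags.append("bank details differ from verified record")
    past = history.get(instr.payee, [])
    if past and instr.amount > size_multiplier * median(past):
        flags.append(f"amount {instr.amount:.2f} exceeds {size_multiplier}x "
                     f"typical {median(past):.2f}")
    if instr.channel == "email" and not instr.verified_by_callback:
        flags.append("email-only instruction: verify by phone on known contact details")
    return flags


def authorise_payment(instr, approvers, register=PAYEE_REGISTER, history=PAYMENT_HISTORY):
    """Dual-authority release gate.

    A payment is released only if (a) any challenge flags have been cleared by a
    callback on known contact details, and (b) two different people approved it,
    so no single person carries the risk of releasing a fraudulent payment.
    Returns (released, reason).
    """
    flags = assess_instruction(instr, register, history)
    if flags and not instr.verified_by_callback:
        return False, "challenge first: " + "; ".join(flags)
    if len(set(approvers)) < 2:
        return False, "dual authority required: two different approvers"
    return True, "released"


if __name__ == "__main__":
    # Constructed walk-through: a routine payment, then the same payee with
    # changed bank details arriving by email, before and after a callback.
    routine = PaymentInstruction("Acme Supplies Ltd", "12-34-56", "12345678", 1250.00, "portal")
    print(authorise_payment(routine, ["alice", "bob"]))
    changed = PaymentInstruction("Acme Supplies Ltd", "99-99-99", "11111111", 1250.00, "email")
    print(authorise_payment(changed, ["alice", "bob"]))
    changed.verified_by_callback = True
    print(authorise_payment(changed, ["alice", "bob"]))
    print(authorise_payment(changed, ["alice", "alice"]))
```

The gate deliberately treats a callback as the only way to clear a flag: an email confirming the “new” account details would come from the same compromised mailbox that sent the instruction, which is exactly the failure the article describes.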
Learn From Us
Cyber-attacks are no longer a question of if, but when. By sharing our experience, we hope to help others build stronger defences. Simple steps, like encouraging staff to question anomalies, can make a real difference.
If someone from Pillow May calls to verify a payment, please know it’s part of our commitment to protecting your business. We’re in this together.