Payment security

Payment fraud in 2026: how to protect your business

UK payment fraud hit £1.28bn in 2025. Learn how APP scams, invoice fraud and card fraud work, and the practical steps to protect your business.

8 min read Published 16 Jul 2026
Payment fraud in 2026: how to protect your business

Payment fraud cost the UK £1.28 billion in 2025, a four per cent rise on 2024, according to the UK Finance Annual Fraud Report 2026. That covers only losses reported through the banking system. The true cost, once you factor in operational disruption, reputational damage and recovery time, runs considerably higher.

The fraud landscape has shifted. Criminals have moved away from brute-force card attacks and towards social engineering backed by AI. Deepfake audio, AI-generated emails and convincing impersonation scripts mean that even experienced finance teams are being deceived into authorising payments to criminal accounts. UK Finance reports that 66 per cent of authorised push payment fraud cases in 2025 began online.

This guide covers the main payment fraud types hitting UK businesses in 2026, the regulatory framework that shapes how losses are handled, and the practical controls you can put in place today.

The scale of payment fraud in the UK

UK Finance's 2026 Annual Fraud Report recorded more than four million confirmed fraud cases across the UK banking sector in 2025. Total losses reached £1.28 billion, split between £703.4 million in unauthorised fraud (down five per cent year on year, despite an 11 per cent rise in case numbers to 3.81 million) and £576.4 million in authorised push payment (APP) fraud (up 19 per cent). The direction of travel matters: criminals are winning ground on authorised payments even as banks get better at stopping unauthorised ones.

APP fraud case volumes rose seven per cent to 248,070 in 2025. Banks reimbursed £354.3 million to APP fraud victims during the year, equivalent to 61 per cent of APP losses. For businesses, the Home Office Economic Crime Survey 2024 found that just over a quarter of UK businesses with employees reported experiencing a fraud attempt, with fake invoice fraud affecting 11 per cent and mandate fraud seven per cent.

Banks prevented £1.68 billion of unauthorised fraud in 2025, roughly 70 pence in every pound attempted. But APP fraud is harder to intercept at the bank level because the customer authorises the payment themselves. That shifts responsibility for prevention firmly onto business-level controls.

The five-year trend shows sustained pressure. APP losses fell from £583.2 million in 2021 to £450.7 million in 2024, partly due to Confirmation of Payee reducing misdirected payments, before rebounding to £576.4 million in 2025 as AI-enabled scams scaled. Remote purchase card fraud alone reached £423.5 million in 2025.

UK APP fraud losses 2021 to 2025 (£ million)

Annual gross APP fraud losses reported by UK Finance member banks. Source: UK Finance Annual Fraud Reports 2022 to 2026.

2021

583%

2022

485%

2023

460%

2024

451%

2025

576%

The main fraud types targeting businesses in 2026

APP fraud is now the dominant threat for businesses. A criminal persuades someone in your finance team to initiate a bank transfer to what appears to be a legitimate payee. The payee is a mule account. By the time the transfer is spotted, the money has moved on and is effectively unrecoverable. Common triggers include fake supplier invoices, purchase order interception and impersonation of senior executives or HMRC.

Invoice fraud and mandate fraud are closely related variants. In invoice fraud, criminals replicate a genuine supplier invoice and substitute their own bank details. In mandate fraud, they contact the business posing as an existing supplier and ask the accounts team to update payment details. Both are low-tech relative to their effectiveness: the request looks entirely normal until the supplier chases the missing payment.

Business email compromise sits at the intersection of cybercrime and payment fraud. Criminals spoof or compromise a legitimate email account and use it to issue payment instructions. AI has made these attacks cheaper to run and harder to spot. By mid-2024, an estimated 40 per cent of business email compromise phishing emails were AI-generated, according to research from VIPRE Security Group. UK Finance reports that organised criminal groups are increasingly using deepfakes, cloned voices and synthetic identities to impersonate trusted people in fraud attempts targeting businesses and consumers.

Unauthorised card fraud remains significant for businesses that accept payments. Remote purchase card fraud losses reached £423.5 million in 2025, with case numbers up 13 per cent to 3.2 million. This affects businesses as victims when card credentials are stolen and as merchants when fraudulent transactions are later charged back.

UK payment fraud losses by category 2025 (share of £1.28bn)

Split of the £1.28 billion of UK payment fraud losses in 2025: card fraud on UK-issued cards £594.9m, APP fraud £576.4m, remote banking fraud £104.4m, and other unauthorised fraud (cheque and other) £4.1m. Source: UK Finance Annual Fraud Report 2026.

UK payment fraud losses by category 2025 (share of £1.28bn)
100Total %
Card fraud46%
APP fraud45%
Remote banking fraud8%
Other unauthorised fraud1%

The regulatory framework: what businesses need to know

The Payment Systems Regulator (PSR) introduced mandatory APP fraud reimbursement for Faster Payments on 7 October 2024. Payment service providers must reimburse eligible victims up to £85,000 per claim, with costs shared equally between the sending and receiving firms. Claims should ordinarily be processed within five business days.

The scheme covers consumers, microenterprises and charities. Larger businesses are not automatically protected and should check the specific terms of their banking agreement. Internal fraud controls are therefore especially important for organisations that fall outside the mandatory scheme.

Confirmation of Payee (CoP), operated by Pay.UK, checks whether the account name you enter matches the name on the destination account before a payment is sent. Pay.UK reported that CoP passed two billion checks in 2024. Under the PSR's Specific Direction 17, nearly 400 additional payment service providers were required to adopt CoP in two phases completing by October 2024, bringing coverage to over 99 per cent of Faster Payments and CHAPS transactions and closing a gap that fraudsters exploited by routing payments through non-enrolled firms.

The FCA requires the firms it authorises to maintain adequate systems and controls against financial crime. For businesses that are not themselves regulated, the obligation falls on their payment provider. Choosing a regulated, CoP-enabled provider is part of the compliance picture, not just a commercial preference.

Practical payment fraud prevention controls for businesses

The most effective defence against APP and invoice fraud is a consistently enforced payment authorisation policy. No single person should be able to request, approve and execute a transfer without a second check. Dual authorisation removes the single point of failure that criminals rely on. Set your threshold low enough to catch typical mandate fraud values, not just large transfers.

Verify every request to change supplier payment details through a separate channel. If an email arrives asking you to update a bank account, call the supplier back on a number from your existing records, not one provided in the same message. This single step defeats most mandate fraud attempts. Write the call-back step into your accounts payable procedure so it is not optional.

Use a payment provider enrolled in Confirmation of Payee. When you make a payment and the account name does not match, investigate before proceeding. A mismatch is not always fraud, but it is always worth checking. Nasara Pay runs CoP checks on outbound payments so your team sees name-match results before any transfer is authorised.

Train your finance team regularly on current fraud tactics. Action Fraud and the National Cyber Security Centre both publish updated guidance on business email compromise and invoice fraud. Scenario-based training that walks through a realistic deepfake call or spoofed email is more effective than generic awareness sessions. Segregate duties in accounts payable so the person processing invoices is not the same person setting up new payees.

How technology is changing the fraud threat in 2026

AI has lowered the cost and raised the quality of fraud attacks. Criminals can generate personalised phishing emails at scale and clone a voice from a short audio clip. Research by McAfee found that as little as three seconds of publicly available audio, such as a clip from a social media video or a voicemail greeting, can be enough to produce a convincing voice clone. UK Finance reports that organised criminal groups are increasingly using cloned voices and deepfakes to impersonate trusted people in fraud attempts.

The shift to real-time payments changes the recovery picture. Faster Payments processes transfers within seconds. Once an APP fraud payment leaves your account, it moves rapidly through a chain of mule accounts and is rarely recovered in full. Prevention at the point of authorisation is worth far more than any post-loss process.

Phishing and smishing attacks are increasingly tailored. Criminals use data from prior breaches, LinkedIn and company websites to craft messages referencing real people and real financial activity. A request that appears to come from your CFO, names a genuine supplier and quotes the correct invoice amount is much harder to identify as fraudulent than a generic scam email. Treat any payment instruction arriving via a new or unexpected channel as high risk.

What to do if your business is a victim of payment fraud

Speed matters. Contact your bank immediately and request an urgent payment recall. The sooner the receiving bank is alerted, the better the chance funds have not yet moved on. Note the exact time you discovered the fraud and document every step, as this will be required for any reimbursement claim or police report.

Report to Action Fraud at actionfraud.police.uk or on 0300 123 2040. Action Fraud passes intelligence to the National Fraud Intelligence Bureau, which identifies patterns and supports police investigations. Reporting does not guarantee recovery but contributes to the national picture and may assist other businesses facing the same criminal group.

If your loss falls within the PSR's mandatory reimbursement scheme and was made via Faster Payments, submit a formal claim to your payment service provider. Eligible victims should receive reimbursement of up to £85,000, with claims ordinarily processed within five business days. If your claim is refused and you believe it should be covered, refer to the Financial Ombudsman Service.

After any incident, identify which control failed before returning to normal operations. Close the gap whether it was a procedural weakness, a technical flaw or a training shortfall. Fraud incidents involving social engineering often indicate the criminals had prior knowledge of your business, so review whether your supplier data, email system or staff information may have been compromised.

Choosing a payment provider with strong fraud controls

Look for a payment provider that is FCA-authorised, enrolled in Confirmation of Payee and transparent about how it monitors outbound payments. Regulatory authorisation means the provider faces ongoing oversight of its systems and controls.

Dual authorisation built into the platform is more reliable than manual workarounds. A provider that supports payment limits, approval workflows, role-based access and real-time alerts gives your finance team the visibility to catch anomalies before they become losses.

Nasara Pay is built for UK businesses that need fraud controls embedded rather than bolted on. CoP checks, dual authorisation workflows and full transaction audit trails are part of the standard account setup.

Conclusion

Payment fraud in the UK reached £1.28 billion in 2025 and the methods criminals use are becoming more sophisticated, more personalised and more difficult to distinguish from legitimate business activity. The regulatory response, mandatory APP reimbursement, wider Confirmation of Payee coverage and FCA oversight of payment providers, addresses liability and raises baseline standards. But reimbursement is not prevention. The businesses that lose least to fraud are the ones that build systematic controls into their payments process before an attack happens: dual authorisation, verified call-backs, CoP-enabled providers and regular, scenario-based staff training.

The threat will continue to evolve. AI tools that are expensive and specialised today will be widely accessible tomorrow, and the criminals who use them are adaptive. Reviewing your payment fraud controls annually, and whenever you change payment provider or onboard new suppliers at volume, is not excessive caution. It is standard operating practice for any UK business that moves money.

Frequently asked questions

What is the most common type of payment fraud affecting UK businesses?

Invoice fraud and mandate fraud are among the most common. The Home Office Economic Crime Survey 2024 found 11 per cent of UK businesses experienced fake invoice fraud and seven per cent experienced mandate fraud. Both involve convincing an accounts team to pay a fraudulent bank account through a copied invoice or a request to update supplier payment details.

Will my bank reimburse me if my business is a victim of APP fraud?

The PSR's mandatory reimbursement scheme covers consumers, microenterprises and charities for Faster Payments APP fraud up to £85,000 per claim. Larger businesses are not automatically covered and should check their banking agreement. Submit a claim promptly if you believe you are eligible, and refer to the Financial Ombudsman Service if the claim is refused.

What is Confirmation of Payee and does it prevent all fraud?

Confirmation of Payee is a service that checks whether the name you enter for a payee matches the name registered to that bank account before the payment is sent. It helps prevent misdirected payments and some forms of APP fraud. It does not prevent all fraud: a criminal who has taken over a legitimate account, or who convinces you to ignore a mismatch warning, can still succeed. It is one layer of control, not a complete solution.

How should I verify a request to change supplier bank details?

Always verify via a separate channel. Call the supplier on a number from your existing records, not one provided in the request itself. Write this call-back step into your accounts payable procedure so it applies every time, regardless of how convincing the original message appears.

What should I do immediately after discovering a fraudulent payment?

Contact your bank immediately to request a payment recall. Document the time of discovery and every subsequent step. Report to Action Fraud at actionfraud.police.uk or 0300 123 2040. If the payment was via Faster Payments and you may be eligible under the PSR scheme, submit a formal claim to your provider and keep all correspondence.

How is AI making payment fraud worse for businesses?

AI lets criminals generate personalised phishing emails at scale, clone voices and produce deepfake video. A call appearing to come from your CFO, or an email referencing real invoice details, may be fraudulent but look entirely genuine. UK Finance reports that organised criminal groups are increasingly using deepfakes and cloned voices in fraud attempts targeting businesses. Verbal verification and strict dual authorisation become more important as social engineering quality improves.

Ready to move money with confidence?

Nasara Pay helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide