The Signal: FinServ | Incognia

Education campaigns won't stop APP fraud

Written by André Ferraz | Jul 1, 2026 4:30:00 PM

A lot of teams I talk to believe the answer to APP fraud is better education. Awareness campaigns, warnings, messaging like "your bank will never call you."

It helps, to a point. But education has a ceiling.

When someone is being emotionally manipulated in real time and believes their account is being drained or their kid is in trouble, you can't rely on prior training to protect them.

Consumers need to be protected from themselves. Education can help reduce the risk, but it will never fully stop APP fraud. The detection has to happen somewhere else entirely.

Why education has a ceiling

APP fraud works because it relies on manipulation.

A fraudster finds your family photos on social media, texts you from a new number: "Mom, I'm in trouble. I need some money."

A scammer spoofs your bank's phone number and walks you through a fake security process, telling you your account is compromised.

A fake support team sends you an email from rnicrosoft.com. The R and N next to each other look like an M at a glance, making it easy for most to miss.

I did a webinar with Datos Insights back in 2023 where they shared a stat that stuck with me. They asked consumers at financial institutions: "If somebody tried to scam you, would you know it if you saw it?"

75-80% were confident they'd recognize it. But when the same survey asked if they'd ever fallen for a scam, more than 1 in 3 said they had.

That was three years ago. The scams have gotten a lot more convincing since then.

AI is a big part of that. Voice cloning from social media videos, flawless phishing scripts.

Even tech-savvy and well-educated users fall for them.

A colleague of mine, Jordan, has worked in fraud for years. Extremely educated on this stuff, much more than the average consumer. He recently shared a story about nearly falling for a scam himself. (Spoiler: he didn't actually send any money.)

But even with years of experience and every red flag visible, he still sat there wondering: what if this is real?

Education assumes the user will recognize the scam in the moment. But these scams are specifically designed to override that recognition.

I'm not saying education is useless. It's a necessary part of the response. But it can't be the primary strategy when the attacks are designed to defeat it.

Traditional fraud tools can't solve it fully either

The other challenge with APP fraud: at the moment the transaction happens, everything looks legitimate.

The user is authenticated, on their device, at a trusted location. They initiated the transaction themselves.

Traditional fraud signals are built to catch unauthorized activity. The problem with APP fraud is that it's fully authorized. The legitimate user is the one pressing the button.

There are signals that can help. Is the user actively on a call? Are they sending money to a new payee? Is the transaction abnormally large compared to their usual behavior? These raise flags. But on their own, they don't confirm fraud. A lot of legitimate transactions look exactly the same.

The detection that actually works happens at the receiving end

All of those signals I mentioned matter. But the last mile is the most important.

The receiving account in an APP scam is almost always a mule account. If you can identify it as one, you can stop the transaction.

I've covered mule account detection in detail in earlier editions (one and two) of this newsletter.

We recently saw a case where 200 devices were connected to 4,500 accounts, all in a single apartment. That's a mule operation at scale. And it's only visible when you have the right signals in place.
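One way the device-to-account linkage in a case like this can be surfaced, as an added example that is not Incognia's code or part of the original newsletter: accounts and devices are grouped into connected clusters, and a cluster is flagged when many accounts share few devices at a single location. The event tuples, the `location_cell` field and both thresholds are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed thresholds for illustration only; tune against real traffic.
MIN_ACCOUNTS = 20            # accounts in one linked cluster
MIN_ACCOUNTS_PER_DEVICE = 5  # accounts per device within the cluster

def _find(parent, node):
    # Union-find root lookup with path halving.
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node

def mule_clusters(events, min_accounts=MIN_ACCOUNTS,
                  min_ratio=MIN_ACCOUNTS_PER_DEVICE):
    """events: list of (account_id, device_id, location_cell) tuples."""
    parent = {}
    for acct, dev, _cell in events:
        a, d = ("acct", acct), ("dev", dev)
        parent.setdefault(a, a)
        parent.setdefault(d, d)
        parent[_find(parent, a)] = _find(parent, d)  # link account to device
    clusters = defaultdict(lambda: {"accounts": set(), "devices": set(), "cells": set()})
    for acct, dev, cell in events:
        c = clusters[_find(parent, ("dev", dev))]
        c["accounts"].add(acct)
        c["devices"].add(dev)
        c["cells"].add(cell)
    # Flag clusters where many accounts share few devices at one location.
    return [c for c in clusters.values()
            if len(c["accounts"]) >= min_accounts
            and len(c["accounts"]) / len(c["devices"]) >= min_ratio
            and len(c["cells"]) == 1]

def sample_events():
    # Constructed data: a 40-account ring on 4 devices, one household, 10 ordinary users.
    events = []
    for i in range(40):
        events.append((f"ring-{i}", f"farm-dev-{i % 4}", "cell-A"))
        events.append((f"ring-{i}", f"farm-dev-{(i + 1) % 4}", "cell-A"))
    events += [("h1", "home-phone", "cell-B"), ("h2", "home-phone", "cell-B"),
               ("h2", "home-tablet", "cell-B"), ("h3", "home-tablet", "cell-B")]
    events += [(f"user-{i}", f"phone-{i}", f"cell-{i}") for i in range(10)]
    return events

if __name__ == "__main__":
    for c in mule_clusters(sample_events()):
        print(len(c["accounts"]), "accounts on", len(c["devices"]), "devices in", c["cells"])
```

The household sharing two devices across three accounts stays below both thresholds, which is the kind of legitimate overlap the ratio and cluster-size checks are there to leave alone.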

But here's the gap with APP fraud specifically: it involves at least two institutions. The sending bank and the receiving bank. One bank can see its own accounts, but it can't see whether the account on the other end has been flagged. If the sending bank could check that before the transaction goes through, the payment could be stopped.

FinCEN recently issued updated guidance encouraging financial institutions to share fraud-related information with each other under Section 314(b).

It’s good to see that the regulatory environment is moving in this direction. The question is whether institutions are set up to actually do it.

The way I see it: institutions need a way to share mule account flags without sharing PII.

I understand why data sharing has been a concern. No one wants customer information ending up in a competitor's hands. But a privacy-preserving approach removes that barrier entirely.

Instead of sharing personal information about the account holder, you share device-level signals. A persistent device ID that stays consistent across different applications can identify that a specific device is linked to fraud across multiple institutions. You don't need to know who the person is. You just need to know that the device and its behavior have been flagged elsewhere.

When you can identify a mule account on the receiving end before the funds move, it doesn't matter whether the user recognized the scam. The transaction gets stopped either way.

The end goal

Scam education is a necessary short-term measure. But it's not a long-term solution.

My goal is to help financial institutions reach a point where the technology protects users so well that education becomes a bonus, not a necessity.

Here's what I mean. If you replace OTPs with more secure technology, the fraudster can't say "you're going to receive a code, please tell me that code." That door is shut. The user doesn't need to recognize the scam because the attack vector doesn't exist anymore.

That's the direction we should be heading. Replace every vulnerable signal with something the attacker can't exploit. When the technology protects users regardless of whether they fall for the manipulation, education becomes a nice-to-have instead of the last line of defense.

What signals are you using today to catch APP fraud before the transaction goes through? Reply and let me know.