ADORASEC Insights

APP Fraud After PSR: Why Communication Evidence Now Matters

By Eren Bahadir Pehlivan, Founder of ADORASEC

June 2026


The UK’s approach to authorised push payment fraud has changed.

For years, much of the public conversation focused on whether victims should be reimbursed after being tricked into sending money to criminals. That question remains important. But since the introduction of the PSR reimbursement framework, another question has become harder for institutions to avoid:

What evidence can a firm show about the communications it sent before harm occurred?

In 2024, APP fraud losses in the UK remained at a highly significant level, with UK Finance reporting losses of £450.7 million. The PSR reimbursement framework, introduced in October 2024, has made prevention, evidence and institutional accountability much more closely connected.

This is not only a reimbursement question.

It is a communication question.

It is a consumer-understanding question.

It is an operational-evidence question.

When a customer is persuaded to act on a fraudulent instruction, the institution may need to understand more than the transaction itself. It may need to understand what the customer was told, how they were warned, whether the warning was meaningful, and whether the customer had a trustworthy route to respond.

That is where the communication layer starts to matter.


Reimbursement changed the risk conversation

The PSR reimbursement framework was designed to strengthen consumer protection, and rightly so. APP fraud can be devastating, especially when criminals exploit trust, urgency, vulnerability or institutional impersonation.

But reimbursement also changes the institutional conversation.

A firm can no longer think only in terms of detecting fraud at the transaction stage or reimbursing the customer after loss. It must also consider the quality and evidence of what happened before the transfer.

Was the customer communication clear?

Was it delivered through a channel the customer could safely trust?

Was there evidence of engagement or non-engagement?

Was the customer given a safer route to verify the message or instruction?

These questions sit at the intersection of fraud prevention, customer communication, operational controls and evidence.

In a post-PSR environment, prevention and evidence are no longer separate conversations.


The problem with “we sent a message”

Many institutions can prove that a message was sent.

That is not the same as proving that meaningful protection was provided.

A message sent through SMS may be technically logged as delivered by a provider. But the institution may still not know whether the customer read it, understood it, trusted it or ignored it.

The customer may have received similar messages from legitimate institutions and fraudsters alike. The message may have arrived late at night, during stress or at a moment when careful judgment was unlikely. It may have used urgency, warnings or instructions that resemble the very patterns scammers exploit.

This creates a difficult problem.

If a bank sends a warning through the same type of channel that fraudsters use to impersonate banks, the warning may be technically real but behaviourally confusing.

The issue is not whether institutions should warn customers. They should.

The issue is whether sending a warning through an unverifiable channel should be treated as enough.

A warning that cannot be safely authenticated by the customer is a weak form of protection. A warning that creates no reliable read or response record is also a weak form of evidence.


Consumer Duty makes the communication question sharper

The FCA Consumer Duty places importance on consumer understanding and good customer outcomes. In practice, communication cannot be treated as a box-ticking exercise.

A firm should not only ask whether information was sent. It should ask whether the communication was likely to support a customer in making an informed decision.

That matters in fraud contexts.

An urgent message may technically warn the customer while also reinforcing the behavioural pattern used by scammers: act now, trust this sender name, respond quickly, do not pause.

A stronger communication model should reduce that confusion.

For selected high-trust messages, institutions need a route where the user can recognise the sender as verified, the institution can record delivery and reading, and the customer can respond inside a controlled environment.

This is not only a technical improvement.

It is a consumer-understanding improvement.


What a verified communication layer changes

A verified institution-to-consumer communication layer changes the evidence model.

Instead of sending a high-trust message through a spoofable channel and hoping the customer interprets it correctly, a verified route can give institutions a controlled way to reach registered users and record what happens next.

In practical terms, this means a message can be created by an approved institution, routed through a controlled delivery layer and received inside a dedicated user application. The customer sees the institution, the message and any response options in one place. Where a response is required, a simple tap can record it.

The aim is not to make the user experience heavier.

The aim is to make the trusted action simpler.

For vulnerable, elderly or less technical users, this matters. A secure system that is difficult to understand will not protect the people who need it most. The user experience has to be simple enough to become a habit:

Important institutional messages should be checked in a verified place, not acted on through an unverifiable SMS.

A better system should not ask users to become fraud analysts.

It should give them a safer default.


Why SMS evidence is limited

SMS remains useful because it is familiar, low-friction and widely available.

But SMS was not built to provide institutional trust or auditability.

It does not reliably prove that the displayed sender is genuine. It does not provide a full read record. It does not provide structured response evidence. It does not give users a consistently safe place to verify high-trust messages. It can be imitated by criminals using similar language, urgency and sender presentation.

That does not mean SMS has no role.

It means SMS should not be the only route for messages where impersonation risk, customer vulnerability or evidential need is high.

Post-PSR, this distinction matters.

A firm may be able to show that it sent an SMS. But that may not answer the more important question:

Did the customer receive a clear, trustworthy and auditable communication that supported a safer decision?


Silence can be a signal

One of the most overlooked parts of communication evidence is non-response.

If a customer does not read or respond to an important notification, that should not be invisible. It may indicate that the customer is unavailable, disengaged, confused, vulnerable or potentially at risk. It may also indicate that a process should not continue without further checks.

In ordinary SMS communication, silence is often treated as absence of information.

In a verified communication layer, silence can become useful operational evidence.

A non-response can help an institution decide whether to pause, escalate, use another contact route or avoid assuming that the customer has understood the warning.

This is where communication evidence becomes more than a record.

It becomes a risk signal.


What better evidence should look like

A stronger institutional communication layer should generate evidence at the message level.

For each relevant notification, an institution should be able to show the verified sender, the message content, the recipient reference, the time sent, delivery status, read status, response status, selected response, non-response and the time between delivery, reading and response.

This kind of record does not eliminate fraud. No responsible system should claim that.

But it changes the evidential position. It gives institutions a clearer record of customer communication and gives users a safer route for messages that should not depend on unverifiable SMS.

It also allows institutions to distinguish between three very different situations:

A customer who received and understood a message.

A customer who received it but did not respond.

A customer who may never have meaningfully engaged with it at all.

Those distinctions matter.

They matter for fraud prevention.

They matter for customer support.

They matter for auditability.

And they matter for consumer protection.
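The message-level record and the three situations described above, as an added sketch that is not ADORASEC's code or schema. The field names, the state labels, the mapping of a recorded response to "received and understood", and the two-hour response window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(hours=2)  # assumption: the article gives no figure

@dataclass
class Evidence:  # hypothetical record; fields follow the list in the text
    verified_sender: str
    recipient_ref: str
    content: str
    sent_at: datetime
    delivered_at: Optional[datetime] = None
    read_at: Optional[datetime] = None
    responded_at: Optional[datetime] = None
    selected_response: Optional[str] = None

def consistent(ev):
    stamps = [ev.sent_at, ev.delivered_at, ev.read_at, ev.responded_at]
    present = [s for s in stamps if s is not None]
    in_sequence = stamps[:len(present)] == present  # no read without delivery, etc.
    paired = (ev.responded_at is None) == (ev.selected_response is None)
    return in_sequence and paired and present == sorted(present)

def classify(ev):
    """One of the three situations in the text, or a record that cannot be relied on."""
    if not consistent(ev):
        return "inconsistent_record"
    if ev.responded_at:
        return "responded"
    return "read_no_response" if ev.read_at else "no_meaningful_engagement"

def timings(ev):
    gap = lambda a, b: (b - a) if a and b else None
    return {"delivery_to_read": gap(ev.delivered_at, ev.read_at),
            "read_to_response": gap(ev.read_at, ev.responded_at),
            "delivery_to_response": gap(ev.delivered_at, ev.responded_at)}

# Silence as a signal: no usable response once the window has elapsed.
def needs_follow_up(ev, now):
    return classify(ev) != "responded" and now - ev.sent_at >= RESPONSE_WINDOW

# Constructed sample records, not real data.
T0, M = datetime(2026, 6, 1, 9, 0), timedelta(minutes=1)
SAMPLE = [
    Evidence("Example Bank", "cust-001", "Payment warning", T0, T0 + M, T0 + 3 * M, T0 + 4 * M, "not_me"),
    Evidence("Example Bank", "cust-002", "Payment warning", T0, T0 + M, T0 + 5 * M),
    Evidence("Example Bank", "cust-003", "Payment warning", T0, T0 + M),
]
```

A record whose timestamps are out of order, or that shows a read with no delivery, is reported as inconsistent rather than counted as engagement.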


The missing evidence layer

APP fraud is not only a transaction problem. It is often a persuasion problem.

That persuasion frequently begins before the payment instruction, inside a communication channel. If that channel cannot verify the sender, cannot reliably evidence reading and cannot record structured response, then the institution is missing an important part of the prevention picture.

The next phase of fraud prevention should not only ask:

Did we detect the fraud?

It should also ask:

Did we communicate in a way the customer could safely trust, and can we evidence that communication?

That is why communication evidence now matters.

In a post-PSR environment, institutions need more than warnings. They need trustworthy channels, clear user behaviour and records that show what happened before harm occurred.


ADORASEC is developing a verified institution-to-consumer communication layer designed to reduce reliance on spoofable SMS for selected high-trust messages. It supports verified institutional notifications, delivery/read/response evidence and simple user-facing trust signals.

For institutional, policy or pilot discussions: adorasec.com