Confirmation of Payee protects against authorised push payment scams by matching the payment recipient’s details with their bank. When there are discrepancies, the sender is alerted, and can stop the payment from going through.
This recently introduced regulation has helped protect more potential victims from the growing number of APP fraud attempts, but it’s not foolproof. In business settings, firms should apply controls and work with specialist software like Trustpair that goes beyond Confirmation of Payee in order to fully protect themselves against payment fraudsters.
Key Takeaways
- CoP works by verifying account name and number matches with recipient banks in real-time
- A CoP check reduces APP fraud by triggering friction in the payment process and warning the user of mismatched information
- Businesses can prevent APP scams by training their staff to spot suspicious activity, upgrading their internal controls, and introducing the segregation of duties
- Businesses can improve their protection against APP fraud by using software that consistently performs a payee check (verifies and monitors), rather than relying on a one-off check
How Does CoP Work With Account Details And Account Name?
Confirmation of Payee (CoP) works by checking the payee name against the registered or actual name on the correct account for a bank transfer payment, and some providers may also use extra details such as a middle name for matching. It matches the name of the account holder alongside details like their account type, sort code and account number in real-time, and in many banking apps these checks happen automatically before the user confirms they want to pay, instantly flagging if there has been a mismatch.
The payee service provides immediate feedback with possible responses: Match, Close Match, No Match, or Unavailable. The result is returned by the payee’s bank through secure API-based services used by financial institutions, and informs users about the validation status of the payment details.
In most retail customer cases, users will also receive a message with a warning against sending payments without a match. Since it was introduced to improve consumer protection, many UK financial institutions have been required to offer CoP as a mandatory measure, while smaller banks are also adopting the service.
If customers do choose to proceed with the new payee, they must usually check a box acknowledging the risk that they may lose their funds, and the bank may not be able to recover them. In the world of faster payments, unrecoverability is a real risk. CoP currently applies to UK-based accounts using Faster Payments and CHAPS, but not yet to direct debits or bulk payments.
However, corporate banking customers face stricter protocols, typically because the value of these transfers can be a lot higher than a regular payment. Of course, CoP applies to the business name rather than the individual’s name, because there’s no single ‘right person’. In some business account cases, customers can’t override the flag and must change the account details in order to send the payment, but this depends on the bank or building society’s own controls.
Sending money to the wrong account is not only frustrating, but it can lead to unnecessary costs for both the business and financial institution. Whether the mismatch is due to an innocent mistake like a typo, or an intentional fraudster, CoP exists to prevent misdirected payments. Since its UK launch in 2020, it has contributed to a 59% drop in incorrect account claims and a 20–40% reduction in losses for some fraud types.
How does CoP Reduce Authorised Push Payment (APP) Fraud?
The CoP service reduces authorised push payment (APP) fraud primarily by intercepting social engineering scams. In these cyberattacks, the perpetrator convinces the victim to voluntarily authorise a payment. This is often made possible through impersonation of a trusted colleague, a respected third party such as an IT service, or through pressure tactics so that the victim has no time to rationalise.
By verifying the payee details and flagging that they don’t match, CoP is effectively causing ‘positive friction’ in the payment process. It gives victims a chance to consider the legitimacy of the payment, and raises suspicions that may otherwise never surface.
When considering the measurable impact of this, the primary metric is whether the actual fraud goes down. In short: yes. A recent study found that risk-based language interventions combined with a call to action “reduced fraudulent payments by 82% relative to the control group”.
But there are some other important metrics to consider:
- Are real users still completing payments smoothly (is there a low or negligible false positive rate?)
- Are warnings causing confusion or friction?
The same paper reveals that the type of interventions introduced by CoP “reconfigure the decision environment at the moment of execution in a way that binds most strongly when decisions are made under manipulation and cognitive strain”. This suggests the infrastructure and flow are most effective at stopping fraudulent payments, while still allowing legitimate payments to continue without confusion.
What Are Some Practical Steps For Businesses To Prevent APP Scams?
There are several ways for businesses to prevent APP scams:
- Introduce the segregation of duties
- Strengthen internal controls
- Train staff to identify and act on suspicious activity
Segregation of duties
The single biggest point of failure in business APP scams is relying on one person’s authority to execute a mandate change or large payment. By introducing the segregation of duties (also known as the four eyes process), a second person is involved in the flow.
This prevents internal scammers from transferring money from the business to themselves, as it reduces the window of opportunity. Furthermore, it effectively doubles the chance to intercept the fraud or stop accidental payments, since a second person must approve the transaction without being affected by social engineering. APP scams often involve fraudsters impersonating suppliers or management teams to redirect payments, so requests should be verified thoroughly.
For example: to verify payment requests, staff should double check any new or amended payment instructions and contact details by calling a trusted source, rather than relying on the same message thread, to confirm the account belongs to the legitimate recipient before they pay.
Strengthen internal controls
Firms can establish internal policies where ‘no match’ payee name alerts:
a) cannot be bypassed, and
b) automatically trigger investigative action
By creating a system to ensure the vendor management team verifies the legal entity name with the supplier or payee’s bank, for example, organisations ensure the system is not left vulnerable or exposed to APP attacks, and keep their money safe.
Train staff to identify and act on suspicious activity
In business settings, most APP fraud involves fraudsters impersonating suppliers or senior management teams to redirect payments. Since these members of staff have authority in the business, criminals may spoof an email address and request urgent, confidential payments in an attempt to receive payment quickly without setting off flags.
But by training staff to spot these manipulation tactics, companies are far more likely to stop APP fraud attacks in their tracks. Best practice includes:
- Inspecting email addresses closely to spot spelling errors and small changes
- Taking a breath when immediate action is demanded
- Teaching staff not to bypass procedure even when secrecy is insisted on
- Asking staff to double check any request to change bank details before actioning it
Are There Account Changes In Confirmation Of Payee For Existing Payees?
One of the main drawbacks of CoP (and its EU counterpart, Verification of Payee) is that it doesn’t consistently re-check an existing payee when saved details are edited. It’s designed as a pre-payment check for a new payee’s account, with only a few exceptions where high-risk payments are re-checked for existing payees.
This represents a huge blind spot when making payments, and leaves businesses vulnerable to common types of fraud like APP and payment fraud. For example, in scenarios like invoice fraud, whereby fraudsters intercept your real vendor’s invoice and change the information, the risk is very real:
- The finance team has paid this supplier several times before, so they simply open the online banking app and use the existing saved payee
- They edit the saved details to match the updated invoice information, which can bypass a fresh check unless the bank treats it like a new setup, increasing the risk the payment goes to the wrong place despite looking like the correct account
- They send the payment, thinking it’s a legitimate payee
Unless the bank forces a full deletion and re-add, fraudsters continue to bypass CoP altogether and therefore leave the finance member unaware of the discrepancy.
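The no-bypass policy from the internal-controls section and the saved-payee gap described above, combined in one payment release gate. This is an added example, not Trustpair’s or any bank’s code: `gate_payment`, `fake_cop_lookup`, `REGISTRY` and the rule that Close Match and Unavailable results are held for call-back are assumptions, and the account data is constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# The four CoP responses named in the article.
MATCH, CLOSE_MATCH, NO_MATCH, UNAVAILABLE = "Match", "Close Match", "No Match", "Unavailable"

@dataclass
class Payee:
    name: str
    sort_code: str
    account_number: str
    verified_fp: Optional[str] = None  # digest of the details at the last Match

def fingerprint(p: Payee) -> str:
    raw = f"{p.name.strip().lower()}|{p.sort_code.replace('-', '')}|{p.account_number}"
    return hashlib.sha256(raw.encode()).hexdigest()

# Constructed sample registry standing in for the payee's bank (not real accounts).
REGISTRY = {("123456", "00012345"): "acme supplies ltd",
            ("654321", "00098765"): "j smith"}

def fake_cop_lookup(p: Payee) -> str:
    """Hypothetical stand-in for a CoP call; exact-name only, so never Close Match."""
    registered = REGISTRY.get((p.sort_code.replace("-", ""), p.account_number))
    if registered is None:
        return UNAVAILABLE
    return MATCH if registered == p.name.strip().lower() else NO_MATCH

def gate_payment(p: Payee, requester: str, approver: Optional[str], lookup=fake_cop_lookup):
    """Return (action, reason); action is RELEASE, HOLD or BLOCK."""
    if not approver or approver == requester:
        return "BLOCK", "second approver required"  # segregation of duties
    fp = fingerprint(p)
    edited = p.verified_fp is not None and p.verified_fp != fp
    result = lookup(p)  # checked on every payment, not only at payee setup
    if result == MATCH:
        p.verified_fp = fp
        return "RELEASE", "Match"
    note = "; saved details edited since last Match" if edited else ""
    if result == NO_MATCH:
        # No override path: the only exits are correcting the details or investigating.
        return "BLOCK", "No Match: open investigation" + note
    # Assumed policy: Close Match / Unavailable wait for call-back verification.
    return "HOLD", f"{result}: verify by call-back to a trusted contact" + note
```

Because the fingerprint is stored only on a Match, editing a saved payee's sort code or account number shows up as a changed payee in the block reason instead of passing as an already-trusted one.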
How Can Businesses Enhance Confirmation Of Payee (CoP) Integration for Improved Security?
For greater security, alongside introducing tighter internal controls, training staff to recognise signs of fraud, and segregating duties, businesses can partner with service providers like Trustpair.
Platforms like Trustpair go further to validate and monitor the legitimacy of payment details. In practice, this means checking account credentials against international databases in over 190 countries, making working with international suppliers 100% safe.
Vendor payments are automatically checked in advance, every time they are made, rather than a ‘set and forget’ process. This ensures, with greater confidence, that changes aren’t missed, and triggers automatic account protection measures in real-time to protect financial accounts until alerts are verified.
A recap of Confirmation of Payee
CoP matches names with account details in real-time, creating positive friction that breaks social engineering scams. Corporate clients face strict blocks based on bank controls, but a major blind spot exists because CoP does not consistently re-check existing payees when details are edited. That’s where Trustpair helps, verifying existing payees for every payment.