Account takeover and authorised push payment (APP) fraud are often discussed together, but they sit on opposite sides of one line: authorisation. Understanding that difference is the key to deploying the right controls.
Two different attacks
- Account takeover (ATO): the fraudster gains control of the victim's account and moves money themselves. The victim never authorised it.
- APP fraud: the victim is manipulated into authorising the payment to the fraudster's account.
- Defences differ: ATO needs strong authentication and anomaly detection; APP fraud needs payee verification and clear warnings.
Authorisation is the dividing line
If the victim authorised the payment, it is APP fraud and payee verification is central. If they did not, it is account takeover and authentication is your first line of defence.
Where VoP adds value in both
Verification of Payee (VoP) is most powerful against APP fraud, where the destination name mismatch is the signal. But it also helps in ATO: even when a criminal controls the account, a payment to an unexpected payee can still be flagged as part of a layered defence.
Layering VoP into your stack
VoP is not a replacement for strong authentication — it is a complementary destination check. RoxPay's Verification of Payee slots alongside your existing controls so authorised and unauthorised fraud are both harder to pull off.