Authorised Push Payment Fraud Is Hitting Singapore SMEs: How Should You Defend in 2026?

Authorised push payment (APP) fraud is fraud in which a staff member is socially engineered into sending money to an account the criminal controls, usually on the strength of an email or message that appears to come from a supplier or a director. It is a growing source of payment losses for Singapore SMEs in 2026. The most effective response is a layered control set: mandatory out-of-band call-back verification, to a number already on file, whenever a payee's bank details change; dual approval on the payee master file separate from dual approval on the payment itself; and routing known counterparties through PayNow Corporate so that unfamiliar destinations stand out as exceptions. None of these controls is expensive, but they require finance workflows to be redesigned around the assumption that any payment instruction could be fraudulent, a shift that catches many SMEs off guard.

What is authorised push payment fraud, and why is it spiking?

APP fraud differs from card fraud and account takeover in one critical respect: the payment is initiated by an authorised employee using legitimate credentials, not by the criminal. A finance executive receives an email or WhatsApp message that appears to come from the CEO, a known supplier, or the company's lawyer, asking for an urgent transfer or stating that bank details have changed. The employee logs in to corporate banking and pushes the payment. From the bank's perspective the transaction is fully authenticated and authorised; unless the amount or destination trips a bank-side rule, nothing distinguishes it from a routine supplier payment, and on instant rails the funds settle in seconds.

The category is rising because three trends converge. First, instant payment rails such as FAST, and PayNow which runs on it, settle in seconds and cannot be recalled once the funds are credited; the sending bank can only ask the receiving bank to freeze or return them, and by then the mule account is often empty. Second, generative AI has made impersonation cheap: voice clones of company directors and grammatically perfect email forgeries are now within reach of low-skill actors who would have struggled even two years ago. Third, supplier email compromise, where a real vendor's mailbox is taken over and used to send legitimate-looking invoices with altered bank details, has industrialised. The Monetary Authority of Singapore and the Association of Banks in Singapore have both flagged scam losses as a strategic concern, but the Shared Responsibility Framework addresses unauthorised transactions arising from phishing; a transfer that the victim's own staff authorised sits outside it.

How are Singapore SMEs being targeted specifically?

SMEs are attractive targets because they combine meaningful payment volumes with informal controls. A typical attack pattern in 2026 looks like this: an attacker compromises a supplier's email account weeks before striking, studies the invoicing cadence, and waits until a genuine invoice is in flight. They then send a follow-up from the real address noting "updated banking details due to an audit", sometimes attaching a forged DBS or OCBC bank letter for plausibility. Because the thread is real and the supplier relationship is established, the request clears most informal smell tests. It also clears the technical ones: mail sent from a genuinely compromised mailbox passes SPF, DKIM and DMARC, so email authentication offers no protection against this pattern and only out-of-band verification does.

A second pattern targets companies that have recently announced a leadership change, funding round or office move on LinkedIn. Attackers use that public context to send convincing CEO-impersonation requests to junior finance staff, often timed for a Friday afternoon or the eve of a public holiday, when the named executive is hardest to reach. A third pattern intercepts genuine cross-border payments to Malaysian, Indonesian or Vietnamese suppliers and substitutes the fraudster's beneficiary account at the moment the payment instructions are issued; because the currency, amount and invoice are all genuine, only the destination has changed.

Which controls actually prevent APP fraud at the SME scale?

Enterprise-grade fraud platforms are out of reach for most SMEs, but a small set of practical controls captures most of the value. The first is a written rule that any change to a payee's bank details, even a single digit, requires an outbound phone call to a number already held in the vendor master from onboarding, never the number printed on the invoice or quoted in the email requesting the change. The caller reads back the full new account number and records who was called, when, and on which number. An inbound call or voice note "from the supplier" confirming the change does not count; with voice cloning now cheap, only an outbound call to a known number verifies anything. This single control breaks the bank-detail substitution step on which supplier-impersonation attacks depend.

The second is dual control on the payee master file, treated separately from dual control on the payment itself. Most corporate banking platforms apply maker-checker workflow to transactions but treat payee setup as a lower-risk action. SMEs should invert this assumption: payee creation and amendment is more dangerous than payment release, because once a fraudulent payee exists, every subsequent invoice can route there silently for months. The two approver pairs should also be different people, so that a single compromised mailbox or banking session cannot both create a payee and pay it.

The third is an allow-list approach built on PayNow Corporate, in the spirit of positive pay. By registering known counterparties' UEN-linked PayNow handles in the vendor master, finance teams can route the bulk of recurring B2B payments through a channel where the destination resolves to a registered business identity rather than a raw account number: before confirming, the payer sees the entity name registered against that UEN and checks it against the vendor master, not against memory. Unfamiliar destinations then look exceptional rather than routine, and exceptions are exactly what humans review carefully.

How should finance teams redesign payment approval workflows?

The redesign starts by separating three flows that most SMEs collapse into one: invoice approval, payee setup, and payment release. Each should have its own approver pair and its own audit trail. Approval should happen in a system of record — accounting software or a dedicated AP automation layer — not in email or WhatsApp threads, both of which can be spoofed or compromised at the source.

Verbal call-back procedures should be documented and rehearsed. Staff often skip verification under deadline pressure, especially when a director is travelling. A written escalation path that lets staff delay a "CEO urgent" payment without career risk is itself a control, even though it never appears on an architecture diagram. Some SMEs add a 24-hour cooling-off rule for any first-time payee above a defined threshold (for example SGD 5,000 or SGD 10,000), which removes same-day loss exposure for exactly the payments a fraudster most needs to rush, without disrupting genuine supplier onboarding.
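The controls in this section and the previous one can be written down as a gate that an accounts-payable run must pass, which is the form they take once approval moves out of email and into a system of record. What follows is an added example written for this page; it is not code from the page, from any bank, or from any AP product. The data model, people, threshold, cooling-off window and sample vendor records are all constructed for illustration, and the PayNow name check is represented by comparing a displayed name against the vendor master rather than by a live lookup.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)      # assumed cooling-off window for first-time payees
FIRST_PAYEE_THRESHOLD_SGD = 5_000      # assumed threshold above which the window applies

@dataclass
class Payee:
    payee_id: str
    name: str
    account: str                       # bank account number, or UEN once on PayNow Corporate
    onboarding_phone: str              # captured at onboarding; the only number call-backs may use
    created_at: datetime
    paid_before: bool = False
    verified_uen: str | None = None    # set only after the PayNow name check matched
    change_approvers: frozenset = frozenset()

@dataclass
class BankDetailChange:
    payee_id: str
    new_account: str
    requested_by: str
    callback_number: str | None        # number actually dialled to verify the change
    callback_by: str | None
    approvers: tuple

@dataclass
class Payment:
    payee_id: str
    destination: str                   # account or UEN on the payment instruction itself
    amount_sgd: int
    approvers: tuple
    exception_override_by: str | None = None

def apply_bank_detail_change(master: dict, chg: BankDetailChange) -> list:
    """Amend a payee's bank details; returns rejection reasons (empty list means applied)."""
    payee = master[chg.payee_id]
    reasons = []
    if chg.callback_number != payee.onboarding_phone:
        reasons.append("call-back not made to the onboarding number")
    if chg.callback_by in (None, chg.requested_by):
        reasons.append("call-back must be made by someone other than the requester")
    approvers = set(chg.approvers)
    if len(approvers) < 2 or chg.requested_by in approvers:
        reasons.append("two distinct approvers required, neither of them the requester")
    if not reasons:                    # apply; a new destination must pass the name check again
        payee.account, payee.verified_uen = chg.new_account, None
        payee.change_approvers = frozenset(approvers)
    return reasons

def verify_paynow_name(payee: Payee, uen: str, displayed_name: str) -> bool:
    """Allow-list a payee only if the name PayNow displays for the UEN matches the vendor master."""
    if uen == payee.account and displayed_name.strip().lower() == payee.name.strip().lower():
        payee.verified_uen = uen
        return True
    return False

def release_decision(master: dict, pmt: Payment, now: datetime) -> tuple:
    """Gate one payment in the run; returns ('RELEASE' or 'HOLD', [reasons])."""
    payee = master[pmt.payee_id]
    holds = []
    if pmt.destination != payee.account:
        holds.append("instruction destination differs from vendor master")
    approvers = set(pmt.approvers)
    if len(approvers) < 2:
        holds.append("two distinct payment approvers required")
    if approvers & payee.change_approvers:
        holds.append("payment approver also approved the payee amendment")
    if (not payee.paid_before and pmt.amount_sgd >= FIRST_PAYEE_THRESHOLD_SGD
            and now - payee.created_at < COOLING_OFF):
        holds.append("first-time payee above threshold is inside the cooling-off window")
    if payee.verified_uen is None and pmt.exception_override_by is None:
        holds.append("destination not on verified PayNow allow-list; exception review required")
    return ("HOLD" if holds else "RELEASE"), holds

def run_sample() -> dict:
    """Constructed vendor master and one payment run; returns every decision for inspection."""
    now = datetime(2026, 3, 6, 15, 0)
    master = {
        "V001": Payee("V001", "Lim Packaging Pte Ltd", "201811111A", "+65 6000 0001", now - timedelta(days=400), True),
        "V002": Payee("V002", "Borneo Timber Sdn Bhd", "MY-ACC-7788", "+60 3 0000 0002", now - timedelta(days=200), True),
        "V003": Payee("V003", "New Fitout Contractor", "SG-ACC-0011", "+65 6000 0003", now - timedelta(hours=3)),
    }
    verify_paynow_name(master["V001"], "201811111A", "LIM PACKAGING PTE LTD")
    # Fraudulent change: number taken from the email, dialled by the requester; genuine change: a colleague dials the number on file.
    fraud = BankDetailChange("V002", "MY-ACC-9999", "alice", "+60 12 9999 999", "alice", ("bob", "carol"))
    legit = BankDetailChange("V002", "MY-ACC-8800", "alice", "+60 3 0000 0002", "dan", ("bob", "carol"))
    results = {"fraud_change": apply_bank_detail_change(master, fraud),
               "legit_change": apply_bank_detail_change(master, legit)}
    run = {
        "recurring_paynow": Payment("V001", "201811111A", 12_000, ("bob", "carol")),
        "amended_same_approvers": Payment("V002", "MY-ACC-8800", 30_000, ("bob", "carol"), "dan"),
        "amended_separate_approvers": Payment("V002", "MY-ACC-8800", 30_000, ("erin", "frank"), "dan"),
        "substituted_destination": Payment("V002", "MY-ACC-5555", 30_000, ("erin", "frank"), "dan"),
        "new_payee_same_day": Payment("V003", "SG-ACC-0011", 8_000, ("erin", "frank"), "dan"),
    }
    results.update({name: release_decision(master, p, now) for name, p in run.items()})
    return results
```

Call run_sample() and inspect the result: the change request whose call-back went to the number in the email is rejected with two reasons; the payment whose approvers were also the payee-change approvers is held; the instruction whose destination no longer matches the vendor master is held even though the payee was legitimately amended; and the first-time payee above the threshold waits out the cooling-off window. The point of writing the rules down this way is that they stop depending on whoever happens to be on duty on a Friday afternoon.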

What does the Shared Responsibility Framework mean for your SME?

The Shared Responsibility Framework, which took effect in December 2024, was designed for phishing scams: it allocates losses from unauthorised transactions between banks, telcos and the account holder according to whose anti-scam duties failed, with retail account holders chiefly in mind. An APP payment is by definition authorised, so it falls outside the framework regardless of who holds the account. In practical terms, if your finance team authorises a payment to a fraudster, your bank is unlikely to reimburse you, even if the receiving bank failed to spot the mule account. This makes prevention disproportionately important: the recovery path for SME APP losses is narrow, and once funds have been moved on from the first receiving account, particularly across borders, recovery is rare.

SMEs should respond by treating fraud cover and cyber insurance as serious line items, reading the social engineering exclusions carefully, and ensuring their internal controls match the warranties their policy assumes. Many SME cyber policies exclude losses from "voluntary parting of funds" — exactly the APP scenario — unless specific verification controls are documented and operating. Aligning your controls to your policy language is one of the cheapest forms of risk transfer available to a Singapore SME today.

Frequently asked questions

Does PayNow Corporate eliminate APP fraud risk?
No, but it narrows it meaningfully. Because a PayNow Corporate payment resolves a UEN to the business entity registered against it, and the payer sees that name before confirming, an attacker cannot quietly swap the beneficiary on an established counterparty by sending a new account number. Fraudsters can, however, register shell companies with valid UENs, sometimes under names close to a real supplier's, so the displayed name must be checked against the vendor master rather than by eye, and PayNow remains one layer in a defence stack rather than a complete solution.

Should SMEs report APP fraud to MAS or only the police?
Both, and call your bank first. Contact the bank's fraud line immediately so it can ask the receiving bank to freeze the funds; speed matters because mule accounts are often emptied within minutes. Then file a police report (online through the Singapore Police Force's e-services or at a police centre) and report the scam through ScamShield; the Anti-Scam Centre works with the banks to trace and freeze onward transfers. MAS does not investigate individual SME losses, but the reports banks file feed the regulatory picture that shapes sector-wide rules over time.

How much does it cost to implement these controls?
The core controls, call-back verification, separated approval flows and payee allow-listing, are process changes rather than software purchases, so the direct cost is low. The meaningful cost is training time and the modest friction added to payment runs. Against that, a single prevented transfer can exceed the entire cost of the redesign.
