Why warnings aren’t enough to stop fraud

When Warnings Fall Flat

Why banks' soft prevention tactics rarely stop APP fraud—and what needs to change

Authorized Push Payment (APP) fraud is personal. It tricks real people into sending real money, often to scammers posing as banks, police, or loved ones. To fight it, many banks have turned to soft prevention methods: warning banners, pop-up messages, SMS alerts, and fraud education pages.

The idea is simple: catch the user’s attention just in time. Remind them what the bank would never do. Nudge them to stop and think before hitting "Send."

But here’s the catch. In the heat of a scam, these warnings often fail because the fraudster’s voice is louder.

What these messages look like

If you’ve made a bank transfer recently, you’ve likely seen one of these alerts.

Starling warns customers to “stop and take a moment” whenever money is involved. Revolut says it plainly: “If someone calls you out of the blue and it hasn't been flagged through the app, it’s a scam. No exceptions.”

HSBC tells users that “genuine organisations won’t ask for your online security details,” followed by a capitalized “STOP.” Most of these messages come with an exclamation icon or urgent tone—trying hard to cut through the noise.

The goal is always the same: remind users what a legitimate bank would never do and push them to act cautiously. The logic is sound, but in practice, these messages can feel more like decoration than defense.

Why they fail in the real world

Most scams aren’t about technology; they’re about emotion. The best warnings in the world don’t stand a chance if the customer is being told, in real time, by a scammer: “They’ll show you a warning, but it’s just standard. Ignore it.”

Fraudsters coach victims to expect alerts and dismiss them. Victims hear: “That message is part of our security check,” or “We have to trigger that popup to verify your identity.” It sounds official enough. And under pressure, people believe it.

Banner blindness is another issue. Over time, users learn to skim or close alerts without reading. If they’ve seen similar messages before, especially during legitimate activity, they stop noticing them at all.

Worse, people don’t expect to be scammed. They assume warnings are for someone else. So when a message pops up saying, “This could be fraud,” the instinct is to move past it—especially when the person on the phone sounds calm, professional, and in control.

The role of emotion and urgency

Scammers build pressure. They claim your money is at risk, that you must act now. They speak with authority. In that moment, the brain shifts into crisis mode—and any warning on the screen becomes background noise.

We've spoken to numerous victims of fraud over the years, and they all shared that they were simply going along with the artificial urgency of the situation.

Behavioral research backs this up. People ignore advice they don’t fully understand, especially when stressed. The human brain is built to resolve perceived danger quickly. If a scammer offers a way out, even if it’s fake, it often wins out over a vague warning.

Victims aren't careless. They’re caught in a well-rehearsed script that’s been refined by fraudsters to override rational thinking.

What regulators are saying

Regulators around the world are starting to acknowledge the limits of soft prevention.

In the UK, the Financial Conduct Authority (FCA) now expects firms to test warning messages—not just display them. They’ve said plainly that static alerts aren’t good enough. The Payment Systems Regulator (PSR) is going further, requiring banks to reimburse victims by default unless there's clear negligence.

In Australia, ASIC has pointed out the risks of “warning fatigue.” When every transaction comes with a pop-up, customers tune out. The European Banking Authority (EBA) is also urging stronger measures, noting that social engineering often bypasses standard security controls like passwords and OTPs.

Across all these regions, the message is clear: passive warnings aren't protection. Banks need to build active defenses into the transaction process.

Smarter friction, not just more friction

So what does real protection look like?

It starts with well-placed friction. Not every transaction needs extra steps—but risky ones do. If a customer is paying a new recipient, moving an unusually large amount, or sending money internationally, that’s a signal to slow things down.

In the UK, banks can now delay certain payments by up to four business days if fraud is suspected. That delay gives the bank a chance to step in—and gives the customer space to reconsider.

Adaptive authentication is another smart approach. If something feels off—device mismatch, strange behavior, or a flagged recipient—the bank can step in with a second verification step or a call from the fraud team. Not a generic warning, but a tailored intervention.

Some banks are also starting to share real-time fraud signals between institutions. If one bank sees an account being used in scams, others can block or delay payments to that account. It’s a system-level defense, not just a popup.
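One way to express the tiered friction described in this section as a decision function (an added example, not code from Enlace or any bank). The signal names, the "twice the usual maximum" threshold, and the 1-signal and 3-signal tiers are assumptions chosen for illustration; public holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Action(Enum):
    ALLOW = "allow"        # no extra friction
    STEP_UP = "step_up"    # second verification step or fraud-team call
    HOLD = "hold"          # delay the payment for review

@dataclass
class Payment:
    amount: float
    usual_max: float       # largest amount this customer normally sends
    new_payee: bool
    international: bool
    device_known: bool
    payee_flagged: bool    # payee account reported by another institution

MAX_HOLD_BUSINESS_DAYS = 4  # upper bound the article cites for UK delays

def risk_signals(p: Payment) -> list[str]:
    """Return the names of the risk signals present on this payment."""
    checks = {
        "new_payee": p.new_payee,
        "unusual_amount": p.amount > 2 * p.usual_max,  # assumed threshold
        "international": p.international,
        "device_mismatch": not p.device_known,
    }
    return [name for name, hit in checks.items() if hit]

def decide(p: Payment) -> Action:
    """Map signals to an intervention; a flagged payee always forces a hold."""
    if p.payee_flagged:
        return Action.HOLD
    n = len(risk_signals(p))
    if n >= 3:             # assumed tier: several signals together
        return Action.HOLD
    if n >= 1:             # assumed tier: any single signal
        return Action.STEP_UP
    return Action.ALLOW

def hold_deadline(start: date, days: int = MAX_HOLD_BUSINESS_DAYS) -> date:
    """Latest release date: `days` business days after `start`."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday to Friday only
            days -= 1
    return d
```

The point of the structure is that a routine payment returns `ALLOW` with no pop-up at all, so the interventions that do fire are rare enough to be noticed.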

The path forward

Soft prevention has its place. A well-timed message can help, especially when backed by education and trust. But on its own, it’s no longer enough.

Today’s fraudsters know the script better than most banks do. They know how to override alerts, coach victims, and manipulate urgency. Customers, meanwhile, are overloaded with warnings they barely notice.

To truly stop APP fraud, banks must move beyond the popup. That means detecting risks earlier, introducing smart friction where it counts, and designing systems that take responsibility for stopping fraud—not just warning about it.

The future of fraud prevention is proactive, adaptive, and integrated. Because by the time a banner tells someone to stop and think, it may already be too late.

Where Enlace fits in

At Enlace, we believe fraud prevention should be built into every step, not bolted on at the end.

Our platform brings together authentication, transaction monitoring, and behavioral risk scoring into a unified flow. That means fewer false alarms, smarter interventions, and less friction for legitimate users.

Instead of relying on static warnings, we help banks detect fraud patterns early—before money moves—and act fast when something’s wrong.



The insights in this post are based on industry research, conversations with banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.

TL;DR - Quick Summary

  • Most banks rely on pop-up warnings and banners to stop scams, but these often get ignored or dismissed.

  • Scammers know the playbook. They coach victims to expect warnings and explain them away.

  • People under pressure don’t read messages—they react. That’s why emotion often beats education.

  • Regulators are calling for stronger defenses, like payment delays, dynamic friction, and smarter risk checks.

Published on May 6, 2025

Ready to protect what matters?

Give your customers secure, seamless banking — with fraud protection that just works.
