Account validation isn’t just a box to check for compliance—it’s the foundation of trust in the payments ecosystem. As credit-push fraud surges and financial institutions face pressure to safeguard transactions, account validation has become a frontline defense to avoid money being sent out of accounts through ACH credits, wires, cards, and other instant and digital payments. This year, Nacha will roll out new monitoring rules intended to reduce the incidence of successful ACH fraud attempts and improve the recovery of funds after frauds have occurred.

That shift is forcing financial institutions to think differently about how they validate accounts and stay a step ahead of fraud. In a PaymentsJournal webinar, Charles Ellert, Associate Managing Director of ACH Network Development at Nacha, and Hugh Thomas, Lead Analyst, Commercial and Enterprise at Javelin Strategy and Research, unpacked what’s changing and shared how Phixius—Nacha’s secure payment information network to mitigate payment risk and for enabling accuracy of payment routing—is evolving to help organizations strengthen their fraud defenses.

Why Credit Push Fraud Is Growing

With the growth in electronic payments, there has also been an increase in the number of credit-push fraud schemes, including a frightful rise in business email compromise attacks. Between 2022 and 2024, an estimated $8.5 billion was lost to this type of fraud, according to the FBI’s Internet Crime Complaint Center (IC3).

When this occurs, ACH originators may struggle to verify account details. “When I was on a corporate side, that was a constant worry,” said Ellert. “The teams would spend hours verifying account details just to make sure a payment landed in the right account. It slowed things down and added significant cost, but it was the only way to be safe.”

How Account Validation Can Help

A single wrong digit can send a payment astray. That’s why modern account validation methods have become so valuable. They transform a manual, error-prone process into one that’s secure, fast, and reliable.

Account validation helps keep payment processes secure in several key ways. By verifying accounts from the outset, it reduces the need for exceptions and rework. It also speeds up onboarding for new vendors and customers, since processors no longer have to wait for manual confirmations. Perhaps most importantly, it protects brand reputations by preventing misdirected or fraudulent payments before they happen.

Organizations are now using validation data to improve everything from payment analytics to customer experience. What began as a compliance exercise has evolved into a broader operational strategy—one focused on building trust into every transaction, rather than simply checking a box.

“I was persistently struck by the variety of different ways that this type of validation work has been attempted in the past, doing a penny test or mailing a check in,” said Thomas. “There is a certain consistency that is a very broad need among B2B payers.”

Enter Phixius

Many financial institutions are evaluating their existing controls and looking for ways to step up their operational readiness. Phixius, an API-based platform that facilitates secure data exchange between account validation requesters with data responders, is one option helping ODFIs support compliance efforts while improving efficiency and reducing fraud exposure. More than just a tool for meeting new requirements, it’s a way for banks to get ahead of them.

Phixius is designed to support account validation and other payment-related needs without requiring sensitive information to be stored or transmitted through traditional channels. It is a powerful tool for improving payment integrity and operational efficiency, especially as institutions prepare for the 2026 fraud monitoring rules.

Phixius acts as a bridge between data requesters and responders, helping organizations validate account details in real time. This reduces fraud risk and streamlines onboarding—eliminating the need for transactions or micro-deposits or having the customer share their check.

“It’s a kind of one-size-fits-all,” said Thomas. “It gets you hooked into all the places you want to be in terms of understanding who you’re paying, it’s a repeatable process, and because it’s an API driven process, it’s an embeddable process.”

Requesters are seeing reduced fraud exposure, faster onboarding, and fewer exceptions. By validating account information in real time, they’re improving operational efficiency and embedding trust into the payment process from the start.

“I spoke to a corporate just the other day who was facing leakage of benefit payments to some of their former employees,” said Ellert. “Because of that, they got a new email and changed their bank account. No one validated that account name match or was associated with it. That is something where Phixius can come in and help validate that the payment information is correct before you submit it.”

Phixius is also uniquely positioned to help organizations rethink how they assess transaction risk. Payroll disbursements, for example, carry far greater risk than a $20 monthly bill payment—and pulling funds involves a completely different risk calculation than pushing them.

There are still untapped repositories of account data that can inform better decision-making. Phixius allows institutions to incorporate these data sources into their risk signals, gaining deeper insight into where funds are going and how to manage risk more effectively.

“Let’s say you get one questionable response,” said Ellert. “If you’re sending a big amount of money, maybe you want to check two or three more of them, and build that into your risk profile.”

Preparing for the Future

Phixius is evolving to address the growing complexity of account validation and fraud prevention for ACH and other payment types. Its capabilities are expanding to support broader validation needs—from onboarding new customers and verifying account ownership to reducing exceptions in both B2B and B2C payments. It’s scaling to support more credentialed participants and to integrate more deeply with financial institutions and service providers.

Looking ahead, Phixius aims to deliver secure, real-time data exchange that helps participants stay ahead of compliance requirements while improving operational efficiency and trust in payment processing. For financial institutions, the imperative is clear: waiting on account validation is no longer an option.

“It’s foundational,” said Ellert. “Start now, evaluate your current processes, explore trusted platforms like Phixius, and position your organization to not just comply, but to lead.”

The post Inside the Battle Against Credit-Push Fraud: What’s Changing appeared first on PaymentsJournal.

Organizations once had the luxury of reviewing suspicious transactions prior to settlement and clawing them back after the fact. But as both payments and fraud have accelerated, financial institutions are increasingly being pushed to move fraud prevention earlier in the payments lifecycle—ideally before a transaction ever occurs.

In response, U.S. Federal Reserve Financial Services (FRFS)—which operates the FedNow instant payments system—is launching an API aimed at enhancing the security of instant payments. The goal is to provide financial institutions and payments service providers with insights derived from historical FedNow data and network intelligence, helping them determine whether to proceed with a transaction.

Alongside improved fraud detection, FedNow notes that these insights could also enable additional capabilities, such as delivering tailored messaging to users who are on the verge of initiating a high-risk payment.

“This network intelligence API is a step in the right direction,” said Jennifer Pitt, Senior Fraud Analyst at Javelin Strategy & Research. “Network intelligence is key to detecting fraud in real time, and it is key to identifying organized fraud rings. As fraudsters continue to skirt fraud flagging and reporting thresholds by spreading activity across institutions, network intelligence is a critical piece in identifying that behavior.”

The Two Elements

Two factors have allowed criminals to rapidly scale their efforts: technology and organization. Artificial intelligence has played a key role in supercharging fraudulent activity, and the threat is likely to intensify as cybercriminals experiment with frontier AI—cutting-edge models that stretch technological boundaries—to reduce the time, expense, and skill required to run fraud campaigns.

Compounding this issue, these campaigns are often carried out by organized fraud rings, which can amplify their impact. One example is a crypto investment scheme that allegedly defrauded victims of more than €700 million (roughly $817 million).

The Protections at Hand

Unfortunately, these fraud challenges are expected to grow as instant payment systems such as RTP and FedNow continues to surge. Both U.S. instant payment networks have recently reported record highs in transaction volume and value, and FedNow’s model could eventually expand globally.

In many cases, real-time payments are also irrevocable, and don’t offer recourse mechanisms like credit card chargebacks—protections that many consumers have come to rely on. As consumers increasingly expect both immediacy and safeguards, financial institutions are facing mounting pressure to adapt.

Despite these challenges, many financial institutions are still hesitant to fully leverage the fraud prevention tools already available to them.

“Participation in this FRFS network intelligence project is voluntary, that raises a question around adoption,” Pitt said. “Many banks do not fully use existing information-sharing frameworks like Section 314(b) of the USA PATRIOT Act, so it is fair to question whether they will adopt this. Some institutions point to lack of manpower and the fact that 314(b) is not real time.”

“This model may help address those concerns since the information is delivered automatically at the time a payment decision is being made, rather than requiring case-by-case outreach,” she said.

Only Part of the Picture

Another longstanding barrier is financial institutions’ reluctance to share data due to privacy and competitive concerns. The International Monetary Fund has implored banks to reconsider this stance, warning that a fragmented view of fraud is undermining their ability to respond effectively.

This view is echoed by the Global Anti-Scam Alliance, which recently partnered with OpenAI to launch scam.org, a platform offering resources for scam education, reporting, prevention, and victim support. The initiative aims to provide a centralized hub where industry participants can begin building a more standardized response to escalating scams.

Despite growing calls for industry-wide collaboration, progress will require buy-in. It remains to be seen whether tools like the FedNow API will be compelling enough to bring organizations off the sidelines.

“Even though the data is abstracted and network-derived, participation still requires a level of comfort with contributing to and using shared intelligence,” Pitt said. “For some organizations, that hesitation will remain.”

“Another limitation of the FRFS network intelligence mod is that the intelligence is focused on the receiving account,” she said. “That means participating organizations still do not have the full picture of the transaction or the parties involved.  What is ultimately needed is a more complete view of both the sender and receiver, including historical and current information about the transaction, device, and account behavior. Without that, organizations are still making decisions with only part of the picture.”

The post Stopping Fraud in Real-Time Payments Before It Starts appeared first on PaymentsJournal.

Not long ago, fraud teams could keep pace by reviewing incidents one by one. That era is ending. Armed with artificial intelligence and cloud-scale infrastructure, today’s cybercriminals operate faster, more broadly, and with far greater sophistication than ever before.

The rise of agentic commerce will only intensify these challenges, in part because it upends a longstanding assumption in fraud prevention: that bot traffic is inherently suspicious. In a world where legitimate transactions may be initiated by AI agents, that distinction becomes far less clear.

In a recent PaymentsJournal podcast, AtData’s Diarmuid Thoma, Head of Fraud and Data Strategy, and Brandt Hoffman, Sales Director, Fraud Services, along with Jennifer Pitt, Senior Fraud Management Analyst at Javelin Strategy & Research, discussed how these shifts are dramatically impacting payments risk.

At the center of this transformation is a simple but growing imperative—organizations must know, with confidence, who (or what) is on the other end of every transaction. Achieving this now requires systems capable of analyzing and contextualizing vast, dynamic data streams in real time.

The Outputs of Scalability

Historically, many fraud attacks were treated as isolated events, leading financial institutions to adopt a reactive, situational approach. However, there are often patterns that emerge when these incidents are viewed collectively. Recognizing and operationalizing those patterns is critical.

“From a law enforcement perspective, I remember a mail theft case that I investigated,” Pitt said. “We conducted a search warrant on the suspect’s home and found bags of open and unopened mail. We also found stacks of paper that contained full personally identifiable information—name, date of birth, Social Security number, next of kin, last known addresses—you name it, he had it.”

“We searched his phone and his computer, and we were able to see that he was connected with several other suspects that we were already investigating,” she said. “What we uncovered was this hierarchical organized crime ring where there ended up being more sophisticated identity theft and other crimes. If we were just looking at one of those players or incidents, we wouldn’t have seen this whole organized crime ring.”

While traditional vectors like mail fraud persist, the digital landscape has allowed bad actors to expand their reach exponentially. Technologies such as AI and cloud computing have supercharged criminal capabilities faster than most organizations can evolve their defenses.

Beyond just deploying generative AI to create more convincing impostor sites and deepfakes, bad actors can now deploy AI agents to autonomously carry out widescale fraud campaigns. For example, agentic AI has been used in a technique where email addresses are rapidly and sequentially created for use in fraudulent activities.

“We see thousands and thousands of them every day, where we see sequential types of emails created and they’re not necessarily in one client,’” Thoma said. “Somebody’s using an email over here to create a bank account and going and buying a pair of sneakers over there.”

“Individually, it looks fine; there’s nothing wrong there,” he said. “At a platform level, we see the cumulative effect. It’s a simplistic example, but that type of behavior is a direct output of the scalability of fraud.”

Distinguishing Malicious Automation

Given agentic AI’s potential to amplify fraud across every channel, the emergence of agentic commerce presents unique challenges for fraud prevention teams.

Many of the open questions around agentic transactions center on authorization. In the conventional e-commerce model, the shopper selects items, completes verification, and explicitly authorizes the purchase. When an AI agent acts as the consumer’s proxy, however, new gray areas emerge.

“What happens in a chargeback scenario?” Thoma said. “The industry hasn’t got all the answers on that. It’ll slowly emerge, but one of the things that won’t change is history. It’s still you buying it. Especially for physical goods, it’s going to your physical location, it’s going to your name, and it’s probably using your e-mail address to confirm all the details. There’s still a lot of information, even in the agentic world, that’s going to be coming through.”

This means that one of the most important considerations for fraud prevention will be the user’s history. Fortunately, this data is already present for many consumers. For example, the organization can confirm the age of an email address, whether it has been actively used, and if there are any red flags associated with it.

This historical data becomes a critical point of continuity as organizations design fraud strategies for agentic commerce.

“It was always, ‘Let’s look at the negative aspects of what this transaction could present,’” Hoffman said. “Now, we have to be cognizant to bring in those positive signals. What are the good signals that we can lean on? What allows us to interpret or infer more quickly? How do we start to identify what it means to be a positive bot, or to be a good transaction along the line?”

A Timeline Event

To act on these signals effectively, teams must start from an accurate baseline. A core lesson from AI is that models are only as strong as the data that feeds them. Just as importantly, that data must remain current, especially as consumers’ digital footprints continue to expand.

“Many still look at data like it’s a credit report, where it’s a static thing that you see in a piece of paper and that’s it,” Thoma said. “It’s not. It’s a timeline event. If you think about when you were 20 to now, you’ve had different addresses, you’ve had different IPs and different devices. Your name may have changed for different reasons, and your email probably changed one or two times.”

“Your profile naturally evolves, so the importance of the data quality and the skill in the overlaying models is to know when that change is abnormal versus normal,” he said.

A practical way to evaluate changes in a user profile is through percentage-based shifts. Significant or rapid deviations across key attributes may indicate potential account compromise.

Similarly, the repeated use of a single element across multiple account creation attempts can signal synthetic identity activity, where bad actors combine real and fabricated information.

“We commonly see that, and its behavior that is distinctly different from somebody who’s just moved addresses,” Thoma said. “Yes, they’ve moved addresses, but a lot of the time when people move, they only move a couple of blocks down. There’s continuity in that profile, where we can still say that even though the profile has changed, it’s still fine.”

“That’s a broad example of how important it is to have that data quality,” he said. “Because if you don’t have fresh data to reference, the timeline to reference back further, you can’t say, ‘This is normal behavior for them or not.’ That’s how important it is.”

Data for the Whole Organization

The growing emphasis on identity verification is driving a widescale shift in how financial institutions approach fraud prevention. Yet opportunities remain to break down data siloes and improve visibility across systems.

“We are seeing some evolution in the ability for payments teams and fraud teams to come together quicker,” Hoffman said. “Payments teams are very focused on the transaction and what it means to bring that revenue in. There still is some hesitation for the fraud teams and the payments teams to merge together.”

“In the most advanced organizations that I work with, those two functions are working hand-in-hand,” he said. “They know exactly what’s going on from a payments perspective and how that affects the flow of fraud.”

The pace and complexity of the threat landscape demand more sophisticated infrastructure. Modern fraud prevention solutions rely on graph-based methods to map relationships between entities—sometimes referred to as fraud topology or halos.

These topology-aware systems can enhance detection accuracy while reducing costly false positives. They also enable organizations to apply the right level of friction within the customer journey, including step-up authentication when warranted.

While designed for fraud prevention, the benefits of these capabilities often extend well beyond risk teams, strengthening decision-making and operational efficiency across the entire organization.

“The data is customer data; it has huge amounts of value,” Thoma said. “You’re seeing their geolocation, behavior, age demographics—all that stuff is extremely important for the business, not just for the fraud team. Everybody thinks that’s a lot of money for fraud prevention, but it becomes very cheap because you’re splitting that into multiple budgets.”

“The marketing team can use it for targeted products, and you can increase conversions,” he said. “It doesn’t have to be fraud data, it’s company data for all divisions of that business to use.”

The post As Fraud and Agentic Risks Mount, Data Provides Continuity appeared first on PaymentsJournal.

The International Monetary Fund is urging banks to rethink a long-standing taboo in financial crime prevention—how much data they are willing to share with one another. In a new Technical Note, it argues that fragmented information is weakening the fight against AI-enabled fraud. combine data of their own, urging a shift in strategy toward sharing private information among financial institutions.

Released during the 2026 Spring Meetings of the IMF, the Technical Note focuses on how financial institutions can respond more proactively to digital fraud. The paper argues that efforts to combat such fraud have been hindered banks’ reluctance to share threat data, both domestically and internationally.

AI has become a boon for criminals, enabling them to aggregate vast amounts of data to fuel increasingly sophisticated attacks. In response, the IMF is urging banks to adopt a more collaborative approach—particularly by sharing more transactional and threat data cross institutions.

Importantly, the report cautions that new technology alone is not a silver bullet, warning against solutions deployed without clear use cases. Instead, it recommends robust data-sharing practices, especially around transaction records, to strengthen the collective ability of FIs to detect, prevent, and mitigate illicit finance activity.

More Data, More Value

AI and machine learning are highly effective at detecting transactional anomalies, but their performance depends on access to large, diverse datasets. When models operate in fragmented data environments, their insights are inherently limited. The Technical Note identifies these siloed data architectures as the primary obstacle in the fight against fraud.

By contrast, AI tools perform more effectively in integrated systems built on shared datasets, enabled by application programming interfaces (APIs) and common standards such as ISO 20022. The IMF highlights APIs, standardized data formats, and interoperability frameworks as essential to fostering meaningful data exchange across institutions.

Breaking Down the Silos

Banks have good reasons to resist data sharing, including competitive concerns and regulatory constraints. However, as fraud networks become more sophisticated and globally connected, greater transparency and collaboration could strengthen the financial system’s ability to detect and prevent illicit activity.

“Data sharing and collaboration is a long-standing issue within financial institutions, not even just between banks, but between lines of business within the same organization,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “A financial institution may detect the signals needed to stop fraud on a customer’s credit card, but they may not be sharing the critical risk signals and emerging threat trends to stop fraud on that same customer’s debit account. These silos are preventing banks from accessing the critical data needed to keep up with fraudsters, especially as AI evolves and is adopted by fraudsters.”

The post The IMF’s Warning to Banks: Share Data to Beat AI Fraud appeared first on PaymentsJournal.

Organizations have begun to cede ground in the fight against AI-driven fraud, in part because bad actors have the freedom to experiment with and deploy artificial intelligence without the regulatory or organizational constraints that govern legitimate institutions.

This allows cybercriminals to rapidly adopt frontier AI—cutting-edge models that stretch the technology’s capabilities in areas such as reasoning and coding. These emerging systems are not only more powerful, but they can also significantly reduce the time, expense, and skill required to perpetrate sophisticated fraud campaigns.

IBM recently highlighted this trend with the launch of an enhanced set of cybersecurity capabilities. As cybercriminal operations increasingly rely on autonomous agents, the company  noted that fraud defenses must adopt a similar playbook.

To this end, IBM will launch two cybersecurity tools. The first is an assessment solution designed to evaluate an organization’s defenses for vulnerabilities to agentic threats and other security gaps. The second is an agentic service that deploys multiple AI agents to automate fraud detection, enforce organizational policies, and address any cybersecurity deficiencies.

A Pressing Need

Unfortunately, there is a pressing need for stronger fraud defenses. The FBI’s annual Internet Crime Report found that both fraud losses and complaints reached all-time highs last year. For the first time, the bureau also measured the impact of artificial intelligence on fraud, finding that AI-related threats accounted for 22,364 complaints and nearly $893 million in losses.

Equally concerning, data from the Association of Certified Fraud Examiners and SAS indicates that bad actors are increasing their use of AI across nearly every stage of their operations. In particular, the study found that AI’s ability to generate highly convincing images, audio, and video has contributed to a rise in deepfake scams.

Devastating if Weaponized

More concerning still, the ACFE/SAS report suggests that some bad actors are already experimenting with quantum-enhanced AI. Quantum computing represents a significant leap beyond conventional systems, and integrating AI with quantum architectures could hypothetically make these models far more efficient. While this evolution could transform many industries for the better, it could also be highly destructive if weaponized.

For example, Google researchers have conducted quantum computing experiments suggesting that more advanced systems could potentially break widely used cryptographic methods underlying cryptocurrency security—systems long considered rock solid—far more quickly than previously estimated.

If quantum computing can compromise digital asset safeguards, it could pose serious risks to the broader financial services industry.

“We’re close to where quantum computing is going to break encryption,” Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, told PaymentsJournal. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”

“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”

Finding Inventive Implementations

These trends carry significant implications for the financial services sector, where banks and credit unions operate under strict regulation and a strong mandate to protect customers. As a result, many institutions have been cautious about adopting new technologies that could introduce additional risk.

While this caution is understandable, resistance to technological innovation has also created cybersecurity gaps. Addressing these vulnerabilities will require not only greater adoption of emerging technologies, but also a fundamental rethinking of cybersecurity strategies across the industry.

“Bad actors can adopt those technologies quickly, and they’re incredibly creative,” said Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, in a recent PaymentsJournal podcast. “I don’t want to give them applause for that, but they’re incredibly inventive in the way that they take risks to use new technology. It’s difficult for FIs to keep pace when it comes to the adoption of any innovation.”

“It’s no surprise that AI is a problem for criminal manipulation,” she said. “But we also know that it’s a huge asset for financial services that they could make great use of in terms of automating certain aspects of the customer experience. Or even the employee experience, for things that maybe used to be a manual review of transactions, or typical tasks that were completed during fraud investigations.”

The post Cybersecurity Must Evolve as Frontier AI Fuels New Fraud Risks appeared first on PaymentsJournal.

Deutsche Boerse is deepening its push into digital assets with a $200 million investment in Kraken, expanding its partnership with the crypto exchange and underscoring Wall Street-style interest in crypto infrastructure.

The investment represents a strengthening of the partnership the two firms established late last year. The objective was to collaborate on areas like regulated crypto ventures and tokenized equities, as well as to improve cross-border liquidity for institutional clients.

This partnership exemplifies one of the key trends in the payments industry in recent years: traditional financial companies investing in digital assets technologies. That trend has shown no signs of slowing, as evidenced by Charles Schwab’s recent foray into crypto trading and Mastercard’s acquisition of stablecoin firm BVNK.

Growing institutional confidence in the crypto industry is also one of the main reasons Kraken secured a landmark “skinny” master account with the U.S. Federal Reserve.

“These stories show Kraken is moving closer to the center of institutional market structure,” said Joel Hugentobler, Cryptocurrency Analyst at Javelin Strategy & Research. “Deutsche Boerse’s investment says major financial infrastructure players view crypto exchanges as strategic distribution and liquidity partners—not just a side bet.”

“Crypto and Kraken is entering a new spotlight here,” he said. “They must prove they can plug into traditional and sovereign infrastructure, such as Kraken’s tier 3 skinny account, while also proving they can withstand risks that come with scale.”

An Unwelcome Trend

Alongside this surge in institutional interest, however, has come another, far more unwelcome trend—a spike in cyberattacks. Kraken recently said it is being extorted by a group of bad actors who gained access to proprietary data by tricking two of the company’s staff members. The firm said it received videos purportedly showing Kraken’s internal systems with customer information visible.

The crypto exchange confirmed two instances of inappropriate access but noted that its core systems were never breached and customer funds were never at risk. Roughly 2,000 accounts may have been viewed.

The Human Layer

The decentralized and often anonymous nature of digital assets has made exchanges and users frequent targets for cybercriminals, include everything from crypto investment scams to credential theft.

The incident at Kraken also reflects another concerning trend where bad actors target an organization’s employees or contractors and attempt to bribe or manipulate them into sharing proprietary data.

Coinbase faced a similar attack last year that resulted in stolen customer data and roughly $400 million in damages. The incident occurred after a criminal ring bribed the crypto exchange’s overseas contractors into releasing customer information.

“The extortion incident is a reminder that as crypto moves up-market, the real test is the human layer,” Hugentobler said. “The custody, trading, and tech has proven itself to work, so the question becomes, ‘Are there systems and procedures in place to limit damage caused by any human, whether it is internal or external, so they can gain institutional trust?”

The post Kraken’s Success Attracts Institutional Investment, Cyber Threats appeared first on PaymentsJournal.

As India’s leading instant payments system scales new heights, it’s also becoming a bigger target for fraud—prompting the Reserve Bank of India (RBI) to consider slowing down transactions in the name of security.

The proposed measure includes a one-hour delay for peer-to-peer (P2P) transactions exceeding 10,000 rupees (roughly $100).

The delay specifically targets authorized push payment (APP) frauds, in which users are tricked into transferring money to criminals under false pretenses. India has seen a sharp rise in such cases in recent years, with reported losses increasing significantly between 2021 and 2025. Real-time payment systems like the United Payments Interface (UPI) have been linked to a large majority of authorized push payment-related losses.

“The delay can be key to giving banks time to investigate a transaction and determine its legitimacy when there is suspected fraud or social engineering,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “It also provides consumers with a second chance to stop and think. That delay can be critical in letting the fog clear for consumers who may have been questioning the transaction but felt pressured to complete it while in contact with the fraudster.”

Additional Transaction Limits

UPI has become a dominant force in global instant payments, accounting for more than four out five real-time transactions worldwide. Retail transactions on UPI have skyrocketed, rising from around $77 million in FY22 to roughly $2.39 billion in FY2500—reflecting both widespread adoption and the growing shift toward digital payments.

The proposed delay would apply only to P2P transfers; merchant payments would remain instant. The RBI has also suggested introducing an additional authentication layer for transactions above 50,000 rupees, potentially requiring verification through a trusted contact. Additionally, certain bank accounts could face limits on incoming funds unless they undergo further due diligence.

Other Approaches to the Problem

This isn’t RBI’s first attempt to combat APP fraud. Last year, regulators introduced measures, such as biometric authentication, often linked to Aadhaar, India’s national digital identity program.

Globally, other P2P platforms have taken different approaches to tackling APP fraud. For example, JPMorgan Chase has implemented safeguards on its Zelle network, including canceling certain payments flagged as high risk, such as those associated with suspected scam activity originating on social media.

The post To Fight Fraud, India Proposes a One-Hour Delay on Some P2P Payments appeared first on PaymentsJournal.

When a shopper is tricked into making a fraudulent purchase, they expect recourse from their financial services provider. These guardrails are one of the reasons credit cards have become predominant in the U.S.—not only can consumers dispute charges after the fact, but many issuers proactively alert users when suspicious activity occurs.

Similar protections exist for ACH payments, but they are largely a function of the lag between payment initiation and settlement. With real-time payments, such as those facilitated by FedNow and the RTP network, this buffer disappears.

As both systems gain traction, particularly in B2B use cases, fraud prevention strategies must evolve to address payments that are instant and irreversible.

In a recent PaymentsJournal podcast, Darren Beyer, Chief Product Officer at Qolo, and Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, discussed how the convergence of faster payments and increasingly sophisticated fraud is fueling a full-scale redesign of fraud prevention architecture. It has also placed a demanding onus on financial institutions to implement highly precise risk controls while preserving the customer experience.

The Window Is Closing

As faster payments erode the traditional safety net around transactions, institutions must shift fraud detection to earlier stages of the payment process. In the past, organizations benefited from extended review periods, during which funds could be reversed if necessary. That capability is quickly becoming a thing of the past.

“In the world of instant payments, specifically around RTP and FedNow, you’ve got an instantaneous movement and settlement of money. And that’s where the problem lies, because there’s no longer time to pull this stuff back,” Beyer said. “There’s no window where you have an ability to say, ‘I really didn’t mean to send it’ or ‘I fat-fingered this particular account number.’”

“With that gone, it’s less of an opportunity for the people sending payments to fix problems, and that opens the window for fraudsters,” he said.

In this environment, striking the right balance between strong fraud prevention and a seamless customer experience is difficult, especially given the high expectations shaped by card and ACH transactions.

These challenges are accelerating the need for real-time decisioning, where firms analyze multiple data points to assess payment risk before processing. However, achieving high decision accuracy will likely require introducing some level of friction. While this may feel new in the context of real-time payments, methods like multi-factor authentication are already familiar to both banks and customers.

“Every time I log into YouTube, I get a six-digit one-time passcode,” Beyer said. “If I have to do that for YouTube, why is my financial institution not making me do that? They do when I log in, but if I’m doing a big payment out, shouldn’t the same thing be happening? Isn’t the ‘friction’ of getting a one-time passcode worth the extra two or three seconds it takes to put that into the website? I think the answer is yes.”

The challenge lies in applying the right amount of friction in an emerging payments model. This is where step-up authentication plays a key role. It allows institutions to adjust controls, enabling low-risk payments to proceed smoothly while subjecting higher-risk transactions to greater scrutiny.

Even so, introducing any friction into the customer journey can raise concerns for financial institutions.

“There has been an assumption that strong security will ruin the customer experience, but Javelin has found that good security can improve trust and adoption of certain payment channels and methods and new technologies,” Sando said. “Consumers and businesses want to know that their accounts and their money is protected and that they can trust the institution and the organizations that they choose to do business with.”

The Widening Technology Gap

Implementing safeguards that remain invisible to legitimate users yet highly effective against bad actors is no small feat, but the tools to optimize this balance are rapidly improving.

Artificial intelligence has been instrumental in advancing these capabilities, as it has across nearly every sector. However, many financial institutions have lagged in adopting these technologies.

“This is a scenario where it’s so rapidly changing the industry but the traditional players—processors and banks who are operating under a regulatory environment and are operating under an environment where you can’t inhibit people from getting access to their money—they have all these constraints,” Beyer said. “Fraudsters don’t, and they can just start playing with all these great new AI tools.”

“There’s always been a gap,” he said. “Fraudsters have always been ahead of the financial institutions and the processors, and the reason for that is they’re more nimble; they’re able to get things done quicker. If you didn’t have that gap, you wouldn’t have fraud.”

Unfortunately, this gap is not only persistent but widening. Rapid advancements in generative AI and the emergence of AI agents have enabled cybercriminals to scale both the speed and scope of their attacks.

“Bad actors can adopt those technologies quickly, and they’re incredibly creative. I don’t want to give them applause for that, but they’re incredibly inventive in the way that they take risks to use new technology,” Sando said. “It’s difficult for FIs to keep pace when it comes to the adoption of any innovation.”

“It’s no surprise that AI is a problem for criminal manipulation,” she said. “But we also know that it’s a huge asset for financial services that they could make great use of in terms of automating certain aspects of the customer experience. Or even the employee experience, for things that maybe used to be a manual review of transactions, or typical tasks that were completed during fraud investigations.”

Buttressing the System

AI has quickly become central to modern fraud defenses, given its ability to detect anomalies across massive datasets. However, the rise of real-time payments is fueling the demand for intelligent infrastructure that can function as an authentication layer within the payment flow.

This is especially critical in commercial environments, where overly restrictive controls can lead to false declines or delays—issues that can quickly escalate into serious operational and reputational damage.

Ultimately, faster payments are not just driving the need for better technology, they are forcing financial institutions to rethink their entire approach to fraud prevention.

“The organizations that are succeeding in instant payments are going to be the ones that can make the competent decisions on risk just as quickly as that money is moving in that real-time setting,” Sando said. “Fraud detection isn’t just this back-office function anymore, that just happens in the background without real knowledge of it. You have to highlight fraud detection because it’s now a critical piece of the payment experience.”

This shift in mindset is essential. The fraud threat is not going away, but institutions can take advantage of one constant: the pursuit of easy money often leads criminals down the path of least resistance.

“Fraudsters are always going to find a way, but they are fundamentally no different than anybody else in business,” Beyer said. “They have an ROI, their time is valuable, and they’re going to go where they can make the most out of their time. If your bank or your processor is tougher to get through than your neighbor’s bank or processor, they’re going to go to your neighbor.”

“Make your buttress, your fortress, your castle gate—all the armor that you’re going to put around your system. Make that better than your competition and they’re going to go to your competition,” he said. “You’re never going to get a 100% fraud-proof system. Fraudsters will always be ahead, but if you can make yourself better than the people around you, then you’re not going to be the target, they are.”

The post Instant, Irrevocable Payments Demand a Fraud Prevention Reboot appeared first on PaymentsJournal.

There has been little respite from the relentless onslaught of fraud in recent years—and there are few signs of it slowing down.

The FBI’s annual Internet Crime Report found that Americans lost nearly $21 billion last year, soaring to an all-time high. At the same time, the Internet Crime Complaint Center (IC3) received 1,008,597 complaints, a 17.3% increase year-over-year.

Perennial threats like phishing, extortion, and investment schemes were the most frequently reported complaints. However, the greatest financial losses stemmed from cryptocurrency investment scams, where 181,565 complaints resulted in more than $11 billion in losses.

These scams have evolved into big business for criminal organizations. For example, a multi-jurisdictional initiative led by Europol recently shut down a syndicate operating a network of fraudulent cryptocurrency investment platforms promising high returns.

These websites defrauded thousands of victims, with the group allegedly generating and laundering more than €700 million (roughly $817 million).

Who Can You Trust?

For the first time in its roughly 25-year history, the FBI’s report included a section on artificial intelligence. Initial findings show that AI-related threats accounted for 22,364 complaints and nearly $893 million in losses.

Given the novelty of this category, these figures likely understate AI’s true impact, as it has rapidly become embedded in nearly every facet of fraud operations—from generating convincing deepfakes to amplifying campaigns through AI-driven agents.

There is also emerging evidence that bad actors are experimenting with the convergence of quantum computing and AI—a development that could exponentially increase the scale and sophistication of cybercrime.

“Using AI, things have gotten so complicated that you can’t tell what’s real and what’s fake,” said Suzanne Sando, Lead Fraud Analyst at Javelin Strategy & Research. “We’re hearing from a lot of consumers through our fraud survey who, when they receive a legitimate fraud alert from their bank, they don’t even trust that communication. Many of them don’t even take action on those fraud alerts, which is a huge red flag.”

“If you can’t even trust communication that is purported to come from your bank trying to stop fraud, what can you trust?” she said.

Stop and Scrutinize

As these threats grow harder to detect, the FBI urges consumers and businesses to “take a beat,” to pause and carefully scrutinize any unsolicited message.

“That’s the perfect advice because, unfortunately, we’re in a position where a lot of financial institutions aren’t fully ready in a real-time sense to detect some of these scams that are happening,” Sando said. “We’re still in this situation where consumers are the first line of defense. You have to take this mindset of verify everything that’s coming in and then you can figure out, is this something I can trust?”

While simple in concept, this advice can be difficult to follow in practice due to increasingly sophisticated social engineering tactics. These methods have evolved well beyond urgent emails or texts about unpaid tolls.

The FBI found that cybercriminals are now creating fake social media profiles, fabricating identification documents, and producing highly convincing video and audio impersonations of public figures or even loved ones—all to enhance their manipulation efforts.

Targeting the Vulnerable

These tactics are often deployed against older adults, who may be less familiar with digital environments and therefore more susceptible to social engineering. Unfortunately, the impact has been severe: Americans over 60 reported approximately $7.7 billion in losses last year, a 37% increase year-over-year.

This trend was echoed by the U.S. Federal Trade Commission, which reported a fourfold increase over the past four years in older adults losing $10,000 or more to impersonation scams.

In these schemes, criminals impersonate everyone from government officials to tech support personnel, initiating conversations designed to extract money or sensitive information.

Less Time After

While certain groups may be more vulnerable, cybercriminals’ growing technological acumen has made them increasingly indiscriminate—targeting individuals, organizations, and industries alike. This reality makes taking a beat more critical than ever, though it is just one component of a broader fraud prevention strategy.

“Let’s say it is a bank communication that’s coming through,” Sando said. “Call your bank back directly. Don’t use the number that’s coming from the text message because that can be spoofed, but call your bank directly and speak to someone that you know you can trust.”

“There is always time before you approve that transaction or make that investment or click on that link and give away your Social Security number,” she said. “There is less time after because once that money’s out the door, it’s very difficult to track down and try and get it back.”

The post As Fraud Escalates, Taking a Beat Becomes a Critical Defense appeared first on PaymentsJournal.

More emails about privacy practices and data disclosures are landing in consumers’ inboxes. As users’ digital footprints expand, these messages seem to come from every direction—big-box retailers, healthcare providers, financial services firms, and even streaming services.

While these emails may feel like a rote legal exercise to some—or an unwelcome intrusion to others—the growing emphasis on protecting personal data is a positive trend. These notifications not only provide greater transparency but also serve as an opportunity to build trust with consumers who are increasingly concerned about how their data is collected and shared.

Despite improvements in messaging, there are still many areas where privacy processes can be optimized.

For example, the emergence of open banking has introduced a web of intricate relationships between banks and third-party providers. As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, examined in the Data Transparency in the Age of Cyber and Privacy Risk report, this complexity—combined with escalating cyber threats—has made delivering clear, effective privacy disclosures both more difficult and more essential.

A Hot Topic

Historically, privacy disclosures were often treated as an afterthought, buried within layers of website navigation. Even when customers managed to find them, they were frequently confronted with dense, jargon-heavy documents that were difficult to understand.

“It’s been nice to see that as we have done our Cyber Trust in Banking evaluations over the course of the last three to four years, that financial institutions are making it much easier for consumers to find privacy disclosures on their website,” Goldberg said. “In some cases, financial institutions are even breaking out privacy disclosures for senior citizens, for children, and for those who fall within the working-age consumer category.”

Along with this personalized touch, institutions should prioritize clarity and accessibility, ensuring disclosures are easy to find and written in plain language. In addition, privacy documentation should be updated regularly—at least on a quarterly basis. Many consumers seek out these materials to confirm that their financial institution has adequate data protections in place. Outdated policies can quickly erode that confidence.

When significant policy changes occur, customers should be notified as soon as possible. However, even in the absence of major updates, periodic privacy notices remain valuable. These communications act as important touchpoints, reinforcing that customer data is both protected and prioritized.

Ultimately, the goal of these privacy best practices is to foster trust—a challenge that continues to grow amid persistent concerns around the economy, fraud, and evolving technologies.

“We’re finding that consumers are actually reading privacy disclosures,” Goldberg said. “A lot of that has to do with the fact that privacy is such a hot issue for consumers, especially in this age of AI. Consumers have concerns about their data being everywhere and they’re starting to pay attention.”

“Making it easy for consumers to find those disclosures—and this would apply to any business, but financial institutions in particular—is important because consumers want to know that their data is secure,” she said. “They want to know their privacy is being respected.”

Linked by Choice

While financial institutions are doing a better job of managing their own privacy policies, the increasing role of fintechs in the digital banking ecosystem has rapidly muddied the waters.

For example, customers attempting to understand how their personal data is shared with third-party partners often encounter a labyrinthine task that rivals the privacy practices of the past. In many cases, opting out of data sharing is just as cumbersome, despite being a feature that should be straightforward and accessible.

On the other hand, placing all third-party relationships front and center in a website or app risks overwhelming users with too much information.

“There are so many places where your data is linked,” Goldberg said. “Sometimes it’s by consumer choice—I choose to link my bank account to my Venmo account, that’s a choice I’ve made. I choose to link my bank account to some of the retailers that I use. When I log into online banking, I’m going to see all of those connections, and for some consumers, that may be overwhelming.”

“It’s a fine line,” she said. “Part of it goes back to knowing your customer and knowing what your customer can handle. Some of the options that you provide to one customer may not be the same as the options you provide to another. That’s where it gets a little bit difficult for financial institutions because it’s not a one-size-fits-all approach.”

Thinking Ahead to Open Banking

Although the proliferation of fintech companies has made privacy documentation more complex, these providers play an integral part of the predominant open banking model. This trend is unlikely to reverse, as consumers increasingly expect the convenience and functionality fintechs enable. Moreover, the competitive nature of financial services demands strong technological infrastructure—something many banks can’t build independently.

The benefits of open banking have prompted many regions to develop regulatory frameworks to support it. In the United States, however, a more market-driven approach has created challenges for financial institutions seeking to define their privacy and security strategies.

Most notably, uncertainty remains around the final implementation of Section 1033—the open banking rules finalized by the U.S. Consumer Financial Protection Bureau—which continues to leave key questions unanswered.

“Financial institutions don’t have a lot of guidance to go on,” Goldberg said. “They need to be thinking ahead because we know open banking is here. It makes life easier for the consumer; it’s not something that we can just forget about. But we do also have to remember—from a financial institution perspective—that there are privacy considerations that have to be taken into account and transparency is key.”   

The post As Open Banking Fuels Interconnectivity, Privacy Matters More appeared first on PaymentsJournal.

The approval of bitcoin ETFs sent the price of bitcoin soaring to new heights last year, marking one of many milestones for the burgeoning digital assets industry.

While bitcoin has since pulled back, the financial services sector’s interest in digital assets has not waned, as evidenced by Mastercard’s recent $1.8 billion acquisition of stablecoin company BVNK.

Among the technology’s primary selling points are the efficiency and security gains enabled by blockchain infrastructure. However, recent findings from Google suggest there may be emerging vulnerabilities in the cryptocurrency ecosystem.

The tech giant’s researchers conducted quantum computing pilots and found that more advanced models could potentially crack widely used cryptocurrency encryption methods far more quickly and efficiently than previously believed.

Ramping the Urgency

According to Google, such attacks are not yet feasible, and some blockchains—including bitcoin—already have mitigation measures in place. Still, the company warned that these factors should not diminish the urgency of addressing potential vulnerabilities.

Instead, Google urged the digital assets industry to adopt stronger security standards capable of withstanding emerging threats, including a transition to post-quantum cryptography—an encryption approach designed to resist quantum-based attacks.

“I don’t think this is a ‘bitcoin is getting hacked tomorrow’ story,” said Joel Hugentobler, Cryptocurrency Analyst at Javelin Strategy & Research. “The point here is that these security upgrades will take time, possibly years, so even though it seems early on in the hardware timeline, companies need to start making the migration now for chains, wallets, and custody.”

“We’re a ways out from a full-fledged quantum computer, but if companies wait until it is out to upgrade security measures, it will be way too late,” he said.

Not Just a Crypto Threat

Like many transformative technologies, quantum computing presents a double-edged sword. By leveraging the principles of quantum mechanics, it moves beyond the limits of conventional binary and linear computing models.

The result is a model that is significantly more efficient and less resource-intensive. While quantum computing could prove to be a gamechanger for businesses—and even serve as a more effective foundation for resource-heavy AI models—regulatory and organizational constraints may slow legitimate adoption, giving bad actors a head start.

There are already signs of this shift. According to separate data from the Association of Certified Fraud Examiners and SAS, roughly 10% of respondents reported that quantum AI is already creating impacts, and most expect quantum computing to play a role in fraud prevention by 2030.

This early adoption among cybercriminals, combined with the technology’s disruptive potential, suggests that quantum computing is not just a future risk for the crypto industry, but a looming challenge for the entire financial services space.

The post Google Warns That Quantum Computing Could Soon Crack Crypto Encryption appeared first on PaymentsJournal.

Last year, the treasurer’s office in Warren County, New York sent $3.3 million to what it believed was the county’s roadwork and maintenance contractor. It was not—the payments were instead routed to a fraudulent account. Because the county had recently switched from paper checks to ACH, the treasurer’s office had no account verification policies in place to prevent what turned out to be a textbook case of fraud.

While the damage in Warren County represents the upper end of the spectrum, this incident is far from an outlier. It underscores the importance of implementing ACH protections, which many organizations already have in place. Too often, however, these measures are treated as a set-it-and-forget-it solution or merely a compliance checkbox.

In a recent PaymentsJournal podcast, John Gordon, CEO of ValidiFI, and Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, discussed how robust ACH fraud monitoring controls can do more than satisfy regulatory obligations—they can act as a proactive risk prevention mechanism. This is essential to combat the growing prevalence and complexity of fraud.

The Importance of Trust

The compliance aspect of ACH fraud monitoring is partly driven by the latest version of the WEB debit rule, instituted by Nacha—the organization that governs the ACH network. Nacha’s enhanced fraud monitoring requirements raise expectations for all participants in the ACH ecosystem.

“It increases the bar to say that we’re not just checking the validity of the account, but we’re also doing fraud checks,” Gordon said. “It creates an opportunity for financial service providers to identify fraud and to look at the potential risk associated with a consumer.”

“It moves beyond compliance for compliance’s sake, which creates a lot of opportunities for financial service providers to not only identify and reduce fraud, but to put consumers in the right products that create mutually beneficial paths for them,” he said.

Finding the right fit with customers has become more challenging in the digital era, where consumers have more options than ever and increasingly expect efficiency in every interaction. As a result, consumers often choose the path of least resistance when selecting a financial institution.

These factors place institutions in a precarious position: they must balance security with customer expectations, both of which significantly impact retention.

“The importance of consumer trust cannot be overstated,” Sando said. “We’re finding that when consumers have experiences with fraud or scams on a particular account—whether it’s a traditional financial account like your checking or savings or a merchant account—if they’ve experienced any sort of suspicious activity or fraud and scams, they’re much more likely these days to close an account where the fraud occurred and move somewhere else.”

Stepping Up Authentication

Given the risk of attrition, account onboarding and authentication have become critical stages in the customer experience. One key challenge arises from misapplied friction, where every user is forced to undergo the same verification process regardless of risk profile.

“Our belief is there’s enough value in customer data that it can be managed through step-up authentication, that you are injecting friction where friction is warranted based on the risk signals that consumers have in concert with their profiles—whether that be their bank account, their payment transactions, or their credit scores,” Gordon said.

“There are a number of different ways to end up at the right answer so that you’re facilitating a flow where the consumers stay in the process and you are fast tracking your low-risk consumers and putting obstacles in place where they should be,” he said.

This process can be optimized by leveraging the richer data available in a validated account. Institutions can go further by authenticating the account, confirming that the applicant’s name matches the account owner’s—allowing for a more targeted, efficient approach.

Implementing these measures early in the process is critical for fraud prevention and enables a customized experience, reducing the verification burden on the institution.

For example, if a consumer opts out during onboarding due to friction triggered by their financial profile, the institution avoids a potentially difficult credit decision. Conversely, highly qualified consumers can be fast-tracked, improving both the experience and conversion rates.

Scouring Alternative Data

Although authentication is vital, it is increasingly challenging under the current credit scoring system. Last year, traditional scoring methodologies eliminated medical debt—a significant portion of consumer credit—from scores. While this change reshapes scoring, it does not remove the underlying debt burden.

Additionally, consumers now maintain more financial relationships than ever, including accounts at traditional banks, digital-first banks, and fintechs. Many of these relationships are undisclosed, complicating accurate assessments of creditworthiness.

“It becomes incumbent upon financial service providers to look at alternative data in a way that they can derive value out of it,” Gordon said. “We believe the consumers’ bank behavior, their payment success rates, and the velocity with which their PII elements change are all clues that will lead you to have a more accurate picture of that consumer—what they can afford and their creditworthiness.”

“When we factor in the way that consumers acquire credit today versus the way they did in 1989 when the FICO score was created, they’re wildly different,” he said. “The traditional scoring methodologies haven’t kept pace with the way consumers are acquiring credit now. We see scenarios where consumers apply with a clean bank account only to subsequently change to a neobank account or some other bank account that they’re utilizing to enact what equates to first party fraud.”

Palatable to All Parties

These challenges have driven the emergence of data-driven treatment strategies, where financial service providers leverage shared industry data. This intelligence provides critical insights into connections between consumers, accounts, identities, and performance metrics.

Such knowledge enhances underwriting, creating a scenario where a consumer’s application experience is guided by both their inputs and industry knowledge of past activity. However, these strategies must always be aligned with the institution’s broader objectives.

“We have a client that we work with that does account-to-account payments tied to loyalty cards,” Gordon said. “Their exposure in that scenario is fairly limited, they want as much acceptance as they can possibly get. Conversely, we have some clients who are doing large dollar distributions, and it is not too much to ask for someone to credential into a bank account and we’re talking about the potential for five- and six-figure disbursements.”

“It’s difficult to ensure that you’re keeping down the cost of doing business, the fraud losses, and ultimately the cost of credit,” he said. “When you marry the authentication process to the use case, you end up with a lot better solution that’s more palatable to all parties.”

Confidently and Compliantly

Developing strategies and implementing fraud management measures is imperative, as new and potent fraud variant emerge daily. The most effective defense is sharing information and leveraging a risk intelligence provider to help chart the way forward.

“It’s finding a solutions provider that is flexible and can adjust and be agile in the same way that we find fraudsters are agile with technology and how they can use it against consumers,” Sando said. “It’s also about recognizing the fact that consumers are not all the same, it’s not one-size-fits-all. It’s about having that solution provider that can help you figure out how we navigate each individual case to make sure that it’s optimized for every single customer that comes through the system.”

These solutions help organizations stay ahead of escalating fraud threats and maintain compliance with regulations like Nacha’s rule enhancements. But that’s just the beginning.

“There is a lot of opportunity beyond compliance in account verification and authentication,” Gordon said. “What we see is that not only will more of your payments clear, but there are certain attributes and thresholds that , when crossed, significantly improve performance. Meaning, you’ve verified the account, the account has a certain history, and it doesn’t indicate any of the negative attribution that we often see compounded by a name match. You have the ability to operate confidently and compliantly in a way that you probably aren’t enjoying at present.”

The post From a Checkbox to a Differentiator: Redefining ACH Fraud Monitoring appeared first on PaymentsJournal.

News of a leaked Anthropic AI model rattled the cybersecurity industry, sending the stocks of major firms sharply lower. What initially looked like a potential game changer now raises urgent questions: can organizations trust AI with their most sensitive digital assets, or does this incident simply reinforce the need for expert protection?

According to Mint, a leaked draft blog post introduced a new tier of AI models called Capybara. The draft claimed that Capybara outperformed Anthropic’s flagship model, Claude Opus 4.6, in “software coding, academic reasoning, and cybersecurity-related tasks.” It further noted that training on Claude Mythos—a model Anthropic describes as their most advanced yet—has been completed.

Why Did It Leak?

While Anthropic attributed the leak to “human error,” the explanation may do little to reassure organizations about the company’s ability to safeguard sensitive data. Some analysts speculate that there could have been other motives at  play.

“The leak of Capybara is unfortunate but I almost wonder if it was intentionally left in an accessible data lake to highlight some of the emerging cyber risks that continually evolving AI platforms pose and will pose,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “All of that said, the model is still in testing, with Anthropic clearly stating that it is aware of bugs and risks that need to be addressed, which is why Anthropic has only soft-launched Capybara.”

The Looming Threat of AI

Anthropic also highlighted the cybersecurity risks tied to these model, emphasizing the escalating arms race that is going on with AI between defenders and cybercriminals. The company cautioned that Capybara could be the first in a series of models capable of identifying and exploiting vulnerabilities far faster than security teams can respond. In other words, criminals could leverage the model to fuel a new generation of AI-driven cybersecurity threats.

Investors reacted swiftly, driving shares of CrowdStrike, Datadog, and Zscaler down more than 10% in early trading.

“The tanking of tech stocks in the wake of news about the Capybara leak really just highlight the lack of understanding investors have about AI overall,” Goldberg said. “We know these models will continue to adapt, and will do so at a pace faster than industry security measures can respond. This is why governance around AI is so critical.”

The post Pumping the Brakes on Anthropic’s Leaked Cybersecurity AI appeared first on PaymentsJournal.

As financial fraud continues to accelerate, its impact on victims goes far beyond monetary loss. The emotional and behavioral effects are long-lasting, shaping future decisions and sometimes undermining trust in their financial institutions.

Substantial progress has been made in strengthening fraud detection and prevention, but much work remains—especially in the age of AI. In a PaymentsJournal podcast, Dal Sahota, Global Director of Trusted Payments at LSEG Risk Intelligence, and Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research, discussed how fraud affects different generations and what banks can do to stay ahead of the problem.

Fraud Comes from Everywhere

It’s hard to go a single day without encountering a scam attempt or hearing about someone who has been targeted. This constant exposure underscores how sophisticated and pervasive fraudsters have become.

LSEG’s latest global research shows that most consumers believe scams are on the rise. As more aspects of life move online—opening new avenues for fraud—it is clear that everyone is at risk.

“This morning, I got an email from a car rental company about a supposed upcoming trip from Orland Park, Illinois,” said Sando. “As someone who lives in Milwaukee, about an hour and a half outside of Orland Park, I’m not picking up a rental car there. But you stop and think, ‘hey, I do find myself randomly researching trips. Could this have been something that I looked up and maybe I’m getting a prompt from their website?’ That’s how people end up clicking on phishing links or providing details they didn’t intend to reveal to a fraudster.”

Across the Generations

Because scammers have become highly skilled in targeting, each generation experiences fraud differently. Scams exploit areas where specific groups are more vulnerable. Older generations expressed the highest concern about fraud in the LSEG study, while younger groups reported greater exposure to emerging threats such as deepfakes and “quishing” attacks.

Reactions also vary by age. Some 97% of victims reported changing their behavior after being scammed, becoming more cautious online, sharing fewer financial details, and avoiding certain channels. Some may feel so insecure about certain payment types that they abandon them  entirely. Older adults, however, tend to experience the greatest loss of trust compared with other groups.

“There are deep levels of distrust in any and all communication, which can be really devastating when you’re trying to maintain a relationship with your financial institution,” said Sando. “If you don’t even know that you can believe what’s being sent to you from your bank, what can you believe? Once that security feels like it’s just an afterthought and that trust has been violated, it’s really hard to go back to business as usual.”

The Information Gap

The effects of scams extend beyond individual victims—they ripple throughout the financial services ecosystem.

“That really comes out in the research, how that’s impacting consumers and the lack of trust when they’re interacting in digital channels,” said Sahota. “We found that 32% of respondents reference shame as an emotional impact. And this is very devastating in the market.”

A significant information gap exists regarding accessibility and the warning signs of potential fraud. Less than a quarter of LSEG’s survey respondents described themselves as well-informed  in this area. Separate data from Javelin indicates that many consumers are unaware of the educational resources their financial institutions offers, even when these resources are available online or via mobile apps. These programs are only effective if consumers can locate and act on them.

“We can think about this in terms of vulnerabilities that they’re under and how those are targeted,” said Sahota. “Don’t assume that the consumer’s first language is English, for example. Those are nuances to work within, but the fraudsters really take advantage of those exposed vulnerabilities.”

Sando added: “A lot of financial institutions post really text-heavy articles. Frankly, you’re seeking out education when you need it the most. You’re not sitting around on your couch on the weekend reading education on your bank’s website. You’re going to it in that moment. So it has to be hitting the consumer right at the part where it’s most critical.”

A More Personalized Experience

Financial institutions could benefit from delivering a more personalized experience, tailoring education based on demographics and customer behavior. Understanding what resonates—by geographic location, generation, or product ownership—helps identify who is most vulnerable to specific scams and how to reach them.

“You’re not going to hit older generations with a lot of pop-up notifications on their phone,” said Sando. “That’s not the typical way that they consume information.”

Once someone has fallen victim to a scam, they often struggle to focus on available resources or their rights. This is when financial institutions must guide them through the recovery process.

“A scam victim shouldn’t have to be the most well-informed person on the process of reimbursement and resolution for your scam,” said Sando. “You want to have a highly trained investigator or case worker from your financial institution that’s there to walk you through because you’re already having to bear the burden of the financial loss.”

Playing on Offense

With money moving faster than ever, applying the right level of friction to the right type of payment reassure consumers. A small verification step can provide certainty that the beneficiary is legitimate. Friction that ensures validation is not a barrier—it’s a protective measure.

Too many institutions wait until validation occurs too late. In the era of real-time payments, once a transaction is submitted, the money is gone. Prevention must come before the payment, not after.

“We are focusing earlier on in building a full picture of ‘Who is this person I’m paying? What’s their historical account information?’” said Sahota. “Building a full picture and using the data that we have access to as financial services can make the difference in detecting suspicious activity before it’s too late. There are a number of vulnerabilities that the fraudsters and the scammers are exploiting. They continuously evolve. The leveraging of AI in that regard has really scaled the scams up. We need continuous risk assessment of all the aspects across the value chain.”

“We continue to play from behind,” he said. “We’re always on defense, we’re never on offense. We’re always being reactive when we should be proactive.”

To explore the full breadth of consumer insights referenced in this discussion you can review the complete survey findings in LSEG’s After the Scam research.

The post The Emotional Toll of Financial Fraud appeared first on PaymentsJournal.

Artificial intelligence has rapidly stretched the limits of the traditional computing model, as it demands substantial infrastructure and resources to operate.

A potential solution lies in quantum computing, which leverages the principles of quantum mechanics to move beyond conventional binary and linear processing. Shifting AI to a quantum computing foundation could theoretically enable models to improve efficiency while consuming fewer resources.

While quantum AI may still seem like a distant prospect for organizations that are just beginning to integrate generative and agentic AI, there are signs that cybercriminals are already experimenting with the next level of artificial intelligence.

According to data from the Association of Certified Fraud Examiners and SAS, most respondents expect quantum AI to significantly impact fraud prevention by 2030, and roughly 10% report that it is already having an effect.

Supercharging the Deepfake Threat

Equally concerning, the study found that bad actors have increased their use of AI across nearly every aspect of their operations, from consumer scams to document forgery. However, deepfake-driven social engineering has seen the sharpest rise, with roughly three-quarters of respondents reporting an uptick over the past two years.

While early deepfakes were often easy to identify, more advanced AI models have made them a threat that can no longer be dismissed. The AI Incident Database reinforced these concerns, documenting more than 100 distinct deepfake incidents between November 2025 and January 2026.

A Perilous Situation

These emerging threats are straining the capabilities of modern cybersecurity systems. For financial institutions in particular—bound by strict compliance constraints and high customer expectations—implementing new technologies is often a complex and resource-intensive process.

This has created a precarious situation where cybercriminals are evolving in lockstep with rapidly advancing technologies, while many banks are struggling to keep pace. According to the ACFE study, only 7% of respondents said their organization was more than moderately prepared to detect or prevent AI-powered fraud.

With quantum computing potentially entering the equation, this gap could quickly become catastrophic.

“We’re close to where quantum computing is going to break encryption,” Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research told PaymentsJournal. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”

“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”

The post Bad Actors Are Already Piloting the Next Evolution of AI appeared first on PaymentsJournal.

Microsoft has detected a surge in sophisticated phishing campaigns timed to exploit heightened anxiety during tax season, as cybercriminals ramp up efforts to trick both individuals and businesses.

According to the company, criminals are sending fraudulent emails masquerading as tax refunds, payroll documents, filing reminders, and requests from tax professionals. These messages are intended to lure recipients into opening malicious attachments, clicking on suspicious links, or scanning harmful QR codes.

The scope of these attacks is significant. In one large-scale campaign detected last month, more than 29,000 users across industries—including financial services, technology, and retail—were targeted.

Microsoft researchers say the campaigns are not only aimed at individuals, but also professionals who regularly handle sensitive financial data. Accountants and similar roles are especially attractive targets because they are accustomed to receiving tax-related communications and often have access to valuable information.

More Convincing Every Year

Compounding the threat, phishing tactics have become more sophisticated, with attackers leveraging advanced tools to create more personalized and convincing messages.

“A huge part of this is generative AI, which is making these emails way more convincing, said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “The average consumer will say: ‘I don’t think this is real, but maybe it is.’”

The IRS continues to stress that it doesn’t initiate contact with taxpayers via email, text, or social media, and it doesn’t demand immediate payment or threaten arrest over the phone. Official communication is typically sent through U.S. mail, making any deviation from that a strong indicator of a scam.

“We push the point that the IRS is never going to call and ask for your information,” Sando said. “They’re never going to email you and ask for information, but people are still going to give it up.”

Tax-Adjacent Scams

To illustrate how these attacks are carried out in practice, Microsoft highlighted several common tactics seen in recent campaigns, including:

• Tax-themed websites designed to trick users into clicking links under the guise of accessing updated forms
• Fake IRS messages promoting a “Cryptocurrency Tax Form 1099,” particularly targeting the education sector
• Emails impersonating clients seeking help with filing, leading to malicious links
• Targeted lures aimed at CPAs that are phishing kits to steal a victim’s email and password

The post Microsoft Warns of New IRS-Based Phishing Attacks appeared first on PaymentsJournal.

In many ways, OpenClaw represents the next evolution in artificial intelligence. Part of its appeal lies in its architecture: the AI agent runs locally on a user’s device, enabling it to interact with applications and perform tasks autonomously.

The platform’s promise has attracted considerable consumer attention—so much so that it has reportedly driven a spike in prices in China’s secondhand MacBook market. As with many rapidly growing ecosystems, however, this surge in popularity has also drawn the interest of cybercriminals.

According to OX Security, bad actors have been contacting many OpenClaw developers via GitHub, informing them that they had been selected to receive $5,000 of CLAW tokens. Those who engaged were redirected to a convincing replica of OpenClaw’s official website, modified to include a “connect your wallet” prompt.

If a user connected their crypto wallet, bad actors could potentially drain its contents.

Many Red Flags

Despite the apparent legitimacy of both the message and the site, the campaign contains several clear red flags. Most notably, while many platforms issue governance tokens or cryptocurrencies, OpenClaw does not—meaning there is no such thing as a CLAW token.

OpenClaw creator Peter Steinberger has also emphasized that any crypto-related outreach claiming to originate from the project is fraudulent. The platform was designed as an open-source, non-commercial initiative and doesn’t conduct giveaways or promotional campaigns.

Capitalizing on Newness

Phishing schemes that impersonate popular brands are a mainstay in cybercriminals’ playbooks. While many users might dismiss a similar message from a more familiar organization, criminals are exploiting OpenClaw’s novelty—targeting users who are intrigued by its capabilities but not yet fully familiar with how it operates.

As AI continues to expand in both capability and reach, concerns around fraud and abuse are likely to grow in parallel. Jensen Huang, CEO of Nvidia, has described OpenClaw as “the next ChatGPT” and “the largest, most popular, the most successful open-sourced project in the history of humanity.” With that level of visibility, and with OpenClaw’s access to core device functions, security threats on the platform could carry particularly far-reaching consequences.

The post Cybercriminals Aim to Capitalize on OpenClaw’s Prominence appeared first on PaymentsJournal.

One of main challenges in combating scams is defining them properly. Romance, investment, and impersonation scams can take many forms and arrive through a wide range of channels.

Another critical issue is communication. One financial institution may uncover and address a scam affecting one of its customers, but upon further examination, that incident may be just one part of a global campaign orchestrated by a fraud ring.

To address both challenges, the Global Anti-Scam Alliance (GASA) is launching scam.org, a platform that offers resources including scam education, reporting tools, prevention guidance, and victim support. The platform will be AI-powered through integration with OpenAI and has secured buy-in from many of the world’s leading cybersecurity firms.

“This is a meaningful partnership and highlights the great work GASA is doing,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “A relatively new entrant, GASA has made significant strides over the last 18 to 24 months to bring the global community together to address social-engineering risks.”

An Agnostic Threat

This industry-wide approach has become increasingly necessary as scams continue to spiral out of control. Recent data from BioCatch found respondents reported a 65% year-over-year increase in the total number of scams between 2024 and 2025. These scams are becoming agnostic, targeting industries, demographics, and platforms with equal ardor.

This threat would not be able to reach such scale without two factors: technology and organization. Criminals can now use AI to make their communications appear more legitimate, while the cloud model has enabled the rise of cybercrime-as-a-service operations.

For example, the Tycoon 2FA phishing toolkit was sold as a subscription service on social media. The toolkit was recently taken down, but not before playing an integral role in more than 100,000 breaches across a variety of organizations.

An Overarching Approach

Taking down Tycoon2FA required a coordinated global effort between law enforcement, technology companies, and cybersecurity firms. A similarly broad approach will likely be required to quell the threat of scams.

Scam.org can play a key role by facilitating data-sharing and communication that will be critical to that fight. The platform will also give consumers a resource they can turn to at a time when many scam victims feel isolated and powerless. Ultimately, however, its success may depend on whether consumers are willing to report what happened to them.

“While the mobile app security features included in Scam.org are notable, consumers will still be expected to make decisions about what is suspicious and what is not,” Goldberg said. “Ultimately, helping consumers remove their mobile numbers from robocall lists and protect and remove their compromised PII on and from the dark web will be the only solution that stops SMS-based, smishing scams.”

The post Global Scam Reporting Platform Launches with OpenAI Support appeared first on PaymentsJournal.

More than half of organizations now rank generative artificial intelligence as their biggest security threat, surpassing stolen credentials. The rise of AI-driven attacks—from deepfakes to hyper-personalized phishing—is upending cybersecurity, with speed and scale overwhelming traditional defenses.

According to The State of Passwordless Identity Assurance, a study from HYPR, generative AI and agentic AI are enabling entirely new forms of attacks, including deepfakes and employee impersonation. The study found that nearly two-thirds of organizations surveyed had already been targeted by personalized phishing emails—AI-generated messages designed to imitate executives—highlighting how quickly these threats are evolving.

Phishing was the most common type of cyberattack organizations faced in the past 12 months, followed by malware and ransomware. These findings align with a study from Cofense, which found that rate of phishing attacks is accelerating, with spam filters flagging one phishing email every 19 seconds in 2025, up from one every 42 seconds the previous year.

Speed Is of the Essence

Nearly 40% of respondents reported experiencing some form of generative AI-related security incident in the past 12 months. Concerns are growing, as 43% of respondents identified AI-driven attacks as the most significant change in cybersecurity over the past year.

Yet too many organizations still react only after the damage is done. Three in five respondents said they had incurred a hindsight tax, increasing their cybersecurity budgets only after a breach had already occurred.

In the era of AI, that approach is no longer sufficient. AI has increased the scale, speed, and effectiveness of phishing and other cyberattacks. While most identity-based attacks are detected within hours, AI-driven automation allows data to be stolen before human intervention can occur.

Threats from Agentic AI

Another emerging risk, agentic commerce, is also making headlines. According to HYPR, automated agents are on track to leak more passwords than people this year, amid growing reports of agents going rogue.

AI security firm Irregular recently conducted a test in which AI agents were instructed to create LinkedIn posts using material from a company’s internal database. The agents evaded anti-hacking protocols and ended up publishing sensitive password information. In another case, AI agents bypassed antivirus software to download files containing malware.

The post Study Finds That AI Is Organizations’ Top Cybersecurity Fear appeared first on PaymentsJournal.

One of the most prolific phishing-as-a-service toolkits of all time was not widely used to send consumers phony unpaid toll texts or urgent account alert emails. Instead, Tycoon 2FA was primarily leveraged to target paid accounts associated with organizations.

Although financial services and healthcare companies have typically been prime targets for fraud attempts, cybercriminals appeared to deploy Tycoon 2FA more arbitrarily. According to The Hacker News, the tens of millions of phishing messages created with the platform led to breaches at over 100,000 organizations across industries, including schools and hospitals.

The worldwide phishing threat spawned by the toolkit prompted a coalition of public and private entities to band together and take down the service. This alliance included Europol and other law enforcement agencies, Microsoft, cybersecurity firms, and Coinbase. This effort ultimately resulted in the takedown of the 330 domains that formed the criminal network’s infrastructure.

“International, coordinated efforts to take down organized cybercrime rings, cybercrime-as-a-service networks, and phishing-as-a-service networks—like this one—are necessary,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “But sadly, these takedowns only result in short-term gains, as new networks and models quickly step in to replace the ones taken down.”

Streamlining Cybercrimes

Prior to the disruption, a monthly subscription to Tycoon 2FA could be purchased on social media platforms like Telegram for roughly $350. In return, users gained access to a dashboard where they could create and monitor phishing campaigns, along with templates and tools designed to streamline cybercrime.

As with many phishing attacks, these tools were used to craft messages impersonating widely used services like Outlook, SharePoint, and Gmail. The goal was to capture sensitive data such as login credentials or multi-factor authentication codes. Once stolen, the information was often transmitted to criminals in near real time.

A Massive Issue on Multiple Fronts

One of the most alarming aspects of phishing-as-a-service platforms is how they simplify the process for novice bad actors and dramatically expand the reach of their campaigns. These services are also highly customizable. Microsoft attributed much of Tycoon 2FA’s success to its ability to convincingly mimic legitimate authentication processes.

Even more concerning, Tycoon 2FA subscribers were able to engage in ATO jumping. After compromising an account, criminals could send phishing messages from that email address, making them appear to come from a trusted user.

This means a single phishing message can quickly spiral into a major problem for organizations on multiple fronts.

“Law enforcement is caught in a perpetual state of reaction when it comes to fighting cybercrime,” Goldberg said. “From a global perspective, U.S. consumers and business, which are typically the primary cybercrime targets, pay the price. In the case of Tycoon 2FA, the vast majority of compromised targets were in the U.S., followed by the United Kingdom and Canada.”

The post Authorities and Tech Firms Team Up to Take Down Phishing Platform appeared first on PaymentsJournal.

With the advent of faster payments, many financial organizations have prioritized speed over fraud detection. Consumers expect instant transactions, but banks must still protect themselves and their customers from fraud. Running fraud detection in the background—analyzing contextual signals and historical data—helps strike the right balance between speed and security.

In a PaymentsJournal Podcast, Diarmuid Thoma, Head of Fraud & Data Strategy at AtData, and Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research, discussed how traditional fraud detection methods have fallen short in the era of real-time payments. The key today is to stop fraud before it occurs.

Moving Protections Upstream

For customers, speed is paramount—but that speed is only required at the transaction or decision phase. Banks can conduct much of the pre-authorization and risk assessment before a transaction ever happens, without the pressure of real-time execution. By the time a customer reaches the transaction stage, the bank should not be scrambling to complete all fraud checks instantly.

Many institutions focus on where the financial loss occurs. When a transaction results in a chargeback, they look to fix the transaction itself. In most cases, however, that wasn’t the customer’s first interaction. The initial touchpoint often occurred much earlier, well upstream of the chargeback.

“With account takeover, you can see a lot of behavioral signs before payments even happen,” said Pitt. “If the information is changed in something like an account profile, that’s a clue. Logins from different areas at different times can be a clue. If that is flagged first, then essentially the suspicious payment doesn’t happen, and there’s no loss to either the consumer or the financial institution.”

Building an Identity

In the traditional brick-and-mortar world, banks might have asked for a driver’s license or passport to open an account, perhaps along with a utility bill to verify an address. While those documents could be forged, such cases were relatively uncommon.

Today, verification relies on digital identity. Devices, IP addresses, and email accounts form the foundation of an identity profile. That profile extends across consortium networks containing prior transaction data, creating a clearer picture of how a consumer behaves. For example, is this person likely to buy $1,000 sneakers?

“It’s building an identity,” said Thoma. “Even in the physical world, who we are is defined by liking a certain bar, or shopping at a certain store. All of those together, that’s you. All we’re doing now is taking that and translating it into a digital concept. From a fraud perspective, that builds consistency. The nice thing about good people, from a fraud profiling point of view, is they’re very consistent.”

Modern fraud professionals build dynamic profiles rather than relying on static identifiers. They can construct timelines spanning five or 10 years—whatever data is available—representing a big leap forward from traditional methods.

“When I was in the banking world, part of my role was to evaluate investigations to see if the investigations were done correctly,” said Pitt. “I would frequently listen to different calls from customer service reps and call centers. Several times I listened to calls where the fraudster themself was trying to make a wire transfer.

“The call center rep just asked for basic information like name, date of birth, normal knowledge base questions. Information that you can get pretty much anywhere, from leaked data breaches to background check websites,” she said. “That wire was able to go through. And when the customers called in to say there’s fraud, the customer service representative said, well, no, you verified the information.”

Bringing the Information Together

Many financial institutions still conduct manual reviews one transaction at a time. This approach yields insight only into those specific transactions and fails to reveal broader fraud patterns or emerging tactics.

“I still see small financial institutions operating as if there were no internet,” said Pitt. “They’re essentially verifying physical documents, especially in branches with human detection only. That is not good enough anymore with the AI tools that are out there for fraudsters. It is so easy to fake or forge some of these documents. You can’t rely on a human detection for that.”

Compounding the issue, criminals understand reporting thresholds. They deliberately stay below those limits, spreading activity across multiple accounts and institutions. That is why consortium data-sharing is essential for identifying coordinated patterns that would otherwise go undetected.

The Best Quality Data

In the early days of social media, companies could look up a profile to confirm a person’s existence. Today, AI can easily generate convincing social profiles across multiple contexts and geographies. Fabricating digital footprints isn’t only simple, it’s scalable. The challenge for banks is no longer finding data, but finding data that can’t be easily manipulated.

“Ideally, the best quality data is immune to automated generation,” Thoma said. “Sources that are unconnected to each other are independent of each other. An email is unrelated to a device from a data perspective. When you take in all this data from unconnected data sources—if they all agree that something’s good—generally you have better decision quality.”

Investing in advanced fraud prevention tools may seem costly upfront, but the expense is inevitable. Institutions will either pay on the front end by strengthening their defenses—or on the back end through fines, consent orders, reputational damage, and customer attrition.

“We have to stop looking at payments fraud from the point of the transaction,” said Pitt. “That’s the last possible point to prevent fraud. We talk about defense in depth and a layered approach where if some security measure does not catch the fraud, then another one will. We still need to look at the payment itself, but we also need to look at everything before that so that we can catch the fraud earlier.”

The post From Reaction to Prevention: Rethinking Payment Fraud appeared first on PaymentsJournal.

At first glance, it looks like a simple return or a routine dispute. But behind many of these transactions is a growing problem often mischaracterized as friendly fraud—a form of first-party fraud that costs organizations significantly and is increasingly normalized by consumers.

Although it has sometimes been called friendly fraud, there is nothing benign about exploiting organizations’ returns processes. What’s even more troubling is that a growing number of consumers feel justified in not paying for products and services they have ordered and received.

However, much of the information that’s critical to combating first-party fraud is already at many banks’ fingertips.

In a recent PaymentsJournal podcast, Craig Agulnek, Vice President of Product Management at Quavo, Brady Harrison, Head of Strategy and Execution at Equifax, and Jennifer Pitt, Senior Fraud Analyst at Javelin Strategy & Research, discussed how financial institutions can identify this data and leverage it to embed first-party fraud defenses into their workflows.

From the Background to the Forefront

One of the challenges in addressing first-party fraud is that it encompasses a wide range of scenarios. For example, a customer may not recognize a valid transaction on their statement and dispute it in error. Conversely, first-party fraud can also be a coordinated effort by networks of bad actors who have identified and exploited vulnerabilities in a company’s systems.

While fraud operations are a constant thorn in organizations’ sides, what’s equally alarming is the broader consumer mindset.

“More people are feeling like, ‘It’s OK, I’ll just defraud this merchant,’” Harrison said. “Where we have inflation, cost of living, and other pressures, more folks feel like, ‘I don’t want to pay for this item.’ It’s not every order or even every attempt. I’ve had conversations with quick-service restaurants where it’s only ever the fifth order or the tenth order where folks are like, ‘I don’t want to pay for this.’”

Some consumers are more inclined to engage in this type of fraud when dealing with larger merchants they believe can more easily absorb the costs of fraudulent returns. Although a customer may feel that a low-dollar fraudulent return has little impact, these charges quickly add up.

“First-party fraud has moved from the background to being an issue at the forefront,” Agulnek said. “It makes up about 70% of all credit card fraud cases and it’s costing the industry $132 billion every year—so it’s not an edge case, it’s the majority of the problem.”

“What we’re seeing is fast acceleration,” he said. “In 2024, 79% of merchants reported experiencing first-party fraud, where in the prior year, it was just 34%. That kind of increase shows you it’s not slow moving. It’s a fast trend, one that catches wind very quickly when you think about social media impact and trends that are popular to gain additional funds or take advantage of the system.”

Untapped Data Sources

Rising customer expectations have exacerbated these issues. Today, consumers expect immediate responses and fast refunds with few questions asked, putting tremendous pressure on institutions to resolve disputes quickly.

As a result, institutions are dealing with significantly higher transaction volumes, elevated customer expectations, increased intentional abuse, and little room for error. Yet the same technologies that have raised these expectations can also benefit financial institutions. Better still, many institutions already have these capabilities at their disposal.

“Institutions have access to these data sources, but they may be siloed across their financial institution,” Agulnek said. “Claims history is the top one; a lot of banks and credit unions will look at disputes one at a time instead of seeing the pattern over months or even years. How often does someone file, how quickly do they file a dispute after a purchase, and is this repeat behavior across merchants or merchant types?”

Many organizations have access to rich behavioral data, such as sudden device changes, shifts in login behavior, and unusual account activity. While these signals often surface before a dispute is filed, they are rarely incorporated into the review process until a transaction has already reached the chargeback stage and fees have been incurred.

Moreover, contextual data from merchants and transactions is frequently underutilized. Certain merchant types, fulfillment models, and subscription behaviors introduce predictable friction points where first-party fraud is more likely to occur.

When organizations fail to leverage the risk signals embedded in these data sources, they are often left without clear guidance on how to respond.

“The challenging bit is that we’re not efficiently separating a true third-party dispute under the regular fraud and dispute programs, and this whole other thing that’s potentially being counted in that bucket,” Harrison said. “How can we separate friendly fraudsters—people who are abusing the system? That feedback is helpful for helping people come to the correct conclusion earlier.”

Stepping Out of the Sandbox

Even the institutions that excel at identifying risk signals within their own organizations are not immune to first-party fraud. More financial services companies are offering a wider range of products than ever before, which means organizations can no longer rely solely on data from within their own domains.

“I’m a big travel card person, so if you’re just looking at my DDA account, you might not have details about what my normal transaction spend is on my rewards credit card,” Harrison said. “Also, my wife and I share a credit card, so if you’re just looking at Brady’s dispute data, you may miss that most of the disputes are on his wife’s card, because that’s the card that gets used or gets stolen.”

With such a proliferation of products, painting a clear picture of an individual’s financial situation is often challenging. Institutions must account for additional factors such as a customer’s household, devices, and physical location to gain a more complete and accurate view.

“Those that live in the same household tend to have the same banking relationship, but then you look at modern day fintechs that have child-friendly financial-education-geared applications that are also banking applications,” Agulnek said. “How do you bring those together and do it in a secure way?”

“By leveraging the vast amount of data, you can see those links and bring them together,” he said. “You can start to breakdown the profile of the individual by seeing more of their holistic profile across different institutions.”

Sharing the Details

Although many financial institutions have been reluctant to share protected customer data, participation in the broader financial services ecosystem has become imperative. Bad actors, after all, gain an advantage by rapidly sharing data and tools across networks—an agility that banks can’t afford to ignore.

“You might have heard of the TikTok/Chase glitch that happened last year,” Pitt said. “Essentially, there was a viral social media post where somebody posted saying, ‘You can go to a Chase Bank ATM, put in any sort of check—whether it’s fake or if it’s an amount over the amount that you have in your account—and you can immediately get cash out.’”

“Chase was able to connect the dots pretty quickly and stop that, but these fraudsters then went on social media and said, ‘Chase Bank figured this out, let’s go to these other banks that haven’t figured it out yet,’” she said. “Unfortunately, there were several other banks that were hit with the same fraud. If they had been privy to this collaborative effort and this information sharing, they wouldn’t have been hit with that type of fraud.”

Along with data-sharing hesitations, other obstacles hinder the development of a unified financial services data solution, including the limitations of legacy technology systems and a complex regulatory and compliance environment.

Still, the escalating costs of first-party fraud make it untenable for organizations to keep data close to the vest.

“We hear disputes cost from $50 to hundreds of dollars to manage,” Harrison said. “If you look at it from that lens of, ‘How many of these disputes could I eliminate?’, it’s like, ‘How can I go find information outside of my individual institution with extra detail about that consumer or grabbing details about that individual event?’”

Avoiding the Overcorrection

It has become critical for institutions to implement measures to mitigate first-party fraud, as economic and retail challenges are likely to worsen before they improve. Persistent inflation, sustained consumer pressure, and the growing social acceptance of first-party fraud are expected to continue.

Despite these challenges, financial institutions should avoid responding by ratcheting up dispute controls to an unreasonable degree.

“If I have a dispute with a bank and they put me through the wringer on proving it wasn’t me and signing all these forms, that’s probably a one-time experience with that institution,” Harrison said. “We don’t need an overcorrection, it’s how can we sort and divine those transactions and events, separating good consumers who have a valid dispute from people who are abusing their rights to dispute a transaction.”

Identifying first-party fraud is particularly challenging, especially for smaller institutions. However, platforms like Quavo’s QFD® can maximize the value of data financial institutions already generate, connecting insights across transactions to reveal the bigger picture.

“That’s what our approach brings together,” Agulnek said. “QFD unifies the internal signals that matter, adding in cross-institution identity that makes those signals more meaningful. When you automate routine work and put intelligence at that point of decision, schemes can resolve cases faster and focus on what truly matters.”

“That speed directly drives higher card and account usage, more towards top-of-wallet, stronger account holder trust, and a more efficient and scalable operation—all wins for the financial institution and wins from their customer perspective as well,” he said.

The post Returns, Disputes, and the Rise of First-Party Fraud appeared first on PaymentsJournal.

Scams have become universal, affecting all types of consumers and every kind of organization. This has placed tremendous pressure on financial services firms, which often bear the brunt of the financial losses, to develop strong fraud prevention strategies to protect their customers.

In a recent PaymentsJournal podcast, Raj Dasgupta, Vice President of Product Marketing at BioCatch, and Suzanne Sando, Lead Fraud Analyst at Javelin Strategy & Research, discussed the evolving forms of scams, the varying global approaches to fraud prevention, and how financial institutions can develop a blueprint to combat these threats.

Inundated at Every Turn

One of the most impactful trends in recent years is that cybercriminals can now more accurately target their victims. For example, someone interested in investing may receive messages about cryptocurrency scams, while a job seeker might be targeted with fake job offers.

Even with this precision targeting, cybercriminals continue to cast a wide net.

“The target for these kinds of scams could be just about anybody,” Dasgupta said. “Usually, we are led to think that they would have been elderly people who are less tech savvy or who can be gullible, but not quite. It could have been anybody. What we are seeing romance scam-wise is it’s skewed towards the elderly. The scammers target lonely individuals who are looking to get into a relationship.”

“Or it could be an investment scam where it can target practically anybody, mostly the elderly, but then the younger demographic is also not immune to those kinds of scams,” he said. “If you are less averse to financial risk, you might end up investing in cryptocurrency  in the hope of great returns, ultimately to realize that you’ve been scammed.”

These diverse scam variants are driving a widespread problem. In a recent survey conducted by BioCatch, respondents reported a 65% year-over-year increase in the total number of scams between 2024 and 2025. This included a 14% rise in purchase scams, the most common type worldwide.

Phishing scams via both voice and texting— oftenknown as smishing—also increased last year, along with significant upticks in romance and investment scams.

The lone bright spot in the study was a 15% decrease in impersonation scams, where criminals pose as legitimate agencies. This decline is likely due to increased awareness and more effective controls implemented by organizations.

“We saw minuscule drops in scam losses in the number of affected victims, but it’s not enough to throw the confetti and pop the champagne,” Sando said. “We’re still talking about a $20 billion problem for scams across 22 million victims, according to Javelin data. Scams feel so prevalent at this point. It feels like we can’t trust anybody or anything—we can’t trust any text that comes in, or emails, DMs, or social media.”

“Everything that we get is met with this air of distrust, and from a consumer perspective, rightfully so,” she said. “We’re inundated with these messages all the time, at every single turn. I don’t feel like I can trust that this voicemail that I got from my mom is really from my mom.”

A Changing Answer

In addition to rising volumes, scam messages have become more convincing and harder to detect. A major driver of this trend is new technology, particularly artificial intelligence.

“There are AI technologies which are easily adoptable, like writing out a grammatically correct email or a text message and making it look  very real,” Dasgupta said. “Those are easily accessible technologies. Now it’s hard for our customers to detect if a victim was in fact receiving an email or a text which was constructed by  AI.”

“The more sophisticated forms are not happening at scale so we can’t call them mainstream just yet, but that is not to say that things can’t change in about six months, because this is a space which is moving very fast,” he said. “Technology itself is changing very fast. I wouldn’t be surprised if I have to give you a different answer six months from now.”

AI has also enabled the creation of highly realistic deepfake audio and video. For example, a deep fake audio clip could be used in a call to convince someone that a family member is in distress and needs urgent help.

As retailers deploy AI in the shopping experience, such as through agentic commerce, cybercriminals are finding ways to exploit this technology. For instance, they could create counterfeit agent services or attempt to manipulate AI agents themselves. Unfortunately, these examples represent just a few of the many ways cybercriminals are leveraging AI for scams.

“We have not seen all that AI is capable of at this point,” Sando said. “That can go for how it can help financial institutions better mitigate scams, but it also stands true for criminals. They aren’t bound by regulatory bodies or compliance or governance teams or data privacy restrictions.”

“They can do whatever they want, so they can move a lot faster and more freely in adopting AI,” she said. “They’re more agile and they can do what they need to get it to fit their needs for their schemes.”

Not Just a Fraud Problem

The scale and sophistication of scams have imposed both direct and indirect costs on financial institutions. These include authorized losses, where customers are manipulated into approving transactions, and unauthorized losses, such as account takeovers or stolen cards.

Unfortunately, the impact of scams extends far beyond immediate financial losses. They can cause operational strain and reputational damage.

“Something that is not immediately apparent is that victims can leave the bank, so there is a real cost of attrition and related is the cost of acquisition,” Dasgupta said. “When one customer leaves, to get another customer to have the same level of profitability, your acquisition cost may be double what you normally have to acquire new customers.”

“Bear in mind also when the customers are leaving, in a lot of cases they’re seniors and they’ve had their life savings with the financial institution,” he said. “When they choose to leave, they’re leaving with all that money, so it’s a big deposit loss. It impacts the overall portfolio.”

In addition to driving customer attrition, scams consume substantial resources. Many institutions rely on staff to investigate incidents, and these teams are often quickly overwhelmed by the sheer volume of cases.

What’s more, the increasing effectiveness of scams has led to a rise in authorized losses, and the resources required to investigate and respond to these incidents are often substantial.

“All the associated costs mean that the profitability of your deposit portfolio is taking a hit,” Dasgupta said. “It’s not only the reimbursement losses, but everything else: investigative effort, regulatory exposure, regulatory requirements, compliance requirements, legal exposure, deposit loss, acquisition costs of new customers, and the profitability of the deposit base.”

“All of those things have to be taken into consideration when thinking of scams as a problem rather than just a fraud problem,” he said.

Getting It Right

Due to this combination of factors, scams have become a global scourge. However, some regions have made strides in developing effective scam prevention mechanisms.

“Two countries are top of mind when it comes to getting it right,” Dasgupta said. “One is Australia, and I would give a shout out to Australia because they’re not doing it because of regulatory pressure, but they’re doing it because they feel like they need to protect their customers. They’ve taken a variety of actions—be it technology related, be it process related—to make sure that their end users are not going to be victims of scams and lose money.”

“The UK is a bit different than Australia because there is regulation that came into effect not too long ago, where the losses will have to be divided out between the sending bank and the receiving bank so that the victim who’s a customer of one of those banks is not left holding the bag,” he said. “That’s a step forward.”

Conversely, the U.S. has lagged behind in this area. One reason is the sheer number of financial institutions operating in the United States; another is the country’s more market-driven regulatory approach.

While some leading U.S. banks have invested in scam prevention, significant progress remains to be made. The strategies adopted by other countries can provide useful guidance, but U.S. institutions will ultimately need to forge their own path.

“The important part to me is not taking exactly what some other country is doing and doing a copy-paste into the U.S.,” Sando said. “We know that’s not going to work. Everybody has their own regulations and things that are going to work for them. It’s about taking what strides other countries have taken, figuring out what’s feasible for the U.S. and taking action on that.”

“That is where I feel like we’re missing the boat,” she said. “We’re missing the take-action part in a big way. We’ve got a lot of good things going for us. We’ve got task forces and scam groups that are popping up that are sharing critical information and encouraging more industry-level information sharing. That’s a huge step forward. We now have to get to the point where we’re taking concrete action to stop those scams.”

Combating the Typologies

The most impactful action financial institutions can take is to acknowledge the scam threat and begin developing proactive solutions. Given the unlikelihood of regulatory mandate on scam prevention in the near term, organizations will need to lay the groundwork themselves.

Although this is a significant undertaking, the first step is to develop a dedicated strategy to mitigate the devasting impacts of scams. Then, it’s time to act.

“If they don’t act, they will be at a loss,” Dasgupta said. “Scams cannot happen if there is no mule account where the scam proceeds can be deposited. They’re all interlinked and at the end of the day the more accounts you have either become victims of scams or they’re holding illegal money from scams.”

“Banks are becoming very aware of it and at the highest levels they are making it their KPI to combat this entire ecosystem of different scam typologies and different attack vectors so that they can make their base more profitable and have better quality deposits,” he said. “That’s where my hope is that this trend continues, where banks are getting more aware of what needs to be done and taking action.”

The post Escalating Scams Demand a Dedicated Response appeared first on PaymentsJournal.

As many banks have scaled back branch networks, automated teller machines have become essential pillars of the financial services infrastructure. But that autonomy has also made ATMs attractive targets for hacking, exploitation, and physical breach.

ATM “jackpotting” combines these tactics. Criminals gain access to a machine’s cabinet—often using widely available generic keys—then either inject malware into the existing system or swap the hard drive for an infected one. Once installed, the malware enables bad actors to force the machine to dispensing cash on command.

While the technique itself isn’t new, the Federal Bureau of Investigation recently warned that incidents are rising, citing more than 700 reported cases last year resulting in roughly $12 million in losses.

“The resurgence in ATM jackpotting in the U.S. just reiterates the adage: ‘Everything old is new again,’” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “ATM jackpotting became popular back in the early 2000s when IBM retired OS/2, the operating system used by ATMs worldwide.”

“With that operating system retirement, ATMs migrated to Windows,” she said. “That opened the floodgates for attackers, as vulnerabilities in Windows OS were easily exploited, either through an attack against the network or via a physical attack that involved locally installing malware via a thumb drive. Like any connected device running common software, ATMs must be regularly scanned and software-updated.”

On All Fronts

This fraud trend adds another layer of complexity for financial institutions already contending with relentless attacks. Many schemes focus on account takeover or social engineering, pressuring customers to sending payments or act as money mules.

Jackpotting highlights a parallel and troubling shift: criminals are using advanced technology to attack banks’ systems directly. Sophisticated malware, similar in capability to tools deployed in ransomware attacks, can disrupt operations at scale.

Recent incidents illustrate the stakes. An attack on payments provider BridgePay knocked systems offline and left customers without service for weeks.

Pervasive Threats

All these technology threats are supercharging the capabilities of already-impactful fraud groups.

“This latest report does not highlight what new techniques or tactics attackers are using in their latest ATM-jackpotting sprees, but I suspect the same techniques that proved fruitful more than 20 years ago are proving fruitful today—a socially engineered attack waged against an admin with rights and privileges allows access to the ATM or the physical ATM is compromised by criminals feigning to be employees or maintenance,” Goldberg said.

“Vigilance, as always, that is based on a model of zero-trust is the best way organizations can secure their networks and all of the devices—including ATMs—connected to them,” she said.

The post FBI Warns ATM Jackpotting Fraud Attempts Are Back on the Rise appeared first on PaymentsJournal.

In a rare victory against elder financial fraud, KeyBank has recovered $2 million stolen from some of its oldest customers—a reminder that swift action and oversight can make all the difference. According to the FBI’s Cleveland field office, every victim in the case got their money back.

The scheme exploited the most vulnerable: Yue Cao, a former quantitative analytics manager at KeyBank, fabricated online banking profiles for clients over 90 and funneled their savings into accounts he controlled. He deliberately targeted customers who had never used online banking, making the theft less likely to be noticed. In one shocking instance, he even opened an account for a man who had already passed away.

A Vulnerable Population

KeyBank’s internal fraud detection team flagged the unusual activity and quickly referred the case to the FBI before the victims were even aware. Earlier this month, a federal jury convicted Cao on ten counts of bank fraud, four counts of aggravated identity theft, and one count of money laundering.

Elder financial abuse remains widespread. The FBI’s Internet Crime Complaint Center reported a more than 40% increase in complaints from people over 60 in 2024. American adults in this age group lose an estimated $38.5 billion annually, with average losses reaching $83,000.

Guidance for Banks

KeyBank’s proactive approach demonstrates how vigilance and early intervention can protect vulnerable customers and recover stolen funds. It sets an example for other banks to educate and safeguard their clients before it’s too late.

“First and foremost, when working with scam victims, leading with empathy is the most important takeaway,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “Banks need to treat the victim as just that—a victim—and not as a burden to the bank. Working with empathy and compassion helps to reduce the emotional toll victims face in the wake of a scam, which is often a leading reason why many scam victims don’t report their crimes.

“Banks should also manage expectations for the victim during the resolution process,” she added. “How long will it take? Who can they contact with questions or follow-up information? What’s next? Lay out the steps the bank is taking, the steps the victim may need to take, and expected timelines. Being transparent about the process eases stress and frustration in an already stressful situation.”

The post KeyBank Recovers $2 Million in Elder Fraud Scheme appeared first on PaymentsJournal.

The Iron Triangle of Service suggests that a product can be good, fast, or cheap—but not all three. That adage has taken on new meaning in the world of instant payments, where speed has often come at the expense of fraud detection. Is it possible to deliver payments that are both fast and secure, or must financial institutions choose one over the other?

A new report from Javelin Strategy & Research, Foolproof Payments: How AI Is Revolutionizing Payment Fraud, explores that question in the age of artificial intelligence. In the study, Jennifer Pitt, Senior Analyst of Fraud Management, examines where fraud prevention processes have fallen short and how banks can use AI to strengthen payment oversight.

No Time for Suspicion

In the past, organizations had at least some time to evaluate a payment as it moved through the system. Check transactions, for example, can take several days to clear, with multiple institutions involved that can intervene if something suspicious arises.

Real-time payments eliminate that buffer. Once a payment is sent, it’s gone. While a bank may later reimburse a customer or dispute the transactions as fraud, it no longer has the option to simply stop the payment before it settles.

Consumers have come to expect faster payments. At the same time, many understand that effective fraud prevention may require some friction—small steps to ensure they are not being victimized and are not unintentionally committing fraud. Educating consumers about the necessity of that friction is important, but so is striking the right balance. In fact, some early real-time payments prioritized speed over security. Many, including Zelle and Cash App, have since shifted course to strengthen fraud protections.

Signs of Fraud

With real-time payments, the key is identifying potential fraud before the customer clicks “yes” and completes the transaction. That requires analyzing historical and behavioral data: device intelligence, account activity patterns, and user behavior. Is the device being held differently? Is the login occurring from an unusual location? Are there sudden changes to account credentials?

Consider account takeover fraud. A criminal may first log in, then change some account details—adding a new email address or username. The next logical step is initiating a transaction. If that suspicious activity is flagged and stopped early, the fraudulent payment never occurs. That is the new frontier in payment fraud prevention: shifting from stopping fraud at the transaction level to preventing it before a payment is ever initiated.

“Consumers can’t wait a week to make transactions, but organizations need to make sure that their customer is a legitimate customer, not a bad actor, and that we’re protecting those customers from fraud,” said Pitt. “AI tools can look at things like behavior, customer device intelligence, and looking at historical information can help speed that up.”

Making Authentication Work

Authentication inevitably introduces friction. Asking a customer to retrieve a code from their phone or email adds steps to the process. FIs need to make that friction as seamless as possible, minimizing unnecessary hoops. Technologies such as passkeys and biometrics can replace cumbersome multi-step verification processes that require users to move between devices and applications.

“Financial institutions can introduce barriers like step-up authentication if there’s a higher risk that’s flagged,” said Pitt. “If I log into my account every day from Switzerland for 20 years, then one day I log in from Taiwan, that could be normal. I could have moved, but I didn’t tell the organization. So now they might do a step-up where I have to do another authentication to make sure that it’s me, then they would verify the new location.”

The Criminals’ Advantages

Banks and financial institutions must comply with privacy and security regulations while also avoiding excessive customer friction. Criminals face no such limitations.

On top of that, criminals are evolving rapidly with the help of AI. As AI capabilities advance, criminals are using these tools in real time, refining their tactics and making yesterday’s schemes even easier to execute today.

Banks, by contrast, often must navigate approvals, bureaucracy, and red tape, By the time new safeguards are implemented, they may be respondent to last year’s fraud trends. Focusing solely on the threats directly in front of them ensures a perpetually reactive strategy.

AI offers FIs a way to close that gap. While banks may never stay fully ahead of criminals, advanced AI tools can help them keep pace, and in some cases, anticipate emerging threats.

“There’s a lot of attention now on mobile check deposit fraud,” said Pitt. “Well, we should have known that 20 years ago when we had physical checks and moved to mobile deposit. We focus on the fraud that we see, not the potential fraud, and we need to shift our thinking. It’s like a triage patient—you have to stop the bleeding right there, but you have all these other patients coming in. We only address the immediate fraud that we have in front of us, and we never plug the hole.”

Pay Now, or Pay Later

One of the ways in which banks can be more effective is by reallocating resources. Many banks still rely heavily on manual reviews, generating overwhelming volumes of alerts—often with false positives as high as 99%. Human teams spend a lot of time investigating benign activity instead of focusing on actual threats. By using technology to filter routine alerts more accurately, FIs can deploy personnel toward deeper investigations, rather than chasing false leads.

“It’s legacy technology that flags some of these alerts rather than using the proactive real time detection,” said Pitt. “We get the pushback that it is cost prohibitive, but as I always say, you’re going to pay on the on either end somehow. You’ll pay on the front end for the technology, or you’re going to pay on the back end for more personnel, consent orders and fines or fraud. There are things in the industry we should have been able to anticipate that we didn’t, like enumeration attacks or check fraud.

“We need to start looking at the entire landscape and seeing how we can better detect some of this. And we need to start thinking like fraudsters. If I were a bad guy, what would I do? Where’s the hole in the organization? Let’s fill that!”

The post Fighting Fraud in the Era of Faster Payments appeared first on PaymentsJournal.

As information highways have opened new avenues to the global marketplace, many business owners have been attracted to these new frontiers. However, there are unique challenges associated with cross-border operations that go far beyond currency conversions and product delivery. When businesses start moving money across borders, it introduces more gaps for cybercriminals who are increasingly adept.

At the heart of these issues is counterparty risk. In the current cross-border payments model, the recipient of the transfer is often verified through a process built on manual callbacks and spreadsheets. Given the technologies that bad actors now possess, it has become a significant challenge to effectively verify counterparties in this fragmented process.

This has created a vulnerability that criminals can exploit. Because these attacks expose organizations to financial and reputational risks, it is critical for businesses to implement solutions that can optimize the verification process.

The Unaddressed Gaps

Despite the challenges, the global market offers an enticing opportunity. Due to breakthroughs in digital payments, more small- to medium-sized businesses and financial institutions can now participate in the worldwide economy. According to the Bank for International Settlements, cross-border payment volumes are projected to reach $250 trillion by 2027, in part due to this increased participation.

However, these organizations are also exposed to the risks of a system that has been historically challenging. Many of these issues have arisen from the correspondent banking model which has dominated international payments for decades, where a chain of foreign and domestic banks work to complete a single payment.

This complex process often causes payments delays as each institution must perform their portion of the process and adhere to their policies and regulations. The intensive operation required to shuttle these payments along also leads to high transaction fees.

As these payments are routed, there is often a lack of visibility into the payment’s status within the process and any issues impacting it. What’s more, the regulatory demands and currency components of each region must be considered when processing cross-border payments.

All these issues make international transactions a lengthy, costly undertaking. Since many of these functions are still performed using manual processes, it also creates the potential for errors and misrouting along the way.

Unfortunately, bad actors are acutely aware of the issues that plague cross-border payments, and they are actively working to exploit them. According to TransUnion, global businesses lost an average of 7.7% of their annual revenue to fraud in 2025—mounting to an estimated $534 billion.

“According to that same TransUnion report, U.S. companies lost an average of almost 10% of their annual revenue to fraud,” said Jennifer Pitt, Senior Fraud Analyst at Javelin Strategy & Research. “Whether fraud losses average 7% globally or closer to 10% in the United States, the impact to a company’s bottom line is significant. While not all fraud can be prevented, unaddressed gaps in prevention and verification continue to contribute to financial loss.”

These challenges are often compounded by the ways organizations approach controls, risk, and friction in international transactions.

“In some cross-border payment environments, controls exist but have not kept pace with how organized fraud operates today,” Pitt said. “As a result, those gaps are exploited by criminal networks. This also introduces the potential for large-scale fraud operations. Consumers are generally willing to accept some level of friction, and some friction is often necessary in financial crime prevention.”

“Organizations must balance applying the right amount of friction to detect illicit activity while still meeting the demand for cross-border payments,” Pitt said. “Recognizing that consumers will tolerate necessary friction when it protects them against fraud should give organizations more confidence in addressing the lack of transparency and identity verification common in cross-border payments. When implemented correctly, these controls do not hinder payments in the way organizations once believed.”

The Tech-Enabled Threats

One of the reasons why fraud has outmatched current controls and defenses is that bad actors increasingly have access to more effective technologies.

For example, this tech has allowed hackers to perform more account takeovers, where they gain unauthorized access to a targeted account at an online financial institution. The FBI Internet Crime Complaint Center recently warned about an uptick in account takeover fraud that has already cost organizations millions of dollars this year.

Emerging technologies also allow bad actors to create and deploy malware and ransomware on a far greater scale. The initial point of entry for these attacks—and for the lion’s share of fraud attempts—are phishing messages.

The phishing messages of years past were easier to spot due to typos and grammatical errors, but this has changed. One of the reasons why today’s phishing attacks are more effective is bad actors are leveraging artificial intelligence. AI allows cybercriminals to craft better messages and send them on a wide scale.

According to a SlashNext report, there has been a 4,151% increase in phishing attacks since open-source AI was launched in late 2022. Beyond phishing, AI has also been used to create deepfake impersonations, synthetic identities, and phony documentation.

In addition to technical sophistication, fraud is increasingly perpetrated by organized fraud operations. These syndicates are well-equipped to deploy their messages and attacks on a global scale.

This environment has made fraud and increasing challenge for organizations and consumers. According to the Association for Financial Professionals, 79% of U.S organizations reported attempted or actual payments-fraud incidents in 2024.

All these fraud risks are exacerbated when sending money across borders. In addition to fraud threats, organizations must be cognizant of the threats from organized threat actors who use cross-border channels for money laundering or terrorist financing.

“Fraudsters and cybercriminals understand the limitations organizations face when identifying organized crime, including gaps in cross-border visibility,” Pitt said. “To skirt detection efforts and distance themselves from the crime, threat actors frequently use cross-border channels. And because fraud and money laundering incidents increasingly overlap, failing to detect one can mean failing to detect the other. This is also why it’s critical that teams are not completely siloed.”

“Many organizations still operate with separate AML, fraud, and KYC teams that rely on different systems and data sets,” she said. “When activity is viewed in isolation rather than across functions, it becomes significantly harder to identify risk accurately, particularly in real time. This is why the FRAML approach—a combined fraud and money laundering team—is still being heavily discussed and debated among fraud professionals.

“While the regulations may be different with fraud prevention and AML practices, the need to see the customer and activity holistically across all illicit activity often outweighs any outdated reasons for separate teams,” she said.

Moving Away from Manual Processes

The threat of cross-border payments means that organizations seeking to enter the global market must protect themselves. This means moving away from manual processes that open organizations to greater risk.

“Automation and data visualization tools are extremely helpful in quickly identifying counterparties and how they might be linked to one another,” Pitt said. “These tools can often uncover organized crime rings more easily than just relying on static data that is eventually manually analyzed by people just trying to make sense of mass amounts of seemingly unrelated information.”

Because threat actors have access to sophisticated technologies, organizations will have to adopt technology to protect themselves. Even as AI been exploited to create fraud attacks, so can it be used to identify and flag suspicious activity.

“Being able to detect reuse in identity elements (like name and date of birth, photo, and/or SSN) across multiple accounts can help identify synthetic identities as well as money mule accounts—high-risk typologies currently being used for fraud and money laundering,” Pitt said.

One of the most important challenges in international transactions is verifying that the party on the other end of the transaction is who they claim to be. In the correspondent banking model, each party conducts a series of manual checks to ensure the identity of the recipient.

However, after all these checks, banks are often left to trust that the counterparty is acting in good faith.

“There are still financial institutions that rely heavily on manual identity verification, using human review as the primary method,” Pitt said. “Advances in document fraud have made it easier for fraudsters to create convincing fake identity documents that can bypass weak verification processes, including those where in-branch professionals manually inspect IDs and documents for signs of forgery.”

“Many financial institutions are still relying on legacy KYC checks that are only done once—usually during onboarding—and annually after that,” she said. “KYC checks should not only focus on understanding each customer, but also take a risk-based view of the counterparties they transact with. Some banks only look at the customer in a vacuum and not holistically. And some don’t thoroughly explore counterparties.”

The Cornerstone of Risk Management

To address these challenges, LSEG Risk Intelligence developed its Global Account Verification (GAV) platform. GAV is an API-based and portal-accessible solution that verifies bank account ownership in real time across more than 45 countries.

The GAV platform helps organizations confirm counterparty account details before releasing funds which can significantly reduce APP fraud, failed payments, and compliance risks under PSD3, NACHA, and PSR1.

This platform is a gamechanger for organizations who are attracted by the global marketplace—but leery about the cross-border payments landscape.

“It’s just as critical to understand counterparties as it is to understand each customer,” Pitt said. “Doing what are essentially risk-based, mini-KYC processes for relevant counterparties, along with understanding how counterparties might be linked to different account holders, can help financial institutions identify organized crime and fraud rings.”

“Being able to vet who account holders are and who they do business with is often a cornerstone of basic risk management practices,” she said. “Failing to meet compliance requirements can lead to significant consequences like consent orders, lawsuits, fines, reputational risk, and customer attrition.”

The post Solving for Fraud in Cross-Border Payments Requires Better Counterparty Verification appeared first on PaymentsJournal.

A ransomware attack on U.S. payments platform provider BridgePay is having ripple across the country, leaving many entities—including restaurants and municipal organizations—unable to accept card payments.

BridgePay confirmed the attack last Friday, saying it had enlisted federal law enforcement as well as external forensic and recovery teams. According to a status update on the company’s website, the outage remains ongoing.

While the attack has rendered several core systems inoperable, the company said it has found no evidence of a payment card data compromise. BridgePay emphasized that any data accessed or stolen during the incident was encrypted.

Cash Only for the Time Being

Merchants that rely on BridgePay’s platform reported being forced to accept cash-only payments due to the card processing outage. Jimmy’s Roadhouse Bar & Grill in Michigan announced it could accept only cash on Super Bowl Sunday.

For municipal customers, the situation was more complex. The government of Palm Bay, Florida, reported that the city’s online billing payment portal was unavailable and didn’t have a timeframe for when the issue would be resolved. Residents were asked to make utility payments in person using cash, card, or check.

When Ransomware Fans Out

Ransomware attackers have increasingly targeted points of centralization in digital infrastructure, where an attack against a single provider can have cascading consequences for businesses nationwide—or even globally. An ransomware attack last year against Salesforce resulted in the theft of more than 1 billion customer records. More than 40 companies were affected, ranging from AirFrance to Walgreens. By accessing tokens and signing credentials, the criminals were able to move laterally and silently from one compromised vendor to another.

Another extortion campaign last year targeted Oracle’s E-Business Suite, giving criminals access to payroll, finance, and HR databases at numerous organizations. Nearly 30 major business were impacted, including Mazda and Estee Lauder.

Such incidents underscore the risks posed by centralized service providers and highlight the growing importance of cyber resiliency—the ability of organizations to withstand, adapt to, and recover from cyberattacks.

“Retailers and independent payments providers are at increasing risk because their cyber resiliency strategies have not evolved to address emerging risks,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Retailers and independent payments networks fail to address emerging cyber risks holistically. They need to bring in a proactive cyber resiliency mindset by investing more heavily in threat detection and prediction facilitated via cyberthreat and dark web intelligence.”

The post The Latest Wave of Ransomware Attacks: As Widespread as Possible appeared first on PaymentsJournal.

AI-generated deepfakes continue to pose a growing global threat, with investment opportunity scams emerging as the fastest-growing use case.

Between November 2025 and January 2026, the AI Incident Database documented more than a hundred separate deepfake incidents, many aimed at defrauding victims. Impersonation-for-profit is the “largest, most repetitive thread” in the latest reports. Researchers warn that these videos often feature familiar faces and trusted formats, creating credibility through seemingly official accounts.

Celebrity Sweepstakes

In many cases, politicians or celebrities appear to endorse a product or platform on social media. Victims are then funneled through a series of requests that ultimately ask them to transfer money. Some examples from the most recent incident report, all circulating on Meta, include:

• A Thai news anchor and the CEO of the Miss Universe Organization promoting an online investment promising rapid, high returns.
• Greek Finance Minister Kyriakos Pierrakakis depicted endorsing fraudulent “high-yield” investment schemes.
• Australian billionaire Andrew Forrest shown endorsing a fraudulent crypto platform called Quantum AI.

Slow Down, Take a Beat

The key to these scams is what the AI Incident Database calls “industrialized plausibility.” These videos combine low-cost realism with widespread distribution and weak verification methods. So how can social media users tell the difference between these deepfakes and reality?

“From a technical perspective, spotting deepfake red flags can be a bit tricky,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “Pay attention to the edges and background of the focal point of the video. Look for blurring or warping in spots where it doesn’t look natural, and for mismatched or unaligned edges. Lighting and shadows are also a dead giveaway. If the lighting on the person doesn’t match up with the background or room. If there’s any audio component, listen for pacing and tone, and keep an ear out for any odd sounds or unnatural cuts or edits.

“If there’s even a hint of a doubt if something might be a deepfake or AI-generated, search on your own for verified sources for the offer,” she said. “In the instances of investment opportunity deepfakes, if it seems too good to be true, it probably is. Many scams rely on a sense of urgency to drive the victim to act immediately, but this is the time to slow down, take a beat, and do your research.”

The post Staying on Guard Against the Growing Use of Deepfakes appeared first on PaymentsJournal.

Many of the fraud threats facing organizations today are not new. However, the convergence of these threats—combined with ever-evolving technologies—has created a formidable challenge for cybersecurity teams.

This environment is calling some of the most fundamental security tools into question and threatens to permanently reshape the cybersecurity paradigm.

As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, detailed in the report, 2026 Cybersecurity Trends, there are three main threats that loom large, including increasingly sophisticated infostealers, quantum computing encryption decoding, and rising supply chain risks.

Removing Trust from the Chain

The supply chain is a critical channel for organizations, but it has also long been a point of vulnerability. This reality drove the adoption of controls such as Know Your Customer and anti-money laundering processes. Despite these safeguards, the current threat landscape is more perilous than ever.

“The threat landscape is growing—and exponentially—and the reason is because there’s more digital data,” Goldberg said. “Every third party that you work with, every organization that’s tethered in that supply chain has its own set of data, so you increase the exposure risk. Any third party that you’re working with, you’re only as secure as your weakest link.”

To address this risk, organizations must return to the fundamentals of a zero-trust approach. This requires assuming that no vendor, and no data, can be trusted until it is explicitly verified. While adopting this mindset is imperative, it also demands greater due diligence to ensure that vendors consistently adhere to rigorous security standards.

Compounding this challenge, cybercriminals now have access to increasingly sophisticated, AI-powered tools. As a result, organizations must monitor communications more closely to validate their authenticity. These steps are critical, but given the sheer scale and interconnected nature of supply chain risks, the most impactful solution would be an industry-wide effort.

“The email verification strategies like DMARC and DCAM are going to become increasingly important, because we’re going to have to constantly be re-verifying the authenticity of senders and recipients,” Goldberg said. “There’s no one solution or one answer, but we’re going to have to all be in agreement. Because whatever we decide, it’s going to have to be industry agnostic.”

Stymying the Infostealers

Infostealers represent another significant threat that requires a similarly holistic response. Infostealers are a form of malware capable of capturing large volumes of data from infected devices—including browsing activity, credentials, and even screenshots.

What makes infostealers particularly concerning is the speed at which they’re evolving. Many variants can now easily bypass security controls that were previously considered effective.

Consider the customer onboarding process at a financial institution. Customers are typically asked to create a username and password. If the customer is using Chrome, Google may suggest a strong password, one that meets length requirements, avoids personal information, and includes a mix of characters. This password is then stored in Google Password Manager.

“The challenge is that with these emerging infostealers, they’re able to go in and capture your browsing history,” Goldberg said. “Even if you are a savvy user and you’re going in and clearing that browsing history and you’re clearing the cache every time you open your browser—which I would argue no one is really doing—these infostealers are able to go in and capture screenshots.”

“Even if you cleared the cache, if they’ve captured a screenshot of what your browsing history was, they’re also able to capture autofill data,” she said. “Any of those passwords that have been autofilled, they’re able to capture that, so they’re circumventing everything.”

This convenience can introduce downstream risk. For example, when a financial institution detects suspicious card activity, it will usually close the compromised card and issue a replacement. Because many cards are stored in digital wallets, customers often receives a digital card immediately, with the card number automatically updating in their wallet before a physical card arrives.

If an infostealer has already compromised the credentials used to access that digital wallet, a criminal could gain immediate access to the new card number as well.

“A lot of banks don’t appreciate how sophisticated these infostealers are,” Goldberg said. “It comes back to the fact that we have to get away from usernames and passwords. The only thing I can think of at this point that’s going to help us get over the hump is something like YubiKey, which is that physical hard key token that you would have to have on your person when you login to the online banking or the mobile banking.”

“Ultimately, what we have to decide as an industry is how are we going to get beyond passwords,” she said. “Until then, we have to get to a place where we as an industry are reauthenticating those users on a more regular cadence. Maybe it has to even happen as often as once every two weeks. That’s going to be a huge shift for the industry, it’s going to require a massive overhaul in culture and in technology on the bank side, and I don’t think we’re there yet.”

Cracking Quantum Computing

While a complete move away from traditional usernames and password may not be imminent, continued advances in computing could eventually force a shift in authentication and encryption protocols. One of the most consequential developments is quantum computing, which applies the principles of quantum mechanics to solve highly complex problems.

Quantum computing holds tremendous potential across many domains, including cybersecurity. However, bad actors are also exploring ways to exploit its capabilities. For example, a recent study by a Google researcher found that quantum computers could crack a 2048-bit RSA encryption key, a common online data security standard, in less than a week.

“We’re close to where quantum computing is going to break encryption,” Goldberg said. “This goes back to the whole risk that we see with the way we’re securing data today. Data is tokenized or encrypted; card numbers are tokenized as they’re transmitted as this is a requirement for PCI compliance.”

“If quantum computing is able to break that encryption, then we’re ultimately sending card data in the clear and it’s setting us back 20 years,” she said. “Tokenization will mean nothing.”

This is not the first time that expanding technologies have prompted a change in encryption methods. A decade ago, Triple DES was the encryption standard, but as criminals’ capabilities increased, vulnerabilities in the format were exposed.

This caused organizations to shift to the more robust Advanced Encryption Standard (AES). Unfortunately, a similar scenario may be playing out with AES.

“We have to start thinking ahead to how we are going to secure data, and maybe it means we hold less data,” Goldberg said. “It could go back to where consumers are having to input data all the time. It’s a challenge because the data is out there; the data’s not going away. We’re just adding more to the digital footprints.”

“Maybe that’s going to require us to take a step back,” she said. “Maybe that’s going to require us to manage the digital data in a different way and maybe it’s a combination of things where we continue to rely on digital data, but it has to be coupled or partnered with something that’s more tangible and physical.”

The post The Fraud Epidemic Is Testing the Limits of Cybersecurity appeared first on PaymentsJournal.

The rate of phishing attacks is accelerating, with spam filters flagging one email every 19 seconds last year, up from 42 seconds the previous year.

A major driver of this uptick is artificial intelligence, which has rapidly become a core component of fraud operations. In addition to speeding the deployment of phishing campaigns, AI is enabling cybercriminals to create highly adaptive messages to capture users’ attention.

AI can personalize logos, phrasing, signatures, and links for specific victims, and can even compose messages in multiple languages with grammatical accuracy. In a study by Cofense, over three-quarters of malicious URLs found in phishing emails were unique links.

Peppering the Message

Phishing attempts have mimicked major brands and entities since their inception, but the convergence of new technologies has made impersonation scams more effective than ever. Bad actors can now scrape data from the web and use it to pepper messages with personal details.

Much of this data is readily disclosed by consumers on social media. At the same time, social platforms themselves have become alternative channels that criminals can exploit to reach victims. For example, LinkedIn messages have become a common phishing avenue because many professionals access the platform on company devices, while many organizations have yet to implement stringent filtering for LinkedIn communications comparable to email security controls.

The Primary Vector

Although phishing has become the primary attack vector for cybercriminals, these messages are often just the first step. The Cofense report found a 204% year-over-year increase in phishing emails that delivered malware last year.

Malware like infostealers or remote access trojans (RATs) can have significant consequences. RATs allow bad actors to gain control of all or part of a user’s system, while infostealers can collect vast amounts of behavioral data that go well beyond login credentials.

AI can also play a role in malware management and data extraction once systems are compromised. However, current use cases may only be the tip of the iceberg. Credit bureau Experian recently identified AI agents as the top fraud threat this year, warning that agentic AI could soon autonomously handle many aspects of fraud operations.

The post AI Drives Sharp Rise in Phishing Volume appeared first on PaymentsJournal.

As one of the three major credit bureaus in the United States, Equifax has broad visibility into consumer credit behavior. In recent years, one notable trend has been the rise of first-party fraud, in which consumers knowingly exploit organizational policies for financial gain.

First-party fraud, sometimes referred to as consumer-engaged fraud or friendly fraud, can take many forms. One commonly cited example involves shoppers who purchase items online with the intent to return them and pocket the refund.

Equifax is leveraging its access to credit data to address two other prevalent forms of first-party fraud: loan stacking and credit washing. Loan stacking occurs when consumers rapidly apply for multiple loans with no intention of repayment, while credit washing involves attempts to remove negative information from a credit report.

To detect these patterns, Equifax is deploying its Credit Abuse Risk predictive model. The model’s primary objective is to identify suspicious application behavior in real-time, enabling lenders to be notified immediately and respond accordingly.

Justifiable Fraud

Stronger defenses are increasingly necessary, as first-party fraud has become the most common form of fraud. One reason for its growth is that many customers don’t view it as genuine fraud. Data from FICO found that nearly a third of respondents believe lying on credit applications is either justifiable under certain circumstances or simply common practice.

This mindset has been shaped by several factors, including digital anonymity and mounting economic pressure. In recent years, high inflation and elevated interest rates have ramped up financial stress, while credit card debt has prompted lenders to tighten underwriting standards.

As a result, some consumers feel validated in gaming their credit profiles or inflating details on loan applications.

When the Criminal Is a Customer

The proliferation of first-party fraud has created a new paradigm for the financial services industry, as threats increasingly originate from within the customer base rather than from external attackers. When the criminal is a customer, many organizations lack the tools and processes needed to identify and mitigate the threat.

Further muddying the waters is the emerging era of agentic commerce. As AI agents increasingly make purchases on behalf of consumers, organizations will face a host of new questions around responsibility in returns, accountability, and liability in cases of fraud—whether first-party or otherwise.

The post Equifax Launches Credit Abuse Risk Model to Detect First-Party Fraud appeared first on PaymentsJournal.

Crypto money laundering has surged at a staggering pace, reaching at least $82 billion last year, up from just $10 billion in 2020. As crypto markets have become more liquid, laundering operations have grown more sophisticated and more brazen, operating openly across messaging platforms and blockchains while governments struggle to keep up.

Much of the growth in crypto laundering has come from Chinese-language money-laundering networks, according to the report from Chainalysis. Those groups processed nearly $40 million worth of crypto per day in 2025. Chainalysis estimates that Chinese networks now launder more than 10% of the funds stolen worldwide in so-called “pig butchering” scams.

Moving to Social Media

These networks rely heavily on social media messaging platform Telegram, which is headquartered in Dubai. Telegram not only connects buyers and sellers of laundering services but also functions as an escrow hub.

Services such as money mules, OTC desks, and gaming sites began appearing on the platform in early 2020, during the onset of COVID-19. Over time, these social platforms have largely supplanted centralized crypto exchanges, many of which have tightened security controls in recent years.

The international nature of these scams, and the movement of funds across borders, has complicated law enforcement efforts. China, for its part, says it prosecuted more than 3,000 individuals for crypto laundering in 2024. There have also been some successful attempts at international collaboration. In October, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN), announced they had worked with the UK’s Foreign, Commonwealth, and Development Office to dismantle the Huione Group, which laundered roughly $4 billion from digital currency scams.

Anatomy of a Scam

Just this week, the U.S. Justice Department announced that Chinese national Jingliang Su was sentenced to 46 months in prison for his role in laundering millions of dollars in crypto. According to prosecutors, the criminals first contacted victims through social media, text messages, and online dating services to build trust. Su’s group then steered them into fraudulent crypto investments, using fake websites designed to mimic legitimate trading platforms. 

More than $36.9 million in victim funds was ultimately transferred from U.S. bank accounts to a single account at Deltec Bank in the Bahamas. Deltec converted the funds into the stablecoin Tether before transferring the assets to a digital wallet controlled by Su’s group in Cambodia.

The post As Crypto Money Laundering Soars, Governments Seek Ways to Fight Back appeared first on PaymentsJournal.

WEBINAR

How Consumer Insights Are Changing the Fight Against First-Party Fraud

February 18, 2026

1:00 pm EST

[contact-form-7]

How Can Banks Turn Disconnected Data Into Fraud Prevention?

First-party fraud continues to be one of the most complex and costly challenges facing the banking industry. As fraud tactics evolve and customer expectations rise, many institutions struggle with fragmented data, siloed teams, and slow decision-making. Yet, the most powerful tools to fight fraud are often already inside the organization—hidden in plain sight within existing consumer data.

Join us on February 18 as Craig Agulnek, VP of Product Management at Quavo, Brady Harrison, Head of Strategy & Execution at Equifax, and Jennifer Pitt, Senior Fraud Analyst at Javelin Strategy & Research explore how banks can turn disconnected information into actionable intelligence.

In this webinar, you will gain insights into:

• How to embed insights directly into fraud workflows
• How to build a unified, reliable source of truth across systems
• Real-world strategies that reduce losses, speed resolution times, and improve the customer experience

Our Presenters

Craig Agulnek

VP of Product Management

Brady Harrison

Head of Strategy & Execution

Jennifer Pitt

Senior Fraud Analyst

The post How Consumer Insights Are Changing the Fight Against First-Party Fraud appeared first on PaymentsJournal.

As more financial institutions deploy artificial intelligence for key functions such as credit assessments, a group of UK lawmakers has raised concerns that the industry may be unprepared to withstand a major AI-related incident.

The lawmakers recently advised the Financial Conduct Authority and the Bank of England to implement AI‑focused stress tests that could help financial services firms navigate potential issues originating from the technology.

The committee also called on the UK to take a more proactive stance in addressing these risks. For example, it recommended that the FCA publish guidance clarifying how consumer protection rules apply to AI, as well as the extent to which senior financial services managers are expected to understand the AI components embedded in their systems.

Flaws and Risks

According to the report, these measures are increasingly necessary given the substantial risks posed by AI. Flaws often present in this nascent technology could lead to inaccurate credit decisions, elevated fraud risks, and the spread of misinformation.

The report further highlighted the concentration risks associated with major AI models, which are largely facilitated by leading U.S.-based tech giants. These centralized systems could skew consumer decision-making and foster herd behavior in financial markets.

What’s more, UK lawmakers stated that the emergence of agentic AI—and the rush to embrace agentic commerce—has created a potential inflection point for financial institutions. This sentiment was echoed by Experian, which noted that merchants and financial institutions currently lack the tools to differentiate between legitimate AI agents and malicious bots.

The Current Conundrum

Despite these concerns, the dynamic benefits of AI ensures it will remain a priority for financial institutions.

Data from FIS shows that over three-quarters of business and technology leaders believe AI has strengthened their organization’s fraud detection and risk management capabilities. Roughly half of respondents also said their organizations plan to ramp up AI investments over the next two years.

At the same time, a Bank of England official recently underscored that the UK financial industry isn’t fully utilizing data analytics for fraud detection. This highlights the central dilemma facing many FIs: leaders must create strategies that maximize AI’s benefits while mitigating its inherent risks.

The post UK Regulators Voice Concerns About AI’s Role in Financial Services appeared first on PaymentsJournal.

Artificial intelligence is helping shoppers find items and compare prices, but it also introduces new risks. According to Experian, the top fraud threat this year is AI agents and their potential to disrupt the evolving retail landscape.

In the past, merchants and financial institutions relied on blanket defenses to identify and neutralize any activity originating from bots. That approach is no longer sufficient as agentic commerce gains traction this year, leaving organizations struggling to distinguish malicious bot traffic from legitimate AI agents.

Experian notes that issues are heading into a crisis that will demand proactive responses, pushing organizations and regulators to examine liability obligations and the regulatory framework governing agentic commerce.

An Accelerating Threat

Even without widespread agentic activity, fraud is accelerating. Criminals can now craft highly targeted messages, and social media has become a breeding ground for scams.

These fraudulent messages are increasingly difficult to detect because cybercriminals use AI to generate realistic communications. Bad actors also leverage AI to create deepfakes, tricking employers to gain access to remote jobs or deceiving consumers into sending funds. This functionality has made deepfakes the second most impactful fraud trend of the year, per Experian.

“Consumers will always be the weakest link,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Socially engineered schemes, whether driven by AI or not, will continue to fool consumers into clicking on malicious links, friending malicious actors they do not know, and giving out personally identifiable information about themselves. AI just makes the risk of socially engineered attacks more targeted and personal, which is a real worry for businesses’ customers and employees.”

“Enhanced email and firewall security while become increasingly critical to protect employees from themselves, and more businesses, financial services in particular, should consider providing ancillary security services, such as identity theft protection, to their customers that includes firewall provisions, virtual private networks, and spam filtering for text messaging and emails.”

Dynamic But Nascent

It is no coincidence that these threats leverage one of the most powerful technologies of our time: AI. Unfortunately, bad actors have been able to harness AI capabilities faster than many organizations, which are often constrained by regulatory, customer, and internal considerations.

Some organizations, however, have begun to take defensive action. Amazon has blocked third-party bots, including AI agents, from interacting with its platform. The e-commerce giant even went so far as to take legal action against AI platform Perplexity, seeking to block its AI agents from shopping autonomously on Amazon.

While this may provide a short-term solution, consumers are increasingly comfortable with using AI in retail settings—at least in certain contexts. As a result, agentic commerce is reaching a crossroads, where all stakeholders must define the roles and permissions AI agents should be granted.

These considerations could further delay the fully adoption of this dynamic yet still nascent technology.

The post Experian Raises Concerns Over Emerging Agentic Commerce Fraud appeared first on PaymentsJournal.

The rise of artificial intelligence is coinciding with a shift toward instant payments that are increasingly difficult to stop once fraud occurs. Real-time payments put a stopwatch on fraud prevention, leaving businesses with only moments to detect and respond to suspicious activity.

Striking the right balance between frictionless customer experiences and strong controls is becoming a critical challenge for businesses. In a recent PaymentsJournal Podcast, Dal Sahota, Global Director of Trusted Payments at LSEG Risk Intelligence, and Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research, discussed the importance of collaboration and highlighted how AI has become a double-edged sword—assisting fraud prevention teams while also giving criminals more sophisticated tools.

A Growing Concern

OpenAI tools have enabled scams to scale, increasing their ability to penetrate markets across the globe with minimal friction. Javelin’s research found that 88% of consumers are concerned that AI will be used to commit identity fraud against them.

“What I’ve been hearing more is voice can’t be trusted and video can’t be trusted,” said Sahota. “The scale has increased, meaning that the cost of committing fraud is very low, meaning that the potential gains that the frauds can go after are even more exponentially higher year on year.”

Sando added: “We’re all confident that the number one tool that’s going to be used by fraudsters is AI. We’re going to see a shift in focus to more manipulation and social engineering tactics versus just the more traditional way of trying to gain unauthorized entry into an account.”

Faster Payments, Faster Fraud

The rise of faster payments also means faster fraud. When money moves instantly from one domestic account to another, the sender often has little to no recourse to recover funds—regardless of whether the loss stems from fraud or simple error.

In cross-border payments, fraud exposure rises exponentially, and the likelihood of recovering funds is even lower. While some countries offer consumer and business protections that can partially offset these losses, reimbursement is typically limited to specific regulatory or legislative corridors.

Overall, the longstanding processing delays built into traditional payment channels have effectively disappeared. As a result, real-time detection and prevention of suspicious activity are no longer optional—they’re essential.

Detecting Legitimacy Is Paramount

Organizations should be analyzing every piece of data available to them to gain confidence in who is authorizing a payment or purchase. This includes the need for stronger shared network data and deeper network intelligence. Without access to that intelligence, organizations are likely to miss important signals—often at the exact moment they matter most. Detecting those signals in real time can prevent significant financial losses for customers and reduce future instances of identity fraud.

The challenge lies in navigating this process in real time: collecting and analyzing information using faster, more accurate data signals at speed. This requires evaluating biometric attributes tied to the device and the transaction, as well as determining what constitutes normal versus abnormal behavior.

How the Good Guys Use AI

More transactions are conducted digitally than ever before, with trillions of transactions and a quadrillion dollars in value exchanged each year. How is it possible to identify a bad or suspicious transaction amid all that activity? One emerging answer is the use of AI.

When combined with robust data and existing defense mechanisms, AI adds another layer of protection against attackers who are themselves using AI illegitimately. However, AI must play a proactive role—taking the offense in ways that can prevent fraud before it happens, not just detect it after the fact.

Criminals can take greater risks and move faster because they’re not constrained by AI governance or risk management teams. To keep pace, fraud prevention teams need strong collaboration and the elimination of organizational silos. This enables them to adopt AI responsibly as it evolves, close the gap with criminals, and ultimately get ahead of them.

Another major trend is the focus on authentication and identity proofing. Many banks are recognizing that they are losing confidence in the true identity of the user on the other end of a transaction.

“How can we trust that transaction if we can’t even trust the person who may or may not be authorizing it?” Sando said. “That’s going to be particularly important as we see a rise in deep fakes and synthetic identities that are aided by AI.”

Minimizing (but Not Eliminating) Friction

This is also an important moment for organizations to consider what their optimal level of friction should be. The conversation often centers on balancing friction with the consumer experience, but the goal should be less about eliminating friction entirely and more about applying it where it matters most. Effective friction comes from confidently verifying who is being paid or confirming that biometric data aligns with patterns observed across recent transactions.

Contextual signals such as biometric behavior, rich transaction data, and network and device intelligence provide valuable insight without creating unnecessary friction for consumers. These signals allow organizations to make confident decisions about whether fraud or suspicious activity is present without compromising the customer experience. When suspicious behavior is identified, authentication measures can then be appropriately escalated.

“When businesses make payments, typically to their suppliers, those can be 30, 60, even 90 days out,” Sahota said. “And one of the areas that we’ve been working on is how can we create tools to verify who they’re paying well in advance of when they pay. The friction is done much earlier, but it’s the right level of friction.”

Fostering Collaboration

True market leadership today depends on deep collaboration—partnerships that go beyond traditional boundaries to address challenges collectively. One area where this is starting to take shape is in the sharing of fraud insights across market participants, enabling faster detection and smarter prevention strategies.

“If we look at how our organizations manage fraud, whether that’s a bank, fintech or a multinational corporate, typically it’s done in some level of isolation,” said Sahota. “We need to get better with our cross industry and cross-border collaboration and data sharing. That’s where we have the strongest shot at reducing fraud and scam losses.”

But these efforts must evolve far more rapidly and on a larger scale. Fraud networks operate globally, and the response to them must match that scope and sophistication.

“A private-public sector collaboration and partnership would allow connections between everyone who has something to bring toward solving the problem,” Sahota said. “When we work together, we will get in front of the problem, and we will beat the fraudsters in their game that they play.”

The post Faster Payments Demand Faster Fraud Detection appeared first on PaymentsJournal.

A multi-year crypto theft ring has been traced back to Russian hackers who stole sensitive data from LastPass. Armed with that information, the criminals were able to access roughly 30 million users’ vaults and steal more than $35 million in cryptocurrency.

The scheme began in 2022, when cybercriminals breached LastPass, a tool millions of people use to store their passwords securely. Using the stolen information, they were able to break into the very crypto vaults the password manager was designed to protect. Although those vaults were also password-protected, the criminals reportedly took the systems offline, giving them time to figure out how to unlock them.

According to Blockmanity, many users relied on LastPass as their primary layer of security, leading some to use weak master passwords, like “password123.” The breach continued through 2025, with new waves of wallet drains indicating that the criminals continued to successfully access users’ vaults and steal thousands of dollars in crypto.

An Increasing Vulnerability

For years, password managers have been largely effective against hacking attempts. But recent crypto thefts underscore that users need to protect themselves at every step of the process. If master passwords had been stronger, the criminals would have had far less success.

“To access password manager vaults, consumers use basic usernames and passwords,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Any credential or account secured by traditional security and authentication methods, such as username and password, are increasingly vulnerable, especially when those passwords are saved in browser history and autofills.”

“If those credentials are compromised, then hackers can access all of the credentials saved in the password manager vault, bypassing encryption, especially if those same credentials are saved in browsing history and autofill data,” she said. “These areas are increasingly being targeted by malware strains that fall under the infostealer category.”

Slow-Motion Hacking

The incidents also highlight how long these breaches can unfold. LastPass discovered that portions of its source code and proprietary technical information had been stolen shortly after the 2022 breach. The company took steps to minimize the damage, including advising users to change their master passwords.

Despite these efforts, the thefts continued for three years. The stolen data gave the criminals ample time to break into crypto vaults.

The post Weak Master Passwords Led to the Theft of Millions in Crypto appeared first on PaymentsJournal.

The revised Payments Services Directive (PSD2) was designed to facilitate open banking in the European Union while also providing consumers with protections in the new digital payments paradigm. Although these measures have largely achieved their objectives, the evolving fraud threat has continued to drive losses.

A joint study by the European Banking Authority (EBA) and the European Central Bank (ECB) found that, even though the incidence of fraud in the EU remained stable from 2023 to 2024, the total cost of fraud increased from €3.5 billion in 2023 to €4.2 billion in 2024.

These losses occurred despite the largely successful implementation of the Strong Customer Authentication (SCA) requirements under PSD2 in 2020. The report highlighted that transactions leveraging the protocol were generally less susceptible to fraud than those that did not, especially card payments.

Despite this success, the ECB and EBA noted that fraud has persisted because bad actors have adapted their tactics, either by targeting transactions which occur outside of SCA or by tricking consumers into initiating payments themselves.

Stepping Up Scams

These social engineering techniques are part of a broader trend. As the impacts of fraud have grown, many companies and governments have bolstered fraud defenses and controls to rein in bad actors.

As a result, criminals have turned to scams that target consumers directly. Some of the most common scams involve criminals posing as legitimate entities, such as in fake emails from major retailers asking for urgent account action or phony text messages from government agencies demanding payment for unpaid tolls or fines.

While the primary goal of these messages is to trick users into sending funds, there has also been an increasing incidence where consumers being used as money mules—either willingly or unwittingly—to  move money for nefarious purposes.

Shifting the Focus

This shift in focus to the end user is why fraud has continued to accelerate despite better regulations and defenses.

ECB/EBA’s data underscores this challenge. Even though SCA protocols were adopted just five years ago and have been successful, cybercriminals rapidly shifted their tactics to account for it. This is largely because bad actors don’t have to go through pilot programs or review boards to implement their operations.

For organizations to catch up to these cybercriminals—especially as technology has evolved—they will have to shift their mindset and think outside the box.

The post EU Payments Fraud Rises Despite Effective Authentication Measures appeared first on PaymentsJournal.

While ransomware remains a billion-dollar problem, total payments actually declined between 2023 and 2024, according to a data from the Financial Crimes Enforcement Network (FinCEN).

The Financial Trend Analysis shows that ransomware incidents dipped slightly in 2024 to 1,476 individual reports, with total payments amounting to $734 million. That’s down from the 1,512 reported attacks and $1.1 billion in payments recorded in 2023—both all-time highs. The median ransom payment size also fell, dropping to $155,257 in 2024.

Still, ransomware continues to be a costly threat. Across the three years covered by the FinCEN report, entities paid out more than $2 billion in ransom payments.

Governments Team Up

The drop appears to stem from governments around the world taking a more aggressive action against ransomware operations. The report specifically credited disruptions to two major hacking groups: ALPHV/Blackcat in December 2023 and LockBit in February 2024.

Since then, several government entities have taken additional steps to curb the ability of ransomware criminals to get paid. Last month, the U.S. Treasury Department, in partnership with Australia and the UK, announced sanctions against Media Land for supporting online ransomware operations. At the same time, the U.S. and UK sanctioned individuals affiliated with Aeza Group, which was charged with providing web hosting services to ransomware groups.

The UK is also moving forward with plans to make it a criminal offense for public entities to pay cybercriminals who are holding their data hostage, and to require businesses to notify the government before making any ransom payment. However, the exemptions would apply in cases involving national security.

Local Efforts

Smaller governments are also taking steps to fight the problem. In August, a year after the city of Columbus fell victim to a massive ransomware attack, the state of Ohio mandated that local governments establish cybersecurity training requirements for all employees and report cyberattacks to the Ohio Department of Public Safety. Additionally, officials may only pay a ransom with the approval of the government’s legislative body.

Similarly, the state of New York adopted new rules requiring municipal and public authorities to report any cybersecurity incidents within 72 hours. Any ransomware payment must be reported within 24 hours to the New York State Division of Homeland Security and Emergency Services.

The post Ransomware Payments Dwindle as Governments Fight Back appeared first on PaymentsJournal.

As technology becomes increasingly sophisticated, so do the scams criminals use to prey on unwitting victims. The new 2026 Fraud Management Trends report from Javelin Strategy & Research focuses on three schemes to watch for in the coming year and beyond. The schemes involve money mules, agentic bots, and phantom hackers.

Suzanne Sando, Javelin’s Lead Analyst in Fraud Management and a co-author of the report, hopes the study will prompt financial institutions to get in front of these scams before they get worse. But she is not optimistic. “We’re not going to see a dip in fraud and scam losses next year,” she said, “because I don’t think that we’re doing enough at all.”

The Changing Face of the Money Mule

There are multiple kinds of money mules. Some are 100% in on the scheme, while others may be turning a blind eye but suspect that what they are doing is not right. Some are scam victims who have been persuaded to complete a peer-to-peer transfer without getting paid for it. They don’t actually know that what they’re doing is a crime.

A younger group of consumers, ages 18 to 24, was asked what they would do if someone asked them to make a money transfer. Most said they would, especially if offered money to do so. There is a propensity for being willing to bend the rules a little bit for a payout, leading many people to become unwitting money mules.

Criminal mule ring organizations often reach out to college students or people who are out of jobs and looking for a quick payday. It often happens digitally, with a mobile check deposit through whatever channel the criminal has suggested. Or criminals will ask someone to go into a physical branch to deposit a check. Once the money is in the account, they can make their transfer or take cash out, or whatever the criminal requests.

Social Media Scams

We’re also seeing similar scam channels through a text message or email or a message through Facebook. Sometimes it’s a quick work-from-home job offer, something on the order of “I saw you were posting in the neighborhood group, and if you’re looking for some extra cash, I can help you out. All you have to do is this one little thing.”

“A lot of consumers who participate in mule activity don’t understand that what they’re doing is against the law and can result in fines and jail time,” Sando said. “Someone might say, ‘Hey, can you make this deposit for me? I’ll give you 50 bucks.’ So you think, well, who’s it going to hurt? It’s not going to hurt the bank. It’s not going to hurt me. It doesn’t feel like you’re really committing a crime. We have to explain to people that this is illegal and there are real repercussions for what you’re doing.”

Good Bot, Bad Bot

As agentic AI purchases come to the fore, they will present a whole new threat. How do we determine the difference between a good bot, an agent that’s actually making a legitimate purchase, and a bad bot that’s malicious and is doing something without a customer’s approval?

“You have certain behaviors that you can look for and certain signals,” Sando said. “But the fact of the matter is, a bot is a bot. They’re robotic. They act in a certain way that is not exactly like a human.”

A malicious bot that makes 500 quick purchases of the same product is obviously going to look suspicious, as opposed to an agent that should take some time to browse. But banks and merchants may not be ready to make those subtle distinctions.

“Either it’s an agent that is making this purchase on behalf of the consumer, or it’s the consumer themselves,” Sando said. “Those are the only two legitimate options in that scenario. If it’s anything else, we’ve got a problem. There has to be some sort of acknowledgment that this is an agent buying something on behalf of a consumer.”

Imitating the Bots

Sando thinks we are going to see criminals imitating agent bots. Criminals will code their own agents to impersonate a Visa agent and send a text or an email saying, “This is Visa’s new agent. Click here to sign up.” Conversely, a competitor agent might dangle an introductory offer for using the service. They can steal not only the victim’s money but also their personal financial information.

“We’re in for a world of hurt if we are not ready to put the controls in place and have a good understanding of what this means for a bank or a merchant,” Sando said. “If you’re not using bot detection, at the very least, I hope you’ve got something else running in the background that can still analyze those behaviors and those actions to make a more informed decision on who is actually making this purchase.”

Phantom Hacker Scams

The latest elaborate scheme is the phantom hacker scam. A criminal will reach out to a targeted victim through a phone call or a chat window, claiming to be technical support and saying that the victim’s computer has been hacked. The victim is prompted to download software, allowing the scammer to remotely access the computer, including the target’s financial accounts. Then, a criminal posing as an employee from the selected financial institution tells the victim that they need to move their money to a safe place, such as a fake Federal Reserve or government agency account. To add a false sense of legitimacy to the scheme, a third scammer steps in to pose as a government agent.

Having these extra stages and different people making contact adds legitimacy to what feels like a serious scenario.

“If someone contacts you for a tech support issue and says your computer’s been hacked, right off the right off the bat you might say, oh, this doesn’t seem legit,” Sando said. “But if someone from your bank calls you and they’re using phone masking on your cellphone and it’s showing X bank, not everybody in that moment is going to think, ‘I should actually call my bank, rather than do whatever they tell me.’”

The initial targets for these scams were seniors and older consumers, but Sando thinks the criminals are poised to move beyond that.

“They might start focusing on the more tech-savvy, the people who are willing to take risks with their payment technology, who are willing to try out an agentic purchase situation,” she said. “Because this is a newer technology, you don’t have that built-in history to know whether or not something is right or wrong.”

Communication Is Key

What remedies do we have for these new scams? The first thing that must happen is more collaboration within the bank itself, between the groups that handle fraud and the groups that handle any money laundering.

“Once you get these two groups to talk to each other and share information, you will see a reduction in successful money muling,” Sando said. “And you may also then, in turn, see a successful reduction in some of these fraud typologies.”

The post Keeping Up with the Most Dangerous Fraud Trends of 2026 appeared first on PaymentsJournal.

An investigation into a single fraudulent website has escalated into a multi-jurisdictional initiative to take down a crypto fraud network that has allegedly laundered more than €700 million (roughly $816 million).

According to Europol, the criminal organization operated a series of phony cryptocurrency investment platforms, luring thousands of victims with false advertising that promised unusually high returns.

Once individuals engaged with these websites, they were relentlessly contacted by organized criminal call centers and pressured into investing through aggressive social engineering techniques. After victims transferred their crypto, the funds were stolen and laundered across multiple platforms.

While investment scams have long been a staple of criminal enterprises, the sophistication of this particular fraud ring reflects a troubling evolution—one that demands a new, more adaptive response.

“This criminal network takedown shows why collaboration is so critical,” said Jennifer Pitt, Senior Fraud Management Analyst at Javelin Strategy & Research. “Fraudsters often rely on cryptocurrency because they believe it is untraceable, but blockchain creates an audit trail that supports investigations and helps identify the entities involved.”

“Transactions move quickly, so law enforcement must act quickly and act together to freeze funds before they disappear,” she said. “It is also important to target both the operators behind fraudulent cryptocurrency platforms and the companies using aggressive and deceptive marketing to reach victims.”

Any Means Available

While fake crypto investments were the initial driver of this scam, cybercriminals will exploit any available channel to reach potential victims. For example, Google recently highlighted a group of threat actors known as the Smishing Triad that have developed a phishing-as-a-service toolkit used to create and deploy text message scams.

These messages impersonate urgent notifications from organizations like E-ZPass, the U.S. Postal Service, and Google. When users clicked the links, they were directed to phony websites engineered to steal personal and financial information.

Calling for a Global Response

The threat is compounded by the scale and coordination of organized fraud rings. In response to the widespread impact of these attacks, many organizations are searching for new strategies to combat the growing fraud epidemic. Google has even gone so far as to file a lawsuit against the Smishing Triad due to the extensive harm the group has allegedly caused.

While fraud attacks have far-reaching ramifications for consumers and businesses, networks such as the one European authorities uncovered are often tied to a broad array of other criminal activities.

“This case also highlights the connection between fraud and money laundering and why unified FRAML (Fraud Detection and Anti-Money Laundering) teams are necessary,” Pitt said. “When everyone uses the same data and systems, they can see the entire picture rather than isolated pieces. This is a global problem, with criminals coordinating across borders. The response needs to be global as well.”

The post European Authorities Uncover Crypto Investment Scam Syndicate appeared first on PaymentsJournal.

The FBI Internet Crime Complaint Center has received more than 5,000 consumer complaints about account takeover (ATO) fraud already this year, totaling more than $250 million. The news came in an FBI warning about several new ATO scams consumers should be vigilant about.

In ATO fraud, criminals usually gain unauthorized access to a targeted online financial institution. Although many people connect ATO fraud to bank accounts, every type of account is at risk. A fraudster taking over an email account or a social media account can be dangerous as well.

Hacking into Multiple Accounts

The goal for the criminals is not just stealing money but also leveraging additional information to do greater damage.

“If I only know your username and password, when I log into your financial account, maybe now I can see your email address and your phone number,” said Jennifer Pitt, Senior Analyst in Fraud Management at Javelin Strategy & Research. “Banks need to get out of the thinking that it’s solely financial accounts that are being taken over and one account. They’re after as many accounts as they can access, as quickly as they can.”

The FBI warning included advice for avoiding account takeovers through social media. Sharing certain information–like a pet’s name, date of birth, or information about family members—can give scammers dangerous insight into a user’s password or answers to security questions.

New Trends in Scams

The scams have gotten sophisticated enough that even phone calls that seem to be from a customer’s own bank are not reliable. The FBI recommends that people be suspicious of unknown “banking” employees making unsolicited phone calls. Rather than trust caller ID, the FBI says consumers should hang up, verify the correct number, and call it themselves.

The FBI report also cited a relatively new technique called search engine optimization (SEO) poisoning, in which cyber criminals buy online ads that make them look like legitimate businesses. When users click on the fraudulent ad, they are directed to a phishing site that mimics a real website and tricks them into providing their login information.

To avoid this, the FBI recommends that users not click directly on Internet search results or advertisements. Instead, rely on bookmarks or browser favorites to navigate to websites. And always carefully examine any email address or URL that was sent in an unsolicited email or text.

The post FBI Warning Highlights New Account Takeover Scams appeared first on PaymentsJournal.

Creating a synthetic identity used to be the realm of seasoned hackers, but now it can be done with a few simple prompts. Just as artificial intelligence has fueled countless business innovations, it has also been a boon for bad actors—allowing cybercriminals to commit fraud at a fraction of the cost and with greater sophistication.

In a recent PaymentsJournal podcast, Danica Kleint, Product Marketing Manager for Fraud Solutions at Plaid, and Jennifer Pitt, Senior Fraud Management Analyst at Javelin Strategy & Research, examined how AI is rendering fraud-fighting methods obsolete, and the tools and techniques organizations can use to defend against future threats.

The Flywheel Effect

Bad actors use AI as a proving ground. Within AI models, cybercriminals can create and test fabricated credentials. Unlike legitimate businesses, threat actors aren’t encumbered by regulatory or ethical boundaries, allowing them to evolve their methods faster than fraud prevention professionals can respond.

These bad actors also exploit vast repositories of stolen personal data from the growing number of data breaches, as well as the wealth of information that consumers and businesses share online. With more data and advanced tools, cybercriminals can now construct synthetic identities that are extremely difficult to detect.

Compounding the problem, many financial institutions still rely on outdated verification methods.

“When I was working in banking, I had to review customer service calls, and there were several calls where fraudsters called in pretending to be the victim,” Pitt said. “They would give static identity information—that’s all that these call centers were asking for: name, date of birth, account number—and they didn’t verify anything else. This is information that they’re easily able to get on the internet through social media or that has been leaked from data breaches.”

To make matters worse, today’s fraud attacks are often highly coordinated, executed by far-reaching and organized fraud rings.

“Not only do they have better tools to commit fraud, but we’re also seeing them collaborate more and share tips and insights,” Kleint said. “It’s this flywheel of a rapid increase in fraud across the whole ecosystem. I remember not that many years ago, fraudsters were just two people in a dorm room trying to hack a few things here and there.”

“Now, they’re these large-scale operations where there’s even TikToks readily available to learn how to commit fraud,” she said.

Layering Fraud Defenses

In the battle against increasingly sophisticated fraud schemes, financial institutions can no longer rely on a single line of defense. The most effective strategy is to build layered defenses—a coordinated system of tools, data, and analytics that work together to detect and prevent fraud from multiple angles.

While some organizations worry that such an approach could increase customer friction, advancements in technology have significantly reduced these concerns.

One effective starting point is to leverage the significant customer data FIs already possess. With the right analytics, institutions can use these data points to run synthetic or stolen identity checks, helping uncover fabricated identities or records linked to deceased individuals.

Beyond identity verification, FIs now have an increasing number of tools at their disposal.

“An interesting one that we’ve been seeing catch a ton of fraud lately is facial duplicate detection,” Kleint said. “It’s a super simple concept: have we seen this face across our platform or service multiple times?”

“But not that many companies are doing it,” she said. “You take a picture from the ID or from the selfie image and you just see if you’ve seen that face across your organization multiple times.”

In addition to facial duplication detection, financial institutions should deploy systems that flag duplication across other identity elements. For example, if a bank identifies the same name or date of birth used to open a dozen accounts, this could signal coordinated fraudulent activity.

Device intelligence and behavioral analytics add another critical layer of protection. These systems can identify atypical patterns in how customers interact with platforms, alerting the institution to potential risks in real time.

Ultimately, organizations benefit from taking a broader, comparative view of customer behavior. By evaluating an individual’s activity alongside peers in similar demographic groups, FIs can distinguish between legitimate anomalies and genuinely suspicious behavior.

“What a lot of financial institutions that have some behavioral analytics in place are lacking is they’re just looking at a single customer,” Pitt said. “That addresses account takeover for that customer, but it doesn’t address things like new account fraud.”

“It’s looking at the device intelligence in the beginning to see if that device has been used before,” she said. “Is this typical behavior of a customer that’s in that demographic that gives this typical KYC information? Looking at the historical data of that customer—as well as the historical data compared to that demographic—is critical.”

Shifting the Strategy

Technology alone isn’t enough. More organizations are realizing that true resilience requires a shift in strategy—not just in tools.

“Companies are focused on fraud at the very beginning, at onboarding, but it happens throughout the entire lifecycle of a customer,” Kleint said. “Often, they forget about how they could potentially have account takeovers later in the journey and we’re seeing that be so prevalent right now.”

While continuous fraud prevention is important, one of the most critical strategic shifts for financial institutions is opening the lines of communication with their peers.

By sharing data within an industry consortium, organizations can begin to leverage collective network insights—not only to understand how an individual or device has behaved on their own platform, but also how that behavior extends across other institutions.

Because bad actors often operated in organized groups, it’s important that financial services firms work together so fraud attacks can be traced back to the organizations that initiated them.

Still, many FIs remain reluctant to participate in a consortium model due to compliance and privacy concerns. While these concerns are well-founded, as long as customers have full visibility into how their data is being used and organizations encrypt personal information, consortium members can share intelligence freely while still meeting their regulatory and privacy obligations.

“Financial institutions in particular are hesitant sometimes because of privacy concerns,” Pitt said. “They’re afraid not only will they violate privacy laws, but they’re also afraid that they’ll alienate their customers by sharing information. But collaboration is going to be key—if we can’t collaborate, we are going to continue to lose this fight.”

Across the Entire Ecosystem

Unfortunately, the fight against fraud is only getting tougher. Generative and agentic AI tools are advancing at a meteoric pace, giving bad actors new ways to deceive and exploit. To keep up, companies must adopt technologies that close the gap—and work together to establish stronger, industry-wide standards for identifying and preventing fraud.

Perhaps more importantly, organizations need to make the most of the systems already in place.

“Plaid’s network powers digital finance—one in two Americans have used Plaid in some way,” Kleint said. “We’ve seen a billion device connections across the ecosystem and because of that scale, we can see how those devices and individuals have conducted themselves across the entire financial ecosystem.”

After all, fraud is ultimately about financial gain—and the surest way to uncover and trace it is by following the money.

“We sit at the center, so we have this view that nobody else has,” Kleint said. “We can see patterns like a person connecting to six different fintech apps within a week. They’re using different personally identifiable information, but they’re using the same device or the same email. It’s these patterns that fraudsters are not aware of. They’re not aware that we can see all this, and it’s super powerful in understanding potential risks.”

The post The Rise of Smarter Cybercriminals Demands Stronger Fraud Defenses appeared first on PaymentsJournal.

Cybercriminals are expanding their playbook. While email and text remain common phishing channels LinkedIn messages are quickly gaining traction as a new favorite target.

According to The Hacker News, LinkedIn has become an appealing target because many professionals—including company executives—access the platform on corporate devices. At the same time, many organizations haven’t put the same safeguards in place to identify and intercept fraudulent LinkedIn messages as they have for email.

“Social media accounts, including LinkedIn, are increasingly being used by cybercriminals to target employees, consumers, and executives,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Beyond the lacking multi-factor authentication (MFA) noted in the article, social media channels give consumers false senses of security, because consumers inherently trust communications that come through social media.”

“Add to that the increasing sophistication of infostealers—which readily compromise credentials for account access by scraping and capturing browsing histories and stored cookies—and consumers are at ever-increasing risk of being manipulated by socially engineered attacks like phishing that prey on their psychological vulnerabilities,” she said.

A Launchpad for Campaigns

Infostealers are a powerful class of malware capable of extracting sensitive data from online sources at an alarming scale. Some experts attribute of billions of stolen personal credentials to these tools, driven in part by the vulnerabilities inherent in social media platforms.

“It’s incredibly easy to just take over legitimate accounts,” Goldberg said. “Some 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA—because MFA adoption is far lower on nominally ‘personal’ apps where users aren’t encouraged to add MFA by their employer. This gives attackers a credible launchpad for their campaigns, slotting into an account’s existing network and exploiting that trust.”

Expanding the Scope

Although individuals are often the initial targets of LinkedIn phishing campaigns, the ultimate objective is typically to gain access to a larger organization—especially those with extensive cloud infrastructure.

Once an initial foothold is established, cybercriminals can infiltrate company systems to steal protected data for financial gain or launch ransomware attacks against the organization.

Given the rising costs associated with a single breach, organizations should broaden their phishing training and defensive strategies to specifically account for LinkedIn and other social media platforms.

The post LinkedIn Messages Are a Popular Protocol for Phishing Attacks appeared first on PaymentsJournal.

When financial institutions think about protecting against new-account fraud, they usually focus on the customer who has already applied and is being onboarded. But with the fraud typologies out there now, onboarding may be too late. Fraud detection needs to start as soon as the application for an account is being filled out.

In a new report, New-Account Fraud: Old Problem, New Challenges, Jennifer Pitt, Senior Analyst in Fraud Management at Javelin Strategy & Research, looks at why such fraud is growing and what financial institutions can do to fight it.

“New-account fraud detection is a partnership with banks, consumers, identity protection service providers, and other organizations like e-mail service providers,” Pitt said. “It’s going to take all of us.”

Starting from the Outside

Fraudsters often start by setting up non-financial accounts, like email or social media accounts. Those accounts have no real identity verification measures. The scammer just needs a name or an email address, without verifying things like date of birth or even establishing that the applicant is a real person.

Setting up accounts that don’t require identity verification establishes legitimacy. Many financial institutions use static identity verification, checking for things like whether a person belongs to a given email address. The more legitimacy that’s added before a financial account is set up, the easier it is to pass the verification tests.

Static identity verification asks people to scan or mail in copies of driver’s license documents. Because of AI and the use of synthetic identities, those are easy to fake. It’s hard for the human eye to tell the difference between a real identity and one that was created with an AI tool.

In addition to documents, financial institutions use other static identity information such as a name and date of birth, or previous addresses. This information is also easily obtainable by scammers through background check websites at a cost of just a few dollars.

“Financial institutions need to use static identity when they’re looking at the documents, but then verify it dynamically,” Pitt said. “Maybe have somebody hold up a driver’s license next to their face, and then ask them to do something on video, like turn their head or say something.”

Watching for Human Behavior

This is where behavioral analytics come into play. When someone fills out an application online, a key way to separate humans and bots is the typing patterns. With bank account applications, behavioral analytics is essentially checking to see if the behavior is that of a human or a bot. If a three-page application for a financial institution is filled out in two seconds, that’s suspect because humans can’t type that fast.

“A lot of these AI tools, and bots can be fed PII—name, date of birth, Social Security number,” Pitt said. “If the same name or a same identity document element, like a picture or a date of birth, is used to fill out multiple applications, that can be detected before the customer is onboarded. Once an account is opened, with the new technology with synthetic identities, with bots, with AI that’s able to pass like deep fake detection, it’s too late.”

Bots are deployed to send out multiple applications to gain access to multiple financial institutions. As with scams, they cast a wide net and see what bites. Once an account is established at one organization, a credit profile can be established that essentially legitimizes that the accountholder is real, even if they’re not.

Challenges for Individuals

Even though new-account fraud may not seem to affect individual consumers, it can still cause problems for them. The scammers use some pieces of personal information to set up an account, whether that’s a name and date of birth or a Social Security number. At some point, that account will be tied to the legitimate holder of that information.

“If somebody sets up a new account in your name, it could potentially hinder you from getting a mortgage, from getting government benefits, anything like that,” Pitt said. “It’s very important that consumers are diligent about checking their own information, making sure it has not been compromised.”

Part of the problem with new-account fraud is it doesn’t have the same indicators as account takeover. Consumers are not alerted to unusual transactions because it’s a new account they’re not even aware of. Depending on the type of account, they might not even be alerted to problems on their credit history.

“I encourage consumers to sign up with the credit bureaus to basically say let me know if there are any changes in my information,” Pitt said. “Sign up for identity protection service providers, which provide services like credit monitoring and monitoring information that’s on the Internet or dark web. They let the consumer know if their information is found on the Internet. If the consumer gets that alert, they know they need to be on guard a little bit more. Watch your credit profile, and unless you need a new loan or new credit, freeze your credit. This basically disallows anybody who is trying to get credit or a loan in your name.”

Concerns About AI

Many financial institutions are still not using identity verification. Some of the reasons include privacy concerns about feeding a customer image into an AI model and about customer friction.

“Financial institutions are using AI tools on a very limited basis for limited things,” Pitt said. “Most are not using comprehensive AI tools for identity verification. They should. There are a lot of vendors out there that offer it. It’s just a matter of getting financial institutions on board.”

Eventually, some financial institutions get to the point that they want these AI tools. If they can explain to their customers why AI is beneficial, that reduces the friction. But some think they don’t have the money for it and can’t afford to start from scratch.

“What a lot of financial institutions don’t realize is they don’t need to start from scratch,” Pitt said. “A lot of the tools vendors offer are able to fit into their existing tech stack. They can just put them on top of solutions they already have. There is obviously a cost, and AI is expensive, but at this point financial institutions need to realize that they’re not going to have a choice. Either you spend the money on the front end for the technology, to detect and prevent it, or you spend the money on the back end for fines, losing customers, and lawsuits.”

The post New Approaches to Fighting New-Account Fraud appeared first on PaymentsJournal.

Fraudulent credit activity is on the rise, and it’s costing lenders—and consumers—millions. TransUnion is launching a solution to fight credit washing, a scam in which criminals remove legitimate negative credit data to temporarily boost their scores and secure loans they never intend to repay.

Credit washing often involves disputing accurate negative information on a credit report. The temporarily boost can allow criminals to obtain auto loans, credit cards, or other financing, leaving lenders and businesses holding the financial losses.

A Possible Solution

According to TransUnion, these schemes have surged in recent years. Roughly 5% of U.S. consumers have had charge-off accounts suppressed for what it calls “atypical reasons” just this year. It estimates that $10 billion in debt will be removed from credit reports by the end of the year.

TransUnion’s solution enables lenders to route suspicious consumers to manual review, reducing early charge-offs. Its Credit Washing Default Score identifies consumers with a history of charge-off suppression who may be at elevated risk of defaulting on new accounts within 12 months. The product also includes algorithms that track changes in reported charge-offs across six lines of business, including auto loans and bank cards.

An Unfortunate Side Effect

Credit washing is possible because of the Fair Credit Reporting Act, which was originally intended to help victims of identity theft. If a consumer reports that they have been a victim of identity theft, their financial institution and the credit bureaus are legally required to block the impact on the disputed account within four days while the claim is being investigated. The request can be denied or later revoked if the institutions can prove misrepresentation, but doing so is not always feasible within the narrow window allowed by law.

“What seems to be particularly tricky about credit washing is the first party fraud angle, which is often difficult to distinguish from legitimate fraud claims,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “Without strong fraud detection in place to identify and analyze the right signals to actually determine if the dispute is legitimate, these claims get approved, negative marks get removed, and the credit score jumps high enough for a loan to go through. It’s yet another avenue that some consumers have exploited for financial gain without detection.”

The post As Credit Washing Surges, TransUnion Fights Back appeared first on PaymentsJournal.

In a bid to curb an escalating wave of phishing and financial fraud, Google has filed a lawsuit against a group of cybercriminals allegedly behind large-scale credential theft campaigns.

These threat actors, known as the Smishing Triad, use a phishing-as-a-service toolkit called Lighthouse to develop and deploy convincing text-message scams. These fraudulent texts contain malicious links to phony websites designed to pilfer victims’ personal and financial data. Like many phishing attacks, they often pose as urgent notifications from legitimate organizations like E-ZPass, the U.S. Postal Service, or Google.

According to Google, the Smishing Triad’s operations have comprised between 12.7 million and 115 million credit cards in the U.S. alone, with victims spanning across 120 countries.

Segmenting Fraud Operations

One of the most troubling aspects of modern cybercriminal organizations is how organized and widespread they have become. Investigators, for example, found that the Smishing Triad had roughly 2,500 members active on the Telegram social media platform, where they both recruited new participants and shared instructions on how to operate Lighthouse.

The group had also divided its operations into specialized teams. Researchers uncovered a data broker group responsible for supplying lists of potential victims and contacts, a spammer group tasked with sending text messages, and a theft group that coordinated the actual attacks.

Unfortunately, these kinds of organized cybercriminal syndicates are becoming increasingly common. Palo Alto Networks recently uncovered attacks by the Jingle Thief group, which uses phishing techniques to infiltrate gift card systems and issue cards for resale—particularly around the holidays.

The Demand for Action

Understandably, these threats have prompted action, but Google is the first company to take legal action. The tech giant has filed claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse (CFAA) Act.

While the immediate goal is to shut down the Smishing Triad and the Lighthouse platform, Google also hopes to deter copycat groups from treading a similar path. Regardless of the outcome, the lawsuit represents just one tool in the broader fight against fraud. Google has also called for tougher regulations to curb cybercrime and improve coordination across the industry.

The post Google’s Latest Weapon in the Fight Against Fraud: Litigation appeared first on PaymentsJournal.

The indictment of three cybersecurity professionals accused of running their own ransomware operation is a frightening reminder that those entrusted with protecting digital systems often possess the same skills required to exploit them.

While few want to imagine their own cybersecurity experts acting with malicious intent, the case reinforces the importance of a zero-trust approach—one that assumes every users and system could be compromised. Effective zero trust relies as much on a company’s culture and vigilance as it does on its technology.

According to an indictment filed in Florida last month, rogue employees of a Chicago company that specializes in negotiating ransomware settlements allegedly launched their own malware attacks against at least five U.S. organizations between May and November 2023. While there’s no evidence the accused targeted their own client, they are charged with using their insider knowledge of ransomware response tactics to prey on vulnerable entities.

Can You Trust the Experts?

Organizations must be constantly alert to breaches. Cybersecurity professionals must earn and re-earn their clients’ trust—and the principle of zero trust is an important starting point.

“‘Trust but verify’ is a phrase commonly used in cybersecurity to explain the need to continuously authenticate, verify, and scrutinize every device, user, and endpoint,” said Tracy Goldberg, Directory of Fraud and Security at Javelin Strategy & Research. “Even if a system or user is trusted, their authenticity and actions must constantly be verified to prevent unauthorized network access and malicious activity.”

Healthcare Has Unique Vulnerabilities

According to an affidavit, the first attack occurred in May 2023, when a medical company in Florida was targeted with a $10 million ransom demand. The group allegedly went on to attack a Maryland pharmaceutical manufacturer and a California doctor’s office, according to CSO Online.

Healthcare organizations are frequent targets of such attacks because of the vast amounts of personal data they hold. Last year, the personal information of 100 million individuals was stolen during a ransomware attack on Change Healthcare, which resulted in a $22 million ransom payment.

“Healthcare must invest more in cybersecurity, perhaps second only to education,” said Goldberg. “Healthcare is widely known for its cybersecurity vulnerabilities, and exposure of employee and patient Personal Identifiable Information.”

That attack was attributed to the AlphV/BlackCat ransomware group, the same group named in the recent Chicago indictments, though it remains unclear whether the individuals charged were involved in that particular incident. According to Trustwave SpiderLabs, Russia-based AlphV was responsible for roughly a quarter of all ransomware attacks in 2024.

The post When Security Professionals Turn to the Dark Side appeared first on PaymentsJournal.

A study from UK Finance found that criminals stole £629.3 million (roughly $826 million) during the first half of the year, a 3% year-over-year increase.

What’s more, there were over 2 million reported fraud cases through Q2 2025, a 17% rise from the previous year, with the average scam costing victims £300 ($394).

Most of these cases originated online, and social media is playing a role. The study found that purchase scams—where consumers are manipulated into paying for fake products or services—were the most common, with many stemming from social media posts.

Investment scams were the next most frequent and often the costliest type of fraud in the UK. Romance scams also remained prevalent, with victims losing an average of £6,500 ($8,547) to criminals who preyed on their emotions.

The Most Prevalent Form

The continued rise in fraud in the UK mirrors a broader global trend. Consumers are being flooded with fraudulent emails, phone calls, texts, and messages—many of which are difficult to distinguish from legitimate communications.

These scams peaked during the pandemic, when most shopping and messaging moved online. However, even as consumers return to physical stores, scams remain a persistent threat, now surpassing traditional identity fraud to become the most prevalent form of fraud.

An Effective Combination

Criminals are increasingly relying on social engineering tactics to manipulate their victims. High-pressure communications, coupled with realistic-looking messages, can be especially effective combination when targeting vulnerable populations like children or the elderly.

Worryingly, many victims who are tricked into sending payments aren’t reimbursed, even when they use legitimate channels.

UK Finance found that 98% of victims whose credentials were stolen were reimbursed by their banks. In contrast, when consumers are tricked into sending a payment—such as in authorized push payment (APP) fraud—only about 62% are refunded.

This is a growing global problem. According to LSEG Risk Intelligence, worldwide APP fraud losses could reach $331 billion by 2027.

The post Fraud Losses and Incidence See Uptick Through Q2 in UK appeared first on PaymentsJournal.

Fraud has long been a constant in the financial services industry—for the same reason the notorious bank robber Willie Sutton targeted it: “That’s where the money is.” Yet many financial institutions remain reluctant to invest in the kinds of solutions that can truly counter these threats.

As technology continues to evolve—both for banks and for criminals—the key to combating fraud lies in taking a holistic, intelligent, and sustained approach. Criminals will not stop refining their methods, and financial institutions must respond in kind or risk losing not only money but also the trust and loyalty of their customers.

Where Things Stand

Credit and debit card fraud remain the top concerns for most financial institutions. However, identity fraud may pose an even greater threat going forward. Javelin Strategy & Research reported a sharp rise in identity fraud in 2024, with total losses in the U.S. reaching $27.2 billion, up from $22.8 billion in 2023.

Within this category, account takeover (ATO) fraud may represent the biggest threat on the horizon. Annual losses from ATO are currently estimated at nearly $16 billion, according to Javelin, affecting roughly 5 million consumers each year. Criminals are targeting a wide range of accounts—including checking and credit accounts, email, digital wallets, mobile phones, and social media. Weak authentication measures, such as optional multi-factor authentication and lenient password policies, have exacerbated the problem.

“People continue to use and reuse their login credentials across multiple accounts, both financial and nonfinancial,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “That’s not the victim’s fault, but it is an opportunity for banks to look into their account takeover protections and make better decisions based on some of the account actions that criminals are taking.

“With ATO, criminals don’t have to go through the Know Your Customer and identity verification that they do for new account fraud,” she said. “All they have to do is crack the credentials, change a few pieces of critical information, and then they’re pretty much able to evade detection until the customer notices they’ve been locked out of their account.”

Current Defenses Are Not Strong Enough

The growing losses from fraudulent attacks suggest that current prevention methods are not strong enough. Nearly half of the financial institutions surveyed allocated less than $50,000 to fraud, authentication, and identity verification solutions. Javelin’s research reveals that many FIs not only lack the necessary tools to fight fraud but also, in large numbers, have no plans to increase their investment in this area.

For example, in 2023, fewer than a third of organizations used an authorized push payment fraud solution, and only 18% planned to adopt one in the future. Tools designed to address synthetic ID fraud, chargeback fraud, and peer-to-peer fraud are used by even fewer organizations. Additionally, three-quarters of organizations aren’t using decision engine tools—critical systems for combating fraud effectively and at scale.

“A decision engine takes in a bunch of different signals and behaviors and data points, and it spits out a decision on whether or not you should allow a transaction or a particular account action to happen,” Sando said. “For example, it can use inputs like behavioral biometrics, which are the way you type, the way you hold your phone, device intelligence. ‘Is this normally Suzanne’s iPhone, and is she using the same operating system?’”

The Solutions Are Available

Effective fraud-fighting tools are available to financial institutions, even those with restrictive budgets. The key is to be strategic. Many of the most innovative fraud prevention tools perform best when seamlessly integrated, rather than operating in the siloed environments that FIs often fall back on.

Fraud detection and prevention technology operates on multiple levels. When these tools work in tandem, they can provide a comprehensive view of a user and a real-time assessment of their risk profile.

Risk-based decision engines that draw on multiple data sources are far better equipped to manage complex processes than relying on a single internal system. These engines work dynamically with data—such as biometrics—to automate decisions related to detecting attacks. That capability provides FIs with greater confidence in the actions they take regarding individual users and transactions.

This is truly an area where there is strength in numbers. Shared industry data, compiled from many sources, enables more accurate identification of suspicious behaviors. By contrast, when FIs rely solely on their internal data, their view of a consumer’s risk level is severely limited.

Data privacy must always be handled with the utmost care and consideration, which is why many FIs prefer to keep information internal. However, a secure data consortium can reveal critical fraud intelligence, granting FIs access to a wealth of information that ultimately supports better-informed decisions. In a rapidly changing fraud landscape, this level of industry collaboration is essential.

The Growing Role of AI

Artificial intelligence is already enhancing these capabilities. AI-powered solutions can sift through vast amounts of data to identify telling patterns, while machine learning handles much of the heavy lifting in trend and data analysis—supporting a risk management and decision-making process that stays both relevant and up to date.

“AI is a more precise way of looking for some of these patterns and behaviors that the human eye cannot detect,” said Sando. “We can only do so much as we look through someone’s transactions. Let’s say there’s a bot attack. You may notice some characteristics of that that are in line with fraud, but AI can recognize patterns in a way that we cannot.”

What FIs Need from their Partners

It’s critical that fraud detection partners are able to meet financial institutions where they are. Most financial institutions already have complex, highly customized tech stacks, so any fraud prevention solutions need to work with the existing technology. This requires a fraud partner who is flexible and can adapt to each FI’s unique needs.

FIs also need partners who are visible and accessible. Javelin’s research found that quality face time with experts is crucial, with more than three-quarters of respondents saying they want knowledgeable and trustworthy collaborators. These institutions place high value on in-person interactions with vendors before adopting new technology.

Javelin also found that the top priority for businesses concerned about financial fraud is protecting their brand. Since customers are willing to switch providers if they fall victim to fraud, a bank’s reputation can be its most important asset.

“You are more likely to read a bad review about someone than a good review,” Sando said. “If one fraud victim has a bad experience and they start publicizing it, that’s something a bank wants to prevent. Trust is such a basic part of the foundation of a relationship between a customer and a bank. If you don’t have that trust, that person can walk at any time. And we’re seeing growing numbers of fraud victims growing who are willing to close their accounts and move somewhere else.”

The post The Big-Picture Approach to Fighting Bank Fraud appeared first on PaymentsJournal.

As fraud becomes more prevalent and organized, the need for an overarching solution to identify fraud patterns has grown. However, many financial institutions have been hesitant to share customer data due to compliance and privacy concerns.

Privacy-enhancing technologies (PETs) could help address these challenges. PETs enable organizations to share information across the industry while protecting personal data through pseudonymized or tokenized identifiers.

Two of the main use cases for this approach include detecting mule accounts and synthetic identities. Taken in a single instance, an account that is opened with seemingly legitimate credentials may not raise red flags. However, if the same synthetic identity is used to open accounts at multiple institutions within a short period, PETs could help identify the suspicious activity and enable timely intervention.

The Spiraling Scale of Fraud

The proliferation of fraud vectors has reached a point where financial institutions are facing significant impacts.

For example, organized criminal rings now recruit money mules through social media and other channels, exploiting a company’s already-verified customers to perform nefarious activities. While this may appear to be an isolated event, mule activity rarely occurs in isolation.

Indeed, such activity often happens on a large scale—so much so that criminal syndicates often use a “mule-herder” to manage the many mules and their accounts.

The Teeming Dark Web

This scale, amplified by sophisticated technologies like AI, has prompted more calls for a consortium approach to fraud prevention. A cyber fusion strategy is built on cooperation among financial institutions—sharing data and pooling resources to create fraud and money laundering defenses.

In addition to data sharing, a cyber fusion strategy should also include dark web threat intelligence. The dark web teems with consumer data, much of it stolen through pernicious malware like infostealers.

Dark web threat intelligence not only scours this data to find connections, but also extracts information from cybercriminal communications in forums and chat channels. These capabilities are essential for uncovering connections between bad actors, enabling authorities to properly attribute attacks and dismantle cybercriminal rings.

A cyber fusion strategy that incorporates PETs for secure data-sharing—combined with dark web threat intelligence—gives financial institutions their best chance to combat evolving fraud threats.

The post Privacy-Enhancing Technologies Can Supercharge Threat Intelligence appeared first on PaymentsJournal.

The Better Business Bureau has issued a new warning about a scam targeting tap-to-pay chips in credit cards and mobile wallets.

So-called ghost tapping abuses the near-field communication (NFC) technology embedded in contactless payment chips and digital wallets, which allows devices to exchange data at very close range. The scam can happen without the victim noticing. In crowded spaces like a festival or train stations, a criminal may get close to a victim—and sometimes even bump into them—then use a wireless payment reader to access a tap-enabled card or phone without the victim realizing it.

In other instances, the criminal poses as a vendor or charity fundraiser and convinces the victim to make a small tap payment. That minor charge may not be enough to trigger fraud detection systems, so victims might not notice the theft right away. The criminal can then use the stolen data to make additional unauthorized charges.

Widespread Operations

Even more insidious, once payment card information is stolen and loaded into mobile wallets, criminals can transfer those credentials to other phones to scale the operation. Although these scams may appear to be the work of small-time criminals, a substantial infrastructure supports them.

Recorded Future’s Insikt Group has identified organized networks that disseminate both the phones and the phishing software used in ghost-tapping fraud. Insikt also found advertisements and recruitment messages on messaging platforms, indicating a burgeoning market for goods obtained through ghost-tapping.

Protection Against the Scam

The BBB recommends that consumers use an RFID-blocking wallet or sleeve on their credit cards to help stop wireless skimming. For less than $10, these sleeves prevent others from detecting the radio signals emitted by the card’s chip.

Before tapping a card or phone, consumers should verify the merchant’s name, amount, and terminal screen to make sure everything looks correct. The BBB also advises limiting tap-to-pay use in high-risk areas, like at a farmers market or crowded retail stored. In these cases, swiping or inserting the card is generally a safer option.

Finally, consumers should set up transaction alerts with their bank and regularly monitor their accounts. If they suspect fraud or discover unauthorized charges, they should contact their bank or card issuer immediately to report the issue and cancel the card.

The post Ghost Tapping Preys on Credit Card Chips and Digital Wallets appeared first on PaymentsJournal.

Cybercriminals have been after personal data for years, but new technology is giving them a dangerous boost. Infostealers—malware that extracts sensitive data like passwords and credit card numbers—are becoming one of today’s biggest online threats because they are easy to use and hard to spot.

While conversations about online safety often peak during Cybersecurity Awareness Month, the reality is that vigilance is needed year-round. In a recent PaymentsJournal podcast, Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, discussed the damage infostealers can cause, how consumers can protect themselves, and how dark web threat intelligence is helping fight back against bad actors.

Protecting the Keys to the Kingdom

Malware has become a damaging force capable of shutting down systems and causing financial havoc—even to large-scale organizations. However, infostealers take this threat to another level, having been responsible for extracting billions of personal credentials.

“What makes it different from malware that we’ve seen in the past like keyloggers is that infostealers are extremely sophisticated, so they’re capturing all kinds of data,” Goldberg said. “When you type in your username and password, they’re capturing the browsing history and the cookies.”

“Some of these infostealers are sophisticated enough to capture screenshots, which is really frightening,” she said. “There are some infostealers out there that are specifically designed to target crypto wallets and digital wallets—all of that data can be captured.”

Their sophistication makes infostealers exceptionally difficult to detect and neutralize. The combination of stealth and power poses a serious challenge to the financial services industry on multiple fronts.

First, financial institutions must find ways to ensure the authenticity of online browsing and mobile banking sessions. Second, the industry must confront the reality that traditional passkeys and tokens are no longer sufficient to defend against modern malware.

“In the same way that password managers have risks, because if the password to the password manager is compromised in a data breach—and we know people use reuse passwords—then the keys to the kingdom are gone,” Goldberg said. “The same holds true in this environment for passkeys and digital wallets and tokens because oftentimes that encrypted data is held behind a site that is password-protected.”

“When we save passwords and browsing history, which most of us do, if that browser history or the cookies are compromised, then there’s no reason for the cybercriminals to decrypt any data, they get access to where that data is housed,” she said. “It’s an extremely concerning problem, and it’s one that I don’t think we’re prepared for as an industry.”

The Cost of Convenience

Many of today’s emerging risks stem from the new digital paradigm. While digital payments and modern technologies offer transformational benefits, they have also introduced new vulnerabilities.

“If you have a credit card that is reissued and it’s automatically updated to your digital wallet, if that cybercriminal has already gained access to the password and login credentials that give access to that digital wallet, when the new digital numbers are automatically updated, they have access to it,” Goldberg said.

“We have these digital wallets where our financial institution can reissue a compromised card to us digitally, which means we can start using that card before we get the physical replacement in the mail,” she said. “That convenience is wonderful, but it’s also made it easier for cybercriminals.”

For financial institutions, this can be costly—especially if they must continually reissue EMV chip cards in addition to bearing the broader costs of fraud.

Addressing this challenge is complicated by the limits of consumer education, which has typically been central to fraud prevention. It’s unrealistic to expect the average consumer to stop reusing passwords, regularly clear browsing histories, or log out of every device after each session.

As a result, a new type of solution is needed—one that may require the industry to hearken back to the early days of digital.

“What the solution is going to be, it’s something that we talked about years ago and we never made the leap and that is hardware tokens. These are physical tokens that you carry on your person that you use to log into your device,” Goldberg said. “Whether it’s your mobile device, tablet, or laptop, having that physical token is going to be the only solution.”

“We’re going to almost have to take a step back in time,” she said. “Just like we would use a hard key to open our door, we’re going to have to take a step back, and that’s going to cause challenges for convenience.”

Scouring the Dark Web

In addition to heightened security on the consumer end, dark web threat intelligence can make a broader impact. This intelligence comes not only from collecting the compromised data found on the dark web, but also data from monitoring threat actor communications in forums and chat channels.

Dark web threat intelligence has become critical because it helps uncover the connections between bad actors, who increasingly operate in organized groups. This kind of attribution is growing more important as technology advances and more sensitive data about online.

The growing repository of digital information must be protected, as bad actors are no longer just a threat to individual consumers or organizations—their actions can create ripple effects that reach the level of national security concerns.

“There are threat actors out there that on the surface may look like they are just targeting consumers for scams, but by looking at the tactics, techniques and procedures, dark web threat intel can tell us that there could be something more nefarious going on,” Goldberg said.

For example, a threat analyst combing the dark web may discover a series of compromised credit cards issued by a single financial institution. They might then notice that the cards belong to account holders clustered in a certain part of the country. From there, the analyst would dig deeper to identify further commonalities among the affected accounts and potential links to broader criminal activity.

“You’re able to say: ‘They all shopped at a certain grocery store or dined in a certain restaurant,’ and you just continue to narrow it down,” Goldberg said. “Perhaps you’re able to find out that all of these individuals were on a particular Facebook Marketplace forum and they were engaging with a certain individual who was selling BBQ equipment.”

“Then, you’re able to say: ‘This particular individual who is associated with the account that’s selling the BBQ equipment also has accounts that use different names, but have the same IP address,’” she said. “From here, we’re able to connect the dots, and ultimately the hope is that through this trail of attribution, you’ll find out who the individual or individuals behind some of these malware rings and groups are and take them down.”

The Benefits of Friction

Through these techniques, dark web threat intelligence can be a powerful tool to track infostealers and identify the victims they have affected. As the financial services industry gains deeper insight into these threats and the criminals behind them, it can take a proactive and preventative stance.

However, as these threats grow increasingly pervasive, cybersecurity has evolved into an everyday priority for everyone.

“The most basic thing from a consumer perspective is that we have to reel in our use of social media,” Goldberg said. “Social media is not just a concern for financial institutions and consumers because it’s a prime channel that’s used for spreading malware and targeting consumers for scams, it’s also used for disinformation campaigns. Everybody just needs to be skeptical of what they read and mindful of what they post on social media—that would be first and foremost.”

“Secondly, everyone needs to jump on board with the reality that it’s not going to always be convenient, and a little inconvenience and friction is good,” she said. “Moving toward an environment where we have a physical hard token key that we have to use to log into our device is just going to mean that our devices and accounts are more secure. I think that’s a direction that we’ll all be moving in.”

The post How Dark Web Intelligence Is Key to the Fight Against Infostealers appeared first on PaymentsJournal.

A group of cybercriminals dubbed “Jingle Thief” is using phishing techniques to gain access to gift card systems, then issuing cards to resell for personal profit.

Researchers from cybersecurity company Palo Alto Networks uncovered the group’s tactics as Jingle Thief targeted the cloud infrastructure of retail and consumer services companies. Once inside, the bad actors search for the mechanisms that allow them to issue gift cards and work to cover their tracks.

Gift cards have become a growing target for cybercriminals because of their ubiquity in retail and e-commerce, both for gifting and self-use. Prepaid products can be redeemed easily and require little personal information from the purchaser, making it harder for authorities to track and identify those who exploit them.

Stopping the Drain

More regulators have been taking steps to mitigate gift card fraud. For example, Maryland recently passed a law aimed at combating gift card draining scams, which have become prevalent.

In this scam, criminal networks largely target retail cards sold in stores. Bad actors tamper with the packaging to obtain the card number and then return the compromised card to the shelf. Once an unsuspecting consumer purchases and loads funds onto the card, the criminals quickly drain the balance for their own use.

To address this issue, legislation such as Maryland’s bill requires secure packaging for gift cards, mandates that merchants register with the state, and calls for employee training to help prevent fraud.

A Tribute to Success

The threats against gift cards and prepaid providers are, in many ways, a tribute to their success. Consumers increasingly prefer cash and cash equivalents as gifts, but buyers are often reluctant to give cash because it is less secure and impersonal. That’s why gift cards have become one of the most popular gifts year-round—and especially during the holidays.

Unfortunately, the boom in gift card sales and usage around the holidays also creates vulnerabilities criminals can exploit. In fact, the Jingle Thief group earned their moniker because they are particularly active around the holidays.

The post Jingle Thief Bad Actors Target Gift Card Issuers for Fraud appeared first on PaymentsJournal.

Officials in Germany have shut down more than 1,400 illegal domains in Eastern Europe linked to cybertrading fraud, marking a potential dent in the fast-growing international problem.

Dubbed Operation Heracles, the probe was led by Germany’s financial watchdog BaFin, alongside law enforcement agencies in Germany and Bulgaria. Users visiting the fraudulent websites were directed to brokers operating from overseas call centers, where they were subjected to high-pressure tactics encouraging them to invest large sums. Authorities said many investors only realized months later that their money had never been placed in legitimate accounts.

The criminals behind the fraudulent domains have not yet been identified, though the sites now redirect visitors to a seizure page. A similar operation last year took down around 800 illegal domains, yet authorities recorded 20 million subsequent attempted visits to those addresses—underscoring the scale and persistence of such scams.

Dangerous Websites

Fraud is growing rampant worldwide. In the U.S., social media remains the primary avenue for investment scams, while fake websites rank as the second-most common channel, with 6,007 fraud reports and $266 million lost, according to a report from BrokerChooser. Investment scams are the fifth most common type of fraud in the U.S., with 66,703 reports recorded in the first half of 2025. Overall, Americans lost $3.5 billion to investment scams during that period.

Artificial intelligence has enabled criminals to create realistic, sophisticated platforms in minutes, tricking victims into depositing funds that are then stolen. According to Authority Hacker, scams involving artificial intelligence cost Americans more than $108 million, with an average loss of $14,600 per victim. 

The Invesco Scam

Similar scams have been uncovered in Europe. Bafin recently reported that criminals posing as Invesco employees were contacting individuals by phone and email, offering the chance to open trading accounts that appeared to be linked to Invesco’s German branch. It is unclear whether these criminals were connected to the domains that were shut down this week.

“The impression is given that the trading accounts offered are connected to the Invesco branch in Germany, which is supervised by BaFin,” a regulator told the website Finance Magnates. “This is not the case. This is a case of identity theft. No Invesco employee would call consumers unsolicited or try to persuade them to invest in Invesco products via email or WhatsApp.”

The post Germany Shuts Down Investment Fraud Network appeared first on PaymentsJournal.

A substantial amount of customer data was stolen in a hack of Oracle’s enterprise software suite, an incident that could have far-reaching ramifications.

According to Google, the breach was carried out by CL0P, a group of cybercriminals responsible for a string of high-profile ransomware attacks. These attacks often target third-party software providers with the goal of pilfering large volumes of corporate data.

The criminals targeted Oracle’s E-Business Suite of applications, which clients use to manage vital operations like logistics, supplier data, and customer information. Google believes that CL0P conducted extensive research into Oracle’s potential vulnerabilities and began extracting data from Oracle clients as early as three months ago.

Because the breach may have gone undetected for such an extended period, the full extent of the damage is still undetermined. Google analyst Austin Larsen told Reuters that “we are aware of dozens of victims, but we expect there are many more.” He noted that due to the scale of CL0P’s previous ransomware campaigns, there were likely more than 100 companies impacted by these attacks.

An Organizational Epidemic

Ransomware attacks have become a global epidemic, impacting organizations of every type and size. Recently, state governments in Nevada and Ohio have both experienced ransomware attacks that disrupted administrative systems and potentially compromised residents’ data.

In addition to public infrastructure, healthcare providers and financial institutions are common targets for ransomware because their systems store vast amounts of personal and sensitive data.

Frequent and Severe

Regardless of the sector, both the frequency and severity of ransomware attacks continue to increase. Data from Trustwave SpiderLabs shows that the percentage of reported ransomware attacks involving U.S. organizations saw a substantial uptick last year—from 51% in 2023 to 65% in 2024.

Several factors contribute to this surge. One is the rise of new technologies such as artificial intelligence, which has supercharged the sophistication and speed of fraud and cyberattacks.

Another is the growing presence of organized groups of bad actors such as CL0P, which can carry out large-scale attacks with precision. While these groups may initially focus on stealing protected data, their ultimate goal is financial gain. Many of Oracle’s clients have reported receiving extortion demands from CL0P, with ransom requests reaching into the millions for the return of stolen company data.

The post Oracle Hack Likely Impacted Over 100 Companies appeared first on PaymentsJournal.

Identity theft is becoming an increasingly serious problem in auto lending, with fraud rates surpassing those seen in credit card applications.

According to data from SentiLink, fraudulent auto loans accounted for 3.3% of all applications in the first half of 2025, spiking to 5.5% in May during a coordinated attack on select lenders. By comparison, the identity theft rate for credit card applications was 2.7%.

The report identified several common warning signs of fraudulent auto loans. The most frequent red flag involved issues with the applicant’s phone, such as unusual geographic patterns—when the area code or other phone information does not match the applicant’s other data. Additional concerns include mismatched email data, suspicious email domains, and risky carriers.

Synthetic Fraud Is Less of a Threat

Synthetic fraud—where fabricated identities are used—has been less of a concern for auto lenders than applications that misuse real personally identifiable information (PII). Instances of Synthetic fraud fell to 0.8% in the first half of this year. Since many auto loans are completed in person, using a wholly synthetic identity typically requires at least a forged driver’s license; more commonly, an applicant will present their own license together with a stolen Social Security number.

“Auto loans are vulnerable to fraud because they involve large dollar amounts and multiple points of contact between the buyer, dealer, and lender,” said Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research. “Though identity verification at the dealer level is often the first line of defense, the process often relies on manual reviews that lack real-time verification. Those gaps give fraudsters using stolen identities just enough time to get approved before the lender reviews the file. Auto financing still depends on human review, which is often not sufficient to spot sophisticated fraud.”

How the Game Is Played

One Miami auto-theft and fraud ring carried out coordinated attacks using stolen identities, according to SentiLink. Mules purchased vehicles using false information on loan applications. Some dealership employees were complicit, and the buyers laundered titles through corrupt contacts at the DMV. The ringleaders then exported the cars or funneled them through luxury rental fronts.

Another tactic: the identities used in an attack had been previously used in applications with credit-builder companies to create a transaction history for the criminals’ stolen or fabricated PII, making the applications appear legitimate on first review.

The post Auto Loan Fraud Grows, Fueled by Identity Theft appeared first on PaymentsJournal.

Fraud has surged as cybercriminals have developed new technologies and tactics. Wealth management clients have become prime targets—in large part because they have more to lose. Even though high-net-worth individuals may be at higher risk from fraud, they also have a powerful resource to help protect them: their financial advisor.  

As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, detailed in The Understated Cyber Vulnerabilities of Wealth Management Clients report, wealth managers must consider particular variables when developing strategies to safeguard their clients. Creating these defenses is critical for financial advisors, not just to protect clients but also to build relationships that can span generations.

Considering the Whole Household

The fraud landscape has shifted dramatically in recent years amid the emergence of technologies like artificial intelligence. AI-powered tools have made it harder to discern fraud attempts from legitimate communications, and bad actors increasingly utilize phishing attacks that impersonate major companies like Amazon or PayPal.

Along with more convincing messages, cybercriminals can glean more data about their targets from the internet because individuals often post detailed information about themselves online. Armed with this knowledge, bad actors can send timely and crafted messages to potential victims, such as emails or texts purporting to be from a friend or relative.

What’s more, it is often not simply the wealth management client who is the target. Increasingly, cybercriminals are casting a net wide enough to include their families.

“One thing that stands out about wealth management clients from our survey that I think is surprising is that among the majority of wealth advisors that we surveyed, most of their clients have children under the age of 18 living in their house,” Goldberg said. “That raised a big flag for us, because we know from separate research that we do at Javelin that households that have children under the age of 18—by default—are at greater risk of being targeted by a social engineering attacks, such as a scam.”

Social engineering techniques, whereby bad actors manipulate their targets to goad them into compliance, have become a fixture of fraud attacks across the board. However, children can be especially vulnerable because they are typically more comfortable with interacting online and sharing personal data.

Children are also more likely to be present on social media platforms like YouTube or Instagram and be active in online gaming communities like Fortnite.

“It’s just simply that children are more likely to be targeted,” Goldberg said. “Children post a lot about themselves on social media. They’re more likely to interact with people they don’t know in real life. The prevalence and the use of online gaming platforms put them at risk. And if you have a child in the house who has been victimized, you’re more likely to have another adult or even child in the house victimized.”

In addition to children, wealth managers should consider that seniors are a top target for cybercriminals. Many elderly adults use social media and e-commerce platforms but may not be as equipped to identify threats or resist social engineering tactics as younger adults are.

Because more adults are caring for elderly parents or relatives, wealth managers must consider their clients’ whole households.

Protecting Identities and Accounts

Although wealth management clients may not face threats that are significantly different from those being deployed against consumers generally, they have an extra layer of protection in their financial advisor.

However, cybersecurity has sometimes been a blind spot for family offices. Many advisors may have developed robust strategies to protect their clients from medical or property emergencies without considering that a cyberattack can be just as damaging.

“This offers a unique opportunity for wealth advisors to build on the long-term relationships that they already have with their clients and to be there as a resource to provide their clients with guidance about cybersecurity best practices,” Goldberg said. “How can they protect themselves if they feel that they could be victimized by a scam? Most importantly, if they are victimized by a scam, knowing that they could turn to their wealth advisor for help.”

One of the most important steps wealth managers can take is to stay on top of fraud trends and educate their clients accordingly. Bad actors are constantly shifting their techniques to find vulnerabilities they can exploit. Additionally, financial advisors should detail the actions clients should take if they feel they have been compromised.

Beyond education, an ever-growing array of software tools can help wealth managers keep their clients’ data safe.

“One of the things that we highly recommend in the report is that wealth advisors offer white-labeled identity theft protection services to their clients,” Goldberg said. “This would be the wealth advisor partnering with a company that offers identity theft protection and then taking that identity theft protection and packaging it and white-labeling it.

“It’s putting your brand on it, but then selling it at a discounted rate or maybe even offering it free of charge to your high-wealth or high-value clients, because when their identities are protected, their accounts are protected. It just helps to reduce the risk of fraud.”

Building Relationships Through Cybersecurity

Like all consumers, wealth management customers are increasingly concerned about the rising fraud threat, and many are unsure about how to protect themselves.

Providing cybersecurity education and developing a prevention plan can substantially strengthen the relationships between advisors and clients. Once this trust is established, it can create relationships that can last for generations.

“As we’re looking at generational wealth, the more that wealth advisors can do to shore up and reinforce that relationship with the clients they have today, the more likely they’re going to get the children of their clients today and the grandchildren to stay on as wealth advisory clients,” Goldberg said. “It is just about relationship building and maintenance through cybersecurity.”

The post Uncovering the Cybersecurity Threats Wealth Management Clients Face appeared first on PaymentsJournal.

One of artificial intelligence’s key strengths is its ability to spot anomalies—a functionality that Bank of England Governor Andrew Bailey said banking regulators aren’t fully leveraging.

Bailey called for greater investment in AI and data analysis, despite the substantial investment many central banks have already made in the technology.

The regulator noted that in many cases, current models are generating vast amounts of data for regulators to sift through, but that, “none of us, I think, can put our hand on our heart to say that we’re sort of optimally using it all.”

This inefficient analysis of data, even with AI, raises concerns that there could be a “smoking gun” right under authorities’ noses—such as evidence of fraud or money laundering in the financial institutions they are tasked with overseeing—that they are unable to pinpoint.

Evident Fraud Protections

The significant benefits of deploying AI in fraud detection have become more evident as the technology sees wider adoption.

According to a FIS survey of business and tech leaders, over three-quarters of respondents said that AI enhanced their organization’s fraud detection and risk management programs. As a result, nearly half of these leaders indicated that their companies plan to increase AI investment over the next two years.

A separate study from the Bank for International Settlements (BIS) and the Bank of England found that AI models are a valuable fraud detection tool, even when analyzing real-time payments. AI not only proved more effective at detecting suspicious activity than traditional fraud defenses but also enabled financial institutions to uncover new fraud patterns much faster.

Actively Addressing the Issue

Although AI has been a game changer for fraud detection, it has also been a powerful tool for fraud perpetration.

Bad actors have been able to adopt AI much faster and at a larger scale than the financial services industry, as they are not constrained by compliance or regulatory requirements.

Both financial institutions and their regulators have often been overwhelmed by the volume of data AI can generate and unsure how to process this information or integrate it into their day-to-day operations.

Many banks and credit unions have also been hesitant to give AI free rein in fraud detection due to concerns that the tech could produce false positives, which may increase customer friction.

However, the growing threat of fraud suggests that consumers may be willing to tolerate occasional false alerts in exchange for stronger protections. According to data from the University of Notre Dame, most consumers stay with their bank if the institution actively supports and protects fraud victims.

The post UK Regulator Calls for More Efficient Analysis of AI-Provided Data appeared first on PaymentsJournal.

As bank fraud continues to grow, it’s more important than ever for financial institutions to be proactive in fighting it. Research shows that when banks make a clear effort to identify and catch the criminal, customer loyalty improves—even among those who were directly affected by  fraud.

When a bank can’t tell a victim who was behind a fraudulent transaction, that customer is far more likely to close their account and leave. A study from the University of Notre Dame found that fraud victims abandoned their banks at a rate 40% higher than customers who had never been defrauded.

But the story changes dramatically when the bank identifies the criminal. Not only do customers feel safer, but attrition drops sharply—62% fewer victims leave compared to customers who never experienced fraud at all.

“Intuitively, we might expect that any instance of fraud would harm the relationship between a customer and their bank, even if the case was resolved,” Vamsi Kanuri, author of the study, told Notre Dame News. “Yet in cases of correct attribution, not only do customers stay, but they also display higher levels of loyalty than those untouched by fraud.”

Long-Term Relationships

Banks need to show a strong willingness to fight on behalf of their customers.

“It’s not necessarily about the fraud itself that’s driving customers away; it’s more about how a victim’s financial institution is showing up for them and being an advocate,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “Banks can grow loyalty and trust in demonstrating that they care about what happens to their customers.”

That loyalty persists over the long haul. In fact, a bank that successfully catches perpetrators of fraud earns a lasting reputation for competence. On the other hand, a bank that fails to stop criminals immediately risks being seen as unreliable.

While that negative impression may fade over time, customers with shorter relationships or fewer touchpoints are more likely to leave if a criminal goes undetected. By contrast, long-standing customers or those who interact frequently with the bank are generally more forgiving.

Worth the Hassle

According to Javelin, victims who have a bad experience with identity fraud are similarly willing to close their accounts and move on.

“This says a lot given how interconnected our financial and non-financial accounts tend to be, with growing digital footprints,” said Sando. “The work involved in opening a new bank account and reconnecting various products and accounts is a better option than sticking with the financial institution where they suffered a bad fraud experience.”

The post Banks That Actively Fight Fraud Retain Their Customers appeared first on PaymentsJournal.

For many years, banks have promised not to send their customers correspondence that looks like scams. They would never ask consumers to click on a link and provide information or ask them for one-time pass codes over the phone.

But those strategies aren’t working anymore. Scammers are starting to mimic what bank professionals have been doing. As a result, the correspondence banks are sending increasingly looks like scams, confusing consumers. In a new study from Javelin Strategy & Research, Avoid the Fake: How AI Can Stop Bank Impersonation, Javelin Senior Analyst in Fraud Management Jennifer Pitt examines why this problem is so pernicious and how emerging technology can help rectify it.

A Message or a Scam?

Legitimate bank correspondence now asks customers to type in their account number first, so the bank knows that they are legitimate. Or it asks users to call the bank and provide the one-time passcode they had been sent. Both of these requests resemble traditional scams.

Banks are doing this for a couple of reasons. They want to eliminate customer friction, making it as easy as possible for potential victims to report fraud. Having customers click on a link or respond to a text message is much easier than making them contact a call center. The problem is that customers have been trained to regard such overtures as scams.

“If banks are going to send text messages or emails for fraud alerts, they should never ask customers to click on any link or to provide any sort of information, whether it’s your bank account number, your name, a one-time passcode, anything like that,” Pitt said. “If you’re going to send out fraud alerts that are text message or email-based, it should always provide the transaction information and direct the customer to contact their bank at the phone number they already have. Sometimes organizations will say it’s the number on the back of your debit or credit card, or visit the website and log into your account. There should never be an actual link provided for them to click on.”

Email vs. Text

Historically, scam education efforts drew heavily on protecting against email phishing. For a variety of reasons, text messages have become a common way for banks to communicate with their customers.

It’s harder for consumers and technology to detect whether a text message is fraudulent. Because the messages are so short, it can be harder to detect red flags than it is with an email.

“Because people are shifting from email to text message, it leaves these scammers with a wider victim pool,” Pitt said. “They are not leaving any gaps anymore. They’re going to use all the resources and basically hit every channel, every consumer base at one time.”

Banks now provide some of this correspondence in the form of in-app push notifications. These notifications may be the most secure method of delivering information because the person has to be in the app to receive the message. But many customers do not use the banking app, whether because of a lack of comfortability or perceived security concerns.

 “You can’t just tell banks just go through the app, because you’re essentially eliminating a lot of your customer base,” Pitt said. “There are some customers that still only do business through mail or email or text message. You have to address fraud alerts and fraud prevention education on all different channels.”

Confusing the Customer

Many banks have already trained consumers to call and verify whether any communication is legitimate. While that can be an important safeguard, it can also lead to conflicting impulses in the customer’s mind.

“The customer hearing that education says, OK, I received this scam correspondence. I’m going to call my bank,” Pitt said. “They call their bank and the bank says, no, that particular correspondence is actually from us, and it’s legitimate. In the mind of the customer, they can’t separate out this correspondence from a fake one, so now any correspondence they get is now legitimate. If they get a scam correspondence, they can be easily deceived into providing some sort of information or money or making a transaction.”

The ramifications of scenarios like this go beyond customers losing money to scammers. Now they don’t trust their bank to protect them. When their bank sends a legitimate fraud alert, warning them that they need to act now, customers will ignore it.

Banks are not only confusing their customers but also losing their trust—and risking eventually losing them as customers.

How AI Can Help

With the emergence of AI, nothing is 100% foolproof, not even an app. There have even been instances of scammers setting up fake apps in the app stores. If nothing is impenetrable, how can banks protect themselves and their customers?

One possible answer isrule-based alerts. If a behavior or a transaction is out of the norm for a customer, the bank could flag it as a potentially fraudulent transaction, then send manual alerts to the customer.

AI can help power not just the technology sending out the alert but also the technology gathering the information, looking at different behaviors of customers. Are the transactions unusual for this behavior of this customer? Is it different from what the customer said they would do? If the customer says, for example, I will never send wire transfers, the AI-powered technology would flag any wires as potential fraud.

By using AI to send out the alert, the communication could be tailored to the customer and thus more likely to get attention. It could say, “We notice that you typically don’t make transactions in Saudi Arabia, and we see a $900 transaction in Saudi Arabia. Is that yours?”

Pitt also recommends being upfront with customers when they’re onboarding about what will happen if they become a fraud victim. They will be better prepared, and there’s real value for hearing such information when they’re not in the midst of a fraud or other kind of attack and feeling like they need to react immediately.

Looking Worldwide for Solutions

Cooperation and collaboration are also key parts of the solution. Other countries are ahead of the United States in detecting and preventing these scams as well as in helping victims with reimbursement. Australia is at the forefront of such technology with its scam checkers.

“In the U.S., scam checkers essentially allow customers to type in or copy/paste text messages or images to see if it’s a scam,” Pitt said. “The difference is in other countries it’s already integrated in some banks, and they have procedures in place on regulations for scams. We don’t have that in the U.S., and we need to get on board.

“Regulators need to get into play here. But banks also need to start cooperating with other organizations like social media companies, telcos, and their customers, shifting the liability and taking on reimbursements. We need to build back customer trust.”

The post Why Fraud in Bank Communications Has Been So Hard to Shake appeared first on PaymentsJournal.

Younger people are far more likely to consider committing insurance fraud than older generations, a finding that aligns with other age-related patterns in fraudulent behavior.

Researchers at the University of Georgia surveyed respondents on whether they would consider such actions such as including damages from a previous incident in a new car accident claim or providing false or misleading information on an insurance application to get better coverage. Two out of five respondents between the ages of 25 and 34 indicated they were comfortable with these actions, often framing them as ways to save money or help friends in difficult circumstances.

By contrast, only about 5% of respondents ages 55 and older expressed approval such behavior. The study suggested that older adults may possess a stronger moral framework, with attitudes toward fraud largely shaped by ethical considerations.

Negative Feelings Toward Insurers

Overall, all age groups expressed negative feelings toward insurance companies; however, the study also noted that younger adults tend to interact with insurance companies in a more impersonal way, and often perceive fraud as a victimless act.

“Younger adults are more comfortable committing most types of fraud,” said Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research. “They rationalize their behavior by airing their dire economic situations and stating that fraud is a victimless crime because they are stealing from large companies—like insurance companies—that can afford the losses.

“Many younger adults also think that insurance companies are simply ‘stealing’ money from hard-working people just to line their pockets. So they have no problem stealing from the organizations that they believe are stealing from everyone.”

Unsure of Where to Draw the Line

The younger adults surveyed changed their views only when they feared significant consequences or broader harm resulting from their actions. There was a clear lack of understanding about what constitutes fraud. Many participants were unsure where the line is drawn between legitimate—but questionable—claim practices and outright fraud.

This appeared to be the case in the rash of check fraud committed against Chase Bank, which was driven by a viral TikTok post in 2024. Many participants convinced themselves that they were simply taking advantage of a banking “glitch.”

“People used to make decisions based on their moral compass—or by weighing the risks versus the rewards,” said Pitt. “Many of today’s youth are no longer weighing moral implications or risks versus rewards when deciding whether to commit crimes like fraud.”

The post Insurance Fraud: Not a Problem for Younger People appeared first on PaymentsJournal.

The modern financial landscape has created fertile ground for authorized push payment (APP) fraud, where victims are tricked into willingly transferring money under false pretenses. The expectation for real-time banking and instant payment settlement means transactions are often completed in seconds—leaving little room for reversal. Cross-border payments have become routine, even for everyday consumer purchases.

At the same time, advancements in artificial intelligence have made it easier for criminals to craft convincing scams. The FBI’s Internet Crime Complaint Center says losses from investment scams alone reached $4.57 billion in 2023 – up 38% from the year before. LSEG Risk Intelligence’s analysis shows that global APP fraud losses could reach $331 billion by 2027.

Addressing APP fraud requires a comprehensive approach, ranging from consumer education to advanced biometrics. In a PaymentsJournal webinar, Aravind Narayan, Global Director of Digital Identity and Fraud Proposition at LSEG Risk Intelligence,and Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research, discussed the tools available to financial institutions to counter this growing threat.

Why the Problem Is Growing

Consumers no longer find it unusual when someone asks for a payment immediately. What was once a red flag now feels routine, thanks to the rise of instant payments. But once that money leaves an account, the transaction is typically irreversible—often completed in 10 seconds or less.

Digitally savvy consumers can buy and sell goods across borders with ease, but that global reach makes fraud more difficult to detect. Each country has its own regulatory framework, and cross-border transactions involve at least two jurisdictions. This complexity slows investigations and delays potential reimbursements.

The fight against fraud has also become more challenging with the rise of AI. Today, generative AI enables criminals to easily write well-constructed, convincing emails that appear to come from executives or trusted contacts.

On the consumer side, AI-assisted grandparent scams are also increasing. A few seconds of someone’s voice from social media or a video clip is enough to create deepfakes using widely available tools.

“The CFO of a company in Hong Kong called for an urgent meeting with his direct reports in a Zoom call,” said Narayan. “None of the six people on the call could detect that the individual posing as the CFO—who they all knew—was not actually the real person. It was a deepfake live video call. He told them the company has some financial challenges and needed to move to a different type of business, and urged them to send millions to his account.”

While this is an extreme example, these types of intra-business attacks are a real threat. Business Email Compromise (BEC) accounted for 21,489 complaints and $2.9 billion in reported losses in 2023.

Anytime an employee receives a message from someone claiming to be another employee and requesting a large sum of money, the company must have clear procedures in place that encourage questioning the request. It’s also recommended to implement a second layer of verification, especially for large transfers. If the person is seeking sensitive information, the breach could potentially lead to a much larger security issue.

Claiming Responsibility

In the UK, liability for these authorized transactions shared among the various financial institutions involved. In the U.S., it has typically fallen 100% on consumers, although that is starting to shift.

For example, Nacha—which oversees the ACH network—is implementing new rules that will require all non-consumer ACH participants to monitor for suspected fraud by mid-2026. This signals a move toward shared responsibility.

“When a scam starts with social media, the telecom may be able to stop fraud before it reaches that consumer,” said Pitt. “Instead of just saying the customer is 100% liable for everything that’s a scam, maybe we should share some of that liability with the bank or with the social media company. That will help build customer trust and let consumers know that you’re doing what you can to help them out.”

UK banks also place greater emphasis than their U.S. counterparts on consumer education to fight APP fraud.

“I recently had someone come over to do building work in my house,” said Narayan. “When I was sending them money, I got frustrated because I had to click seven times: Are you sure? Are you sure this is not a scam? Did you really know this account? Are you sending money to the right individuals? It’s frustrating, but at the same time it’s giving me a good assurance that they care about my money.”

Pushing Toward Stronger Identity Verification

Some businesses have begun implementing some type of verification, like age, as a first step. But the real opportunity lies in going further, using things such as identity verification and account verification intelligence so businesses truly know who they are transacting with. This kind of proactive verification can help prevent fraud rather than just reacting to it after the fact.

“You want to have sufficient measures of fraud prevention to make sure you know who is coming into your platform,” said Narayan. “Whether it’s Booking.com, Meta or Google, they should know who they are doing business with, because then they can share any sort of relationship and behavior attributes with a financial institution to prevent fraud before it happens.”

As it stands, too many financial service providers treat consumer education as a check-the-box exercise, simply posting content on their websites because regulators require it.

“I think that’s a really bad approach,” said Pitt. “A lot of businesses are worried about causing too much friction and losing their customers. But scammers frequently try to foster a sense of urgency: Act now or you won’t get your Social Security benefits, or something like that. This few seconds of asking ‘Are you sure?’ will essentially snap our brain out of that panicky feeling and help somebody avoid becoming a victim.”

Authorized, Not Voluntary

When talking about authorized push payment fraud, the key word is authorized, not voluntary. The victim authorizes the payment to the criminal’s account under the false belief that they are dealing with a legitimate recipient. Voluntary implies that someone is doing something of their free will.

“This terminology may sound like just wordplay, but it’s not,” said Pitt. “It is authorized because they made the transaction, but it is not voluntary. I’ve seen firsthand in jury trials how this terminology can actually affect the outcome of the case. Somebody can be found not guilty by a jury if the term authorized is used, even though it’s based on deception.”

Behavioral analytics could offer a promising solution to this problem. Is the victim showing signs of hesitation? Are they typing different than usual? Are they accessing their account in an unusual way? Recognizing these anomalous behaviors can help banks detect situations where a customer may be under coercion.

“Imagine being able to block a transaction because the bank sees that that individual has been on the phone for a longer time,” said Narayan. “That could mean somebody’s actually causing that individual to send money. They could stop that payment from happening because they’re monitoring that this individual is actually on the phone to a potential fraudster.”

In the future, it may be possible to anticipate these attacks and identify who the next frontier might be. The key is that no bank can do this alone. They need visibility into fraud occurring elsewhere to anticipate what might happen within their own organization.

A Layered Approach

Preventing fraud requires layering multiple authentication approaches, including biometrics, and triangulating these signals to pinpoint both the individual and the recipient of the payment.

“Fraud prevention is not one and done, and it’s not detection anymore,” said Narayan. “It’s not like one data point will actually prevent fraud from happening.”

A strong program requires constant monitoring and a multilayered authentication approach. With, say, a corporate treasury, you might onboard a supplier, then three months later there might be a scammer who got hold of the domain. If the treasurer emails and ask to change the account number from X to Y it’s tempting to simply do that via that e-mail, and allow the payments to go through to the wrong place.

“You need to have constant validation of the beneficiary accounts and account numbers and account ownerships,” said Narayan. “It’s absolutely paramount from a corporate treasury perspective.”

The layered approach means that entities can no longer fight fraud with spreadsheets. Automating solutions and bringing new API-based or portal based services can make sure technology does the work for you, allowing you to focus on building your business. The right experienced partner can help you find the latest mix of tools to fight APP fraud.

“We can no longer just rely on one approach,” said Pitt. “We can no longer be reactive. We can’t just monitor transactions. We can’t just look at historical behavior. We can’t just look at some intelligence. We have to have this layered approach in cybersecurity. We want to put as many barriers before that fraudster as we can.”

The post Fighting Authorized Push Payment Fraud on All Fronts appeared first on PaymentsJournal.

As email fraud filters become more sophisticated, cybercriminals are turning to Apple’s iCloud to bypass safeguards and deliver phishing messages.

According to BleepingComputer, bad actors are sending fraudulent calendar invites that claim a victim’s PayPal account has been billed for hundreds of dollars and instruct them to review a purchase receipt.

The objective is to pressure the target into calling a fake customer service number to dispute the charge. Once on the phone, bad actors attempt to convince the victim to download software that grants criminals access to personal and financial data, while also creating a gateway to install malware.

Phishing Through Trusted Channels

This type of callback phishing scam is not new, and email filters are increasingly designed to weed out such messages. What makes the iCloud-based attacks particularly threatening is that they are sent from Apple’s legitimate website, giving them a much higher chance of reaching their intended audience.

In the example uncovered by BleepingComputer, the iCloud calendar invite was sent from a Microsoft 365 account controlled by the bad actors. Since the email originiated from an Apple account and was then forwarded by a Microsoft account, it didn’t trigger any red flags. Similarly, these attacks have a greater chance of fooling their targets since they appear to come from legitimate sources.

Suspecting All Communications

Impersonating brands like Microsoft, Apple, Amazon, and PayPal has been a common practice for bad actors. While these attacks were originally easier to spot due to typos or grammatical irregularities, phishing attacks have become increasingly hard to discern.

They are also often coupled with social engineering tactics, where an individual is pressed with urgent language that demands immediate action. The combination of realistic messages and strongarm tactics is too often effective—especially against older consumers.

In addition to fabricated messages, there is a growing trend where cybercriminals exploit loopholes in organizations’ platforms for financial gain. For example, bad actors have sent phishing requests to users on PayPal’s legitimate platform, which appear disturbingly convincing.

As phishing messages become more sophisticated, users must suspect all unsolicited communications, especially those that request immediate action.

The post Bad Actors Exploit Apple’s iCloud Calendar for Phishing Attempts appeared first on PaymentsJournal.

When a financial institution detects potential criminal activity, it is required to file a suspicious activity report (SAR) with Financial Crimes Enforcement Network (FinCEN). Tracking these incidents is critical in the fight against fraud, but preparing and filing SARs if often a time-consuming process.

To help streamline this effort, a reporting solution from DataVisor is being introduced that incorporates artificial intelligence to assist with drafting SAR narratives, populating report fields, and submitting reports electronically. Integrated into an anti-money laundering platform, the tool is designed to give organizations more efficient ways to track and report fraud.

There is a significant demand for a more efficient SAR process, as FinCEN reported that financial institutions filed roughly 4.6 million SARs last year. Each requires detailed information and supporting documentation, and according to DataVisor, preparing a single SAR can take an average of 21 hours.

Weighing on Institutions

Due to the recent surge in fraud, the SAR process will continue to weigh on financial institutions, who already face substantial compliance requirements.

According to FinCEN, the trends in SAR filings echo the overall fraud landscape. Check fraud remains prevalent as more criminal groups targeting the mail. Additionally, more SARs have been submitted due to elder fraud, as older adults have become frequent targets of impersonation scams.

The emergence of the digital economy has also created new avenues for fraud, with significant increases in identity theft, account takeovers, and ACH fraud stemming from e-commerce and online financial services.

Covering Their Bases

The pervasiveness of fraud means the SAR filing process will continue to be a drain on banks. Even more so because SARs aren’t just filed when fraud is verified—they are also filed when there is suspicion of illicit activity.

However, there is another reason why many financial institutions are filing more SARs: to cover their bases. FinCEN uncovered a trend of defensive filing, where financial institutions submit a SAR if there is any possibility that fraud occurred. While this may require more work on the organization’s part, this trend is likely to continue.

Although an organization isn’t likely to be fined for filing too many SARs, an error or a lapse in reporting can be costly. For example, U.S. Bancorp Investments was fined $500,000 because it failed to file 42 SARs over a three-year period after misjudging the transaction threshold for reporting.

The post DataVisor Aims to Use AI to Optimize SAR Filings appeared first on PaymentsJournal.

The Nevada state government is reeling from a ransomware attack that has disrupted nearly all state functions and compromised an undisclosed amount of personal information.

Governor Joe Lombardo revealed that government offices were closed and online services taken offline to prevent further intrusion in the wake of the network security incident. State Chief Information Officer Tim Gallluzi later confirmed that the attack involved ransomware.

Several state services have been brought to a standstill, including the closure of numerous offices like the DMV. The attack has also impacted the state’s ability to pay contractors and vendors. A local TV station reported receiving an email indicating that the Aging and Disability Services Division told vendors that no “state payment systems are working.” Businesses whose clients use Medicaid are also experiencing payment delays.

Little Information Shared

State officials did not share whether a ransom was demanded or why the state was targeted. Nevada law prevents the disclosure of technical details of the attack, as doing so could threaten public safety.

Officials also did not have a timeline for restoring state services. In his latest update, Galluzi acknowledged residents’ frustration over being unable to access these services, noting that restoring the systems is a “meticulous process.”

As a result, the governor’s office warned Nevadans to be cautious of unsolicited calls, emails, or texts requesting financial payments, which could stem from information stolen in the attack. “The State will not ask for your password or bank details by phone or email,” the memo said. “As official state websites return online, verify information.”

Governments Are a Target

Ransomware attacks on local governments have become all too common. The city of Columbus fell victim to a massive ransomware attack a year ago, prompting Ohio to require every government agency to implement a cybersecurity program. Other ransomware attacks have temporarily shuttered services in St. Paul, Minnesota, and Fulton County, Georgia.

“Smaller municipalities and utilities are common targets for ransomware attacks, which more often than not are traced back to a phishing attack that targeted an employee,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “DNS blocking and anti-phishing education are critical first steps, but so is dark web threat intel. As ransomware become more prevalent, entities of all sizes will have to turn to organizations that specialize in threat intel to help them better identify risks associated with specific types of malware strains and infostealers, and the threat actors behind them.”

The post Ransomware Attack Shuts Down Nevada State Services appeared first on PaymentsJournal.

Financial institutions in Germany flagged millions of direct debits linked to fraudulent activity following a temporary interruption on PayPal’s platform.

In total, payments worth more than $11.7 billion were blocked by banks in an incident where the details have yet to be fully disclosed. PayPal acknowledged experiencing a service disruption that was later resolved. This issue “caused delays in transactions for a small number of accounts.”

According to Sueddeutsche Zeitung, PayPal’s scam-filtering systems were either completely or largely disrupted late last week, leading to a surge of unchecked direct debits reaching Germany’s banks.

Following the attacks, a German association that represents over 300 financial institutions noted that instances of unauthorized direct debits originating from PayPal had a substantial impact on transactions both within Germany and across Europe.

Beefing Up Defenses

This recent news underscores the immense pressure financial services companies face from cybercriminals. Bad actors can now leverage technology like artificial intelligence to carry out attacks on a wide scale if they detect any gap in an organization’s fraud defenses.

Payments companies are frequent targets for fraudulent activity, which is why they have invested in systems designed to filter out scams. In fact, PayPal recently incorporated AI to strengthen fraud defenses at both PayPal and its subsidiary Venmo.

Larger Ramifications

Even when fraud defenses deflect cybercriminals—as they appear to have done at German banks—larger ramifications can still emerge. In addition to the service disruptions that often occur, widescale impacts can damage both a company’s brand and its profits. PayPal stock, for example, dipped immediately on the news of the service disruption in Germany.

For PayPal, this incident comes at a time where the company has launched a slew of new platforms and projects to gain traction in the market. These include everything from a new cross-border payments platform, to crypto checkout payments, to an agentic commerce partnership with Perplexity.

PayPal also announced a major milestone: it is launching a digital wallet to capture more share of in-store payments. The wallet will launch in Germany initially, before being rolled out to the rest of the world.

The post PayPal Disruption Leads to Fraud Surge at German Banks appeared first on PaymentsJournal.

China has been at the forefront of mobile payment adoption, but this progress has also opened the door to new attack vectors for cybercriminals.

Traditionally, stealing card data has been the central objectives of fraud schemes such as phishing and malware attacks. Now, however, a technique known as ghost-tapping allows criminals to use stolen credentials for in-store purchases.

Once they obtain card data, they can add it to digital wallets like Apple Pay or Google Pay by intercepting the one-time authentication codes sent by these platforms. Using burner phones, they then make payments to retailers or even withdraw cash from compatible ATMs.

According to researchers from Recorded Future’s Insikt Group found, this trend originated in Southeast Asia and spread quickly across the region. But ghost-tapping could prove equally effective anywhere contactless digital wallet payments are accepted.

An Organized Network

Perhaps more concerning than the specifics of the fraud vector is the substantial infrastructure that supports it. Insikt Group identified organized networks that disseminate both the phones and the phishing software used in ghost-tapping fraud.

It also means that once a criminal makes a fraudulent purchase, they have a network to turn to for selling their ill-gotten goods. Many of these networks had been using the Telegram messaging platform until the company strengthened its security measures last year.

However, the report noted that this only pushed bad actors to shift to other platforms, and that the substantial volume of advertisements and recruitment messages there indicates a burgeoning market for goods obtained through ghost-tapping.

Future Fraudulent Use

These networks represent a growing trend in fraud: the emergence of cybercrime-as-a-service. Such syndicates provide the technology and software used for malware or ransomware attacks to other parties—for a fee.

These groups can increase the scale at which fraud attacks occur, while simultaneously making it harder for authorities to pinpoint the bad actors. Additionally, they lower the barriers to entry for criminals. Insikt Group noted that syndicates would often recycle burner phones and send them back to criminals for future fraudulent use.

The post How Bad Actors Add Stolen Cards to Digital Wallets Via Ghost-Tapping appeared first on PaymentsJournal.

The FBI has issued a warning about Russian hackers who have been infiltrating thousands of networking devices associated with critical infrastructure IT systems. The gang has been leveraging a vulnerability in older Cisco software in its attacks.

Cisco Talos, Cisco’s threat intelligence organization, said the group attacked organizations in telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Rather than issuing ransomware demands, the hackers chose victims based on their “strategic interest” to Russia.

According to the Cisco Talos blog, the hacking group is Static Tundra, a Russian state-sponsored cyber espionage group that supports Russia’s long-term intrusion campaigns into organizations of strategic interest to the government. Their goal is to extract “device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government.”

“Attacks from Russia are nothing new, but critical infrastructure is at heightened risk during times of geopolitical unrest, especially from adversaries such as Russia, Iran, and China,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Recent negotiations between the Russia and U.S., as part of efforts to end the war in Ukraine, could tip the cybersecurity scales in either direction, meaning critical infrastructure industries, like the industrial and financial sectors, in particular, should be on heightened alert.”

Long-Term Missions

The investigation into the hacking shows how long-term the plans were. Static Tundra has been around for more than a decade and has been able to maintain access to its targets for years without detection.

In the recently discovered attacks, the hackers would modify configuration files to enable unauthorized access to those devices, then use that access to conduct reconnaissance in the victim networks. They seemed to be especially interested in protocols and applications associated with industrial control systems.

Exploiting Old Vulnerabilities

To get this access, the hackers exploited a seven-year-old vulnerability in Cisco IOS software. Although the vulnerability was detected and resolved years ago, the group targeted unpatched and end-of-life network devices to steal configuration data and establish persistent access.

“Most of the vulnerabilities exploited by cyber adversaries, such as Russia, are easily mitigated via the adoption and enforcement of zero-trust policies and regular network and software vulnerability testing and patching,” Goldberg said. “Financial institutions, in particular, should be using the third and fourth quarters of 2025 to revisit and test their disaster-recovery planning playbooks, to ensure cyberthreat response is adequately addressed.”

The post Russian Hackers Infiltrate Old, Unpatched Systems appeared first on PaymentsJournal.

The Swiss bank account has long been synonymous with anonymity and often associated with criminal activity, but Switzerland is working to change that perception.

According to Reuters, the country is considering joining the International Anti-Corruption Coordination (IACCC) task force, a UK-based group that targets kleptocrats and works to recover stolen assets. Launched eight years ago, the IACCC also includes law enforcement agencies from the United States, Australia, and Canada, among others.

If Switzerland were to join the IACCC, its authorities could share intelligence with these nations and coordinate crackdowns on money laundering operations. This would be a significant step for Switzerland—an indication that the world’s largest manager of offshore funds is seeking to distance itself from its reputation as a refuge for illicit activity.

Finding New Avenues

Mitigating money laundering has become a substantial challenge for nations and organizations worldwide. The rise of crypto and digital payments has provided bad actors with additional methods to launder illicit funds.

Fintech leader Block, which owns Cash App, recently incurred a $40 million fine due to activities identified on its platform.

This penalty was levied by the New York Department of Financial Services, which found that Block’s customer due diligence and risk controls were insufficient to prevent money laundering and terrorism financing activities on the platform.

A Dual Challenge

The compliance challenges at Block highlight a dual challenge for financial institutions.

On one hand, criminals now have access to more advanced technology, allowing them to conduct activities like money laundering with greater efficiently. On the other hand, the growing compliance demands from governments have become increasingly difficult for many organizations to navigate.

There is, however, evidence that information sharing between financial institutions can help address both challenges. Adopting a cyber fusion strategy creates an intelligence community where previously siloed banks can identify large-scale fraud or money laundering trends and stay aligned with industry standards.

The effectiveness of this consortium model is demonstrated by the successes of the IACCC. Since it was founded, the group has identified £1.8 billion in suspected stolen funds and frozen £641 million in assets.

The post Switzerland Considers Joining Anti-Money Laundering Consortium appeared first on PaymentsJournal.

Digital IDs are quietly reshaping how we pay, prove, and protect—but most people don’t even know they exist. As governments and financial institutions push ahead with digital identity systems to streamline payments and combat fraud, a surprising gap is emerging: public awareness. In a world where verifying who you are is as important as what’s in your wallet, not knowing what a digital ID is—or how it works—could leave many consumers behind

Don’t miss another episode of Truth In Data! Click on the red bell in the lower-left of your screen to receive notifications as soon as the episode publishes.

Data for today’s episode is provided by Javelin Strategy & Research’s Report: Digital ID Adoption Requires Digital ID Acceptance: How Payments Can Lead the Way.

Percentage of Consumers Indicating that Digital ID Is Available to Them

• 37% – Yes, used it
• 32% – Yes, plan to use
• 21% – No, but interested
• 10% – Yes, won’t use
• 9% – No, won’t use

Source: Javelin Strategy & Research, North American PaymentsInsights, 2024

About Report

Digital IDs are gaining ground in the U.S., with access approaching a major milestone: availability to more than half the population. As adoption accelerates domestically, the European Union’s mandated rollout offers a valuable case study in what to prioritize—and what to avoid—as digital identity systems mature.

This new report from Javelin Strategy & Research explores how digital ID is evolving in the U.S., analyzing issuance trends, usage patterns, and public sentiment. It outlines the key drivers of adoption and presents a framework for measuring progress—highlighting where the market stands today and where it’s headed next.

The post How Many People Know They Can Use a Digital ID? appeared first on PaymentsJournal.

A year after the city of Columbus fell victim to a massive ransomware attack, Ohio now requires every government agency to implement a cybersecurity program that safeguards their computer systems. The measure applies to counties, cities, school districts, and townships.

Local governments must establish cybersecurity training requirements for all employees. The law also mandates that local officials report cyberattacks to the Ohio Department of Public Safety within seven days of discovering a breach. Additionally, officials may only pay a ransom with the approval of the government’s legislative body.

Origins of the Policy

This was all the fallout from a cyberattack on Columbus’ IT systems last July. The Rhysida ransomware gang, based in Russia, claimed responsibility, stating they had stolen databases containing sensitive data, including employee credentials and footage from city video cameras. The stolen data reportedly included names, dates of birth, Social Security numbers, bank account details, and even records of residents’ interactions with city services.

Rhysida demanded 30 bitcoin for the stolen data. It is unclear whether Columbus ever paid all or part of the ransom, but the mayor later declared that the data was likely “corrupted” and “unusable.”

“Upticks in cyberattacks that lead to ransomware targeting regional and community municipalities, departments of education, schools, and governments is not new or surprising,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “These types of targets have long been low-hanging fruit for cybercriminals. It shouldn’t take a devastating ransomware attack for government entities to realize the importance of cybersecurity.”

A New Zero-Trust Approach

Columbus itself has now introduced a zero-trust network, which enforces strict identity verification for anyone accessing city systems, including all city employees. Under the zero-trust model, no user or device—whether inside or outside the organization—is automatically trusted, so every access request requires multiple layers of authentication.

This policy is just the first step toward a comprehensive cybersecurity plan.

“It’s interesting to see that the governor is making a public declaration that cybersecurity mandates for stronger security and training will be enforced, but it’s not likely that this declaration will have any real impact unless these new mandates have actionable and attainable cybersecurity guidelines and roadmaps,” said Goldberg. “Zero-trust is a bare minimum, but organizations cannot rely on regulatory mandates to implement stronger cybersecurity standards. Zero-trust has to be a cultural change, one that starts with the C-suite.”

The post Ransomware Attack Leads Ohio to Establish New Cybersecurity Protocols appeared first on PaymentsJournal.

One of the most effective tools in the fight against cybercrime is information sharing—particularly through anonymized consortium data signals—a practice increasingly referred to as cyber fusion. Despite its promise, many institutions remain wary of collaborating in this way, often even within their own organizations.

Greater cooperation—through shared data and interoperable fraud, anti-money laundering, and cyber tools—not only enhances the ability to detect and prevent financial crime, but also delivers measurable benefits to the bottom line.

In a PaymentsJournal Podcast, Teresa Walsh, an intelligence professional with over 20 years experience in both the government and financial services sector, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, spoke about the advantages of adopting cyber fusion and the key barriers that keep financial institutions from pursuing it more widely.

Breaking Down the Silos

The financial industry is notorious for operating in silos, with people focused myopically on their own teams’ responsibilities—often without considering how one function impacts another. As organizations network and build stronger internal connections, it becomes clear that no single group holds the complete picture. Combating cybercriminals effectively requires consolidating information and fostering collaboration across functions.

Companies approach cyber fusion in different ways. In some cases, it involves integration within the information security department—bringing together not only the cyber threat intelligence team but also incident responders, forensic teams, AML teams, and Financial Intelligence Units. Each of these groups plays a role in the broader effort.

“First you have to understand what exactly you’re fusing,” said Walsh. “I see an increasingly prominent blurring of lines between what we would define as cybercrime versus nation-state or cyber espionage attacks. We need to get outside the box a little bit and realize that whether it’s a scam that’s impacted a consumer or a phishing attack that has compromised an employee, all of this ties together. The sooner we can connect those dots and share information across these different industries, the better off we’re going to be long-term.”

Starting Within the Organization

Cyber fusion can start within the organization by cross-sharing information and tools across departments such as AML, communications, and HR. From there, the effort can expand to include cross-industry collaboration and broader information sharing. Cyber fusion should remain fluid. There’s no way to predict what the landscape will look like in five years, so it’s essential to develop a strategy that allows for adaptability and agility.

Intelligence needs to be integrated into the process, supporting decision-makers at all levels. It shouldn’t be produced for its own sake—it must serve a clear purpose.

“You’re trying to deliver intelligence to help people looking at expanding out into a new country or deciding whether or not the technology stack that they currently have is good enough, and you’re helping them make those decisions,” said Walsh. “They need objective intelligence that’s not just about the technical ones and zeros. Most risk equations are going to talk about the threat that’s out there.”

“There’s a certain threat actor, there’s a certain tool that they’re using, and it could present a risk to your company,” she said. “What is that and how much exposure do you have? Risk managers need to have good intelligence to help them understand that threat. Analysts try to bring to the table a good understanding of that threat intelligence landscape, helping risk managers decide whether we’re doing well, and if not, how can we do better?”

Cyber risk goes beyond technology; it also involves the human element, where individuals can be psychologically manipulated. Sourcing threat intelligence experts may require thinking outside the box, including those with backgrounds in psychology or behavioral analysis. Technology has its limits, especially as many risks stem from socially engineered attacks, such as phishing texts or direct communication through social media.

“The threat intel community has been thinking along these lines for a long time, but it has to get back to the decision-makers,” said Goldberg. “It’s going to be a cultural change from the top down, and we have to get buy-in from all of these players to move in a direction where cyber fusion can be successful.”

Conversation Is Key

Most industries could benefit from creating a cyber fusion by connecting cyber teams with other internal departments. Valuable insights often emerge from stepping out of isolated workflows and engaging in open dialogue across teams. Understanding what others are working on, how different efforts intersect, and where collaboration can enhance outcomes is key to strengthening cybersecurity efforts.

“Whether it’s a small group of internal people or peer organizations that would be considered competitive to your company, you’re all basically trying to do the same function,” said Walsh. “Some of these threats are not just targeting you, they’re probably targeting a lot of different companies just like you as well. If we want to fight cyber criminals that are trying to steal information or extort money from your companies, we need to work together. We all have pieces of the puzzle, but also it helps people just on a psychological level to know that they’re not alone.”

You Are Not Alone

Sometimes the job can feel overwhelming, and it helps to connect with someone who has already been through it—or is navigating it right now. Even someone in another department might be working through the other side of the same challenge. As Walsh noted, don’t hesitate to reach out and start a conversation.

“Once everybody starts bringing all that knowledge together, whether it’s actual intelligence or just even the best practice of how to do the job, it crowdsources all of this information together,” said Walsh. “You’re no longer just an army of one trying to figure it out by yourself. You have the capabilities of a strong network around you. I’m always going to be the champion of consortiums, whether they’re official, unofficial, big or small.”

Building Trust

Transactional data can be anonymized to help these consortiums function. Some players in the space—whether on the payment side or within digital banking platforms—have access to significant amounts of data and can observe transactions across multiple organizations. Anonymizing this information could support the formation of a consortium that brings all of these players together in a trusted environment.

The trust factor remains one of the biggest challenges. Many financial institutions are hesitant to share data due to concerns about overexposure or violating data-sharing regulations. If they do share data, there’s a risk of repercussions from law enforcement or regulatory agencies, potentially resulting in fines or other penalties.

“We have to get outside some of that thinking and ask vendors to step up to the plate and help with some of this consortium data sharing,” said Goldberg. “That’s where we need to have conversations with the regulators. When you talk to regulators, they’re surprised that people are hesitant about sharing different types of threats. That’s where clarity is needed, especially when we’re going cross-sector because the financial regulator, for instance, is not going to tell a telco what to do.

Walsh added: “We need more open conversations to make sure that we’re not putting roadblocks in front of ourselves, because the bad guys definitely aren’t. If we keep putting roadblock after roadblock in front of ourselves and taking a risk-averse approach of why we shouldn’t be working together, they’re going to be able to get away with what they’re already getting away with, which is billions of dollars worth of cybercrime.”

The post Share and Share Alike: The Promise of Cyber Fusion appeared first on PaymentsJournal.

Zelle faces a new lawsuit over allegations that it lacked critical safety features, enabling criminals to steal more than $1 billion from consumers. The suit builds on an earlier complaint from the U.S. Consumer Financial Protection Bureau, which was dropped in March. Although Zelle has since implemented protective measures, the lawsuit seeks to compel the company to further enhance its anti-fraud protections and provide restitution to victims.

Zelle is owned by seven of the country’s largest banks, including JPMorgan Chase, Bank of America, and Wells Fargo. The suit claims that these parent banks, operating under the name Early Warning Services, knew for years that the platform was vulnerable to criminal activity but resisted implementing basic safeguards. The result was widespread fraud, which Zelle at times allegedly failed to address.

According to the complaint: “EWS knew from the beginning that key features of the Zelle network made it uniquely susceptible to fraud, and yet it failed to adopt basic safeguards to address these glaring flaws or enforce any meaningful anti-fraud rules on its partner banks.”

A Hasty Rollout

The New York State Attorney General’s office said the problems started when EWS hastily rolled out an electronic payment platform to allow the major banks to compete with new payment apps like Venmo and PayPal. “In their rush to launch,” the complaint says, “EWS prioritized attracting new users through a simple registration process and quick transfers that left consumers vulnerable to scammers.”

As early as 2018, published reports indicated that scams were already a problem on Zelle. The platform’s rapid payment resolution became a boon for criminals, who could withdraw money quickly and irretrievably, then disappear. The New York complaint cites a victim who was told his electricity would be shut off unless he paid “Coned Billing” $1,477 via Zelle, and another who said Zelle refused to help him after he sent $2,600 in two installments via Zelle to buy a puppy.

Addressing the Problem

Zelle’s position is that scams result from criminals tricking individuals into sending money, rather than from issues with the platform itself. Zelle also stated that more than 99.95% of transactions are completed without any reported fraud.

The member banks have already taken steps to address the fraud problem. In March, JPMorgan Chase updated Zelle’s terms of service to grant Chase the right to delay, block, or cancel payments, specifically flagging social media as a high-risk area. The complaint acknowledges that Zelle adopted basic safeguards starting in 2023, but only after the CFPB and several members of Congress began investigating the service.

The post New York State Launches New Suit Against Zelle appeared first on PaymentsJournal.

Over the past four years, the U.S. Federal Trade Commission (FTC) has observed a more than four-fold increase in the number of older adults who have lost $10,000 or more to impersonation scams.

According to the FTC, these scams generally fall into three main categories.

In the first, a bad actor poses as a representative from a well-known organization and claims there is suspicious activity on the victim’s account. In the second, a scammer impersonates a government official and informs the individual that their personal data is tied to illicit activity such as money laundering. The third type involves a criminal pretending to be from a tech company—such as Microsoft or Apple—warning the target of a supposed security issue with their device.

Although these attacks vary in form, the underlying goal is consistent: to start a conversation that can be manipulated for financial gain.

Unfortunately, these tactics are proving highly effective. The FTC reported that combined losses for the seniors who lost over $100,000 increased eight-fold in the past four years, from $55 million to $445 million.

Mimicking Common Communications

Seniors aren’t the only ones at risk—many younger consumers have also fallen victim to criminals impersonating major companies, such as Best Buy, Amazon, and PayPal. Cybercriminals not only mimic common communications from these brands, but they also now use advanced technology that makes their scams much harder to detect.

For example, a recent phishing tactic involved bad actors sending emails that appeared to come from PayPal, complete with a legitimate-looking sender address. The emails used the platform’s actual money request feature to ask for payment. The only subtle red flag? The “to:” field contained the cybercriminal’s own email address.

“The PayPal phish-free phishing attack shows just how crafty cybercriminals have become with social engineering scams,” Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, told PaymentsJournal. “Closely following advice given to consumers from FIs, fintechs, and other major financial industry leaders allows these scammers to circumvent the usual red flags consumers are told to look for when determining the legitimacy of a transaction request.”

“Consumers are primarily the first line of defense when it comes to scams, so when everything seemingly checks out and looks legitimate, it’s an easy decision to move forward with the transaction,” she said.

Personalized Fraud Tactics

These crafted messages are effective across the board, but especially so when criminals can personalize them. With younger users, criminals often leverage social media to reach their targets.

WhatsApp recently identified and deleted 6.8 million accounts on its platform linked to scams. These scams—which also appear on Facebook and Instagram—included fake investment opportunities and offers of cash in exchange for likes.

Since seniors tend to be less social media savvy, criminals use a different tactics. Phone calls are still the most common method for targeting older adults.

In addition to the communication method, criminals also tailor their messaging to maximize impact. Older consumers are more likely to take a caller at face value rather than question their legitimacy or hang up.

“Seniors are especially vulnerable because of the socially engineered techniques cybercriminals rely upon,” Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research told PaymentsJournal. “A sense of urgency and threatening rhetoric make victims feel as if they’ve been backed into a corner.”

“It’s a tactic that is particularly effective with seniors, especially when they fear a loved one might be in danger or that they could face some kind of penalty or fine if they don’t immediately comply with the criminal’s requests,” she said.

Keeping Criminals at Bay

The growing threat against seniors is prompting many organizations to take steps to prevent elder financial abuse.

Nacha’s Payments Innovation Alliance recently issued tools designed to help vulnerable consumers and raise awareness about elder fraud. Among them is a checklist to help banks assist seniors who may have been exposed to scams.

For its part, the FTC also issued guidance for seniors. It warned them not to move money to “protect” it or for any other reason. The FTC also advised older adults to immediately stop all conversations with unknown parties and verify that the individual is from the organization they claim to represent.

Additionally, the Federal Trade Commission recommended that seniors leverage call-blocking technology to reduce the risk of contact with criminals.

The post More Seniors Are Falling Victim to Impersonation Scams appeared first on PaymentsJournal.

WhatsApp took down 6.8 million scam-linked accounts—primarily in South Asia—during the first half of 2025 in a major crackdown on cyber fraud. It also announced new protective chat tools designed to combat criminal activity. The next question is whether the extensive fraud rings will be dismantled or simply adapt and find new ways to entrap victims.

Threat actors had been randomly adding users’ phone numbers to a WhatsApp group chatroom, offering lucrative returns on schemes such as crypto investments. Many of the removed accounts were traced to organized criminal networks operating in countries such as Cambodia, Myanmar, and Thailand. Meta, WhatsApp’s parent company, said these scam centers often rely on forced labor coerced into executing online fraud.

The sheer scale of these operations suggests that eradicating them won’t be a simple task.

“It’s great that they’re taking action on accounts they found to be fraudulent, but I think scammers won’t be deterred by this,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “It’s a great start in dismantling these larger criminal scam rings, but they’ll find another avenue to reach out to potential targets.”

Protection in Group Chats

WhatsApp is also introducing tools to help users identify scams, including alerts when they are added to a group chat by someone not in their contact list. According to Sando, these features could prove more impactful than simply eliminating existing scam accounts.

“The new controls that give the user visibility into the group they’re being added to is important, especially the ability to leave a group without even entering the chat,” Sando said. “By entering a chat, a potential scam victim might be curious about messages and be tempted to respond or inadvertently click on a malicious link, but by adding the ability to leave a conversation without even entering it removes those risks.”

Room for More ID Verification

One area that could benefit from further improvement is the ID verification running behind the scenes at WhatsApp, which has the potential to serve as a strong deterrent—even against major fraud rings.

“Will there be stronger controls in place moving forward to not even allow bad actors to sign up?” Sando asked. “On the flip side, how many of these accounts started out as valid accounts but were persuaded into participating in the scam centers?”

The post WhatsApp Removes Millions of Scammers, but Security Revamp Could Go Further appeared first on PaymentsJournal.

A recent fraud survey from a UK fraud consortium reveals a troubling evolution in criminal tactics, highlighting that fraud isn’t just growing—it’s getting smarter.

The findings from Cifas point to a critical shift: as traditional fraud methods are disrupted, criminals are rapidly adapting, leveraging more advanced and often AI-driven tools to bypass detection. Cifas noted that it received a record number of fraud reports in its National Fraud Database (NFD) in just through the first six months of this year. Although identity fraud cases declined 7% year-over-year, the organization stressed that this drop doesn’t signal a win—it reflects a pivot in criminal behavior.

Instead, account takeover is becoming more prevalent, especially on mobile devices. Cybercriminals are arming themselves with more powerful, automated tools—many driven by AI—that make these attacks not only easier to launch, but more likely to succeed.

Misuse of Facility

Another trend highlighted is the rapid rise in first-party fraud. According to Cifas, there was a 35% rise in misuse of facility cases, where legitimate customers abuse their accounts for nefarious purposes.

This sentiment was echoed in separate research from FICO, which found that nearly a third of respondents believe falsifying credit applications is either justifiable in many situations or considered commonplace behavior.

First-party fraud has become the most prevalent type globally, as many consumers view it as a victimless crime. Also, rising inflation and interest rates have driven many individuals to resort to fraud to make ends meet.

Digging a Deeper Hole

This financial strain has caused many consumers to take desperate actions that could have far-reaching impacts. Alarmingly, more people are selling their own identities, usually after being promised financial rewards, according to Cifas.

While selling personal data may offer a short-term fix, bad actors often take out loans or credit cards in the victim’s name—actions that can have long-lasting effects on their credit scores.

FICO issued a similar warning, noting that consumers who exaggerate or lie on credit card applications may receive a short-term credit infusion, but they are only digging themselves into a deeper debt hole. On top of an already strained budget, those who commit fraud could also face legal repercussions with lasting ramifications.

The post As Fraud Rises, Identities Are More Valuable Than Ever appeared first on PaymentsJournal.

As first-party fraud continues to surge, data from FICO reveals that nearly a third of respondents believe that lying on credit applications is either justifiable in certain situations or simply common practice.

Inflation and high interest rates have placed increasing pressure on consumers in recent years, leading to a surge in credit card debt. In response, many lenders have reduced credit limits, tightened lending standards, and shifted their focus toward more affluent customers.

FICO notes that many consumers are deliberately inflating or misrepresenting details on credit applications in an effort to secure financing—often without fully grasping how these “so-called liar loans” can strain their budgets or expose them to the legal and financial repercussions of committing fraud.

For the average consumer struggling to stay afloat, fraud may be a viable solution—but as FICO highlights, it often just adds fuel to the fire.

Muddying the Waters

First-party fraud, also known as consumer-engaged or friendly fraud, has become the most prevalent type of fraud worldwide. A separate report from Lexis-Nexis shows it accounted for more than a third of all reported fraud cases in 2024—up from 15% the year prior.

One of the biggest challenges for financial institutions is the variety of forms this fraud can take. In one common scenario, a consumer orders a big-ticket item and later files a false fraud claim. In another, the buyer claims that an item was never delivered or falsely reports it as damaged in transit.

Further muddying the waters are the instances in which a legitimate first party is manipulated by an outside bad actor into commiting fraud.

A Strange Dichotomy

Because of the increasing prevalence of first-party fraud, the first step for financial institutions is to classify fraud accurately. Only then can banks and credit unions begin to deliver the fraud defenses that customers expect.

This reveals a strange dichotomy: FICO found that even as more consumers commit fraud themselves, they are increasingly searching for stronger fraud protections.

According to its survey, nearly a third of respondents ranked fraud protection as their top priority when opening a new account—placing it above value and customer service. More than half said that solid fraud protection was a top three consideration when selecting a new account.

The post More Americans Think First-Party Fraud Is Justified appeared first on PaymentsJournal.

A consumer purchases a product and receives exactly what was described. However, they experience buyer’s remorse and want to return it. Unsure if they’ll be refunded, they falsely report the transaction as fraudulent instead.

This kind of misuse may seem minor on its own, but it is part of consumer-engaged fraud—a category often mislabeled and misunderstood.

In a recent PaymentsJournal podcast, Nicole Reyes, Managing Vice President of Risk Operations at Velera, and Suzanne Sando, Lead Fraud Management Analyst at Javelin Strategy & Research, discussed how to differentiate types of consumer-engaged fraud, the emerging threats within the category, and the steps organizations can take to protect themselves.

Defining the Divisions

As many businesses have strengthened their fraud defenses, criminals have shifted their focus to consumers. This shift has had an impact—consumer-engaged fraud has become one of the leading drivers of fraud losses in the industry for both financial institutions and merchants.

While there is broad consensus that consumer-engaged fraud is growing, there is still division over how to define it.

“It can be really hard to track and quantify this type of fraud for each financial institution, especially because of challenges such as mislabeling,” Reyes said. “Some people would consider first-party and scams together. Some would continue to keep first-party reported as fraud, and other financial institutions—once it’s determined it is first-party—they may move those into the collection bucket. So even from a settlement perspective, each financial institution can vary.”

Consumer-engaged fraud breaks down into two classifications: misuse and persuaded.

Misuse occurs when an authorized party reports a legitimate claim as fraud without any outside influence. This includes the traditional first-party fraud model, where a consumer orders an item with no intention of paying—knowingly exploiting a loophole in the system.

The persuaded form of consumer-engaged fraud happens when an authorized party acts under outside influence. Most scams fall into this category, such as when a criminal convinces a victim to pay upfront legal fees in exchange for a promised inheritance.

While there are just two overarching classifications of consumer-engaged fraud, a deeper look reveals a wide range of subclassifications.

“I think it’s kind of alarming when we lay out all of the various types of misuse and consumer-engaged fraud and the scams that there are out there,” Sando said. “It’s alarming to see all of the various ways that consumers are being targeted. But I think it also hammers home the importance of understanding the nuances of these types of fraud and that they each come with their own signals.”

Misuse and Persuaded

Under the misuse umbrella is unintentional fraud, where a consumer reports a fraud claim in error.

“They thought that they were purchasing something from Nike, but the billing website had a different name,” Reyes said. “When they called and asked to validate this transaction, maybe they didn’t recognize it. Then later they call back and say, ‘Oh, I do recognize that is my charge.’ Or they provide their card to a friend or family member and don’t recognize exactly what was spent.”

There are also various forms of intentional misuse. For example, a person may order an item—typically a big-ticket or luxury product—and then file a false fraud claim. Other types of misuse include cases where a consumer claims an item was never delivered or reports it as damaged in transit.

There are perhaps even more instances of persuaded consumer-engaged fraud. These include the many variations of scams and phishing schemes.

“One of the big ones that we’re seeing lately is the imposter or the impersonation scams, where a fraudster may impersonate an employee or a financial institution and convince the consumer to complete an action that would result in a financial loss,” Reyes said.

“Fake emails are another use of impersonation scams and one of the most successful ones—emails that appear to be from the authorized user’s financial institution asking them to click a link to update their information, which then leads to a malicious website design,” she said.

Attacking Through Multiple Avenues

In addition to the many subclassifications of consumer-engaged fraud, consumers are now under attack through multiple avenues.

“Our research at Javelin shows that consumers are dealing with a huge range of consumer-engaged fraud, and all of that is coming from a variety of communication channels,” Sando said. “You’re getting emails, texts, social media, DMs, and phone calls are still happening. There are friend requests from people you don’t know.”

“There are all these different kinds of communication methods with their own set of tactics that are constantly evolving, and so it makes tracking and preventing this kind of suspicious activity really difficult,” she said.

Technology has enabled bad actors to exploit these channels at greater scale. For example, billions of phishing emails are sent each day—a feat increasingly accomplished with minimal effort.

Artificial intelligence has also made these communications more realistic. In the past, fraudulent messages were easier to detect due to obvious grammatical errors or phony domain names—flaws that are no longer as easy to spot.

Adding to the issue is the vast amount of personal data users willingly share online. Cybercriminals can tap into this information and use it against their targets.

“They’re getting more sophisticated, where now they’ll start hacking into the email addresses and they will target a specific user,” Reyes said. “They’ll say, ‘Nicole, I know that you have a Netflix subscription and maybe you’re on a promotion that’s coming up in a year, so the email that I’m going to send to Nicole is going to be more tailored around trying to entice her to click on this link because it’s Netflix-related. Or I’m going to ask her to extend this rewards promotion.’”

The Other End of the Engagement

Because these communications are so sophisticated, organizations must place renewed focus on authentication.

“Any area or medium in which you allow consumers to engage with you—whether that’s via email, text message, over the phone, online banking—double-check the security of those, making sure you have advanced authentication measures in place, so that you truly know who the consumer is on the other end of the engagement,” Reyes said.

In addition to technology-based measures, financial institutions must ensure their education efforts are current, both internally and externally. This should go beyond simply sharing news about the latest scams. There should be interactive tools that help users become familiar with bad actors’ tactics.

Additionally, many financial institutions capture significant amounts of accountholder data that can be utilized to detect consumer-engaged fraud. For example, they could check purchases against past transactions and monitor for changes in IP addresses.

Although many organizations collect this data, they often can’t use it for fraud prevention because it is siloed in separate systems. To combat modern data-driven fraud, organizations will not only have to share data across departments but also collaborate with industry peers.

“One of my biggest key points here is to get out of the silo mindset,” Sando said. “We can’t make any progress if we don’t start somewhere. I feel like we’re just on the cusp—we’re so close to getting to this point where we can all start working together across financial institutions, across consumer advocacy groups. We just have to get past that siloed mindset of ‘I only know what’s happening in my own backyard.’”

The First Step

As institutions look for ways to move forward, many remain uncertain about the best steps to combat consumer-engaged fraud. The first step is to define the problem appropriately.

“That lack of standardization and categorizing the incident is what’s making it so difficult to effectively track what’s actually happening,” Sando said. “When there’s no industry-wide standard or even a standard set at your financial institution, that means FIs are left to make the determinations on their own of how they should categorize this. That can create delays across the board when it comes to investigating the crime.”

In addition to investigative delays, the lack of standardization often results in inaccurate reporting. Employees are frequently left to handle these incidents through manual review, making accurate trend tracking difficult.

“Those are all reasons why we created a consumer-engaged fraud classification guide—starting within our Velera partnerships—on how can we start to streamline and talk about this the same way,” Reyes said. “Not only to classify it—that’s the first step—but then the next step is how can we systematically tag these types of cases, so that we can start to put some data around it.”

“Then we can start to not only gain insights into what the true volume of the problem is, but also to start to put in preventative measures to combat it,” she said. “We can start to understand how fraud trends are going to shift and  what tactics fraudsters may use in the future, so that we’re set up for success to not only better report it and understand it, but to better fight it.”

The post Sorting the Scams: The Many Faces of Consumer-Engaged Fraud appeared first on PaymentsJournal.

Financial institutions are among the most trusted entities in the world. Consumers believe their banks act in their best interests—especially when it comes to protecting them from fraud. They expect strong, effective solutions that support their everyday financial activities, safeguard their accounts, and secure their identities.

But trust isn’t automatic—it must be earned. Nowhere is this more true than in the fraud dispute process. In a PaymentsJournal Podcast, Ryan Sorrels, CRO at Quavo, and Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research, discussed how, instead of letting disputes drive customers away, banks can use these moments to build deeper trust and strengthen relationships.

Restoring Confidence After Fraud

There is a lot of room for improvement within the fraud dispute process. According to Javelin, nearly half of fraud victims wished their financial institution had treated them like a victim—not a burden.

Banks need to refocus on ensuring that this difficult experience doesn’t lead to further negativity. In fact, many customers say the way a bank handles the resolution process has a greater impact on their trust in the institution than the fraud itself.

“They’re already having a negative experience of fraud,” said Sorrels. “We don’t want to compound that with another negative experience. Let’s take that negative experience and show up to give a great experience. You’re doing a tremendous amount to reinforce loyalty as opposed to compounding the problem and eroding loyalty even further.”

Many fraud victims want better tracking throughout the claims and dispute process. A small subset of bank consumers file fraud disputes and then never receive any follow-up. This could be due to a lack of standardized and automated procedures to make the dispute process more efficient. Some of these cases might be falling through the cracks, leaving customers feeling like they’re not a priority. Ultimately, that would make anyone feel unhappy with an organization they do business with.

The Customer Cost

Historically, the dispute resolution process has been viewed as a back-office function—primarily focused on cost, efficiency, and staffing requirements. What’s been less examined is the economic impact on the customer experience.

When banks deliver a strong dispute experience, they build trust and enhance loyalty. But a poor experience can have the opposite effect, driving customers away. In fact, many customers say the way their bank handles fraud disputes influences their loyalty—and some are even willing to switch banks after a negative experience.

“We’re so interconnected with our accounts, so it’s a lot of work to go through the process of closing an account, opening a new one and getting everything set back up,” said Sando. “There’s a lot of rigamarole around closing those accounts, reopening somewhere else, reestablishing all those connections, making sure your information is correct. If fraud victims are willing to go that extra mile, that speaks volumes to the importance of making sure that the customer experience is prioritized, and that you’re focusing on reducing that unnecessary friction and maintaining that loyalty and trust.”

Banks invest millions of dollars in customer acquisition, with the average cost exceeding $700 per customer. Maybe only 10% of people presenting disputes have a negative experience, but two-thirds of those are at risk of leaving. The cost to reacquire those customers can add up quickly. Even if just 200 customers ultimately leave due to a negative experience, that’s nearly $150,000 just in customer acquisition costs alone.

Customers who don’t leave risk moving the bank to the back of their wallet. They may stay, but they might adopting fewer products or use existing ones less frequently.

Eliminating Friction with AI

Much of the friction in today’s dispute process stems from outdated, inefficient systems. But with the right tools and automation in place, that can change drastically, and that’s exactly where Quavo is leading the charge.

Take the intake process, for example: on average, it takes a customer around 10 minutes to file a dispute. With Quavo’s AI-driven platform, that time drops to just two minutes.

But it’s not just about streamlining intake, it’s also about accelerating resolution. Accountholders don’t want to wait days or weeks for answers. These are emotionally charged moments, and every delay compounds the stress. Customers expect responsiveness and swift, fair outcomes.

Speed alone, however, isn’t enough. Transparency is equally critical. When accountholders are at their most vulnerable, they need to know their claim is being investigated, and that their financial institution is keeping them informed every step of the way.

With Quavo, issuers can deliver a faster, more transparent, and empathetic experience, end-to-end, through the digital channels customers already rely on, such as mobile and online banking.

Managing Expectations  

Fraud victims want a realistic timeline for resolution that aligns with the nature of their dispute. It’s entirely reasonable for them to want to know what to expect. By setting clear expectations, banks can turn a negative, stressful situation into a more manageable—and even positive—experience for the customer.

Customers are more cooperative when they know what to expect and when to expect it, whether the situation is stressful or routine. Financial institutions need to keep customers informed throughout the dispute process: when their participation is needed, what updates they can expect, and how the process works.

“I don’t think that’s a lot to ask for when you’re working through a process that isn’t standardized or is very much dependent on the employee that you as a customer happen to be working with,” said Sando. “Things tend to be dealt with on a case-by-case basis, and that introduces inconsistency, uncertainty, unnecessary friction into an already stressful situation.”

Certain cases, like first-party fraud, require more manual review and a personalized approach. However, in general, an unstandardized process accountholders valuable time—time that could be better spent on higher-priority, customer-facing matters.

The Advantages of Automation

There are solutions that can automate much of this process behind the scenes. When employees trust that these tasks are being handled efficiently, they can spend more time on special cases. This allows employees to devote more attention to customers who need it, making them feel like a priority.

Maintaining and growing brand loyalty and trust with the bank also involves improving these high-stress situations. It ultimately comes down to customer sentiment. At the end of the day, do they feel like they were treated as a priority? Do they have a satisfactory experience where they can say their bank handled the situation well and feel even better about the relationship going forward?

“Trust is the center of the customer bank relationship,” said Sorrels. “When there’s fraud on a customer’s account and a dispute process, it’s the banks opportunity to show up and create a great experience. On the flip side, if it’s a negative experience, it can really break that trust. The most important aspect to customer loyalty is: what are you doing with that customer’s trust?”

The post Turning Fraud Disputes Into a Win for Banks appeared first on PaymentsJournal.

As e-commerce scams mount, Amazon is investing in a 3D imaging company that could help address the growing problem of returns fraud.

The issue stems from a gap in the current online shopping model: a consumer can request a refund, and it is typically issued once the product is shipped back to the retailer. However, bad actors are increasingly sending back empty packages—or ones that don’t contain the original item—and still pocketing the refund.

To combat this, Amazon is backing Cambridge Terahertz, a startup that builds package-scanning technology for supply chain and security applications. Ideally, the tech can inspect returned packages to verify that they contain the correct items before Amazon processes a refund. It’s also compact enough to be installed at multiple points throughout Amazon’s supply chain.

Unlocking Attack Vectors

As data from Appriss Retail reflects, returns fraud is a growing issue, accounting for $103 billion in losses last year. It’s just one of many fraud concerns for e-commerce merchants.

The e-commerce zeitgeist has unlocked new frontiers for merchant—but it also opened new attack vectors for bad actors. One of the main ways cybercriminals are exploiting e-commerce is by impersonating well-known brands.

The emergence of AI has further empowered bad actors, giving them the tools to make their impersonations more convincing. Okta recently discovered that AI can be used to create realistic phishing sites that clone brands like Microsoft, Amazon, or eBay with just a few simple prompts.

Social Media-Driven Scams

Social media has given cybercriminals a new way to both study and attack their targets. For example, a bad actor may follow a social media influencer to learn which products they are promoting and attempt to capitalize on the latest craze by sending phishing emails that mention the influencer or the product.

Amazon and eBay have also been singled out in other scams driven by social media.

“You go to Facebook Marketplace, you click on an ad, and it redirects you to another site,” Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, told PaymentsJournal. “Often, it’s going to be a typo domain. Let’s say that I think I’m buying a Louis Vuitton. But when I click on that link and it takes me to the site, Louis Vuitton will be a typo domain, maybe with one of the T’s missing.”

“These particular types of attacks are getting much more sophisticated, and consumers have a false sense of trust. If they see a link that comes to them through a marketplace that they think is a trusted site, how often do we look at the domain once we click on the link?” she said.

Under Direct Attack

In addition to attacks aimed at social engineering customers, merchants themselves are often targeted by direct cyberattacks. Department store chain Marks & Spencer (M&S), a fixture of the UK’s retail landscape for over a century, faced significant losses and operational disruption following a ransomware attack.

A group of hackers infiltrated the company’s systems and threatened to shut down its network unless a ransom was paid. M&S refused to comply with the bad actors’ demands—resulting in the loss of access to critical systems. The department store was forced to halt all e-commerce operations and continued to grapple with the aftermath for months.

A Tipping Point

The constant onslaught against merchants’ systems, communications, and customers has brought the industry to a tipping point. Many fraud attacks are now powered by sophisticated technology and even perpetrated by organized cybercriminal organizations. As a result,  many merchants are seeking tech solutions of their own.

Artificial intelligence has factored into many of these solutions because the technology can parse vast amounts of data and identify red flags. This functionality is especially applicable in card-not-present environments like e-commerce.

However, any tech-based fraud defense comes with challenges. Because AI models are imperfect, the technology can make mistakes if given too much rein in the fraud mitigation process.

“Sometimes a decision is very obvious, but in cases where it’s not, if you’re not restrictive enough, you’re going to take a fraudulent transaction,” Don Apgar, Director of Merchant Payments at Javelin Strategy & Research told PaymentsJournal. “If you’re overly restrictive, you’re going to alienate a good customer who was trying to make a legitimate purchase.”

Playing Catch-Up

Customer friction, regulatory concerns, and brand reputation are constant concerns for merchants, but these considerations mean nothing to bad actors. This imbalance is a key reason why criminals have gained such a head start in adopting new technologies, leaving merchants in a perpetual game of catch-up.

Even Amazon, one of the world’s largest retailers, is only now beginning to close the loophole around returns fraud—after losing billions of dollars. To stand a chance against a rapidly escalating fraud epidemic, organizations will need have to think outside the box and embrace more innovative, proactive approaches.

The post Amazon Takes on Returns Fraud appeared first on PaymentsJournal.

After law enforcement agencies identified illegal activity, stablecoin issuer Tether froze $85,877 worth of its flagship USDT coin.

The freeze followed a user’s report that their Binance account has been hacked and their USDT was drained. However, this freeze is relatively small compared to the firm’s recent larger-scale actions.

In June, Tether froze $700 million in USDT across 112 wallets after U.S. authorities requested an intervention. To date, Tether says it has frozen over $2.5 billion in USDT after working with global authorities to identify illicit activity.

These freezes address one of the most long-standing concerns with digital assets: their potential for misuse in money laundering and fraud.

“Tether’s ability to track transactions and freeze USDT linked to illicit activity sets it apart from traditional fiat and decentralized assets,” Paolo Ardoino, CEO of Tether, noted in a blog post. “We take our responsibility to combat financial crime seriously and will continue working closely with global law enforcement agencies.”

The Foundational Tenets

The ability to identify and freeze funds at the smart contract level sets stablecoins apart from cryptocurrencies like Bitcoin and Ethereum. One of the foundational tenets of these digital assets is that they are decentralized and free from government oversight.

Privacy concerns have been one of the main reasons why stablecoins are often favored over government-issued central bank digital currencies (CBDCs). For example, critics of the digital euro said that the CBDC could be used to surveil the region’s citizens, an assertion denied by the European Central Bank.

Control and Visibility

Interest in CBDCs has continued to wane in most countries. In the U.S., legislation that would ban the Federal Reserve from issuing a CBDC has moved forward—even as the nation’s first stablecoin regulations have been signed into law.

However, stablecoin issuers’ ability to monitor and control their coins raises concerns about privacy. These concerns are amplified as a wave of new stablecoins are expected to enter the market. Retailers like Walmart and Amazon, tech giant Meta, and leading U.S. banks like JPMorgan Chase, Bank of America, and Citi have all announced plans to launch their own stablecoins.

As these products roll out, questions will persist about how these organizations will enforce the usage of their stablecoins—and how they will protect users’ data.

The post Tether Freeze Raises Stablecoin Centralization Concerns appeared first on PaymentsJournal.

As financial institutions face increasing compliance pressures, Nasdaq Verafin has introduced a platform that applies agentic artificial intelligence to assist with certain anti-money laundering (AML) processes.

Verafin, known for its cloud-based financial crime management solutions, recently unveiled its Agentic AI Workforce platform. The platform leverages AI agents to automate common compliance tasks with minimal human oversight. Two key focus areas are sanctions screening and enhanced due diligence (EDD) reviews.

Verafin’s Digital Sanctions Analyst is designed to help financial institutions manage false positive alerts—a persistent challenge in traditional fraud detection systems that often overwhelm compliance teams with manual checks.

The platform also addresses another resource-intensive area: periodic EDD reviews. Its AI agents are built to assess and close low-risk cases automatically, allowing compliance staff to concentrate on higher-risk accounts.

Significant Tech Resources

Technology-based solutions for fraud mitigation and compliance have become essential, as bad actors now have significant tech resources at their disposal.

For example, security firm Okta found that cybercriminals have exploited Vercel’s v0 generative AI tool to create full-scale phishing websites from simple prompts. It has been used to create convincing clones of sign-in pages for brands like Microsoft 365—sites that can be created in seconds.

Cybercriminals have also begun deploying AI agents. Symantec recently reported how OpenAI’s Operator agent could be used to carry out a phishing attack from start to finish.

A Double-Edged Sword

While AI can be a powerful tool for bad actors, it can be just as powerful in the hands of organizations.

A recent study from the Bank for International Settlements (BIS) and the Bank of England found that AI models are highly effective for fraud detection—particularly in identifying novel patterns of financial crime. BIS reported that AI outperformed traditional fraud defenses by roughly 26% in detecting suspicious activity.

Although AI’s potential applications come with inherent risks, financial institutions often see it as a double-edged sword. Still, with rising fraud and compliance pressures, increased AI investment seems all but inevitable.

The post Nasdaq Verafin Deploys AI Agents for AML Compliance appeared first on PaymentsJournal.

A bug in Google Gemini is allowing criminals to exploit the artificial intelligence itself, using summarized emails to launch phishing attacks. Although Google has reportedly known about the issue since last year, cybersecurity experts say it still hasn’t been fixed.

By slipping invisible text into an email—hidden with HTML tricks like white text or concealed formatting—criminals can plant a message the recipient never sees. The email appears harmless when opened, but Gemini reads everything, including what’s hidden.

If the recipient asks Gemini to summarize the email, the AI agent unwittingly includes the hidden text in its summary. That text might tell Gemini to produce a warning that the user’s Gmail password was compromised.

Since the notification appears to come directly from Gemini itself, the recipient is more likely to trust it—and to follow urgent instructions, like changing a password or calling a supposed support number.

Google’s spam filters tend to flag suspicious links or attachments, so criminals leave those out. That helps these messages slip past defenses and into inboxes, giving the criminals a way to redirect their victims to phishing sites without using obvious red flags.

Challenges for Detection

Detecting these malicious messages is a highly technical challenge. Some filters scan Gemini’s output for urgent messages, URLs, or phone numbers, flagging the content for further review. Other methods can remove, neutralize, or ignore content designed to be hidden within the body text.

As with most phishing attacks, one of the most effective defenses is education. Organizations need to ensure employees are trained to be suspicious of any urgent requests to take action—even if those requests appear to come from their AI client.

Turning AI Against Users

This isn’t the first attempt to leverage AI in phishing attacks. A technique called polymorphic phishing incorporates AI to randomize components of fraudulent emails—such as sender names, subject lines, and even the content. That helps the messages circumvent fraud detection systems trained to identify patterns in blanket emails.

Ironically, Google has long touted the abilities of Gemini to assist in cybersecurity efforts. It plays a pivotal role in the Google Threat Intelligence cybersecurity platform, which is designed to give users a more comprehensive understanding of the threat landscape and smarter insights into attacks. 

The post Phishing Attacks Target Vulnerability in Google Gemini appeared first on PaymentsJournal.

Security firm Okta discovered that cybercriminals have been exploiting Vercel’s v0 generative artificial intelligence tool to create full-scale phishing websites from simple prompts.

The AI platform was used to create convincing clones of sign-in pages for several recognizable brands, including Microsoft 365 and various crypto companies.

Vercel’s AI model is intended to help web developers in building sophisticated web interfaces using natural language instructions. However, Okta found that bad actors are manipulating the tool to design phishing sites. Additionally, there are publicly available GitHub repositories that replicate the v0 application—complete with manuals that guide other criminals to build their own AI phishing tools.

Tools at Their Disposal

This type of information sharing among bad actors is part of a disturbing trend. Additionally, more platforms offering cybercrime-as-as-service have cropped up. These platforms allow criminals to purchase ready-made ransomware, Distributed Denial of Service (DDoS), and other types of malware.

As a result, once bad actors gain access to an organizations’ systems—a feat often achieved through phishing—they have a wide array of tools at their disposal to inflict significant damage.

Taking Phishing to New Heights

While many cybercriminals’ early forays into AI focused on creating deepfakes, bad actors have quickly evolved their artificial intelligence-based attacks. One reason they have been able to successfully incorporate the technology is that they aren’t hindered by the regulatory and operational constraints that businesses—especially financial institutions—face.

This evolution is ongoing. Okta noted that attacks crafted by manipulating Vercel’s platform have taken phishing to new heights, as the AI model is highly effective at creating realistic sites.

Traditionally, part of the defense against phishing has been user education. For example, many phishing attacks were identifiable because they contained typos or originated from fake domains—flaws don’t exist with the v0-created websites.

While user education remains critical, AI-driven phishing threats demand stronger authentication methods to ensure only the right individuals access systems. In addition to rigorous vetting, organizations should treat authentication as an ongoing process—users should be constantly verified to keep bad actors at bay.

The post How Bad Actors Leverage AI to Build Phishing Sites in Seconds appeared first on PaymentsJournal.

For years, financial institutions have relied on static authentication methods to verify their users. Customers use a password or biometrics to identify themselves when they log in to an account, after which they have full access. But with account takeover attacks rising, it’s time for these institutions to consider continuous authentication methods, which monitor signs of fraud throughout the process.

In a new report, Account Takeover: Static Authentication Enables Access Without Confirmation, Javelin Strategy & Research Senior Analyst of Fraud Management Jennifer Pitt looks at the drawbacks of traditional authentication methods and why banks are increasingly turning to continuous authentication.

Current Ways of Fighting Back

Account takeover fraud cost consumers $15.6 billion in 2024, a sharp increase from $12.7 billion the year before. That’s more than double the dollar loss resulting from new-account fraud. Clearly, static authentication, the primary method of verifying identity, is not doing the job.

If a criminal logs into an account using legitimate (but stolen) login credentials, static authentication would likely validate them as the verified user. The only way the bank or organization can determine that it’s someone else is by examining account behavior: Is the user looking at the account information when they usually don’t? Are they trying to place transactions they normally wouldn’t? Continuous authentication looks at all this user behavior in the background, noting what is different from the verified user.

“It’s not going to prompt you to log in again or ask you for your credentials,” Pitt said. “With continuous authentication, AI-powered tools are essentially collecting information about what you’re doing in the account and making sure that that information is consistent with the actual user who was verified.”

If financial institutions determine that the activity is suspicious, such as an attempted transaction in a jurisdiction that is considered high-risk, they might use what’s called step-up authentication. This involves asking the user to verify using some other method, such as a thumbprint or a knowledge-based question.

Overcoming Legacy Systems

One reason many businesses have resisted continuous authentication is that it requires advanced technology. Legacy systems often don’t have the technology in place for it, and some banks might worry that continuous authentication would cause customer friction.

“Vendors that offer continuous authentication solutions really need to educate individual consumers better as well as financial institutions on what that means,” Pitt said. “It actually will mitigate friction for consumers, because you’re not requiring those continuous logins and that continuous information, but you’re still able to track unusual behavior for that consumer.”

Many financial institutions don’t know the risk indicators for account takeover because a lot of them constitute normal behavior. Indicators include somebody using a VPN or failing on a login attempt, which any user could do.

Using legacy solutions, financial institutions are left with two basic options: block everything that uses one of those risk signals, causing potential customer issues, or let everything else go because the signals may indicate something other than an account takeover.

Perpetual KYC

Similar concerns exist over traditional know-your-customer (KYC)  processes, which are done during onboarding only. Typically, a customer might get something from their financial institution asking various questions: If you have a business, what business is it? What’s your income? What are you going to use your bank account for? What types of transactions are you going to make, and at what dollar amounts?

All that information is critical to understanding and vetting the customer. Most financial institutions do that only once during onboarding, or they might do it annually when they review accounts.

“If something was missed during the initial KYC, or maybe the customer lied, then you don’t know who your customers are,” Pitt said. “Maybe that customer changes from a legitimate customer to a fraudster, and you don’t know because during that year gap you have not vetted that customer.“

Perpetual KYC, on the other hand, uses AI-powered tools to vet customers in real time. Every time a consumer uses the account, perpetual KYC assesses the risk. If the risk level is heightened, then it will flag the account or the customer and send it for possible manual or step-up review.

Traditional KYC processes miss a lot of fraud and money laundering, which has resulted in significant fines as a result. TD Bank, for example, last year was the first bank to be criminally charged for failing to find money laundering. That could have been avoided by implementing perpetual KYC.

More Than Just Banks

People think mostly of account takeovers in terms of bank accounts. But one reason this fraud is so pervasive is that every type of account is at risk.

If somebody takes over a social media account, they can essentially scam the user’s friends and colleagues. Somebody taking over an email account, they can do a great deal of damage with it.

“If I only know your username and password, when I log into your financial account, maybe now I can see your email address and your phone number,” Pitt said. “I can see your Social Security number. I can see that your account links to another account at a different bank, and now I’m going to try that account.

“Banks need to get out of the thinking that it’s solely financial accounts that are being taken over and one account. They’re after as many accounts as they can, as quickly as they can.

Criminals ultimately want money, and they can get the most amount of money with account takeover. The accounts are already vetted. They’ve already gone through KYC checks, the identity has already been verified, and accounts are often linked to other financial and non-financial accounts.

“Banks are still looking at fraud the way it was 20 years ago, where we didn’t have generative AI solutions that fraudsters are using,” Pitt said. “We didn’t have bots. We didn’t have the prevalence of account takeover, because it was much harder for them to actually take over an account. We need to look at subtle behavior changes instead of major things, and we need to make the process continuous.”

The post New Continuous Strategies for Battling Account Takeovers appeared first on PaymentsJournal.

Although nearly all Canadian banks are now using artificial intelligence in some capacity, the biggest returns are coming from its role in fighting off criminal attacks.

According to a new study from GFT, nearly 75% of Canadian banks are deploying AI for fraud detection, while roughly two-thirds are using it to bolster cybersecurity. Close behind, nearly 68% report using AI to enhance customer service.

Nearly all surveyed banks said their AI investments have paid off in some form. However, the strongest returns are coming from cybersecurity efforts, with 23% citing it as the area delivering the most significant ROI. Fraud detection follows at 22%, with automated customer support ranking third at 19%.

A Back-Office Function

That highlights another key finding from the study: AI has played a larger role in back-office initiatives than in customer-facing ones. Most retail banks have invested in AI to improve customer service, yet only 18% report seeing measurable results in that area. In contrast, although only a third have implemented AI for internal operational functions, the majority of those report that back-office applications are delivering the greatest value.

However, AI presents a double-edged sword for these banks. Half cite cybersecurity risk as their top challenge when considering AI adoption. With AI systems handling sensitive data and influencing critical decisions, banks are increasingly caught between the drive for innovation and the need for protection.

Searching for Outside Help

Altogether, 63% of Canadian banks are now using AI in some form. They are already allocating more than a third of their IT budgets to AI and plan to increase that investment by 20% over the next five years.

Banks recognize that they will need support to fully harness the technology. More than half of those surveyed said they plan to adopt a hybrid approach, combining in-house and outsourced teams to scale their AI efforts. An equal number of banks said they prefer to outsource their AI efforts to external partners as those planning on building strong internal capabilities.

“AI has become an absolute necessity in fraud prevention and detection,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “As attacks become more sophisticated and complex, AI and machine learning are detecting anomalies and suspicious behaviors in a way that older technology can’t. The key is that these models improve over time, making fraud detection more precise as time goes by.”

The post The Best ROI for AI in Banking? Cybersecurity appeared first on PaymentsJournal.

When a financial institution’s customer is tricked into sending a payment, there has often been little recourse for the victim. As credit push fraud becomes increasingly prevalent—amplified by sophisticated technologies—the financial services industry must strengthen its protections.

This is why Nacha has developed a framework of fraud management rules that will go into effect next year. In a recent PaymentsJournal podcast, Devon Marsh, Managing Director, ACH Network Rules & Risk Management at Nacha, and Elisa Tavilla, Director of Debit Payments at Javelin Strategy & Research, examined the requirements of the new rules and the steps financial institutions can take to comply and better protect their customers.

Attacking an Emerging Fraud Trend

Many bad actors have shifted away from attacks like account takeovers because financial institutions have implemented more robust fraud defenses.

As a result, the path of least resistance now runs through the end user, as evidenced by the rise of automated push payment (APP) fraud. These social engineering attacks have become increasingly convincing, with cybercriminals leveraging artificial intelligence and cybercrime-as-a-service tools.

The sophistication of these attempts makes it difficult even for well-informed users to distinguish scams from legitimate communications.

“Recently, from personal experience, I’ve been getting more communications from the financial institutions that I do business with, alerting me of the various types of new scams to be aware of—many of which seem to involve credit push payments or authorized payments,” Tavilla said.

“These include impersonation of a bank or sending SMSs with links that often express an urgency,” she said. “Last week I got a number of them saying I owed toll payments for states that I never even visited.”

As one of the most predominant payment methods in the U.S., ACH transactions are a common target for criminals. Nacha recognized this threat and began developing its fraud monitoring and risk management rules in 2022.

“We took an approach to develop a risk management framework to attack a developing, emerging fraud trend in credit push payment fraud,” Marsh said. “The risk management framework was well-received; we proposed some rules, the industry approved them, and that’s where we are today. We have some rules that have been implemented and then some that are pending implementation in 2026 to address credit push fraud.”

Risk-Based Processes and Procedures

The rules going into effect next year pertain to transaction monitoring, instituting a requirement for originators, third-party senders, and originating depository financial institutions (ODFIs).

The framework requires fraud monitoring for all transactions, including traditional and Same Day ACH. Under the framework, all ACH Standard Entry Class codes for both debits and credits must be monitored. This monitoring need not be completed prior to processing payments. While monitoring prior to processing is ideal, it is not required by the rule.

“It’s ideal if it’s done prior, but what the rule calls for are risk-based processes and procedures to detect fraudulently initiated payments,” Marsh said. “There’s a separate rule—it’s very similar—but it requires receiving depository financial institutions to monitor incoming credits that they receive.”

One of the most important aspects of the new regulations is that they require all financial institutions to institute processes and procedures—not technical solutions.

“That’s great if an organization wants to implement technology, but the rule would certainly allow for manual processes and existing processes—as long as they take that risk-based approach, they are documented processes, and they are effective within the organization’s risk tolerance,” Marsh said.

Assessment and Analysis

The first step for many financial services companies is to conduct a risk assessment and establish their risk appetite.

“Probably every organization today has something—even if it’s in the back of their mind or intuitive—that says this just doesn’t seem right,” Marsh said. “What are those things that make it not seem right today? Formalize the recognition of those things that aren’t quite right and make that part of your processes and procedures.”

A red flag could be an ACH Standard Entry Class code that is not appropriate for the receiving account, or an unusually high dollar volume going into an account that typically has a low threshold. For example, if a consumer account that normally only receives a paycheck as its largest deposit suddenly receives a $50,000 corporate transaction, this should be flagged as suspicious activity.

Many organizations already have solutions in place that can identify these red flags to some degree. However, after reviewing the requirements of Nacha’s new rules, they will have to perform a gap analysis to determine where their existing processes stand compared to the new paradigm. From there, they can begin to close these gaps.

To do so, many organizations will turn to third-party providers. While this can be an effective model, financial institutions must ensure that all parties have a clear understanding of their roles and responsibilities under the new framework.

This vendor vetting and implementation process is likely to be intensive, especially as the rules’ effective date draws near.

“There are technology providers out there who provide automated solutions or other tools that require more resources and implementation,” Tavilla said. “This would be a good time to start exploring appropriate partners and solutions in preparation for when the new rules go into effect next year.”

When a Fraudulent Transaction Occurs

Although these rules strengthen fraud monitoring procedures, their scope doesn’t end with fraud detection.

If a receiving depository financial institution (RDFI) detects a fraudulent transaction, the regulations dictate specific actions which institutions should incorporate into their procedures.

For example, after the RDFI has resolved the transaction—either by returning the payment to the originator or freezing the funds in the receiver’s account—it should conduct a thorough evaluation of the receiver.

“Is this an unwitting money mule?” Marsh said. “Is this a good customer who got maybe scammed into receiving the payment and is coached to send it on to the fraudster somewhere else? Or is the RDFI actually banking the fraudster? The response would be very different in those cases. They may need to talk to their AML team, because a money mule is literally involved in money laundering.”

In addition to assessing the involved accounts, Nacha provides a checklist of actions that a fraud victim can utilize in their recovery efforts.

For instance, the guide can walk an originator who has been scammed into sending a fraudulent payment through the process of contacting the financial institution and notifying them of the transaction details. The checklist can also guide them on how to contact the RDFI and request that it either freeze or return the funds.

There is also a post-mortem aspect of the checklist, which coaches the fraud victim through evaluating how they were scammed and what they may have missed, to help prevent future attacks.

“On the more technical side, the best tool we’ve got for bank-to-bank communication is through Nacha’s risk management portal,” Marsh said. “The originating institution can receive a call from their originator, recognize that they have to contact the RDFI, and they can use our contact registry to look up who they need to speak to in the ACH fraud department at the other financial institution.”

Along with the checklist, Nacha also provides tools for exchanging documents. An RDFI may respond that they have frozen funds and can return them, but first require a letter of indemnity (LOI). The ODFI can then send the LOI to the receiving institution using the Secure Exchange feature in Nacha’s Risk Management Portal.

Doing Nothing is Not an Option

Increased communication between financial institutions is a critical component of the cooperative effort needed to combat the rising threat of fraud.

This concerted collaboration is not only integral to accelerating industry-wide adoption of Nacha’s new rules, but also essential for their effective enforcement.

“The way Nacha is ultimately going to enforce this is indirectly, we have a requirement for a Nacha rules compliance audit, so we query the industry and we challenge to see who has completed their audits and if they’re compliant with the rules,” Marsh said.

“Beyond that, a more targeted approach is any stakeholder in the industry can file an allegation of a rule violation through Nacha’s National System of Fines,” he said. “If they see a shortcoming in an organization based on the transaction they’ve dealt with, they could possibly file a rule violation if they think someone’s not following these rules.”

Additionally, Nacha has established a Credit-Push Fraud Monitoring Resource Center, offering guidance and tools tailored to assist in complying with the new rules.

Although many financial institutions have been proactive in the fight against fraud, they should still use this opportunity to ensure their systems are fully optimized.

“With regard to transactions, we have made the point many times in training and speaking events that doing nothing is not an option,” Marsh said. “It’s not satisfactory for an organization to say we conducted a risk assessment, we don’t consider any of our transactional activity risky, so we’re not going to do monitoring. That’s not acceptable.”

The post What to Expect When Nacha’s Fraud Monitoring Rules Take Effect appeared first on PaymentsJournal.

A recent report from Cybernews spotlighted the discovery of 30 datasets containing 16 billion login credentials from major tech platforms, including Apple, Google, and Facebook.

The datasets were identified over the course of this year by Volodymyr Diachenko, co-founder of the cybersecurity consultancy Security Discovery, and were suspected to be the work of multiple parties using infostealer malware. This type of software extracts sensitive—and often financial—data from infected devices.

A data breach of this magnitude would rank among the largest in history. However, questions soon emerged about the validity of Diachenko’s findings. BleepingComputer reported that the incident was not a new data breach at all, but rather a compilation of previously leaked credentials stolen by infostealers.

Cyberscoop separately substantiated this assertion, reporting that a Google representative told the outlet the credentials weren’t obtained through a new breach. Instead, the stolen data had likely been circulating for some time before being collected and repackaged.

A Substantial Trove

Even if the data is mostly old, this trove of personal information is a testament to the threat posed by infostealers. Last year’s infostealer-driven breach at cloud storage company Snowflake led to data being stolen from more than 150 companies and more than $2 million extorted from victims.

There has also been an uptick in infostealer attacks. Roughly three-quarters of the 3.2 billion credentials stolen last year were obtained through infostealer malware. Additionally, modern infostealers are equipped with increasingly sophisticated evasion techniques, making them harder to detect.

A Constant Barrage

While there is no debate that infostealers pose a legitimate threat, detractors of the Cybernews report have pointed out that exaggerating claims about data breaches could have harmful effects.

The constant barrage of news about leaks and breaches has desensitized many consumers, who now believe their information has already been compromised and there’s little they can do about it.

However, reporting any compromise remains one of the most important ways to combat fraud. Especially for financial institutions, which are increasingly targeted by infostealers, sharing accurate data on threats is a key strategy for defeating bad actors.

The post Infostealer Threat Persists Despite Data Breach Questions appeared first on PaymentsJournal.

For years, Walmart turned a blind eye to criminals who coerced victims into sending them wire transfers through its in-store money transfer services, according to the Federal Trade Commission. Walmart has now agreed to pay $10 million to settle the allegations.

FTC’s investigation found that Walmart failed to implement basic anti-fraud safeguards, such as proper employee training and customer alerts.

The FTC also claims that Walmart instructed employees to process payouts even when fraud was suspected. The complaint cites a Walmart reference guide used by staff that said: “If you suspect fraud, complete the transaction.” 

“Walmart continued processing fraud-induced money transfers at its stores—funding telemarketing and other scams—without adopting policies and practices that effectively detect and prevent these transfers,” the FTC said. “In some cases, Walmart’s practices have even made it easier for fraudsters to collect fraud-induced money transfers at a Walmart store.”

A Giant in Wire Transfers

Walmart stores handle tens of millions of money transfers each year. Between 2013 to 2018, the stores sent or received nearly $200 million in payments that were the subject of fraud complaints, according to the FTC.

Walmart acts as an agent for multiple money transfer services, including MoneyGram, Ria, and Western Union. It also offers some services under its own brand, such as “Walmart2Walmart” and “Walmart2World.”

Taking Preventative Steps

In addition to paying a $10 million fine, Walmart stated it will no longer process money transfers it suspects may be fraudulent. The company also pledged to stop assisting any sellers or telemarketers it believes could be engaged in wire fraud.

“It’s encouraging to see accountability for larger organizations, like Walmart, to have stronger anti-fraud measures in place,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “What really stands out to me here is the callout of improving employee training. Proper training often goes overlooked, but it’s a huge piece of fraud prevention.

“Whether or not Walmart was turning a blind eye in this instance, the larger issue is that too often there is a sentiment among larger organizations that if it’s under a certain threshold or doesn’t ultimately affect their cost of business/bottom line, they can let things slide,” she said. “But that attitude affects consumers, and that’s the real issue here.”

The post Walmart’s Wire Transfer Policies Lead to $10 Million Fine appeared first on PaymentsJournal.

The Federal Trade Commission has fined Paddle $5 million over charges that the UK-based payment processor facilitated access to the U.S. credit card system for fraudulent foreign tech support operations. These schemes allegedly defrauded U.S. consumers out of millions of dollars.

The FTC alleges that Paddle used its position as “merchant of record” and a purported “reseller” to process credit card payments on behalf of unrelated third-party entities, obscuring their identities from card networks and banks.

According to the FTC, Paddle enabled pop-up-based tech support scams that used fake virus alerts—sometimes using brands like Microsoft or McAfee—to trick consumers into purchasing unnecessary software or services. Paddle was also charged with processing recurring subscription payments without clearly disclosing renewal terms or obtaining informed consent. The complaint further noted that the company continued processing payments even after clear warning signs about its clients’ fraudulent activities.

A Shift in Responsibility

In previous cases of online fraud, payment processors were often viewed as neutral third-parties. Having a processor identified as a responsible party in preventing this type of risk could have ramifications for the entire industry.

“We are now seeing a shift in accountability in preventing fraudulent transactions, in the name of protecting consumers from this kind of deceptive activity,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “Not only are we seeing a payout to affected victims of Paddle’s practices, but we are also seeing a requirement and, hopefully, strict enforcement of much more robust transaction and risk monitoring as well as required reporting of suspicious activity.”

The fine will go toward recouping losses for some of the fraud victims. Going forward, Paddle is required to obtain consumers’ explicit consent for subscriptions and provide a simple cancellation process. The company is also permanently banned from processing payments for tech support businesses that use telemarketing or using pop-up security alerts.

“I’m cautiously optimistic that this is a good sign of more consumer protections to come,” said Sando. “We have a serious problem with fraud and scams affecting U.S. consumers, and we need more action like this to significantly reduce suspicious activity.”

Downplaying the Charges

For its part, Paddle downplayed the charges, emphasizing that only a small fraction of its client base was invovled in illegal activity. The company also noted that the final FTC charges involved just two of its telemarketing clients.

“Paddle serves over 6,000 digital product companies, whose innovative technology collectively brings incredible value to consumers all around the world,” Paddle CEO Jimmy Fitzgerald said in a statement. “And whilst we believe that almost all digital product companies are ‘forces for good,’ it is sadly a reality that there are some bad faith actors out there.”

The post Payment Processor Paddle Fined Over Role in Scams appeared first on PaymentsJournal.

Nacha is expanding its support for banks and financial institutions in addressing elder financial abuse. The organization’s Payments Innovation Alliance has issued new tools designed to help account holders who may be at risk of elder fraud and to raise broader awareness about financial exploitation targeting older adults.

The tools are being released in conjunction with World Elder Abuse Awareness Day (WEAAD), observed annually on June 15. Among them is a checklist to help banks and credit unions assist older customers who may have been exposed to scams.

The guidance encourages banks and FIs to establish clear internal escalation protocols for suspected elder financial exploitation, to be accessible to account holders who have experienced fraud, and to support individuals in reporting attempted scams.

Nacha has also created an infographic highlighting the scale of the issue. In the U.S., adults over 60 lose an estimated $38.5 billion every year due to elder financial abuse, with the average loss of $83,000.  

Not Just Strangers

One reason elder fraud is such a concern is that it is often committed by someone the victim trusts. Nacha defines elder fraud as the use of deception, intimidation, or undue influence by a person in a position of confidence to obtain an elderly person’s property or resources. It can also include breaches of fiduciary duty, such as the misuse of a power of attorney or a guardianship appointment.

A major challenge for law enforcement, families of elderly victims, and the financial industry is that scam victims are often reluctant to ask for help, as Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, noted. In many cases, they don’t even want to acknowledge that they’ve been victimized.

Looking for More Help

An AARP study referenced in the Nacha infographic reports that 92% of adults ages 50 and over want employees at their financial institutions to be trained to recognize and prevent financial exploitation. However, the tools used are not always tailored to the specific type of fraud being committed.

“While education surrounding scams has dramatically increased, most educational campaigns are generalized, not only in their messaging, but also in their approach,” said Goldberg. “Older consumers should be targeted with educational campaigns that stress their need to be skeptical of anyone who approaches them with a sense of urgency, and refuses to let them hang up on a caller who seems suspicious.”

The post New Tools Available in the Fight Against Elder Fraud appeared first on PaymentsJournal.

Bad actors seeking to overwhelm organizations’ networks through distributed denial-of-service (DDoS) attacks have put the financial industry in their crosshairs.

Research from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cybersecurity firm Akamai found that DDoS attacks increased exponentially from 2014 to 2024, peaking in October with 350 recorded events. Due to the nature of these attacks, each incident involved thousands—or even millions—of malicious activities.

The financial industry was by far the most targeted sector in the study, and the frequency of DDoS attacks against it continues to rise. While these attacks often focus on organizations’ websites, there were also frequent DDoS attacks on APIs that facilitate aspects like logins and payments.

Multi-Dimensional Assaults

APIs are the connections that power modern banking infrastructure, allowing banks to work with partners to provide services ranging from credit scoring to peer-to-peer payments.

While these solutions have been game-changing for many financial institutions, the study also noted that the rapid adoption of APIs in financial services has expanded the potential attack surface for bad actors.

In many cases, DDoS attacks are mere nuisances that are easily defeated by financial institutions’ defenses. However, the most alarming finding in the study was not just the growing frequency of these attacks, but their increasing effectiveness.

“DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain,” said Teresa Walsh, FS-ISAC’s Chief Intelligence Officer and Managing Director, EMEA, in a prepared statement.

Outsourcing the Operation

Even though these attacks are becoming more complex, that doesn’t mean there are barriers to entry for bad actors. Overall, DDoS usage is increasing. This not only makes it easier for cybercriminals to outsource their operations, but it also makes it difficult to identify the perpetrators.

DDoS is a subset of the growing cybercrime-as-a-service model, where criminals provide illicit software or services to individuals or groups for financial gain. As these services offer sophistication at a wider scale, financial institutions will have to continually find new ways to defend themselves.

The post DDoS Attacks Increasingly Flood Financial Services Firms appeared first on PaymentsJournal.

Financial institutions are highly regulated to protect both customers and the organizations themselves, but this often hinders their ability to adopt new technologies like artificial intelligence.

To address this, Nvidia is building a platform for the UK’s Financial Conduct Authority (FCA) called the Supercharged Sandbox, which will allow UK banks to experiment with AI without jeopardizing financial data.

Rolling out this October, the Sandbox will allow firms to use Nvidia’s cloud and AI enterprise software. The chipmaker will also provide technical expertise, more robust datasets, and regulatory support. However, the FCA noted that any innovations developed through the project would be deployed via a separate platform.

Privacy and Fraud Questions

In addition to compliance concerns, many UK financial services companies have been reluctant to engage with leading AI models—such as those operated by Google and Open AI—because they are based in the U.S. This raises questions about how the privacy of UK consumers will be protected, as well as how data would be stored and processed.

Additionally, concerns about fraud are heightened whenever new technologies are introduced in a financial institution. Fraud is a growing issues as cybercriminals have been able to experiment and innovate with AI much faster than most financial services companies—largely because they aren’t constrained by any regulatory framework.

A Sorely Needed Infrastructure

A solution like Supercharged Sandbox could be a key factor in helping financial institutions catch up in the tough fight against fraud. This solution should also allay concerns about reliance on overseas companies. Even though Nvidia is a U.S.-based chipmaker, the infrastructure for the solution will be built from the ground up in the UK.

According to the company’s CEO, Jensen Huang, this type of infrastructure is sorely needed in the UK—one reason why UK Prime Minister Keir Starmer has unveiled plans to invest £1 billion ($1.36 billion) to increase the UK’s computing power twentyfold.

Huang said this is necessary because “the UK is the largest AI ecosystem in the world without its own infrastructure.” Once such an ecosystem is in place, it would ideally facilitate more startups, investment, and research in the country.

The post Nvidia Gives UK Banks a Sandbox for AI Innovation appeared first on PaymentsJournal.

Although child identity theft has received increasing attention in recent years, most parents don’t discover it—let alone take action—until after experiencing a financial loss. Among families who reported a financial loss due to identity theft, roughly 96% did not have their children included in a family protection plan until after the breach had occurred.

For the past four years, Javelin Strategy & Research has focused on the issue of child identity theft and the risks that threaten children. In a PaymentsJournal podcast, Tracy Goldberg, Director of Cybersecurity at Javelin, and Eva Velasquez, CEO of the Identity Theft Resource Center, discussed the dangers children face on social media and the steps parents can take to protect them.

At Risk of Oversharing

The risks associated with social media are extremely concerning when it comes to child identity theft—and for fairly simple reasons. Nearly every child over the age of 10 has some form of social media presence. This might include school-based platforms, mainstream social media platforms like YouTube, Facebook, or Instagram, and even online gaming platforms like Fortnite or Minecraft.

Having grown up in a digital age where social media has always existed, children are naturally comfortable interacting with others online. They’re also more inclined to share personal information. This makes them particularly vulnerable, as they may engage with individuals they don’t know in real life.

Social media is, by nature, a network. Information spreads rapidly depending on who you’re connected with—and who they’re connected with. If you’re sharing personal details publicly, or interacting with strangers on gaming platforms, you’re exposing yourself to serious risks.

“When I was a child, we were taught to be leery of people you don’t know,” said Goldberg. “Children don’t feel that same kind of concern when it comes to interacting online. The dark web was a powerful place for cybercriminals to hide what they were doing and buy and sell and trade information. But cybercriminals don’t even need the dark web anymore. They can use social platforms to trade information, steal information, sell information, buy information, anything they want right out in the open.”

The Parents’ Role

Even though children have access to many devices and may seem even more tech-savvy than their parents, they don’t always have the critical reasoning skills needed to navigate them safely. Add to that the fact that they are battling criminal enterprises using sophisticated social engineering tactics, and it can be hard for adults to fully appreciate what they’re struggling with.

Parents also put their kids at risk by sharing too much on social media—tagging their kids in pictures or posting when they go on vacation. There’s a lot of education needed across all age groups.

Many parents still hold the notion that when kids are home, they’re safe. That used to be true, but it’s no longer the case. If children have access to a device, particularly one with internet connection, parents can’t assume they are safe. They need a heightened level of concern, just as they would if their kids were playing at a park.

“At Javelin we’ve advised our clients about steps they can take to help educate their customers about provisions that can be taken to help enhance their security,” said Goldberg. “We’ve also suggested that financial institutions or even wealth managers offer identity theft protection or ancillary services that could help make their customers’ accounts more secure. We see opportunities through employee benefits programs, because if your employees and their children are exposed to cyber risk, it ultimately exposes your company to risk.”

It’s a win-win situation for employers to provide security provisions that not only secure corporate-issued mobile device and laptops, but also extend to VPNs for the home network. Since the pandemic, more people have been working in a hybrid environment and are doing work on personal devices. More than likely, if that employee has children at home, they are using the same Wi-Fi connection—and potentially even the same personal devices their parents occasionally use to conduct business.

Protectors from Outside

Another direction the industry should pursue, according to Goldberg, is pushing social media companies to take on a greater role. It took time for the industry to recognize the need to secure e-mail transactions interactions, as phishing became increasingly prevalent. Socially engineered attacks—whether delivered through SMS text messages or direct messages on social media—follow the same pattern.

“What can we do within the realm of DNS blocking or spam filtering that would help prevent these types of interactions from reaching the children to begin with?” Velasquez said. “That’s the direction that we need to move in as an industry. There’s a role for ISPs, mobile carriers, and—importantly—social media platforms to play.”

Social media companies could respond to account takeovers more quickly and thoroughly. Once an account is taken over, it’s no longer under the control of the true account holder.

“Even if their parents are monitoring and doing all the things that they have to do in today’s climate, that scammer is going to bypass all of that because the kids think they’re talking to a trusted adult,” said Velasquez. “They think it’s their auntie or their teacher. Because these accounts are allowed to stay online and active under the control of the scammer for long periods of time, they’re doing a lot of damage.”

The Emotional Toll

Until the industry takes more steps to combat child identity theft, parents will have to remain on the front lines. They should consider not only the financial damage but also the emotional damage and reputational damage that can come from these types of attacks, particularly on social media. The image that teens project to their circle is very important to them.

“Kids who are dealing with this issue sometimes resort to self-harm and even suicide,” said Velasquez. “Please realize how important this is. It’s not just a minor inconvenience or one of those life things you can have to deal with. It can be life altering.”

Communication is key. An important step for parents is learning to recognize the behaviors their child might exhibit if they were being cyberbullied or manipulated in some way. It’s also essential to keep the lines of communication open with the child’s educators. 

“If parents were more in tune with the warning signs, we could address a lot of these things before the consequences become so dire,” Goldberg said.

The post Stranger Danger: Protecting Your Children from Identity Theft appeared first on PaymentsJournal.

Are businesses too confident in their ability to fight identity fraud? Recent data suggests they might be. While many European businesses believe they’re effectively addressing the issue, many don’t consistently track its impact.

According to The Battle in the Dark 2025 survey by Signicat and Red Goat Cyber Security, only 5% of respondents expressed a lack of confidence in their identity fraud processes. Around three-quarters believe they are winning the fight—despite the fact that 47% don’t track fraud consistently.

“Part of the problem with fraud is you can’t detect what you aren’t aware of or aren’t looking for,” said Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research. “If consumers are not reporting fraud for a number of reasons, it creates the illusion that whatever fraud controls the organization has are working.”

A Growing Problem

Those confidence numbers are even more out of sync given that European businesses estimate that one in five transactions are fraudulent. Identity fraud and its associated costs impact up to 22% of their annual revenue.

And these numbers continue to grow. Signicat’s data shows that identity fraud attempts have increased by 69% over the past four years, with overall fraud attempts up 88%.

Difficult to Detect

Identity fraud accounted for 9.3% of all fraud attempts so far this year, making it the most common type of fraud in Europe. Account takeover and social engineering were the second and third most prevalent methods. The study found that ID fraud was the most common in the banking industry, while in the payments industry, the most common fraud tactic is account takeover.

“Certain types of fraud, like account takeover and synthetic identity fraud, are more difficult to detect, and organizations might not even know it’s happening,” said Pitt. “Some of these organizations may rely solely on one fraud detection method, rather than using a layered approach that is needed to combat the more sophisticated types of fraud.”

The study also found that 80% of businesses believe pushing back against criminals only prompts them to change their tactics. This constant innovation remains a key challenge in the fighting against fraud.

“Fraud is evolving faster than detection systems can keep up,” Pitt said. “Organizations still relying on legacy and static detection methods, which may be missing newer and more sophisticated fraud threats. Ironically, this lack of detection gives a false sense that their detection methods are working, when in fact, fraud is going undetected.”

The post Too Many Businesses Assume They’ve Beaten Identity Fraud appeared first on PaymentsJournal.

One of the main apprehensions with faster payments is the potential for faster fraud, but artificial intelligence could help mitigate these concerns.

A study from the Bank for International Settlements (BIS) and the Bank of England gauged AI’s ability to detect the sophisticated fraud activity perpetrated by cybercriminals.

The experiments were conducted in a simulation based on data gleaned from millions of bank accounts and transactions, designed to be indicative of real-time retail payments.

The study, dubbed Project Hertha, found that AI models are a valuable fraud detection tool, excelling at identifying novel patters of financial crime. BIS reported that AI was 26% more effective at detecting suspicious activity than traditional fraud defenses.

Additionally, AI analytics helped financial institutions uncover 12% more fraudulent accounts than they would have identified otherwise.

A Powerful Evolution

AI’s potency in fraud protection was underscored by separate data from FIS, where 78% of respondents reported that artificial intelligence has improved their company’s fraud detection and risk management strategies.

Nearly half of the business and tech leaders surveyed said they plan to increase their investment in AI over the next two years, with many indicating they intend to delegate more complex tasks to it.

One of the most powerful evolutions of artificial intelligence is agentic AI, where AI agents can handle many tasks autonomously. While AI agents have the potential to be a formidable tool against fraud, many experts increasingly view them as a double-edged sword.

Meanwhile, research from SailPoint found that 96% of tech professionals consider AI agents a growing security threat. Yet, nearly all respondents said they plan to expand their use of agentic AI in the coming year.

A Supplement, not a Solution

As organizations take steps toward incorporating AI, cybercriminals have already deployed both generative and agentic AI at scale, using them in fraud efforts ranging from deepfakes to ransomware attacks. One of the main reasons cybercriminals have gained such significant advantage is that they aren’t hindered by concerns around privacy or reputation.

While Project Hertha may be proof that AI is a powerful tool, there is still the chance that artificial intelligence models could make mistakes—either missing instances of fraud or generating false positives.

These limitations led BIS to conclude that AI tools should be seen as a supplement to fraud defenses, not a complete solution. Since organizations cannot fully rely on AI, they will need to think outside the box and innovate new approaches to keep pace with cybercriminals who have a substantial head start.

The post AI Can Uncover Novel Fraud, Even in Real-Time Payments appeared first on PaymentsJournal.

AI agents have featured in some of the most intriguing recent product launches, but cybersecurity experts have mixed feelings about the technology.

Data from SailPoint found that 96% of tech professionals view AI agents as a growing security threat. Yet, nearly all respondents indicated they plan to expand their use of agentic AI in the coming year.

The top concern voiced by respondents was the agents’ access to protected data, followed by the risk of unintended actions. The third-most reported concern was the possibility that an AI agent could share sensitive data without permission.

Data and Privacy

All these issues have been present in generative AI platforms, where models have frequently reached inaccurate or false conclusions. Due to the persistent black box issue, analysts are often unable to determine why AI made the wrong decision.

Additionally, privacy has been a constant concern for AI models that require vast amounts of data. While most of the well-established gen AI platforms—such as ChatGPT—are built to protect sensitive data, AI agents often require access to private information to carry out their tasks, including financial details.

In this light, a troubling finding from the SailPoint study was that just under a quarter of respondents reported their AI agents had been manipulated into divulging access credentials.

Furthermore, 80% of respondents said they had discovered their companies’ AI agents performing unintended actions, such as accessing systems without permission, disseminating protected data, and retrieving inappropriate content.

The Age of Agentic Commerce

Despite these concerns, the age of agentic commerce is advancing. Visa and Mastercard have unveiled platforms designed to transform AI agents into personal shoppers, enabling them to search for items and make purchases with minimal user interaction.

PayPal quickly followed these launches by partnering with Perplexity to integrate its payments directly in the AI platform’s chat.

Given the powerful potential of AI agents, many more initiatives are likely to emerge across multiple industries, including cybersecurity. However, organizations must constantly prioritize privacy and security in these initiatives.

This sentiment was echoed in the SailPoint study, where 92% of respondents stated that governing AI agents is essential to enterprise security.

The post Why Cybersecurity Experts View AI Agents as a Double-Edged Sword appeared first on PaymentsJournal.

In the never-ending battle against check fraud, a new capability may help address a frequently overlooked area of risk. ParaScript, a company specializing in AI-powered document processing, has introduced a feature that can detect, read, and interpret handwritten or stamped endorsements on the back of checks.

The update to Parascript’s check recognition solution, CheckXpert.AI, enables the system to identify phrases like “For mobile deposit only” or “Deposit only to account of payee.” It automatically detects the check’s orientation and matches the text against a customizable list of authorized phrases. Endorsements that appear missing, suspicious, or unauthorized are flagged immediately.

This enhancement helps ensure checks are deposited through authorized channels and reduces the risk of fraud. It’s important to note, however, that the tool doesn’t verify handwriting authenticity or match signatures to those on file—capabilities offered by some other investigative tools.

A “Practical Improvement”

There are key benefits to automating a task that continues to cause issues in remote deposits: endorsement verification.

“Most fraud tools focus on signatures or altered fields, but this fills a smaller gap by making sure the back of the check says what it’s supposed to,” said Jennifer Pitt, Senior Analyst of Fraud Management at Javelin Strategy & Research. “It does this in real time, which means issues can be flagged before the check is accepted, rather than caught later in back-office review.

“It’s not a major leap in handwriting analysis, but it’s a practical improvement,” she said. “For banks dealing with high deposit volume or compliance requirements, it helps reduce manual review and enforces basic controls more consistently.”

AI Advancements

AI is developing into a key tool in the fight against check fraud. The federal government remains a strong user of paper checks, with 23% of benefit recipients receiving assistance in the form of checks or vouchers. It has been using AI to detect check fraud with very positive results. According to CNN, machine learning technology helped the Treasury recover $1 billion in check fraud in fiscal 2024—nearly triple the amount recovered the year prior.

Banks issue nearly 700,000 reports of check fraud each year. Nevertheless, many organizations are still not taking this type of crime seriously. Only 22% of companies surveyed by Javelin said they use check fraud detection solutions.

The post Filling a Key Gap in Check Fraud Detection appeared first on PaymentsJournal.

E-commerce scams continue to plague online shoppers and now account for the majority of the consumer fraud reports fielded by the Better Business Bureau. With social media influencers playing a leading role in selling merchandise online, shoppers are warned to take extra care against these increasingly sophisticated scams.

In Fake Deals, Real Trouble: Cyber Risks in Online Marketplaces, Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, looks at how online stores can protect themselves, their customers, and their brand names from such scams. “Fifteen years ago, when e-commerce was becoming more mainstream and domain squatting was becoming more prevalent, there was a lot of concern about brand integrity,” Goldberg said. “With the more expansive use of these online marketplaces, it’s kind of coming full circle right now.”

‘The New Dark Web’

Social media has outpaced email as the primary avenue cybercriminals use to socially engineer consumers into giving up sensitive personal information and falling for scams. In 2023, 36% of U.S. consumers said their identity theft or scam victimization was initiated by a direct communication or message through a social platform. By 2024, nearly 50% of consumers who were victimized by scams said the crime was initiated through a connection or friend request from people or personas they did not know.

“Social media has quickly become the new dark web,” Goldberg said. “Rather than having to go through the hassle of stealing credentials and credit card information, then posting it on the dark web for sale, cybercriminals are finding it much easier to manipulate consumers directly through social media. It’s not just by these direct messages that they’re reaching out to consumers, but they’re actually posting fake ads on social media marketplaces.”

Hackers can mimic or spoof a well-known brand, then advertise that they’re selling something in a marketplace under that brand name. They often do this by watching what social media influencers are selling, so they can piggyback on a hot new item being marketed online.

The result is that a consumer clicks on an advertisement that is malicious. When the shopper willingly gives up credit card information and PII, the criminals are spared the hassle of social engineering. They don’t have to go through the complicated process of selling it on the dark web. They can steal it in one fell swoop.

The Scourge of Typo Domains

Larger merchants such as Amazon and eBay have become special targets. Malicious sales from these recognized retailers are often initiated through commonly used social platforms like Facebook Marketplace. Goldberg explained how the scams tend to work.

“You go to Facebook Marketplace, you click on an ad, and it redirects you to another site,” she said. “Often, it’s going to be a typo domain. Let’s say that I think I’m buying a Louis Vuitton. But when I click on that link and it takes me to the site, Louis Vuitton will be a typo domain, maybe with one of the T’s missing.

“These particular types of attacks are getting much more sophisticated, and consumers have a false sense of trust. If they see a link that comes to them through a marketplace that they think is a trusted site, how often do we look at the domain once we click on the link?”

Taking Protective Steps

Social media sites obviously have an obligation to protect their customers in this scenario, but many are falling short. In March 2023, Meta, which owns Facebook and Instagram, launched Meta Verified, a paid service that allows users of the platforms to verify the authenticity of their profiles with blue checkmarks. The service ostensibly protects users and companies from profile account takeover or impersonation in exchange for a monthly fee. In theory, there is also supposed to be some vetting of the user who posts the advertisement to prevent malicious users from selling on marketplaces run by Meta platforms.

“Some of the steps that Meta has put in place to help authenticate a user’s identity have fallen pretty short,” Goldberg said. “You just have to pay an extra fee to show that you’re verified. For the most part, anybody can post there.”

The situation raises serious concerns about brand integrity for the merchants, as well as for the brands themselves that are being mimicked or spoofed. Many companies have been working with firms like BrandShield that will help scour the web to see if their brand is being used maliciously.

But the average consumer is unlikely to be savvy enough to pick up on all of this. Unless consumers are reminded that the store they are entering could be a malicious site, they are not likely to look at the domain name closely.

Banks Are Taking Action

In March 2025, Chase Bank stopped its customers from sending peer-to-peer payments over the Zelle network to recipients originating from social media. Chase took the step after noting that nearly half of fraud reports from clients stemmed from interactions and real-time payments originating from social media platforms.

A consortium of leading U.S. banks own the Zelle network through a company called Early Warning. Chase, one of Zelle’s owners, blocked transactions that were being initiated through these social platforms because it knows that social media is by and large where most of the scams for P2P payments are being initiated.

Other financial institutions are likely to follow. But maintaining the balance between blocking P2P transactions and maintaining customer satisfaction will be tough as social media purchase preferences continue to evolve, particularly among younger users. Although social media marketplaces are attractive online sales channels for all age groups, younger consumers are at the greatest risk.

“I think it’s a wise move,” Goldberg said. “Maybe by the end of the summer we’ll see some of the other top-tier institutions follow suit. I don’t want to say Chase is doing it for selfish reasons, but they have an awful lot of customers, and it’s in their interest to keep them safe.”

The post The Hidden Threats in Online Marketplaces appeared first on PaymentsJournal.

In response to fraud attacks that increasingly target individuals, there have been continued calls to ramp up consumer education. Many financial institutions have introduced security centers in mobile banking apps that are designed to keep customers informed on the latest threats.

Although this is a positive step, as Lea Nonninger, Digital Banking Analyst with Javelin Strategy & Research, found in the reportSecurity Centers in Digital Banking: How to Tell an Empowering Story of Prevention, Detection, and Resolution that many security centers still have room to improve.

Shifting to Empowerment

In the past, financial institutions largely took the tack that security matters were better handled behind the scenes. The thinking was that it was best not to worry customers with a constant barrage of updates about potential threats.

“What we’ve seen the last five years is the banks are shifting that narrative and focusing on providing tools for the customer to improve security, because the customers are often the weakest link themselves,” Nonninger said. “There are so many things that customers aren’t doing to protect their accounts and security measures that they might not know about.”

As more financial institutions have realized that consumers are an integral part of security, they should now focus on including more education within their security centers. This can pay dividends by helping customers feel more confident in spotting and addressing fraud. In turn, they are more satisfied with their banking relationship.

Although banks have made substantial progress, creating a security center is just one step of a fraud protection plan—one that will be largely ineffectual if financial institutions stop there.

“Do they truly help to empower the customer?” Nonninger said. “One big thing that we talk about in digital banking is not just security, but security empowerment. It’s not just about being secure, but ensuring customers feel confident about their security and know what they can do to improve it.”

Measuring the Effectiveness

To measure the effectiveness of security centers, the Javelin report focused on three aspects: prevention, detection, and resolution. After a deeper examination, it became clear that financial institutions have significant room to improve.

“We looked at selected security center features to assess the availability across banks and quickly saw support for a holistic suite of features dropping,” Nonninger said. “Even though a lot of banks have security centers, they don’t often include all the necessary features that help customers prevent fraud.

“It doesn’t really help customers detect the fraud if it does occur. Then, if in the worst case it does occur, they can’t really resolve it. This is where the big problem comes in, is that we have all these security centers, but how useful are they really?”

The first step in fighting fraud, and ideally the only step, would be to prevent it from occurring.

One way to prevent fraud is to update consumers on emerging attacks. For instance, there has been a rise in phishing emails that impersonate well-known brands or government agencies. Such attacks are designed to manipulate users into making a mistake.

A dedicated article in a security center that informs readers about the hallmarks of these attacks could go a long way toward prevention. However, the study found that there was often more generalized information in security centers, which were lacking in relevant articles and interactive media that could make an impact with users.

Additionally, the way the information was organized in the security center was frequently opaque. A customer might be presented with a list of items to review or a series of menus to delve through, which could deter some deeper dives.

The End of the Road

For effective fraud detection, consumers need to understand how to monitor who has access to their account and how their money is moving. Alerts can play a significant role by notifying a customer when there is any activity that is outside the norm.

The last aspect that Nonninger measured was fraud resolution, which has been a long-term struggle for many institutions.

“It is especially important to provide tools that let customers resolve fraud in an end-to-end digital solution, which is what we saw basically at none of the banks,” Nonninger said. “That’s a big gap that if a customer even tries to stay on top of fraud—they have detected something and then they’re at the end of the road—they don’t know where to go from there.

“They can maybe call the bank, they can go to the branch, but there isn’t much in terms of digital features available to resolve this on their own.”

Fine-Tuning the Story

Another area of opportunity for banks is to centralize their educational material. Often, an article or guide might appear on the public site but isn’t integrated into digital banking.

“It should all be centralized because if the customer goes out of the way to go to the security center, that’s such a great step, and if they don’t find what they’re looking for then and there, they might not visit it again,” Nonninger said. “It’s all about creating that good experience and having everything available.”

Despite these gaps, financial institutions have made significant strides in consumer education.

“I think for me what was interesting for this report was just seeing that we are headed in the right direction,” Nonninger said. “Banks are taking note of the importance of empowering customers, and I think now it’s all about fine-tuning the security center, making sure it has all the essential parts and at the same time trying not to overwhelm customers.

“Just tell a coherent story of security features rather than just dumping everything into one place and letting the customer fend for themselves to find what’s important. It’s all about directing the customer and guiding them.”

The post Telling the Security Story: How FIs Can Leverage Security Centers to Fight Fraud appeared first on PaymentsJournal.

Despite concerns about bad actors using artificial intelligence to perpetrate fraud, there are encouraging signs that AI is helping organizations combat it.

In an FIS survey of business and tech leaders, 78% of respondents said that AI has improved their company’s fraud detection and risk management strategies. Nearly half reported that, as a result, their company plans to increase investment in AI over the next two years.

Perhaps more importantly, more companies are entrusting AI with complex tasks. Roughly 56% of respondents said their organizations are either scaling or fully implementing AI to support financial processes.

According to Firdaus Bhathena, Chief Technology Officer at FIS, this is a sign that organizations are “moving from acknowledging AI’s value to embedding it into the fabric of daily business operations.”

The Agentic Boom

The largest financial services companies have made significant strides in incorporating AI, as evidenced by the recent boom in agentic commerce.

Mastercard and Visa have launched new platforms that turn AI agents into autonomous shopping bots that can search for items and make payments with little customer interaction.

Additionally, PayPal has embedded payments directly into Perplexity’s chat, so that after conversing with an AI agent about a product or service, the user can purchase it directly on the platform.

Removing the Barriers

Amid all these innovations, fraud remains a constant concern. It is a given that bad actors will attempt to manipulate AI agents—especially now, as cybercriminals in many cases possess a greater understanding of the technology.

Criminals have already deployed artificial intelligence, including AI agents, across multiple use cases and on a wider scale, unimpeded by the regulations and obligations that have stifled businesses.

FIS report spotlighted several barriers to broader AI adoption. The top concern among business leaders was the high cost of implementing and maintaining AI-powered systems. The next most frequently cited challenges were a lack of in-house expertise and potential difficulties integrating the technology with existing systems.

Until organizations can move past these obstacles, bad actors will still be one step ahead.

The post AI Is Making an Impact in the Fight Against Fraud appeared first on PaymentsJournal.

For over 140 years, Marks & Spencer (M&S) has been a fixture of Britain’s retail landscape, but the department store has faced sharp losses and operational issues following a devastating cyberattack.

Shortly after the April ransomware incident, M&S halted online and in-app order—services the retailer has yet to restore. According to Reuters, Marks & Spencer hasn’t resumed its online operations out of an abundance of caution.

A group of hackers gained access to the store’s systems and threatened to shut down the company’s network if a ransom wasn’t paid. M&S refused to succumb to the threat actors’ demands and is now working to restore all its systems.

The attack is estimated to have cost Marks & Spencer $80 million, but the impacts could go beyond monetary losses. While M&S said it was surprised by customers’ willingness to shop in-store, store-sourced voices raised concerns that customers could eventually lose patience with the lack of digital options—potentially leading to reputational ramifications if the outage persists.

Aggressive, Creative, and Effective

The M&S attack was the handiwork of a loosely affiliated network of hackers known as Scattered Spider, which has carried out attacks around the globe. A smaller group within the network, called DragonForce, is behind the M&S hack as well as similar efforts against UK retailers Harrods and the Co-op.

Though British merchants have been the initial targets, Google recently warned that Scattered Spider could be just as likely to target their U.S. counterparts.

“US retailers should take note,” John Hultquist, Cybersecurity Analyst at Google, told The Independent. “These actors are aggressive, creative, and particularly effective at circumventing mature security programs.”

The Magnitude of These Attacks

Bad actors targeting large organizations is not a novel phenomenon, but the scale of damage is broadening. For example, crypto exchange Coinbase was recently hacked in an incident that could cost the company up to $400 million, after cybercriminals bribed Coinbase contractors to divulge protected customer data.

Similarly, the M&S breach derived from a contractor relationship. At least two logins used in the hack were linked to Tata Consulting Services, a company that provides IT and help desk services for the retailer.

The magnitude of these attacks will likely prompt many organizations to reevaluate their partnerships and reassess their security measures. However, as criminals become increasingly innovative, businesses will also need to find creative ways to defend themselves.

The post One Month Later, Marks & Spencer Is Still Reeling from a Cyberattack appeared first on PaymentsJournal.

Crypto exchange Coinbase was the target of an attack that resulted in stolen customer data and potentially $400 million in damages.

The company reported that a group of bad actors had been approaching its overseas contractors for months, attempting to bribe them into releasing customer information.

Once the criminals succeeded, they threatened to leak the data unless Coinbase paid a $20 million ransom in bitcoin. Although the company refused to pay and notified law enforcement agencies, it has decided to cover reimbursement expenses ranging from $180 million to $400 million for customers who have been or may be scammed by bad actors using the stolen data.

Coinbase noted that no passwords, private keys, funds, or Coinbase Prime accounts were compromised, and that less than 1% of its monthly transacting users were impacted by the attack. Additionally, the company announced a $20 million reward for information leading to the arrest and conviction of those responsible for the scheme.

A Prime Target

Employees have increasingly become targets for cybercriminals aiming to gain access to company data.

Financial organizations are prime targets because they hold troves of personal and financial data—this is why hackers targeted the U.S. Office of the Comptroller of the Currency, which monitors the activities of all U.S. financial institutions and has significant access to highly sensitive information.

As the largest crypto exchange in the U.S., Coinbase has leveraged the surging interest in digital assets by making large acquisitions and introducing new technologies. Given the company’s global scale, the likelihood that Coinbase would become a target for criminals has increased.

Intensifying the Vetting Process

Attacks designed to manipulate consumers or employees into revealing protected data have become increasingly creative, making fraud an issue that businesses can no longer afford to ignore.

Coinbase noted that after detecting the breach, it terminated the employees involved, warned impacted customers, and beefed up its fraud defenses.

Another ramification of this attack is that it will likely prompt the crypto exchange—and other financial services companies—to reevaluate contractor relationships and more thoroughly vet the employees who have access to protected customer data.

The post How Bad Actors Recruited Coinbase Agents for Extortion and Phishing appeared first on PaymentsJournal.

The Consumer Financial Protection Bureau (CFPB) is withdrawing a proposal, originally passed during the lame-duck period of the Biden administration, that aimed to curb the sale of personal information by data brokers. 

At the time, then-CFPB Director Rohit Chopra said the rule was necessary to address national security, surveillance issues, and the risk of criminal exploitation associated with data broker practices. But this week, in a Federal Register notice, acting CFPB Director Russell Vought said the agency had determined the rule was not necessary at this time. Vought stated that the rule didn’t align with the agency’s current interpretation of the Fair Credit Reporting Act (FCRA) of 1970, which is currently under review.

The rule sought to classify data brokers as consumer reporting agencies under the FCRA. Under this designation, any organization selling data on income, financial status, credit history, credit scores, or debt payments would be required to comply with the FCRA. Brokers could only sell such information if the buyer can demonstrate a permissible purpose, and marketing does not constitute as a legitimate business need.

Concerns Over Criminal Acts

In addition to legitimate data brokers, would-be identity thieves and criminals also had access to the same detailed financial profiles available to credit bureaus and other legitimate entities. The rule would have protected consumers from having such data sold to malicious actors.

As of December, when the CFPB introduced the rule, the United States was the only Western democracy not to have enacted similar nationwide data protections. The global data broker industry is expected to top $460 billion by 2031.

The data broker proposal is the latest rulemaking at the agency to be rolled back in recent days. Vought has withdrawn nearly 70 policy statements, interpretive rules, and guidance that the CFPB had issued since its creation in 2011.   

The Legislative Alternative

If the rule is reinstated, it will likely come in the form of a law. Last year, Republican and Democratic representatives from Washington State jointly introduced The American Privacy Rights Act (APRA), designed to regulate the buying and selling of personal data collected from consumers, both with and without their consent.

After reports that House GOP leaders planned to scuttle the bill, the measure was tabled last June before it ever came to a vote.

The post CFPB Rescinds Rule Limiting Sale of Personal Data appeared first on PaymentsJournal.

First-party has emerged as the most prevalent type of fraud worldwide. It accounted for more than a third of all reported fraud cases in 2024—an increase from 15% the year prior.

According to The Calm Before the Storm?, a new study from Lexis-Nexis, this surge places it ahead of other major fraud types, including third-party account takeovers, scams, and true identity theft.

First-party fraud, also known as friendly fraud, occurs consumers dispute legitimate charges, often resulting in a refund. These disputes may involve claims that an unauthorized purchase was made using their account, or that an item was not received or was stolen by a porch pirate. It can also include misrepresenting or providing false personal information for financial gain, such as when applying for a loan.

Factors Behind the Growth

Buy now, pay later transactions—an increasingly popular payment method—have contributed to the rise in first-party fraud, a trend often exacerbated by periods of inflation. Financial institutions are increasingly being held liable for scams, which is also likely influencing the uptick. Additionally, several recent regulations now require victims to be fully reimbursed for all scam-related losses.

“Banks have had somewhat lax stances when it comes to dispute and chargeback policies, making it easier for consumers who get away with friendly fraud,” said Suzanne Sando, Lead Analyst of Fraud Management at Javelin Strategy & Research. “They can claim fraud on smaller purchases here and there without raising any red flags. In order to keep customers happy, banks will approve these chargebacks without nearly enough investigation into the validity of the claim.”

More Common Among Young People

Another reason behind the growth of first-party fraud is that younger consumers are more likely to commit this type of crime. Separate data from Socure found that while 13% of respondents admitted to engaging in friendly fraud, that figure jumps to 40% among Gen Z respondents. As more young consumers enter the economy, first-party fraud is likely to increase.

“There’s an attitude of first-party fraud being a victimless crime, where the only ones who lose are corporate giants that won’t actually feel any effects from the fraud,” Sando said. “Consumers are generally feeling fatigued from the state of the economy, and that leads to what I would consider lax attitudes and moral ambiguity when it comes to committing friendly fraud.”

The post First-Party Fraud Now the Most Common Type of Fraud in the World appeared first on PaymentsJournal.

Artificial intelligence models are only as effective as the data they’re trained on, which is one reason why Stripe believes its AI-driven payments platform can better detect fraud.

At an event, the company said its Payments Foundation Model has been trained on billions of transactions that flow through its systems, which makes the AI model more attuned to the nuanced aspects of each transaction.

One example is card testing fraud, where criminals run small transactions to check if stolen card details are still active. Stripe said that while its previous AI tools had some success in blocking this kind of fraud, the new model could reduce card testing by 64% almost immediately—thanks to expanded access to the company’s transaction data.

Following in the Footsteps

Stripe is following in the footsteps of some of the world’s largest financial players, who are doubling down on their AI initiatives.

Both Mastercard and Visa have launched new platforms designed to capture the potential of agentic AI. Mastercard’s Agent Pay and Visa’s Intelligent Commerce platforms are built to handle all the aspects of a transaction autonomously—from picking out items to the final purchase.

In the crypto space, Coinbase has unveiled its x402 payments mechanism that leverages an existing HTTP protocol to enable both humans and AI agents to conduct stablecoin transactions during web interactions.

Replacing the Coach

As hot as AI is, stablecoins have also been making headlines in recent months. After PayPal launched its stablecoin two years ago, it seemed natural that Stripe would follow suit with one of its own. This launch became inevitable  after the company’s billion-dollar acquisition of stablecoin company Bridge.

However, Stripe has broader ambitions in the stablecoin market. The fintech’s leadership has indicated plans to bring stablecoin-backed, multicurrency cards for businesses. The goal is to give businesses in different countries the ability to operate using the same currency.

Additionally, Stripe is planning to roll out a range of new offerings, including everything from tax help to instant payment integration. However, it’s unclear whether this bevy of solutions will help the company move forward.

“Stripe is persistent, if nothing else, as it relentlessly chases global omnichannel merchants,” said Don Apgar, Director of Merchant Payments at Javelin Strategy & Research. “The press releases, product stack and required features/functions are all there, the only thing missing is the large enterprise merchants.”

“Like the sports team that continually replaces the head coach, at some point you have to wonder what the real issue is,” he said. “However, this fraud model could be a game-changer if it truly delivers the results that Stripe claims.”

The post Stripe’s AI Model Touted to Be More Effective Against Fraud appeared first on PaymentsJournal.

Account takeovers (ATO) continue to be a major challenge for cybersecurity professionals, fueled by the high resale value of compromised accounts—especially those with valuable rewards points. A new report found that over 6.8 million accounts listed for sale on criminal marketplaces in 2024.

According to the report from KasadaIQ, stolen accounts made up the majority of listings on these marketplaces in Q1 2025. One of the fastest-growing targets is the travel industry, where loyalty and reward programs are particularly lucrative for cybercriminals.

Focus on Frequent Flyers

Observed sales of stolen airline accounts increased by more than a third over the previous quarter, rising to more than 9,200 such ATOs. These accounts are being sold for nearly $30 apiece, with frequent flyer programs remaining high-value targets. Airlines ranked second only to retail as the most lucrative industry for ATO specialists.

Kasada also identified more than 13,000 accommodation and hotel/motel account sales in Q1 2025, with an average sale price of around $4.15 per stolen account. Accounts for hotel chains tend to command higher prices than many other types due to the redeemable rewards points they include. By contrast, homestay service accounts—such as AirBnB—sold for just 50 cents each.

Digging for Points

Rewards points seem to be a key factor attracting criminals. Kasada found that points were the most common feature attached to stolen accounts sold on criminal marketplaces. Criminals use open-source automated tools like OpenBullet not only to compromise dozens of accounts but also to determine how many loyalty points are associated with each one.

This adds value to otherwise innocuous accounts at places like quick-serve restaurants. Criminals can purchase these accounts for around $3.00—less than the cost of a meal. Because the value of each individual account seems small and may go unnoticed, this type of fraud is considered relatively low risk within the hacker community.

“ATO remains one of the financial services industry’s greatest fraud concerns,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Not surprisingly, consumers rarely consider accounts linked to rewards, such as retail and travel, at risk of attack. Because of that, consumers take few measures to ensure they use strong passwords that contain multiple and mixed characters across retail and travel accounts. That makes those types of accounts easy targets for cybercriminals to take over and cash out on.” 

The post Rewards Points Remain a Big Prize for Account Takeover Hackers appeared first on PaymentsJournal.

Bad actors continue to rely on phishing emails, with some of the most effective attacks against businesses masquerading as internal communications.

A KnowBe4 study analyzing user behavior during a phishing simulation found that roughly 60% of the failures involved emails referencing an internal team, with nearly half specifically mentioning HR. Some of the most convincing phishing emails included fake Zoom Clips (shortform asynchronous videos purporting to be from a manager), HR training reports, and mail server warnings.

Another tactic that increased the effectiveness of these attacks was the use of QR codes. The top three QR codes scanned by users were linked to a new HR drug and alcohol policy, a DocuSign document for review, and a birthday message sent through Workday.

Phishing for Emotional Responses

The data from KnowBe4 aligns with a recent report from the Association for Financial Professionals, which found that 79% of organizations surveyed had experienced attempted or actual payments fraud over the past year.

The most common tactic identified was business email compromise, often stemming from spoofed internal communications.

A combination of convincing emails and social engineering has been particularly effective for cybercriminals. Bad actors know that employees are less likely to question messages from HR or management and often feel pressured to respond quickly.

Unfortunately, once a user clicks a malicious link or scans a QR code, they can expose their organization to everything from payments fraud to ransomware attacks. For example, a recent breach at the U.S. Office of the Comptroller of the Currency gave criminals access to thousands of highly sensitive emails for over a year—all because they compromised a single administrator’s account.

Incumbent on Organizations

In addition to crafting fake internal communications, criminals are also impersonating the vendors that companies rely on. The KnowBe4 report found that organizations are highly susceptible to communications that appear to be from Microsoft, LinkedIn, and Google.

The focus on phishing means employee education is a critical component of an organization’s fraud defenses, and workers must be conditioned to question every communication. However, it is increasingly incumbent upon organizations to think outside the box to stay ahead of a fraud problem that is spiraling out of control.

The post Top-Clicked Phishing Emails Impersonate Human Resources and IT appeared first on PaymentsJournal.

Regulation continues to recede from the realm of cybersecurity, leaving organizations to fill these gaps on their own, using their own knowledge bases. The onus now falls on the financial services industry to self-govern and for cybersecurity leaders to come up with their own standards to ensure best practices.

In 2024, the nonprofit organization MITRE released ATT&CK for mobile, which maps out where a financial institution might be vulnerable to an attack. According to Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research, this could be an important step toward enforcing cyber resiliency in an age of lax compliance regulations. Her new report, Leverage MITRE Frameworks for Effective Cyber Investment, examines how financial institutions can use this and other new tools to preserve their cyber resiliency.

Looking for New Guidelines

As we see less regulatory oversight of financial institutions, particularly in the United States, cybersecurity teams must look to their own resources to make decisions on budgeting. Typically, financial institutions set their budgets for cybersecurity based on their need to comply with regulations or to meet certain standards. Without compliance regulations in place, they are forced to seek guidelines elsewhere.

For many years, organizations looked to the Federal Financial Institution Council, or FFIEC, for standards to follow. But the recent downsizing of the Consumer Financial Protection Bureau underscores the fact that the FFIEC has lost some of its efficacy in providing guidance for financial institutions.

This has put institutions in the position of not having much oversight or regulatory scrutiny, which is not necessarily a positive thing.

“There’s a void of regulatory oversight to ensure that they don’t risk exposing PII [personally identifiable information] from their consumers, or that they may be opening themselves up to some kind of breach that would expose proprietary information,” Goldberg said. “They’re going to have to self-govern. So what could they turn to that could serve as a guideline?”

MITRE Has an Answer

MITRE ATT&CK is emerging as an important answer. It is basically a framework that lets banks look at the techniques cybercriminals are using. The FIs can then map out where their systems are vulnerable to being breached or being exposed to a network compromise. By mapping out in a visual way where banks need to address risk, ATT&CK lets them see where they need to make their moves.

Frameworks like these have been around for a long time. But as regulatory guidance wanes, cyber teams could turn to some of these frameworks to potentially detect their own cybersecurity gaps.

That’s what MITRE and its cyber defense matrix can help with: mapping out a strategy so the institution is not just performing checkbox compliance. It can help FIs choose vendors and solutions that help them evolve along with the cyber threats.

“It’s a really dicey environment right now,” Goldberg said. “Cybersecurity and even fraud prevention is a cost center. Compliance is expensive, and a lot of times, financial institutions make investments in technology that they know is going to check a box for regulators. We’re not in that kind of environment now, so I think we’ll see more strategic investments made that are based less on checkbox compliance and more on actual necessity.”

Adhering to International Standards

U.S. financial institutions will have to rely on vendors and self-governance to determine their cyber investment strategic planning in the short term. They also should not shy away from the fact that they will be held to high cyber standards by international regulators, especially where the European Union’s recently released Digital Operational Resilience Act (DORA) is concerned.

DORA is extremely comprehensive, deemed by many to be the most far-reaching cyber regulation the financial industry has seen. In the absence of domestic regulation that that touches on consumer privacy and cybersecurity, U.S. financial institutions would do well to ensure compliance with what’s being put out internationally.

“This is especially true since we know that financial services knows no borders,” Goldberg said. “Financial institutions inevitably conduct transactions internationally, so they could turn to DORA when they’re looking to decide in which direction they should be led.”

Heading into the Future with OCCULT

In February, MITRE published its latest framework, OCCULT, also known as Operational Evaluation Framework for Cyber Security Risks in AI. The new framework’s methodology aims to standardize the testing of artificial intelligence used to execute cyberattacks. One interesting early finding is that OCCULT determined that the controversial AI platform DeepSeek poses a particular cyber risk because of the way its large-language-model-driven chain-of-thought reasoning can be exploited.

Although the MITRE ATT&CK framework is more about the techniques and tactics that bad actors use, OCCULT looks more at the social engineering perspective.

“Social engineering is a challenge because it doesn’t really have a strong technology solution,” Goldberg said. “Social engineering is where you’re doing something to manipulate a consumer into doing something. There obviously are cyber risks there, but we can’t really address them in the traditional way that we always have.”

Education plays a significant role, but it can go only so far. What MITRE is working toward through OCCULT is to help come up with some kind of technology that addresses social engineering.

“Scams are based on the same technique that we’ve seen with phishing attacks,” Goldberg said. “A phishing email tries to convince a consumer or an employee to click on a malicious link. A scam is doing the same thing: convincing a consumer or an employee to do something that they normally wouldn’t do, or that they shouldn’t do. But they are using those same types of emotional techniques—urgency, or feigning to be the boss, who’s saying, ‘I need you to schedule this wire immediately.’

“Spam filters prevent those phishing emails from getting to the employees. Could we do something similar with technology to prevent those scam communications from ever reaching the consumer? That is the direction that we’ll have to move in.”

The post Where Can Financial Institutions Turn for Guidelines in Cyber Resiliency? appeared first on PaymentsJournal.

A novel artificial intelligence feature is making phishing attacks—already the weapon of choice for cybercriminals—even more effective.

In the past, phishing emails were sent out en masse using the same template, making it easier for fraud detection systems to identify patterns among these blanket messages. Now, a technique called polymorphic phishing incorporates AI to randomize components of fraudulent emails—such as sender names, subject lines, and even the content.

This allows bad actors to launch customized email campaigns that can bypass many security measures. As with many AI-powered fraud mechanisms, polymorphic phishing attacks have rapidly gained traction. According to SecurityWeek, at least one polymorphic feature was present in 76% of all phishing attacks last year.

“Phishing attacks remain the leading way cybercriminals breach networks and systems, infect devices—both personal and corporate—with ransomware, and coerce employees and consumers to reveal and leak sensitive personal information and corporate intellectual property,” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research.

“DNS security features, used to block malicious websites and web-based attacks, and spam blocking, which traps suspicious emails based on domain, keywords, and email server rules, are being circumvented by these emerging polymorphic phishing attacks,” she said. “That means spam blockers and DNS filtering are increasingly less effective.

Innovating New Fraud Vectors

This new spin on phishing is part of a broader trend: through technology and social engineering, cybercriminals have gained an edge over organizations. This is especially true in the financial services industry, where longstanding compliance and risk concerns have made institutions slower to adopt new technologies.

Meanwhile, cybercriminals face no such constraints. They’ve been quick to experiment with emerging tech like AI, developing new and more effective methods of attack. One result: novel fraud vectors, such as AI agents, which can be developed to carry out fraud attacks autonomously.

Known and Trusted Users

To combat these innovations, organizations must look beyond their current limitations to find solutions against this growing threat. They will also need to adapt and integrate emerging technologies capable of identifying such threats more effectively.

“Verifying the authenticity of senders through protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM), remain among the best tactics to stop phishing and spam,” Goldberg said. “Additionally, AI can be used to help email security, by relying on defenses that analyze emails to detect content patterns that suggest the email has been automated, rather than written by a human.”

“That, of course, increases the risk of so-called ‘false positives,’ meaning legitimate emails that have been sent en masse—such as marketing emails or those sent through mail merge—are more likely to get blocked,” she said. “Companies will soon be forced to lean toward encrypted email security that limits email access to known and trusted users.”

The post How Polymorphic Phishing Campaigns Leverage AI to Evade Detection appeared first on PaymentsJournal.

Although many organizations are still strategizing and piloting their artificial intelligence implementations, bad actors have already made AI an integral part of their fraud operations. One of the main reasons that criminals have been able to implement emerging technologies so rapidly is they are free from the constraints that hinder many legitimate organizations.

In the 2025 Identity Fraud Study: Breaking Barriers to Innovation, Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research, detailed the rising fraud trends, the ways financial institutions can better educate their customers, and the out-of-the-box solutions required to battle fraud.

Growing Out of Control

Fraud attacks involving the unauthorized use of personal identifiable information have been a persistent threat over the more than two decades of the long-running Javelin study. Last year was no exception, as identity fraud incidents and dollar losses saw year-over-year upticks.

Many factors are involved in the increase, including the rising prevalence and scope of data breaches. There has also been an increase in cyber intrusions, whereby a criminal takes over an individual’s phone or computer.

One interesting finding from the report was that the financial losses and the incidence rate of scams—where the target is tricked into divulging money or data—decreased from the previous year.

A possible reason for the decline could be that the barrage of headlines about novel and pernicious scams—coupled with awareness efforts by financial institutions—has consumers on guard. While there has been some discussion about identity fraud, such as how consumers can protect their identity once it’s stolen, it hasn’t been as all-consuming as the focus on scams.

“The other thing is it’s hard for everybody, including consumers, to categorize things into separate buckets,” Pitt said. “How do you categorize a scam that leads to identity fraud? Is it a scam or is it an identity fraud incident? It very well could be that these consumers are thinking of how it finished and not how it started.

“Regardless, if we look at the combined victim count, it was an increase of one million victims, which is astounding. This fraud problem is essentially growing out of control.”

Opening Eyes on Information

Though many assume that fraud attacks are mostly perpetrated for financial gain, bad actors are often after something more valuable than money: information.

“I know that scams target information and money, but the fact that 71% of scam victims also were tricked into providing some sort of information was eye-opening,” Pitt said. “I think as an industry, we have a long way to go on educating consumers about how information can be used against them. A lot of consumers look at information like an email address, phone number, name, even date of birth as somewhat benign.”

Though these data points may seem harmless on their own, they can be used in concert to commit identity fraud against the individual or to perpetrate additional scams on a larger scale.

To mitigate this threat, financial services providers should expand their consumer education efforts. They will also need to take a hard look at their communications with customers—an area where some organizations muddy the waters.

“Many of us, including myself, have gotten text messages, emails, even phone calls from financial institutions where it was legitimate and they’re asking for things they say they’d never ask for—like one-time passcodes or to click on the link,” Pitt said. “Instead of questioning that, consumers are opting on the side of, ‘It’s probably legitimate, let me go ahead and give that information.’

“We as financial service providers do ourselves a disservice when we give consumers mixed messages, and that’s a huge thing we need to fix.”

Reporting Fraud Appropriately

Consumers are also falling short in reporting fraud properly. When a fraud event occurs, the first act by most consumers is to notify their financial institution. Unfortunately, it is often the only step they take.

“When people think of fraud, people typically think of their financial institution, so they contact their financial institution and think they’ll solve everything,” Pitt said. “Reporting to law enforcement is down, reporting to credit card companies is down, reporting to identity protection service providers is down. Some of that, I think, is consumers don’t know who to report their incident to anymore.”

One of the issues is that there are numerous providers that consumers should contact if they believe they are a fraud victim. Most consumers are unaware of this, and the ones who are aware are either unwilling or unable to report fraud appropriately.

Instead of looking at reporting as a vital way to get restitution for their loss and to stop the criminals from striking again, many consumers are simply calling their bank and moving on.

“I was recently asked an interesting question,” Pitt said. “I was asked, ‘Why would fraud victims report if it’s just a low dollar loss and we’re talking about, let’s say, a few hundred dollars? Is it worth their time to contact all these agencies or should they just say, it’s a few hundred dollars, let’s just forget about it?’

“That happens a lot, unfortunately. The reason to not discard your fraud reporting is because if you don’t report fraud, it can impact other victims as well. Other victims may have the same perpetrator or the same fraud ring that you had as a consumer, and that fraud will never stop if people don’t report it.”

Expanding AI Knowledge

One of the reasons cybercriminals have been able to carry out attacks on a larger scale is that they have deployed AI to do the heavy lifting. However, AI can play an equally essential role in financial institutions’ fraud prevention measures.

Organizations will first have to improve their education efforts—the Javelin report had a new set of questions this year that probed consumers’ comfort with how financial institutions utilize AI fraud prevention tools.

“What we found is over half of consumers said they had zero to little knowledge of what AI is,” Pitt said. “I know that sounds shocking to you and I—who hear about AI all the time—but clearly we’re missing the mark. If people don’t even know what it is, then they don’t know how AI can be used against them, and they don’t know how AI can be used to protect them.

“Of the people that had knowledge of AI, the majority of them were willing to allow their financial institution to use AI-powered products to help protect against fraud. If we can get the education level up to where they understand what AI is, we can get buy-in from consumers on using AI-powered tools and start using those tools.”

Combating Fraud Through Innovation

Implementing more robust educational measures and AI fraud detection tools are significant steps toward mitigating fraud. However, it is clear that bad actors have gotten a substantial head start.

This means that many institutions will have to dramatically shift their attitudes toward fraud. Banks and credit unions are highly regulated institutions that have traditionally been resistant to anything that could introduce risk.

The industry’s rules, regulations, and protocols have created an environment that has stifled innovation—exactly the ingredient needed to combat bad actors.

“Fraudsters aren’t doing that,” Pitt said. “They have no box; they have no rules. That’s how they were able to capitalize on AI so quickly and got ahead of us in that game, and quite a bit quicker than we anticipated. It’s because we’re still operating in this box.”

“What we need to do as innovative thinkers is pretend there is no box,” she said. “Start thinking of what all the possible solutions are for how we can prevent fraud and protect the organization and the customer. Pretending we had no regulations, pretending we had none of these requirements, we can at least see the solutions. Then, we need to make leaps and bounds to even catch up to this problem at this point.”

On May 1, join Javelin’s Senior Analyst, Jennifer Pitt, author of the 2025 Identity Fraud Study: Breaking Barriers to Innovation, as she moderates a panel with AARP’s Kathy Stokes and TransUnion’s Richard Tsai on how the industry can fight back with innovative fraud solutions.

The post Breaking the Rules: Why Organizations Must Think Outside the Box to Combat Fraud appeared first on PaymentsJournal.

The pervasive threat of fraud means organizations must be cautious when sending any payment, including when matching employee contributions to charitable organizations.

According to Forbes, there are increasing instances where employees are manipulating programs intended to benefit nonprofits and charities in order to funnel funds from their employers.

In some cases, employees have set up phony foundations and made contributions solely to exploit the charitable gift match. These bad actors have sometimes even recruited co-workers, friends, or family members to donate to these fake nonprofits to boost their company’s matching donation.

There have also been instances where employees made donations to legitimate entities to receive personal perks. This could include giving to a university to receive tickets to a sporting event or a parking pass, or contributing to a private school their child attends in return for discounted tuition.

Building Stronger Safeguards

These types of fraud attacks are often successful because many organizations are overly trusting. They assume their employees would not take advantage of programs intended for charities.

Because of this trust, many organizations have inadequate safeguards in place to prevent employee abuse. Some companies only require a printed receipt or a letter from the charitable organization as proof of donation—items that can be easily forged.

To protect against these types of internal attacks, experts suggest that companies conduct annual employee training on the proper use of the programs, require more stringent supporting documentation for donations, and perform regular audits of the program.

Making an Impact in the Community

For organizations, this emerging fraud trend might seem like just another fraud vector in a growing wave. Nearly 80% of companies reported experiencing some type of fraud attack or attempt in the past year, according to research from AFP. While there are plenty of attacks coming from outside, organizations also have to worry about threats from within—including employees, vendors, and customers.

One unfortunate repercussion of fraud is that it can cause organizations to overreact. For example, if an employee is found manipulating a gift matching program, the company might hamstring the program or eliminate it entirely.

This can adversely affect legitimate nonprofits and hinder a company from achieving what is often a core objective—to make an impact in the community. That why it’s essential for companies to put safeguards in place to protect against the misuse of charitable donations.

The post How Some Employees Exploit Donation Matching Programs to Commit Fraud appeared first on PaymentsJournal.

Fraud is still a persistent and ubiquitous threat, as evidenced by a recent study which found that 79% of organizations surveyed experienced attempted or actual payments fraud over the past year.

The study by the Association for Financial Professionals (AFP) found that while this figure was down one basis point from the previous year, it was not a significant drop considering the time and resources many companies have invested in strengthening their fraud defenses. Additionally, organizations that lost funds due to payments fraud were much less likely to recover more than three-quarters of the stolen amount—down from 41% to 22% year-over-year.

Corporate emails continue to be the most popular target for cyberattacks, with business email compromise (BEC) cited as the most common tactic.

“Socially engineered attacks, like business email compromise attacks—which are nothing more than targeted phishing attacks—are common points of entry for all cyber-attacks, including those that result in fraud,” said Tracy Goldberg, Director of Fraud & Security at Javelin Strategy & Research. “Stronger domain name system (DNS) controls that block malicious domains not only trap or block phishing emails but also prevent employees from accessing malicious websites, which also can be used by cybercriminals to exploit network vulnerabilities and deploy malware, once they’ve lured an unwitting user to engage. DNS controls also can be used to protect network devices and routers, to ensure the entire attack surface is secured.”

Cybercriminal Tactics Shift

A single BEC event can have dramatic consequences, as evidenced by the recent breach at the U.S. Office of the Comptroller of the Currency. In this instance, hackers accessed thousands of emails containing highly sensitive information for over a year—all because they compromised an administrator’s account.

According to the AFP study, most email attacks originate from spoofed emails that appear to come from reputable sources. In many of the early BEC attacks, cybercriminals impersonated senior executives within the organization to deceive employees.

As more companies strengthen their defenses against such tactics, bad actors have shifted their focus. Increasingly, they are exploiting the trusted partnerships many organizations rely upon. Emails in which criminals impersonated vendors or third parties saw a substantial uptick last year.

Targeting Payment Mechanisms

In the reported BEC incidents, the AFP found that wire transfers were the most popular targets for criminals. With wire transfers, users can send large amounts in a single payment, and it is often difficult for customers to retrieve their funds once they’ve been manipulated into making the transfer.

Outside of BEC, the payment mechanism most frequently targeted by criminals is still paper checks. Despite the many payment innovations available to organizations, many have been reluctant to move away from checks. However, continued reliance on checks substantially increases an organization’s vulnerability. The AFP study found that 63% of respondents had experienced fraud attempts or attacks involving checks.

The post Most Organizations Experienced Fraud Last Year appeared first on PaymentsJournal.

After months of floating various anti-fraud proposals, the Social Security Administration (SSA) has settled on what appears to be a more or less permanent program to combat fraud. Effective immediately, the agency will conduct anti-fraud checks on all phone applications for benefits. Applicants flagged for suspicion will be required to verify their identity in person.

SSA estimates that about 70,000 of the 4.5 million claims filed by phone each year will be flagged. The new policy is expected to be less burdensome for retirees than earlier proposals, which would have required everyone applying for retirement or disability benefits to either appear in person, or use the website, which has its own identity verification process.

Initially, the agency said that individuals would no longer be able to file for retirement and disability benefits over the phone, citing an inability to sufficiently verify applicants’ identities. However, it later clarified that the phone restriction would apply only to those filing for retirement, survivors, or family benefits—not to those applying for disability benefits, Supplemental Security Income, or Medicare.

Increasing the Burden

Flagging phone applicants that present fraud or security concerns has the potential to make a difference, though some remain skeptical.

“With these rapid policy changes, do SSA customer service representatives even know what to look for?” said Suzanne Sando, Senior Analyst of Fraud & Security at Javelin Strategy & Research. “It seems unlikely that there has been enough training on how to handle these scenarios.

“Some of the warning signs usually include mismatched or outdated personal information, hesitancy in answering questions to verify information, and requests to change or add information banking and deposit information,” she said. “But there will also be an influx of call volume for legitimate beneficiaries wanting to ensure they don’t need to do anything, which will add to the workload of SSA representatives, who also now need to be on the lookout for potential fraud.”

Controls on Direct Deposits

The agency is also rolling out a new policy that prohibits beneficiaries from changing their direct deposit information over the phone. According to the agency, about 40% of Social Security direct deposit fraud stems from phone calls requesting bank account changes.

Going forward, beneficiaries will need to update their bank account information either through their agency’s website or by visiting a local office. Sando notes that while change in direct deposit details is generally considered a yellow flag—it remains a key indicator that warrants close monitoring.

The post Social Security Unveils New Anti-Fraud Controls appeared first on PaymentsJournal.

A consumer receives a text about an unpaid toll bill demanding immediate payment—only they haven’t driven on a toll road recently. A homeowner locked out of their house calls a locksmith, only to discover the business listing on Google Maps was fake, and they have been redirected to a criminal trying to manipulate them into sending funds.

These scams are alarmingly common, with new tactics emerging every day. Yet despite the persistence and damage caused by these threats, many financial services companies still fail to allocate sufficient budget to protecting themselves and their customers.

In the Battle of the Budget: Prioritizing Scam Classification for Future Cost Savings report, Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, examined the scam identification and prevention tools available to financial institutions—and the growing urgency of dedicating more resources to the fight against fraud.

Altering the Priority List

Though most financial institutions often notify their customers about emerging scam types, there have not been as quick to invest in the technology needed to mitigate them.

“A huge issue as far as budgets go—whether the funds are there or not—there’s always something flashier to spend the budget on,” Sando said. “This goes for any organization. So many are going to spend their money on enhancements that will improve the user experience and keep them competitive in the market, or things that might handle regulatory issues that come up. As these things crop up, the priority list changes.”

Unfortunately, initiatives to reduce scams are frequently delayed. This means that while institutions may want their customers to be informed, scam prevention often isn’t a high budgetary priority for many banks and credit unions.

“It’s all over the place,” Sando said. “We all get emails constantly, saying, ‘This is your bank, Suzanne, and these are the common scam types. This is your financial advisor coming to you live with all the scam types we’re hearing. This is Amazon, here are the scam types.’ It’s obviously a huge, persistent issue, but what are we going to do about it?”

Revisiting the Budget

One reason it can be difficult to combat scams is the lack of a consistent system for categorizing and documenting scam types. Criminals use a variety of increasingly sophisticated methods to reach and manipulate their targets.

Because scams take many forms, there’s little standardization in how they’re categorized—varying not just from one organization to another, but sometimes even within the same institution.

The first step toward understanding how to allocate budgets appropriately to address scams is standardizing documentation. To that end, the U.S. Federal Reserve recently released its ScamClassifier model, an offshoot of the FraudClassifier system launched five years ago.

ScamClassifer is a free system designed to help financial institutions track and monitor attempted and successful fraud attacks, threat actors, and emerging fraud trends.

A more organized view of the scams organizations face could help them more effectively allocate budgets for fraud and scam detection. However, even though ScamClassifier has been available for over a year, many banks remain unaware of it—or uninterested in adopting the model.

“The framework is free, but you’re going to spend all this money for your developers to do the integration into your existing system,” Sando said. “You are going to have to spend money on analyzing these huge back-end legacy code systems. That is not an easy task when you have millions of lines of code, where even if you make one change, you might have to change, test, and redeploy 20 to 30 programs.”

The effort and potential costs of implementing these scam documentation systems can be daunting, but the benefits are substantial.

“It seems like the payoff isn’t there to implement something like the ScamClassifier model because you think: I’m going to spend all this money, and for what?” Sando said. “Well, to figure out how much you’re losing on scams. In my mind, once you know what you’re up against, then you can revisit your budget.”

Using Data Effectively

Aside from ScamClassifer, there are other technologies that financial institutions should consider. Real-time scam detection is becoming more critical, as once a payment is authorized, it’s often too late to intervene.

Effective real-time detection typically relies on predictive AI that can flag suspicious activity using existing signals, such as account behavior and transaction history. AI can also streamline processing for organization, minimizing friction for consumers.

Beyond real-time detection, financial institutions should also make better use of the troves of data they already have at their disposal.

“I had a purchase that was blocked by my bank, and I got a fraud alert, and it was me making the purchase,” Sando said. “I was buying parking for a concert at Soldier Field at the exact same parking facility I have purchased parking three times in the recent past. I wasn’t even doing it at a weird time, and they blocked it.”

“Part of me is thinking, you’re collecting all this data and for what?” she said. “Are you even using it? Hopefully, we’re getting to a point where financial institutions are getting the right technology in place that is going to effectively use that data, so they’re not blocking transactions that should go through and they’re catching the ones that are suspicious. But I think we’re still behind the game on that one.”

A Grand and Sweeping Statement

The financial institutions that haven’t invested in these technologies could be in tremendous jeopardy if there is a spike in scams targeting their customers or institutions. They may be forced to continuously divert resources toward fraud and scam prevention, making it hard stay afloat.

For these reasons, it is critical that institutions reevaluate their budgets.

“Long story short, financial institutions are not budgeting appropriately,” Sando said. “That is a grand and sweeping statement, and there are certainly institutions out there that are making the right investments. There is always going to be something flashier and more exciting to spend your money on, but scams have got to be a priority—plain and simple.”

The post The Cost of Inaction: Why FIs Are Investing in Scam Prevention Now appeared first on PaymentsJournal.

Last October, TD Bank was fined more than $3 billion after pleading guilty to violations of the Bank Secrecy Act and conspiracy to commit money laundering. The unprecedented charges stemmed from the bank’s failure to detect and prevent illicit financial activity. Specifically, it was cited for not implementing robust Know Your Customer (KYC) procedures, neglecting to conduct periodic account reviews for illegal activity, and failing to file suspicious activity reports.

TD Bank serves as a cautionary tale for other financial institutions. Failing to adopt modern, continuous KYC solutions can be catastrophic—resulting in financial losses, reputational damage, and erosion of customer trust. And according to Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research, most banks are dissatisfied with their current KYC systems.

Continuous Checks in Real Time

In KYC Revolution: Automated Solutions Tackle Compliance and Fraud Challenges, a report from Javelin, Pitt found that many banks, in response to the Bank Secrecy Act’s requirement to implement KYC solutions, are simply checking the box by adopting outdated systems. These legacy KYC tools often fail to effectively mitigate fraud and money laundering.

“They’re not doing continuous checks in real time so that they can actually vet their customers,” said Pitt. “What they should be doing is implementing what we call perpetual or continuous KYC solutions. These happen throughout the entire customer lifecycle, not just during onboarding or annually like most are being done.”

Perpetual KYC solutions include a continuous authentication process, which verifies who is gaining access throughout an entire login session. Every action—whether it’s logging in, making a transaction, adding account information or users, or linking new accounts—is re-authenticated in real time. This process runs in the background using automated tools, minimizing customer friction.

Vetting these customers’ actions can strengthen the due diligence typically performed manually through traditional KYC processes. If the bank identifies a customer as high-risk—due to, say, a criminal history— additional scrutiny may be applied using perpetual KYC solutions. These measures are initiated only when the automated system flags unusual activity or detects a higher-risk client.

“They’re literally hiring people to do Google searches for what we call negative news in order to vet their customers,” said Pitt. “If you have financial service professionals typing that information manually, it’s not being done in real time. I could be searching for this person in LexisNexis, trying to find out if they have a criminal history. Today they could be all good, and then tomorrow they could have different information.

“Some traditional banks never check their customers again, or they’re only checking annually,” she said. “That person could change addresses three times in the interim or transact to highly suspect counterparties.”

Reducing the Friction

Ensuring that KYC processes are invisible is an important step toward reducing customer friction and preventing them from feeling like they’re being treated as criminals.

Most financial institutions, following current privacy laws, inform customers about the data typically collected. These can include name, date of birth, Social Security number, and credit history—at the time of account opening. But many fail to communicate what information is continually required throughout the account lifecycle.

“One of the things that that Javelin stresses is the need for transparency by financial institutions,” said Pitt. “What we found is that consumers will be more apt to provide information that’s necessary for KYC if banks are transparent about why they’re collecting the data, what information is being collected and what’s being done with it.

“They need to know if the information is being shared or sold, or if it is just being used to vet the customer,” she said. “That transparency is a key in getting perpetual KYC systems on board. It ensures that the customers are providing the necessary information.”

The Necessity of Collecting Data

The industry has struggled to balance customer friction and privacy with the need to gather sufficient information to vet their customers. The TD Bank scandal served as a tipping point, pushing banks to err on the side of collecting more data.

The criminal charges happened because regulators believed TD was already aware of deficiencies in their program and chose to look the other way.

“The fact that they were criminally charged, that tells you it’s not just oops, they didn’t understand,” said Pitt. “It’s that they willfully chose not to update their programs.

“That was pretty much the first time that any financial institution has been charged criminally for failing to stop money laundering or fraud,” she said. “Regulators aren’t going to idly stand by anymore and let these failures in KYC happen. There’s a higher need to protect your consumers than there is for these privacy regulations.”

Turning to Outside Help

One reason banks have been reluctant to adopt perpetual KYC solutions is that even larger legacy banks would likely need to rely on vendor solutions to implement them. Legacy KYC systems are often incompatible with some of the perpetual KYC processes that leverage artificial intelligence.

“This is a generalization, but traditional banks typically aren’t the innovators of the world,” said Pitt. “It’s fintechs that are the innovators of the world.”

Pitt cites iDenfy, Persona, and Moody’s as three leaders in the perpetual KYC space. These fintech vendors can generally offer perpetual KYC solutions at a lower cost than would be required for financial institutions to adapt their systems and upskill their personnel independently. Partnering with other financial institutions will be key.

In preparing the report, Pitt was struck by how many banks were unaware of KYC solutions in general, let alone perpetual KYC.

“Financial professionals do ourselves a disservice when essentially we try to silo all our products and not share that information with the industry,” Pitt said. “A lot of financial institutions that had no idea that there were even such solutions. Now they are thinking, ‘Oh my gosh, there’s perpetual KYC out there. Imagine if we knew this two years ago.’

“Organizations are going to have to figure out how to get these solutions,” she said. “The TD Bank incident really struck home. It was the industry’s way of saying, whether or not you can afford it, you don’t have a choice anymore.”

The post Perpetual Motion: The Case for Continuous KYC appeared first on PaymentsJournal.

The U.S. Office of the Comptroller of the Currency (OCC) confirmed that a breach of its email systems in February was a significant incident that exposed highly sensitive information.

An independent bureau of the Treasury Department, the OCC monitors the activities of all U.S. banks, including federal savings associations and agencies of foreign banks. In addition to safeguarding trillions of dollars in assets, these institutions also hold substantial stockpiles of private data belonging to consumers and businesses.

According to Bloomberg, hackers gained access to the mailboxes of 103 OCC officials, including senior deputy comptrollers and international banking supervisors. The breach went undetected for over a year, until a Microsoft security team noticed unusual network behavior.

All told, the bad actors were able to access over 150,000 emails during the they had access to the OCC’s systems. These communications included information about the condition of banks under federal oversight.

A Threat of National Proportions

According to a Bloomberg source, the cybercriminals were able to breach the OCC’s systems after hacking into an administrator’s account. It is unclear how the threat actors gained access, who they are, or what their motivations were.

However, it is clear that the emergence of new technologies has elevated cybercriminals to a threat of national security proportions. The U.S. National Security Administration (NSA) recently issued a cybersecurity advisory about fast flux—a tactic that allows bad actors to rapidly change the IP address associated with a domain name.

The NSA stated that because fast flux enables cybercriminals and nation-state actors to build command-and-control infrastructures that conceal nefarious activities, the technique poses a threat to national security.

Harm to Public Confidence

As fraud and scams have spiraled out of control, the extent of financial losses and data breaches has reached new heights. In addition to these losses, the constant barrage of fraud attacks could have even greater impacts—such as the loss of consumer confidence in critical aspects of the country’s essential infrastructure.

“The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence,” wrote Kristen Baldwin, Chief Information Officer at the OCC, in a draft letter to Congress.

The post Year-Long Breach at U.S. OCC Exposed Thousands of Emails, Sensitive Data appeared first on PaymentsJournal.

Although bad actors are constantly working to undermine financial institutions’ defenses, roughly 90% of U.S. banking customers report being satisfied or very satisfied with their primary bank.

According to a study sponsored by the American Bankers Association (ABA), many respondents also held favorable views of their financial institutions’ customer service and felt their bank was transparent about disclosing fees.

This positive sentiment may be driven by the highly competitive nature of the U.S. financial services market. Many respondents noted that multiple banks are actively competing for their business. In fact, roughly 83% said they had several options when choosing products like bank accounts, loans, or credit cards.

Keeping Customers in the Know

In addition to keeping customers informed about competing solutions, digital banking technologies have greatly enhanced the way financial institutions engage with their customers. Mobile apps and online banking serve as vital touchpoints, offering customers a direct lifeline to their bank. Features like push notifications and real-time alerts play a crucial role in keeping customers in the know about account changes, security updates, and new products.

These technological advances are also driving a shift to expand the onboarding process—extending it beyond the initial sign-up to span the entire customer lifecycle. This allows the bank to be the central hub of a consumer’s financial life, fostering long-term, advice-driven relationships built on trust and ongoing engagement.

Proactive Steps Against Fraud

However, the foundation of every banking relationship is security. As banks have improved their tech, criminals have also adopted increasingly sophisticated tools—now often supercharged by AI—to perpetrate more convincing and effective fraud attacks.

Scams have proliferated to the point where there is no consistent way for financial institutions to classify and report them effectively. This has forced many financial institutions to confront the issue and take action.

These fraud prevention efforts have not gone unnoticed. According to the ABA survey, roughly 86% of respondents said their bank takes proactive steps to protect them from fraud and scams. Additionally, nearly three-quarters of respondents believe their bank does more to protect them than businesses in other industries.

The post U.S. Consumers Are Confident in Their Bank, Even When It Comes to Fraud appeared first on PaymentsJournal.

While retailers recognize the importance of fighting fraud, their attempts to mitigate it often cause friction and makes things difficult for consumers.

More than three-fifths of U.S. e-commerce businesses and 58% of U.S. retail businesses reported increased customer churn due to fraud prevention measures, according to a LexisNexis True Cost of Fraud study.

The study broke down the reasons for customer abandonment in both retail and e-commerce settings. Interestingly, customers seem to resent fraud prevention measures more when shopping in person. For brick-and-mortar retailers, the top reasons consumers cited for abandoning the account creation or onboarding process were a poor user experience and friction caused by fraud prevention.

In contrast, for e-commerce, concerns shifted: lack of communication and delayed responses replaced friction as the main reasons for abandonment.

This remains true despite the fact that online and mobile transactions account for the largest share of fraud losses. In the U.S., 53% of fraud losses stem from online purchases, with another 30% resulting from mobile purchases.

The good news is that businesses are increasingly aware of the need to minimize customer friction during checkout and account creation. According to LexisNexis, half of all U.S. retailers reported being extremely focused on reducing friction during the account creation process, while 45% said the same about the checkout experience.

“We get a lot of reports that consumers are not happy with onboarding processes,” said Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “They always say, ‘I thought I already gave you my information. Why do I keep having to give you this information?’”

More Than Just the Dollars Lost

The cost of fraud extends far beyond the direct financial losses. According to LexisNexis, the average merchant spends $4.60 for every dollar lost to fraud—a figure that has nearly doubled since 2016.

In addition to the immediate revenue hit, fraud can negatively impact customer trust, diminish brand loyalty, and damage brand integrity. More than a third of respondents report rising fees as a significant consequence of fraud.

Seamless Ways to Fight Back

Experts say that AI-powered solutions can help balance customer friction with the need to prevent fraud and money laundering and address cybersecurity concerns.

“Implementing AI-powered fraud solutions will also allow banks to shift human personnel to where they are needed most–to customer facing roles,” said Pitt. “Shifting personnel ensures that customers feel valued and protected, reducing customer loss.

“There will always be a cost,” she added. “It may be on the front end – purchasing strong fraud detection solutions. Or it may be on the back end – hiring personnel for lookbacks, or paying fines, or losing customers. Banks are going to have to figure out how to implement some of these real-time solutions. In the next few years, regulators may not give them the choice.”

The post Friction From Fraud-Fighting Weighs Heavily on Consumers appeared first on PaymentsJournal.

For years, criminals have attempted to impersonate the U.S. Internal Revenue Service (IRS), tax preparation services, and other entities during tax season.

However, this year, cybercriminals present an even greater threat due to increasingly sophisticated technology, according to Microsoft. The tech giant reported discovering several tax-themed phishing campaigns designed to deliver malware or remote access trojans (RATs) to unsuspecting users.

In one example, emails with subjects like “Notice: IRS Has Flagged Issues with Your Tax Filing” or “Unusual Activity Detected in Your IRS Filing” included attached PDFs containing embedded links. When users clicked these links, they were redirected to a phony DocuSign website that evaluated their system and IP address—potentially installing malware that could be exploited in future attacks.

“I think a huge part of this is generative AI, which is making these emails way more convincing. So the average consumer will say, ‘I don’t think this is real, but maybe it is,’” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research.

“We all know, and we push the point that the IRS is never going to call and ask for your information,” she said. “They’re never going to e-mail you and ask for information, but people are still going to give it up.”

A Barrage of Communications

While technology enables criminals to craft more convincing messages, phishing techniques have also become more effective because of the use of social engineering tactics that prey on common consumer concerns.

“A lot of consumers have likely not yet filed their taxes and are probably feeling the pressure of, ‘Oops, I have a week left and I will be looking for a tax preparation service to complete this for me,’” Sando said. “And we are also getting a barrage of legitimate emails from the H&R Blocks, the TurboTaxes, and all of the tax preparation services out there.”

“In between, you’re also getting the phishing emails that are posing as H&R Block, that are posing as TurboTax, maybe sending you text messages saying you filed in the past with TurboTax, click this link to get your return started,” she said.

Creating an Environment of Security

With scams becoming increasingly convincing, consumer education is essential. However, it’s equally critical that organizations avoid overwhelming customers with messages that mimic the tone and tqactics used by criminals.

“Part of the problem is that some of these legitimate service providers are also emailing out real links and texting out real links,” Sando said. “It’s incumbent on the service providers and the government—any entity that is asking for personal information or payment for a service—they should be directing customers to their website, to download the secure app onto their mobile phone, and to get the process started that way.”

“We have to start creating that environment of security so that consumers just automatically can tell what is real and what isn’t,” she said.

The post As the Tax Deadline Looms, Cybercriminals Ramp Up Phishing Attacks appeared first on PaymentsJournal.

The United States National Security Administration (NSA) has issued a cybersecurity advisory about fast flux, a technique commonly used by cybercriminals to avoid detection.

Fast flux allows bad actors to rapidly change the IP address associated with a domain name. The NSA said that because fast flux allows cybercriminals and nation-state actors to create highly resilient and available command-and-control infrastructures that obfuscate their activities, it poses a threat to national security.

This infrastructure can be exploited to conduct espionage and hide other cyberattacks, like phishing campaigns and distributed denial-of-service (DDoS) attempts. For example, a group known as Gamaredon, which is believed to be linked to Russia, recently used fast flux to conceal spear-phishing attacks against Ukrainian organizations.

What is particularly concerning about this incident is that even though the group’s attacks have been described as “reckless and not particularly focused on stealth,” the threats have still managed to evade detection by leveraging techniques like fast flux.

Cyber Fusion Deployment

This is part of a growing trend where sophisticated technology is lowering the barriers to entry for criminals. Often, bad actors use phishing attacks to gain access to an organization’s systems, after which they can deploy various forms of malware.

As cybercriminals become more cunning and creative, organizations must adapt by expanding their cybersecurity strategies.

“The best defense for financial institutions, and any critical infrastructure industry, is to ensure that threat intel sharing is brought to the fore, through information sharing and analysis center (ISAC) participation and consortium efforts facilitated via private sector collaboration,” said Tracy Goldberg, Director of Fraud & Security at Javelin Strategy & Research.

“The DDoS attacks (waged against the U.S. by the Iranian government) of the mid-2010s took top-tier banking institutions offline,” she said. “It was only after strong intel sharing—facilitated by ISAC participation—around suspicious IP addresses and domains became commonplace that U.S. banks were able to successfully mitigate those attacks. A similar strategy is required here, heightening the need for more cyber-fusion deployment across the financial services sector.”

The post NSA Warns Fast Flux Technique Makes Cybercriminals a National Security Threat appeared first on PaymentsJournal.

As cyberattacks grow more sophisticated, organizations are increasingly worried not just about data theft but also about threats to their critical infrastructure. With hackers backed by rogue nation-states, the risk landscape has expanded exponentially—affecting  consumers, employees, and even supply chains.

A report from Javelin Strategy & Research, New Stakes of Cyber Resiliency in the Era of Cyber Warfare, explores how large organizations can protect themselves against these risks. Tracy Goldberg, Javelin’s Director of Fraud and Security and author of the report, emphasizes the importance of cyber resiliency, which she defines as an organization’s ability to withstand and recover from attacks.

Attacks From an Array of Enemies

Privacy risks associated with social media and artificial intelligence have become even more severe, especially as political adversaries such as Iran and China back these cyber threats. These groups are researching financial institutions’ supply chains, exploiting vulnerabilities in API networks through island hopping techniques, and launching attacks to infiltrate systems.

Cyber resiliency is essential for long-term defense against these escalating threats. To enforce cyber resiliency, Goldberg recommends a holistic approach. This includes securing every device connected to the enterprise, educating employees on phishing attacks, ensuring the use of VPNs, and thoroughly assessing third-party connections and supply chain risks.

All of this requires a forward-thinking mindset. Organizations building a cybersecutiry strategy should look not just at the next year but at the strategic evolution of cyber resiliency as the company grows.

A holistic approach is especially necessary as hackers have become sophisticated enough to launch multi-pronged attacks. Take, for example, a distributed denial-of-service (DDos) attack that could serve as a smokescreen for something more nefarious on the back end.

“When a DDoS attack takes an online banking site down and consumers can’t get to their online banking, that’s going to distract cybersecurity teams from getting the site back up,” Goldberg said. “It also takes them away from another attack that could be using some kind of back door to get into the network.”

Target suffered such an attack through its supply chain over a decade ago. Cybercriminals infiltrated a heating and refrigeration vendor, then used that access to funnel their way through and breach Target’s network.

“It’s outside of your purview if one of your vendors gets hacked,” said Goldberg. “But if you have a vendor that’s connecting to your network, there should be certain access points they can’t enter through.”

The Risk for Financial Institutions

Financial institutions have a specific vulnerability in this area. With the instability of the financial market and the rise of mergers and acquisitions, some smaller institutions will either close down or be acquired by other institutions.

These mergers and acquisitions pose significant cybersecurity risks. As entities merge, disparate systems must be integrated, creating potential security gaps.

Obsolete servers may still house sensitive information or provide access to forgotten networks. If not properly secured, they present a tempting target for hackers.

The Threat from Nation-States

The lines between nation-state threat actors and cybercriminal rings have become blurred. Nation-states are funding and supporting cybercriminals who often serve as a front for more nefarious.

“We have not done a good job as an industry of attributing the attacks to specific groups,” said Goldberg. “There was an argument a decade ago that indicators of compromise and attribution didn’t really matter–if you were seeing fraud, you were seeing fraud. But now we’re finally realizing that that’s not necessarily the case.”

Nowadays, proceeds from cybercrime are being used to finance terrorism and launder funds that ultimately support entities like the Iranian government, for example. What might seem like a simple romance scam could, in reality, be tied to a significant national security threat.

The Promise of Anti-Money Laundering Tools

Financial institutions have tools at their disposal that can effectively promote cyber resiliency. Anti-money laundering (AML) processes can connect many dots, but because these tools have been used in isolation for decases, they have failed to make critical connections that could more readily detect fraud and preemptively prevent cybercrime.

According to the U.S. Patriot Act and the Bank Secrecy Act, from an AML standpoint, there are certain entities that banks cannot provide funds to. Red flags may be raised on the AML side, preventing funds from being transferred to an account holder in a particular region. However, similar alerts are often absent when the fraud team reviews a consumer’s claim of being scammed. These teams should be working in tandem.

Fraud, cyber and AML often compete for budget. AML teams typically receive larger budgets for technology investments due to regulatory compliance mandates, but the same technology can be leveraged across all three departments when signals are shared. This approach reduces cybersecurity gaps and AML concerns simultaneously.

Technology investments across the enterprise can ultimately enhance cyber resiliency. For example, anti-phishing campaigns led by the fraud department could contribute to cyber resiliency by tracking suspicious actors. Even if individuals don’t initially appear to be the same, the fraud team might identify commonalities, such as shared IP addresses or mobile phone numbers linking multiple accounts.

Looking for Direction

In the past, the federal government has set standards for organizations to adhere to. But in the new landscape, financial institutions will have only themselves to turn to.

The Biden administration issued an 11th-hour cybersecurity executive order, calling for far-reaching inclusivity and accountability among government agencies, industry sectors, and tech and software providers to strengthen cybersecurity resilience. However, with the transition to a new administration, the order will have little direct impact on cybersecurity resilience and responsibility.

“When there’s no policy, what standards do we look to?” asked Goldberg. “Financial institutions need to find other standards or regulatory agencies to look to for guidance. Cyber resiliency is going to be the responsibility of the organizations themselves.”

The post Building Cyber Resiliency into Financial Institutions appeared first on PaymentsJournal.

The days of receiving phishing emails with subject lines like “Payment Overdue!” may be coming to an end. As users grow desensitized to alarmist messages, malicious actors have shifted to more subtle approaches.

“Request” was the most common word in phishing subject lines in 2024, according to research from Cisco. Threat actors have largely abandoned urgent or time-sensitive language, instead opting for ordinary terms that blend seamlessly into a user’s daily inbox.

Microsoft Outlook was the most commonly spoofed brand, appearing as the sender in 25% of suspicious emails, followed by Amazon and LinkedIn. Other frequently impersonated names  include PayPay, a Japanese payment service, and Chinese e-commerce giant Shein.

A Hot Market for Credentials

One reason phishing remains so prevalent is that adversaries find it easier to compromise networks and accounts by obtaining credentials for illegal log ins rather than using more complex methods like deploying malware.

According to a report from Javelin Strategy & Research, 2025 Identity Fraud Study: Breaking Barriers to Innovation, identity fraud incidents and financial losses skyrocketed over the past year. The survey found that over half of consumers surveyed experienced an increase in unusual text messages, while slightly fewer noticed a rise in emails with suspicious links. In total, consumers lost $27.2 billion to identity theft in 2024—a 19% increase from the prior year, according to Jennifer Pitt, Senior Analyst of Fraud and Security and author of the study.

A thriving market for stolen credentials further fuels this trend, with valid username and password combinations frequently bought and sold on the dark web. According to Cisco, bulk lists of credentials commonly sell for as little as $10 on dark web marketplaces.

System Vulnerabilities

One of the most common organizational vulnerabilities leading to successful phishing attacks is weak multi-factor authentication. Pitt recommends that organizations implement MFA protocols incorporating behavioral and device analytics, as well as biometric authentication methods such as fingerprint and voice recognition. These password-free methods can also prevent criminals from using stolen credentials to create fraudulent new accounts. 

Another critical security weakness stems from unpatched and vulnerable systems. Many widely used systems are several years old, and patch management remains a continuing challenge for many organizations. 

The post Phishing Attacks Shift to More Subtle Enticements appeared first on PaymentsJournal.

Last year, a breach of cloud storage company Snowflake resulted in data stolen from more than 150 companies, with more than $2 million extorted from victims. The attack was carried out by an infostealer, a type of malware that didn’t directly infiltrate Snowflake but instead entered through a client with weak security measures. The growing market for financial data stolen by hackers has made these attacks an escalating threat to financial institutions worldwide.

In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, and Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research, looked at the threat that infostealers currently pose to banks. They discussed how infostealers present risks even to third-party vendors, and how organizations can stay one step ahead in protecting their sensitive information.

What Are Infostealers?

Infostealers are a specific type of malware that collects critical information from victims’ computer systems. They primarily target browser-based data, such as credentials, session tokens, and details about software that can be extracted from the operating system and sold to malicious brokers.

Infostealers are generally small, lightweight programs built for speed. They’re designed to execute quickly and then delete themselves. This rapid execution is a key reason why infostealers are so difficult to detect. In 54% of the cases that security service Spycloud examined, the victim had an active antivirus program running on their system.

Infostealers are typically sold by initial access brokers, a subset of the cybercriminal ecosystem focused on gaining entry to systems. This initial access allows other, more specialized groups to take action using the stolen information, including ransomware operations and nation-state threat actors. These brokers are agnostic to the buyer, willing to sell the data to anyone.

FIs Are Especially Vulnerable

Infostealers often target financial institutions, not just because they hold the money, but because they can scrape passwords from customers’ browsers, which frequently include login credentials for financial institutions. This tactic is a way to circumvent many of the fraud and account takeover prevention measures that FIs have in place.

Customers at financial institutions often reuse passwords across multiple accounts, including those at different banks. Many of these financial accounts are linked to other services like email or social media, with the same passwords being used. These reused credentials are especially valuable to infostealers.

These kinds of attacks are not limited to customers; employees have also fallen victim. If multi-factor authentication is not enforced for employees, they often use weak, short passwords or reuse them across multiple systems. Some employees continue to access personal accounts or use personal devices at work.

In recent months, major browsers have implemented strong mitigations, but larger infostealers have been quick to figure out workarounds.

“They’re constantly evolving,” said Kosak.  “It’s a very effective marketplace and a very effective tool. It’s cost effective and it works. That keeps bringing on more of these threat actors, both people who are trying to make money on the initial access broker sites and the developers themselves.”

Infostealers are also targeting session tokens, which can be used to circumvent credentials if the right protections aren’t in place. If criminals get the data fresh enough, most of it ends up available for sale within a day of the of the time that it’s stolen.

The Hidden Risks

The risks to financial institutions from infostealers are broader than they might initially appear. While the primary threat is theft, there is also fraud loss, operational risk, and reputational risk. Once a financial institution starts losing a significant amount of money from this, if it lacks proper protections in place with the media, the reputational risk can be massive.

FIs should also consider their business-to-business connections. Infostealers can target supply chains and third-party vendors just as easily as customers or the business itself. Supply chain vulnerabilities can have second- and third-order effects, impacting customers as much as a direct breach of the institution.

When an organization hires cloud service providers or third-party vendors to protect its data, the original institution remains responsible for vetting that third-party processor. It must ensure the vendor has the proper security protocols in place to deter infostealers.

“The Snowflake data breach happened because they hired a third-party company that didn’t require multi-factor authentication,” said Pitt. “Ultimately, the customer is going to hold the initial institution responsible. They’re going to start leaving banks for somebody else that will actually protect their credentials.”

The Latest in Prevention

Identity and Access Management (IAM) programs can significantly reduce the risk posed by infostealers. An effective IAM strategy includes strict access controls and continuous monitoring to detect and respond to suspicious activity. When only authorized users can access sensitive data, it becomes much harder for threat actors to exploit stolen credentials.

Multi-factor authentication remains absolutely critical, as is requiring customers to use unique and complex passwords for every account. If passkeys are an option, use them as well.

“That’s an absolutely critical next step when we think about how to mitigate this risk in the longer term,” Kosak said. “Passkeys are going to become more and more important. We’re still very early in the adoption cycle on that, but they’re phishing resistant.”

Another important factor for FIs to be aware of is cracked software. People concerned about infostealers should resist the temptation to download and install free software applications.

“If you see something that looks a little off the books, it’s probably going to come with a nasty surprise,” said Kosak. “They direct people to these YouTube links that deliver malware. Stick to known app stores.”

Behavioral detection, including user behavior analytics and device fingerprinting, is emerging as a strong defense against infostealers. They help detect account takeovers, for instance. If an FI detects any anomalous behavior, they can have processes in place to mitigate these risks and cut off the actions as they’re happening.

Polite Paranoia

All financial institutions have annual training requirements that everyone must complete to understand the threat environment. There’s another aspect that can be a bit harder to implement and articulate—the culture side. The core issue is instilling a culture of polite paranoia.

“You’ve got to be willing to raise questions both up and down the chain if you see something that’s suspicious,” said Kosak. “Being willing as a new junior associate to raise your hand and say, ‘hey, this seems suspicious to me, that’s a cultural aspect to an institution.’ Being willing to be challenged if you’re a senior in that institution and say, ‘hey, I’m glad you’re asking that question.’ That’s really powerful too.”

“These threat actors will use fear and intimidation and psychological pressure to get people to act without having the time or feeling like they have the channels to raise questions,” he said. “Polite paranoia takes that away from them.”

The post Infostealers: The Latest Cyberthreat Facing Financial Institutions appeared first on PaymentsJournal.

There’s a growing consensus among organizations as diverse as financial institutions, consumer advocacy groups, and card networks that scams are out of control. And yet, the U.S. still lacks a consistent framework to identify, categorize, and address this spiraling threat.

In the Getting Personal With Scams report, Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, detailed how the many methods criminals use to perpetrate scams demand a more holistic solution for identifying and sharing threat intelligence.

A Damaging Threat

Scams peaked during the pandemic as more consumers engaged on social media and shopped online. While there has been a slowdown with the return to brick-and-mortar stores and increased face-to-face communication, scams remain a significant threat.

Although the total number of scams may have declined, the number of scam victims surpasses those affected by other types of fraud. For example, in 2023, there were 15 million traditional identity fraud victims in the U.S., according to Javelin. In comparison, 24.1 million people fell victim to scams last year.

The prevalence of scams has even begun to impact consumer shopping patterns. Some victims have shied away from purchasing items online, and many have closed accounts entirely. Some consumers have stopped using digital banking services. While individuals must take steps to protect themselves from scams, completely withdrawing from the digital world is an ineffective strategy.

Many consumers are taking these actions because they believe their governments, financial institutions, and businesses aren’t doing enough to reduce this threat. According to Javelin, scam mitigation efforts vary by country, and the U.S. has plenty of room to improve in this area.

“We’re just not doing enough,” Sando said. “Financial institutions are not required to reimburse scam victims, and there are a lot of other international economies that have regulations to do so. I’m not saying that’s the way it should be—I don’t think we are going to get to a point in the United States where scam reimbursement happens anytime soon—but it doesn’t mean there aren’t things that we can do to at least tackle the problem better.”

Standardizing the Nomenclature

One of the biggest issues in the U.S. is the lack of a comprehensive system to categorize and log scams and bad actors. The Javelin report identified over 16 categories of scams, yet it was still not an exhaustive list. Criminals exploit any method of communication to reach their victims and leverage all available technology and tactics to accomplish their goals.

Because scams take so many forms, different organizations may use varying names for the same scheme. Even within the financial industry, one institution might categorize a scam differently than another. Without standardized nomenclature, understanding the full scope of the problem becomes extremely difficult.

The issue is exacerbated because there is no overarching system to track scams.

“You may have a consumer who became a victim of a scam that might report it to the FTC, or to their financial institution, or to law enforcement,” Sando said. “They might even go to the IC3 Internet Crime Complaint Center. But none of those systems will talk to each other, so we’ve got this skewed idea of what’s happening within the realm of scams.”

There have been efforts to standardize scam documentation, such as the ScamClassifier Model that was recently released by the U.S. Federal Reserve. Based on the Fed’s FraudClassifier system launched five years ago, ScamClassifer is a voluntary framework designed to serve as a central hub for documenting attempted and successful scams, threat actors, and fraud trends.

A more structured approach to scam documentation helps organizations understand the trends affecting their institution and customers. This, in turn, allows them to allocate fraud and scam detection budgets more effectively, focusing on the most relevant threats.

“The idea is how do we get to a point where we can at least be united to fight scams,” Sando said. “A lot of those problems come down to how you’re categorizing it. If you don’t have a handle on what’s going on in your own backyard, you can’t fight the problem.”

Keeping the Cards Close

One of the challenges with systems like the ScamClassifier model is they are voluntary. Even if organization does utilize it, many are reluctant to share this data with others, especially if it could include proprietary information. Financial institutions, in particular, have been hesitant to communicate with competitors.

However, better communication is the key to fighting a growing problem that can irreparably damage the relationship between an institution and its customers.

“At the very least, have your own organized way of tracking scams,” Sando said. “But sharing the information is just as important. You have to know what’s going on within your own neighborhood to fight the crime. And how can you do that if you’re keeping your cards so close to your chest?”

Framing the Problem

Once banks and credit unions become more informed about scam trends, they can better educate their customers and members. Understanding these trends also helps financial institutions implement technologies that can mitigate the issue.

For example, many organizations don’t have real-time scam detection. Especially when consumers aren’t reimbursed for falling victim to a scam, financial institutions should have measures in place to prevent fraudulent transactions from settling.

While there are clear actions organizations can take, criminals still have a head start. This makes it critical to take proactive steps to combat scams now.

“With this report, it’s just framing the problem,” Sando said. “There’s not even a huge solution, because we are still at this point in the U.S. where we haven’t done anything to fix this problem—and that’s the problem.”

The post Fighting the Surge in Scams: Why Standardization and Communication Are Key appeared first on PaymentsJournal.

Sophisticated malware is becoming an increasingly potent threat, as evidenced by the remote access trojan (RAT) that was recently discovered by Microsoft.

Dubbed StilachiRAT, the malware is designed to scan the Google Chrome browser for any of 20 crypto wallet extensions, including platforms like Coinbase Wallet, MetaMask, and Trust Wallet.

According to Microsoft, once the RAT detects a crypto wallet, it employs various techniques to siphon information from the system. These include extracting saved browser credentials and monitoring clipboard activity for passwords or crypto keys.

Once this sensitive data falls into the hands of bad actors, they can quickly drain the victim’s crypto wallet.

Bringing Awareness to the Capabilities

Microsoft first discovered evidence of StilachiRAT in November, and the tech firm said that it hasn’t yet been able to identify the cybercriminals behind the malware.

Though the RAT hasn’t yet gained widespread traction, Microsoft felt it was necessary to raise awareness about the malware due to its capabilities, the rapid evolution of the malware ecosystem, and to help reduce the number of potential victims.

One of the functions that makes StilachiRAT more impactful is its built-in evasion and anti-forensics mechanisms. For example, the malware can clear event logs and detect if it is operating in a sandbox environment to stave off detection.

To protect themselves from this threat, Microsoft suggests that crypto holders ensure they have up-to-date antivirus software, anti-phishing tools, and anti-malware defenses on their devices.

Threats Against Crypto Owners

Cryptocurrencies have gained significant attention over the past few years, but their decentralized nature—coupled with an often lacking regulatory framework—has made digital asset owners prime targets for cybercriminals.

These threats are supercharged by technology like Malware-as-a-Service (MaaS) platforms, which lower the technological bar for criminals and even allow them to outsource attacks. According to data from Darktrace, MaaS-based attacks picked up steam in the latter half of last year and now account for 57% of identified fraud activities.

One of the most commonly used malware tools identified in the Darktrace study was remote access trojan software, because of its efficiency and capability.

The post Microsoft Identifies Remote Access Trojan Built to Drain Crypto Wallets appeared first on PaymentsJournal.

Phishing is already a favored technique among criminals, and a demonstration by Symantec showcased how AI agents can supercharge these attacks.

The security company tasked OpenAI’s recently launched Operator agent with carrying out a phishing attack on a member of Symantec’s organization from start to finish. First, the agent identified the person who performed a specific role within the organization and located their email address. Then, Operator created a PowerShell script designed to gather systems information and sent an email the target using a “convincing lure.”

Teaching AI Cybercrime

The AI model initially refused the instructions on grounds they involved “sending unsolicited emails and potentially sensitive information” that could violate privacy and security rules. However, after researchers convinced Operator that they had proper authorization, the agent complied—a vulnerability that is also present in OpenAI’s ChatGPT.

Once assigned the task, Operator located its target using publicly available data. While the target’s email address was private, the AI agent deduced it by analyzing similar addresses within the same company.

Operator then studied websites to learn about PowerShell scripts, after which it drafted its own and sent the email. According to Symantec, the email—sent from a fake account—was reasonably convincing.

Working With Little Prompting

AI has quickly become a mainstay in fraud attacks, enabling bad actors to create deepfakes and cheapfakes that can fool consumers into making a financial mistake. However, at this stage, most of these attacks aren’t sophisticated enough to convince most individuals.

The attack orchestrated by Operator was relatively straightforward and did not reach the same level of most human-generated phishing attacks, which are increasingly hard to spot.

However, AI agents pose a formidable challenge because they can operate tirelessly with minimal input to accomplish their goals. This autonomy allows criminals to scale their attacks on a much wider scale with fewer technological barriers to entry.

The post How AI Agents Can Perform Autonomous Phishing Attacks appeared first on PaymentsJournal.

Just as organizations are implementing artificial intelligence and machine learning in novel ways, cybercriminals are continually looking to incorporate AI into their attacks. The disruptive technology allows criminals to find targets more effectively, scale their efforts, and forge better attacks that are increasingly harder to detect.

In a PaymentsJournal podcast, Alex Cox, Director of Threat Intelligence, Mitigation, and Escalation at LastPass, and Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research, discussed the AI-powered methods cybercriminals use, the impacts of AI-related fraud, and the ways that organizations can protect their customers and themselves.

A Big Data Problem

One of the areas where AI excels is in sifting through massive datasets to pinpoint an anomaly. Many organizations use that capability to identify fraudulent activity. On other hand, criminals use that functionality to find their next target.

“Bad guys have a big data problem that AI is helping them address,” Cox said. “For example, there was the MOAB list that came out recently, which is the Mother of All Breaches, and it had billions of username/password pairs. If you think about the magnitude of credentials that are available publicly, the amount of data makes it difficult. The bad guys figured out that if they put these things into language learning models and use AI to help them manage that data, they’re able to pull things out more efficiently and summarize it.”  

Once criminals have parsed large data sets to find their target, AI can also be implemented to make fraud attacks more effective. In the past, phishing attacks were much easier to spot. There may have been incorrect grammar in the email, a logo that wasn’t quite right, or other cues that the communication was fraudulent.

“Enter AI and LLMs, and criminals can go to this LLM and say, ‘Help me craft this phishing e-mail based on this lure,’” Cox said. “It will write it for you in very convincing English language that appears it’s from a native speaker. Once you get past all the technical controls, the final barrier is the person. If the person can look at an email and think it sounds like a person, it’s not a phishing e-mail, and they respond to it, it has made the bad guys that much better.”

A Blended Threat

Another way that cybercriminals are employing AI is to create deepfakes, with the objective of either creating a convincing persona or assuming an existing identity. This ability is just one aspect of the growing AI arsenal available to criminals.

“The combination of these capabilities is significant,” Cox said. “Microsoft has analyzed how some of the bad guys use ChatGPT, and you see them using it the same way that the traditional good guys are using it. They’re summarizing, they’re getting help with coding, and they’re getting ideas on how to improve their attacks. With this blended threat, they are able to use AI to pull information on a target, based on their internet presence, and craft an attack that is potentially able to compromise the target’s machines.”

The powerful technology has led to a decrease in the technical sophistication required to carry out damaging cybercrimes. There has even been a shift toward AI agents, which are fully autonomous fraud engines. It means criminals can lean on artificial intelligence to do much of the heavy technical lift.

“AI is allowing these bad guys to do this en masse,” Pitt said. “We used to see phishing emails where you’d have one single attacker that would have scripts and send out a few phishing emails or a few social engineering attacks. Now it’s all being automated with AI, so it’s thousands of emails, thousands of social engineering attacks, thousands of malware attacks all at once. It’s just easier for them to get that information out there.”

People, Process, Technology

Just as criminals find new ways to implement AI, many financial institutions are searching for ways to combat these attacks. To do so, a three-pronged approach that considers people, process, and technology is required.

On the people side, it means education. Organizations should ensure that their employee base, and potentially their customer base, understands that fraud attacks are now more sophisticated. The end user should understand that they can never fully trust the communications they receive, and they should question unusual asks.

From a process standpoint, organizations should take a zero-trust approach which includes constant authentication.

“We need to look at what we call perpetual KYC,” Pitt said. “In banking, traditional Know Your Customer processes often occur once, typically during onboarding, or on a cyclical basis. We look at the sanctions list, the person’s income, perform their identity verification, and then it’s set aside. Perpetual KYC uses AI to do continuous authentication in the background automatically in real time.”

Integrating AI to combat AI-driven fraud is one of the most powerful technology approaches available to organizations. Fraud and security teams can use artificial intelligence for anomaly detection among large data sets, and they can use it to summarize the gist of a large collection of documents. Organizations can also use AI to make their fraud prevention efforts more effective at a larger scale.

Tracking the Threat Environment

Though there are powerful benefits to adopting the disruptive technology, AI has many well-documented flaws. For instance, the technology is only as good as its data set, and it has been known to produce false or misleading information. These issues have caused some misgivings about AI adoption among many professionals.

“It’s important to use these tools as fraud professionals,” Pitt said. “We may be hesitant to use tools that we think are going to be used by the bad guys. Start using the tools and get familiar with that, if you’re not already as an individual. Tell your organization how AI can be beneficial. Yes, AI is absolutely used by the fraudsters, but if we don’t how to use it for good, we will never, ever beat them.”

For many institutions, another barrier to AI adoption is the organization’s resistance to change.

“I spent about half of my career working for big banks,” Cox said. “Typically, when a new technology comes out, they will ban it and then bring it on board over time in a way that makes sense. I think that AI is moving so fast that that approach is not going to work anymore, because you’re going to be at a disadvantage.”

One benefit for financial institutions is the sheer amount of education that’s available to them about artificial intelligence. AI has dominated the attention of the tech world for over a year, and the disruptive technology has been heavily scrutinized from every angle.

The amount of information available means security and financial professionals have a multitude of training opportunities they can use to educate themselves and their organizations. There is also constant news about the emerging capabilities of AI, and the techniques that cybercriminals use.

“Think about what you do day-to-day,” Cox said. “Think about the work that you have to do at your job and then start thinking: how can AI help me here? It should be clear very quickly that it will be valuable for a lot of different things. Just keep track of the threat environment, understand what’s going on, and that will help you make the right decisions to protect your firm.”

The post AI Has Become an Integral Part of Fraud Prevention—and Fraud Attacks appeared first on PaymentsJournal.

The UK has announced it will abolish its payments oversight body, The Payment Systems Regulator (PSR), and transfer its functions to the Financial Conduct Authority (FCA). While many financial institutions have welcomed the move as a step toward reducing bureaucracy, it leaves the UK’s fraud-fighting framework up in the air.

The government stated that its decision to eliminate the PSR was driven by concerns that the UK’s financial regulatory system had become overly complex. The country has operated under three financial regulators: the PSR, the FCA, and the Bank of England’s Prudential Regulatory Authority.

Until now, the PSR has been, at least nominally, a fully independent subsidiary of the FCA. However, since last July, it has been led by FCA director David Geale, and the two agencies have shared office space in London.

A Single Point of Contact

By absorbing the payments watchdog into the FCA, the UK government hopes to provide a single point of contact for businesses. The goal is to reduce expenses, particularly for smaller companies.

The PSR has also taken a leading role in fighting financial fraud in the UK. Eliminating the agency has left many concerned about the financial system’s ability to combat fraud.

“We believe that abolishing the Payment Systems Regulator at a time when the efficacy and resilience of payment systems, as well fraud risk management, are under intense review and focus, may not be the most opportune course of action,” Willem Wellinghoff, Chief Compliance Officer at Ecommpay, told Fintech Magazine.

Fighting APP Fraud

Some have felt that the PSR overstepped its bounds, particularly with the introduction of a mandatory refund system for authorized push payment fraud (APP fraud)  last October. The regulator initially proposed that banks reimburse APP fraud victims up to £415,000. However, after criticism that this amount was too high for smaller and mid-sized banks, the cap was reduced to £85,000, with the reimbursement split 50/50 between the sending and receiving payment service providers.

The system got off to a slow start, raising further doubts about its effectiveness. Last month, Fortune reported that PSR’s platform had processed just 10 claims since its launch.

The PSR has also maintained oversight of the payment rails operating in the UK. Just last week, it criticized Visa and Mastercard for increasing fees and exerting dominating over the card market. The agency claimed that debit and credit card fees on these payment rails impose an extra £170 million in annual costs on businesses.

The post UK Government to Shut Down Its Payments Regulator appeared first on PaymentsJournal.

Cybercriminals have more tools at their disposal than ever before, and they’re using them to target consumers in increasingly complex and effective ways. However, just because one of a financial institution’s customers falls victim to a scam, it doesn’t mean it was an isolated incident. In fact, emerging technologies are allowing criminals to organize and carry out attacks on a much larger scale.

2025 Cybersecurity Trends, a report from Javelin Strategy & Research’s Tracy (Kitten) Goldberg, Director of Fraud and Security, Suzanne Sando, Senior Fraud and Security Analyst, and Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research detailed how criminals are using technology to accomplish everything from scams to disinformation campaigns, and it also highlights the steps financial institutions can take to protect themselves.

The Dual Role of AI

Artificial intelligence has become a key component of fraud mitigation systems, but it has also become a fixture in many fraud operations. However, at this juncture, AI is having a greater impact in the fight against fraud.

“You don’t have AI that is successfully fooling authentication technology, but you do have AI that’s fooling consumers,” Goldberg said. “They’re not able to take my image and fool facial recognition technology, but they could potentially fool my neighbor. AI is a concern, but I think the concern is more on the social engineering piece and how humans are manipulated.”

There have always been criminals willing to exploit others for fraudulent purposes, but the techniques and tactics they use have become more complex. For example, cybercriminals are leveraging AI to create deepfakes which can mimic voices or personas, using this technology to create fictitious communications.

Criminals also deploy cheapfakes, where they edit or alter actual videos or audios and present an individual’s words out of context to commit fraud or spread disinformation.

The proliferation of social media and the increased isolation of many individuals has fueled the rise of romance scams, where cybercriminals feign romantic interest to obtain personal details from consumers.

Because more children have unmonitored access to the internet and social media, cybercriminals have also engaged in manipulation and cyber bullying tactics in efforts to get kids to provide their personal information.

Though there are more types of fraud attacks, there is still an overarching theme.

“Whether it’s someone trying to socially engineer a consumer into providing access to their bank account details or a hacktivist group that’s spreading disinformation, the end is the same,” Goldberg said. “They’re convincing consumers of something that is not true and getting these consumers to provide information about themselves, or to believe a falsehood.”

Rethinking Security: Biometrics Over Passwords

Fraud attempts are designed to manipulate consumers, so financial institutions should bolster their consumer education efforts. However, organizations will never be able to fully account for the actions of its customers. This means institutions must find ways to remove the consumer from the cybersecurity equation.

One of the most effective ways organizations can do this is to move away from username and password verification. Criminals can hack passwords, manipulate consumers into providing them, or purchase login information from bad actors on the dark web.

Because usernames and passwords are an increasingly ineffective means of security, FIs should lean on biometrics to verify their customers’ identities. In addition to fingerprint scanning and facial recognition technology, there are behavioral biometrics platforms, which monitor how a user interacts with their device. There are also tools to verify the validity of the device itself to ensure the right consumer is granted access.

All in all, financial institutions must take a bigger-picture view of fraud. The advent of technologies like machine learning and AI means it is easier for organized groups to carry out fraud at scale.

A bank might uncover what initially appears to be a conventional scam, where a criminal has socially engineered a customer into providing access to their bank account details. However, the perpetrator could have ties to a nation-state threat actor or a fraud ring conducting attacks or spreading disinformation.

“For the financial services industry, this is why we’re talking about cyber fusion deployment,” Goldberg said. “It’s where they’re bringing in some of the tools that they use for anti-money laundering, Know Your Customer compliance, and fraud mitigation. This helps with some of the scam detection, but then also with how they can tie that into who is behind some of these attacks.”

Following the Trails of Cyberthreats

A cyber fusion approach emphasizes the importance of shared threat intelligence within an enterprise. One of the key components is attribution, which involves identifying the actors behind cyberattacks.

“You’re pulling in anonymized data signals that could help to track money mule activity or fraud activity that might go into a Suspicious Activity Report (SAR),” Goldberg said. “This could potentially tie the attempt in with other indicators that you might have on the fraud side that could relate to potential scams or social engineering. Then it’s sharing that, not only across your enterprise, but with other organizations as well.”

Collaboration across the financial services industry—whether through a consortium or other mechanisms—is critical for exposing fraud techniques and tracking threat actors. Unfortunately, significant progress toward industry-wide collaboration or widespread cyber fusion adoption has been slow.

That said, solutions do exist. Many larger financial institutions are already implementing cyber fusion strategies, potentially setting an industry precedent. In addition, vendors are available to aid financial institutions with implementation. The strategic use of partners and tools across an enterprise, coupled with consortium data and anonymized data signals will be essential for achieving a holistic cyber fusion approach in the financial services industry.

“The whole ecosystem is a complex puzzle with a lot of different pieces, but we think that it all fits together,” Goldberg said. “It’s hard to connect those dots, especially when you have something as common as a romance scam or a pig butchering scheme. But if you start to trace the breadcrumbs, you might find that this is connected to a much wider network that is supporting something much more nefarious, which could even be a national security issue.”

The post A Robust Cyber Fusion Strategy Is Integral to Fight Fraud Threats appeared first on PaymentsJournal.

Healthcare organizations safeguard substantial troves of personal and financial data, making them prime targets for cybercriminals.

According to a survey from the Healthcare Information and Management Systems Society (HIMSS), more organizations are strengthening their defenses. The study found that 55% of healthcare organizations plan to boost their cybersecurity spending this year.

“Healthcare must invest more in cybersecurity, perhaps second only to education, à la the PowerSchool breach,” said Tracy Goldberg, Directory of Fraud and Security at Javelin Strategy & Research. “Healthcare is widely known for its cybersecurity vulnerabilities, and exposure of employee and patient Personal Identifiable Information.”

“Breaches and ransomware attacks—which exfiltrate sensitive PII and then hold the healthcare organization for ransom under the threat of exposing the stolen data on the dark web—are and have been all too common for many years,” she said.

The Change Healthcare Data Breach

Just as concerning as the frequency of ransomware attacks is their magnitude. Many healthcare leaders are reevaluating their cybersecurity solutions and third-party relationships in response to the largest healthcare data breach of all time—last year’s ransomware attack on UnitedHealth Group Subsidiary Change Healthcare.

The attack compromised the PII of over 190 million people and, much like the PowerSchool breach, was traced back to a cybersecurity lapse. Cybercriminals gained access to Change Healthcare’s systems using a single set password on a user account that lacked multi-factor authentication.

Increasing Cybersecurity Budgets

This incident, along with the rise in ransomware attacks targeting healthcare organizations, has forced a shift in the industry. According to HIMMS, healthcare organizations have historically allocated 6% or less of their IT budgets to cybersecurity. Now, nearly a third of respondents plan to spend more than 7% of their IT budget on cybersecurity this year.

This heightened focus on cybersecurity is critical because the ramifications of data breaches extend far beyond the healthcare industry.

“The lack of cyber focus and investment on the healthcare side has a domino effect on other industries, such as financial services,” Goldberg said. “These sectors eventually have to pick up the pieces of stolen consumer PII that turns into identity theft and subsequent fraud.”

The post More Healthcare Providers Are Bolstering Cybersecurity Infrastructure, Study Finds appeared first on PaymentsJournal.

While many consumers are busy preparing their 2024 tax returns, a new study shows that nearly a thousand data breaches last year could have led to tax fraud.

Data from credit agency TransUnion found that there were 970 data breaches in 2024 where criminals obtained the types of personally identifiable information (PII) required for various forms of tax fraud. In total, 640 million consumer records were exposed, containing critical details like Social Security numbers, address histories, and full names.

Data breaches are significant because even a small amount of stolen information can enable criminals launch attacks. Exposed data can help criminals file false tax returns in a victim’s name or access bank accounts to intercept tax refunds. Many criminals also target call centers to verify stolen PII or use it to gain access to online government portals.

Keeping Data Out of Criminals’ Hands

A fairly new scheme involves a mailing that arrives in a cardboard envelope from a delivery service. The letter, featuring an IRS masthead, falsely claims to be “in relation to your unclaimed refund.” It requests sensitive personal information from taxpayers—including photos of driver’s licenses—which identity thieves can use to obtain a tax refund.

To protect against tax-related identity theft, experts recommend that consumers file their taxes early and electronically rather than mailing documents. Additionally, they suggest having tax refunds sent electronically instead of receiving a check by mail.

“You should also request an Identity Protection PIN through the IRS website,” said Jennifer Pitt, Senior Fraud & Security Analyst at Javelin Strategy & Research. “This prevents someone from being able to use your Social Security number to file taxes. And sign up for credit monitoring or identity protection services to monitor any use of your personal information.”

Watch How Notices Are Delivered

The IRS continues to see a barrage of email and text scams targeting taxpayers. These messages arrive as unsolicited texts or emails, attempting to lure unsuspecting victims into providing personal and financial information.

The IRS advises taxpayers to pay close attention to how they receive communications. The agency primarily contacts taxpayers through regular U.S. mail delivered by the U.S. Postal Service. Emails or texts are generally sent only with the taxpayer’s permission.

While the agency may call to verify information or set up a meeting, it never leaves prerecorded voicemails or robocalls—taxpayers can safely ignore those. Additionally, the agency will never initiate contact through social media.

The post Stolen Data Too Often Fuels Tax-Related Fraud appeared first on PaymentsJournal.

More than two-thirds of U.S. adults have experienced a financial scam or fraud in their lifetime, with nearly a third falling victim in the past year, according to research from Bankrate. However, there’s some good news—more consumers are taking steps to protect themselves from scams.

The financial fraud survey from Bankrate found that 34% of respondents have been targeted by a scam since January 2024. But thanks in part to better education about cyberattacks, only 37% of those targeted actually lost money. This includes cases where criminals accessed personal information, victims sent funds directly to a criminal, or paid for a fraudulent service.

Protecting Against Fraud

The most common form of fraud in the past year involved attempts to access personal financial information, such as credit card details or Social Security numbers. Encouragingly, more than half of those targeted reported that these attempts were unsuccessful.

Consumers are taking action after experiencing fraud. More than three-quarters of U.S. adults who have taken precautionary steps to protect their finances in the past year say they have been scammed at some point.

Overall, Bankrate found that 89% of respondents have taken steps to protect themselves from scams in the past year. These measures range from updating passwords and enabling two-factor authentication to checking credit reports and shredding sensitive documents.

Technology Can Help

Technological advances are making this easier for modern consumers, but in many instances, they still need to be proactive. For example, biometrics such as fingerprint and facial recognition have become less intrusive methods of authentication, eliminating the need to remember a password or passcode.

Behavioral biometrics can include factors like how someone holds their phone or the cadence they use when entering a number. However, these recognition factors are not installed automatically, according to Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research. When someone receives a new iPhone, for example, Goldberg recommends enabling facial recognition or finger biometrics, allowing them to use Touch ID for any app connected to the mobile device.

Of course, technological advances have also benefited criminals. A 2024 study by Authority Hacker found that the number of scams using artificial intelligence had doubled in the past year, costing consumers more than $108 million.

The post As Cyberscams Grow, So Do Protections Against Them appeared first on PaymentsJournal.

In January, hackers launched a cyberattack on what might seem an unlikely target: PowerSchool, a provider of student systems for the educational industry. While the young individuals tracked by PowerSchool may not have much money of their own, the children’s identities are worth a great deal to cybercriminals.

A report from Javelin Strategy & Research, 2024 Child & Family Cybersecurity Study, highlights the online threats that children face, and what parents can do to mitigate these risks. For many criminals, a child’s identity can be just as valuable as an adult’s.

“Once that information is out there because a kid gave it up through a social engineering attack, cybercriminals have enough data to start opening up new accounts,” said Tracy Goldberg, Director of Fraud and Security at Javelin and the author of the report.

Targeting the Affluent

Children from more affluent households are at greater risk of being targeted and compromised by cybercriminals. Among children victimized by identity theft, more than half come from households with an annual income exceeding $100,000.

These children often have greater access to social media and other online accounts across multiple devices. They are also more likely to use payment cards, mobile accounts, online gaming, and other e-commerce platforms that cybercriminals target. Criminals have also become increasingly sophisticated in identifying and exploiting children from wealthy families.

“It doesn’t take long for cybercriminals to connect the dots if they know where a child goes to school,” said Goldberg. “They can also determine things like where they’re going on vacation. If the parents are connected to the child, they can figure out LinkedIn connections and where their parents work. They can connect the dots pretty easily.”

Among child ID fraud victims, social media ownership is a common thread. Nearly all child identity fraud victims in the past six years were active social media users when their identities were compromised. This highlights the importance of  parents preparing their children for the threats posed by social media.

“A lot of these kids are socially engineered into giving up information about themselves,” said Goldberg. “If they meet someone on an online gaming platform, they oftentimes reveal pieces about themselves that make it pretty easy for cyber criminals to figure out whether they come with family or not.”

A Crime That’s Hard to Detect

Once a child’s identity is stolen, criminals often take over their payment accounts. credit and debit cards being the most commonly compromised instruments. More than half of such victims found that their mobile numbers and login credentials were misused soon after their identities were stolen. Had those accounts been more closely monitored and secured with stronger identity verification, victims might have been alerted that their identity had been stolen or that personally identifiable information (PII) had been compromised long before any fraud occurred.

Using a child’s identity allows criminals to conduct traceable transactions with ease, making these activities appear trusted and worry-free. Neither parents nor children are likely to monitor such breaches. However, the stolen information can still be exploited, even though children themselves would be unlikely to get a loan on their own.

“If the hackers have all of those bits of data, they can open up a credit card, they could open up a peer-to-peer account like a Venmo, they could do all types of things,” said Goldberg. “What makes the children so attractive is that new account fraud on a child’s credit report isn’t going to raise flags because kids aren’t getting credit reports.”

“It’s not typically until a child buys a car for the first time or goes away to college to get an apartment or tries to get a student loan that then they find out that their credit has been compromised,” she said. “There have been all these things on the credit report that the child didn’t open. But at that point it could be several months to years after the initial compromise.”

The Threat of Synthetic Identities

When criminals compromise children’s identities, as in the PowerSchool breach, they reuse bits of their PII in new ways. Traditional credentials, such as email usernames and passwords, can lead to full account takeovers or new account fraud through synthetic identity creation.

Cybercriminals exploit these stolen fragments of personal information by assembling them from multiple sources to create synthetic identities—essentially fabricating a new identity.

“They take maybe the Social Security number of someone who’s recently deceased, the date of birth of someone who lives down the street, and the address from a child that they’ve compromised,” Goldberg said. “It’s all legit pieces of information, but they’re putting it together to create a fake identity. Unless the algorithms on the back end are detecting that this date of birth does not go with this Social Security number, it’s not going to raise a flag.”

To protect children from these types of attacks, an identity protection service (IDPS) is key. Only 5% of parents and guardians report that they covered their children by an IDPS before they became victims of identity fraud. But 95% said they enrolled their child in IDPS only after the victimization. Some parents and guardians never make the investment, even if their children experience identity theft.

“Our Social Security numbers are out there,” said Goldberg. “But because we have credit reports that we’re tapping into on a regular basis, we’re getting alerted. Every financial institution, for the most part, will let you know what your credit report looks like. Anytime I log into my Bank of America account, I’m getting an overview of what my profile looks like. Kids don’t do that.”

Parents need to take the lead in teaching their children about the dangers that are out there.

“The main thing is educating kids to not share information about themselves,” said Goldberg. “Just like stranger danger. You wouldn’t go out and tell somebody at the supermarket who you are, where you live, what your phone number is. Don’t do that online either.”

The post Stealing Children’s Identities: The Threat That Parents Overlook appeared first on PaymentsJournal.

In response to scams involving bitcoin ATMs that cost consumers more than $100 million annually, four Democratic senators have introduced the Crypto ATM Fraud Prevention Act.

The proposed law, spearheaded by Sen. Dick Durbin (D-Ill.), would prevent new users from spending more than $2,000 per day or $10,000 over a 14-day period to buy cryptocurrency from a bitcoin ATM, NBC News reports. Additionally, it would require that companies personally communicate with new customers attempting transactions exceeding $500 and offer full refunds to those who report fraudulent activity to the police within 30 days.

In the first half of 2024, consumers lost $65 million to scams involving bitcoin ATMs, according to the U.S. Federal Trade Commission. Adults ages 60 and older were more than three times as likely as younger adults to report losses.

At least 15 states are considering bills to curb these scams, according to Governing magazine. Most proposals would limit crypto ATM transactions to $1,000 per customer per day and cap fees at $5 or between 3% and 15% of a transaction’s value. At least three states—Minnesota, California and Vermont—already enforce daily transaction limits for bitcoin ATMs.

How the Scam Works

There are nearly 40,000 bitcoin ATMs across the U.S., according to Coin ATM Radar. These ATMs are often found at gas stations and retail stores, including the Midwest convenience store chain Kwik Trip, which offers customers the chance to buy bitcoin at more than 800 locations.

Criminals frequently target victims, typically older individuals, by posing as representatives from a bank or law enforcement agency. The victims are told they need to withdraw a large sum of cash from their bank to pay—such as  for missing jury duty—and deposit it into a bitcoin ATM.

The victims are then instructed to scan a QR code or enter a warrant number associated with their case. In reality, these numbers are linked to the criminal’s virtual wallets, giving them access to the funds and making recovery nearly impossible.

The median reported loss across all age groups was $10,000, though losses can be significantly higher. Eric Calendine of the Beaufort County Sheriff’s Office in South Carolina told NBC News about a local retired couple who were misled for months into believing they were protecting their savings by depositing them at bitcoin ATMs. They eventually lost almost $390,000.

The post Senate Moves to Rein in Crypto ATM Scams appeared first on PaymentsJournal.

Back in 2011, a group of Iranian hackers launched a series of distributed denial-of-service (DDoS) attacks against nearly 50 U.S financial institutions. The attacks were alarming enough, disabling bank websites and preventing customers from accessing their online accounts. However, the situation became even more troubling when it was revealed that these attacks were sponsored and directed by the Iranian government.

Since then, nation-state cyberattacks have remained a top concern for cybersecurity professionals. Countries like Russia, China, and North Korea have joined Iran in being held responsible for these advanced persistent threats, commonly referred to as APTs. In a PaymentsJournal podcast, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, spoke with Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, about what financial institutions can do to combat these threats from rogue nations.

The Big Four

The four nations carrying out these attacks are playing the long game. They’re patient, developing tools and tactics to achieve their objections, and essentially have an open checkbook to fund their operations. They’re also good at remaining undetected for as long as possible, allowing them to continuously siphon information or maintain access for future operations.

Understanding these nations’ geopolitical context and their distinct motivations for engaging in cyberattacks is key.

The Chinese government, for example, conducts cyber activities to advance their national interests and economic position. They’re interested in obtaining intellectual property and data from private and public sectors to position themselves as an economic powerhouse. By actively infiltrating Western critical infrastructure, they’ve aimed to establish persistent access for potential disruption during future conflicts.

The Russian government enables broad-scope cyber espionage to suppress certain sociopolitical activity, such as in their ongoing war in Ukraine. Their focus is on stealing valuable information related to active conflicts to position themselves as a great power, rivaling the West and the U.S.

North Korea aims to collect intelligence, conduct disruptive attacks, and generate revenue. They continue to seek ways to get around their heavy economic sanctions to fund their weapons program.

Finally, the Iranian government has exercised increasingly sophisticated cyber capabilities to suppress sociopolitical activity. They also see themselves in competition with the West, specifically the U.S. Interestingly, Iran has also started to conduct more financially motivated attacks, like ransomware. Like North Korea, Iran is under tight sanctions and needs to generate revenue. But they’re also interested in creating chaos and disrupting their adversaries’ incident responses, as the 2011 attacks demonstrated.

“Iran’s attacks were a big wakeup call,” said Kitten. “That catapulted information-sharing among financial institutions. That helped to cement the fact that we need to be sharing threat intelligence and looking for indicators of compromise.”

The Nature of the Threat

There are three basic types of threats at play here. The first is monetary attacks, particularly as several of these countries seek ways to bypass restrictive sanctions. As a result, they’re targeting banks and trying to steal cryptocurrencies. Financial espionage also provides an avenue for gaining political leverage.

“Think about the sensitive personal information that a bank has access to,” said Schneider. “They’re trying to erode customer trust in critical infrastructure, things that regular citizens depend on. If they can shake that trust, that can also be beneficial for them.”

Then there’s the idea of hybrid or unrestricted warfare. There is an increasing number of attacks on critical infrastructure, including not just financial institutions but also sectors like energy and water. These attacks are designed to disrupt operations, incite panic, and spread misinformation in the background of ongoing conflicts.

Security professionals are growing more concerned about the idea of collaboration between these nation-states. Different techniques are being used by China, for example, as opposed to Russia. If Russia collaborates with China, it could become challenging to determine whether a cybercrime is being perpetrated by Russia or China.

“In the coming year, the discussions around threat intel—and especially around attributing indicators of compromise to specific threat actors—is going to become critically important,” said Schneider.

Tools of the Trade

Nation-states are continuing to invest and develop their tools to be harder to detect and defend against. They tend to use large language models (LLM) like ChatGPT in their cyber operations as support for their campaigns rather than using these tools to develop novel techniques.

But for the most part, they’re turning to the easiest way in, which tends to be social engineering and phishing. Humans remain the weakest link in security.

“We’ve seen time and time again these Russian APT groups using watering holes and conducting social engineering to get folks to click on links,” said Schneider. “It’s really basic stuff, but it’s effective.”

Criminals have also been creating synthetic identities, using them to set up bogus accounts and carry out attacks against financial institutions.

“The APT groups purchase bits and pieces of PII [Personally Identifiable Information] from multiple sources and then create a new identity,” said Kitten. “That’s been challenging for financial institutions to detect and track.”

Technology is moving toward creating realistic deepfakes specifically designed for fraud and account takeover attacks. As the financial sector uses more voice verification, someone could take voice samples of an individual and create a deepfake call powered by an LLM that’s been trained by using stolen credentials, biographical, or personal information from that individual. The result is that voice-authenticated AI could respond to challenge questions based on that stolen data in real-time.

Taking Protection

What should organizations do to protect themselves from these threats? The first step is practicing good cyber hygiene.

“APTs have access to advanced tools and resources, but they will use the easiest method available so that they don’t burn those novel tools,” said Schneider. “Using a password manager, creating long complex passwords for each account, making sure that your systems are up to date—those types of things are really simple, but really important to get right.”

The entire organization should buy in to these efforts, from the CEO down, to provide investments in solutions that can be used across departments. Employee training and awareness is crucial to protecting against things like social engineering threats.

About half of the population is now using pass keys to mitigate cyber threats, according to some reporting. These allow users to log into a site or device by using something like a fingerprint or PIN.  Pass keys have the advantage of being phishing-resistant, reducing the human element, and they cannot be shared.

Finally, organizations should consider setting up an advanced threat detection program, including threat intelligence.

“I would encourage financial institutions, especially smaller ones, to ensure that they’re working with third-party vendors who are trusted, experienced partners,” said Kitten. “Make sure they’re asking the right questions and thinking five years out about what this solution is going to look like.”

Schneider added: “If we’re aware of who is interested in targeting us, and staying up to date on the latest tactics, techniques and indicators of compromise, we will be in a much better position to defend against those threats.”

The post The Growing Threat of Cyberwarfare from Nation-States appeared first on PaymentsJournal.

The current wave of ransomware attacks from the Chinese hacking operation known as Ghost infiltrates systems by exploiting vulnerabilities in organizational software. The Federal Bureau of Investigation warns that the hackers are primarily targeting outdated versions of software and firmware.

Ghost uses publicly available computer code to exploit security weaknesses in systems that have not been updated or patched, particularly in VPNs and firewalls. Unlike many other cybercriminal groups, Ghost’s attacks typically do not rely on phishing techniques, which have been the most notorious method of data compromises in recent years.

According to data from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), everything from healthcare networks to religious institutions in more than 70 countries has been compromised by these attacks. Despite their widespread nature, the overall damage has been fairly limited thus far.

The group’s ransom notes threaten to sell stolen data if the ransom is not paid. However, the hacks have not resulted in the removal of significant amounts of information, such as intellectual property or personally identifiable information (PII). The FBI reported that the typical data exfiltration is less than hundreds of gigabytes of data.

In addition, Ghost hackers usually spend only a few days attacking each victim network. If an attack is not immediately successful, they tend to move on to another target.

Protecting Organizations

To protect an organization’s data, the FBI recommends patching any known vulnerabilities, including applying all available security updates to operating systems, software, and firmware. They also emphasize the importance of network segmentation  to restrict lateral movement from initially infected devices to other systems within the organization.

Maintaining regular system backups can also mitigate  concerns about stolen data. Ghost ransomware attack victims with robust backup systems have generally been able to restore operations without needing to pay a ransom.

The FBI and CISA also discourage victims from paying the ransom, noting that it only emboldens attackers while providing no guarantee that the data will be returned.

Research from Trend Micro and Waratah Analytics found that less than 10% of victims of ransom attacks surveyed refuse to pay the ransom. But those who do pay often end up paying more than initially demanded.  

The post Ghost Ransomware Attacks Target Outdated Systems appeared first on PaymentsJournal.

Malware-as-a-Service (MaaS) now accounts for over half of cyber threats targeting organizations. These threats have become more prevalent as cybercriminals increasingly outsource their operations.

According to a research from Darktrace, the use of MaaS tools picked up steam in the latter half of 2024, making up 57% of identified fraud activities. One of the most commonly used malware tools is Remote Access Trojan (RAT) software, which allows cybercriminals to take control an infected device remotely. Once inside, they can steal data, harvest credentials, or monitor a user’s activities.

MaaS is a subset of the broader Cybercrime-as-a-Service (CaaS) model, where criminals offer illicit software services to individuals or groups for financial gain. These services—sold through CaaS platforms—can include ransomware attacks, data breaches, and Distributed Denial of Service attacks that can cripple an organization’s website for days or even weeks.

Phishing for Entry

The most common entry method for CaaS attacks remains phishing.  Darktrace’s survey uncovered over 30 million phishing emails in the past year alone. Of these attempts, 38% were highly customized spear phishing attacks targeting high net-worth individuals.

However, spear phishing can also be directed at specific customer bases, as seen in the attacks on CrowdStrike’s customers following the global outage caused by the company’s software update last year.

Impersonating Services

As with the attacks targeting CrowdStrike’s customers, Darktrace observed that many phishing communications impersonated third-party services that organizations frequently rely on. The report identified phishing emails that appeared to be from Microsoft SharePoint, Adobe, and QuickBooks, among others.

Cybercriminals have also increasingly impersonated major merchants to scam consumers. Separate data from the Federal Trade Commission revealed that Best Buy, Amazon, and PayPal were among the most frequently impersonated retailers.

The advent of new technologies like artificial intelligence has made these scams more effective. According to Darktrace, 32% of phishing attempts now employ novel social engineering techniques designed to manipulate recipients. Many of these messages feature AI-generated text that is both complex and compelling.

As CaaS platforms provide advanced tools to even tech-challenged threat actors, organizations face growing risks in an evolving fraud landscape filled with emerging threats.

The post Malware-as-a-Service Lowers the Technology Bar for Threat Actors, Study Finds appeared first on PaymentsJournal.

The fallout from last summer’s ransomware attack on California’s Patelco Credit Union continues. State regulators have fined Patelco $100,000 and ordered it to implement a new cybersecurity program, which includes hiring a security consultant and providing training for all employees.

But Patelco’s troubles don’t end there. The credit union is also facing a class-action civil lawsuit in state court, as well as a federal lawsuit filed by two of its members. Since news of the attack broke, Patelco’s membership has dropped by nearly 9,000, according to call reports filed with the NCUA.

The breach has also led to many instances of what Patelco describes as first-party fraud. In October, two members filed a lawsuit claiming they discovered 26 fraudulent transactions on their account, all made using the Apple Cash app, totaling more than $14,000.

According to court filings, Patelco denied that the transactions were fraudulent. The credit union said that the decline in membership following the attack was because of accounts it had closed for first-party fraud.

The attack, which began last June, disrupted Patelco’s online banking services for weeks and exposed the personal information of more than a million customers and employees.

Patelco says it did not pay a ransom to the hackers but reported losses of more than $39 million in Q3 2024, attributing them to covering overdrafts for its members after the attack.

Taking Precautions After the Fact

The consent decree, agreed to by both Patelco and California’s Commissioner of Financial Protection and Innovation, requires the credit union to designate a qualified individual to oversee its cybersecurity program. Patelco must also maintain a training program to ensure its employees understand the risk profile and compliance obligations.

In addition, Patelco is expected to hire a qualified, independent, and unaffiliated third-party compliance consultant to support its efforts to enhance the cybersecurity program and to maintain independent testing.

Cybersecurity experts agree that financial institutions should proactively address these incidents and implement the measures that Patelco is only now taking.

“Our main recommendation would be heightened education for credit union staff, about socially engineered schemes that come in via email and to the call center,” said Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research. “Additionally, they should invest in cybersecurity insurance policies that cover ransomware attacks, ensuring that losses are covered.”

Often, after such attacks, weaknesses in the security apparatus become glaringly obvious. Following a cyberattack on Change Healthcare last year, its parent company, UnitedHealth, admitted that it hadn’t been using multi-factor authentication to secure its most critical systems.

The post Patelco Credit Union Faces More Blowback from Ransomware Attack appeared first on PaymentsJournal.

Cyber fraud presents a unique threat to small and mid-sized financial institutions, which often lack the resources or expertise that major banks possess to fend off account takeovers and other cyberattacks. However, they face the same risks from hackers as any larger institution.

In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, spoke with Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research about the evolving threat landscape confronting smaller financial organizations. Their discussion covered the emergence of nation-states as threats, the rise of deepfakes, and why information-sharing may be the most effective defense.

Where the Threat Lies

The biggest threat currently facing FIs is financially motivated cybercriminals. Their attacks typically focus on finding other ways to access legitimate accounts, as well as infiltrating the institutions themselves. Their goal is to either steal money directly or collect data to use as ransomware.

These institutions are also facing threats from so-called hacktivists aiming to cause reputational damage. Such actors seek to acquire data that can embarrass either the institutions or their customers.

While these infiltrators are often assumed to be rogue operators or members of hacker gangs, there’s also the possibility that they’re sponsored by nation-states, such as Russia, Iran, or China.

“One of the things that smaller financial institutions need to keep in mind is that it’s not just the data, it’s not just the money, and it’s not just ransomware gangs,” said Kosak. “It may be their connections to other organizations. A lot of nation-states are increasingly targeting FIs based on their connections to other organizations, to get their foot in the door within that larger sector.”

How Criminals Are Leveraging Social Engineering

In the fight against cyberattacks, humans are always the weakest link. The same techniques used to socially engineer consumers into falling for scams can also be waged against bank employees or contact center staff. These employees may then be coerced into divulging sensitive information, such as intellectual property or details about customer accounts.

One tactic that has grown in popularity in recent years involves performing reconnaissance on LinkedIn or other social media platforms to figure out the right individuals to target. Once a criminal successfully impersonates an employee, they call the IT help desk to try and reset a password, which also gives them access to protected information.

“These attacks are getting much more targeted,” Goldberg said. “They could include everything from stealing from consumers to roping them into money mule activity that’s being used to launder funds. This could be used to support some kind of terroristic financing. You might assume it would be larger institutions that would be more concerned about that, but it can trickle down to the smaller institutions as well.”

One of the most dangerous threats to smaller banks comes from infostealers, a type of malware designed to collect information from targeted computer systems. Over the past five to seven years, industry specialists have seen these attacks grow by more than 200%.

Initial access brokers leveraging infostealers are quick, efficient, and they’ve got plenty of buyers for the data they pilfer. From a supply-and-demand perspective, this creates strong incentives for others to move into this space. Even when law enforcement disrupts the work of a significant infostealer, there are still plenty of opportunities for initial access brokers to fill the resulting void.

Collective Insights Help Fight Fraud

When institutions share the threats they encounter and their analysis of the situation, everyone gains from the collective insights. However, when banks choose not to share that information, the only ones who benefit are the threat actors themselves.

Smaller, resource-constrained financial institutions may find it challenging and time-consuming to determine not only how they’re being targeted but also who is behind the attacks. Yet, this information is key.

“If you can understand not just how they’re targeting you, but who’s targeting you, you get a much broader picture of the sort of tactics, techniques and procedures you need to defend against,” said Kosak. “If you’re just focusing on activity, you’ve already seen, you can block against those efforts, but you don’t know what’s next.”

The Growth of Deepfakes

The democratization of deepfake technology has advanced rapidly, leaving every financial institution vulnerable to its threats. Technology has progressed to the point where criminals can now create deep fakes on their phones, with just a few seconds of an audio clip.

Increasingly, deep fakes are being used to call into customer service centers and impersonate legitimate customers. This creates a problem for voice recognition technology as an authentication factor, intensifying the arms race between institutions trying to verify customer identifies and criminals attempting to bypass those efforts.

While the number of deep fake calls has gone up substantially over the last two years, the long-term concern is around video deep fakes. Perhaps the scariest part of this threat is that it’s only the beginning of how far it can go.

A related threat comes from synthetic identities. Criminals steal personally identifiable information (PII) to create new personas that can open accounts and infiltrate supposedly secure systems. These identities can be very difficult to detect since they do not involve using the identity of an actual customer.

Fighting Back

So, what should smaller FIs be doing to protect themselves from these threats? The enforcement of basic multi-factor authentication, for both customers and employees, remains absolutely critical. Moving toward passkeys as a technology, which are more phishing-resistant, is also important.

Beyond that, a right-sized threat intelligence program can be beneficial for any financial organization. A program that includes external engagement can help facilitate information sharing, allowing even small institutions to make critical connections.

Consumers have come to rely on financial institutions or other entities to let them know if their identities have been breached in some way. That makes educating both customers and employees a key part of any strategy.

People interacting with cybercriminals will always be the weak spot in the defense against them. Identity and Access Management (IAM) programs, which manage user identities and control who can access certain resources, are a way to automate a critical part of the process. Kosak and Goldberg advocate automating as much of the defense as possible.

“The more you can take the human out of the authentication process, the better off you’re going to be,” Goldberg said.

The post The Looming Cyber Threats Targeting Smaller Financial Institutions appeared first on PaymentsJournal.

The Justice Department has shut down a Pakistan-based network that had been openly selling hacking and other cyber fraud tools online. The group, known as Saim Raza or HeartSender, had been in operation since at least 2020, controlling 39 domains and their associated servers, and was responsible for at least $3 million in victim losses in the U.S. alone.

The Saim Raza-run websites advertised and facilitated the sale of phishing kits, scam pages, and email extractors to malicious actors worldwide. According to cybersecurity journalist Brian Krebs, the HeartSender homepage openly promoted a series of tools designed to target users of specific internet providers, including Yahoo, Intuit, and iCloud. The group also provided training for end users, linking to instructional YouTube videos on how to use the tools.

Saim Raza’s customers primarily used these hacking tools to carry out business email compromise  schemes, tricking companies into transferring funds to hacker-controlled accounts. The group advertised its tools as fully undetectable by anti-spam software.

Phishing Is Big Business

The bust, conducted jointly by the FBI’s Houston field office and the Dutch National Police, highlights how the international hacking trade has become a major business. Saim Raza was a sizable entity in its own right, developing its own FudCo-branded phishing services, managed in secret by a front company called We Code Solutions. However, Saim Raza was merely a middleman, selling tools to transnational organized crime groups, nation-state threat actors, and other cybercriminals.

Phishing attacks continue to increase as these tools become more accessible. The 2024 Phishing Intelligence Report from SlashNext stated that the number of phishing emails tripled in H2 2024.

Businesses targeted by these attacks must pay closer attention to the dark web, where such illegal activities are planned and marketed.

A report from Javelin Strategy & Research, New Stakes for Cyber-Resiliency in the Era of Cyberwarfare, found that financial services providers that invested in dark web intelligence have found it to be an effective deterrent.

“While most FIs and even vendors have been reluctant to invest in dark web threat intel, businesses that have made the leap to make these investments have reaped the cyber benefits,” said Tracy (Kitten) Goldberg, Director of Fraud and Security at Javelin Strategy & Research.

The post An International Marketplace for Hacking Tools Gets Shut Down appeared first on PaymentsJournal.

Most consumers in Canada use instant payments and will continue to do so, but fraud remains a top concern.

A recent FICO report found that 91% of Canadians have sent a real-time payment, with 87% planning to maintain or increase usage over the next year. However, more than two-thirds would feel reassured if banks could better detect and block fraudulent transactions.

Roughly half of respondents said stronger fraud detection would be the most impactful step financial institution could take. Their concerns are likely amplified by the fact that most Canadians have received a communication they suspected was a scam. In addition, 44% of  respondents reported that a friend or family member had fallen victim to fraud in the past year—a 5% increase year-over-year.

Global Counterparts

Fraud attacks have become increasingly prevalent worldwide, and criminals will exploit any available mechanism to them. However, real-time payments present an added challenge because account-to-account transfers are conducted in seconds and are often irrevocable.

The concerns of Canadian consumers were echoed by their global counterparts. FICO found that a growing number of consumers worldwide reported that their family and friends had been victims of real-time payment scams last year. In North America as a whole, 47% of individuals said their family and friends were scammed, a figure on par with the EU.

In Asia Pacific and Latin America, the percentage of respondents who said a friend or family member had been affected by instant payments fraud last year rose to 56% and 69%, respectively. These numbers were likely higher due to surging instant payments adoption in areas like Brazil and India.

Full Clarity

For all the fraud concerns that come with instant payments, the benefits outweigh the drawbacks. Real-time payment settlement allows both consumers and businesses to have full clarity on where their funds are and make better financial decisions.

While the adoption of instant payments is likely to increase, consumers’ fraud concerns are real and should be top of mind for financial institutions moving forward. According to the FICO study, 12% of respondents in Canada and 13% of respondents worldwide reported they would change banks if they were unhappy with their financial institutions’ fraud detection and mitigation solutions.

The post Canadians Have Adopted Instant Payments, but Fraud Concerns Linger appeared first on PaymentsJournal.

Criminals are continually looking for ways to circumvent fraud detection systems, and money mules have become a popular vehicle to move illicit funds between accounts. Mules are favored because they are effective—often, they are everyday people, many of whom are already customers of a financial institution who have passed verification checks.

Glenn Fratangelo, Head of Fraud Product Marketing at NICE Actimize, and Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research, sat down for a PaymentsJournal podcast to discuss the evolving ways money mules are deployed, their impacts on banks, and the ways financial institutions can protect themselves from this emerging threat.

Scam-Fluencing Recruits

One of the most disheartening aspects of the money mule phenomenon is that it often isn’t difficult for criminals to recruit help. In many cases, mules are ordinary people that are willingly moving funds for criminals in exchange for a portion of the proceeds.

These individuals can be students, retirees, or lower-income individuals who are looking for financial relief. Criminals deliberately target those who seem unexceptional to avoid raising suspicion. In many cases, mules are recruited through social media, where there is often a receptive audience.

“On TikTok, Facebook, and YouTube, there is almost a gamification or a scam-fluence, where individuals are diminishing the level of criminality associated with becoming a mule,” Fratangelo said. “When it’s being presented on social media platforms with fast-paced music and an engaging speaker, magically it becomes not illegal to become a money mule. It’s being driven by the idea of easy money.”

Though some mules are willing participants, there are also many instances where the mule is being coerced, blackmailed, or tricked into moving the funds. In these cases, the mule is just as much a fraud victim as the institution.

“There is a victim/perpetrator paradox here, where these mules are active participants, but many are scam victims themselves,” Fratangelo said. “It makes it even more morally and legally complex, because how do you classify these individuals? Oftentimes, financial institutions find themselves stuck between wanting to stop the criminal activity, but also not wanting to further victimize the mule if they are in the cycle of scam and victim.”

A Trojan Horse

Regardless of how the mule was recruited, many of them are already in the institution and have already passed control checks. Once they become a mule, they have effectively become a trojan horse within the financial institution that is used for short-term, high-value transactions.

The technology available to criminals since the advent of generative AI only adds to the sophistication of money mule operations. Cybercriminals can combine AI agents and automation to create accounts and facilitate mule recruitment on a massive scale.

“The ability of generative AI tools to create synthetic identities that look indistinguishable from real people makes it hard to identify fraud,” Fratangelo said. “They operate in a 24/7 environment where thousands of accounts can be created simultaneously, and they’re incredibly believable.”

In addition to AI, the digital payments revolution has created vulnerabilities that criminals can exploit. Payments are faster, more frictionless, and increasingly global, which allows criminals to move money quickly and in substantial amounts.

Perpetual Verification

The emerging technologies, coupled with the availability of mules, has created a devastating ripple effect that goes beyond fraud. Money mules enable money laundering, terrorist financing, and a multitude of other nefarious activities.

Addressing money mules requires an approach that considers the whole customer lifecycle. From the start, there should be robust identity verification checks, but Know Your Customer (KYC) checks shouldn’t stop there.

“I would suggest that financial organizations invest in what we call perpetual KYC,” Pitt said. “Current KYC processes during onboarding look at identity verification, customer due diligence, account monitoring, and income verification one time. Instead, perpetual KYC would perform these checks on a constant basis with technology in the background.”

Inbound monitoring might be a standard part of the onboarding process, but most institutions’ systems won’t detect the initial mule activity. From a fraud detection perspective, there’s no fraud loss associated with an inbound transfer so there is no need to scrutinize it. It is not until after bad actors move money out that the transaction is flagged, which is often too late.

Because many mules are recruited after they have already completed the onboarding stage, more sophisticated detection methods, such as behavioral analytics, are necessary.

“It’s not only looking at historical data based on the typical customer, but looking at the behaviors of that specific customer,” Pitt said. “What are they doing with their keyboard? What is their keystroke pattern, their mouse pattern? How long does it take them to enter in data? Does it look like they’re copying and pasting things like date of birth, that are generally typed in?”

No Lone Wolves

Though identifying individual mules is important, financial institutions shouldn’t take their eyes off the bigger picture.

“Mules do not operate in isolation,” Fratangelo said. “There’s no such thing as a lone wolf in the mule world. They operate in herds, and they will even use the term ‘mule-herder.’ Criminal syndicates will connect multiple accounts into networks for moving money undetected, so institutions need to uncover these hidden relationships.”

Because these relationships are often indirect, financial institutions will have to deploy their own machine learning models to analyze connections between accounts. This includes shared phone numbers, e-mail addresses, or device transaction patterns. Graph database technology can visually map these networks and identify clusters of accounts that may belong to a mule ring.

AI-powered network analysis can also pick up on unusual relationships between new and existing accounts and flag collusion. The goal is to connect mules to the overarching scam network, where usually mules are only one aspect of the operation.

The final piece of the money mule prevention plan is sharing collective intelligence through industry consortiums. Mule activity might take place—and be documented—at the financial institution where it occurred, but other banks could be affected, and they would never know it. A consortium could be an essential component to facilitate data sharing.

Infused With Intelligence

To get ahead of money mule schemes, organizations must take a layered, proactive approach that incorporates cutting-edge technology. Traditional scam prevention is often reactive—and ineffective—in identifying and neutralizing mules.

“To combat mules, banks need to strengthen their technology and data infrastructure, develop scalable AI and machine learning solutions, and create more seamless data integration to break down silos,” Fratangelo said. “This means understanding onboarding, fraud, aftercare, claims, and recovery. The institution needs a 360-degree view of the customer’s activities.”

As fraud evolves, every aspect of a financial institution, including data, analytics, strategy, and operations will need to be infused with intelligence that can proactively work to identify threats.

“Every mule transaction leaves a trail of damage. This is why it’s not just banks, but society as a whole that needs to address mules,” Fratangelo said. “At the end of each mule operation is a scam victim, whether it’s a romance scam or an investment scam. It’s the movement of ill-gotten gains from things like drug trafficking or terrorist financing. Ultimately, it can leave significant reputational and regulatory damages for financial institutions.”

The post Money Mules Up the Ante on Fraud, Creating Significant Impacts on Financial Institutions appeared first on PaymentsJournal.

Friendly fraud results in losses to retailers of more than $100 billion a year. However, most people who commit this crime feel justified in their actions.

According to data from Socure, more than half of respondents who engaged in friendly fraud over the recent holiday season cited financial struggles—such as rising interest rates and inflation—as the primary reasons for their behavior.

Friendly Fraud Over the Holidays

Friendly fraud, also known as first-party fraud, happens when consumers dispute legitimate charges, often resulting in a refund. These disputes may involve claims that an unauthorized purchase was made using their account or that an item was not received or was stolen by a “porch pirate.”

Consumers stressed out from the holidays believe that retailers can handle these losses better than they can. According to Socure’s data, nearly two-thirds of first-party fraud offenders agree that large businesses can afford to cover the cost of disputed charges. More than half of also say that strict return policies make first-party fraud more justifiable. Furthermore, 64% of respondents admit to being tempted by revenge fraud—the idea of disputing legitimate charges if a business makes a mistake on their bill.

As Socure noted, one reason this problem persists is that the industry has not done a good job of deterring people. Nearly half of those who committed first-party fraud during the 2024 holidays said they had also gotten away with it in 2023.

“To a certain extent, financial institutions can’t handle the volume of chargebacks we’re seeing,” said Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “Consumers committing friendly fraud on lower-value items are able to sneak through the cracks, take advantage of their FI’s limitations, and get their chargeback approved.”

The Younger Mindset

It’s no surprise that younger consumers are more likely to commit this crime. While 13% of all respondents surveyed admitted to engaging in friendly fraud, that figure jumps to 40% among Gen Z members.

“Many consumers, especially younger generations, don’t feel a sense of loyalty to huge retailers, especially as we see the enormous profits of big businesses,” said Sando. “The attitude among this group of consumers is: if I keep this product and get refunded, what’s the big deal? It’s just a drop in the bucket of annual earnings for the business. To these consumers, this is perhaps a small act of protest against big corporations.”

Nevertheless, many consumers seem to be aware that what they’re doing is a crime. Three-quarters of respondents revealed that they hid their first-party fraud from their partners over the holidays.

The post How Consumers Justify Friendly Fraud appeared first on PaymentsJournal.

The UK’s Home Office is considering regulations that would ban many of the country’s critical organizations from making payments to criminals in the event of a ransomware attack.

The proposed rules would make it a criminal offense for public entities like schools, city councils, and healthcare providers to make payments to cybercriminals who are holding their data hostage. These regulations would also extend to companies in critical infrastructure sectors, including energy and communications. Notably, the UK has already restricted its government agencies from making payments to ransomware criminals.

Another key proposal introduces a mandatory reporting system for ransomware incidents, requiring  all victims of fraud—regardless of whether they fall under the new rules—to report such attacks. The Home Office is also considering technology solutions that would give them the power to limit ransom payments.

Striking at the Heart

The proposed legislation is intended to “strike at the heart of the cybercriminal business model” after a rash of ransomware attacks plagued UK organizations. One  prominent  attacks was on Synovis, a pathology testing partner with the UK’s publicly funded National Health Service (NHS).

Hackers infiltrated Synovis’ systems and demanded ransom payments in exchange for the return of critical patient data. It is not known if Synovis engaged in negotiations with the Russian-based cybercriminals, but it appears they did not—the hackers subsequently published hundreds of patient records to the dark web.

The loss of patient data at Synovis caused months of disruption to the company’s operations, and also caused ramifications across the UK’s healthcare system. While many patients were impacted, there were two cases where the data breach directly caused lasting health damage.

Nationally Significant

According to Home Office data, the UK’s National Cyber Security Center managed 430 cyber incidents over the 12 months prior to last August, 13 of which it considered to be nationally significant. These attacks were largely perpetrated by Russia-affiliated bad actors which the Home Office considers an “immediate and disruptive threat” to the UK’s infrastructure.

Concerns about the prevalence of ransomware attacks have been echoed in the U.S., where a recent study found that the percentage of reported ransomware attacks involving U.S. organizations increased from 51% to 65% in 2024.

Ransomware attacks often target sectors like the healthcare and the financial services industries, which safeguard critical health and financial data. The impacts of these attacks drove the U.S. to organize a 40-country alliance designed to put an end to ransom payments, but American lawmakers have stopped short of instituting a ransom payment ban.

The post UK Mulls Ransom Payments Ban Amid Surge in Ransomware Incidents appeared first on PaymentsJournal.

Criminals have found a workaround that allows them to bypass the robust phishing protections that Apple has built into iOS, according to BleepingComputer.

The operating system will automatically disable links in text messages that come from unknown numbers. However, if an iPhone user replies to a message, Apple’s tech reenables the links under the assumption that the recipient trusts the sender.

To exploit this mechanism, criminals are adding language at the end of their texts, instructing users to reply. Users are asked to respond with “yes,” “no,” or “stop” to perform actions like confirming appointments or opting out of communication. By including similar instructions in their phishing messages, criminals are hoping to trick users into replying to their message—and re-engaging with malicious links.

“For a long time, it felt like financial institutions were the only organizations with any real accountability and responsibility in detecting scams and preventing consumers from interacting with cybercriminals and authorizing transactions or sharing sensitive information that could lead to further fraudulent activity,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “The reality is, several industries have skin in the game, especially technology companies like telecommunications (e.g., Verizon and AT&T) and global mobile phone operating systems (e.g., Apple and Samsung).”

A Gateway to Phishing Attacks

According to BleepingComputer, iPhone users have received fake texts about USPS shipping issues and unpaid road tolls. The links were initially disabled, so users were directed to, “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.”

Following the instructions in these messages would initiate a fraud attack, but even replying could expose the user to risk. A reply lets the criminals know that the number is active, making the user a potential target for other types of phishing attacks.

Fraud at Scale

Criminals have continued to search for vulnerabilities in tech platforms they can exploit for phishing operations. Recently, the chief information security officer at cybersecurity company Fortiguard received an email that appeared to be from PayPal and used legitimate PayPal channels. The “no-phish” scam raised concerns in the cybersecurity community because of how difficult it is to detect.

Criminals are increasingly able to send messages that impersonate major companies, and they are often employing sophisticated technology like artificial intelligence to send convincing communications at scale. It’s imperative for users to avoid clicking on links or replying to texts from unknown sources. Instead, recipients should directly contact the organization that allegedly sent the message to verify its legitimacy.

“Consumers continue to adopt payments innovation like digital payment methods (e.g., digital wallets and P2P methods) and expanding ecommerce, which means more sensitive consumer information is being collected and stored by a growing number of companies,” Sando said. “Financial institutions can’t be the only ones preventing scam activity, especially when much of this fraudulent activity starts with the criminal reaching out through a text or email received on a consumer’s phone.”

The post How Criminals Are Circumventing Apple’s Fraud Protections for iPhone appeared first on PaymentsJournal.

The chief information security officer at cybersecurity company Fortiguard has raised concerns after encountering a new type of “no-phish” phishing threat using legitimate PayPal mechanisms.

In a blog post, Carl Windsor reported receiving an email that appeared to be from PayPal, complete with a valid sender address. The email requested money through the platform’s money request feature. While both the email and URL were legitimate, the only anomaly was that the “to:” address field in the email was not addressed to him; instead, it was addressed to a free Microsoft 365 test domain.

If a user responded to the email, they were directed to the PayPal site, where everything appeared to be a valid money request from that point onward.

“The PayPal phish-free phishing attack shows just how crafty cybercriminals have become with social engineering scams,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “Closely following advice given to consumers from FIs, fintechs, and other major financial industry leaders allows these scammers to circumvent the usual red flags consumers are told to look for when determining the legitimacy of a transaction request. Consumers are primarily the first line of defense when it comes to scams, so when everything seemingly checks out and looks legitimate, it’s an easy decision to move forward with the transaction.”

Mimicking Tactics

It’s a common tactic for criminals to send phishing communications that mimic those used by major corporations like PayPal. However, most impersonation scams direct the target to either click on a link to a false website or call a fraudulent number.

What makes the PayPal “no-phish” scam unique is that it directs users to the legitimate PayPal site, but exploits a vulnerability in the platform. Windsor reported that the payment request was for $2,185.96, an amount small enough that it might not raise suspicion in many corporations.

A Human Firewall

Phishing attacks have become more common and increasingly sophisticated. Criminals are leveraging more convincing technology, including AI, to create scams that are harder to identify. To combat this, Windsor wrote that the best solution to complex fraud attacks is the “human firewall”—meaning that the recipient has been trained to disregard or double-check any email that hasn’t been specifically requested.

However, most user education focuses on detecting emails from suspicious sources. The fact that the phishing attempt against Windsor used the genuine PayPal site means the threat is much harder to detect.

“This is, once again, a prime example of never clicking on a link in an email, even if it appears to be legitimate,” Sando said. “The best advice FIs and customer-facing financial services organizations can give to their customers is to bypass clicking on any links in an email or text message, and log into their account to directly address any transaction requests, fraud alerts, etc.”

The post Cybersecurity Exec Sounds Alarm About PayPal “No-Phish” Phishing Scam appeared first on PaymentsJournal.

Today, we carry devices with us wherever we go, making us highly vulnerable to imposter scams, call spoofing, and data breaches. With the rise of artificial intelligence, threat actors can now commit fraud by mimicking a person’s voice over the phone. This troubling trend is affecting both consumers and businesses, with financial institutions being especially at risk.

In an increasingly common imposter scam known as the “grandparent scam,” the threat actor calls someone, posing as a family member. They claim to be in some kind of trouble, such as a car accident or an arrest, and request money to help get them out of the predicament. The criminal is able to mimic the voice of the person they’re impersonating by closing it with AI. Today’s technology is so advanced that only a short audio clip is needed.

According to 2024 Federal Trade Commission data, consumers reported that imposter scams were the leading method of fraud in 2023, with the highest losses per person coming from phone scams. Scammers have stolen over $10 million from U.S. consumers this year, reaching an all-time high, according to the FTC.

A separate report on cyberattack trends found that financial services is the most impersonated industry by criminals. Case in point, a Hong Kong finance worker was duped out of more than $25 million after falling prey to a deepfake video call scam earlier this year, in which the attendees looked and sounded just like his coworkers.

Call Spoofing: An Essential Tool for Threat Actors

Call spoofing is the deliberate falsification of a caller’s phone number and caller ID information. Criminals commonly use this tactic so that calls to their victims seem real. A common banking phone scam involves calling a bank customer and pretending to be a bank employee—ironically, in the fraud department. The incoming number the customer sees looks like a legitimate number from their bank.

The caller then tells the customer there has been fraudulent activity on their account and asks for their personal banking details. Through social engineering schemes, threat actors convince targets that their accounts have been hacked, which leads to the customer providing sensitive account information or, in some cases, wiring the caller money via apps such as Zelle and Venmo.

Data Breaches Are Fueling Financial Fraud

More than 1,500 data breaches affected over one billion people in the first half of 2024, including those impacted by multiple incidents. This represents a 14% increase in the number of breaches reported in 2023, which was a record-setting year. Financial service-related data breaches increased by 67% year-over-year, making financial services the most compromised industry in H1 2024, according to the Identity Theft Resource Center. This rise in data breaches creates a higher risk of financial fraud and call spoofing—a vicious cycle that leaves consumers and businesses vulnerable.

Armed with the victim’s name, address and other personal details obtained from data breaches, the dark web and phishing attacks, criminals can make an even more convincing case over the phone. Fraudsters use their persuasive stories during these vishing attacks, coupled with the highly personal nature of voice calls, to create a false sense of trust. They often seal the deal by sending the target a fake text link, known as “smishing.” These text and phone scams are so common, that one in three Americans has received one.

Just this month, more than a third (35%) of Americans said they were notified that details about their identities or online accounts had been stolen in a data breach—up from 28% last year according to the TransUnion 2024 Q4 Consumer Pulse Report.

One might assume that the larger the bank, the greater the temptation for fraudsters, but smaller banks and credit unions are seeing the most fraud. According to a recent report, 79% of credit unions and community banks saw more than $500,000 in direct fraud losses in 2023—higher than any other segment surveyed. Smaller banks and credit unions lack the fraud prevention resources, data and technologies used by larger banks, and they provide more personalized, phone-heavy customer service, leaving them more susceptible to fraud.

Technology Can Help Combat Call Spoofing

Though customers are increasingly aware of call spoofing and other phone-related scams, they enjoy the personal touch that only the phone can bring. Nonetheless, they’re demanding that more be done to protect them against phone fraud and unwanted calls. Customers want to feel safe to answer the phone when they receive a wanted call from their financial institution, school or physician’s office.

Industry-developed protocols such STIR/SHAKEN call authentication, which digitally validates a caller’s identity, have helped to combat call spoofing. However, STIR/SHAKEN is not always sufficient to ensure that mobile operators can differentiate between legitimate and spoofed calls. Due to the limitations of legacy networks and inconsistent implementations, they often lack the information they require to distinguish legitimate calls from robocalls calls, causing legitimate calls to be mistagged as spam. That makes it impossible for consumers to know when to answer the phone.

Other measures are available to help financial institutions reduce call spoofing, such as technology that allows them to digitally “sign” their own calls. This option stops spoofed calls from reaching the customer by providing mobile operators with the intelligence they need to block spoofed calls with confidence through complete end-to-end call authentication. 

Because this method ensures mobile operators receive the authentication information they need, it greatly reduces the number of legitimate calls that are mistagged as fraudulent. That means fewer customers would block calls from those numbers—including calls from the business.

Empowering enterprises to take the reins on call authentication this way is a sound business strategy; after all, no one has a larger stake in protecting their customers and their business than the financial institutions themselves.

The post Fraudsters on the Line: The Rise of Call Spoofing in the Financial Industry appeared first on PaymentsJournal.

Last year’s TikTok-fueled spate of check fraud—allegedly taking advantage of a glitch at Chase Bank—was among the most widely publicized fraud cases of the year. The scheme involved individuals depositing fraudulent checks and withdrawing funds before the bank could verify their validity.

Most of these participants may not have realized they were committing a crime. A study from Javelin Strategy & Research, 2025 Fraud Management Trends, looks at the TikTok scheme within the larger context of friendly fraud and explores what banks can do to fight it. The report also delves into other emerging trends, including the growing use of passcodes and digital wallets.

Defining Friendly Fraud

Friendly fraud, also known as first-party fraud, happens when consumers dispute legitimate charges, often resulting in a refund. The dispute may involve the consumer claiming an unauthorized purchase was made using their account or that a purchase was not received or turned out to be defective.

As mentioned, many individuals don’t realize they are committing a crime when engaging in friendly fraud. For example, someone might claim a product they received was defective and request a refund, even though they simply changed their mind about wanting the product. If the purchase is small enough, the financial institution or merchant may decide the dispute isn’t worth investigating.

Even when someone knowingly commits fraud because they feel a giant corporation owes them something, they may not perceive it as a crime. Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy and Research and author of the report, uses the phrase “morally ambiguous” to describe these disputes.

“There needs to be an explanation from financial institutions and from merchants about what constitutes friendly fraud,” said Sando. “You need to be explicitly clear about what kinds of fraud threats are out there. Younger generations don’t feel the same brand loyalty—they are just out here making purchases and moving on. They don’t feel guilty committing this crime.”

Finding the Right Tone

Financial institutions need to be delicate in how they share this information.

“The number one thing that we hear from consumers when we’re doing our survey data is that victims are sensitive about whether they were made to feel like they were the criminal, like they weren’t trusted,” said Sando.

There’s a way to communicate with consumers without directly accusing them of anything. At the same time, it’s important for consumers to understand that their bank is aware of the prevalence of fraud and is actively monitoring for suspicious activity.

The method of communication is key. Younger consumers may feel completely comfortable receiving text messages or email alerts about trending crimes such as check fraud, impersonation scams, and account takeover. Older consumers, however, may prefer to hear about these issues in person at their branch or through an article on the bank’s website.

“You can’t just give somebody a four-page paper to say, ‘Here’s friendly fraud, don’t do it,’” said Sando. “It needs to be a quick-hitting popup, maybe when you’re filing your charge or planning your chargeback. Maybe when you’re logged in to make a Zelle payment, a popup can say, ‘Do you know this person that you’re sending your money to?’”

In many instances, FIs themselves are partly to blame. Billing descriptions that make sense to back-end processing systems can be completely opaque to consumers. Unclear transaction descriptions often confuse consumers, resulting in disputes or fraud claims for transactions that are, in fact, legitimate.

The Promise—and Threat—of AI

Artificial intelligence has a role to play as well. Fis are already collecting ample amounts of data on their customers, which can be leveraged in the fight against friendly fraud. Advanced analytics like behavioral biometrics and device information can be combined with account and transaction history, recent activity, and typical spending habits to build a robust customer profile. This helps verify both the identity of the consumer and the legitimacy of disputed transactions.

However, there is skepticism around AI. Many have heard about deepfakes and worry that the technology could be used against them.

“AI that’s being used by criminals is not necessarily as sophisticated as some of the technologies out there,” Sando said. “The info sharing being used by banks can protect you from any other AI threat that’s out there.”

Privacy Concerns

Consumers are justifiably concerned about privacy issues surrounding data. Sando admits  she does not know the extent of the information collected about her.

“As I was doing this report, I was researching some of the companies out there that do behavioral biometrics and have information-sharing consortiums,” Sando said. “I was looking at lists of data points they collect and use. I don’t feel as though I’m being told that this information is being collected about me. The main takeaway for me has always been if you just tell me what it is that you’re monitoring and what it is that you’re collecting about me, I will likely be OK with it.”

“What happens if it gets out?” she said. “FIs have to be transparent about what we’re collecting, why we’re collecting it, how it might be used, and how long we are keeping it. As we move forward with sharing information across the industry, and using it in AI, you need to be really clear with your customers about what’s happening on the back end.”

Impersonation scams are shaping up to be another significant issue in 2025, especially with the added threat of AI. Real-time payments add to the complexity. It is no longer just a regular payment that a consumer might dispute as fraud and easily recover their money. This is a scam involving an authorized transaction.

“We have to be using this information to try and stop these scams, because otherwise they will keep growing out of control,” said Sando. “That’s why we need AI. We need info sharing across the industry to better tackle these scams.”

The post How Financial Institutions Are Fighting Friendly Fraud appeared first on PaymentsJournal.

Pig butchering—a drawn-out process in which criminals gradually entice victims to hand over assets—has become the number one fraud threat for crypto investors.

In 2024, pig butchering scams resulted in $3.6 billion in stolen assets from crypto investors. A report released by Cyvers, a Web 3 security firm, revealed that the most targeted currency in these scams was not bitcoin, the most popular cryptocurrency, but ethereum.

The report also highlighted a 40% increase in cyber threats this year compared to the previous year.

Ethereum is considered particularly vulnerable to such scams. According to separate analysis from Kryptocasinos, ethereum accounted for 18% of all stolen crypto funds in 2024, compared to just 2% for bitcoin.

Ethereum’s blockchain utilizes smart contracts, which automatically carry out transactions without the need for banks, brokers, or other third parties. However, criminals have found ways to create one-time-use smart contracts that are difficult to flag as fraudulent. Since smart contracts are irreversible, there is no way to halt automatic payments once they have been authorized.

The Latest in Scams

In pig butchering, a criminal uses a social media account to convince a victim to invest their money in a fake transaction, often involving crypto. The “pig” gets stuffed over several weeks, watching the apparent growth of their investment, which encourages them to invest even more money.

These types of scams appear to be on the rise. Last year, cybersecurity firm Hacken reported that rug pulls were the most common type of crypto scam, accounting for 65% of all incidents within the crypto ecosystem. A rug pull occurs when a developer promotes a new currency as a lucrative investment opportunity, then disappears, taking investors’ funds along with them.

Social media frequently plays a significant role in these crimes. Last year, Lloyds Bank issued a warning stating that 66% of investment scams are initiated through social media, particularly on Facebook and Instagram.

Everyone Is at Risk

Even the most financially savvy individuals are vulnerable to these scams. In August, the CEO of a Kansas bank pleaded guilty to embezzlement after falling victim to a pig butchering crypto scam. Ultimately, he transferred $47 million of the bank’s assets to the criminals, leading to the bank’s collapse.

Even Mark Cuban, the star of “Shark Tank” and owner of the Dallas Mavericks, admitted to being scammed, losing $870,000 to a crypto fraud after downloading a fake version of MetaMask, a crypto wallet used to manage ethereum-based assets.

The post Crypto Criminals Ramp Up Pig Butchering Scams appeared first on PaymentsJournal.

One topic has dominated every technology discussion across the financial services and insurance industries for well over a year—and it is going to be even more prevalent in 2025.

Mass investment in AI integration is now moving well beyond the pilot phase, and the impact of its proliferation will start tangibly reshaping FSI in the coming year—for both good and ill. Here are a few snapshots of what AI will be driving in 2025:

Retail Banking, Including Lending and Payments

AI-driven personalization will raise privacy concerns and regulatory scrutiny. By the end of next year, retail banks will leverage AI to offer hyper-personalized products and services. However, the extensive use of customer data will trigger heightened privacy concerns, prompting regulators to impose stricter data usage and consent laws.

Real-time fraud detection will also become a competitive necessity amid rising cyber threats. Banks adopting advanced AI for instant fraud detection in payments will gain a significant edge, and institutions lagging in AI integration will face increased cyber attacks, leading to financial losses and reputational damage. The sophistication of AI-driven cyber threats will compel banks to significantly increase their cybersecurity budgets, focusing on AI-based defense mechanisms and robust data protection protocols.

Expect to see mandatory explainable AI in lending decisions as regulators will require banks to use explainable AI models to prevent biases in lending. This will force banks to overhaul their AI systems to ensure transparency and fairness, impacting their data management strategies.

Wealth and Asset Management

The proliferation of AI-driven robo-advisors is set to disrupt the wealth management industry, forcing firms to reassess their human capital and value proposition amid clients’ growing trust in automated services. This shift will coincide with enhanced regulatory oversight of AI algorithms. Regulators are expected to implement stringent audits of AI algorithms used in asset management to ensure compliance and prevent market manipulation, increasing the complexity and cost of data management.

At the same time, wealth management firms  will face heightened cybersecurity threats, mirroring trends across the financial services sector. These companies will become prime targets for cybercriminals, with any significant breach resulting in loss of client trust, legal penalties, and a push for more robust cybersecurity frameworks.

Efforts to monetize client data through analytics will also face challenges. Privacy concerns are likely to spark backlash, resulting in stricter regulations and potential legal challenges. Despite these obstacles, a shift towards sustainable investing via AI analytics is emerging. AI will enable a more precise analysis of ESG factors, leading to a significant shift in investment strategies towards sustainable assets. However, it will also raise questions about data reliability and standardization.

Property and Casualty Insurance

Insurers adopting AI for real-time data analysis in underwriting will outperform competitors, but may encounter regulatory concerns regarding data privacy and algorithmic bias. At the same time, the rise of sophisticated, AI-driven insurance fraud will force companies to invest in equally advanced AI detection systems, straining budgets and requiring new data management approaches.

Cyber insurance is emerging a dominant market segment and due to increasing cyber threats, driven by escalating cyber threats. While demand for cyber insurance is expected to grow, insurers will struggle with underwriting risks in an area lacking historical data, complicating data management.

Regulators will also mandate the inclusion of climate data in risk assessment models as regulators will require P&C insurers to incorporate climate change projections into their risk models. This will significantly increase data management burdens and drive the adoption of advanced AI analytics to handle these complex requirements.

Additionally, stricter privacy regulations will impact claims processing efficiency. Enhanced privacy laws will restrict the use of personal data in claims processing, forcing insurers to find a balance between efficient service and compliance, potentially leading to slower settlement times.

Private Equity and Private Credit

In 2025, firms utilizing AI for rapid due diligence will have a competitive advantage yet may face regulatory scrutiny over data sources and the potential for overlooking nuanced risks. Investors are intensively evaluating the cybersecurity posture of target companies, as the acceleration of AI-driven threats means that poor data protection measures could result in deal cancellations or reduced valuations.

What’s more, regulatory bodies are intensifying their focus on AI-based credit scoring. Regulators will demand transparency in AI credit models to combat discriminatory lending practices, compelling firms to adjust their data management and AI systems accordingly. That said, heavy reliance on AI for investment decisions may result in biased outcomes, leading to legal disputes and harming the firm’s reputation among investors and the public.

Adding to these challenges, stricter data privacy regulations are reducing the availability of alternative data for AI models. This will push private equity and credit firms to seek new ways to gain insights without violating laws.

A Year of Challenges

In 2025, the finance sector will broadly start displaying many of the amazing operational efficiencies and capability gains well-implemented AI really can deliver. But it will also be a year where its rapid integration into financial services will have real consequences.

AI use in financial services has already outpaced the speed at which regulations are developed, leading to a complex landscape where institutions will struggle to stay compliant amid evolving legal requirements and potential penalties.

As regulatory bodies catch up, they will begin enforcing strict transparency and explainability standards for AI algorithms in financial decision-making, as well as regional and global data privacy regulations that will significantly restrict how financial institutions collect, store, and use customer data. Firms must be prepared to overhaul their data management practices to ensure AI models are interpretable, fair, and free from bias. Existing AI models reliant on extensive datasets will be challenged, pushing firms to adopt new methods like synthetic data generation and federated learning. Such eventualities will impact operational efficiency.

All the while, the industry will face a new wave of sophisticated cyberattacks, driven by AI and targeting vulnerabilities in financial systems. This will force companies to invest heavily in advanced cybersecurity measures — ironically including AI-based defense mechanisms and AI-driven comprehensive data protection protocols.

There is no putting this genie back in the bottle. In 2025, AI use in financial services won’t be a differentiator. It will be a requirement for survival in a landscape that it has already irreversibly altered.

The post How AI Will Reshape the Financial Services Sector in 2025 appeared first on PaymentsJournal.

With artificial intelligence gaining prominence as the next frontier in fraud detection, Visa has completed its acquisition of Featurespace, a developer of real-time AI-powered payment protection technology.

Featurespace works with many of the world’s largest banks and financial institutions, including HSBC, NatWest, Worldpay, and Danske Bank. The company processes more than 100 billion payment events each year.

This move mirrors a recent announcement from Mastercard, which earlier this year revealed plans to acquire Recorded Future, an AI company specializing in payments fraud. Recorded Future bills itself as a threat intelligence company with more than 1,900 clients across 75 countries. The deal will expand Mastercard’s existing suite of identity, fraud prevention, and cybersecurity services, primarily under the Brighterion label.

Both credit card giants recognize the importance of deploying AI as widely as possible. In addition to being one of the top buzzwords currently in the financial sector, the technology has already demonstrated its worth as an effective crime-fighting tool. 

“There’s so much information that is collected by a financial institution or a merchant that could be used to help detect fraud or suspicious activity,” said Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “This data might contain signs of irregularities in the way that transactions are being made, and that’s where AI comes in. There is a wealth of data that is not being used, and it needs to be used to create a more holistic view of the entire transaction.”

Buying the Expertise

It appears that both Visa and Mastercard opted to acquire an AI company rather than further developing these capabilities in-house. For example, Visa says that Featurespace’s capabilities complement its existing fraud prevention and risk scoring offerings.

Visa’s existing Cybersource service addresses fraud in e-commerce and retail. This solution also uses machine learning-based models for risk scoring, but primarily on the merchant side. Cybersource specializes in combatting payment transaction fraud, such as criminals using stolen credit card numbers on a merchant’s website.

Similarly, in 2017, Mastercard’s first major foray into AI came with the acquisition of Brighterion, which is now its primary fraud detection arm. Overall, these acquisitions make sense from a branding perspective. Not only does it allow an established company like Visa or Mastercard to bring proven, turnkey technologies into the fold, but it also sends a strong message to criminals and competitors alike that they are leveraging AI in a significant way.

The post Visa Builds Out AI Capacity with Acquisition of Featurespace appeared first on PaymentsJournal.

The Consumer Financial Protection Bureau has proposed rules designed to reduce the impact of coerced debt on victims of domestic violence and elder abuse.

In many cases, abusers manipulate or intimidate their spouse or family member into applying for credit cards or loans. Abusers may open accounts in the victim’s names without their knowledge, coerce them into signing financial documents, or make unauthorized purchases on their accounts.

The effects of financial abuse can be significant for survivors. Nearly three-quarters of domestic violence victims report staying in an abusive relationship longer because of coerced debt, according to the CFPB. The impact is even greater for women of color, who are more likely to experience financial abuse and carry higher amounts of coerced debt.

Expanding Protections

Financial abuse can have a dramatic effect on a victim’s credit score. The CFPB noted that once survivors clear these debts from their credit report, roughly a third see their credit score jump by over 20 points. This increase can be the difference in qualifying for a loan or securing a better interest rate.

“People trapped by domestic abuse must often sign documents under the threat of violence, ruining their financial lives and making it even more difficult to escape,” said CFPB Director Rohit Chopra, in a prepared statement. “Expanding identity theft protections could help survivors rebuild their financial lives and would ensure that our credit reporting system is not used as a tool for domestic and elder abuse.”

Searching for Insight

The CFPB is in the initial stages of developing rules to address financial abuse and is looking to the public for insights on the true effects of coerced debt on credit scores, as well as potential barriers that may prevent victims from receiving aid.

The CFPB is also interested in understanding the challenges that coerced debt creates for specific groups, including children in foster care, survivors of intimate partner violence, and older Americans.

Elder abuse, in particular, can be hard to detect because many older individuals are more likely to trust others at their word and less likely to report being victims of abuse. This is why older adults have been under particular duress from both in-house abusers and from criminals who seek to coerce the elderly or prey on their emotions.

The post CFPB Aims to Reduce the Financial Impacts of Domestic Violence appeared first on PaymentsJournal.

New U.S. Treasury Department regulations set to take effect next year aim to keep criminals from using businesses as fronts for fraud or money-laundering.

The rules represent the realization of the Corporate Transparency Act, which was passed several years ago, which requires over 30 million U.S. small businesses and corporations to submit a Beneficial Ownership Information report identifying individuals who directly or indirectly own or control organizations.

“When conducting money laundering investigations (and some fraud investigations), many organizations fail to address the identities of businesses and other legal entities,” said Jennifer Pitt, Senior Fraud & Security Analyst at Javelin Strategy & Research. “Until the Corporate Transparency Act of 2021, small businesses were not required to provide beneficial ownership information.”

“When setting up an LLC and obtaining an employer identification number (EIN) with the IRS, some businesses would list only one person (such as an attorney) as the statutory agent,” she said. “No one was able to determine who had a vested interest or beneficial ownership in the business. Money launderers used this lack of required transparency to create LLCs with vague ownership to conduct or facilitate illicit activity.”

Threatening Viability

Though the new framework is expected to reduce the use of anonymous corporations for illegal activities, the new rules could also have substantial effects for law-abiding small business owners.

If they fail to submit their ownership data to the Treasury Department by January 1, they could face significant fines. According to FinCEN, businesses that don’t file their report on time may incur civil penalties of up to $591 per day, while owners could face criminal penalties of up to $10,000 and up to two years in prison.

These fines could quickly mount and threaten the viability of many small businesses at a time when so many are under financial pressure and scrambling for financing. According to CNBC, many organizations are unaware of the new rules—as of December 1, only roughly a third of companies have filed their reports.

Following the Developments

The Treasury Department has insisted that the regulations—and the accompanying penalties—aren’t designed to punish small businesses. FinCEN said that businesses who correct a mistake or an omission within 90 days of the January 1 deadline can avoid penalties. In addition, larger companies and financial institutions are exempt from the rule, as they already report ownership data to the government.

The new regulations have faced some legal pushback, most notably in Texas. However, in most states, small businesses will still be required to file their BOI reports in the coming weeks. While small businesses may undoubtedly experience some pain points in the months ahead, the new regulations could ultimately have a positive impact on banks.

“For financial services providers, the Corporate Transparency Act of 2021 allows them to more effectively conduct know-your-business (KYB) checks and assess the risk of banking their business customers,” Pitt said. “With the newly required information, financial services providers can conduct research on each person listed as a beneficial owner, searching sanctions and watchlists—as well as known criminal history—and understand their behaviors.”

“This business transparency does have some concerned about privacy and government overreach, as exemplified by the Texas federal court ruling,” she said. “It will be interesting to follow the developments with the Corporate Transparency Act, and Javelin will be creating a KYB scorecard that will focus on the need to understand beneficial ownership.”

The post Rules Designed to Mitigate Fraud Could Impact Small Business Owners appeared first on PaymentsJournal.

As the world hurtles headlong toward real-time payments, speed and efficiency have often been prioritized over security. However, with faster payments comes faster fraud, and just as organizations deploy technology to streamline their systems, criminals are deploying complex schemes on a global scale.

In a recent PaymentsJournal podcast, Dal Sahota, Director of Trusted Payments at LSEG Risk Intelligence, and Brian Riley, Director of Credit and Co-Head of Payments at Javelin Strategy & Research, discussed the prevalence of fraud, the challenges it presents as payments accelerate, and the ways organizations can defend themselves.

Sophistication at Scale

Criminals seize upon any weakness they can exploit. They might imitate genuine companies or individuals using deepfake IDV profiling and attempt to manipulate organizations, or use authorized push payment scams to defraud vulnerable individuals.

“Is there ever a day where I don’t hear a new anecdote about fraud, or new evidence of fraudsters’ sophistication?” Sahota said. “The sophistication is at a scale we’ve never seen before, and it’s across the globe. It’s not one or two individuals, its highly sophisticated networks that are creating a dramatic impact and financial consequences across the ecosystem.”

Traditionally, payment systems had built-in delay payment processing, particularly to provide a buffer for merchants, customers, and institutions. The added time gave all parties an opportunity to ensure that the transaction was legitimate and authorized.

As technology has accelerated payment processing, the objective has shifted to delivering funds to recipients in real time. However, this eliminates the longstanding safety net, as instant payments are often irrevocable.

“A good example is credit cards, which traditionally took three days to reconcile,” Riley said. “It was practical because the business model was built in the 60s and 70s and that delay was inherent. Now even debit card payments, or a clearance on a check, they happen in a snap. It’s important to have controls on the front end of the process rather than on the back-end settlement.”

A Perfect Storm

Guardrails are even more critical as cross-border payments gain traction. Fraud is more difficult to catch when payments are sent across different jurisdictions, and criminals know that.

“It’s a payments perfect storm where on one side you have faster payments, which create a lot of benefits across the marketplace,” Sahota said. “But at the same time, on the right-hand side of that storm, the deep clouds of fraud are exposing vulnerabilities due to the speed at which payments can move today.”

Faster cross-border payments face issues on several levels. Some countries have fraud controls built into their financial infrastructure that make it simpler to conduct bank account verification, and to identify and share data on fraudulent accounts and cards.

“Banks are typically linked through the central bank, so there’s an easier flow in countries like the U.S. or Canada,” Riley said. “Without that link, there’s no universal banking rule for fraud mitigation or vetting payments. You have that complexity where it’s going faster, it’s crossing borders, and countries have different standards for fraud management throughout.”

High Exposure

Fraud vulnerability is especially pronounced in industries that are less regulated or lag behind in adopting digital payment processing. These organizations are more likely to rely on paper-based or email-based communications, which create exploitable weaknesses for criminals.

Authorized push payment fraud, where criminals send phony invoices or pose as vendors, has become a rampant threat. Criminals know it can be difficult for larger organizations that receive invoices from multiple supply chains and multiple vendors to keep tabs on each invoice.

“When an update comes through from a vendor that their bank details have been updated, there aren’t effective ways for companies to carry out verification on all those types of invoices and all the updates coming through,” Sahota said. “That creates high exposure on the side of corporates, who might not have the anti-money laundering or fraud controls to mitigate that exposure.”

Within the payments infrastructure, there is often an assumption that companies will establish their own frameworks to manage risk. In contrast, regulators typically assume that consumers lack the knowledge or the resources to protect themselves. While consumers protection is crucial, the risks faced by organizations can be equally damaging.

“Instead of consumer payments where you’re moving high-volume, low-value payments in the thousands of dollars, corporates are moving low-volume, high-value payments in the millions, or tens of millions of dollars,” Riley said. “If you picture a multinational company where invoices are coming in, It’s a great environment for fraud.”

An Array of Protections

Because criminals are constantly probing for weaknesses, organizations require multiple layers of defense. Protections should be in place at every critical touchpoint: during customer onboarding, when users make account changes, and as transactions occur.

“It’s not one defense, it’s multiple defenses,” Sahota said. “At any touch point where a customer—or a potential fraudster—is engaging with your business, you want controls and defenses in place. Continue to update them on a cyclical basis because as criminals get smarter, they’ll find ways to sophisticate and infiltrate an enterprise. “

One of the reasons why it is so critical to have ongoing fraud prevention initiatives is because, in many large companies, there can be delays in implementing new solutions and procedures. On the other hand, criminals don’t need meetings and approvals to shift course.

“How do we get in front of the problem and get ahead of the fraudsters, when they seem to be somewhat ahead, if not way ahead, of the market?” Sahota said. “The agility of the fraudster means not all these problems can be solved by one mechanism.”

The Right Hands

In discussions about innovation, faster payments, and new fraud prevention solutions, the impact of fraud can sometimes be dismissed.

“We should not lose sight of the emotional impact fraud creates,” Sahota said. “It could be for anybody—brothers, sisters, moms, dads, grandparents—there’s no immunity here. At the corporate level there can be reputational impacts, but there are also impacts to employees. If an accounts payable member pushes out a payment to a fraudulent vendor, they may have the fear of being fired or facing repercussions.”

Fraud has such far-reaching impacts on both a corporate and individual level that it should always be top of mind for organizations. That is especially true as faster payments continue to gain traction.

To combat that threat, many companies are turning to solutions like LSEG Risk Intelligence’s Global Account Verification platform. The platform was specifically designed to combat authorized push payment fraud—it is a global account verification product which allows customers to input key data elements and verify a recipient before a payment is issued.

“It provides greater certainty that you’re not getting duped out of funds, that you’re not getting scammed,” Sahota said. “There is greater certainty at the point of payment initiation, so an organization knows that the money is going to land in the right hands, and not the wrong hands.”

The post As Payments Speed Up, Slowing Down Fraud Is More Critical appeared first on PaymentsJournal.

While credit bureaus collect detailed information about individuals’ personal and financial lives, they are legally restricted in how they use it, limiting its application to specific permissible purposes such as evaluating someone’s eligibility for credit or employment.

In contrast, the data brokerage industry has operated with no such constraints—until now.

Currently, would-be identity thieves and scammers can legally buy the same detailed financial profiles available to credit bureaus and other legitimate entities. These criminals can use this data to execute sophisticated fraud schemes, phishing attacks, and other malicious activities. The Consumer Financial Protection Bureau (CFPB) has issued a proposal that would require data brokers to comply with the same protections as the credit bureaus.

The Proposed Measures

The CFPB’s proposed rule would treat data brokers in the same category as credit bureaus and background check companies. Anyone that sells data about income or financial status, credit history, credit score, or debt payments would be considered a consumer reporting agency and required to comply with the Fair Credit Reporting Act of 1970. Brokers could only sell such information if the buyer can demonstrate a permissible purpose under the FCRA. The proposal also clarifies that marketing does not constitute a legitimate business need.

The proposal would also specifically restrict the sale of personal identifiers, sometimes referred to as credit header data. This would make it substantially harder for bad actors to improperly obtain sensitive information like Social Security numbers and home addresses, while still allowing financial institutions to use this data to stop identity theft and fraud.

Additionally, the CFPB would require clear consumer consent before sharing any sensitive data. Companies would need to obtain separate, direct authorization to share a consumer’s credit report, rather than relying on permissions buried in the fine print.

Legislative Solutions

Congress has attempted to address this issue before, though previous legislative efforts haven’t gained much traction. In April, two bipartisan lawmakers from Washington State introduced The American Privacy Rights Act (APRA) to regulate the buying and selling of personal data collected from consumers, both with and without their consent.

The goal was to establish a national data security standard that gives consumers more control of their information. However, the bill was tabled in June in the face of Republican opposition.

The post Why the CFPB Needed to Curb Data Brokers’ Access to Financial Data appeared first on PaymentsJournal.

For various reasons, the U.S. Department of Agriculture faces challenges in issuing personal identity verification (PIV) cards to all its workers, despite these credentials being essential for accessing government systems. This presented a problem in combating fraudulent attempts to breach these systems—until USDA developed a pilot program featuring FIDO, or Fast Identity Online.

The issue arose because USDA employs a significant number of seasonal workers who are ineligible for PIV cards. To address this, USDA introduced a waiver process that allowed employees to obtain a user ID and password. However, it quickly became clear that these efforts were vulnerable to sophisticated credential phishing campaigns. 

USDA sought a technical solution that could deliver phishing-resistant multi-factor authentication (MFA) and reduce the risk of malicious actors tricking employees into providing their login credentials. What’s more, they required a solution that offered the same protections as a PIV card while addressing the decontamination challenges present at many USDA sites.

The answer was FIDO, which USDA now touts as a major step forward in fighting phishing attempts. A biometric authentication system, FIDO has allowed approximately 40,000 registered users to securely access USDA’s network without the vulnerabilities associated with usernames and passwords.

Calling FIDO

FIDO authentication has been around for several years, although its adoption is not yet widespread. It relies on physical characteristics, such as a fingerprint, rather than something that can be easily guessed or stolen, like a password. Organization can use FIDO alongside other authentication methods, such as usernames and passwords or two-factor authentication. This layered approach ensures that even if one method is compromised, the other can still verify the user’s identity.

Apple, Google, and Microsoft have been working on a multi-device FIDO credential known as passkeys. According to the FIDO Alliance, global awareness of passkeys has grown significantly in the two years since their introduction—from 39% familiarity in 2022 to 57% in 2024.

“Many different organizations are already using FIDO authentication standards, mostly fintechs, social media companies, search engine providers, email service providers, and gaming companies,” said Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “But only a couple financial institutions have adopted FIDO standards. The biggest hindrances are the time and cost of updating current technology that may not be compatible with FIDO standards.”

The post USDA Signs on to FIDO to Deter Phishing Attempts appeared first on PaymentsJournal.

Fraud always seeks the path of least resistance. In the world of payments, hackers look for vulnerable spots to exploit. The rise of artificial intelligence introduces yet another layer that criminals can manipulate and enhance their methods.

In a recent PaymentsJournal webinar, Juan Funes, Director of Fraud and Decisioning Products at Mastercard, and James Wester, Co-Head of Payments at Javelin Strategy & Research, discussed best practices organizations can use to maintain effective fraud mitigation strategies and stay ahead of evolving threats.

 The Multiplying Avenues of Fraud

With the proliferation of digital payment methods, both opportunities for convenience and avenues for fraud have exploded.

Taking into consideration the diverse ways you could use a single card in a day:

“Living in New York City, I can use the stored card in my digital wallet to tap and get on the subway; I can order lunch using a delivery app with my card on file; later in the day, I might use the same card to buy sneakers from a new online merchant by manually entering the card details. In the evening, I might go to a restaurant for dinner and pay using my physical card,” said Funes.

Such varied transaction scenarios create multiple points of vulnerability:

“I’m one of those people who loves payments, so I have wacky things like a payment ring that I wear when I’m going for a run so I can buy water because I don’t want to carry a wallet,” said Wester. “I have all of these things that I pay attention to. Most people don’t, and yet they still use all of these new modes of payment. It’s just unconscious, so most people don’t even think about the fact that they use information that’s stored in their phone.”

The Interconnected Digital World: A Playground for Criminals

As our world becomes more digital and interconnected, the threats multiply. Organizations must brace for attacks from diverse and distributed criminal networks.

Advanced technologies enable fraudsters to refine their strategies continuously. “At Anti-Fraud conferences, I’ve seen examples of fraudsters promoting their services via social media, bragging about the success of their exploits via encrypted messaging apps. It’s the commercialization of fraud.”Funes mentioned.

AI isn’t just for automating legitimate tasks; it is also accelerating the evolution of fraud. It enables criminals to streamline costly manual processes and rapidly process data for maximum advantage.

“The fraudsters are very smart. They go through the same processes that we do when evaluating a business case. They’re asking, ‘What are my costs? What are my benefits?’” Funes and Wester explained.

The Imperative of Communication and Shared Vigilance

Effective fraud prevention doesn’t exist in a vacuum; it necessitates robust industry-wide communication and vigilance:

“My team is constantly communicating across functions to understand what’s trending in their space,” Funes stated. “It’s not just about looking at metrics but understanding the intelligence behind them. We see trends shifting from location to location, region to region.”

This collective understanding allows organizations to tailor their defenses more precisely. If a particular fraud pattern is successfully thwarted in one region, the insights gained can be leveraged globally.

Putting the User First

Fraud prevention is fundamentally about balancing risk control with consumer convenience. Persistently advancing technology presents a dual-edged sword: while it offers robust new defenses, over-reliance can inadvertently create user friction.

Therefore, it’s crucial to strike the right balance. “If fraud prevention protocols significantly impact cardholders, they may switch to other products. Finding the right balance is essential for each organization and the industry as a whole,” emphasized Funes.

Looking Ahead

Given the global scale and complex fraud patterns that are difficult to detect in isolation, organizations must stay agile and informed as we forge ahead in this rapidly changing landscape. A comprehensive set of rules, combined with the latest technologies and industry collaboration, will be essential in combatting fraud on a global scale.

Mastercard, a leader in the industry, has been at the forefront of innovation, leveraging AI for over two decades. As the landscape continues to grow and evolve, the company remains committed to safeguarding the entire digital ecosystem through its AI-fraud solutions.

“With global perspectives and the ability to adapt learnings from one region to another, we can mitigate these threats more effectively. Efficiency, balance, and robust rule sets are the future of fraud prevention,” Funes concluded.

The post Keeping Up with Fraud Attacks in the Age of AI appeared first on PaymentsJournal.

As fraudsters become more innovative in their schemes, Nacha is rolling out new rules to address emerging fraud risks, particularly scams involving business email compromise, vendor impersonation, and the increasing use of money mules.

These key changes, centered around the ACH rules, began rolling out in October and will continue through 2026.

In a recent PaymentsJournal podcast, Glenn Fratangelo, Head of Fraud Prevention Product Strategy and Marketing at NICE Actimize, and Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research, discussed what financial institutions need to do to enhance their fraud detection programs to better protect both banks and customers.

The Growing Threat

There’s no doubt that authorized fraud is on the rise. Fraud threats have increased in both volume and complexity, especially as payment innovations evolve to keep up with advancements in technology, as well as consumer and business needs.

“Javelin has noted these increases over the last few years in terms of imposter scams, fraud, and other new activity,” said Sando. “Anecdotally, we’re hearing so much about imposter activity, which is becoming more sophisticated and convincing. It relies on that sense of urgency for the unsuspecting customer to act, and it’s not going to go away anytime soon. The digital and fast-paced nature of payments has really emphasized the importance of dealing with the problem.”

In the past, Receiving Depository Financial Institutions (RDFIs) managing ACH transactions on behalf of their customers could take a more reactive approach, handling each transaction as it came through. The responsibility for detecting fraud primarily rested with the originating institution, or ODFI. However, the new rules now hold RDFIs accountable for catching fraud in real time—or as close to real time as possible.

This shift means actively reviewing suspicious activity, flagging transactions that seem off, and taking the initiative in returning funds that do not belong in certain accounts. RDFIs can now return questionable transactions, and ODFIs have more leeway \to request returns when issues arise on their end. Starting in 2026, these monitoring requirements will become even more stringent.

Increasing the Burden

In terms of operational burden, RDFIs will now bear greater responsibility for real-time fraud detection and case management to effectively identify and prevent fraud.

“Traditionally, that fell under the purview of the ODFI, but with the shift RDFIs will have to dedicate resources to monitor suspicious transactions and potentially fraudulent activity that is incoming, something they previously did not have to do,” said Fratangelo. “That’s going to create increased workloads for an already stretched operations team, which will now be required to flag and investigate suspicious incoming transactions in real-time.”

Larger financial institutions will need to implement new machine learning models, which will require additional governance time and introduce another layer of complexity to their existing fraud detection systems.

“Larger institutions may have the capacity and ability to scale their teams, but we all know quality investigators are hard to find,” Fratangelo said. That’s why there’s a ramp up period to train analysts and investigators and get them up to speed.”

Smaller institutions will face even more difficulty, as they often lack effective automation. As their transaction volumes grow and new alerts are added, scaling up their workforce can be cost-prohibitive. These costs are sometimes passed on to customers in the form of lower interest rates or higher fees.

Maintaining Business As Usual

Generative AI and deep fakes are making this situation even worse, exposing corporations to business email comprise and account takeovers. Previously, the RDFI took a passive approach to matching account numbers, but now it’s not just the account number that needs to match—the individual must also be verified, and the organization needs to ensure the recipient is not a bad actor.

“It can become more difficult to maintain business as usual if you’re a smaller institution, like a community bank or credit union,” said Sando. “With operational shifts like these, there are often also impacts to the customer experience for the customer, particularly when financial institutions personnel are now faced with spending significantly more time manually reviewing suspicious transactions instead of spending time with their everyday customer needs.”

For financial institutions, fighting these threats involves more than just securing incoming funds. They need to focus on the accounts and applications they receive, ensuring that they aren’t being created with synthetic or fraudulent identities.

“Fraud is all interconnected,” said Fratangelo. “It’s not just a singular fraud typology that’s coming through. But we have to follow the breadcrumbs, as we’re seeing more responsibility shift to receiving banks to address the current issues. Ultimately, it’s about protecting customers, and we need to ensure protections are in place to protect those customers. Bad actors can’t have access to these funds.”

The post How FIs Can Get Ready for Nacha’s Upcoming New Rule appeared first on PaymentsJournal.

A payments platform grappling with fraud losses grew frustrated when its risk scoring system failed to differentiate effectively, leaving every transaction in the same neutral-risk category. Even high-risk transactions slipped through undetected.

The organization then turned to a collaborative intelligence network that was focused on flagging suspicious email accounts. This shift led to a 327% increase in fraud detection.

This is just one of the success stories featured in a report from LexisNexis Risk Solutions, Global State of Fraud and Identity. Another example highlights how a U.S. bank improved its high-risk event detection by 1,700% by combining email risk assessments with digital identity signals. Similarly, a U.S. card issuer was able to raise its fraud detection rates 23-fold by employing multiple data points from a range of sources.

The bottom line is that organizations can significantly improve fraud detection by using shared intelligence networks.  These collaborative networks enable members to flag suspicious activities related to devices, IP addresses, email addresses, and more—overall enabling all participants to improve their fraud risk assessments.

LexisNexis’ analysis found that a device displaying negative behaviors poses a fraud risk five times greater than the baseline. When an anti-fraud solution flags both a device and an email address tied to a single identity, the fraud risk jumps to eight times higher. This approach not only helps organizations recognize fraudulent activities but also improves their ability to recognize genuine customers, streamlining login and transaction processes for a smoother user experience.

Sharing Initiatives

Surprisingly, only 27% of financial services and retailers in the EMEA region are using fraud insight exchange initiatives. However, several associations have been working to raise awareness of the importance of collaboration on this front.

The UK’s Payments Association highlighted Australia’s approach as a model in a recent white paper. In September, Australia’s government introduced the Scam Prevention Framework, which fosters collaboration among financial institutions, telecom companies, and digital platforms to share information on scam trends and emerging threats.

Similar initiatives are underway in the U.S. Nacha, which oversees ACH payments, is set to implement new rules in mid-2026 aimed at enhancing cooperation in fraud detection. The regulation will require institutions to adopt procedures for handling suspicious ACH credits, encouraging a collaborative approach. Both sending and receiving financial institutions will work together to combat unauthorized transactions, strengthening the fight against ACH fraud.

“By using consortia data and combining various data signals, financial institutions can reduce false positives—which often take necessary resources away from actual fraud incidents,” said Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research. “Banks who still rely on viewing customers from a small lens of a single transaction or single account are missing out on preventing fraud and detecting fraud in near-real time—a problem that could be remedied by using consortia data and broader identity signals.  Showing consumers the benefits of using various data points to combat fraud will also build trust and more of a buy-in for consumers who might otherwise be hesitant to share information.”

The post Collaboration May Be the Strongest Weapon Against Payment Fraud appeared first on PaymentsJournal.

As cross-border payments fuel an increasingly globalized economy, concerns about fraud in these transactions have also grown.

Although cross-border payments make up just 11% of total card payment transactions, they account for 63% of card-related fraud. This issue is particularly acute in the UK, where losses due to authorized push payment (APP) scams reached £239 million in the first half of 2023, according to UK Finance. One in three UK cross-border payment users reported falling victim to APP fraud, in which individuals are tricked into sending money to criminals.

With international payments, the physical distance between the fraudsters and their victims significantly reduces the chances of criminals being caught, leaving victims with limited options for recourse after being defrauded. In response to these risks, the UK’s Payments Association released a white paper exploring how governments and financial institutions can work to deter fraud in the cross-border payments space.

Tony Craddock, Director General of The Payments Association, said that the lack of cohesive international standards for Know Your Customer and anti-money laundering protocols allows criminals to exploit regulatory inconsistencies. The research highlights Australia’s approach as a model: a collaborative framework among banks, law enforcement, and technology providers has led to improved fraud detection.

Taking Protective Steps

Many financial institutions are not fully prepared to handle the complexity and speed of cross-border payments, particularly when it comes to information sharing.

“Financial institutions that share risk signals and historical data across the payments ecosystem are in a much better position to identify and block criminal activity,” said Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “Instead of solely relying on in-house data, access to a consortium offers a rich historical data pool to better detect and handle risky transactions, providing visibility into critical datapoints that may have otherwise not been available.”

Another promising solution recommended by the Payments Association is tokenization. Tokenization involves creating digital tokens, often on a blockchain, to represent financial assets. This approach is gaining traction as a way to increase the speed and security of cross-border payments, which is crucial when it comes to reducing fraud and ensuring transaction integrity on a global scale. Several organizations are exploring tokenization for these benefits, with private banks including, UBS, JPMorgan Chase, and Citi making significant dents in this arena.

There’s also the global communications standard ISO 20022, which establishes a common language for sending and exchanging payment data. Its enriched data allows for more precise fraud controls for cross-border payments, which are expected to strengthen further as ISO 20022 adoption grows, enhancing security and trust in global transactions.

The post New Tools in the Fight Against Cross-Border APP Fraud appeared first on PaymentsJournal.

Artificial intelligence is fueling a major transformation in the financial fraud landscape. AI has democratized criminal sophistication and fraud at a very low cost of conducting business, generating more malignant actors that financial institutions have to fight against.

What can these institutions do to mitigate increasingly sophisticated frauds and scams? In a recent PaymentsJournal podcast, Kannan Srinivasan, Vice President for Risk Management, Digital Payment Solutions at Fiserv, and Don Apgar, Director of the Merchant Payments Practice at Javelin Strategy and Research, discussed how fraudsters are using generative AI to hone social engineering and bypass authentication, and how we can fight back.

The Deep-Fake Threat

Driven by AI, deep fakes represent a new frontier in fraud. There has been a 3000% increase in deep fake fraud over the last year and 1200% increase in phishing emails since ChatGPT was launched.

Synthetic voices have been around for decades. They used to sound like a hollow robot, but recent advances in technology have allowed voices to be cloned from just a few seconds of audio. They are so realistic that fraudsters were able to use a deep-fake voice of a company executive to fool a bank manager into transferring $35 million to them.

“In banking, especially at the wire desk, talking to the customer is always considered the gold standard of verification,” said Apgar. “So if somebody sends an e-mail and says I want to initiate a wire, they’ll actually have to talk to a banker. But now, if the voice can be cloned, how do bankers know if it’s real or not?”

In business applications, single-channel communication should not be accepted, said Srinivasan. “If you get a voice call from somebody to do a certain thing, don’t just act on that,” he said. “Send an email or a text to confirm that you heard it from that person. Or hang up the phone and confirm through another channel that this is exactly what they wanted.

“We hear stories about a phone call coming in and saying your son has met with an accident and they’re in a hospital, you need to send $8000 for an emergency procedure. They prey on human emotions. We have to make sure that we step back, think about what’s happening, then call your family or friend to make sure that the news is accurate.”

A Range of Use Cases

Imposter scams have also exploded recently across other use cases. Large language models can take a phishing email, customize the content and iterate it until the scamster gets a successful response from the victim.

Sophisticated criminals are creating packages for less-sophisticated criminals to buy. For $100 a month, a would-be hacker can purchase a bot-as-a-service turnkey application. To conduct a fraud operation, they just need to upload the victim’s information, such as their phone number and the impersonating business name and phone.

The bot will automatically call the victim and impersonate the business, often requesting that they read out the one-time password. Once the criminal gets the OTP, they can do whatever they want with it, including logging into the institution under attack, authenticating transactions, and changing passwords.

The entry barrier to committing fraud has come down significantly. “There’s almost a multiplier effect on the attack vectors end,” said Apgar, “because AI is not only making it easier to crank out more and more phishing emails more efficiently, but it also makes them more realistic.”

How Are We Stopping Fraud?

Machine learning models have allowed us to identify pockets of fraud and scam so that we can detect and stop them. Auto machine-learning tools have allowed Fiserv to perform this function at scale.

Srinivasan said that Fiserv is also deploying self-learning models, which will generate models at a more automated pace. Since the models can be generated much more frequently, they can more effectively detect any change in fraud patterns.

“We use more than 500 risk signals to identify any emerging trend and deploy preventative measures against them,” said Srinivasan.

Getting Started

For a financial institution initiating a strategy against AI fraud, the first step is to make an inventory of all the touch points they have and conduct a vulnerability assessment. Determine all the possible risk areas that could be subject to a fraud attempt, such as the new account opening processes or login controls. Don’t forget about money movement, changes in user behavior, and brand-new patterns of usage.

Two other back-end processes are critical for assessment too. The first is customer education on scam awareness. Reach out to consumers via multiple channels to make sure they are aware of the nature of these new scams. When they are targeted by a scam artist, they should alert the bank to what is happening.

The second is to educate employees and frontline representatives on the techniques used in fraud, to ensure that they are not social engineered by fraudster when they are reviewing a transaction or removing a hold. Then, when a user calls, they can educate the consumer on potential scam activity to make sure that they are not falling into one.

The most successful fraud mitigation outcomes result from adopting a hybrid approach. Machine learning has to work in conjunction with an intelligent human to ensure a contextual application of the response being deployed. Make sure that the organization has absolute good governance and oversights on whatever results it’s giving, so there is no bias in the strategy.

“Having a variety of mitigation options offered to the client or the financial institution helps a lot,” said Srinivasan. “Pick and choose or deploy all of them, so that we can keep the consumer safe.”

While fraud attempts will always be an issue, Fiserv and financial institutions are working toward solutions that mitigate fraud while improving the customer experience. Working together, we should be able to manage fraud losses to very low levels. By combining layered security strategies, the industry can foster a more robust difference against both existing and new fraud payment threats.

The post Taking On the AI-Assisted Fraudsters appeared first on PaymentsJournal.

Thousands of credit card readers at gas stations and supermarkets in Israel experienced issues this past weekend, potentially linked to a suspected cyberattack.

According to The Jerusalem Post, this incident is the latest in a series of point-of-sale (POS) threats. The challenges and disruptions caused by these attacks arise partly from the unpredictability of which consumers’ data might be affected and the varying levels of security among the small businesses impacted.

POS malware extracts credit card and other transaction-related data from payment systems and card skimmers. Hyp Credit Guard, which monitors payment system cybersecurity in Israel, said the attack targeted the communication services relied upon by many retailers. Fortunately, the issue was mitigated in just over an hour.

Given that gas stations process hundreds of credit card transactions daily, a successful cyberattack can compromise sensitive financial data on a large scale, often without consumers realizing their data has been breached. The effectiveness of a POS attack largely depends on the security measures in place at the targeted business.

A Worldwide Problem

Some experts suspect that Iranian-linked hackers may have been involved in the cyberattack. Just last month, a major Israeli payment company, Sheba, was hit by a similar attack, which caused delays in processing debit card transactions.

The U.S. has also experienced several large-scale POS attacks. In 2014, POS malware allowed criminals to gain access to millions of credit and debit card account numbers of customers at Target stores across the country.

More recently, NCR reported that a POS attack had impacted its Aloha restaurant payment system. Although NCR did not disclose how many customers were impacted, it did acknowledge that more than 100,000 restaurants use its payments platform. Like gas stations, individual restaurants may be more vulnerable to such attacks due to a lack of cybersecurity preparation.

“If you don’t have strong cybersecurity policies in place, POS attacks, like any other cyberattack, are much more likely to be successful,” said Suzanne Sando, Senior Analyst in Fraud and Security at Javelin Strategy & Research. “If you don’t encrypt data, if you aren’t complying with PCI DSS standards, if you aren’t monitoring for suspicious activity—all of these are steps organizations can take to reduce the likelihood of a successful POS attack. It’s all about finding those vulnerabilities and locking them down.”

The post Credit Card Reader Cyberattack Exposes Point-of-Sale Risks in Israel appeared first on PaymentsJournal.

Virtual cards—digital versions of physical credit or debit cards typically used for online transactions or recurring payments—offer a powerful opportunity to streamline operations while enhancing security. When combined with the power of AI, virtual cards provide a safe way for individuals both inside and outside of the organization to purchase the goods and services they need.

Enhanced Internal Control

The success of virtual cards lies in their ability to provide targeted, controlled spending. Unlike traditional company-paid credit cards, virtual cards are issued with a specific intended use or purchase scenario. This could be for a single purchase or a series of purchases.

When a virtual card is issued, it is configured with built-in internal controls tailored to its specific purpose. Any purchase made with this card must adhere to these controls; if it doesn’t, the transaction is declined at the point of sale. Controls can include spending limits, effective date ranges, and merchant restrictions based on the merchant’s name or category.

For example, Mike, a construction manager at a commercial construction company may need to buy materials or tools while on-site. Mike could be issued a virtual card with a merchant category control that limits purchases to suppliers of construction materials or tools. To maintain budget control, the card might also have a spending limit and an effective date range specific to a particular job. These enhanced internal controls reduce the risk of fraudulent spending, as cardholders are restricted by more than just the company’s overall credit limit—they’re bound by targeted constraints that align with the card’s purpose.

AI Helps Further Reduce Fraud Exposure

While enhanced internal controls significantly reduce fraud risk, certain vulnerabilities remain. AI plays a crucial role in addressing these gaps.

Take Mike’s virtual card purchase, for example. He might buy thousands of dollars’ worth of materials from a home improvement store but hidden among the legitimate items is a $500 gift card for himself. The transaction meets all the internal controls: It’s at a valid merchant, within the spending limit and occurs during the allowed date range. However, the fraudulent purchase is concealed within the receipt’s line-item details. This is why receipts must be submitted with full line-item details. Only by auditing these details can fraudulent spending be detected. AI can be instrumental in discovering potential fraud like this. The methods it uses depend on whether the receipt is submitted as an image or as data.

Detecting Fraud in Receipt Images

Fraudsters sometimes create fake or altered receipt images. For this type of situation, AI uses several methods to detect fraud:

Pixel-level analysis: AI can analyze individual pixels to identify inconsistencies in texture, lighting, or noise patterns. Edited portions of an image often have different pixel characteristics compared to unaltered parts.

Machine learning: Machine learning algorithms can be trained on a large dataset of authentic and altered receipts to recognize patterns specific to genuine receipts from specific merchants.

Deep learning and convolutional neural networks (CNN): Deep learning models, particularly CNN, are highly effective in detecting image alterations by identifying patterns invisible to the human eye.

Shadow and reflection analysis: AI can analyze the natural shadows, reflections, and lighting present in a receipt image. When a receipt is digitally altered, these features may become inconsistent with the rest of the image.

Detecting Fraud in Receipt Data

Receipts can also be submitted as data, either directly from online purchases or converted from images using AI-powered optical character recognition (OCR). AI analyzes this data for potential fraud by:

Anomaly detection in spending patterns: AI systems can analyze large volumes of receipt data to detect unusual or unexpected spending patterns.

Duplicate receipt submission detection: AI can detect when the same receipt is submitted multiple times, either accidentally or fraudulently.

Cross-referencing with external data: AI can verify the authenticity of receipt data by cross-referencing it with external databases.

Fraudulent modifications in amounts or items: AI can detect subtle changes in amounts or item descriptions that may indicate fraud. In our gift card example, AI can identify when expensive items are falsely itemized under allowable categories, such as labeling personal electronics as office supplies.

A Safer Path Forward

The combination of virtual cards, which inherently provide enhanced internal controls, and AI-driven receipt fraud detection offers operational managers a powerful tool for safeguarding purchases. Built-in safeguards like transaction limits, vendor restrictions and real-time monitoring make it harder for unauthorized expenses to go unnoticed. In an environment of ever-increasing ways in which bad actors are committing fraud, AI-powered virtual cards not only reduce the risk of fraudulent spending, they also allow organizations to modernize their financial operations in new and secure ways.

The post How Virtual Cards and AI Revolutionize Safer Operational Purchases appeared first on PaymentsJournal.

The newest version of OpenAI’s popular chatbot, ChatGPT, can be used to perform financial scams with a low to moderate degree of success.

ChatGPT-4o was launched in May, offering an enhanced platform that includes inputs and outputs for text, voice, and vision. OpenAI has said it included safeguards to identify and block harmful content, like replicating a voice without permission.

However, a report from the University of Illinois Urbana-Champaign found that those safeguards aren’t adequate to prevent criminals from exploiting the platform. The researchers explored how ChatGPT can be manipulated for voice phishing, also known as vishing, to conduct scams such as bank transfers, gift card fraud, crypto transfers, and credential stealing from social media or Gmail accounts.

“AI-assisted vishing scams pose a threat to individuals and businesses alike and have been cropping up in the wild over the past several years,” said Kevin Libby, Fraud and Security Analyst at Javelin Strategy & Research. “Schemes targeting individuals usually proceed by some variant of the tried-and-true ‘grandparents scam.’ Schemes targeting businesses usually involve impersonating C-suite officers or business owners and connecting with legitimate employees to initiate money transfers.

“In both cases, publicly available AI tools that afford criminals the ability to impersonate the voices of their assumed identities increase the chances of success and pose an undeniable threat to potential victims. The more signals a criminal can create that seem to affirm their assumed identity, the more likely victims are to fall for the scam.”

Bypassing Protections

In the UIUC tests, the AI agents used voice-enabled ChatGPT-4o automation tools to navigate websites, input data, and manage two-factor authentication codes. Even though the platform will sometimes refuse to handle sensitive data like credentials, UIUC researchers were able to bypass those protections by using simple prompt jailbreaking techniques.

Vishing scams are accomplished using deepfake technology, which has quickly become a multibillion-dollar issue for businesses and financial institutions, and AI-powered text-to-speech tools only increase their efficiency. Criminals are using these tools to perpetrate scams on a much larger scale, with less manual interaction required.

Receptive to Research

In response to the concerns raised by the UIUC researchers, OpenAI told BleepingComputer that it was continually working to protect its chatbots from bad actors and that its upcoming version of ChatGPT would be its safest offering yet. Until then, however, consumers will have to be vigilant about potential misuse.  

“Sadly, the public is not sufficiently aware of just how far AI-assisted voice impersonations have come and how easily tools like ChatGPT can be used to create convincing auditory forgeries,” Libby said. “It’s good that companies like OpenAI are receptive to research like the UIUC report and they are reportedly addressing the concerns raised.

“However, ensuring that AI tools cannot be easily used for fraud is only one focus of the companies pioneering the technologies. Using the tools to that end—committing fraud—is the sole focus of the criminals intent on increasing the success rate and scalability of their vishing schemes. For this reason, it’s likely that criminal use of public-facing AI tech to assist with and improve vishing scams will likely get worse before it gets better.”

The post New ChatGPT Model Can Be Exploited for Voice Scams appeared first on PaymentsJournal.