Traditional Fraud Controls Fail to Stop Scams | Proof
Traditional fraud controls focused on securing accounts are failing as scammers increasingly use sophisticated social engineering and impersonation tactics. Imposter scams account for nearly $3 billion in losses, and first-party fraud, where customers themselves exploit systems, is on the rise, highlighting the need for banks to adopt more strategic, context-aware approaches beyond traditional authentication methods.
Fraud, Scams, and Broken Policy - Part 2 of 3
Welcome back to Cracking the Identity Code! This installment, “Fraud, Scams, and Broken Policy,” is part two of a three-part series breaking down the current state of scams in the U.S. In Part 2, we examine how novel payment systems have created new fraud threats, from impersonation to first-party fraud, why securing account access is no longer enough, and why banks must think more strategically about the context behind every identity and transaction.
Traditional Fraud Controls Fail to Stop Scams
Previously, fraud attacks mostly involved stolen cards or hacked accounts. As banks and merchants strengthened their systems, criminals shifted focus to the human element. Today’s fastest-growing fraud tactics center around deception, using increasingly sophisticated social engineering and impersonation attacks.
Imposter scams—where someone poses as your bank, a government agency, a romantic partner, or even your CEO—are now a leading type of fraud in the U.S., responsible for close to $3 billion in losses in 2024. These scams don’t involve stealing your passwords; instead, scammers exploit your trust, fears, hopes, and dreams.
Another rising fraud type in the U.S. is first-party fraud, where customers themselves (or those posing as customers) game the system from within. This includes falsely disputing charges or taking out loans with no intent to repay. First-party fraud is now the leading type of fraud globally, accounting for 36% of all reported fraud cases in 2024.
Both trends—scams that manipulate genuine users and users who themselves commit fraud—reveal a core truth: current fraud controls are not built to handle fraud that blurs the line between victim and perpetrator.
Authentication Can’t Catch a Con
Financial institutions have invested billions of dollars into securing accounts. Sophisticated device fingerprints, biometric logins, and two-factor codes are designed to ensure only the rightful customer can log in or approve a transaction. However, no matter how many correct passwords or Face ID unlocks they verify, systems designed to secure access can’t interpret the intent behind a transaction. If a system sees a customer as “real,” transactions flow smoothly. As a result, social engineering scams often go undetected until it’s too late.
Banking apps can confirm it’s you logging in, but they have little way of determining whether the money you’re sending is actually going to your electrician or to a scammer. By the time the fraud is discovered (usually when you call your bank in a panic hours or days later), the money is gone. Banks have never been better at keeping the wrong people out of your account, yet they offer little protection when it’s you who lets the scammer in.
There’s also a blind spot on the receiving side of transactions. When you authorize a payment, banks struggle to verify simple things, like whether the payee’s name matches the actual account holder’s name. In the UK, banks implemented Confirmation of Payee checks to address this, alerting customers if a payee’s name doesn’t match. Newer payment technologies like Zelle, Venmo, and Square Cash have implemented similar approaches, but these measures have yet to gain widespread adoption in the U.S. Even for these newer technologies, scammers navigate this by directing payments to accounts they control, often opened under fake or stolen identities. When payment companies confirm a scam, they create negative lists (using cell numbers, emails, social security numbers, etc.) to limit future damage. The issue is that all of those “keys” can be manufactured to facilitate a scam—even SSNs. These vulnerabilities are exposed because someone’s true identity is not tethered to the manufactured key.
Evolving Scams Outsmart Static Defenses
Traditional fraud filters, which are good at catching unauthorized access (like blocking a login from an unusual location), are far less adept at sensing the subtle signs of a con in progress. The “red flags” in an authorized scam are more contextual: timing, behavior, and communication surrounding the transaction. For example, a customer suddenly emptying their account via multiple rapid transfers might be a sign of distress or coercion that a basic rule-based system could miss. To truly thwart scams, banks need to deploy more nuanced, real-time behavioral analytics that can detect when a customer’s pattern suggests something is off.
Scenarios that might warrant step-up monitoring include:
- Unprecedented new payee or destination: A large transfer to a brand-new payee or an account in a foreign country that the customer has never transacted with before.
- Unusual timing and frequency: A flurry of transactions or a very large payment made outside the customer’s normal routine (e.g., late at night, or multiple transfers in minutes).
- Signals of communication or urgency: Transactions that occur immediately after the customer receives a phone call or message, especially if the customer is actively on a call during the banking session (a sign they might be coached by a scammer in real time).
Identifying these red flags is technically tricky, but not impossible, and it’s where much of fraud prevention is headed. Some banks have started to integrate “session behavior” analysis, such as noticing if a user copies and pastes a number (possibly from a scam message) or toggles rapidly between apps during a transaction, which might indicate they’re following instructions. The key is context: understanding not just the transaction, but the situation around it. A rule that says “block all $5,000 transfers” would be overkill, but a system that says “pause and verify this $5,000 transfer because it’s the first-ever payment to a new overseas account right after the customer got an inbound call” will impede scams. The issue remains: when someone is being scammed, there is an element of emotion attached. Even roadblocks designed to stop them will be dismissed if someone is sending money because they feel they have to. This is why institutions, payment systems, and vendors must focus on the true identity of the receiver.
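The contrast drawn above between a blanket amount rule and a context-aware check, shown as an added example (not from the original article or any bank's system). The field names, thresholds, and the two-signal cutoff are illustrative assumptions, and the sample transfers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Transfer:
    """Constructed context for one outgoing payment; all field names are hypothetical."""
    amount: float
    payee_is_new: bool
    payee_country: str
    home_country: str = "US"
    hour: int = 14                        # local hour of day, 0-23
    transfers_last_10_min: int = 0        # earlier transfers in this burst
    secs_since_inbound_call: Optional[int] = None
    on_call_now: bool = False
    pasted_account_number: bool = False

def static_rule(t: Transfer) -> str:
    """The blunt rule the article calls overkill: block every transfer of $5,000 or more."""
    return "block" if t.amount >= 5000 else "allow"

def contextual_signals(t: Transfer) -> list[str]:
    """Collect the red flags listed above. Thresholds are illustrative assumptions."""
    s = []
    if t.payee_is_new and t.amount >= 1000:
        s.append("large payment to new payee")
    if t.payee_is_new and t.payee_country != t.home_country:
        s.append("new overseas destination")
    if t.hour < 6 or t.hour >= 23:
        s.append("outside normal hours")
    if t.transfers_last_10_min >= 3:
        s.append("rapid burst of transfers")
    if t.on_call_now or (t.secs_since_inbound_call is not None
                         and t.secs_since_inbound_call <= 600):
        s.append("inbound call during or just before session")
    if t.pasted_account_number:
        s.append("account number pasted")
    return s

def contextual_decision(t: Transfer) -> str:
    """Pause and verify when two or more independent signals coincide."""
    return "pause_and_verify" if len(contextual_signals(t)) >= 2 else "allow"

# Constructed sample transfers.
ROUTINE = Transfer(5000, payee_is_new=False, payee_country="US")
COACHED = Transfer(5000, payee_is_new=True, payee_country="GB",
                   secs_since_inbound_call=120, on_call_now=True)
DRAIN = Transfer(900, payee_is_new=True, payee_country="US", hour=23,
                 transfers_last_10_min=4)
```

The routine $5,000 payment to a known payee is blocked by the static rule but allowed by the contextual check, while the late-night burst of sub-threshold transfers passes the static rule and is paused by the contextual one.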
Another new threat vector is the rise of AI-powered scams. Artificial intelligence is turbocharging social engineering by making impersonation easier and more convincing. Fraudsters can now clone voices and create deepfake videos with startling accuracy. Imagine getting a call that sounds exactly like your panicked spouse or child, pleading for money—today’s AI tools are fully capable of making that a reality. (Side note: my family has a safe word to verify if we get one of these calls.)
Scammers have used AI voice cloning to pull off “vishing” heists, where victims truly believe their loved one is in danger on the phone. AI can also churn out limitless personalized phishing emails or texts that are grammatically perfect and contextually tailored, making scam messages harder to distinguish from legitimate communication. In short, fraudsters are embracing every tech tool available to make their deceptions more believable. This puts even more pressure on institutions to verify and confirm intent before money leaves a customer’s account.
In Part 3—the final in this series—we’ll propose a shift from one-off authentication to a persistent identity model purpose-built to tie identity to transactions, to fight scams and other fraud associated with first-party bad actors.