Constant Race: Fraud Threats and Anti-Fraud Techniques

Everything about e-commerce fraud

Fraud has become a significant threat to businesses and consumers. With global retail e-commerce sales projected to exceed 8 trillion US dollars by 2027 and the DACH region playing an important role in this growth, innovative payment technologies, including progressive authentication methods combined with risk-detection features, are crucial in combating fraud.

Exploring Anti-Fraud Solutions for Secure Digital Payments with Markus Navratil, Anti-Fraud Solutions Expert at Netcetera

What fraud problems are we currently observing in the banking and payment sectors?

In recent years, we have seen increasingly sophisticated attack patterns in card and account-to-account (A2A) sectors. Following the introduction of higher security standards, such as the mandatory two-factor authentication (2FA) requirement in the European Economic Area, fraudsters have shifted their focus to the weakest link in the chain: humans. Particularly in regulated regions, but not limited to them, there is a clear trend toward social engineering fraud. This can be categorized into three main forms.

Currently, the primary focus is on phishing, often combined with tricks to manipulate the victim into completing strong customer authentication (SCA). Common entry points include digital marketplaces, where users are led to believe they are receiving a payment, or SMS messages from purported logistics companies requesting additional postage fees.

More advanced attacks target onboarding and registration processes. Fraudsters’ goals here are not only to steal payment or login credentials but also to take over authentication methods or register stolen card details in mobile wallets like Apple Pay or Google Pay. A typical attack might start with a phone call from someone pretending to be a bank employee.

Particularly insidious are cases where bank customers are manipulated into authorizing large sums of money via credit card or transfer. The classic “grandparent scam” has evolved into love or investment scams, often originating on social media and now affecting all demographic groups, not just the elderly.

What do you think has caused the recent increase in social engineering fraud?

Several factors have contributed to the recent rise in social engineering fraud. One significant driver is the ongoing digital transformation. Platforms like social media and online marketplaces are deeply integrated into our daily lives, offering fraudsters countless opportunities to interact with potential victims and craft convincing scams. These digital spaces are also prime targets for attackers to collect information and impersonate trusted entities.

Another critical factor is the rise of fraud-as-a-service. Not only are vast amounts of personal data from data breaches readily available on the dark web, but an entire underground industry also provides novice fraudsters with sophisticated tools and strategies to execute large-scale social engineering attacks. These prepackaged solutions lower the barriers to entry for cybercriminals and have led to an increase in attack volume.

Finally, advances in artificial intelligence, such as large language models and deepfake audio and video technologies, have made social engineering fraud even more dangerous. Fraudsters can now easily create phishing emails in foreign languages or convincingly impersonate executives or trusted individuals. This added credibility makes their schemes far more convincing and significantly harder to detect. Together, these factors have created the perfect conditions for the growth of social engineering fraud.

What technological solutions do we have to counter these developments?

We have a broad range of technologies and approaches at our disposal. Let’s start at the beginning of the problem chain. To curb the theft of sensitive data, tokenization of payment data will play a crucial role. Card numbers that aren’t stored cannot be stolen and later resurface on the dark web.

In combination with Click to Pay functionality, tokenization even offers the added advantage of improving the user experience, unlike other security measures. We recently published a case study with one of our clients highlighting the benefits of combining these two technologies.

But what about login and payment data that is already out there and could be handed over to fraudsters?

We need to make every element of the security chain resistant to phishing, with no exceptions and no compromises on customer experience. Strong Customer Authentication (SCA) has already made significant progress, and it is highly effective against basic third-party fraud. One-time passwords and security questions should soon be a thing of the past. Biometric and passwordless authentication methods must become a widespread standard, with secure hardware tokens and FIDO playing a pivotal role in this shift.
You have mentioned that the takeover of authentication apps poses a major threat. How can this be addressed?

Correct. We need to ensure absolute phishing resistance here as well. Fewer activation codes should be sent out, as these can easily be shared over the phone. Our clients’ end users can already activate a new phone without requiring an activation code, assuming they still have access to their old device.

Additionally, behavioural and contextual data can be collected on the authorization and checkout devices. Comparing this data and applying risk models based on it can prevent the takeover of authentication apps entirely or ensure that transactions are not approved on compromised devices.

Although card readers for payment authorization may seem outdated, they have the undeniable advantage of being immune to phishing. If the card only needs to be tapped on an NFC module to link it with a biometric authentication method, then it is secure and relevant.
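The comparison of behavioural and contextual data across the checkout device and the authorization device described above can be sketched as a simple rule-based risk model. The following Python is an added example written for this page, not Netcetera's product code; the signal names, weights, thresholds and sample events are all assumptions constructed for illustration. It flags a freshly activated authentication app on a device whose context does not match the checkout device, which is the pattern of an app takeover, and maps the score to approve, step-up or decline.

```python
"""Device-context risk model for payment authorization (illustrative).

Added example, not Netcetera's code. Signals captured on the checkout
device are compared with signals from the device running the
authentication app; mismatches and a freshly activated app raise the
risk score. All field names, weights, thresholds and sample data are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class DeviceContext:
    country: str        # country geolocated from the device's IP address
    tz: str             # timezone reported by the device OS
    language: str       # UI language of the browser or app
    enrolled_at: Optional[datetime] = None  # auth app activation time (auth device only)


@dataclass(frozen=True)
class Transaction:
    amount: float
    currency: str
    new_beneficiary: bool  # payee never used by this customer before


# Assumed weights: how much each signal contributes to the risk score.
WEIGHTS = {
    "country_mismatch": 30,
    "timezone_mismatch": 15,
    "language_mismatch": 10,
    "fresh_enrollment": 35,   # auth app activated within FRESH_WINDOW
    "high_amount": 15,
    "new_beneficiary": 10,
}
FRESH_WINDOW = timedelta(hours=24)
HIGH_AMOUNT = 1000.0
STEP_UP_THRESHOLD = 30   # ask for an out-of-band confirmation (e.g. call-back)
DECLINE_THRESHOLD = 60   # do not approve the transaction on this device


def evaluate(checkout: DeviceContext, auth: DeviceContext,
             txn: Transaction, now: datetime) -> dict:
    """Return the risk score, the triggered signals and the decision."""
    triggered = []
    if checkout.country != auth.country:
        triggered.append("country_mismatch")
    if checkout.tz != auth.tz:
        triggered.append("timezone_mismatch")
    if checkout.language != auth.language:
        triggered.append("language_mismatch")
    if auth.enrolled_at is not None and now - auth.enrolled_at < FRESH_WINDOW:
        triggered.append("fresh_enrollment")
    if txn.amount >= HIGH_AMOUNT:
        triggered.append("high_amount")
    if txn.new_beneficiary:
        triggered.append("new_beneficiary")

    score = sum(WEIGHTS[s] for s in triggered)
    if score >= DECLINE_THRESHOLD:
        decision = "decline"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "approve"
    return {"score": score, "signals": triggered, "decision": decision}


# Constructed sample events (assumptions, not real data).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CHECKOUT = DeviceContext("CH", "Europe/Zurich", "de-CH")
LONG_ENROLLED = DeviceContext("CH", "Europe/Zurich", "de-CH", NOW - timedelta(days=90))
SAMPLES = {
    # Everyday purchase from the customer's usual devices.
    "consistent": (CHECKOUT, LONG_ENROLLED, Transaction(49.90, "CHF", False)),
    # Large payment to a new payee; checkout language differs from the auth app.
    "unusual": (DeviceContext("CH", "Europe/Zurich", "fr-CH"), LONG_ENROLLED,
                Transaction(1500.0, "CHF", True)),
    # Auth app activated two hours ago on a device in another country.
    "takeover": (CHECKOUT,
                 DeviceContext("NG", "Africa/Lagos", "en-GB", NOW - timedelta(hours=2)),
                 Transaction(2400.0, "CHF", True)),
}


def run_samples() -> dict:
    """Decision per constructed sample."""
    return {name: evaluate(c, a, t, NOW)["decision"]
            for name, (c, a, t) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (c, a, t) in SAMPLES.items():
        print(name, evaluate(c, a, t, NOW))
```

The weights are deliberately additive and transparent so that each declined or stepped-up transaction can be explained to the customer and to the fraud team; a production model would learn such weights from labelled data rather than hard-code them, and would also feed the "fresh_enrollment" signal back into the activation flow itself.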

If we implement all these measures, will we leave the fraudsters with no other option but to scam bank customers directly? Do we risk enabling authorized push payment fraud?

Not quite. These measures significantly increase the complexity of a wide range of common fraud scenarios, rendering many phishing toolkits from the dark web ineffective. They also prevent users from mistakenly sharing their payment authorization methods with third parties.

Naturally, fraudsters will look for new ways to adapt, but the entry barrier will be much higher. Successful scams would then require well-trained call centre agents, who are far less accessible than ready-made phishing toolkits. This shift will make fraud significantly more resource-intensive for attackers.

While there are still data protection concerns among banks in many European countries, these will likely be resolved once PSD3/PSR regulations come into effect.

What options do we have to combat such fraud?

On the prevention side, we also have artificial intelligence in the form of machine learning models available. These models can be highly effective when the correct data is available. Currently, however, the right or sufficient data is often lacking.

In the future, behavioural and contextual data from online banking must converge with technical data from the 3-D Secure protocol and authentication apps, customer master data from banks, and wallet provisioning data. This integration will enable more reliable identification of suspicious behavioural patterns across all payment channels.

Additionally, we must share fraud-related data between banks and their service providers. In cases where risk models fail – such as when a genuine customer initiates and confirms payments on his device – banks and their partners must be empowered to share information about suspicious payment beneficiaries.

What other measures are available to banks?

To ensure that technical measures against customer manipulation are effective and timely, banks must also invest in educating their customers. In the UK, for example, we see that banks need the right to verify instant A2A transactions with their customers under certain circumstances before processing them in real time. This approach is already a viable solution in the card environment. However, these measures must be coupled with educational efforts so that customers understand why their transactions are being questioned and feel confident they are dealing with their bank and not with a clever fraudster.

What developments do you foresee in the coming years?

The fraud landscape will continue to evolve dynamically, mainly due to the ongoing growth of the e-commerce market and the increased volume of digital transactions. Social engineering tactics and targeted attacks on emerging payment methods will increase significantly.

Introducing the SEPA Instant Payments mandate is another major concern for fraud teams in European banks. While real-time transfers offer many benefits for consumers and businesses, they also put added pressure on banks and payment service providers to detect and block fraudulent transactions more quickly and accurately. Experiences from the rollout of instant payments in the UK and Australia have shown that fraudsters exploit the speed of these transactions to move funds within seconds before they can be frozen.

At the same time, fraudsters will increasingly leverage advanced technologies such as artificial intelligence and deepfakes to execute convincing attacks. Combined with fraud-as-a-service models that provide less experienced criminals with access to professional tools, we expect a more significant proliferation and diversification of fraud schemes.

Despite these challenges, significant advancements in security are also on the horizon. AI-driven systems for anomaly detection, behavioural biometrics, and the continuous enhancement of authentication methods will play a critical role. Additionally, educating and raising awareness among end-users will remain essential, as humans often remain the weakest link despite technological progress.

In the coming years, attackers and security providers will be in a constant race, especially in rapidly evolving sectors like e-commerce and instant payments.