Payment Fraud Exposed: Top Techniques and How Financial Institutions Respond

Payment fraud (i.e. the unauthorized or deceptive use of stolen payment information to obtain money, goods, or services) remains a major challenge for financial institutions. With new regulations requiring banks to compensate fraud victims, fraud prevention has become a top priority. However, fraud techniques are evolving rapidly, often outpacing even the most diligent security measures.
This blog explores the types of financial fraud and the strategies institutions use to protect customers.

In this article, we categorize payment fraud into six primary types and discuss the tactics behind each.

  • Account Takeover and Identity Theft: Fraudsters gain unauthorized access to a customer’s account and initiate transactions under the customer’s identity.
  • Authorized Push Payment (APP) Fraud: Customers unknowingly authorize payments to fraudsters.
  • Deposit Scams: Fraudsters trick customers into believing they have received a legitimate deposit.
  • Internal Fraud: Employees manipulate or intercept funds, sometimes in collusion with external actors.
  • Chargeback and Return Fraud ("friendly fraud"): This involves customers disputing legitimate charges or exploiting return policies to gain refunds.
  • External Hacking Attack: Fraudsters hack into financial institutions' systems to extract data, initiate fraudulent transactions, or carry out other malicious actions.

Let us explore these six types a bit more in detail.


Account Takeover and Identity Theft

Account fraud typically involves unauthorized access to a customer’s account, often achieved by bypassing the authentication factors set by financial institutions to secure account access. Therefore, understanding which authentication factors are in place, how they may be bypassed, and what actions financial institutions can take to enhance security is crucial.

Authentication factors fall into three main categories:

  • Possession (Something You Have): Examples include a bank card or a mobile device used to receive verification codes or generate OTPs via an authenticator app. Common bypass methods involve physical theft, such as stealing a card or phone, or skimming (e.g. creating a duplicate of a card at an ATM or merchant terminal). While customers bear most of the responsibility for safeguarding these items, financial institutions can support security by offering swift, user-friendly options for device deactivation in case of loss or theft. Financial institutions should also offer temporary deactivation, allowing the customer to unblock the item again (without cost or inconvenience) if it is quickly recovered.

    Another challenge with possession-based authentication is the reset procedure when customers replace their phones or phone numbers, requiring re-linking with their accounts. While necessary, this process introduces potential vulnerabilities that fraudsters may exploit.

  • Knowledge (Something You Know): This factor relies on information only the customer should know, like card details (card number, card expiration date and CVV), passwords, PIN codes, or security questions.

    Fraudsters use several methods to obtain this information:

  • Brute Force Attacks: Here, fraudsters systematically try many secrets, usually starting with common ones such as the passwords "12345678", "password" or "qwerty". Financial institutions can mitigate this by limiting login attempts, requiring strong secrets (e.g. a minimum number of characters), and banning frequently used passwords and PIN codes (such as 1234 or 9876, or the customer's date of birth).
  • Password Reuse: Many users recycle passwords across accounts as they do not want to memorize multiple long, complicated passwords. This makes them as vulnerable as the least secure site they use. When one site is compromised, fraudsters use a technique called "credential stuffing", i.e. they use automated software to try a large number of leaked credentials on other sites.

    Interesting here is the specialization within criminal networks. A first group hacks poorly secured websites to harvest a large number of credentials; these are sold to a second group that uses automated software to test them against financial service websites; finally a third group actually commits the fraud with the accounts that were found to work.

    Financial institutions can combat this by alerting customers when their credentials appear in data breaches (e.g. via https://haveibeenpwned.com), encouraging unique passwords (e.g. via password manager tools), and monitoring login activity, including failed logins, to block credential stuffing (via throttling and blacklisting IP or MAC addresses) and to immediately block accounts that were previously logged into successfully from an IP/MAC address identified as a credential stuffing source.
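    The monitoring described above, as an added example that is not part of the original post: it distinguishes a credential stuffing source (many failures spread over many accounts in a short window) from a customer mistyping one password, and then lists the accounts on which that source already succeeded. The log line format, the thresholds and every sample line are constructed assumptions.

```python
"""Credential-stuffing detection over login events.

Added example, not from the original post. The log line format, the
thresholds and every sample line are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    account: str
    success: bool


def parse_line(line):
    """Constructed line format: '<iso-timestamp> <ip> <account> <OK|FAIL>'."""
    ts, ip, account, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, account, result == "OK")


def find_stuffing_ips(events, window=timedelta(minutes=10),
                      min_failures=20, min_accounts=10):
    """Return {ip: distinct accounts failed} for sources that look like
    credential stuffing: many failures spread over many accounts within a
    short window. A customer mistyping a password fails repeatedly on one
    account, so per-IP failure counts alone would not separate the two."""
    by_ip = defaultdict(list)
    for ev in events:
        if not ev.success:
            by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, failures in by_ip.items():
        failures.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(failures)):
            # keep failures[start:end + 1] inside the time window
            while failures[end].ts - failures[start].ts > window:
                start += 1
            chunk = failures[start:end + 1]
            if (len(chunk) >= min_failures
                    and len({e.account for e in chunk}) >= min_accounts):
                flagged[ip] = len({e.account for e in failures})
                break
    return flagged


def accounts_to_block(events, stuffing_ips):
    """Accounts with a *successful* login from a flagged source: the leaked
    credentials evidently worked there, so lock the account and notify the
    customer rather than only throttling the source."""
    return sorted({e.account for e in events
                   if e.success and e.ip in stuffing_ips})


def _constructed_log():
    """One stuffing source failing once on each of 25 accounts, then logging
    into one of them; plus a customer with a few typos on a single account."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 203.0.113.5 user{i + 1:03d} FAIL")
    lines.append(f"{(base + timedelta(seconds=300)).isoformat()} 203.0.113.5 user007 OK")
    for i in range(3):
        t = base + timedelta(minutes=30, seconds=15 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 alice FAIL")
    lines.append(f"{(base + timedelta(minutes=31)).isoformat()} 198.51.100.7 alice OK")
    return lines


SAMPLE_EVENTS = [parse_line(line) for line in _constructed_log()]
```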

  • Phishing, Hacking, and Physical Methods: Fraudsters also use several techniques to directly obtain a customer's credentials for an account at a financial institution, e.g.

    • Phishing: fraudsters use phishing mails (email phishing, spear phishing or whaling), SMS (smishing) and calls (vishing) to trick people into providing personal information (e.g. asking for secret credentials, or even building complete look-alike copies of a financial institution's website) or into clicking a link that installs malware (e.g. keylogging software) on their computer (e.g. fake parcel delivery texts).
      Via social engineering, phishing scams can use highly personalized information (e.g. names of colleagues or details of recent purchases) to win someone's trust.
    • Hacking: the customer's computer is compromised (by targeting unpatched software and other security weaknesses) and the criminal steals sensitive information.
    • Physical methods: criminals can also use physical methods, like searching through trash or recycling bins or stealing wallets and purses.

Financial institutions can combat this by educating customers, e.g. clearly informing them that the institution will never ask for credentials via SMS, email or phone, and teaching them to recognize phishing attacks by signs like incorrect URLs, a sense of urgency, a tone that does not match the institution's usual tone, or communication not in the customer's language. Additionally, they can teach customers to always access the site directly (i.e. never reach the financial institution via a link).

Finally, an indication in the banking app showing that a call is coming from the bank also allows customers to check whether a call is legitimate.

  • Exploiting Reset Procedures: Password resets are a necessary but risky process, especially if the customer’s email has also been compromised. Advanced reset procedures requiring multi-layer verification can reduce this vulnerability.
  • Direct Attacks on Financial Institutions: While all the above credential theft techniques target customers, fraudsters often also target financial institutions directly to obtain credentials, call center fraud being a common example.

Every financial institution has a customer support desk capable of executing certain financial transactions. In call center fraud, a fraudster contacts the support desk, impersonating a legitimate customer. Traditionally, support desk employees would verify identity by asking for personal information such as a birth date, national register number, Social Security number, or answers to security questions (e.g. "What’s the name of your first pet?" or "What’s your favorite color?"). However, with so much personal information readily available online and on social media, criminals can often gather this data with ease.

To counter this, financial institutions now deploy advanced authentication techniques, such as pushing an in-app verification notification that the customer must confirm. Since mobile banking apps are typically secured with strong protections, this ensures the call center employee can confirm they are speaking with the actual account holder.
However, this approach has its limitations. Not all customers — such as older individuals — have access to a mobile app or may not be able to use it at the time of the call. Ironically, one reason a customer might call the support desk is to resolve an issue with their mobile app, which could make this method impractical in such scenarios.

  • Biometric Authentication (Something You Are): Biometric authentication — fingerprints (cf. Touch ID), facial recognition (cf. Face ID), iris scans (cf. Sam Altman’s crypto project World) — is often considered secure because it is unique and difficult to transfer. However, biometrics are not foolproof. Techniques like AI deep fakes, AI voice cloning or fingerprint spoofing pose risks, and biometric data breaches have long-term consequences, as stolen biometrics cannot be changed.
    Financial institutions should rely on local storage for biometrics and use encrypted mathematical representations instead of raw biometric data. Additional security, such as requiring certain actions (e.g. blinking or moving) for facial recognition, can help prevent deep-fake spoofing.


Individually, each authentication factor clearly presents challenges, so the most effective defense combines multiple factors. Multi-factor authentication (MFA), e.g. 3D Secure (3DS) for online card payments, significantly raises the bar for fraudsters. However, it is important to balance security with usability, as excessive MFA can frustrate customers.

To address this, financial institutions increasingly use risk-based authentication. Here, the required level of authentication varies based on the transaction’s risk level. Factors like transaction type, counterpart, amount, and contextual information help assess risk, e.g.

  • Location Factor (somewhere you are): this additional authentication factor uses all kinds of information about where the customer is, e.g. geo-location, but also information about the device the customer is using (IP address, MAC address, browser model and version, operating system, hardware device information…​).
  • Time Factor (what time is it): based on the customer’s profile, there are typical hours during which this customer performs actions; e.g. a customer who works during the day is unlikely to perform certain financial actions at night.
  • Behavior Factor (something you do): here the user’s activity during the session is observed, e.g. mouse movements, keystroke patterns, how the customer holds their mobile device, or the typical way the customer navigates (e.g. the actions a user usually performs in a session).

For more insights on "Multi-factor authentication", see my blog: "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" (https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html).

The goal of this layered approach is to maintain strong security while minimizing user friction. Financial institutions can adaptively require extra authentication, send alerts and notifications (e.g. by mail or SMS to the customer when unusual activity is detected), or even temporarily block accounts if suspicious activity is detected, achieving a good balance between security and user experience.
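The risk-based authentication just described, as an added example that is not code from the original post: the location, time, behaviour and transaction factors each contribute to a score, and the score selects the action (allow, step up, step up and alert, or block). The profile fields, weights, thresholds and the behavioural deviation input are assumptions; a real deployment would calibrate them on the institution's own data.

```python
"""Risk-based authentication: score an attempt and pick the required
level of authentication.

Added example, not from the original post. Profile fields, weights,
thresholds and the behavioural deviation input are assumptions.
"""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    known_devices: set        # device fingerprints seen on earlier sessions
    known_countries: set      # countries the customer usually connects from
    active_hours: tuple       # (start, end) hour of day of normal activity
    known_payees: set         # beneficiaries paid before
    typical_amount: float     # e.g. the 95th percentile of past transfers


@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int                 # hour of day of the attempt
    tx_type: str              # "view" or "transfer"
    payee: str = ""
    amount: float = 0.0
    behaviour_deviation: float = 0.0  # 0..1 from a behavioural model (assumed)


def risk_score(profile, attempt):
    """Sum the contributions of the location, time, behaviour and
    transaction factors; return (score, reasons)."""
    score, reasons = 0, []

    def add(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    # Location factor: new device fingerprint or unusual country
    if attempt.device_id not in profile.known_devices:
        add(30, "new device")
    if attempt.country not in profile.known_countries:
        add(25, "unusual country")
    # Time factor: outside the customer's usual hours
    start, end = profile.active_hours
    if not start <= attempt.hour < end:
        add(10, "outside usual hours")
    # Behaviour factor: navigation/typing unlike the customer's pattern
    if attempt.behaviour_deviation > 0.7:
        add(20, "unusual behaviour")
    # Transaction factors only matter when money moves
    if attempt.tx_type == "transfer":
        if attempt.payee not in profile.known_payees:
            add(25, "new payee")
        if attempt.amount > profile.typical_amount:
            add(15, "amount above typical")
    return score, reasons


def decide(score):
    """Map the score to the action the institution takes."""
    if score < 25:
        return "allow"               # the session credential is enough
    if score < 55:
        return "step_up"             # require an extra factor (e.g. app confirmation)
    if score < 80:
        return "step_up_and_alert"   # extra factor plus a notification to the customer
    return "block"                   # hold the action and contact the customer


def evaluate(profile, attempt):
    score, reasons = risk_score(profile, attempt)
    return decide(score), score, reasons


# Constructed customer profile for the demonstration.
PROFILE = CustomerProfile(known_devices={"dev-laptop-1", "dev-phone-1"},
                          known_countries={"BE"}, active_hours=(7, 23),
                          known_payees={"BE11 PAYEE 1111"}, typical_amount=1500.0)
```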


Authorized Push Payment (APP) Fraud

In this type of fraud, customers unknowingly initiate payments to fraudsters. Common techniques include:

  • QR Code Scams: Fraudsters manipulate QR codes to redirect funds to their accounts.
  • Invoice (falsification) fraud: Criminals alter invoices to reroute payments to fraudulent accounts.
  • CEO Fraud: Criminals impersonate a company’s CEO or another high-ranking executive to push an employee to authorize fraudulent payments.
  • Advance fee fraud: Here, fraudsters lure victims with enticing but unrealistic investment opportunities or promises of substantial rewards, such as fake lottery winnings, in exchange for an upfront payment. Once paid, victims either lose contact with the fraudster or are pressured into further payments to unlock even larger returns.
  • Fraudulent merchants and charities: In these cases, fraudsters pose as legitimate merchants or charities (sometimes replicating well-known websites) to deceive customers into making purchases, only to steal the funds. Social media marketplace scams continue to rise and are becoming one of the major causes of fraud today.

To combat these types of fraud, financial institutions can implement several countermeasures, including:

  • Customer education: Financial institutions should educate customers on recognizing these scams. Recommended steps include double-checking messages through alternate channels, reconciling invoices with order forms, validating payments through appropriate managers and recognizing common scam traits like urgency, unusual requests, foreign account numbers or unrealistic promises ("if it sounds too good to be true, it likely is").
  • Verification of Payee (VoP): VoP services verify whether the recipient name provided by the payer matches the holder of the beneficiary account. Such a check helps to prevent both authorized push payment (APP) fraud and misdirected payments. Companies like SurePay, OB Connect, Worldline, Tell Money, iPiD and Banfico offer these services.
  • Extra Controls and Warnings: Banks can add controls and issue warnings for payments to new recipients or large transactions.
  • Trusted Contacts: Customers can invite a trusted friend or family member to review transactions exceeding a certain limit. This added layer of validation helps prevent fraudulent transfers by involving someone the customer trusts.
  • Counterparty Risk Verification: Financial institutions can leverage data to verify a counterparty’s credibility, solvency, and liquidity (cf. the CPRA software of Capilever). Offering this verification to customers could reduce fraud by assessing the legitimacy of URLs or verifying company names and company registration numbers. Crowd-sourcing tools enable financial institutions to maintain comprehensive, current lists of known fraudulent websites.


Deposit Scams

This type of fraud occurs when fraudsters deceive customers into believing they have received a legitimate deposit. For example, a fraudster posing as a buyer of a second-hand laptop might show a fake payment confirmation to the seller. Convinced the payment has been made, the seller hands over the laptop, only to later discover that no payment was ever received. Fraudsters may even use counterfeit banking apps to create realistic-looking payment confirmations, further tricking victims into believing the transaction was completed.

Solutions to prevent such scams include implementing real-time payment confirmations through instant payments and utilizing Request-to-Pay (RtP) services, which allow sellers to verify transactions before releasing goods.


Internal Fraud

Bank employees themselves can manipulate or intercept funds, sometimes acting in collusion with other employees or external fraudsters. Common examples of internal fraud include:

  • Payment Injection: Adding unauthorized payments to the payment flow after all compliance checks have been completed.
  • Payment Suppression: Deleting legitimate payments within the flow.
  • Payment Tampering: Modifying key payment details, such as the creditor’s account number or the transaction amount.
  • Collaboration with External Actors: Employees may assist in hacking attempts or share sensitive customer information, enabling fraudsters to carry out attacks.

Financial institutions can mitigate internal fraud risks through:

  • Business Activity Monitoring: Payments should be monitored at various interception points throughout their lifecycle. For instance, an injected payment would lack prior interception events, while tampered payments would show inconsistencies in attributes between consecutive interception points.
  • Internal Fraud Monitoring: Identifying suspicious patterns in payments can help detect fraudulent activity by employees.
  • Robust Internal Security: Measures such as unique user credentials, strong authentication mechanisms, data encryption, four-eyes (dual approval) controls, and clear segregation of roles and responsibilities can minimize risks.
  • Access and Audit Logs: Tracking all employee activities and conducting regular audits is crucial. For sensitive accounts—such as those belonging to employees, high-net-worth individuals, or celebrities—spot checks should be conducted. These checks involve asking employees to justify their access to specific data to ensure it aligns with legitimate business needs.
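The business activity monitoring described above, as an added example that is not code from the original post: each payment is expected at a fixed sequence of interception points, so a payment that surfaces only at release was injected after the checks, a payment whose key attributes differ between consecutive points was tampered with, and a payment that enters the flow but never reaches release within the SLA may have been suppressed. The interception point names, record layout, SLA and all sample events are constructed assumptions.

```python
"""Business activity monitoring across payment interception points.

Added example, not from the original post. Interception point names,
the record layout, the SLA and all sample events are constructed.
"""
from collections import defaultdict

# Ordered interception points a legitimate payment must pass through.
STAGES = ["received", "screened", "approved", "released"]
# Attributes that must stay identical between consecutive points.
KEY_FIELDS = ("creditor_iban", "amount")


def analyse(events, now, stall_minutes=60):
    """Return {payment_id: [finding, ...]} for payments that look injected,
    tampered or suppressed. `events` are dicts with payment_id, stage, ts
    (minutes) and the KEY_FIELDS; `now` is the current time in minutes."""
    seen = defaultdict(dict)               # payment_id -> stage -> event
    for ev in events:
        seen[ev["payment_id"]][ev["stage"]] = ev
    findings = defaultdict(list)
    for pid, stages in seen.items():
        present = [s for s in STAGES if s in stages]
        if "released" in stages:
            # Injection: released without any trace at the earlier points
            missing = [s for s in STAGES[:-1] if s not in stages]
            if missing:
                findings[pid].append("injected: released without " + ",".join(missing))
        else:
            # Suppression: entered the flow but never released within the SLA
            last_ts = max(ev["ts"] for ev in stages.values())
            if now - last_ts > stall_minutes:
                findings[pid].append(f"suppressed: stalled after {present[-1]}")
        # Tampering: a key attribute changed between consecutive points
        for prev, nxt in zip(present, present[1:]):
            for field in KEY_FIELDS:
                if stages[prev][field] != stages[nxt][field]:
                    findings[pid].append(
                        f"tampered: {field} changed between {prev} and {nxt}")
    return dict(findings)


def _ev(pid, stage, ts, iban="BE00 0000 0000 0000", amount=100.0):
    """Build one constructed interception record (IBANs are placeholders)."""
    return {"payment_id": pid, "stage": stage, "ts": ts,
            "creditor_iban": iban, "amount": amount}


SAMPLE_EVENTS = [
    # P1: clean path through all four points
    _ev("P1", "received", 0), _ev("P1", "screened", 2),
    _ev("P1", "approved", 5), _ev("P1", "released", 8),
    # P2: appears only at release, i.e. injected after the compliance checks
    _ev("P2", "released", 9, iban="BE99 9999 9999 9999", amount=25000.0),
    # P3: creditor account swapped between approval and release
    _ev("P3", "received", 1, amount=500.0), _ev("P3", "screened", 3, amount=500.0),
    _ev("P3", "approved", 6, amount=500.0),
    _ev("P3", "released", 10, iban="BE99 9999 9999 9999", amount=500.0),
    # P4: screened, then vanishes from the flow
    _ev("P4", "received", 1), _ev("P4", "screened", 4),
]
```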


Chargeback and Return Fraud

Sometimes called "friendly fraud", this involves a customer disputing legitimate charges or exploiting return policies to obtain refunds. Typical examples are customers claiming that:

  • they did not authorize a transaction, in order to get a refund or to avoid paying for goods or services they did receive;
  • they never received the goods or services they ordered, when in fact they did;
  • the goods or services they received were not as described or were defective.

Obviously, most of the measures here need to be taken by merchants, such as having clear policies and procedures for handling customer complaints and disputes, documenting all transactions and customer interactions as evidence in case of a claim, requiring signatures upon receipt of goods, keeping tracking information for deliveries, and communicating return and refund policies clearly to customers.

Financial institutions can help educate merchants about this type of fraud, but can also collect information about customers who have committed friendly fraud and potentially block them from certain payments.


External Hacking Attack

Finally, there is the possibility that the financial institution itself is hacked from outside and compromised as such. The result can be that the hackers:

  • Gain access to data and sell it on the black market for social engineering purposes
  • Gain access to data and use it to blackmail the financial institution, threatening to make customers' confidential financial information public
  • Gain access to operational systems and execute financial transactions
  • Deploy ransomware: software that locks a user’s files and devices, rendering them inaccessible. Cybercriminals then demand a ransom, usually in cryptocurrency, to unlock them
  • Carry out man-in-the-middle attacks, i.e. place software that captures customers' authentication credentials and use those to authenticate on the customer's account as if they were the legitimate user

Obviously, financial institutions protect themselves against this via proper security mechanisms (advanced firewalls, encryption, immediate patching of vulnerabilities, proper internal authentication…​) and by educating employees about the risks their actions pose.

While targeted strategies are essential for addressing each above-described type of fraud, a holistic (360°) approach is the most effective defense. By centralizing authentication, activity, and transaction data, financial institutions can more effectively identify and respond to suspicious patterns. While individual actions may seem innocent, combining them often reveals clear indicators of fraudulent activity. Additionally, sharing information across institutions strengthens industry-wide defenses against fraud.

To combat financial crime effectively, institutions must not only rely on traditional methods but also incorporate advanced techniques that adapt to evolving threats. Key strategies include:

  • Equip Customers with Necessary Tools: Empower customers with resources to validate transactions and protect themselves:
    • Merchant Credibility Checks: Enable customers to assess the legitimacy of merchants or websites before completing transactions.
    • Self-Protection Settings: Allow customers to set personal transaction limits or apply restrictions based on amount, time, or geography.
    • Customer Education: Educate customers on identifying fraud risks and effectively using protective tools. Incorporate gamification techniques to make learning engaging, fun, and rewarding.
  • FRAML (Fraud and Anti-Money Laundering): The convergence of fraud and anti-money laundering (AML) efforts is revolutionizing how financial institutions tackle financial crime. FRAML aligns fraud detection with AML operations, breaking down silos between security and compliance teams. This approach targets not only how illicit money is acquired but also how criminals attempt to obscure its origins within the financial system.
  • Behavioral Analysis and AI: Leverage artificial intelligence and behavioral analysis to detect anomalies in real time. Analyze customer behavior such as typing speed, location, device usage, and navigation patterns to flag suspicious activity.
  • Information Sharing Across Institutions: Collaboration between financial institutions is critical for building resilience against fraud attacks. Banks can share key information to identify fraud patterns and enhance detection, such as:
    • IP Addresses
    • Account Numbers (e.g. IBANs). Include lists of generic accounts often used for legitimate purposes but also frequently exploited in financial crime schemes. While these accounts pose a higher risk, they should not be fully blacklisted due to their dual use.
    • Merchant and Terminal Identifiers (POS)
    • Beneficiary Names: Supplement official sanction lists with crowd-sourced lists of suspicious names.

Information sharing can vary in complexity — from simple blacklists to detailed data exchanges containing flagged transaction metadata. Combining multiple suspicious indicators strengthens fraud detection and enhances risk assessments, enabling institutions to proactively address potential threats.

By fostering collaboration between customers, banks, and the broader financial industry, institutions can outpace fraudsters and mitigate emerging threats. Combined with proactive technology and a holistic strategy, these efforts create a robust, unified defense against financial crime, ensuring greater security and trust in the financial ecosystem.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
