The Fraud Landscape
Understanding fraud types, economics, and the attacker's toolkit in 2026
The State of Fraud Today
Financial fraud is not slowing down. It is accelerating. According to Nasdaq and Verafin's 2025 annual fraud report, global fraud losses climbed 9.2 percent year over year, reaching historic levels. Card fraud alone cost institutions over $28 billion in 2025. Account takeover fraud grew 17 percent, and synthetic identity fraud grew 22 percent. The trend is clear: every fraud prevention measure creates pressure on attackers, and attackers are responding faster than defences evolve.
The scale of the problem makes fraud an existential architectural concern. Fraud is not an edge case. It is a structural component of financial services infrastructure. Every decision you make about authentication, transaction routing, customer onboarding, and risk scoring will be tested by adversaries with sophisticated tools, real financial incentives, and no time constraints.
Fraud prevention is not a feature. It is a design principle that runs through every layer of the stack: identity verification, transaction scoring, settlement, chargebacks, and customer support. Organisations that do not architect for fraud get caught flat-footed when attacks scale.
The economics tell the story. Direct losses from fraud are large. But the operational costs of fraud prevention are larger. And the cost of false declines (when legitimate transactions get blocked) is often larger still. A merchant might lose 3 percent of revenue to fraud, but lose 5 percent to false declines. That math drives every design choice in modern risk architecture.
Why Fraud Matters Now
Three shifts have made fraud harder to catch and more expensive to fight:
- Generative AI has weaponised identity spoofing. Deepfakes, synthetic portraits, and AI-generated documents are now commodities. What took weeks and hundreds of dollars five years ago takes minutes and dollars now. The identity verification industry is in a perpetual arms race with AI.
- Transaction velocity has exploded. Authorisations that used to happen over minutes now happen in milliseconds. Fraud scoring has to be instantaneous, which means you have seconds to make the difference between blocking a fraudster and incorrectly declining a legitimate customer.
- Attacker sophistication has matured. Modern fraud is not random. It is highly coordinated. Attackers operate across multiple merchants, sharing synthetic identities, testing cards in patterns designed to evade detection, and moving money through complex chains. Single-merchant fraud detection is insufficient. You need network-level insight.
Fraud Types and the Transaction Lifecycle
Fraud is not monolithic. Different attack vectors hit at different points in the transaction lifecycle. Understanding where the fraud happens is the foundation for preventing it.
Synthetic Identity Fraud
A synthetic identity is a combination of real and fake personal information. The fraudster might use a real tax ID with a fake name and address, or a real Social Security number paired with forged documents. Synthetic identities are built to pass KYC checks on the first attempt, then systematically build credit history or transact at scale before being shut down.
Synthetic identity fraud is the fastest-growing fraud segment. It targets onboarding directly. The attacker's goal is to create a verified account that looks legitimate to every system it passes through. Modern synthetic identity attacks leverage generative AI to create documents that fool OCR systems and liveness detection. The attacker runs thousands of synthetic identity applications in parallel, knowing that 1 percent conversion equals massive scale.
The challenge: catching synthetic identities requires behaviour signals that do not exist yet. A brand new account is, by definition, a new account. You cannot catch it on velocity (there is no history to measure against). You cannot catch it on device fingerprint (there is no device history to compare). You have to catch it on document quality, biometric match, and behaviour that does not match the profile that was created.
Card-Not-Present (CNP) Fraud
CNP fraud happens when a stolen card is used in a remote transaction: ecommerce, phone, mail order. The fraudster does not need the physical card. They just need the card number, expiration, and CVV. For digital products and instant goods, the transaction can clear before the legitimate cardholder even knows the card was compromised.
CNP fraud is the bread and butter of ecommerce fraud. Unlike account takeover, it does not require compromising an account. It only requires a card number. Carding (testing stolen card numbers against multiple merchants) is a commodity operation. Attackers run automated card testing at scale against hundreds of merchants in parallel, looking for cards that work and targeting those merchants for larger transactions.
The attacker's toolkit: purchased card dumps from the dark web, automated testing infrastructure that tries thousands of cards per second, proxy services that mask geographic origin, and knowledge of which merchants have weak fraud detection. The defence is instantaneous: fraud scoring at authorisation time, behavioural analysis of the transaction, device fingerprinting, and velocity checks that flag impossible patterns.
Account Takeover (ATO)
ATO happens when an attacker gains control of a legitimate customer account. This could happen through credential compromise (phishing, password breach reuse), session hijacking, or social engineering. Once in, the attacker can make transactions, change contact information, reset passwords, or drain payment methods stored on the account.
ATO is more valuable to the attacker than single-transaction fraud because it provides access to an account with history, payment methods, and trust. The attacker might run small transactions first to avoid triggering alerts, then escalate to larger ones. ATO fraud is harder to catch because the transactions are coming from an account that legitimately exists, with legitimate payment methods, possibly with some history of legitimate transactions.
The modern ATO attack leverages credential leaks from third-party breaches. Attackers buy lists of email and password combinations from dark web marketplaces, try them against financial services companies, and convert successful logins into fraud. The secondary attack vector is SIM swapping: the attacker convinces the telecom provider to transfer the victim's phone number to a device controlled by the attacker, then uses it to reset passwords and bypass 2FA.
Friendly Fraud (Chargeback Fraud)
Friendly fraud is when a customer makes a legitimate purchase, receives the goods or services, then disputes the transaction with their bank and claims they never received it or never authorised it. The customer gets the refund, keeps the goods, and the merchant loses both the revenue and the product.
Friendly fraud is growing because the chargeback process is designed to protect customers, not merchants. The merchant has a limited window to provide evidence of delivery or authorisation. If that evidence is weak, the bank rules in the customer's favour. Organised friendly fraud rings operate at scale, using repeat tactics against merchants known to have weak chargeback response processes.
The economics of friendly fraud are brutal: the merchant loses the product cost plus the transaction cost plus a chargeback fee (typically $15 to $100). For a $50 transaction, a merchant might lose $75 total. The customer risk is minimal because the bank trusts the customer and wants to maintain the relationship.
Merchant Fraud and Transaction Laundering
Merchant fraud happens when the merchant themselves commits fraud. This could be processing transactions that were never authorised, running currency conversion schemes, or processing transactions for merchants that are prohibited (gambling, illegal goods, high-risk businesses operating under false merchant accounts).
Transaction laundering is when a merchant with a high-risk merchant category code (MCC) processes transactions through a merchant account with a lower-risk MCC to hide the true nature of the transaction. A gambling operation might process transactions through a shell company with a retail MCC. The networks and acquirers try to catch this through merchant monitoring and transaction pattern analysis, but the most sophisticated schemes can hide in plain sight for months.
The Attacker's Toolkit in 2026
Fraud has evolved from opportunistic to industrial. Modern attackers have tools and infrastructure that would have required the resources of nation-states a decade ago. Understanding what they have access to is the foundation for building defences that actually work.
Generative AI for Document and Biometric Spoofing
Large language models and diffusion models have made synthetic identity creation industrial-scale. An attacker can now generate realistic fake documents, produce deepfake videos for liveness detection, and create synthetic portraits that pass facial recognition systems. The quality is high enough to fool humans, and increasingly high enough to fool algorithms.
The economic shift is stark. Five years ago, creating a fraudulent passport took specialist skills, physical materials, and days of work. Today, an attacker can generate 1,000 realistic fake documents in parallel using publicly available AI tools. The marginal cost approaches zero. The detection cost is increasing. This is a fundamental asymmetry that favours the attacker.
The most sophisticated attacks combine AI-generated documents with real identity information. The attacker uses a real name, address, and date of birth from a data breach, then generates documents that match those credentials. To the identity verification system, everything looks consistent and real, because some of it actually is.
Automated Card Testing and Carding Infrastructure
Carding is the art and science of testing stolen card numbers against merchant systems to find which ones work. Automated carding infrastructure tests thousands of cards per second against multiple merchants in parallel. The attacker does not need 100 percent conversion. They just need a 2 to 5 percent hit rate. At scale, that is enough to generate millions in fraudulent revenue.
The cards come from data breaches, point-of-sale compromises, or payment processor breaches. They are bundled into lists called "card dumps" and sold on dark web marketplaces. The cost is often less than 1 dollar per card. The infrastructure to test them costs even less. The return is enormous.
Carding operations exploit merchant-side weaknesses: weak fraud detection, slow velocity checks, merchants that are not part of major card network fraud intelligence networks. The attacker targets merchants known to have fast checkout, no 3D Secure enforcement, and slow fraud review processes. The goal is to find working cards before the merchant shuts down the transaction.
Botnets, Proxies, and Geo-Spoofing
Carding and ATO attacks need to mask their origin. Botnets provide distributed traffic that looks like it is coming from millions of different devices. Proxy services route traffic through intermediary servers to hide the attacker's IP address. Residential proxy services route traffic through actual consumer ISPs, making the traffic look like it is coming from a home network, not a data centre or bot command-and-control server.
Geo-spoofing makes fraudulent transactions look geographically legitimate. If a card is registered in New York, the attacker routes the transaction through a proxy in New York so it shows the "correct" geographic origin. Velocity checks that flag impossible geographic jumps are rendered useless.
Credential Stuffing and Password Breach Reuse
ATO attacks often start with credential lists from third-party data breaches. When Target was breached in 2013, attackers used those credentials to compromise accounts at other retailers. The attacker does not need to crack the password. They just need to wait for someone else to get breached, then try the email and password combination everywhere else.
Credential stuffing automation tests millions of credential pairs against login endpoints in parallel. The attacker needs only a tiny percentage to work. For a list of 100 million credentials with a 0.1 percent conversion rate, that is 100,000 compromised accounts. At that scale, the attacker can be selective about which accounts to exploit.
Data Brokers and Synthetic Identity Building
Data brokers compile personal information from hundreds of sources: public records, warranty registrations, social media, data breaches, purchase history. An attacker can purchase a list of names, addresses, and phone numbers, then use that list to build synthetic identities. The foundation is real (pulled from a breach or purchased from a broker). The identity is fake (constructed to pass KYC).
The sophisticated approach combines real data with AI-generated documents. The attacker takes a real person's name and SSN from a breach, generates documents that match that identity but with fake biometric data (AI-generated face), and submits a KYC application. If the identity verification system trusts document quality over biometric match quality, the application gets approved. The attacker now has a verified account that is legally attached to someone else's identity, but fully controlled by them.
From Rules to Machine Learning: The Detection Evolution
Fraud detection has evolved through three distinct eras. Understanding where your organisation sits in this evolution determines whether your fraud prevention is ahead of or behind the current threat landscape.
Rule-Based Detection (Pre-2015)
Early fraud detection relied on human-written rules. If a transaction exceeded a threshold velocity (too many transactions in too short a time) or came from an unexpected geography, it was flagged. These rules were explicit, auditable, and easy to explain. They were also brittle. Every new attack vector required a new rule. Attackers quickly learned the thresholds and operated just below them.
Rule-based systems are still in use, but as a supplementary layer. They are fast, require no training data, and are trivial to explain to regulators. But they are fundamentally reactive. You write rules in response to attacks you have already seen. You are always one step behind.
Machine Learning Transition (2015-2020)
As fraud evolved, organisations realised that static rules could not keep pace. Machine learning models could learn patterns from historical data and identify anomalies without explicit rule programming. A model trained on millions of legitimate transactions could learn what "normal" looked like for a customer or merchant, then flag deviations.
The challenge was data quality and model interpretability. Models trained on noisy data with incomplete feature engineering produced garbage outputs. And when a model denied a transaction, the customer demanded an explanation that the model could not provide. Machine learning was powerful but opaque.
Modern ML-Native Detection (2020-Present)
Today's best-in-class fraud prevention combines rule-based detection (for known attacks), machine learning (for pattern detection), and network-level signals (for coordinated fraud). The architecture is hybrid: rules for speed, ML for precision, network signals for scale.
Modern models are feature-rich. They ingest hundreds of signals: device fingerprint, IP reputation, velocity, geolocation, biometric match quality, network associations, merchant category, transaction characteristics, and historical customer behaviour. The model learns which combinations of features signal fraud, and crucially, learns to down-weight features that are easy for attackers to spoof (like geolocation) and up-weight features that are hard to spoof (like biometric consistency, device fingerprint entropy, velocity patterns).
The key innovation is explainability. Modern ML models output not just a fraud score, but a reasoning chain that explains which features drove the decision. This allows humans to review high-value decisions, understand why a legitimate customer was declined, and catch model drift before it becomes a problem.
The Economics of Fraud Prevention
Fraud prevention is an optimisation problem, not a binary choice between preventing fraud and allowing it. You are optimising across three competing costs: direct fraud losses, operational costs of fraud prevention, and false decline losses.
Direct Fraud Losses
Direct fraud losses are the money lost to fraud. A customer makes a fraudulent $500 transaction. The bank or merchant loses $500. This is the most visible cost and the most commonly cited in board meetings.
Operational Costs of Fraud Prevention
Preventing fraud costs money. You need people to investigate cases, technology to run models, infrastructure to process signals, and continuous monitoring to catch model drift. A large bank might spend tens of millions annually on fraud prevention. The cost grows non-linearly as prevention intensity increases. You start with the easiest wins (obvious patterns, high-confidence rules), then progress to harder cases that require more human investigation and more sophisticated models.
False Decline Losses
False declines are when a legitimate transaction gets blocked. The customer loses the sale, the merchant loses the revenue, and the customer might switch to a competitor. The cost of a false decline is not just the transaction amount. It is the lifetime value of the customer relationship at risk.
For a merchant, a 5 percent false decline rate can cost more in lost revenue than a 3 percent fraud rate costs in fraud losses. A customer declined on a $100 transaction is not just a $100 loss. It is the customer's future purchases, their reviews, their referrals. That customer might close their account and move to a competitor with friendlier fraud rules.
This economic reality forces a strategic choice: optimise for catching fraud, or optimise for customer experience? The answer is neither. You optimise for the total economic cost. You accept some fraud and some false declines, and you calibrate your system to minimise the sum of both.
The Total Cost Optimisation
The optimal fraud prevention strategy minimises the total of all three costs. This is rarely 100 percent fraud prevention. It is usually somewhere in the 90 to 98 percent range, with the exact threshold varying by business model, customer segment, and competitive landscape.
A high-value merchant (luxury goods, high transaction size) optimises for false decline reduction because each customer is valuable. A commodity merchant (fast fashion, low transaction size) optimises for fraud reduction because chargeback rates destroy margins. A lending platform optimises for fraud detection in onboarding because a fraudulent account costs more to recover from than false declines cost in acquisition.
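The threshold choice described in this section can be worked through on labelled history. The following is an added example, not part of the original article: the transactions are constructed, and the three cost parameters (chargeback fee, false decline multiplier, review cost) are assumptions to be replaced with your own figures.

```python
from dataclasses import dataclass

# Assumed cost parameters, chosen for illustration only.
CHARGEBACK_FEE = 25.0      # fee added to each fraudulent transaction that is approved
FALSE_DECLINE_MULT = 3.0   # future value put at risk per dollar of legitimate spend declined
REVIEW_COST = 5.0          # operational cost of handling each declined transaction


@dataclass(frozen=True)
class Txn:
    score: float     # model fraud score in [0, 1]
    amount: float    # transaction amount in dollars
    is_fraud: bool   # label known only in hindsight (chargeback or confirmed fraud)


# Constructed, labelled history: (score, amount, is_fraud).
HISTORY = [Txn(*row) for row in [
    (0.05, 120, False), (0.10, 40, False), (0.15, 300, False), (0.20, 60, False),
    (0.30, 50, True), (0.35, 80, False), (0.55, 200, False), (0.60, 400, True),
    (0.70, 60, False), (0.80, 500, True), (0.90, 250, True), (0.95, 700, True),
]]


def costs_at(threshold, txns):
    """Cost breakdown when every transaction scoring >= threshold is declined."""
    fraud = false_decline = ops = 0.0
    for t in txns:
        if t.score >= threshold:
            ops += REVIEW_COST
            if not t.is_fraud:
                false_decline += t.amount * FALSE_DECLINE_MULT
        elif t.is_fraud:
            fraud += t.amount + CHARGEBACK_FEE
    return {"fraud": fraud, "false_decline": false_decline, "ops": ops,
            "total": fraud + false_decline + ops}


def fraud_catch_rate(threshold, txns):
    """Share of fraudulent dollar value that the threshold declines."""
    total = sum(t.amount for t in txns if t.is_fraud)
    caught = sum(t.amount for t in txns if t.is_fraud and t.score >= threshold)
    return caught / total if total else 1.0


def full_catch_threshold(txns):
    """Highest threshold that still declines every fraudulent transaction."""
    return min(t.score for t in txns if t.is_fraud)


def best_threshold(txns):
    """Threshold with the lowest total cost; 1.01 means 'decline nothing'."""
    candidates = sorted({t.score for t in txns}) + [1.01]
    return min(candidates, key=lambda th: (costs_at(th, txns)["total"], th))


if __name__ == "__main__":
    for name, th in [("catch all fraud", full_catch_threshold(HISTORY)),
                     ("minimum total cost", best_threshold(HISTORY))]:
        print(f"{name}: threshold={th:.2f} costs={costs_at(th, HISTORY)} "
              f"catch_rate={fraud_catch_rate(th, HISTORY):.1%}")
```

Raising `FALSE_DECLINE_MULT` models the high-value merchant and pushes the optimum threshold up; raising `CHARGEBACK_FEE` models the commodity merchant and pushes it down.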
Network-Level Fraud Detection
The frontier of fraud detection is not single-transaction analysis. It is network-level analysis. Organisations such as Visa and Mastercard, and companies like Sift, process trillion-event datasets that show how fraud moves across merchants and networks.
Network-level signals reveal coordinated fraud that single-merchant signals miss. One merchant might see a card tested 100 times and flag it. But network-level systems see that same card tested 100 times across 500 different merchants, revealing a coordinated carding operation. One merchant might see 50 accounts opened with similar documents and flag it. But network-level systems see 50,000 accounts opened across the entire network with documents generated by the same synthetic identity pipeline.
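The gap between the two views can be shown with one set of authorisation attempts scored twice. The following is an added example, not part of the original article: the events, the card tokens, the window, and both limits are constructed assumptions. It also illustrates the earlier point about attackers operating just below per-merchant rule thresholds.

```python
from collections import Counter, defaultdict

WINDOW_S = 600              # sliding window in seconds (assumed)
PER_MERCHANT_LIMIT = 5      # attempts by one card at one merchant per window (assumed)
NETWORK_MERCHANT_LIMIT = 4  # distinct merchants seen for one card per window (assumed)


def sample_events():
    """Constructed authorisation attempts as (timestamp_s, merchant, card_token)."""
    events = []
    # tok_A: two attempts at each of six merchants inside six minutes,
    # staying well under every individual merchant's limit.
    for i in range(6):
        events += [(i * 60, f"m{i + 1}", "tok_A"), (i * 60 + 20, f"m{i + 1}", "tok_A")]
    # tok_B: an ordinary customer, three purchases spread over hours.
    events += [(1000, "m1", "tok_B"), (9000, "m2", "tok_B"), (30000, "m1", "tok_B")]
    # tok_C: six rapid attempts at a single merchant.
    events += [(500 + 10 * i, "m3", "tok_C") for i in range(6)]
    return sorted(events)


def merchant_view(events):
    """Per-merchant velocity rule: returns the (merchant, card) pairs it flags."""
    by_key = defaultdict(list)
    for ts, merchant, card in events:
        by_key[(merchant, card)].append(ts)
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            while ts - times[lo] > WINDOW_S:
                lo += 1                      # drop attempts older than the window
            if hi - lo + 1 >= PER_MERCHANT_LIMIT:
                flagged.add(key)
    return flagged


def network_view(events):
    """Cross-merchant rule: returns {card: peak distinct merchants in a window}."""
    by_card = defaultdict(list)
    for ts, merchant, card in events:
        by_card[card].append((ts, merchant))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        lo, in_window, peak = 0, Counter(), 0
        for ts, merchant in rows:
            in_window[merchant] += 1
            while ts - rows[lo][0] > WINDOW_S:
                old = rows[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]       # merchant no longer inside the window
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= NETWORK_MERCHANT_LIMIT:
            flagged[card] = peak
    return flagged


if __name__ == "__main__":
    ev = sample_events()
    print("merchant-level flags:", merchant_view(ev))
    print("network-level flags: ", network_view(ev))
```

No single merchant ever sees more than two attempts from `tok_A`, so only the aggregated view flags it; the noisy single-merchant card `tok_C` is the only one the per-merchant rule catches.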
The challenge is access to this data. Only the largest networks and payment processors have the visibility. A mid-market merchant does not see fraud patterns beyond their own customer base. This creates an asymmetry: large merchants and acquirers get better fraud intelligence because they see more data. Smaller merchants are left to build their own fraud prevention or rely on third-party services.
This is driving a shift toward specialised fraud-as-a-service platforms. Sift, Kount, Radcom, and others aggregate signals across merchants and networks, then license intelligence back to individual merchants. It is a de facto data co-op where smaller merchants get access to network-level intelligence they could not build on their own.
Where does your organisation sit in the fraud detection evolution: rule-based, machine learning transition, or ML-native hybrid architecture? And what is the economic cost to your business of current fraud and false decline rates?
Key Takeaways
- Fraud is accelerating: Global fraud losses grew 9.2 percent in 2025. Synthetic identity, account takeover, and card-not-present fraud are the fastest-growing segments.
- Fraud types hit at different points: Synthetic identity hits at onboarding. CNP and carding hit at transaction time. ATO hits post-authentication. Friendly fraud hits at chargeback. Each requires different defences.
- The attacker's toolkit is industrial: Generative AI for document spoofing, automated carding infrastructure, botnets, proxy services, and data broker access make fraud scalable and nearly invisible.
- ML-native detection is the standard: Rule-based detection is reactive. Modern organisations use hybrid approaches: rules for speed, ML for pattern detection, network signals for coordinated fraud.
- Fraud economics drive strategy: Optimal fraud prevention is not catching 100 percent of fraud. It is the balance point between fraud losses, prevention costs, and false decline losses. The optimal threshold varies by business model.
- Network-level signals are the frontier: Single-merchant fraud detection misses coordinated attacks. Network-level platforms see attacks that are invisible at the merchant level.