Fraud vs Scams: The Architectural Shift Required to Protect Real-Time Payments
By Jon Draper
Authorized manipulation has displaced unauthorized access as the primary method by which criminals extract money from the financial system — and most institutional defenses are still built for the threat that no longer dominates.
The financial sector spent two decades learning to keep bad actors out of customer accounts. Behavioural biometrics, device fingerprinting, and layered transaction monitoring made the industry genuinely proficient at detecting when someone other than the account holder was trying to act. That proficiency has not disappeared, but it has become increasingly peripheral to the losses that now accumulate fastest. In the first half of 2025 alone, UK Finance recorded £629.3 million stolen — roughly £2,300 and eight victims every minute — and the majority of that figure was not the result of compromised credentials or broken perimeters.
The numbers in the United States make the directional shift explicit. Deloitte estimates that losses from authorized push payment fraud reached $8.3 billion in 2024 and are forecast to reach $14.9 billion by 2028. That trajectory — nearly doubling over four years — reflects not a failure of cybersecurity investment but a structural mismatch: the industry hardened the door while criminals persuaded customers to open it themselves.
The Taxonomy of Theft: Understanding the Difference Between Scams and Fraud
The difference between scams and fraud matters precisely because the two categories require entirely different defenses.
Traditional fraud — card cloning, account takeover, credential stuffing — is an unauthorized intrusion. A criminal bypasses security protocols and acts without the account holder's knowledge. The appropriate defense is identity-centric: if the device, IP address, or biometric signature is unrecognized, the system blocks the transaction. This model works reasonably well because the anomaly is detectable at the point of origin.
Authorized push payment (APP) fraud operates on a different principle entirely. The victim, having been manipulated through social engineering or impersonation of a trusted institution, initiates the transfer. The payment is technically clean. The customer authenticated correctly, the instruction came from a verified device, and the transaction cleared every rule the sending bank had written. The crime is invisible to point-of-origin defenses because the point of origin is, in every technical sense, legitimate.
This is not a marginal edge case that existing frameworks can absorb. It is the dominant attack method, and the gap between the sophistication of the manipulation and the sophistication of payment fraud detection is widening.
The Blind Spot of Transaction Monitoring
The core challenge is structural. When a victim sends money to a mule account — an account used to layer and move stolen funds — the sending bank observes a legitimate customer performing a standard transfer. The receiving bank observes an incoming payment indistinguishable from any other. Neither institution holds sufficient context to identify the crime in real time, because the relevant context is distributed across both of them simultaneously.
Criminals have engineered their operations around this gap. Mule clusters — networks of accounts spread deliberately across multiple institutions — are constructed so that no single bank ever sees enough of the pattern to act. High-velocity layering moves value through these accounts faster than bilateral intelligence sharing can follow. Circular fund flows obscure the origin. The crime is not hidden within any one institution; it is hidden in the space between them.
Catching these networks requires a shift in analytical frame. Examining individual transactions, even with sophisticated rule engines, cannot surface a pattern that only becomes visible at the level of the entire payment ecosystem. Treating that ecosystem as a single connected graph — applying structural community detection to identify clusters of accounts exhibiting mule-like behaviour regardless of which institution holds them — changes what is detectable. The account cluster that is invisible to any one bank becomes visible the moment the graph is complete.
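The effect described above can be shown on a small constructed dataset. This is an added example, not FNA's code or method: it uses connected components over pass-through accounts as a simple stand-in for structural community detection, and every account name, bank label, amount and threshold in it is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real accounts): account -> holding bank.
BANK = {"victim1": "A", "victim2": "B", "m1": "A", "m2": "B", "m3": "C",
        "m4": "A", "cashout": "C", "shop": "B", "alice": "C"}
# (sender, receiver, amount, minute offset)
TRANSFERS = [
    ("victim1", "m2", 5000, 0), ("victim2", "m1", 4000, 2),
    ("m2", "m3", 4900, 5), ("m1", "m3", 3900, 6),
    ("m3", "m4", 8700, 9), ("m4", "cashout", 8600, 12),
    ("alice", "shop", 60, 3), ("victim1", "shop", 25, 30),
]

def pass_through(transfers, window=15, ratio=0.9):
    """Accounts forwarding >= ratio of funds received, within window minutes."""
    received, forwarded, first_in = defaultdict(float), defaultdict(float), {}
    for src, dst, amt, t in sorted(transfers, key=lambda x: x[3]):
        received[dst] += amt
        first_in.setdefault(dst, t)
        if src in first_in and t - first_in[src] <= window:
            forwarded[src] += amt
    return {a for a in received if forwarded[a] >= ratio * received[a]}

def clusters(transfers, held=None, min_size=3):
    """Connected components among pass-through accounts (union-find)."""
    nodes = pass_through(transfers)
    if held is not None:
        nodes &= held  # an institution can only profile accounts it holds
    parent = {n: n for n in nodes}
    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n
    for src, dst, _, _ in transfers:
        if src in nodes and dst in nodes:
            parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return [g for g in groups.values() if len(g) >= min_size]

def bank_clusters(bank):
    """What one bank can find from transfers touching its own accounts."""
    held = {a for a, b in BANK.items() if b == bank}
    seen = [t for t in TRANSFERS if t[0] in held or t[1] in held]
    return clusters(seen, held)

if __name__ == "__main__":
    for bank in "ABC":
        print(bank, bank_clusters(bank))   # each bank alone finds nothing
    print("merged", clusters(TRANSFERS))   # full graph exposes the cluster
```

Each bank, limited to the accounts it holds, sees at most isolated pass-through accounts; only the merged graph links them into one cluster spanning all three institutions.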
Identifying those networks is, however, only the first step in moving from reactive monitoring to a genuinely preventive posture. The second step is acting on the intelligence in time to matter. Scammed funds cross institutional boundaries within minutes; coordinated freezes that depend on sequential bilateral communication arrive days too late.
What that gap demands is not better tools within individual institutions but a different operating architecture between them — national-level infrastructure capable of sharing intelligence and triggering coordinated responses in real time, across every institution simultaneously, through a single neutral layer that no single bank owns and no criminal network can route around.
Deploying the National Anti-Scam Architecture
Financial Network Analytics (FNA) has built that architecture. The award-winning National Fraud Portal and Money Trails platforms are designed specifically for deployment at the jurisdictional level, enabling cross-institutional fund tracing, AI-driven network detection, and secure intelligence sharing across entire financial ecosystems.
Operational deployments have processed over 100,000 fraud cases across 48 financial institutions, with case resolution times reduced by 75% and transaction volumes reaching 15 million per day. The problem of authorized manipulation is solvable — but only at the scale at which it actually operates.
To explore FNA's approach to national anti-scam infrastructure, visit fna.fi/solution/fraud-portals/.