By: Alex Clements, Head of Anti-Money Laundering at TransferMate

One of the earliest recorded examples of payment fraud occurred in 300 BC, when the ancient Greek sea merchant Hegestratos was said to have attempted to sink an empty ship in a bid to keep the insurance money. 

Fast forward to the 1900s, when opportunistic fraud attempts began to transition to large-scale forgery and identity theft. Think false names and fake signatures without the technology or knowledge to fact-check against what or who is real.

Moving into the 1960s, the introduction of credit cards led to new fraud techniques in the form of counterfeiting and card-skimming, both of which continued to grow in volume and sophistication as credit cards became democratised. Since then, the internet, online shopping, and other technological advancements have moved the needle for payment fraud further still in what has become a hugely sophisticated, complex, and massively profitable industry for fraudsters.

Technology has brought scale to the operations of those who commit payment fraud, operating with coordination and intent, using technology and behavioural insight to exploit weaknesses across people, processes, and systems. However, many of the controls designed to stop such fraud have not kept pace, evidenced by the fact that the value of the payment fraud industry is worth tens of billions of dollars in costs annually.

Worse still, it’s showing no signs of slowing down, given the projections indicating payment fraud will exceed $362 billion in cumulative losses by 2028. But why is it that attack methods seem to outpace the controls used to prevent fraudulent activity?

The new fraud playbook is designed to bypass controls

Even the earliest examples of fraud show that it has typically been about exploiting human behaviour as much as it is about the technical gaps left by protective measures.  Business email compromise is a clear example of this, where attacks are often highly targeted, carried out over a long time using credible language and timing to impersonate senior executives and push urgent payment requests through established processes.

Friday afternoons, the school run, and weekends are popular times for fraudulent payment requests, which often succeed because they apply pressure at the exact moment when scrutiny is lowest. If we consider the impact of time zones and the extent and speed at which money is moving around the world, with operatives in multiple geographies, this becomes far more scalable.

Deepfake technology is raising the stakes further, enabling fraudsters to replicate voices and video, undermining not just identity verification, but also trusted communication channels that organisations have historically relied upon as a control. What was once considered a secure step in the process has become another vulnerability. Changes to supplier bank details are a prime red flag for fraudulent activity, as payable workflows are often the target for manipulating processes that rely on trust and routine.

False names used to work due to a lack of official identity documents to verify against. When these documents were introduced, fraudsters began faking them to bypass the new level of security and so on. At each stage of development, payment controls have been trying to keep pace with the tactics used by those looking to commit payment fraud.

It’s a game of chess, but fraudsters always make the first move and payment controls are left playing catch-up in a defensive play.

Traditional payment controls are breaking down under pressure

The issue is that many existing controls have been designed for a different threat landscape than the dynamic, agile and sophisticated one that exists today. Static, rules-based controls (often designed around historical typologies) are increasingly ineffective against real-time, adaptive fraud tactics, requiring a shift towards continuous, behavioural, and risk-based monitoring.

There is still a heavy reliance on onboarding and KYC processes, as though risk can be assessed once and then considered managed. Risk evolves continuously, every transaction introduces new variables, and every interaction creates new opportunities for exploitation. In a game of chess, that would be the left-side bishop out of the game.  

Many organisations also lack the ability to intervene at the right moment, and fraud is often identified after a payment has already been initiated or completed, meaning it is reactionary rather than preventative. At that stage, recovery becomes significantly more difficult and, in some cases, impossible. The focus has been on one part of the chessboard while they’ve quietly moved around the other. There goes the Queen.

Fraud, compliance, and operations teams often work in isolation, limiting visibility and slowing response times and creating siloed responsibility, which adds another layer of vulnerability. Without a unified approach, gaps in coverage are inevitable. Check.

Closing the gap requires a new approach to control

Regulatory changes, including recent updates to the NACHA rules, are a positive step in strengthening fraud controls within the ACH ecosystem. These changes place greater accountability on originating depository financial institutions (ODFIs) and originators, particularly around the monitoring of WEB debits and the use of account validation to reduce unauthorised transactions.

However, these updates are evolutionary rather than transformational. They formalise expectations around fraud monitoring and accountability, but do not in themselves address the speed, scale, and cross-border complexity of modern payment fraud. As a result, firms must still rely on real-time, risk-based controls and behavioural analysis beyond what scheme rules alone can achieve.

Treating compliance as a periodic exercise is essentially letting an opponent take 3 turns on the chessboard for every one of your own. It must be treated as an active discipline, and one that is embedded in day-to-day operations. In cases of fraud, recovering funds once a payment has been made significantly limits options, placing greater emphasis on prevention over recovery, so the ability to flag and challenge suspicious activity before funds are sent is therefore critical.

Behavioural and contextual analysis play an increasing role. Identifying anomalies such as unusual payment patterns, last-minute changes to beneficiary details, or signs of urgency can provide early indicators of fraud.

Keeping pace with change

Effective fraud prevention is a pivotal function for any business to have for two reasons. Fundamentally, it protects against financial loss, but in an environment where trust is increasingly scrutinised, it also reduces regulatory, financial, and reputational exposure while strengthening trust with customers, partners and banking providers. With that trust being earned, not handed out, the ability to demonstrate strong controls is a competitive differentiator.

In many cases, the challenge is not just identifying fraud but having sufficient visibility of the underlying payer and transaction context, particularly in complex or intermediary-driven payment flows where critical information may not always be present or standardised. Fraud will continue to evolve, and attackers will continue to refine their methods, adopting new technologies and identifying new points of weakness. It is a constant battle to try to stay ahead of these shifts, and it means that actions must be taken in real-time. At the same time, the shift towards reimbursement models in markets such as the UK is fundamentally changing the economics of fraud, moving financial exposure from consumers to financial institutions, and placing greater emphasis on prevention over recovery.

The volume and speed at which payments are being made around the world today mean that preventing payment fraud requires control measures that are adaptable to change, and that are continuously assessed and amended. Done well, fraud prevention can be a powerful tool for competitive advantage. It isn’t easy, but when done well, businesses will find checkmate.