2026 Fraud Report
Fraud's identity crisis
What's in this report
The result is not just more fraud, but fraud engineered to blend in with legitimate customer behavior. That shift is changing where fraud risk sits, how it needs to be managed, and what it costs when it isn't.
This report outlines five themes defining fraud strategy in 2026:
1. Fraud has become systematic. Automation has turned fraud into a continuous test-and-learn cycle. Tactics are deployed, refined in real time, and scaled quickly, with successful approaches repeated across environments and targets.
2. Good customers have learned to game the system. First-party fraud and policy abuse increasingly operate within legitimate customer journeys. Merchants no longer need to only verify identity; they also need to understand intent.
3. Precision drives growth. The cost of stopping fraud is increasingly measured in lost customer lifetime value, not just prevented loss. False declines, rising manual review costs, and blanket controls suppress growth.
4. Identity cannot be a static indicator. Point-in-time checks are no longer sufficient. Trust is built over time through behavior, history, and recognition across sessions, devices, and environments.
5. Trust must extend beyond the transaction. As AI agents begin to act on behalf of customers, fraud prevention must start earlier, with the systems that govern behavior before payment occurs.
Chapters 1–3 establish the nature and scale of these shifts. Chapters 4–5 address how leading organizations are responding — and where the greatest leverage now exists.
The organizations pulling ahead aren't those with the strictest controls. They're those with the most precise ones.
Methodology
For this report, we retrieved transaction data from the Adyen platform for the full year 2025 (US$1.6T in data) and separately surveyed 1,000 US enterprise merchant decision makers. Survey data in the report is labeled as Adyen survey data. Platform data is labeled as Adyen platform data.
Foreword
Fraud’s identity crisis is as much about those trying to catch it as it is about those perpetrating it. While fraud has always been part of commerce, what’s changed is where it hides and how it appears.
For most of the past decade, the working model for risk teams was relatively simple: Flag what looks unfamiliar. New devices, unusual locations, credentials that don't match. That logic still holds for what it was designed to catch. But the fraud growing fastest today often doesn't trigger those signals. It comes from verified accounts, recognized devices, behavior that clears every checkpoint.
At Adyen, we process payments across the world's largest commerce environments. What we see in that data is a shift in how risk behaves. It's become automated, iterative, and in many cases indistinguishable from legitimate customer activity until you look across time and context rather than at the transaction in front of you.
Risk teams now face a different type of problem, one where getting the decision wrong has immediate commercial impact. It’s a problem that can’t be solved by tightening controls alone, especially as it’s often the controls themselves that are being exploited.
We need a different approach to decisioning: one that reflects how identity and risk actually behave in the real world. Instead of treating identity as something that is verified once and then assumed to remain static, we should view it as a continuous signal that evolves over time and requires ongoing interpretation. Just as importantly, we need to recognize that false declines are not just an operational nuisance but a material cost to the business, with consequences that deserve to be weighed as seriously as fraud losses.
This report examines how that shift is playing out — where fraud is becoming harder to detect, why conventional defenses are struggling to keep up, and what the organizations managing it well are doing differently. The second part explores how that approach translates into infrastructure and strategy.
The businesses leading in this environment aren’t the ones with the most aggressive controls. They’re the ones making more deliberate decisions about where and how to apply them.
The new face of fraud
Fraud isn’t new. But it’s no longer visible in a single moment.
Today, the behaviors that drive fraud often look legitimate at the point of transaction, such as a familiar customer on a recognized device. The pattern may only become clear over time, across accounts and interactions.
Fraud’s test-and-learn era
Fraud now adapts and operates in a continuous cycle, where tactics are deployed and refined in real time. What works is repeated, and what doesn’t is quickly dropped.
Rather than testing a single approach, attackers can run thousands of variations simultaneously — adjusting identity details, payment methods, speed at checkout, or transaction values to explore what gets through.
Automation keeps those attacks running continuously, applying what works and optimizing it in real time. Every outcome becomes feedback, with authorizations, declines, and downstream activity shaping the next attempt until it can pass a business’s fraud controls.
Automation and AI don’t create these patterns. They make them faster, more consistent, and easier to scale.
At the same time, automation and AI are changing how fraud behaves. AI has allowed fraudsters to bolster synthetic identities through deepfakes, falsified documents, and other tactics designed to evade standard checks.
Fraud affects everyone
Because these attacks are so easy to automate and scale, fraudulent actors no longer target only the largest platforms. Businesses of every size, in every industry, across every region can find themselves exposed to the same playbooks, executed with the same speed and precision. Fraudsters don’t operate within brand loyalty or competitive boundaries; once they uncover a loophole in one business, that same vulnerability is quickly tested and exploited across other businesses.
In practice, this means the same pattern can appear across multiple environments at once. The script that tests card numbers on one platform gets repurposed for another. The same promotion-cycling method runs across a dozen brands. The identity data that passed verification once gets reused until it doesn't. It may feel familiar, but the difference is speed and adaptability — how quickly tactics can be recycled.
Because these patterns span merchants, channels, and industries, businesses with access to larger, high-quality datasets are better positioned to spot and prevent fraud proactively.
Fraud is redistributing
Instead of only being concentrated in a small number of high-value transactions, fraud has expanded to include lower-value activity as it’s become easier to scale.
This changes the demands placed on fraud systems. Controls built for isolated, high-risk events now experience a continuous stream of activity, increasing both the volume of decisions and the ambiguity between legitimate and abusive behavior.
The impact goes beyond fraud losses. It shows up in rising manual review costs, increased false declines, and missed revenue opportunities.
The true cost of getting it wrong
Nearly 70% of businesses surveyed expect fraud and abuse to limit their ability to grow revenue. More than half report rising manual review costs.
Every fraud decision becomes a tradeoff. Block too loosely and fraud gets through. Tighten controls too aggressively, and legitimate customers are turned away, right when they intend to spend.
As 50% of businesses report an increase in false declines, the cost of caution becomes visible. Legitimate transactions are blocked, the customer experience deteriorates, and revenue is lost.
At scale, these decisions compound, and fraud puts continuous pressure on growth.
Case study: How a global sportswear retailer uncovered fraud hiding in plain sight
In August 2025, a global sportswear retailer appeared to be having a record month, with gift card activations surging more than 1,000%. In reality, the retailer was experiencing a coordinated fraud attack. Thousands of automated bots mimicking real shoppers were testing gift card numbers at scale and draining the balances. Losses exceeded $750,000 before the attack was contained.
Because the retailer’s fraud detection only flagged transactions after they had been authorized, they were hit twice: revenue lost to fraud, and processing fees on every fraudulent transaction.
By shifting to a pre-authorization fraud detection model, the retailer reduced the volume of suspicious traffic and was able to focus on what remained.
With the noise reduced, a clear pattern emerged: identical device signals linked to outdated iPhone models appearing repeatedly across transactions. A targeted rule shut down the attack within a week.
Known users, unknown intent
Fraud no longer sits only with unknown identities. It now operates through identities and interactions that appear legitimate.
For years, fraud detection focused on a narrow set of questions, including: Is this a real person, and are they who they claim to be? Those questions still matter. But they are no longer enough.
The challenge is no longer just static identity verification at a single point in time, but understanding behavior as it unfolds across the customer lifecycle.
The same account or device can represent a genuine customer in one moment and abusive behavior in the next — like a new account linked to a real customer but created only to access a new promotion or a legitimate purchase later returned under false pretenses.
"Fraud didn’t accidentally start looking legitimate. It chose legitimacy as a strategy."
The rise of legitimate-looking abuse
This shift is reflected in the types of fraud businesses are now facing.
First-party fraud, where customers make legitimate purchases then falsely dispute the charges through their bank — claiming non-receipt, defects, or unauthorized use when none occurred — is now one of the most common forms of abuse, reported by 44.3% of businesses in our survey.
Fake accounts and identity abuse, like cycling promotions, distributing activity, or accessing segment-specific offers, follows closely at 42.2%.
Policy and promotion abuse, where customers exploit merchant policies directly through serial returns, wardrobing, free trial cycling, loyalty point harvesting, or stacking discounts beyond their intent, are not far behind at 39.8%.
First-party fraud has entered the mainstream, and each type of abuse stems from legitimate identities, not by breaking into them. From the system’s perspective, these behaviors often look valid. They pass checks designed to identify unauthorized access or fraudulent payment details.
The challenge isn’t just identifying these users. It’s preventing abuse from being repeated.
Perspective: Legitimacy as a strategy
"Fraud didn’t accidentally start looking legitimate. It chose legitimacy as a strategy. The industry spent a decade improving identity verification, and that foundation is critical. But as fraud has evolved, so has the challenge. When the same verified customer can drive both your highest lifetime value and your highest loss, identity alone can’t explain risk anymore.
Likewise, fraud prevention must shift from static identity checks to dynamic identity: systems that continuously evaluate whether behavior aligns with expected use across the lifecycle. The shift isn’t just in better detection but in how businesses navigate risk — connecting identity, behavior, and policy to shape outcomes over time." - Andrea Ferrari, Sr. Product Manager, Fraud Management, Adyen
Exploiting weaknesses
Historically, fraud has moved to where defenses are weakest — for example, moving from exploiting physical cards in the days of magstripe technology to ecommerce. Now it’s increasingly moving back to in-person shopping. As online protections have matured, attackers are adapting by exploiting gaps in physical retail, where fewer signals and less mature controls make abuse harder to detect.
This pattern helps explain why issues like point of sale (POS) refund abuse are emerging as part of a broader redistribution of risk.
Emerging tactic: Unreferenced digital wallet refunds
Starting in late 2025, a repeatable fraud pattern emerged across US retailers, targeting unreferenced refund workflows at the point of sale.
Fraudsters exploit gaps in refund processes to issue payouts directly to digital wallets. By bypassing the standard flow, where refunds are linked to an original transaction, they can generate funds without a verified purchase. Once settled, the options for recovery are limited.
These incidents are often repeated across locations and typically occur in environments with more flexible refund policies, with losses ranging from $10,000 to $90,000 per incident.
The tactic relies on appearing legitimate. Attackers approach staff during high-volume periods, using impersonation or fabricated transaction details to push through refunds outside standard protocols.
In these cases, the vulnerability isn’t just in the system but also in how it’s used in practice. Store-level permissions allow unreferenced refunds without sufficient validation or escalation, while the pressure to maintain a seamless customer experience makes it harder to challenge requests or introduce friction.
These attacks expose a weakness even before payments come into the mix. In many cases, the deciding factor is how refund workflows operate under pressure, particularly during high-volume periods.
Reducing risk requires stronger store-level controls around unreferenced refunds like tighter permissions, clear approval workflows, and ongoing staff guidance on identifying suspicious behavior. Equally important is working with a payment partner that can quickly identify patterns, escalate incidents, and contain losses before they scale.
The gray area: Good customers, bad behavior
Not all abuse starts with malicious intent. In many cases, it begins with incentives.
A discount for new customers encourages multiple sign-ups. A generous return policy lowers the cost of misuse. Free trials become something to cycle through rather than a one-time benefit. Over time, activity that was once the exception becomes normalized.
Online communities openly share ways to “game” systems, from how to maximize promotions to how to get refunds approved. What might once have been considered fraud is reframed as a loophole, a hack, or simply a way to get better value. Customers who do not consider themselves fraudulent may still engage in actions that result in loss.
For businesses, this makes the problem harder to define, let alone solve. Welcome to the grey area.
The challenge is not a lack of signals. Frequently, nothing stands out at the transaction level, and the pattern only emerges through repetition:
Promotion access scaled across multiple accounts
Free trials repeatedly cycled across identities
Returns clustered just below policy thresholds
Activity deliberately distributed to avoid detection
Gift card fraud
Case study: Filtering out trial abuse to secure recurring revenue
In early 2025, a global software leader saw a rise in trial abuse. Users were signing up for free trials with no intent to convert, often using invalid or low-quality payment credentials. The issue only became visible later when the first billing cycle failed.
The problem wasn’t at renewal. It started at sign-up.
To address this, the business worked with Adyen to shift validation earlier in the lifecycle. Rather than relying on basic checks that simply confirm a card number exists, they introduced upfront validation of payment methods during trial registration.
This approach allowed them to assess whether the provided payment method could support the subscription amount once billing began — without charging the customer during the trial period. As a result, invalid cards, insufficient funds, and higher-risk payment instruments were filtered out before access was granted, while legitimate users continued to enjoy a seamless sign-up experience.
This shift improved control without adding unnecessary friction. Early-stage sign-ups became more qualified, improving the overall quality of the subscriber base.
With a higher-quality subscriber base, downstream conversion and retention improved, making revenue more predictable.
From identity to intent
Traditional fraud systems are built around matching identity to the payment instrument. They verify credentials, authenticate users, and assess whether a transaction is likely to be legitimate based on known signals. But when the same identity can be used for both legitimate and abusive behavior, those signals become less reliable on their own.
The question is no longer just “Who is this?” but “Is this behavior consistent with legitimate use over time?”
Precision drives growth
As fraud becomes harder to distinguish from legitimate activity, the cost of getting a decision wrong can exceed the fraud loss itself.
A small fraction of identities now drives a disproportionate share of risk. But the controls used to stop them are applied much too broadly. In trying to prevent abuse from a minority of users, businesses introduce friction that affects everyone.
The real cost of fraud shows itself not just in what gets through but in what gets blocked. In some cases, static controls block up to 10% of legitimate customers, according to Adyen platform data.
False declines, unnecessary friction, and rising manual review costs are no longer side effects; they’re central to how fraud impacts revenue.
Most fraud strategies were built to minimize loss. That model is now outdated.
Fraud management is increasingly understood as a series of commercial decisions that ultimately determine how much legitimate revenue a business can capture.
The question is no longer how much fraud a business is willing to tolerate. The question is how much legitimate revenue it’s willing to lose trying to stop it.
The need for more precise controls
When fraud rises, increased control can feel like the obvious response. More rules, more verification steps, more manual reviews, tighter policies — all of which add costs and friction.
The impact is already visible. Minimizing operational costs became the top priority for 29% of merchants in 2025, up from just 10% in 2024, according to MRC data.
Our survey shows 58% of businesses are experiencing rising manual review costs, while 50% report an increase in false declines. With additional controls often relying on static signals, up to 10% of legitimate customers are blocked.
There’s a disconnect between perceived risk and reality. In trying to protect against a concentrated minority of abusive identities, businesses introduce cost and friction. Every false decline not only suppresses conversion in the moment but also undermines trust, retention, and future spend. It becomes a tax on your most valuable customers.
Insight: When policy tightens without precision, customers pay the price
In the apparel and luxury sectors, merchants reduced refund rates by 21–25% in 2025 without a corresponding increase in disputes. Alternative resolution paths, such as exchanges or store credit, helped preserve customer trust while protecting margins.
In the dating platform sector, it’s a different picture. A 38% reduction in refund rates led to a 66% increase in chargeback volume. Without a resolution path, customers default to disputes.
So while tightening policies can reduce abuse without clear alternatives, it can also erode trust with legitimate customers, leaving chargebacks as their only course of action.
A series of compromises
For most businesses, fraud management is a series of compromises. According to our survey, 97% of businesses made at least one fraud-related tradeoff in the last year.
What's the right fraud strategy?
by Brigette Korney, Global Head of Performance Optimization, Adyen
The honest answer is the one most businesses don’t want to hear: It depends. Preventing fraud is more than just a regulatory obligation. Every approach involves tradeoffs between risk, friction, cost, and growth. In practice, the right approach depends on your business model. Here are a few considerations to think through:
Margin profile. Higher-margin businesses can absorb more risk to protect conversion. Lower-margin businesses need tighter controls but can’t carry the cost of broad friction or manual review.
Growth priorities. A business focused on acquisition will make different decisions than one optimizing for retention and lifetime value. Fraud strategy should shift with that.
Customer mix. Not all customers carry the same value or risk. Applying the same controls to a first-time buyer and a high-value repeat customer is where most strategies start to break down.
Where teams run into trouble is when a strategy designed for one context is applied everywhere across markets, segments, and lifecycle stages. Over time, that creates hidden costs: lower approval rates, increased manual reviews, and friction for the wrong customers. The goal isn’t to eliminate risk but to align risk and friction with where they create or destroy value.
What this means in practice
Managing those tradeoffs well comes down to three things:
The tools you use. You need tooling that can adapt in real time, whether that’s applying protection where risk is highest or scoring transactions with more precision. Static rules won’t keep up with how quickly fraud evolves.
The people behind the decisions. Performance improves when risk isn’t managed in isolation. Access to specialists, shared insights, and continuous optimization is what turns a strategy into something that actually works in practice.
The ecosystem you’re plugged into. Fraud patterns don’t stay contained to one business. The fastest way to stay ahead is through shared signals, industry insight, and visibility into how trends are evolving across the network
From fraud control to growth strategy
Fraud prevention no longer works as a blunt instrument.
Applied broadly, controls increase cost, reduce conversion, and erode trust. Applied precisely, they become a growth lever — improving approval rates, reducing unnecessary friction, and protecting long-term customer value. Not reacting to isolated transactions but understanding patterns. Not applying friction uniformly but allocating it where it has the greatest impact.
The next question is what it actually takes to tell the difference.
“The real challenge is no longer identifying risk but allocating the appropriate level of friction with enough precision that it protects margin without suppressing growth.”
Dynamic identity as infrastructure
If traditional identity checks can’t distinguish legitimate customers from abuse, what can?
Earlier chapters described a fraud environment in which a rapidly-growing risk comes from recognized users: verified accounts, familiar devices, and activity that passes every checkpoint.
This shift means that distinguishing legitimate customers from abuse is harder than ever.
The answer isn’t stronger verification. Identity is no longer a credential to be confirmed once. It’s dynamic — a continuous layer of context built from activity across the customer lifecycle, rather than validated at a single point in time.
From verification to recognition
Verification answers a binary question at a single moment — is this person who they claim to be? And recognition builds a view over time — does this activity fit the pattern of a trusted customer?
The difference matters because fraud has learned to pass verification. What it can't easily replicate is a consistent behavioral history. A returning customer purchasing within their typical range on a recognized device moves through with minimal friction. But when that same pattern shifts — into unusually frequent returns, promotion cycling, or activity distributed across multiple accounts — the change in intent becomes visible, even when the identity itself hasn't changed.
Trust is earned and tracked, not granted once and assumed.
Insight: Where smarter authentication outperforms friction
The evidence for this approach is clearest in markets where it's been put into practice.
Across 2024 and 2025, APAC merchants reported the heaviest fraud prevention burden globally according to our survey. Around 70% cited rising manual review costs, 60% reported higher false declines, and one in three said they couldn't resolve the tradeoff between blocking fraud and approving legitimate customers.
Among Adyen merchants in markets with higher authentication penetration — Japan, Australia, and Singapore — the picture is different. According to our platform data, risk approval rates reached up to 99.57%, up an average of 17 basis points year over year, while chargeback rates fell consistently across all three markets.
Source: Adyen survey and Adyen platform
Trust at scale
The value of connected identity compounds across a wider network. A single merchant can build behavioral context within their own ecosystem. But network-level recognition — drawing on signals across a variety of merchants and devices — creates a richer picture from the very first interaction.
Across Adyen's global network, there is an 84% chance that an identity has already appeared across transactions, businesses, payouts, or card issuing. That means even new customer relationships can begin with context, allowing for more confident decisions earlier and less friction for customers who've already demonstrated trusted behavior elsewhere.
It's a system where recognition becomes reputation.
Product spotlight: Building an engine for the future of fraud with Protect
Traditional fraud controls focus on blocking bad transactions after risk becomes visible. But modern fraud increasingly exploits the systems surrounding payment: promotions, guest checkout, account creation, returns, and stored value.
The more effective approach moves those risk-related decisions earlier. By combining identity continuity, cross-merchant recognition, and pre-authorization risk signals, businesses can distinguish trusted behavior from abuse before checkout friction, authorization fees, or downstream losses occur.
The advantage isn't simply higher approval rates or lower fraud losses. It's greater control over how trust is calibrated across margin profiles, growth moments, and customer journeys — giving teams the ability to reduce false declines, minimize unnecessary manual reviews, adapt risk appetite to business priorities, and surface abuse patterns earlier in the lifecycle.
The hardest balance in fraud is maintaining authorization success while improving fraud prevention. Traditionally, these are inversely correlated: Catch more fraud, block more good customers.
But in 2025, merchants using Adyen’s built-in risk engine, Protect, still saw:
+16% fraud recall YoY. Protect identified a higher share of actual fraud than the year before.
-33% false positive rate YoY. While catching more fraud, fewer legitimate customers were incorrectly blocked.
2x more authorization rate preserved compared to merchants without Protect.
As commerce becomes increasingly automated, the winning strategy isn't handing decisions to a black box. It's moving prevention upstream while keeping teams in control.
Source: Adyen platform
When the customer is an agent
Historically, fraud prevention has centered around two fundamental challenges: identifying good actors vs. bad actors — typically through behavioral signals — and authenticating authority to ensure the person initiating a transaction is allowed to do so.
Agentic commerce introduces a third participant, the agent, which both complicates these problems and creates new ones entirely. Merchants must now also:
Identify legitimate agents vs. malicious or exploitative ones
Verify that an agent is authorized to act on behalf of a customer
Ensure the agent is operating within the bounds of what the customer actually intended
This last dimension, intent, is new. Even a legitimate, authenticated agent may behave in ways that diverge from user expectations due to optimization strategies, adversarial manipulation, or misaligned incentives.
A new kind of indistinguishability problem
That shift makes agentic commerce a distinct fraud challenge — not simply a faster version of what came before. The risk isn’t only that bad actors will deploy agents. It’s that trusted agents and malicious ones are increasingly indistinguishable at the point of transaction, and that existing systems weren’t designed to tell them apart.
Agentic commerce is expected to influence a meaningful share of payment volume within the next five years. But its impact is uneven across industries, and so is the risk.
Evolving pattern: Agent-initiated promotion abuse
As AI-powered shopping agents become more capable, automated systems can exploit promotions and inventory windows faster than merchants can respond.
In a typical scenario, agents monitor pricing environments and trigger bulk purchases when conditions are met — combining discounts, loyalty credits, and payment incentives in ways merchants never intended. The transactions themselves are individually valid, and no single signal triggers a rule. But together, they produce systemic abuse.
A variant of this scenario targets limited-inventory product launches. Agents acquire inventory at scale within seconds of release, outpacing legitimate customers and the controls designed to protect them. What appears to be a successful launch may, in reality, be partially automated extraction.
Unlike traditional bot attacks, these patterns often don’t require stolen credentials or synthetic identities. They operate through legitimate accounts with real purchase histories.
Agentic commerce doesn’t create an entirely new category of fraud. It industrializes the edge cases businesses already struggle to contain.
The shift upstream
In the age of agentic commerce, it’s no longer enough to apply fraud controls at checkout. By the time an agent reaches that point, many decisions have already been made, often inside systems the merchant cannot observe or control. The result is greater exposure to chargebacks, refund abuse, promotion exploitation, and transactions that are technically valid but misaligned with user intent
In short, trust must be established earlier across systems, protocols, and participants — not just at the moment of payment.
Intelligence, identification, and authentication
These challenges are still evolving, but a few clear approaches are emerging:
Behavioral intelligence
Fraud systems must adapt to recognize agent-specific behavioral patterns, not just human ones. This includes training models on agent-driven interaction patterns, capturing signals earlier in the transaction lifecycle, and sharing more data across ecosystem participants including merchants, networks, issuers, and AI platforms.
Agent identification
A critical capability will be distinguishing trusted agents from untrusted ones. This will likely depend on collaboration with payment networks and financial institutions, shared identity frameworks or registries for agents, and standardized signals indicating agent provenance and reputation.
Authentication and delegation
Existing authentication systems were not designed for delegated commerce. Work is underway to extend current protocols to support agent-based authorization, define how consent and delegation are captured and verified, and align emerging transaction patterns with industry standards and regulatory frameworks.
Trust must start earlier
According to our survey data, a significant share of merchants already view AI platform trust scoring as critical — prioritizing the ability to assess not just who is transacting, but which system is acting, on whose behalf, and whether that delegation has been explicitly authorized.
Forward-looking organizations are responding by treating risk less as a checkpoint at checkout, and more as a continuous control layer. The businesses best positioned for this transition are those that recognize identity, delegation, and intent must be modeled separately and connected before the agent arrives.
Conclusion
The mechanics of fraud have fundamentally shifted. In 2026, the most significant risks no longer sit at the perimeter; they operate within the systems and behaviors built for legitimate customers. This shift makes traditional controls less effective and broad friction more costly.
It’s not about more controls but about more precision — using dynamic identity, behavior, and context to distinguish between trust and risk earlier in the customer journey.
In doing so, fraud management becomes more than a defensive function. It becomes a way to protect revenue and drive growth while making better decisions about where and how trust is applied.
Afterword: The policy shift
Today, more abuse sits outside classic unauthorized payment fraud. It shows up in scams, impersonation, first-party misuse, policy abuse, and other legitimate-looking activity that is harder to identify in a single moment and often only becomes visible across behavior over time.
Historically, fraud policy was built around a narrower problem. The focus was on authenticating the customer, authorizing the transaction, and deciding who should absorb the loss when something went wrong. That approach still has value, but it no longer solves enough of the problem.
Strong Customer Authentication (SCA), for example, can help with stolen credentials — but it doesn’t help as much when the consumer is persuaded to send the money themselves. Similarly, Verification of Payee (VoP) can help with misdirected credit transfers and crude impersonation scams, but it can’t catch conduct that only looks suspicious when viewed across time, counterparties, or channels.
For fraud that takes shape well before payment is sent, a framework built mainly around authentication and authorization at the point of transaction will always arrive late. Policy is starting to reflect this new reality in several ways:
In the UK, mandatory reimbursement requirement returns most in-scope APP scam losses to victims.
In Australia, Scams Prevention Framework is built around prevention obligations rather than reimbursement, with redress as a backstop.
In Brazil, the Pix special return mechanism allows the receiving institution to block funds and, with recent expansions, to trace them across subsequent transfers.
In the EU, emerging PSD3/PSR package extends the scope of mandatory payee name verification and provides an explicit legal basis for payment service providers (PSPs) to share fraud signals that previously sat in a privacy gray zone.
None of these models are complete, but overall, policy is moving away from any single party at a single moment and toward the spaces between participants.
Liability is another path regulators are using, and it’s easy to understand why: It rectifies real harm when scam losses arise. But it’s still an after-the-fact solution that doesn’t do much to identify scammers earlier, disrupt fraud itself, or stop funds from moving in the first place. In some cases, it can even encourage consumer complacency by reinforcing the idea that the system will absorb the loss afterward.
For the fraud patterns gaining ground now, that’s too limited a response, because the problem is not simply where losses land. It’s that the right actors often cannot see enough, soon enough, to stop fraud at all. That’s why better data sharing is so important. It gets us closer to the actual weakness in the system and offers a better chance of improving prevention, rather than merely reallocating the cost once prevention fails.
Get the full report
Get the full PDF to read, share, or revisit later.