Revealed: How Fraud is Evolving

When discussing bank fraud, the old adage “There’s nothing new under the sun” is apt.

Take phishing, a scam in which an individual receives an email requesting they wire a sum to Nigeria, Southeast Asia or even to a fraudulent account at what’s seemingly one’s own bank. While these requests were once littered with telltale typos or wonky logos, they now look quite convincing. That’s because ChatGPT allows anyone to send out letter-perfect requests in seconds.

Community bankers recognize that fraud is a growing problem. 

“We’re seeing multiple threat vectors, as well as increased threat velocity,” says Anthony J. Ranghelli, chief information officer at $950 million-asset Potomac Bank in Charles Town, West Virginia. 

As the types of financial fraud morph and multiply, community bankers are fighting on several fronts. 

“We worry about deepfakes, and rightfully so,” says Scott Anchin, senior vice president of strategic initiatives and policy for ICBA. “But we also need to worry about these age-old fraud mechanisms that continue to exist. And they exist not only in their traditional forms but in new ways that make it more challenging to manage.” 

The pain inflicted through financial fraud is attracting attention. In a late 2025 survey by Alloy, a fifth of financial institutions said they incurred losses from fraud of over $5 million in the past 12 months. What’s more, two-thirds (67%) of fraud professionals reported fraud events are on the rise.  

Anchin describes fraud as “an existential issue, because there are situations where a bank is responsible for losses, and they can overwhelm the balance sheet.”

Here are a few of the most prominent categories of bank fraud, along with ideas for how community banks can fight back.

Card fraud and synthetic identity theft

Credit and debit card fraud tops the list of serious types of fraud that community banks commonly encounter both in terms of how often they see card fraud and the dollars they lose to criminal activity, according to the 2025 Conference of State Bank Supervisors Annual Survey of Community Banks.

Often, card fraud takes the extreme form of “bust-out fraud,” says Miguel Rivera, fraud manager at $3.3 billion-asset Ponce Bank in Bronx, New York. It occurs when “someone applies for credit knowing they’ll max it out and never pay it back,” he says. 

Rivera notes that many bust-out schemes involve synthetic identity fraud or counterfeit credentials intended to “prove” the identity of a fabricated individual. Once a bust-out scheme has succeeded, “there’s not much the bank can do, because the person doesn’t exist,” he says.

Card fraud has existed for decades, yet the problem is even more serious because of online or card-not-present transactions, says Tracy (Kitten) Goldberg, director of cybersecurity at Javelin Strategy & Research.

In addition, she foresees a spike in card fraud fueled by the popularity of digital wallets. When a credit or debit card is compromised, financial issuers have begun to upload new card numbers to their customers’ digital wallets as a way of lessening the inconvenience. However, in cases where the digital wallet itself has been compromised or hacked, the fraudster gains access to the new information. 

Emerging forms of fraud pose unique challenges, but Goldberg names several ways to combat card and synthetic identity fraud, including anomaly detection and behavioral analytics. An area that’s too often overlooked, she says, is dark web threat intelligence. Here, a bank hires a vendor to monitor the dark web to learn whether their customers’ personal identifiable information is being shared or used to apply for new cards or loans. Some identity theft protection services, she says, partner with dark web vendors and bundle features like dark web monitoring with virtual private networks (VPNs) and firewalls, furnishing additional protection.

Finally, Goldberg sees an opportunity “for community banks to offer identity theft protection as an ancillary benefit to their customers.” She advises banks making this investment to select the platinum option and to obtain family (rather than individual) coverage. Studies show, she says, that when one member of a family falls prey to a scammer, the chances that other members of the household will also be victimized increases threefold.

Phishing, vishing and swishing

Phishing, vishing and smishing are all attempts to connect with individuals and steal from them. The terms specify which communication method is being used: 

• Phishing: fraudulent emails
• Vishing: voicemail
• Smishing: SMS (or text) messages

Regardless of the delivery mechanism, this type of fraud is more effective than ever thanks to “increasingly sophisticated AI tools,” says Anchin. 

“When fraudsters contact someone by phone, for instance, they can spoof the bank’s phone number, and they can even spoof the voice of someone working at the bank,” he says. “The bottom line: Now you can’t trust the voice or even appearance of someone. It really challenges banks to update their communications protocols.”

Rising to that challenge, community bankers are developing an arsenal of tools to fend off phishing, vishing and smishing attacks. Anchin explains that these defenses range from multifactor authentication to device recognition technologies.

Another powerful prevention technique is refining the security questions customers must answer. “Asking ‘What’s your address or Social Security number?’ is relatively useless,” says Ranghelli. “Most Americans’ Social Security numbers have been compromised at some point. It’s better to ask: ‘What are your last five transactions?’”  

Ranghelli also endorses the relatively low-tech solution of maintaining a photo of every customer at each bank branch. He says this precaution “helps when someone comes in with a fake ID, because you have an image of the actual client right there.”

Socially engineered attacks

“Social engineering is not new,” Goldberg says. “People used to knock on doors claiming they’d fix your roof or sell some service. But now instead of knocking on your door, they [contact you through digital channels] and start a relationship.” 

While social engineering scams work through many modes of communication, the underlying concept is the same: A scammer uses deception to earn a victim’s trust and then exploits that trust for financial gain. Historically, these scams were quite crude, but that’s no longer true. The arrival of deepfakes—or AI-manipulated images, videos and audio recordings of trusted individuals or businesses—means that even savvy individuals can be duped.

“Hands down, the socially engineered attacks are the biggest pain point that banks and financial institutions of all sizes face,” says Goldberg. One reason these attacks are so vexing is that they don’t follow classic fraud patterns. Instead of fraudsters secretly tampering with accounts, a victim willingly authorizes transactions or gives out personal information vital to opening new accounts.

Toni Fennell, compliance risk expert at Ncontracts, pinpoints elder and romance scams as two particularly thorny problems which are becoming more sophisticated, thanks to artificial intelligence and chatbots that allow scammers to manage several relationships at the same time.

“These scams became more prevalent during COVID, when people were lonely and started forming relationships online,” she says. The rise of social media, or forums in which older people regularly share names and other details from their personal lives, gave criminals grist to socially engineer conversations that include telling details. For instance, in one classic elder scam, a criminal phones a senior, impersonating a distressed grandchild who’s supposedly in jail and must raise bail money quickly.

If bankers are well trained, they can sometimes successfully run interference, says Ranghelli.

At Potomac Bank, tellers are encouraged to inquire why a customer is sending large sums to individuals outside their community. “A teller may try to dissuade a customer, and we’re usually somewhat successful when we can have these conversations,” says Ranghelli. He explains that a customer can always decide to ignore objections and withdraw money, and then a bank’s only recourse is to fill out a suspicious activity report, or SAR. 

Even the best-educated banker can’t necessarily combat fraud on their own. Rivera points out that often the police must be called in, because so many of these crimes originate overseas or even from behind bars. He cites a spate of recent impersonation scams that was run out of a state prison in Georgia. Rivera therefore advises community bankers to get acquainted with local law enforcement and to exchange information on a regular basis. 

As another way of staying abreast of emerging bank fraud, he recommends joining the International Association of Financial Crimes Investigators (IAFCI), a professional association that offers resources for reporting, investigating and preventing fraud.

Check fraud

Bankers are seeing a rise in check fraud fueled by everything from traditional techniques, such as fraudsters whitewashing stolen checks and adding a different payee’s name, to cutting-edge schemes, such as AI-generated fakes.

Ironically, some of the oldest methods of check fraud work the best. 

“If you’re able to whitewash a check, you’re often able to stay below AI thresholds, so [the check] doesn’t even get reviewed manually by a bank’s system,” says Ranghelli. 

Check fraud is such an intractable problem that Ranghelli trains staff to discourage customers from writing checks and instead use ACH or electronic bill pay. He also suggests that community banks consider lowering the machine-learning thresholds in their signature and check verification systems so that more checks are subject to manual review.

Finally, Anchin names check holds as an important tool against check fraud. He points out that the Federal Reserve’s Regulation CC provides broad flexibility for banks to hold checks to ensure they’re legitimate, but he’d like to see even greater latitude given the extent of check fraud.

Account takeover, new account fraud and student loan fraud

Identity theft and the creation of synthetic identities are common ways criminals use stolen credentials to open new accounts and wrest control of existing ones, says Goldberg. She notes that student loan fraud is an example of account takeover in which criminals target young people, often because their credit is untapped or damaged.

Social media posts often provide the germ of information scammers need to perpetrate fraud. Even something as innocuous as a post about banking preferences can tip off criminals and become the start of an account takeover, says Jill Castilla, CEO at $420 million-asset Citizens Bank of Edmond in Edmond, Oklahoma. 

Castilla warns bankers their own public announcements can also unwittingly aid wrongdoers. Say a bank issues a press release about a partnership with a new banking vendor. That news item may help a criminal infer what type of multifactor authentication is being used and then figure out ways to get around a bank’s security measures. In other instances, a criminal might use details within a press release to “impersonate the bank in a very sophisticated way,” she says.

Deed fraud or home title theft

When asked about new variations of financial fraud that might eventually cause major problems, Rivera lists “deed fraud” as a growing concern. He cited a recent case in which a Manhattan man transferred ownership of his 92-year-old grandfather-in-law’s property, worth nearly $700,000, while the man was in a nursing home.

To commit deed fraud, a scammer either uses AI to create a facsimile of an individual’s deed or goes to a city government office with forged deed-change documents, explains Rivera. From there, he says, the criminal can take out a home equity line of credit (HELOC) or even sell the house outright.

Rivera urges community bankers to monitor deed fraud and even fraud within unrelated industries because “at some point money [from fraud] comes to a bank.”

What’s more, knowing that a certain type of fraud exists can lead to swift action. “Even if I’m not seeing a type of fraud yet today, I live in New York City, and I know I may see it next week,” he says.

---