The 2026 Fraud & AML Report makes one thing abundantly clear: most fraud programs are currently optimized for a type of attack that no longer exists.

While much of the industry conversation remains focused on the novelty of deepfakes, the more dangerous shift is happening in the industrialization of fraud. Attackers have moved past running isolated incidents to managing permanent, multi-stage operations. By the time a payment is even initiated, the fraud has already occurred, hidden within layers of identity and customer behavior that legacy point solutions were never designed to connect.

The cost of preparedness
‍Ignoring this tactical evolution creates a massive financial drag. When factoring in labor, recovery efforts, and customer attrition, recent research shows that U.S. financial institutions lose $3.99 for every $1 in direct fraud loss.*

This report provides a framework for closing these gaps, starting with the reality that fraud now operates as a system rather than a series of attacks. That shift fundamentally changes how teams must evaluate identity and payments data. When these signals are viewed together, it becomes clear that simple detection is no longer a sufficient defense, leaving active interruption as the only way to shorten the time-to-action before the damage is done. Want to dive deeper? We’re hosting a webinar breaking down the report on April 8 - grab your spot here.

1. Fraud now operates as a system, not a series of attacks

Most fraud programs are designed to catch a single moment in time, such as a suspicious login or a flagged transaction, rather than the broad operation surrounding them. This narrow focus fails to account for the actual mechanics of a modern attack. Fraud has become a patient progression that begins at onboarding and matures throughout the account’s tenure.

This patience is fueled by the massive increase in operational efficiency made possible by modern fraud automation. By managing thousands of accounts simultaneously, attackers have moved away from the obvious, telltale spikes of activity that legacy systems were built to catch. Instead, they can afford to spend months establishing a pattern of normal activity to bypass standard detection. This industrialization of fraud follows a predictable lifecycle:

• Onboarding: Passing initial KYC with stolen or synthetic identities.
• Seasoning: Establishing a history of low value, routine transactions.
• Manipulation: Using social engineering to coach the user or compromise the account.‍
• Extraction: Initiating high value payments or cross-platform cash-outs.

By the time they reach this final stage of extraction, the activity looks like a routine request by a trusted user.

As Steve Lenderman, Head of Fraud Prevention at iSolved put it on a recent Fraud Forward podcast, “Every fraud that takes place passes KYC.”

2. Identity and payments must be evaluated together

Spotting these patient attacks is difficult because most fraud departments still treat identity and risk payments as separate problems. When these signals live in different systems, a scam can hide in the gaps between them.

Consider the profile of a typical scam payment. To a siloed system, everything looks green:

The true threat only surfaces when these signals are evaluated as a unified risk. When a recognized device sends money to a first-time payee while exhibiting behavioral manipulation, the payment still appears perfectly legitimate and will likely clear. This combination reveals a pattern of fraud neither system can catch in isolation.

Fraud rarely looks suspicious to a single control; it only becomes visible where identity, behavior, and money movement are evaluated together in real time.

3. Detection alone is no longer enough

Most fraud programs are optimized for detection, but recording that a crime happened is not the same as stopping it. In scam-driven fraud, the most critical factor is time. Once a victim is under the psychological pressure of a scammer, that momentum pushes them to complete the payment at any cost.

This is why the most effective institutions are shifting their efforts toward interruption. Instead of relying on passive alerts and manual reviews that happen after the fact, they are introducing targeted friction at the moment of payment. These interventions are designed to break the fraudster’s proverbial spell.

Effective interruption strategies include:

• Real-time payment holds
• First-time payee verification
• Dynamic payment limits
• Escalation paths for frontline staff

As one example from the report shows, a simple safety pause provides the space a customer needs to reconsider a suspicious transfer. This delay breaks the psychological momentum of the scam by allowing the victim to step out of the fraudster’s scripted urgency. By reclaiming this time, banks can successfully dismantle the attacker’s influence before the funds leave the system.

“Fraud is the new friction, and fraud prevention is the new customer service.”
– Karen Boyer, SVP of Financial Crimes at M&T Bank

The takeaway

Fraud in 2026 will move faster, look cleaner, and span more systems than ever before. To adapt, institutions must shift their focus to three specific areas:

• Evaluate identity and payments together to remove blind spots.
• Interrupt fraud in the moment before funds leave the system.
• Monitor the entire fraud lifecycle as a continuous system rather than isolated incidents.

These changes are independent goals but part of a fundamental shift in how organizations must structure their defense. Because modern attacks are coordinated and persistent, an effective response can no longer rely on a set of disconnected parts. To protect the integrity of the financial systems that millions of people rely on every day, the defense itself must operate as a cohesive system. You can download a copy of the report here.

_{*LexisNexis® True Cost of Fraud™ Study 2025 North America}