Fraud at Machine Speed: What 2025 Taught Us About 2026

What is up fraud fighters, and welcome to Fraud Forward. This episode is special. It's not only the first podcast of 2026, it's also the official relaunch of Fraud Forward. And there's no better way to kick this off than with a real, honest conversation about where fraud is headed next. To do that, I brought together three absolute forces in this space who live this work every day across fraud, risk, and BSA.

...to break down what we actually saw in 2025 and what financial institutions need to prepare for as fraud accelerates into 2026. No hype, no fear-mongering, just real insights from the front lines. So let's get into it. Ladies, welcome to the inaugural episode of Fraud Forward. I couldn't think of a better group to kick this off with. Two of you, Jen and Karen, have joined me before on Banking on Fraudology, but with this being a new chapter and a lot of new listeners joining us, I'd love to reset the room for a moment. Let's go around and have each of you give a quick intro, who you are, what the heck you're doing here (no, I'm just kidding), what you focus on day to day and the lens you bring into the fraud fight. So everyone listening has context for the powerhouse group that we have here today. So Karen, we'll start with you.

All right, so Karen Boyer, or Boye, depending who you ask. I am in charge of fraud prevention and detection strategy in the operations teams and some investigations to go with that for M&T Bank. I'm also very well out in the industry and on plenty of industry groups such as the ABA, BPI, FS-ISAC, IAFCI, all the acronyms. So I will say that all these views and opinions are of myself, myself only. And from what I've seen in the industry through multiple banks, not anything that I'm seeing necessarily at my bank, and/or banks I have worked at or will work at, asterisks everywhere, legal disclosures, blah, blah, blah, you get it. I will try to hold down the fear-mongering. Sometimes it just comes out whenever I talk, but happy to be here. Thank you, guys.

Absolutely. Jen.

I'm Jen Lamont. I work for a credit union in Washington state. I am just over 20 years in the industry. I tackle everything from BSA compliance to fraud prevention, detection, recovery, complex investigations, identity theft, and everything in between. I fell into this industry and fell in love with it and can't imagine my life anywhere else. I'm super happy to be here. Karen mentioned we're part of a lot of different networking groups. Some cross over, some I've never even heard of, Karen, so I'll be Googling later, thank you. But yeah, so happy to be here and excited to talk about next, or I guess it would be this year. Although the fear-mongering, I think it might be hard to avoid.

Yeah, you're right. You're right. But now I also want to introduce Angela. I'm so excited. This is your first time on Fraud Forward. Well, it's all of our first times on Fraud Forward, but the first time on the podcast with me. I'm so glad you're here. Please introduce yourself to the group.

Thank you so much for having me. I'm excited as well. My name is Angela Diaz. I have about 15 years in the industry. I actually started on the merchant side and operations, and then I transferred over into financial services where I've been in operations, first line risk, financial crimes compliance, BSA, AML, and I looped back around to fraud. I'm currently in risk management, second line of defense, so very heavy into that bird's eye view, that oversight, that monitoring. I primarily focus on external fraud versus internal fraud. And I have spanned covering the credit card space, deposit payment space. I love risk management. I get to partner with a lot of the most incredible fraud operations leaders. So I'm super excited to bring that risk management angle to the podcast, and thanks so much for having me.

100%. Like I said, I don't think I could have done this without the three of you. This is exactly how I wanted to start the new podcast, just to say how intentional this podcast is going to be in the content that I'm going to be bringing and the powerhouse people I'm going to bring. So it's different perspectives. We've got a large bank, we've got a credit union, and we've got risk. I think that this just answers all of the above, right? It's what we're hoping for when we think about predictions and how we really want to have that right mindset. So yeah, I'm really excited to get into it. I think 2025 wasn't just more fraud. It was faster, more adaptive, and harder to interrupt, at least from the conversations I was having. And today isn't about overwhelming teams with everything that could go wrong, right? It's about preparing leaders for what's already here and what's coming next. So I'd love to start simple. If you had to describe 2025 in one word, what would it be and why? We'll go Angela, Karen, Jen.

For me, it would be growth. I saw some of the largest dollar amounts I'd ever seen in 2025. And then I saw a big jump in, or a big growth in, just evolution. I think for a while, at least from where I sit, fraud was pretty static and standard for several years. And we were seeing things this year that we'd never seen before, and in much larger amounts. So for me, it would definitely be growth. I think, to kind of highlight the positives, I have seen a ton of industry leaders and this community also grow and really join together to push for innovation in order to kind of tackle that. So growth, 100%.

I know I'm next and I'm actively trying to figure out one word. Can I break? Okay, that's exactly, I'm gonna say “back to the future.” And I'll say that because we had to, to Angela's point, like the scales of the fraud, because I know we'll get into it, like AI, but like quantum mechanics or computing, if you will, is something that people aren't really talking about enough that's causing this to scale. But with all of the technologically savvy frauds that we continue to see, I'm actually very surprised to see then the historical frauds resurfacing, like the boots on the ground going door to door saying, “Hey, we're in the neighborhood, we just fixed this roof, this roof looks…” And again, getting charged enormous amounts of money to fix the roof that never needed fixing. And some of them even let them into their house and up into their attic and then realize after a week that no work's being done. It's insane. So that would be what surprised me for 2025 in general, is how old-school fraud is resurging. And again, it's not like we could just stop the new-school fraud because we're gonna watch this fraud again. We gotta keep going and then keep adding. And so if I was gonna say one word, it would be insanity.

I think that that's a great word. I really do.

Right? Up to interpretation, if you mean myself, the landscape, you know? But yes.

Love it. All right, Jen, how about you?

I think for me, especially as I'm listening to these other two ladies talk about it: manipulation. I think it kind of goes, the social engineering and the manipulation tactics, they're just getting better. We're having individuals who have been our members for 20 years trust somebody they've been talking to over the phone and online for the last couple of months more than they trust their 20-year financial institution. And that is incredibly difficult to combat. So the human aspect of these fraud schemes, we talk a lot about technology, and yes, just like Karen said, that is a huge problem. It is evolving so quickly and raising the stakes of insanity for sure. But I think just that the level of social engineering and human manipulation happening, and the dishonesty, we're trying to get better at asking questions and trying to help our members understand what's happening, and there's a level of dishonesty coming at us that's really hard to combat. How do you tell somebody, “I think you're lying to me?”

Or “I know you're lying to me.”

It's easy when they live under your same roof, you know, and you can just give them the sign. It's like, “Honest!” But whenever it's a member or a customer, those conversations, yeah, they're really hard, especially when you know, like, you are following the exact pattern. Let me read you this article verbatim because it matches your story. Like here's the line that was used and that's the screenshot you're showing me. This is the same thing. And they're like, “No, no, no, it's not.” So I completely agree. I think manipulation absolutely is a great word to describe what we saw in 2025. And it's actually a perfect tee-up to the first prediction I wanted to talk about. So to give some backstory, obviously anyone who is not living under a rock in this industry knows that Frank McKenna and Carice and Marianne Miller, and now they're a ghost guest, or I can't remember how they exactly word it, ninja guest, I think, I don't know, but Matt Vega came and did a fraud predictions report. And so we took a little bit of information out of that, but we're also going to add some of our insights into what we think are prevalent. So we grabbed a few predictions. The first one that I want to bring up, and I'm going to have Jen talk through it with us, is the prediction: one, he said, digital arrest scams become a national security threat. So we've seen digital arrest scams continue to expand into early 2025, despite the awareness campaigns and education efforts like Jen mentioned. These scams use video-enabled law enforcement impersonation, cross-border coordination, and real-time pressure to terrorize victims into moving money. So Jen, this sits right at the intersection of scams, fraud, and BSA. And you've seen firsthand how difficult these cases are to stop once they're in motion. From your perspective, what are you seeing right now? And what has changed with these scams compared to what we even saw a year ago?

To be honest, I haven't seen firsthand a lot of the digital arrest scams, but as I was reading through, what does that actually mean? You know, the highlight to digital arrests is this 24-hour surveillance. Then you break it down further into what I am seeing, which is the government impersonation scams, law enforcement impersonation scams, and the tech support scams. And we are seeing victims on the phone, online, video chatting for hours thinking that they are speaking to a government agency and that if they don't act fast, that they're going to be arrested or something bad is going to happen. We've been seeing that for the last probably three or four years. The tech support scams, I'm hearing the same thing. “I was talking to this tech support for four, six, eight hours.” In my mind, I'm thinking, I can barely get people to answer the phone and call me back to validate information. What are these fraudsters doing to keep these victims on the line for so long? And the answer is: I'm not sure. But all I know is their tactics are powerful and their tactics are working. So it is something that is incredibly hard to combat. You know, we're reading in this industry a lot more about these ATMs, the Bitcoin ATMs, and the kind of push to either shut them down or educate more or add warnings to. And I'm a big proponent of that because most of the loss of funds in these scams are coming from those Bitcoin ATM machines, at least at my credit union. So I think the more push we have for shutting those things down and educating against them, we may be able to combat this better. We are seeing a lot of those types of things.

100%. I can remember, and I appreciate you saying that this is something that's been going on for three to four years. I remember literally being in the fraud leader role, having a conversation with a member that, I believe it was tech scam that kind of morphed into like that Chinese porn thing that they tried to manipulate and say, “We found this on your computer.” And so then they had to leave their webcam on while they duct taped money together and put it in a shoebox and then wrapped it in aluminum foil and then put it in bubble wrap into a bigger box. And I just remember thinking: And you had your webcam on this entire time? She said, “Well, that was how they proved I wasn't stealing any money.” And I was like, “But it was your money.” And now it was just, it was really, you know, baffling to me then. And to think, yeah, now they are just holding them for 24 hours, but then forcing them to move money through different means. I mean, it's a crazy concept, but at the same time, how are we even supposed to combat this effectively as financial institutions? I'd love to get Karen or Angela, if you guys have any thoughts on that as well.

I think it's especially difficult when the activity is happening outside of our institutions, right? We're so focused on monitoring what fraud looks like within our institutions and our systems and our payment transactions and our account access that it's very, very difficult when the root cause, or so much of the activity and the really important activity, is manifesting itself outside of the institutions. We have so many of these scams. We can't see it. We can't prevent it. We don't have access to it. We can think about what it looks like once it does enter into our institution, but that's a whole other kind of complex area of discussion. So I think that is what I've seen be the biggest challenge. We can talk a lot about customer education, of course, and I do agree that that's important. But I think I'd be naive to say that I felt like it was super impactful, unfortunately.

And to echo on that, Angela, I think the issue also is exacerbated that the right people in the right levels don't understand that the transactions we're seeing is generally the last 10% of a scam that derived extensively, ballooned well before our purview. And yet a lot of the pressure, well, I will say all, the majority of the pressure, lies within the banks to stop it without being able to see those indicators or what happened before. And yes, we have technology that, if installed correctly, you could see, “Okay, well, the customer is on the phone while they have a payment with this, with that.” But honestly, that's like slim to none compared to the scale that we're up against. And like we're discussing, we're not looking at webcams or understanding the four-hour conversations that might happen on a Saturday that leads to a Bitcoin ATM transaction on Monday. And again, that Bitcoin ATM transaction, like you were talking about, Jen, what does that start with? It starts with a withdrawal from the customer that is coming to a branch. And as a fraud person, yes, I would like to stop every withdrawal, make them fill out a questionnaire. I just know that that's not feasible and it's not realistic. So what are we, how do we stop that, again with that balance of: this is their money. It is one thing to say that when we could see like a substantial wire coming through that we know is a bad beneficiary. Like Jen, like you were saying, like “I know this is fraud.” Like that's a difficult conversation in itself compared to backing up and saying, “Excuse me, Mr. Smith, what are you gonna do with that $5,000 when I put it in your hand?” And it's hard. It's just challenging.

Yeah, you know, it's kind of hard to avoid in this conversation, let's be honest. And you know, I have to say, we're a pretty small credit union and we have a pretty good relationship with our members. And I think we do an exceptional job on our front lines of asking questions about cash withdrawals. We are being lied to. The fraudsters know we're going to ask. They know that this is likely outside of the member's normal business activity or normal consumer activity. So they're manipulating them into lying to us. Every single loss that I know about, when we ask the question, we are told: it's for a home remodel, it's for a road trip for our 50th anniversary, people get into details. “We are going on a cross-country vacation and we're gonna stop at three places along the way.” I mean, we're talking detailed explanations of how these funds are gonna be used and then we find out later once they realize that it's a scam and they've lost this money. Then we later find out, we always go back and go, “Could we have done something differently? Could we have changed our questioning to prevent this from happening?” And nine times out of 10, we did what we could. Who am I to tell you, you can't go spend $10,000 on a vacation?

Well, and I think it's, you did what we could. Yeah. And it's like you did what you could, but at the same time, you got to think too that if you stop this one, that's just going to educate the fraudsters of how do we need to answer next time so that it won't be stopped. So I completely agree. And I think it makes the point for this particular topic to say: I think this is more than just a fraud problem.

100%.

This is like that national security issue. We need to get something else, another tech team or whatever, to start working on this because the banks are not the solution here.

From a large financial institution standpoint, our volume of transactions, our volume of accounts and customers is so large that we are like the counter to what Jen was talking about. We cannot identify easily and get on the phone with a lot of customers. We just don't have the bandwidth to do that because these are banks that are just incredibly large. They hold some of the largest amount of customers and money for the whole entire world. So it's a totally different angle and a totally different challenge. We just don't have the capacity. We don't have the ability to easily identify, sort through, and just do that type of outreach. It doesn't mean it doesn't exist, but it is like a very small dent in probably what's actually going on.

Yeah, if you spent 45 minutes on one call, you would have had 12 other victims in that 45 minutes or more.

Yeah, so this is one of those that it's like, it's a prediction worth talking about. It's one that we're not necessarily going to be able to solve or to really give you insights on how to better prepare other than make sure you are working on those external relationships, making sure that you understand the scams and that you are educating your frontline as much as you can about what to look for. But this is one of those instances that we're not going to be able to stop it. And at most, we'll be able to prevent a few cases, but it all happens externally until, like Karen said, it's that last 10% of the interaction with the fraudster and your customer.

I think breaking down the silos and making sure that your fraud teams are communicating with your front line teams and even your member solutions department, and just educating on those red flags and those kind of buzzwords to look out for. Somebody called yesterday and they were going to mobile deposit a check to pay a ticket. “Mobile deposit a check to pay a ticket”, tell me more. So educating on those buzzwords to dig a little bit deeper, but I think you're right. It's a tough one.

Love that. Appreciate the insights here. Okay, so the next one that I wanna talk about is the ghost tap fraud. The prediction reads: ghost tap fraud adds one billion to card-present losses. I'll tell you, this is one that I really wanted to kind of dive into because out of all the predictions that we're talking about today and that were written in that report, this is the one that scares me the most. Historically, when we saw a contactless transaction coded as an entry mode seven, it led us to a pretty straightforward conclusion: it was the mobile wallet authenticated the user, the card holder still has the physical card, therefore, this is likely first-party fraud, especially if they've already used this mobile wallet in the past. And that conclusion used to feel safe. But with ghost tap fraud, burner phones, delayed execution, and SMS-based wallet provisioning being exploited, that assumption doesn't hold up anymore. And I think a lot of institutions are still operating as if it does. And I'll be honest with you: I had a conversation with another credit union that asked me specifically about this type of transaction. And I was like, “Yeah, no, that you got to look at first party fraud. Has a wallet been used before in the past and they still have their card in their possession? Yeah, obviously this is one that we would want to deny for first party as long as you've collected the right information. It shows that it was authenticated.” And then this report came out and I was like, “My God, cancel everything that I just said to you. We've got to dive into this.” So I'd love to ask you ladies: do you think institutions are underestimating card-present fraud right now because the fraud doesn't look like what we're used to?

Yes.

Yes, one thousand percent yes. Sorry to jump in, but I think that there is a misconception that even if the right people at the right levels of the bank read that article, it seems so far-fetched that it's just like, “Yeah, this seems like a global problem, it's not gonna hit us.” There's no appreciation for the saturation of that. And I'll tell you: token fraud has been skyrocketing for the past couple years, and I'm actually wondering why people haven't kind of talked about that. And a lot of it is falling back on the authentication standards of tokenizing the card as it is. Which, by the way, a lot of, especially the smaller banks, are relying on core providers and/or the Visa/Mastercard directly to help them with that authentication, which then obfuscates where that data is coming from. There's so many hurdles about this in general. To add this on top of it… And I'll tell you, I read some articles about it, but then when Frank was, was it Mary Ann? Anyways, on the article itself, I started researching and went down the rabbit hole too. I personally underestimated the fact that this is also that back to like, oh God, what movie was it? I don't know, but kind of like the facetious thought that somebody could scan your card from a mile away. And understand that is NFC near-field communication, but nonetheless: “Oh, that was one random news story in Ohio back in 2018, it's not real,” you know? And so, long story long, Hailey, to answer your question: I do not think that banks are understanding the risks, that understand what is actually occurring. And I think that the first-party fraudsters, especially those that are aware of this, will also exploit it saying, “That wasn't me, I must have been ghost tapped.” And perhaps that's the only way that more banks could understand that because they're actually listening to fraudsters telling them about the ghost tapping when they're actually first-party frauding, the dispute abusing itself. I don't know. So be it, I guess. It definitely frightens me. I don't have a solution. I don't know what to say. But it's terrifying.

And how do we prove it? And the regulations are consumer-based, which means we essentially lose as financial institutions. These are not types of transactions that we have chargeback rights on. You're not gonna get attention to a $1,200 case from law enforcement agencies most of the time. I'm sure that there are some unique situations that you might, but we're… This is something that keeps me up at night for sure. It takes me back to early in my career when teenagers were selling their debit cards and PIN numbers and claiming fraud. I feel like we're right back to the early 2000s, and I'm like, you know, which leads me to also remember that back then investigating was more about the interrogation. And I don't know about you all, but my interrogation tactics, with the advancement and evolution of fraud, they're a little rusty. You know, there are key indicators.

I feel like I have to have a degree in some type of coding and data, whatever, that I need to be able to back it up. And I'm like, I feel like an idiot sometimes trying to have this conversation, but I'm like, “No, no, no, this is what this is. I can't explain it to you, but I know what I'm talking about.”

Right, you just have to bluff it, Hailey.

Yeah, okay. Yeah.

Yeah. It makes for interesting conversations where I think we also need to go back to a strong KYC. Is this a brand new account where this is happening? What do we know about that account holder? What is their normal behaviors? Working with our processors to make sure that we have good rules in place to prevent transactions when tokenization has just occurred. I know that's where I've kind of gone, is straight to my processor going, “Okay, what rules do we have in place right now to prevent us from taking significant losses with tokenized fraud?” And looking at our velocity rules and things like that. Which again: it's all about scale. That's going to be a lot harder to do at the bigger financial institutions.

Yeah. I was actually speaking with someone, an expert on the e-comm side, about this particular thing. And I was like, “I'm uncomfortable with this one.” At first I called and I was like, “Hey, I want to talk through this prediction. I want your thoughts on this from the e-comm side. Like, what are you thinking?” And as we continued to talk, I got a message that said that they were talking with another e-commerce merchant and they were like, quote: “But how can we know if it's fraud if a Chinese person has a lot of cards in their Apple wallet? Like, is that how we're gonna figure that out? Because that won't narrow anyone down. Like, what are we supposed to do? You having multiple cards in your wallet, that's not unusual, especially if you're a corporate person and you've got a ton of digital cards from Ramp or whatever on your digital wallet.” And then the point was made, she's like, “Well, I kind of want to go talk to somebody at Apple and talk about this. I don't know if they're prepared for the storm that's about to hit.” And I was like, “Yeah, but I don't think they're liable. I'm pretty sure it's CFIs right now that are liable with it being contactless and how it was authenticated.” And she's like, “Really? I thought it was going to be because it was card-present on the Apple Pay wallet or the…” And we were like, “I wish.” I mean, they were supposed to authenticate the person and the cardholder. So shouldn't it be on them? But no, as it stands right now, it is liable to the FIs.

Yeah. I think that was part of it too. I've seen LFIs over the past couple of years, and rightfully so, focused so much on building out seamless customer experiences via digital banking, right? And we do need to go there. But what I always say is we need to be proactive, not reactive. So as we are building out a seamless journey in digital banking, because we know that's the direction that we're going, we have to in parallel at the same time be doing the risk assessments as much as we can, be thinking like a fraudster, and putting in the proper foundational controls. Does that mean that we're still not going to have problems and spikes and trends? Absolutely not. But that's where our ability to react in real time and be constantly monitoring and doing the analysis to be able to react quickly to the things that our foundational controls are not catching comes into play as well. And I think sometimes it's very difficult. I can't speak for a credit union, but I know in the LFIs, it is very much like: often build first and worry about the risk piece after. And we do have to allow room for that, but I do think it's crucial to budget and assemble the right team that can do that risk assessment and get those foundational controls in, in parallel as we're building, and then tweak and enhance later. And I don't see that happening.

One of my cliche statements: that's where there needs to be an understanding that fraud prevention is part of customer service. These customer surveys, there's a difference between a survey of like, “Would you like two clicks or one click?” Everybody's gonna say, “Oh, I want one click,” right? But then if you have even a pop-up, I'm just imagining it's a digital survey, everything's digital, right?, then there's a pop-up that says, “Well, if you have one click, it's a 75% chance increase that somebody else could also access your account.” It'll make that CX think about it. And because we're always stuck between the: “Did you let this happen?” versus “Stop blocking ABC,” you know? There needs to be a narrative shift of what customer service is in 2026.

I love that. It's giving transparency into: if you answer yes, this is what could happen. Exactly.

Phenomenal. I mean, this is why you're on the podcast, okay? This is why we wanted you here. And I wanted to also double click on what you said, Angela. I first of all thank you for saying exactly what you just said, that you think it's a large FI problem. Let me just assure you, credit unions did the exact same thing. We built first and then we asked later, “Hey Risk, why is this happening in this new product?” Well, I don't know. Did I get to look at it before you even marketed it to our customers? Because no, I didn't. Thank you for that. So yeah, let's put out the fire. Exactly. And then when you go and meet with the vendor and you're like, “This is not what you demoed to us. This is not the same. What is happening here?”

And then we have panic meetings with our vendors to fix things.

I can't properly risk assess when you're not giving it, like, I love whenever we would do the three-vendor process to look before onboarding. And it's like, okay, apples to apples, no, this is apples and pears. This is not even close. And it's like, they don't even offer a fraud service. Like, what are we doing here?

That could be a whole other conversation, Hailey.

Or that's on the roadmap for next year.

We're going to have another conversation about that, rest assured. But yeah, I appreciate that that's where you brought up the risk concerns, Angela, because it's true. There is oftentimes where we are in this build-first mode or “Hey, if we've never had digital issuance before, let's just turn it on.” Wait, our rules aren't prepared for that. We've got to do some testing first. Let's pilot it with employees. Let's do some testing. Don't just cut it on.

Yeah. And the other key thing beyond testing, because it's very difficult to test every scenario, is leaders understanding to put proper monitoring in place as well. I don't expect you to predict every scenario or be able to prevent every outcome. But if you put monitoring in immediately that alerts you when things are out of your reasonable threshold, that's a much more efficient and realistic way to operate. If you have the right monitoring in place, that's where you have the oversight to react quickly.

Love that and appreciate the perspective. Okay, Angela, I'm going to stick with you for a minute on this next prediction. They also talked about self-adapting AI fraud agents that shape-shift mid-attack. First of all, that sounds like a really cool action movie. But it raises a huge question. Are our models and controls built to recognize patterns, or to respond to something that's actively learning and changing mid-attack? From your seat in operational risk and external fraud, how do you think about that shift?

They should have always been, but they're probably not. I spoke a lot last year about the difference between standard pattern-detecting models and more advanced adaptive models. One of the biggest vulnerabilities I see is not enough focus on anomalies. We talked earlier about scams manifesting outside the bank. Customers authenticate, they move the money themselves, so it looks normal. But what should stand out is behavior that is abnormal, like a customer who has never sent a wire suddenly sending 16 wires in 24 to 48 hours. That should trigger alerts. This isn't new. If it feels new, it means we didn't prioritize correctly and now we're scrambling. Another issue is budget, prioritization, timing, and talent. There is a big difference between hiring someone who can talk about analytics versus someone who can actually build and execute advanced models. And maintaining models is critical. I've seen models layered to death, not maintained, and no one can make sense of them. Legitimate transactions get caught, fraud gets missed. Inventory management, model retirement, and understanding interactions are key. We're paying the price for cutting corners.

Love that. Go ahead, Karen.

One thing Angela referenced that's important is that AI agents don't have to go through all of the governance we do. Model risk management is here for a reason, but fraud needs faster reactions. Validation sometimes happens in production. The idea of espionage occurring with no human behind it is frightening. It really does feel like a movie, I, Robot becoming real.

This is scary. We're not talking rom-com.

We cannot let fraudsters be better at using AI than us. If we thought AI would take time to get here, we were wrong. We're in it now. We still have to fight fraud from five years ago while dealing with this. That's the reality. It's okay to admit where we are and help each other catch up.

That actually answers one of my questions. Does this feel like an evolution of existing threats or a completely different category?

It's both.

Where do you think organizations are most exposed right now?

All of the above. If I had to pick two: onboarding and payments. How did they even get into the bank? That often comes down to KYC and CIP failures, which is incredibly frustrating. And then payments, once they're in, we don't want money moving quickly because recovery is hard.

Payments and onboarding for me too. I also think we need to look at losses we don't always attribute to fraud, like loan charge-offs. Are patterns emerging? Digital banking allows anyone anywhere to apply. Are we seeing geographic anomalies? We need to collaborate across departments and question assumptions.

And what does KYC even mean anymore? If you block someone at DDA but they open a credit card, that's not helping. Name, address, DOB, SSN, that doesn't mean you are who you say you are anymore. The industry and regulators need modernization.

We also need to break down silos. Fraud, cyber, KYC, BSA should all be on the same call after major events. I rarely see that happen, and it absolutely should.

That’s exactly the conversation leaders need to be having. Before we move on, I want to go deeper on something Karen raised, agentic AI. AI systems that act on behalf of users, initiating purchases or transactions. Karen, are we closer to this than people realize?

Yes, we are closer. And I don't know what it will look like, that's why it's scary. How do we distinguish a legitimate bot from a malicious one? And then what do claims look like? “It wasn't me, it was my bot.” If bots buy at scale, what does that mean for liability? The regulations are customer-focused. Did you authorize the bot? These are huge unanswered questions.

We already struggle with authorized versus unauthorized transactions. Now add bots. It's muddy. If someone stores their card in Amazon and their account is compromised, we often have to treat it as authorized. These conversations are hard, especially at scale.

People don't realize how close this is. This isn't a 2030 problem. It's now.

We have to focus on what we can control and what we're accountable for, and be excellent at that. Thinking too broadly can distract us from solving what’s actually in our power.

I love that. Okay, last prediction: back to the branch. In-person verification returns. Are branches ready to re-enter the fraud fight as a control?

I’ve believed for years that at some point people will have to show up in person. Digital footprints can override real identities. But branches aren’t immune to fraud either. And we need to equip them properly.

We already lean on in-person validation, but fraudsters show up. Counterfeit IDs, intercepted checks, it happens. But often if we require in-person, fraudsters ghost us.

I want to caution us against going backwards. Branch networks are shrinking. If we rely too much on in-person, we create friction and operational strain. We need to stay forward-thinking and build controls that match how fraud is evolving, not revert to old models.

I love that. Before we wrap, open roundtable, what are we missing?

Regulatory accountability is coming. Regulators will ask: what controls did you have, and did they work? Saying “we did nothing” won’t hold up in litigation.

We focus too much on numbers and not enough on human impact. A $1,500 loss can devastate someone more than $50,000 depending on circumstances. We need to tell those stories.

Sextortion of young people isn’t getting enough attention. Especially with deepfakes. Even if someone did nothing wrong, the shame and fear are real. This is about human lives, not dollars.

I’ll share a success story. I had that awkward conversation with a teenage boy, and he educated his friends. One conversation turned into many. Keep talking about it.

Thank you all so much for helping relaunch Fraud Forward and for having this honest conversation. What will make a difference this year isn’t chasing every new threat, it’s questioning old assumptions, empowering teams, and evolving controls as fast as fraud does. Stay vigilant, stay informed, and keep moving fraud forward.