Welcome to this week's episode of the Fraudology Podcast.
Well, I don't know if you've picked up on my pattern or not, but I've started to kind of go every other. So every other episode has a guest and every other episode has a solo episode with fraud news stories.
I hope that works for you. Let me know if you like that, if you prefer one more than the other. I'm always looking for feedback from you guys and really appreciate it when you reach out.
Today, there were too many news stories for me to go through, so I had to edit them down. And really, I focused on the ones that I think are going to impact the future of fraud, the ones that I think are going to help you do your job better.
It's something I, when I was working with the ambassadors for the Merchant Fraud Alliance, October 6th and 7th in Chicago. Please be there if you're a merchant.
When I was working with the ambassadors and talking about topics, one of them said they would love to understand what AI news articles to pay attention to and which ones don't matter, right?
Like which ones are going to help them do their job better and which ones are going to talk about either, you know, how AI is used to leverage fraud and commit fraud and create fraud attacks, and also using and utilizing AI to fight fraud.
And so I kind of was thinking about that when I was going through the news articles this week.
And the biggest headline, I think, is that the U.S. government has pulled Mythos offline. There's another one too that they pulled off and now I can't think of it. You're probably yelling it at me, Fable.
So they pulled Fable and Mythos offline, which were two of the most powerful AI tools that were identifying insecurities and, you know, vulnerabilities in cybersecurity and in fraud.
However, some cybersecurity researchers have said that this is actually going to create more problems for KYC. It's going to create more workarounds for the know your customer process for fraudsters to get around it, which will then impact fraud.
So that's going to be the first story that we talk about.
The next one is there's more statistics. This will be kind of a short one because we all know this already, but I think that the statistics are worth sharing.
There's more statistics on just the amount, the sheer amount of fraud and scams that occur on Meta platforms and how much they profit off of the ones that they know are fraud.
I talked about this on a previous episode a few months ago, that there was an article that came out that said that, you know, Meta marks these fraudulent advertisements or fraudulent profiles in Facebook, Instagram, WhatsApp, etcetera, but they don't act on them.
They just charge them more and they're, you know, profiting off of fraud and scams targeting consumers.
So we'll talk about that again.
There's also an update on the UK scams reimbursement laws. We talked about that like a year ago when they went into effect, but haven't really touched base on if they worked or not.
And I think there's a lot that the U.S. banks can learn, especially for APP fraud, you know, authorized push payment fraud.
It'll be interesting, I think, to know if this initiative has reduced APP fraud and how much, or if it hasn't and it's still increasing at the rate that it was before they put this in place.
But now that banks have to reimburse consumers, what does that look like and how is that working?
So I wanted to touch base on that because we had talked about that last year, and I think it's good to circle back on.
And then the last article that we'll talk about is that Google filed a lawsuit against a phishing group that was responsible for the theft of over 3.87 million credit cards. It's a huge phishing group and Google is suing them.
We can only hope that law enforcement will also get involved and shut them down.
But huge numbers for phishing, and the post I'm going to read talks a little bit about how that group works and how they're using AI to create phishing websites so much faster and easier and, you know, put out phishing text messages and emails, etcetera.
So we'll talk about that as well. Those are the stories that we're going to go over today.
But first, I thought I'd share kind of a funny little story that happened to me like an hour and a half ago.
I was literally sitting at my computer about to log into the recording website that I use or the recording software that I use to record this episode, and I got a phone call.
And it was from a friend that I haven't talked to in a few months. We try to go out to dinner once a month, but I have been traveling so much and she's been really busy.
She actually used to be my doctor, but we became friends and so I got a new doctor. She didn't text me before, so I thought that was weird.
You know, it's kind of like cold calling these days if somebody calls you before they text message you. So I was like, uh oh, something's up.
So I answered the phone and she had been a victim of credit card fraud and was kind of freaking out. So I talked her off the ledge and found out what happened.
She and her husband had received new credit cards because their bank had changed the name of the type of credit card it was. So it might have been a portfolio buyout or switch or, you know, movement. Who knows what the issuer was doing?
But it was one of the top three or four issuers in the U.S. And I know that for a fact that this is also happening to people that had Discover cards that are now being switched over to Cap One cards after Capital One bought Discover.
So this is happening, you know, a fair amount. Portfolio buyouts and things like that happen here and there or shifts.
You know, in this case, they were working with this bank already. They had a card issued from this bank already, but it was called something else, the type of card it was, like premier, executive, blah, blah, blah, whatever it was.
And so it changed, and they were sent new credit cards, put them off to the side, didn't think about them, didn't activate the card.
This morning, they received a few text messages saying that there was, you know, possible fraudulent activity on these new cards and they needed to call the bank.
She's actually listened to this podcast for years, which is just so funny. But she loves to learn and has learned a lot about fraud. I have definitely told her that is not a prerequisite to be my friend.
But she listens to the pod. I don't think she's listened as much recently, but she listened for like a good year, year and a half when we first kind of started becoming friends.
So she knew not to call the number on the text message. So she called the phone number on the back of the card, which I told her was the right thing to do.
She made sure that, you know, that card was really the right card in her name because she was thinking that maybe the card was fake and fraudulent. And I said that is really expensive and hard to do, to make it look legitimate and to have it work and things like that.
So, you know, fraudsters don't have to be that creative or that industrious. So that isn't what I would worry about.
But I would, you know, worry about other parts of the scam being, you know, maybe someone was texting you on behalf of your issuing bank as a phishing text message to get you to call and verify your credit card number.
So right thing to do to call the number on the back of the card, verify that that card was hers and that there were charges on it.
And she was very confused because it hadn't been activated. She hadn't activated it yet, and, you know, she had just received the cards. So how was there already fraud on it?
So I explained to her that it was most likely an enumeration attack. I think all merchants and banks are familiar with that term. But if you aren't, we also call it card testing.
Basically, when a BIN is reissuing hundreds of thousands of cards or even tens of thousands of cards, that's a great opportunity for fraudsters.
And they have their ways of, you know, she asked me how they would know that that was happening. And I was like, well, you know, it's possible that they have that credit card or somebody in the banking side, you know, mentioned it, or it came out in a banking trade email because BINs are public.
They're not, you know, private information.
So, you know, this new BIN was created and fraudsters scurried very quickly to try to fill in those last eight digits.
You know, BINs used to be six digits. So then they had to fill in 10 digits. Well, now they only have eight to fill in.
So they're just trying every number code most likely on a merchant website for, you know, a low dollar amount and trying the cards until they got one through.
And once they got one through, then they took it to other merchants online to make fraudulent purchases.
She asked how they would have her name and address. I explained that that isn't needed really. And they can make up any card name they want because letters are not verified through the authorization system, which in the year of 2026 still really frustrates me.
But I know that, you know, we're working on ancient code that is in DOS most likely still. And, you know, if we were to create a new payment system right now, it would absolutely verify those things, but we can only verify numbers.
So they wouldn't need that.
Not all merchants require AVS to have a purchase go through. And I actually usually advise that that's not, that's too much friction anyway. So they don't need those things.
And then she also asked about the activation. How were they able to place orders on a card that she hadn't activated yet?
And I explained that most issuers don't require activation anymore. They consider that friction. They may have a sticker on the card that says that, but some even just say don't worry about it, it's already been activated for you so you don't have to worry about that.
And even ones that say that you should call and activate, I've just gone ahead and taken that sticker off and used it right away and had no problems.
So most of the time, if you can use your card without activation, fraudsters can too, is my point there.
So they more than likely did that.
Well, it used to be that they would run scripts to do this, to card test and have enumeration attacks. Now they have AI.
AI is able to fill in the blanks really easily and you could even create agents to go ahead and card test if you wanted to. And I'm sure people have.
I had read a LinkedIn post a couple of weeks ago about the Discover to Cap One transition and how a lot of cardholders were seeing enumeration attacks on their cards. And the banks were as well.
Because, you know, somehow it got out what the new eight-digit code was or what the eight-digit BIN was. And they put them in the system and just tried different combinations of numbers until they got, you know, cards to go through.
So, you know, there's also the, I can't remember the name of the math equation, but they also know about that math equation, right? So it's something 10.
Oh my gosh, I can't remember it.
But the math equation that all credit card numbers have to go through. So that then narrows it down and they can put that into AI and say, I only want numbers that are positive for this math equation. So then that really narrows it down for them.
Recently, Visa put in enumeration thresholds for merchants. I kind of wish that they did the same thing to issuers as well. And they may have.
You know, I'm about to actually, when this podcast comes out, it'll be that day, I'm about to do a webinar with Anoush at Visa, who is the head of product for the VAMP program.
Well, she's also the head of product for the VIMP program, the Visa Issuer Monitoring Program. And most people don't know that that exists.
I really didn't know that that existed. I didn't know that issuers were monitored as well for fraud on their side.
So I mean, it's not, they're not monitoring everything that I wish that they could. But actually, Anoush and I started talking about it and she said that public comment for the new iteration of VIMP is coming up soon. So she's going to talk to me about that when that bridge, you know, gets crossed.
But anyway, I bring that up to say it's possible that issuers are being held to account on enumeration as well because, you know, they're obviously seeing it on their end too.
They're seeing, you know, bogus card numbers being pinged on their network. They're seeing high declines on card numbers of theirs, like just all of those things.
And so, you know, they can see enumeration attacks as well, but so can merchants.
So now there's a threshold for merchants that when the, I can't remember the exact math equation or what the threshold is, but there is a threshold for if it does appear that there's an enumeration attack happening at a merchant, you know, they're getting hit with card testing left and right and it's a specific percentage of their sales, then they could face fines or even closure and their acquirer gets involved.
So I do know that Visa and this program just started this year or last year maybe when VAMP started, and I think that's a good thing that they're trying to crack down on card testing.
We've only had it for 20 years. So it's great that they're doing something about it. It holds merchants accountable, the merchants that either don't know about card testing and don't know what to look for and what to do about it.
But it also, you know, provides education for them on that. But then in addition to that, it means that people are looking at that, right? They're paying attention to that number and trying to get it down.
So that is my story about my friend. You know, really it was no harm, no foul. They issued chargebacks on her behalf.
She was even too nervous to provide her address for verification to the bank so they could send her a new card. In fact, she said, I don't want another card. You can keep it.
So I suggested if she wanted to close that credit line that she should call them back with that verbiage. But otherwise, it's just an open credit line that she's not using.
But it's interesting to me sometimes how much victims of fraud, even when they don't lose their own money, feel violated.
And they feel that violated when a card number issued in their name is used without their permission.
It just amplifies how much it impacts victims when it is their money and they are held responsible, whether it's authorized push payment fraud, whether it's phishing, whether it's whatever, it's the crypto investment scams.
Trying not to use the word that the Chinese made up for it because I know that some victims really don't like that.
But it's the type of fraud that Erin West really has dedicated her career towards, as well as Gary Warner, which hopefully I'll have him on the podcast one day.
I'm just going to keep pinging him until he finds availability.
If you don't follow Gary on LinkedIn, I don't know how you get any fraud news. He's just great. He runs Dark Intelligence for Good, and they research a lot of dark web and, you know, Discord and Telegram channels of fraudsters.
And then he does a really good job of explaining what they're doing and how they're accessing information.
So anyway, all of that to say that that was how I started this episode before I even pressed record.
I am sure that if you're also in fraud, which most of you are, you probably have answered similar calls like that.
I call myself the fraud phone a friend. A lot of times it's my mother asking me like, should I click on this link or should I, you know, respond to this letter? And it's usually, the answer is no.
But every once in a while, if a friend or a friend of a friend gets hit with fraud, I get a call, and I'm sure you guys do too.
All right, that's it for fraud story time.
I'm going to dive into fraud news now.
As I mentioned at the beginning of the episode, Mythos, as well as, why did I forget its name again? See, it's one that I've never used before, Fable, and I wasn't familiar with. But Mythos and Fable were pulled offline last week by the U.S. government citing cybersecurity concerns.
And there's a really good article. It's on infostealers.com. I'm not familiar with that website, but it's obviously, you know, having to do with cybersecurity and fraud, cyber fraud.
But the title is, The Pulling of Mythos Offline: Why AI KYC Will Fail to Stop Cybercriminals.
Then it provides a screenshot of the statement on the U.S. government directive to suspend access to Fable 5 and Mythos 5.
And I guess this is a blog article, but it's really fascinating.
So the sudden U.S. government export controls pulling Fable 5 and Mythos 5 offline are already driving a significant surge in the cybercrime underground.
To comply with these new restrictions on foreign access, frontier AI labs are expected to implement financial-grade know your customer identity verification.
So in order to make sure that no one outside the U.S. is accessing these systems, they have to implement financial-grade KYC.
This regulatory shift creates an immediate, highly profitable monetization vector for darknet vendors.
Threat actors have spent years refining methods to bypass bank-level identity checks using synthetic identities and mule accounts, and they are already adapting these frameworks to target AI platforms.
The cryptocurrency ecosystem serves as a direct and undeniable precedent for this failure.
For years, crypto exchanges have attempted to gatekeep access using strict KYC and AML procedures, only to face relentless circumvention from dedicated cybercriminal operations.
Then it shows a screenshot from Telegram. I can recognize that background anywhere, and it's a post from a fraudster that says KYC is completely flawed and easily available.
KYC is just a honeypot for regular users because of breaches and insiders and is useless in the majority of cases due to purchased accounts.
That's from a prominent blockchain investigator, ZachXBT, highlighting the systemic failure of KYC procedures in preventing illicit actors from accessing regulated platforms.
And then there's a text saying KYC is a complete joke. Lazarus and other criminal orgs launder funds through many of the top crypto exchanges with fully verified, in quotation marks, accounts.
A common bypass method relies entirely on existing infostealer malware infrastructure.
Compromise logs from infostealers like Luma, Vidar, and Redline regularly capture active session tokens, cookies, and saved credentials for vital infrastructure platforms including Claude and OpenAI.
An adversary in a restricted jurisdiction can purchase these stolen logs from underground shops for nominal fees. Importing these valid cookies allows them to hijack a legitimate user's active session, entirely evading the platform's onboarding KYC and multi-factor authentication checks.
That's a lot like Starkiller that we talked about several months ago, where they're able to hijack cookies and tokens and sell those. And that allows the fraudsters to join that session by a legitimate user that had already passed KYC and already passed 2FA.
So, you know, not surprisingly, that's why we covered it on the podcast. These types of crimes are happening at a rapid rate and there's a lot more about it.
Then there's a screenshot of Hudson Rock Intelligence showing over 30,000 corporate credentials related to OpenAI harvested from infostealer infections.
Sorry about that. It's really small writing and it's in italics. Maybe I'm getting older because I'm having a hard time reading that.
Providing a massive attack surface to bypass identity verifications.
And then they show active session cookies for Claude AI retrieved from infostealer logs. Threat actors import these directly into their browsers to execute seamless session hijacks.
Beyond session hijacking via infostealer infections, the darknet has already housed a mature structured market for pre-verified accounts and identity manipulation services.
Threat actors actively trade bypassed accounts on dedicated cybercrime forums, treating access to restricted models as a standard, highly liquid commodity.
Initial access brokers simply create the accounts using illicit methods and then sell the login details to buyers globally, and then show screenshots of those for sale, you know, on ChatGPT, on Claude, on others.
When basic mule accounts are insufficient, cyber criminals turn to advanced synthetic identity fraud. The underground economy offers specialized services for deepfake generation and real-time voice manipulation specifically engineered to defeat biometric liveness checks, the very checks frontier AI labs will rely on to enforce border restrictions.
So they're saying, you know, these things are already being worked around and there's already so many workarounds to KYC on the bank-level KYC requirements that this is going to happen to this AI company as well.
I would say it's going to depend on which vendor they use because some are better than others at catching these, but they'll still have these risks for sure.
Then it shows advertisements on the dark web of threat actors advertising sophisticated deepfake and voice manipulation software designed to bypass KYC verification processes.
The tool features real-time face swapping, voice changing, and virtual camera capabilities for use in identity verification systems.
Coupled with a widespread availability of stolen passports, driver's licenses, and government identification documents, bad actors possess a complete, inexpensive toolkit to fabricate verified identities on demand.
The infrastructure to bypass these impending AI restrictions is already built, tested, and highly profitable.
Mandating identity verification forces AI research organizations to collect and store massive volumes of sensitive personal information, including passports and biometrics.
That depends on which vendor they use because not all of them have to store it locally, and a lot of them don't.
These databases represent high-value targets for network intrusions. When these repositories are inevitably breached, the stolen data will be funneled directly back into the cybercrime ecosystem, providing the exact credentials needed to fuel further identity fraud and access bypasses.
That was a blog article written by Hudson Rock. I follow their CEO. I know they're an intelligence company.
Yeah, so that's depressing.
And we were already worried about Mythos because it was identifying so many vulnerabilities on websites.
I mean, it was identifying hundreds of vulnerabilities in, you know, different flows and risk stacks for cyber criminals.
And, you know, researchers had said this is really dangerous. This is scary because it can find things that a human never could have, and it's finding them very quickly and at scale.
And if we can do it as researchers, cyber criminals can do it too.
So that's the main reason why Mythos and Fable 5 were taken offline in the U.S. and restricted to U.S. users.
But the whole point of this article is saying, you know, unfortunately, if they're relying on the existing KYC functions of a bank-level IDV, then that can be worked around, you know, by session injections, by deepfakes, voice cloning, etcetera, phishing scams, you know, to get 2FA numbers, like that type of data, that type of thing.
So I think that that's really scary and something that we need to be aware of.
I don't know if Field AI and other AI companies that have Mythos and Fable and anything else, or any other types of tools with that kind of power, I don't know if they are even using IDV or KYC right now.
So I guess that's a really good opportunity for solution providers that offer those services. But they definitely should.
But as we know, fraud prevention and risk stacks should always have layers.
You shouldn't just verify on an IDV verification system. And there's at least two IDVs that I know of that do a lot more than just the document verification.
They're looking at so many other things about the session that they're able to identify remote desktop being used. They're able to identify, you know, when sessions have been hacked and compromised.
So if I were advising Field AI, those are the two companies that I would tell them to talk to, the companies that are not just doing identity document verification, but the ones that are doing, you know, looking at every single part of the user flow to identify risk.
All right, well, the next story is, you know, more statistics on fraud and scams that are occurring on Meta platforms.
And this is kind of, I used to listen to a radio show back in the day, you know, before there was Spotify and all of that, that when I worked for Expedia, I had to commute like over an hour each way from downtown Seattle or West Seattle where I was at.
And it was in a town. Expedia was in a town called Bellevue at the time. They've since moved into downtown Seattle. And I'm like, oh, that would have been nice.
So for a year, I commuted that much. And honestly, my choice to leave, you know, even with the offer of a promotion was in part because of the commute.
But anyway, the commute isn't the part of the story. The part of the story is this radio show I used to listen to, and my husband listened to it too, around the same time.
So we'd, you know, come home and talk about the funny things that happened on it or, you know, what they talked about, etcetera.
But they had this segment called No Shit Sherlock. And it was they would read headlines that you were kind of like, yeah, no shit, Sherlock. Like, you know, oh, attention, the sky is blue.
Yeah, okay. I think we've all read headlines like that where you're just like, yeah, I already knew that.
I think that reading an article about, you know, more how fraud and scams primarily originate on Meta platforms is kind of a no shit Sherlock.
But I still think it's important and to be aware of.
I'm not going to read the entire article. This is from AML Intelligence, but I'm going to read a fraud researcher's post on LinkedIn about that article.
So he said it's not news that plenty of fraud originates online. It's hardly surprising that much of that originates on platforms and marketplaces that millions, if not billions of people use.
What is surprising to me at least, is that so much fraud originates on platforms controlled by one company.
According to, you know, Lloyds Bank in the UK, 68% of the fraud reported by Lloyds customers was started on a Meta platform.
So it began with a fraudulent advertisement or a phishing message, or, you know, ATO on a profile, or, you know, so many other options, all those different things on either Facebook, Instagram or WhatsApp. 68% of all fraud for this bank originated on those platforms.
Banks are getting so fed up that they're calling it out publicly. I've seen a handful of articles recently where that's happened. I think Lloyds was one of them.
Meta earns an estimated $16 billion, not million. That's with a B, from ads it believes to be fraudulent, according to internal Meta documents reported by AML Intelligence.
That was what I talked about a few weeks or months ago. I don't know. Time is a construct to me.
But as I mentioned at the top of the hour, you know, it was discovered through these internal documents from Meta that they are very much aware of the ads and the account takeovers and, you know, all the fraud tactics that happen on their platform.
They're looking at everything.
I mean, if they can provide you with a very specific ad. I mean, the fact that my husband likes to ride his motorcycle and then because we use the same Wi-Fi, or because he talks about it with me sometimes, I don't know which one, but I've certainly never searched anything about motorcycle equipment or, you know, accessories or whatever.
But I'm getting targeted ads when I log into my Facebook to join a group or read a group. You know, that's usually the only thing I use Facebook for these days, are the groups that I'm a part of.
When I log in and I see targeted ads for things that he might want, that I have no interest in whatsoever.
If they can tell that, if they can, you know, really tailor ads very specifically to you, then they have enough metadata to be able to identify when fraud is happening.
And they do. And what those internal documents showed was that they're profiting off of them.
When they see that ads specifically are fraudulent, they up the fee to the fraudster. And most fraudsters have learned not to use stolen credit cards when they're paying Meta because if they do, then they'll be shut down.
So they use, you know, legitimate payment methods for that and just keep getting to do it over and over and over again for all types of scams.
Crypto investment is some of them, but there's so many others.
So I think that's just worth stating again, that they earn an estimated $16 billion off of fraud and scams happening on their platforms.
So there's no incentive to stop it unless governments get involved, which I don't have high hopes for that. I hope that that could happen, but I just, I've been around in this world long enough to know that we shouldn't hold our breath.
And then governments and police don't appear to be able to do anything to prevent or at least reduce this problem.
Then he asked, what am I missing here? Is the problem that other governments no longer wish to take action against American companies because of the Trump administration's aggressive approach on tariffs, or is it something else?
So that was just, you know, the stats. I think the one that I really wanted to call out was the 68% of all fraud reported by Lloyds customers came from, you know, Facebook, Instagram or WhatsApp.
That's just insane. They could cut their fraud by 70% if Meta did something about it.
And that goes back to just all the talk we've had about the fraud ecosystem and how most of the time fraud doesn't just happen on one platform.
You know, usually there's a telco involved and there's, you know, a marketplace involved or a platform or a bank, or, you know, all the things involved in every single company that's involved in the scam ecosystem should be responsible for the fraud that occurs on their platform.
Even if it's not fraud that they consider fraud because they're not getting a financial loss on it.
You know, Facebook doesn't really consider all of these ads, you know, promoting crypto investments and promoting all these other, you know, fraudulent products and everything else they do. They don't consider that fraud because they aren't receiving a chargeback.
They're receiving a positive amount of income, so they have no incentive to shut that down or stop it until or unless a government gets involved.
And it would have to be a large government, preferably the U.S., but I think even if I, I know that the EU and UK have tried to combat some of this and have reduced some of this, but not enough to make Meta change their ways.
And while they are a, you know, multi, multi billion, if not trillion, well, they're not a trillion dollar company, but, you know, multiple billion dollars, and $16 billion is nothing to sneeze at.
So they're just not motivated to take it off their platform because to them it's a net positive.
So I don't know, maybe today I'm just making, hopefully I'm not making everyone depressed and angry with these stories. I think it's important to be informed.
Let's have a tiny bit of good news, shall we?
The UK, you know, last year or the year before, I can't remember when they put it into effect, they changed the liability for consumer-related scams.
So, you know, up until that point, if a consumer lost money due to, you know, APP fraud, then, advanced push payments fraud, then they weren't able to recuperate it.
It was within the last two years that the UK government said, hey, banks can identify, similar to Meta, can identify when fraud's happening more than they're doing now because they're not losing any money.
They're not investing in identification of fraudulent behavior or suspicious behavior on their users' accounts.
They're not investing in as much technology as we think that they should to be able to tell them when, you know, someone who's never sent a wire before all of a sudden sends a $100,000 wire to another country, or, you know, someone logs in and transfers my, you know, or this person has never used crypto a day in their life and they now are, you know, transferring all of their retirement fund into a crypto fund and transferring it to a crypto platform.
You know, they can see those types of things, but they weren't acting on them because again, it wasn't a loss for them.
Now, were they fielding calls and was it impacting their customer service line of people reporting this fraud and being very distraught because it was their own money? Oh, absolutely.
But it was starting to become a bit of a PR problem for those banks and the U.S. banks have had that too.
But at the end of the day, it was kind of a shoulder shrug and said, well, you know, that's on you. You need to be better at, you know, safeguarding your money.
And the UK government stepped in and said, no, banks now have to reimburse consumers for the fraud. And they split it 50/50 between the recipient bank and the sending bank.
So both banks had to pay up.
So if, you know, the bank sending the wire sends it to another bank, then both of those banks are required to identify fraud. They're required to invest in the technology that is able to detect this type of fraud.
So what happened since that happened?
Because I remember talking about this and speculating and talking with experts on the podcast about this law coming into effect.
And, you know, banks were really nervous about the amount of money they'd lose. And, you know, consumers were excited. Well, consumers in the UK were relieved.
I guess excited isn't the right word, but they were relieved.
However, nobody really knew what was going to happen. And a lot of regulators in the U.S., maybe not a lot, but there were several regulators in the U.S. that were watching this pretty carefully because, you know, maybe this is a blueprint for us to go through.
I remember talking to the Federal Reserve as well as the, oh gosh, I cannot remember the name of that organization, but it's a government organization. It's nonpartisan that does research for the Senate.
There was a research project on scams, you know, that they were looking into, that they reached out to me for comment on, and they specifically mentioned this law and said, you know, we're looking at this to see if this is what we need to recommend to the Senate to create a law.
Now, currently, our Senate isn't really doing a lot and making a lot of laws. That's not a political statement. That's just kind of an observation.
So I don't think any action has been taken on this. I mean, perhaps a senator has written a bill, but I don't, I certainly haven't heard of any going through around this. I think we all would have heard that by now, but there were definitely recommendations made.
So what's the good news, Karisse?
Well, over 15 months of mandatory reimbursement, 89% of in-scope losses have been returned to victims. Q4 claim volumes fell 13% from the previous quarter and consumer caution rejections remain negligible at 3%.
On its own terms, this dashboard tells a positive story, but the industry's view of the same period looks a little different.
UK Finance's H1 2025 report showed APP losses up 12% year on year despite falling case volumes, with investment scam losses up 55% and romance fraud up 35%.
Fewer cases but higher average losses. A compositional shift toward long-gestation social engineering that plays out well before a faster payment is initiated.
The 2026 UK Finance Annual Fraud Report will provide the industry's full year of 2025 perspective. If the H1 trajectory holds, APP losses for 2025 will reverse the downward trend recorded in 2024.
So while they were going down, they're thinking that 2025 is going to go up.
That would be a significant data point arriving just as Frontier Economics concludes its independent review of the PSR's APP fraud policy program due to report by Q3 2026.
The review's central question is not whether reimbursement rates are high, it is about whether the policy has reduced fraud and, crucially, the amount of money that ends up in criminals' pockets.
The dashboard and the UK Finance data read together suggests that the question remains genuinely open.
The UK Finance Key Conversation Fraud 2026 event on Monday, at which the full year report is launched, will provide some answers.
So I guess this wasn't as much good news as I thought.
I truthfully skimmed this and I saw the top part where it said that, you know, losses have been reimbursed and that claim volumes fell 13% for the previous quarter, and I was like, wow, that's great.
So there's less claims happening because of this. You know, more banks are doing more due diligence on these. And so, you know, there's less claims happening.
But as he goes on to explain, that's not necessarily the case.
When you look at the big picture, there's still just as much money being lost. It's just more social engineering scams that are working, taking longer to go through the process, right?
So they're longer scams than they saw before to get to that APP fraud.
So maybe reimbursement isn't the answer. I don't know what is.
I mean, it's possible that the U.S. has been doing, and this will be covered on the next fraud news episode because I just had to cut off the headlines, but the U.S. government is trying to tackle, you know, the Justice Department is trying to tackle international fraud rings and scams.
And they've been successful to a certain extent. And, you know, maybe that's the way that it needs to happen, is through law enforcement intervention.
There's just, you know, through a task force that's been created.
I don't know what's going to get stopped. But it's also, you know, I think it's also worth asking of these metrics and of that post that I just read.
Is it that the fraud hasn't really changed or is going up a little bit because of these laws, or, you know, because they're not working because the banks aren't, you know, able to detect this as much as they thought that they could or whatever else?
Or is it that these scams are on the rise, continually increasing so much? So even if you do go backwards a little bit and you stop some of the fraud, it's going to continue to be the same because maybe you stopped 20% of the fraud, but you're gaining, you know, there's 25% more fraud happening in the first place.
You know, it's kind of about two steps or one step forward, two steps back, or two steps forward, one step back. However you want to look at it, it's just something to be aware of.
This next article is a little bit more, it is a little bit of good news because I always like it when, you know, some retaliation or not retaliation, but retribution occurs towards fraudsters.
So Google's newest lawsuit is against a phishing group that calls themselves Outsider.
According to court filings, they and their customers have made 9,000 phishing websites since July 2023, leading to the theft of 3.87 million credit cards and at least $1.9 billion in USD stolen.
Robert McMillan's Wall Street Journal coverage pointed out that some of these websites were created using Google Gemini. He also discusses the AI-driven BEC, or business email compromise campaign tool Ghost Hacker in the same story.
The Outsiders Telegram channel is quite active, filled with other criminals who have sub-specialties in phishing.
Their Telegram bot, the same as the Sailor phishing bot I've previously mentioned, this from Gary Warner on LinkedIn, allows a search of what templates they offer.
They have at least 47 DMV toll road phishing templates, but their big focus currently is rewards points phishing, including the T-Mobile Rewards phish that I shared the walkthrough of earlier.
In the images below, you can see me navigate to their bot and search for points in quotation marks, 69 phishing templates found, and DMV, 49 phishing templates found.
Their Telegram channel has specialized phishers, such as Mario, who does Japanese phishing. And I cannot even try to say that username, but someone else who specializes in U.S. and UK banking phishing.
So these are tools that are, you know, this is a platform in Telegram and an organization within Telegram that is providing the tools for people to do text message phishing, or smishing as they say, as well as, you know, for toll road or DMV charges or, you know, those talking about points.
So that was really what I wanted to, you know, highlight was that this is bad, but it's good that Google has identified them and is targeting them.
Now, without law enforcement, without really the stick of law enforcement, are they going to be able to capture them or, you know, stop them?
Well, not really, but they can, you know, issue notice to them that they are on notice and that they see them, and they can try to civilly sue them.
And that has been effective in some cases within cyber fraud in the past.
I had an Amazon employee about a year ago, well, he's one of the employees, he's like the leader of his department, but he was talking about how they were working hard to either civilly sue or work with law enforcement to prosecute large cybercriminal organizations that were selling counterfeit items on their platform.
And it had been really effective.
So I thought the scope and the size of how much this one group that provides fraud-as-a-service tools to fraudsters to commit phishing scams was interesting.
I mean, 3.87 million credit cards being phished and, you know, over $1.9 billion being stolen, that's significant.
I wanted to see if I could grab his post about points and how, you know, points are being targeted, but that's not the right link.
All right. Anyway, not important.
Well, it is important, but I'll try to find it for next time to talk about the new phishing attack for points, for loyalty points.
If it's going to be taking over the toll road and the DMV phishing text messages, then I think we should be aware of it. So I will cover that in a future episode.
Well, guys, I talked for almost an hour. Thanks for listening to all of that.
I think the headline is that there's a lot going on and there's more fraud coming every day, especially because of AI.
And I know that there's added stresses because we're all seeing people get laid off because of AI.
Do your best to provide documentation and statistics to your senior leadership of all the work that you're doing.
You can also use any of these articles to say, hey, fraud is increasing at a rapid rate across banks, across e-commerce companies, across crypto platforms, all of these things.
We need to stay on top of it, if not to reduce fraud, to at least keep it to the same amount and keep it contained so it doesn't get out of control.
I can't tell you how many companies I've seen over the years lay off a fraud leader or change their vendor because something else looks shinier or implement the vendor wrong or whatever it is, and they just see fraud skyrocket.
So if you're, you know, it's important to at least keep what you have so that you can keep it controlled.
Those are just kind of my final thoughts.
All right. I will be back next week with a great guest, and I will talk to you then.