AI-Enabled Authorized Fraud

Banks and payment companies are racing to stop a kind of scam that looks legitimate to their own systems: customers are tricked into approving the payment themselves. (forbes.com) The pitch is simple. Instead of hacking an account and forcing a transfer, criminals use artificial intelligence to mimic a boss, banker, recruiter, or government official and persuade the victim to send the money. (forbes.com) That makes the payment appear “authorized,” even when it was induced by deception. Forbes reported on April 22 that attackers are exploiting the gap between cybersecurity teams, fraud teams, and payments-risk teams, which often work in separate systems and budgets. (forbes.com) The losses are already large. The Federal Trade Commission said consumers reported losing more than $12.5 billion to fraud in 2024, up 25% from 2023, and imposter scams alone accounted for $2.95 billion. (ftc.gov) The Federal Trade Commission said 38% of people who reported fraud in 2024 said they lost money, up from 27% a year earlier. It also said bank transfers and cryptocurrency were linked to more reported scam losses than all other payment methods combined. (ftc.gov) The same pattern is showing up in cybercrime data. The Federal Bureau of Investigation’s Internet Crime Complaint Center said reported losses hit $16.6 billion in 2024, a record, with fraud making up most of the losses. (ic3.gov) Traditional fraud controls were built to catch stolen credentials, malware, or unusual account takeovers. They are weaker when the customer passes identity checks and clicks “send” after a convincing phone call, text, or video message. (forbes.com) Payments groups are now rewriting rules around that problem. Nacha, which governs the Automated Clearing House network in the United States, said fraud-monitoring rule changes for credit-push payments take effect in 2026 and require risk-based monitoring by originators, third-party senders, and banks. (nacha.org) Nacha said those controls can include velocity checks, anomaly detection, behavioral tolerances, and pattern recognition. It set March 20, 2026, and June 20, 2026, as implementation deadlines for different categories of ACH senders. (nacha.org 1) (nacha.org 2) Companies are also spending on machine-learning tools to spot scams earlier. Mastercard said organizations lost an average of $60 million to payment fraud in the prior year, and 42% of issuers in its survey said artificial intelligence tools saved them more than $5 million. (mastercard.com) The pressure is growing because the attacks are getting cheaper to run and harder to distinguish from normal business. Verizon said exploitation of vulnerabilities rose 34% in its 2025 Data Breach Investigations Report, a sign that criminals are combining technical break-ins with social engineering and payment fraud in the same campaign. (verizon.com) The old test was whether a transaction looked valid on a screen. The new test is whether the person approving it was manipulated before the money moved. (forbes.com)