By John Hintze
HEAR THIS: Catch the latest on fraud with the ABA Fraudcast, hosted by ABA EVP Paul Benda. Follow on your favorite podcast app and at aba.com/fraudcast.
“When I’m in front of them, it’s very hard to ignore me,” Olsen says.
And the efforts are appreciated. A recent seminar focusing on scams aimed at the elderly was designed to last an hour but stretched to three as the bankers responded to attendees’ questions, such as whether fraudsters can steal their houses — in fact, fraudsters forging deeds to transfer property ownership is a growing scam.
“Now we’re scheduled to do another presentation there because this one was such a hit,” Olsen says. “We had about 30 people, and through word of mouth we will probably have closer to 100 the next time.”
His team also trains new bankers and tellers twice a month. Olsen says he applies the “community policing and broken windows theory” to banking, building relationships with the bank’s community and making sure that bankers and tellers alike are comfortable picking up the phone to call his analysts, and investigators and even him.
“The key to fraud mitigation and prevention is communication between the fraud team and the frontline folks, because without that, you’re going to have significant losses,” Olsen explains.
The approach has been particularly effective in alerting the Chicago-headquartered bank’s staff and customers about the evermutating forms of check fraud. Monitoring the so-called “dark web” for sales of its stolen checks, Olsen’s team has seen that fraudsters warning fellow scammers to try their schemes elsewhere.
“The fraudsters know these things,” says Stuart Feldhamer, principal and banking fraud practice leader at public accounting and consulting firm Crowe, adding that dark web participants typically share information about which financial institutions have the weakest and strongest controls.
Fraudsters ultimately choose targets based on the likeliness of successfully stealing funds while remaining as anonymous as possible, factors that vary from bank to bank, notes Patrick Smith, SVP of fraud operations management optimization at the American Bankers Association. While check fraud remains prevalent, even as check usage declines, the spotlight has turned to online fraud, where the use of artificial intelligence has dramatically magnified fraudsters’ abilities.
Fraudsters’ AI friend
Smith said that business email compromises based on machine-learning models — essentially first-generation AI — trick victims by using a limited dataset to generate impersonations of executives, trusted vendors and employees. These inherent limits constrain the longevity and effectiveness of BEC scams. The dataset of generative AI tools, by contrast, is virtually unlimited, and it takes leaps of logic to deduce what works or doesn’t, always refining its next attempts. Plus, LLMs can scour social media and other online venues for details to make email impersonations as well as deepfake voice and video calls ever more believable.
GenAI has also dramatically increased the effectiveness of now old-fashioned phishing emails by cleaning up their grammar and spelling, fortifying them with particulars and pumping out vaster volumes.
“What might have been 100 phishing emails all of a sudden is 10,000, and not only does it learn from its mistakes, but it anticipates mistakes,” Smith says. “That’s the big difference between AI and previous ML models.”
Missouri’s Jonesburg State Bank recently experienced the power of an AI-fueled phishing attack when fraudsters sent out thousands of texts to customers in the bank’s rural market that linked them to a fake a login page that requested their usernames and passwords. With that information, the fraudsters set about using Zelle, which the bank had recently adopted, to swipe funds from customer accounts.
“Fortunately, we had put safeguards in place, including a $500 limit that prohibited large amounts to be taken out. So we ended up losing only $7,000 before we identified the fraudulent activity,” says former ABA Chair Dan Robb, the president and CEO of Jonesburg State Bank.
Robb described the attempt as very technical and advanced because the fraudsters sent out the texts in waves, seemingly to avoid being overwhelmed when, at a certain point in the scam, customers had to interact with a live contact impersonating a bank employee.
Feldhamer recounts a recent BEC scam he recently heard about in which an email purportedly sent by the bank’s CEO was so carefully crafted that it successfully bypassed nearly every control and a significant sum was nearly sent. At the last stop in the fraud-mitigation chain, however, the institution’s CFO halted the payment because, while the CEO’s email checked all the boxes, it was sent at an unusual time of day.
“He knew the CEO’s behavior patterns, and it turned out he was correct and they stopped the payment,” Feldhamer explains.
Community banks’ advantage — for now
The greater familiarity among staff and customers of community banks may give those institutions an advantage over their large bank brethren as fraud escalates, although that’s likely to dissipate.
“As customers move ever-more into the digital world, banks, regardless of their size, tend to know their customers less,” Feldhamer says.
That means banks must rely increasingly on technology, also often powered by AI, for defenses. Traditional fraud detection and prevention relies on behavior analytics tools that spot patterns and customer profile deviations, and AI takes those tools to another level by incorporating a wider variety of data and even speculating on potentially new fraudulent schemes.
Nasdaq Verafin, for example, says its cloud-based software solutions “significantly reduce false positive alerts and deliver context-rich insights to prevent financial crime more efficiently and effectively.” Other independent vendors providing financial crime and risk and analytics services include Abrigo, RiskScout, Socure and Nice Actimize. Banks’ core technology providers such as FIS, Jack Henry and Fiserv also offer solutions, while the largest banks tend to develop their defenses in-house. But digital electronic tools are “really just one component of fraud defenses,” notes Toni Fennell, CRCM, a compliance risk expert at Ncontacts, “because banks still have to train employees and educate customers. In fact, that’s more important than ever.”
Training today extends well beyond a once-a-year event to updating employees after every new-variety-of-fraud event. AI will help weed out the false positives, Fennell said, but employees will still have to analyze the fraud to determine its impact.
“AI is not going to do that for us,” Fennell says, adding that while “old school,” the bank performing autopsies of fraudulent events remains critical: examining how they began and unfolded, where controls failed and changes must be made, and what education is necessary going ahead for employees and customers.
Balancing safety and service
Further complicating fraud prevention efforts, banks must balance the controls they put in place with customer service. Regardless of the safety benefits, limiting Zelle transfers to $500 per day will annoy some customers, as will freezing accounts to conduct fraud investigations. Ongoing education of customers about the banks’ fraud-defense measures should soften the blow, and establishing policies to communication with them in the event of fraudulent or potentially fraudulent activity is key.
Robert Farling, national risk and regulatory banking lead at West Monroe, recently had a conversation with an executive at a national bank who told him that besides efforts to identify and prevent fraud, his institution is examining from start to finish how its approach affects the customer experience. “How is the bank communicating? Are they keeping the customer adequately informed about progress in addressing and resolving the issue? It’s less about pure fraud defense taking a more holistic approach,” Farling explains.
Olsen says WinTrust’s customer-centric approach results in its bankers first reaching out to customers to determine whether there may be acceptable reasons for what appears to be unusual activity. Perhaps the customer bought a new computer that explains a new device ID, he said, or the customer really was in Nigeria on vacation or business.
“We always take that approach and make sure we’ve at least talked to customer before we do something adverse to his or her account,” Olsen says, “And if we see funds starting to go out the door, we’ll take steps to stop it.”
Elderly customers have become prime targets of fraud, such as deepfake telephone calls impersonating a friend or family member who claims to be in trouble and is requesting funds, says Robb at Jonesburg State Bank, while younger and middle-aged customers are falling victim to social-media scams. His bank recently teamed up with seven other community banks to publish a two-page, full-color ad in the local newspaper to alert community members to indications of potential fraud.
An immediate red flag for bank staff has been older customers entering a branch to withdraw several thousand dollars. Robb said that at times the fraudster has actually been on the phone with the customer to guide him or her through the transaction. To address such situations, which Robb said has happened at his bank upwards of 15 times over the past five years, the bank has developed a laminated placard for bankers and tellers to alert the customer that a scam is likely underway.
In one recent incident, a fraudster claimed to be an FDIC official and said Jonesburg State Bank was suspected of defrauding customers, and the agency wanted the customer to help in a sting operation.
“We actually called the FDIC with the customer, and the official there explained that the agency would never make such a request of someone,” Robb said.
Fewer checks but bigger dollar figures
While fraudsters are flocking to online fraud that they turbocharge with AI, checks remain a major concern for banks. Smith at the ABA described them as the “least secure way to make a payment.” No longer are fraudsters washing checks with nail polish remover; instead, they are using modern technology to replicate them nearly exactly. And while there are fewer checks in circulation, mainly because retail customers have shifted to digital payments, about a third of business-to-business payments are still conducted via checks.
Kristina Schaefer, CRCM, CERP, associate general counsel and director of government relations at $4 billion-asset Dacotah Bank in South Dakota, says customers still use checks to pay property taxes, the local snowplow operator and other payees for whom ACH or card payments can be difficult. She adds that banks should alert customers about the importance of examining their statements to ensure the payee on all cashed checks is correct.
“Unless the customer is ensuring that the $1,000 check written to the country treasurer was actually cleared by the country treasurer, it could put both the bank and the customer in a tough position if six months down the road the customer realizes it wasn’t the country treasurer that negotiated the payment,” she says.
In the case of banks’ retail customers, check fraud mainly stems from thieves stealing checks from mailboxes or otherwise and then selling them to fraudsters who may change their images, use the check information to order new checks, or otherwise procure deceitful payments. Educating clients about the risk is essential. Recommended steps — including those used in ABA’s free #PracticeSafeChecks consumer education campaign — are securing mailboxes, using mail holding services when on vacation, filling out checks completely with indelible black ink, and opting for electronic payments such as Zelle whenever possible.
Smith noted that while check use has diminished, the average check size has actually increased, largely because businesses than their retail customers to convert to electronic payments, despite the arrival of services such as the Clearing House’s RTP and FedNow. “Unlike electronic payments, once checks are in the mail, they are subject to theft,” Smith warns.
In fact, the electronic payment rails are highly secure, with related fraud typically occurring before the payment is sent or after its arrival. Unfortunately, customers’ comfort zones can be hard to change. Olsen recalls a vendor who fell victim to a BEC scam the first time his firm accepted an electronic payment, “and now he wants to go back to accepting only checks.”
Schaefer says her bank has looked at technology that compares signatures on current checks to customers’ past signatures, searching for differences that could indicate fraud. For B2B checks, she strongly recommends educating business customers about the benefits of positive pay. The software, offered by numerous vendors, is integrated into a bank’s check processing system and enables clients to ensure the details of a presented check match the issued check before approving the payment. “But make sure clients are cognizant of that fact that before their checks are paid they must log in to approve them,” she says. (For more on banks’ shift to positive pay, see “Is it time to kill the paper check?” in the May/June 2024 issue of this magazine.)
FCC to strengthen STIR/SHAKEN
On the telecom front, fraudsters are increasingly spoofing numbers that belong to banks, both through voice calls and text messages, requiring banks to spend significant resources on consumer education and post-incident resolution.
“It would be much more efficient if we could stop those calls and text messages in the first place,” says ABA VP Jonathan Thessin, senior counsel for regulatory compliance and policy.
In 2020, Congress passed the Traced Act, which required the Federal Communications Commission to establish a call authentication framework titled the Secure Telephone Identity Revisited/Signature based Handling of Asserted Information Using Tokenss call authentication framework, commonly referred to as STIR/SHAKEN. Fraudsters quickly found ways around the roadblocks, resulting in fraud losses estimated by the FCC at $196 billion in 2024 alone and prompting the regulator to propose steps to strengthen the framework.
“The commission should go further,” said ABA and a long list of other trade associations in a comment letter submitted at the start of this year. “We urge the commission to finalize rules that specify the steps that voice service providers (VSPs) that originate calls must take to comply with an existing rule that requires providers to take effective steps to ensure that it does not transmit illegal calls.”
“The organizations that are in a position to help us prevent people falling victim to the scams are organizations like the telecoms,” Schaeferadds. The trade associations’ letter proposes two main steps to shift much of the caller-authentication burden on to the VSPs. One would require them to complete more specific know-your-customer steps when onboarding callers that could include requiring the caller be a bonded business, have a legitimate physical address, and/or offer an actual product or service. A second proposal is for the FCC to create a database that VSPs could easily check to see whether a caller placing thousands or even hundreds of thousands of calls daily has lawful access to the number displayed on the recipient’s call ID display.
ABA’S Treasury check fraud tool
The U.S. Treasury Department’s Treasury Check Verification System enables banks to check the validity of federal paychecks, tax refunds, Social Security benefits and other payments sent via paper check by providing check-issue information to confirm checks’ validity. In June 2025, the ABA launched an online platform facilitating that process for its members, eliminating the need for them to build their own APIs, that also allows them to confirm the payee’s name, a feature unavailable on Treasury’s existing public-facing page.
Treasury checks are 16 times more likely to be subject to fraud, according to the Treasury, and so far, ABA’s tool has saved significant sums. Patrick Smith says that 75,000 checks that have gone through the system since June, and since October banks have self-reported 224 instances where the payee did not match, totaling more than $3 million.
“These reports come from fewer than 400 banks, representing about 18% of the banking industry,” Smith says. “Based on feedback, most institutions appear to be reporting only suspicious checks.” The Treasury Department has initiated what is likely to be a lengthy process of phasing out Treasury checks entirely — but until that day arrives, initiatives like ABA’s TCVS tool can help minimize losses on fraudulent Treasury checks. Learn more at aba.com/tcvs.
Thessin says VSPs receiving compensation per call have significant incentives to allow calls from fraudsters that a fortified STIR/SHAKEN framework could lessen. Some VSPs “pop out of nowhere,” and ABA data reveals that within a month they’ll be originating tens of thousands of calls, and in another month hundreds of thousands.
“It’s not credible for these providers to be onboarding legitimate businesses that are making calls at those volumes,” he explains, adding that regulatory action on the proposal is likely by summer.
Federal efforts to curb bank impersonation scams and other fraudulent advertisements over social media kicked off at the start of February with the introduction of the Safeguarding Consumers from Advertising Misconduct (SCAM) Act by Sens. Ruben Gallego (D-Ariz.) and Bernie Moreno (R-Ohio). The law would require online platforms to take steps to prevent fraudulent and deceptive ads and strengthen accountability when scams slip through by strengthening the FCC’s and states’ abilities to enforce violations of consumer protection laws.
“I applaud the introduction of that legislation, and I’m so glad that we’re talking about it at a national level now,” Schaefer says.
The fate of the bipartisan legislation remains unclear, but banks seeking to be proactive can assess their fraud systems now, verifying whether the behavior-analytics systems can incorporate fraud intelligence data generated by social media platforms and confirming that adequate controls are in place to manage fraud today. In addition, Fennell said, they may want to confirm their infrastructure can support compliance with any such law that emerges, including enabling potential information sharing partnerships if regulatory frameworks require or encourage it.
A new law that requires large social media companies to take a greater share of the burden to mitigate such fraud would come as a relief to bankers.
“This type of fraud has moved faster than I think our legislators have able to address it,” Olsen says. “The SCAM Act is a wonderful step in the right direction as far as holding social media to account.”
Contributing editor John Hintze reports extensively on financial and banking topics.
