- Key insights: Consumers are willing to accept some inconvenience in exchange for safety.
- What's at stake: Major types of payment fraud include account-takeover fraud, card-not-present fraud, new account fraud, synthetic identity fraud, authorized push payment (APP) scams, and fraud related to agentic AI.
- Forward look: New forms of technology such as agentic AI are complicating fraud risk.
There's a new twist in the perennial tug of war between protecting consumers and keeping payment fraudsters at bay. Banks' fears of consumer attrition due to fraud controls may be overstated.
A Javelin Strategy & Research
The findings suggest consumers are becoming more tolerant of fraud controls. "Consumers are a little more accepting of friction than I think banks realize," Suzanne Sando, lead analyst in Javelin's fraud management practice, told American Banker. "They're growing more okay with it because they understand the purpose of that friction is to protect their accounts and protect their payments."
Major types of payment fraud include account-takeover fraud, card-not-present fraud, new account fraud, synthetic identity fraud, authorized push payment (APP) scams, and fraud related to agentic AI.
Banks need to remain vigilant, even as Javelin data show the combined impact of identity fraud and scams in 2025 dropped by $9 billion to $38 billion compared with 2024. Here are a few areas where fraud professionals say banks should direct their attention:
Agentic commerce
Last year Visa and Mastercard launched new agentic AI payments tools, and they are
Banks have expressed hesitation around security and the unknowns with agentic commerce. Consumers also haven't completely caught on. A
Nonetheless, if agentic commerce increases as expected, there's likely to be more related fraud. "That's going to be a big part of what we see in fraud trends in the years ahead," Sando said.
One of the challenges for banks is distinguishing between good bots and bad bots, Alisdair Faulkner, chief executive and co-founder of Darwinium, a fraud prevention platform, told American Banker. "Banks are having to rethink their entire risk strategy from an agentic perspective," he said.
There's also a concern about a potential increase of friendly fraud with agentic commerce, Ranjita Iyer, executive vice president at Mastercard, told American Banker. Mastercard has been working on a feature dubbed "verifiable intent" to confirm the cardholder authorizing the AI agent, capture the consumer's specific instructions, and record the interaction between the agent and merchant. In a dispute, there's a clear audit trail, according to
Card-not-present fraud
E-commerce is continuing to grow, so you would expect CNP fraud to grow in absolute numbers, but the "rate of growth is lower than it used to be," Iyer told American Banker.
While this is promising, there's also evidence that fraudsters are getting more patient. Their schemes don't necessarily have to bear fruit in a day or two. "They can wait for months and months, sometimes," Iyer said.
One example of this is called "bust-out" fraud. Fraudsters create new accounts, get a credit card, make small transactions, and maybe even pay their balance a few times—just long enough to slip under the radar. Eventually, "fraudsters go to town with the credit card," buying a bunch of things and disappearing, Iyer said.
Authorized push payment fraud
APP fraud occurs when victims are socially engineered into voluntarily transferring money to fraudsters posing as legitimate payees or institutions. The majority of this fraud, which originates on social media, continues to vex U.S. banks, in part because regulation isn't as robust as it could be, Oliver Hanmer, head of U.K. financial crime at Capgemini, told American Banker. Losses from APP fraud in the U.S. are expected to grow to between $12 billion and $18 billion by 2028, according to a Deloitte
Stricter regulation could help, said Hanmer, who developed the U.K.'s mandatory reimbursement system, implemented in October 2024, for people ensnared by APP fraud. Responsibility is split 50-50 between sending and receiving banks, Hanmer said.
Australia has also adopted the system, and last year the European Union agreed to rules imposing financial penalties when banks don't have strong fraud controls, said Hanmer, former head of supervision and compliance monitoring and a member of the executive team at Payment Systems Regulator, the U.K.'s economic regulator of payment systems.
When the U.K. was developing its system, the U.S. considered a similar approach, but pushback by banks sidelined these efforts, Hanmer told American Banker.
Another measure that's helped in the U.K. and elsewhere is a service called "Confirmation of Payee," which allows payers to validate that the name they enter matches the name registered on their intended recipient's bank account before completing a payment. If a bank identifies a potential concern, consumers are alerted and asked whether they want to proceed. A similar system is being rolled out across the EU, Hanmer told American Banker.
The system makes it more difficult for less sophisticated fraudsters to defraud people, and it gives customers an extra layer of confidence that they're paying someone legitimate. There's also an effect on fraud detection because if the scammer's name is tied to the account, there's a potential paper trail, Hanmer said. "It makes a massive difference."
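The name check and the alert-then-confirm step described above can be sketched as follows. This is an added illustration, not code from any bank or payment scheme; the normalization rules, the intermediate "close match" tier, the 0.80 threshold and all function names are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed values for illustration; a real scheme defines its own matching rules.
CLOSE_MATCH_THRESHOLD = 0.80
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "mx"}


def normalize(name):
    """Lowercase, strip accents, punctuation and honorifics, and sort the tokens
    so that 'ALVAREZ, JOSE' and 'Mr. José Álvarez' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return sorted(t for t in tokens if t not in HONORIFICS)


def check_payee(entered_name, registered_name):
    """Compare the payer-entered name with the name registered on the account.
    Returns (outcome, score); outcome is MATCH, CLOSE_MATCH or NO_MATCH."""
    entered, registered = normalize(entered_name), normalize(registered_name)
    if not entered or not registered:
        return "NO_MATCH", 0.0
    if entered == registered:
        return "MATCH", 1.0
    score = SequenceMatcher(None, " ".join(entered), " ".join(registered)).ratio()
    if score >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH", score
    return "NO_MATCH", score


def payment_decision(entered_name, registered_name, payer_confirms=False):
    """Proceed silently on a match; otherwise alert the payer and proceed only
    if they explicitly confirm. The returned record can be kept as an audit entry."""
    outcome, score = check_payee(entered_name, registered_name)
    alert = outcome != "MATCH"
    return {
        "outcome": outcome,
        "score": round(score, 2),
        "alert": alert,
        "proceed": payer_confirms if alert else True,
    }
```

Keeping the decision record, including whether the payer overrode an alert, is what supports the paper trail Hanmer describes.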










