Download the PDF version

Unveiling the truth about modern scam campaigns


According to the PSR’s APP Report of 2023, fraud incidents in the UK are far more frequent than any other crime type. In particular, APP fraud represents one of the main threats in the banking industry, accounting for 40% of all fraud losses in 2023

The rise of technology, particularly AI, has changed the face of fraud. Fraudsters now employ sophisticated and personalised social engineering tactics to challenge traditional detection efforts. Modern scam campaigns have evolved far beyond the simple spoof call: they have become multi-faceted operations that exploit advanced technology and human psychology. 

Understanding how scams work, where they start, and how they are developed is crucial in preventing online banking fraud and safeguarding personal and financial information.

The evolution of scams: more than just a call

Gone are the days when a suspicious phone call was the primary scamming method. Today, scammers employ a combination of phishing, smishing, vishing, and other social engineering tactics to deceive unsuspecting victims. 

Scams can range from relatively basic, almost single-shot approaches to extremely sophisticated and persistent ones. Often, the attacker or threat actor (TA) responds to actions taken by individuals and organisations and progresses through a complex, multidimensional attack chain. 

The objective is still the same: stealing information to steal money in the fastest, cheapest possible way. And they do so by praying on the most vulnerable link in the chain: people. Our natural human tendencies and emotions, as well as the devices we use (e.g., our mobile devices) that sit outside the bank's perimeter defence, represent the quickest opening cybercriminals exploit to their own advantage to succeed. 

Why APP fraud is the ultimate scam 

Authorised Push Payment (APP) fraud has become synonymous with scams due to its reliance on deception and manipulation to convince victims to willingly transfer funds to criminals. 

This method, unlike traditional unauthorised transactions, exploits trust and often involves sophisticated impersonation and urgency tactics, making it a quintessential scam. The significant financial losses and increasing frequency of these incidents have cemented APP fraud's association with scamming activities. 

APP fraud has grown in recent years due to the increased real-time payment services available in online banking. Moreover, detecting it poses significant challenges due to its sophisticated tactics designed to evade traditional security measures.

But how does APP fraud work, and what can banks do to protect their customers? Learn more in our previous article, “How to fight APP fraud without affecting your online banking experience”.

How modern scams work

A fraudulent attack consists of a sequence of steps or actions known as the kill chain

Traditional scam scenario | Cleafy

When looking at an APP scam with social engineering as the main tactic, the chain is the following:

1—Threat actors make a call (vishing), impersonating someone who the victim is likely to trust. A common tactic is to pose as a bank fraud investigator or help desk agent.

2—They create a sense of urgency, for example, communicating that your account has been hacked and that you need to take specific action to resolve the problem. This action can either be transferring money or releasing sensitive information.

3— In the first case, the money is transferred to an account managed by the TA (a mule account that could be owned by a second victim or unweary contributor).

While these attacks are fast and cheap for TAs, today’s people are becoming more aware of scams, and fraud detection technologies are becoming more advanced, forcing cybercriminals to rethink their strategies. 

A report by CertFin, backed up by the UK’s National Cyber Security Centre, has stated that over 80% of fraud attacks include a hybrid of social and cyber elements. Social engineering is often only one piece of the puzzle. If we only focus on the social engineering piece, we might miss a lot of useful data.

Advanced scam scenaio | Cleafy

More complex kill chains, often employed when this basic set of tactics proves less effective because of the actions of individuals or organisations, look more like this:

1—Threat Actors conduct reconnaissance, which means purchasing data from the dark web, scraping data from social media, or collecting data via phishing.

2—They validate this data. Perhaps they’ve already verified bank customer data, or they might use bots and credential stuffing techniques (where they try to use stolen credentials to log in to a site or app and look for signals that the customer belongs to that institution).

3- They might conduct social engineering - but it isn’t just a phone call. This is a multi-channel campaign, launched from sophisticated tools, that enables the TA to cycle through techniques and pivot - vishing (payment), smishing, pretexting - with spoofed phone numbers or GenAI deep fakes. By using these techniques, they might not force a money transfer. Still, they steal additional credential information, request credential updates, or deploy malware through inadvertent clicks or app downloads from the official app stores.

4—They can then increase trust and legitimacy by manipulating the victim to transfer money, or they have control of credentials or remote access through malware.

You can imagine an attack of this type creates a lot more data. But only if you’re looking for it.

The challenges of traditional fraud management against modern scams

Traditional fraud management approaches have limited effectiveness against these more complex but growing frequency kill chains. The prevalence of—and growing nature of—fraud in banking and financial services is a testament to this fact. 

Actions are applied too late in the user journey, primarily at the point of transaction, where, in a world of increasingly instant payments, the fraud has come and gone before you know it. Businesses are left in an overly reactive position. The threat often happens well before this.

The common scenario is that if we only focus on the point of the transaction as the place where we determine the pattern and implement a course of mitigating actions, the damage has been done. As mentioned, by the time we’ve taken action, the TAs are pivoting and responding to evade and continue the attack. 

Moreover, traditional solutions often take a single-lens approach. They are siloed, maybe from different suppliers, and try to treat every problem the same way with the same detection capability or a rolled-up score-oriented approach.

This leads to stricter controls to minimise risk, but as a result, it impacts customer experience by flagging false positives, which also increases operational costs.

Lastly, the truth is that technology is enabling more sophisticated kill chains at lower costs and entry barriers. Think about the power of GenAI to enable the social engineering element of these actions to scale further, faster, and cheaper.  

GenAI can threaten and empower fraud management at the same time. Even though we always need to consider both sides, we prefer to stay positive and look at all the good things it can do in fraud prevention. An example? Read our latest article, “Empowering online banking fraud prevention with GenAI co-pilot”to find out.

How Cleafy’s proactive approach shields you against modern scams

Cleafy’s innovative approach and advanced technology protect banks and financial institutions from sophisticated, multi-layered scams. By integrating advanced cybersecurity and fraud prevention measures, Cleafy ensures these institutions can detect, respond to, and neutralise threats in real time without compromising the customer experience.

Cleafy's Fraud Extended Detection and Response (FxDR) platform provides end-to-end visibility across digital banking channels, analysing user behaviour, device activity, and transaction patterns to detect anomalies indicative of fraud. By correlating events across entities, Cleafy uncovers fraud patterns and enables swift response. Its real-time threat detection and automated rules engine ensure immediate action against threats such as account takeovers and malware attacks. 

Lastly, Cleafy’s Tailored Threat Intelligence delivers timely updates on emerging risks, while its dynamic risk assessment minimises both risk and customer friction by adapting responses to evolving threats. 

Conclusion: the truth about modern scam campaigns

Gone are the days of simple spoof calls; today’s scams are sophisticated, rapid, and scalable attacks employing multiple techniques exploiting vulnerabilities across the entire transaction lifecycle.

To mitigate these threats, banks and financial institutions must adopt advanced fraud solutions that offer real-time visibility across all vectors and integrate cyber and fraud data for proactive decision-making.

While technology advances rapidly, capable of great achievements and potential harm, at Cleafy our mission extends beyond transaction-point protection. Our state-of-the-art technology integrates cybersecurity and fraud management into a unified defence platform. This proactive strategy targets the fundamental tactics of all fraudsters, enabling earlier intervention and robust protection against known and emerging threats.

Book a demo with our experts today to discover how to elevate your online banking security to safeguard every digital interaction without sacrificing customer experience.

Read more articles