Why APP scams don’t look like fraud until it’s too late: Interview with Carmine Giangregorio

Published: 18/6/2025

Fraud might land in the fraud team’s queue, but the damage doesn’t start or stop there. What looks like a customer issue is often a security gap. What seems like a single event can signal something systemic.

By the time money moves, the real damage has often already been done. Yet too many organisations still treat fraud as a standalone issue, reacting to incidents as they arise instead of addressing the upstream signals.

The forward-looking institutions understand that effective fraud prevention requires a cyber-informed, cross-functional approach. They don’t just patch the wound after the fall; they spot the slippery floor before anyone steps on it.

A cyber approach to fraud prevention

Cleafy was built on a simple but powerful idea: fraud can be stopped, and even predicted, by understanding the cyber threats behind it. That belief brought together our three founders - Matteo Bogana, Nicoló Pastore, and Carmine Giangregorio - who, along with a growing team, set out to help banks protect customers from attacks that most security tools weren’t built to catch.

We spoke with Carmine Giangregorio, Co-founder and Product Manager at Cleafy, to talk about what fraud really looks like today, how APP scams became such a serious threat, and what banks need to change now.

In those early days, what were you seeing that others weren’t? Was fraud already changing, or were you just looking at it differently?

When we started Cleafy 11 years ago, we could already see online banking fraud changing, but few others seemed to be looking closely enough to notice. Most teams were focused on isolated events like flagged transactions or suspicious logins, while attackers were mimicking users, hijacking sessions, and slipping through unseen.

I am confident that we were the first to approach fraud prevention through a cyber lens, moving beyond the limits of traditional, event-based methods.  

We knew reacting to single signals wasn’t going to cut it. So we built a new model, one that tracked behaviour across the full session, not just the last step. That mindset shift became Cleafy’s foundation: tracking how fraud really happens, not just how it looks at the point of transaction. 

When did APP fraud first land on your radar? Do you remember what it looked like initially, and how banks were talking about it, if at all?

Early on, most attacks were browser-based and silent. Malware would sneak in and change a transfer recipient while the user was logged in. Fraud was technical, invisible, and triggered by scripts.

As we worked with banks, we noticed a shift. It wasn’t just about spotting malware anymore; it was about seeing everything: user behaviour, active sessions, login patterns, locations. That’s where fraud leaves its trail.

APP scams are just the latest form of that trail. They expose how attackers adapt and how fraud hides in plain sight. 

The word ‘scam’ gets thrown around a lot. But do you think that label sometimes hides what’s really happening?

I believe there is still a slight misunderstanding around the word ‘scam.’ It sounds vague, like something low-tech or amateur. But scams today are carefully staged, blending human manipulation with technical precision. It’s not one or the other. The scam is the setup; fraud is the result.  

Today’s fraudsters aren’t lone hackers; they’re teams. Organised, skilled, and running like operations. Some handle the tech. Others work the phones, impersonate officials, and pressure people into acting fast. It’s a production line: malware, scripts, and call-centre-style pressure. Organised crime with a human voice.

There’s been a lot of debate over who’s responsible when someone gets scammed. From your point of view, how should that responsibility be shared between platforms, banks, and users?

Responsibility depends on each country’s regulations. In Europe, users tend to have more protection—especially more vulnerable groups—but even then, reimbursements can take weeks or months. 

Ultimately, it’s shared. Banks are under pressure to stay ahead of increasingly complex threats and need access to meaningful, real-time data to do so. People need support and education to recognise when they’re being targeted. And companies like Cleafy have a responsibility to provide clear, reliable tools that help both sides stay protected. 

Trust is what connects it all, and what fraudsters work hardest to break.

APP scams don’t look like traditional fraud. So why do so many banks still rely on systems designed for unauthorised access?

Many APP fraud operations are completely indistinguishable from legitimate operations, especially when you only focus on the transaction itself.

Since it's the actual user operating in a 'safe' context, acting without malware, in the usual location, and with usual behaviour, the real challenge is understanding what led them to carry out that operation and fall victim to a scam (and therefore to fraud).

This means banks must shift from just checking transactions to analysing the entire user journey, spotting early warning signs before the fraud even happens.

What do you see happening in the near future regarding APP scams? Is this going to be a growing trend?

Scams have always been tough to spot, which is why they remain a serious concern in cybersecurity. They’re not the only source of fraud today, but they have become one of the most challenging to detect and prevent.

Fraudsters are already using artificial intelligence to produce deepfake audio or photos, making it easier to trick victims who might not recognise the threat.

Another emerging threat we have seen is the most recent development of NFC relay attacks, which exploit the communication between a payment card (or device) and a payment terminal to perpetrate contactless payment fraud. Even though this is still at an early stage today, we believe it will become an issue in the future. 

If you could change how banks and FIs think about fraud, what would you want them to understand? 

Over the last 12 years, one thing’s clear: fraud will happen, no matter what. Relying solely on transaction monitoring, 2FA, or biometrics won’t cut it anymore. Fraudsters have become smarter, so must we, by thinking very, very far in advance.

You can’t focus only on spotting attack signals at the payment stage. The key is to follow the whole user journey, catching the subtle signs that point to fraud long before money moves. 

Sometimes, what you miss is far more telling than what you catch.

And finally, if you had to pick one change banks could make today to stop fraud before money moves, what would it be?

Fighting fraud takes a broad, collaborative effort, pulling together data, analysis, and expertise from across the board. Risk scores alone won’t cut it; what’s needed is full cyber-intelligence.

APP scams highlight this perfectly. 

Since the user is making the final move, not the fraudster, without seeing the whole sequence of actions that led to that payment, it all looks legitimate. A wider view means spotting the warning signs earlier, stopping the fraud in real time and without impacting the user experience.

Conclusions

Fraud doesn’t stop at the transaction or with the fraud team. It’s a challenge that spreads across every part of the business. Banks that widen their view and work together will catch fraud earlier, protect their customers better, and stay a step ahead.
