The Scam Shield: Fortifying Against Fraud
A practical examination of consumer fraud risk, detection mechanisms, and the organisational structures that support effective fraud prevention in retail financial services.
Important note. This guide is provided for general information and educational purposes only. It does not constitute legal advice and is not a substitute for jurisdiction-specific professional counsel. The law and regulatory requirements in this area change frequently. Readers should satisfy themselves as to the current position and seek appropriate professional advice where needed.
Introduction
Fraud is the most commonly reported crime in England and Wales. It accounts for approximately 45% of all crime in the Crime Survey for England and Wales, with an estimated four million offences in the year ending September 2025. Around one in fourteen adults was a victim during that period.
The scale is striking. So is the human cost. A government survey found that 86% of fraud victims reported anger, 73% reported stress, and 63% reported anxiety. At the most severe end, 18% said they suffered depression and 3% reported suicidal thoughts. Financial loss is only part of what fraud does to people.
For organisations, the stakes are also significant. Fraud losses to the UK economy were estimated at more than £14 billion in 2023 to 2024. The regulatory landscape is shifting to hold organisations more directly accountable for the fraud their customers experience and, since September 2025, for the fraud their own people commit.
This guide is written for compliance professionals, fraud prevention teams, risk managers, and senior managers in financial services and other regulated sectors. It covers the main fraud types, the current legislative and regulatory framework, what effective organisational fraud prevention looks like in practice, and a practical implementation checklist.
It reflects the position as of May 2026, including the failure to prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023, which came into force on 1 September 2025, and the mandatory APP fraud reimbursement rules introduced in October 2024.
Understanding fraud today
Fraud has changed character over the last decade. What was once primarily a problem of stolen cards and forged cheques is now a problem of social engineering, identity exploitation, and large-scale digital deception. The mechanics of how fraud happens, how it is detected, and how it is responded to have all moved.
Three shifts matter most for anyone designing fraud prevention controls.
The first is that authorisation, not unauthorised access, is now where most loss occurs. Authorised push payment fraud, where a customer is deceived into making a payment they later regret, has overtaken card-based fraud as the largest category by value. Traditional controls designed to detect unauthorised activity are not well matched to this risk.
The second is the professionalisation of fraud. Criminal networks operate sophisticated operations spanning multiple jurisdictions, using professional-grade technology, call centres, and money mule networks to move stolen funds. The image of fraud as opportunistic crime by individuals is out of date.
The third is that internal fraud, committed by employees or others in positions of trust, remains a significant risk. The people best placed to commit fraud are often those with legitimate access to systems and information. Controls that work well against external fraud may be less effective against a trusted insider.
Fraud also increasingly blurs with other crimes. Money laundering is the mechanism by which fraud proceeds are cleaned. Cybercrime is the means by which many frauds are now enabled. Financial crime cannot be managed in silos.
The main fraud types
Understanding the main fraud types is essential for designing effective prevention and detection. Each type has distinct characteristics, exploits different vulnerabilities, and requires different countermeasures.
Authorised push payment fraud
Authorised push payment (APP) fraud is where a victim is deceived into voluntarily transferring money to an account controlled by a fraudster. It is the largest and fastest growing fraud category by value.
APP fraud takes many forms. Purchase scams involve victims paying for goods or services that never materialise, typically through social media marketplaces or fake websites. Investment scams offer unrealistically high returns to persuade victims to transfer funds into fraudulent schemes. Romance scams involve fraudsters building relationships online over months before requesting money. Impersonation scams involve fraudsters posing as banks, HMRC, the police, or other trusted organisations.
APP fraud is particularly damaging because the victim initiates the payment. Traditional card fraud controls, which focus on detecting unauthorised transactions, are less effective against a payment the customer has been convinced to make themselves.
Since October 2024, banks have been required to reimburse victims of in-scope APP fraud. In the scheme's first year, 88% of in-scope losses were reimbursed. The scheme has changed the financial incentives for fraud prevention across the industry.
Unauthorised card and payment fraud
Unauthorised fraud is where a payment is made without the genuine account holder's knowledge or consent. This includes card-not-present fraud, where stolen card details are used for online purchases; card-present fraud, including counterfeit cards and card-not-received fraud; and account takeover, where a fraudster gains access to a victim's account and makes payments or changes account details.
The shift towards chip and PIN for in-person transactions pushed card fraud increasingly online, where authentication is harder. Fraudsters obtain card details through phishing, data breaches, malware, and purchasing data from criminal marketplaces.
Identity fraud and identity theft
Identity fraud is the use of someone else's identity to obtain money, credit, goods, or services. Identity theft is the prior step, obtaining the personal information needed to commit the fraud.
Personal information is obtained through many routes: phishing emails and text messages, data breaches, social engineering, and the exploitation of publicly available information on social media. Once a fraudster has sufficient personal data, they can open accounts, take out credit, or take over existing accounts in the victim's name.
The consequences for victims can be long lasting. Fraudulently obtained credit can damage credit files and take significant time to resolve. Victims may find themselves pursued for debts they did not incur.
Phishing, smishing, and vishing
These are the three main techniques used to obtain personal information or deceive victims into taking action.
Phishing uses email. Messages appear to come from legitimate organisations such as banks, HMRC, or delivery companies, and direct recipients to fake websites where they enter login credentials or personal information.
Smishing uses text messages. The technique is particularly effective because recipients tend to trust text messages more than emails, and mobile devices offer less visual indication of suspicious content. Smishing volumes increased significantly following COVID-19 and have remained elevated.
Vishing uses telephone calls. Fraudsters pose as bank staff, police officers, or representatives of HMRC. They are often highly convincing, having researched the victim in advance or having access to partial account information that makes them appear credible. Vishing calls often create urgency, pressure the victim to act quickly, and discourage them from verifying by hanging up and calling back.
Investment fraud
Investment fraud encompasses a range of schemes designed to persuade victims to invest money in fraudulent or non-existent opportunities. Common types include clone firm fraud, where fraudsters impersonate legitimate FCA-regulated firms; cryptocurrency fraud, where fake platforms or trading schemes promise high returns; advance fee fraud, where victims pay upfront fees to release larger sums that never materialise; and Ponzi and pyramid schemes.
Investment fraud victims lose significant sums on average, often their savings. The emotional impact is severe, compounded by the sense that the victim should have known better. This shame often deters reporting.
Older adults are disproportionately targeted because they are more likely to have accumulated savings, may be less familiar with online fraud techniques, and are often isolated in ways that make them more receptive to contact from apparent financial advisers.
Business email compromise
Business email compromise (BEC) targets organisations rather than individuals. A fraudster compromises or spoofs an email account, typically that of a senior executive or a supplier, and uses it to instruct a finance team to make a payment to a new or changed bank account.
BEC is highly effective because the instruction appears to come from a trusted source, often arrives with some urgency or confidentiality attached, and exploits existing payment processes. Finance teams that process payments based on email instructions without verification by a separate channel are particularly vulnerable.
CEO fraud, a specific variant, involves fraudsters impersonating a chief executive and instructing a finance professional to make an urgent payment, often on a Friday afternoon when oversight may be lighter and reversal harder.
Cyber-enabled fraud
Many fraud types are now cyber-enabled, meaning they are facilitated by technology. Ransomware attacks, account takeover through credential stuffing, data breaches that supply fraudsters with personal information, and malware that intercepts banking credentials are all forms of cyber-enabled fraud.
The emergence of artificial intelligence has added new capabilities to fraudsters. AI-generated deepfakes can now convincingly replicate voices and faces, making vishing and video-based fraud significantly more effective. Agentic AI, which can autonomously carry out multi-step tasks, presents a potential future threat: the ability to automate and scale fraud operations in ways that were previously labour-intensive.
The legislative and regulatory framework
The Fraud Act 2006
The Fraud Act 2006 is the foundational piece of fraud legislation in England and Wales. Its three core offences cover fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position. It also covers participation in a fraudulent business and possession of articles for use in fraud.
The Act applies to individuals. Corporate liability for fraud has historically required the prosecution to prove that a senior individual with sufficient control of the company committed the offence, a high evidential bar that made corporate fraud prosecutions difficult.
The Economic Crime and Corporate Transparency Act 2023
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a major change to corporate fraud liability. The failure to prevent fraud offence, which came into force on 1 September 2025, makes large organisations criminally liable where a fraud offence is committed by an employee, agent, or other associated person for the organisation's benefit, and the organisation did not have reasonable fraud prevention procedures in place.
The offence is modelled on the corporate offence of failure to prevent bribery under the Bribery Act 2010, which has been effective in driving compliance investment. The logic is the same: rather than requiring prosecutors to prove that senior management knew about or directed the fraud, the organisation is liable unless it can demonstrate adequate prevention procedures.
The offence currently applies to large organisations, defined as those meeting at least two of the following criteria: more than 250 employees, more than £36 million annual turnover, or more than £18 million total assets. It does not apply to smaller organisations, though they may still face liability under other legislation.
The specified fraud offences covered include fraud by false representation, fraud by failing to disclose information, fraud by abuse of position, obtaining services dishonestly, participation in a fraudulent business, false accounting, false statements by company directors, and cheating the public revenue.
The defence is straightforward in principle: the organisation had reasonable fraud prevention procedures in place. The government has published guidance on what reasonable procedures look like, structured around six principles: top-level commitment, risk assessment, proportionate procedures, due diligence on associated persons, communication and training, and monitoring and review.
In force. The failure to prevent fraud offence is now in force. Large organisations that have not assessed their fraud risk and put reasonable prevention procedures in place are exposed to criminal liability.
APP fraud reimbursement
In October 2024, the Payment Systems Regulator (PSR) introduced mandatory reimbursement requirements for victims of APP fraud. Under the rules, payment service providers are required to reimburse victims of in-scope APP fraud up to a maximum of £85,000 per claim. Liability is split equally between the sending and receiving firm.
The mandatory reimbursement rules have changed the economics of fraud prevention for payment service providers. Where previously the financial loss fell primarily on the customer, the split liability model creates a direct financial incentive for firms on both sides of a transaction to invest in fraud detection and prevention.
The rules apply to Faster Payments and CHAPS transactions. International payments, cash transactions, and some other payment types fall outside the scope of the mandatory scheme. There is some early evidence that fraudsters are pivoting towards international payment routes to avoid the reimbursement obligation.
The Online Safety Act 2023
The Online Safety Act 2023 introduced duties on online platforms to prevent fraudulent content being served to users. Platforms are required to have systems to minimise the appearance of fraudulent advertising, to remove illegal content promptly, and to give users tools to protect themselves.
The Act is relevant to the fraud landscape because a significant proportion of APP fraud originates on online platforms. UK Finance data for the first half of 2025 shows that 66% of APP fraud cases began on online platforms. The Act creates at least some regulatory pressure on tech companies to take responsibility for their role in enabling fraud, though the debate about how much responsibility should fall on platforms compared to banks remains active.
The UK Fraud Strategy 2026 to 2029
In March 2026, the government published its Fraud Strategy covering the period 2026 to 2029. The strategy emphasises civil litigation as a fraud response tool alongside criminal prosecution, and commits £31 million to establishing an Online Crime Centre bringing together policing, intelligence, and private sector partners from financial services, telecoms, and technology.
The strategy signals a systemic approach to fraud: recognising that no single actor can address fraud in isolation and that effective prevention requires coordination across government, law enforcement, financial services, telecommunications, and technology platforms.
Other relevant legislation
Several other legislative frameworks are relevant to fraud prevention in a financial services context. The Proceeds of Crime Act 2002 requires reporting of suspicions of money laundering, and fraud proceeds that are laundered will engage those reporting obligations. The Financial Services and Markets Act and FCA rules impose conduct obligations that bear on how firms treat fraud victims and manage fraud risk. Data protection legislation governs how fraud-related data is processed and shared.
Organisational fraud prevention
The legislative changes of recent years, particularly the failure to prevent fraud offence, have raised the bar for what organisations must do. But effective fraud prevention is not just about satisfying a legal test. It is about protecting customers, employees, and the organisation itself from significant financial and reputational harm.
The six principles of reasonable fraud prevention
The government guidance on the failure to prevent fraud offence structures reasonable procedures around six principles. These provide a useful framework for any organisation building or reviewing its fraud prevention approach.
Top-level commitment. Fraud prevention must be led from the top. Senior management and the board need to take fraud risk seriously, allocate appropriate resources, and demonstrate through their own behaviour that fraud will not be tolerated. A culture where fraud prevention is treated as a compliance overhead rather than a genuine priority will not produce effective controls.
Risk assessment. Organisations need to assess the fraud risks they face. The assessment should cover the types of fraud most likely to affect the organisation, the products and services that create fraud exposure, the customer segments most at risk, the internal vulnerabilities that could be exploited, and the external threats the organisation faces. A fraud risk assessment is not a one-time exercise. It needs to be updated as the business changes, as new fraud typologies emerge, and as the threat environment evolves.
Proportionate procedures. Controls should be proportionate to the risks identified. Not every risk warrants the same response, and over-engineering controls in low-risk areas is inefficient and can harm legitimate customers. For fraud prevention, proportionality means applying stronger authentication and verification to higher-risk transactions, investing in monitoring that targets the fraud types most likely to affect the specific customer base, and not treating all customers as potential fraudsters.
Due diligence on associated persons. The failure to prevent fraud offence covers fraud committed by employees, agents, and others who perform services for the organisation. Organisations need to understand who falls into this category and apply appropriate due diligence.
Communication and training. Fraud prevention obligations need to be communicated clearly to staff, and relevant staff need training appropriate to their role and the fraud risks they may encounter. Generic training that does not reflect real-world fraud scenarios is unlikely to be effective.
Monitoring and review. The fraud prevention framework needs to be tested, monitored, and updated. Controls that worked when they were designed may have decayed. New fraud typologies require new responses. A static framework will not remain effective.
Confirmation of payee
Confirmation of payee (CoP) is a name-checking service that verifies whether the account name a payer enters matches the actual account holder. It addresses the most common deception used in APP fraud: customers being deceived into paying fraudulent accounts believing they were paying a legitimate payee.
CoP has been effective in reducing APP fraud on payments where it is applied. Its coverage has expanded over time, but gaps remain, particularly for international payments and some account types. It is a good example of a systemic intervention that makes fraud harder without making legitimate payments more difficult.
Friction and customer experience
Fraud prevention controls that add friction to legitimate transactions have a cost. Excessive friction frustrates customers, drives them to competitors, and can in extreme cases push vulnerable customers towards less secure alternatives.
The challenge is calibrating friction to risk. A first-time payment to a new payee for a large amount warrants more intervention than a repeat payment to a known payee. A transaction that matches known fraud patterns warrants a warning. A transaction that is entirely consistent with the customer's normal behaviour does not.
Good fraud prevention design is not about adding maximum friction everywhere. It is about applying the right friction at the right moment, in a way that stops genuine fraud while having minimal impact on legitimate customers.
Internal fraud controls
Internal fraud deserves explicit attention. The people best placed to commit fraud against an organisation are often those with the most access, the most knowledge, and the greatest trust. Effective internal fraud prevention requires controls that work even when the person being controlled is a trusted employee.
Segregation of duties prevents any individual from both initiating and approving a transaction. Authorisation limits ensure that large or unusual payments require sign-off from a second person. Access controls limit access to systems and data to what is genuinely needed for a role. Audit trails ensure that activity can be reviewed after the event.
Whistleblowing arrangements are important for internal fraud. Colleagues are often the first to notice that something is wrong. A clear, confidential route to report concerns, combined with genuine protection for those who use it, can surface concerns before they become significant losses.
Fraud in the customer journey
Different points in the customer journey carry different fraud risks, and controls should be designed accordingly.
Account opening is a high-risk point for identity fraud. Strong identity verification at this stage reduces the risk of fraudulently opened accounts being used for subsequent fraud.
High-value or unusual payments are a high-risk point for APP fraud and account takeover. Targeted interventions at this point, including warnings about common scams relevant to the type of payment, confirmation of payee checks, and cooling-off periods for suspicious transactions, can prevent losses without affecting routine payments.
Account changes, particularly changes to contact details, registered devices, or payee information, are a high-risk point for account takeover. Requiring re-authentication for these changes and monitoring for patterns of change followed by unusual payments is good practice.
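As an added example (not code from the guide or from any firm), the following Python sketches the risk-tiered friction described in the two sections above: a confirmation of payee result, first-time and unusually large payments, a contact-detail change followed by an unusual payment, and a scam-specific warning rather than a generic one. The thresholds, field names and warning wording are assumptions chosen for the illustration.

```python
"""Risk-tiered friction for an outbound payment. Added illustration of the guide's
argument, not code from the guide or any firm; thresholds, field names and warning
wording are assumptions chosen for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Assumed policy thresholds; a real firm derives these from its own risk assessment.
LARGE_PAYMENT_GBP = 1000.0  # absolute size above which a payment counts as large...
UNUSUAL_MULTIPLE = 3.0      # ...and at least this multiple of the customer's usual payment
RECENT_CHANGE_HOURS = 48    # a contact/device change this recent is an account-takeover indicator


class CopResult(Enum):
    """Outcome of the confirmation-of-payee name check."""
    MATCH = "match"
    CLOSE_MATCH = "close_match"
    NO_MATCH = "no_match"
    UNAVAILABLE = "unavailable"  # e.g. an international payee outside CoP coverage


class Intervention(Enum):
    """Friction tiers, ordered from none to most."""
    ALLOW = 0        # consistent with normal behaviour: no friction
    WARN = 1         # scam-specific warning the customer must acknowledge
    COOLING_OFF = 2  # warning plus delayed release so the customer can reflect
    HOLD = 3         # referred to a fraud analyst before release


@dataclass
class Payment:
    amount_gbp: float
    typical_amount_gbp: float  # this customer's usual payment size
    payee_is_new: bool
    cop_result: CopResult
    hours_since_contact_change: Optional[int] = None  # None: no recent change of details/device
    scam_flags: List[str] = field(default_factory=list)  # typologies the payment pattern matched


# Plain-language warnings specific to the scam type the payment pattern suggests (constructed wording).
SCAM_WARNINGS = {
    "investment": "Returns that sound too good to be true usually are. Check the firm on the FCA register before you pay.",
    "impersonation": "Your bank, HMRC and the police never ask you to move money to a 'safe account'. Hang up and call back on a number you trust.",
    "purchase": "A seller who insists on bank transfer may never deliver. Prefer a payment method with buyer protection.",
}
GENERIC_WARNING = "Are you sure you know who you are paying? A payment sent to the wrong account may not be recoverable."


def assess(p: Payment) -> Tuple[Intervention, List[str]]:
    """Decide how much friction this payment warrants and why."""
    reasons: List[str] = []
    tier = Intervention.ALLOW

    def escalate(level: Intervention, reason: str) -> None:
        nonlocal tier
        reasons.append(reason)
        tier = max(tier, level, key=lambda t: t.value)  # never lowers an existing tier

    unusual_size = (p.amount_gbp >= LARGE_PAYMENT_GBP
                    and p.amount_gbp >= UNUSUAL_MULTIPLE * p.typical_amount_gbp)

    # Confirmation of payee: the strongest single signal against a misdirected payment.
    if p.cop_result is CopResult.NO_MATCH:
        escalate(Intervention.HOLD if unusual_size else Intervention.COOLING_OFF,
                 "payee name does not match the account holder")
    elif p.cop_result is CopResult.CLOSE_MATCH:
        escalate(Intervention.WARN, "payee name only partially matches")
    elif p.cop_result is CopResult.UNAVAILABLE and p.payee_is_new:
        escalate(Intervention.WARN, "new payee with no name check available")

    # Friction scales with how far the payment departs from the customer's normal behaviour.
    if p.payee_is_new and unusual_size:
        escalate(Intervention.COOLING_OFF, "unusually large first payment to a new payee")
    elif p.payee_is_new:
        escalate(Intervention.WARN, "first payment to this payee")
    elif unusual_size:
        escalate(Intervention.WARN, "payment much larger than usual for this customer")

    # Account-takeover pattern: contact/device change shortly followed by an unusual payment.
    recent_change = (p.hours_since_contact_change is not None
                     and p.hours_since_contact_change <= RECENT_CHANGE_HOURS)
    if recent_change and (p.payee_is_new or unusual_size):
        escalate(Intervention.HOLD, "contact details changed recently, then an unusual payment")

    # Known scam typology: always at least a targeted warning.
    for flag in p.scam_flags:
        escalate(Intervention.WARN, f"matches known {flag} scam pattern")
    return tier, reasons


def warning_text(p: Payment) -> str:
    """Specific warning where a typology is known, generic fallback otherwise."""
    return next((SCAM_WARNINGS[f] for f in p.scam_flags if f in SCAM_WARNINGS), GENERIC_WARNING)
```

A routine repeat payment to a matched payee returns `ALLOW` with no reasons, so the customer sees no friction at all; each extra signal only ever raises the tier.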
Intelligence sharing
One of the most effective fraud prevention tools is intelligence sharing between organisations. Fraudsters move between firms, and information about fraud attempts, mule accounts, and fraud typologies held by one firm is valuable to others.
The ECCTA enhanced the legal framework for information sharing between organisations for fraud prevention purposes. Industry initiatives such as the CIFAS fraud prevention service, Scams Signal from telecoms providers, and the Authorised Push Payment scams data published by the PSR all contribute to a shared intelligence picture.
Effective fraud prevention increasingly requires collaboration across sectors. A scam that originates on a social media platform, is executed through a bank transfer, and where the proceeds are moved through a different bank cannot be addressed by any single organisation acting alone.
Fraud and vulnerable customers
Fraud does not affect all customers equally. Some groups are disproportionately targeted, and the impact on them is often more severe. Recognising this and building specific protections into fraud prevention frameworks is both a regulatory expectation and the right thing to do.
Why some customers are more vulnerable
Vulnerability to fraud is not simply about age or cognitive ability, though these can be factors. It arises from any circumstance that reduces a person's ability to protect themselves or increases their attractiveness as a target.
Older adults are disproportionately targeted for investment fraud and telephone-based scams. They are more likely to have accumulated savings, may be less familiar with online fraud techniques, and may be more isolated. Fraudsters specifically seek out these characteristics.
People in financial difficulty may be more susceptible to advance fee fraud and investment scams that promise quick financial relief. The urgency of their situation makes them less able to pause and verify before acting.
People experiencing mental health difficulties, cognitive decline, or the effects of bereavement may have reduced capacity to assess the credibility of a contact or resist pressure from a persistent fraudster.
People who are relatively new to digital banking may be less able to recognise the signs of phishing or account takeover attempts.
What organisations should do
The FCA's Consumer Duty, which came into force in 2023, requires firms to deliver good outcomes for all their customers, including those in vulnerable circumstances. This has direct implications for fraud prevention.
Organisations should train customer-facing staff to recognise indicators of financial exploitation, including customers who appear confused, distressed, or are being guided through a call by a third party in the background. Staff should feel empowered to ask questions, to slow down a transaction that feels wrong, and to escalate concerns through a clear internal process.
Safe call-back procedures, where a customer can call back on a number independently verified to be genuine, help protect customers who have been contacted by a fraudster posing as their bank.
Scam warnings presented at the point of a suspicious payment, written in plain language and specific to the type of fraud the payment pattern suggests, are effective in stopping some customers from proceeding with a fraudulent payment. Generic warnings that appear on every payment are less effective.
Customer education, through digital communications, statements, and targeted campaigns, helps build awareness of how fraud works and what genuine organisations will and will not ask for.
AI, technology, and the changing landscape
The technology landscape of fraud is changing rapidly. AI is being used for fraud prevention and is increasingly being used by fraudsters. Understanding both dimensions is essential for anyone responsible for fraud risk.
AI in fraud prevention
Machine learning models have become central to fraud detection in financial services. They identify patterns in transaction data that are inconsistent with normal behaviour, flag potential account takeovers, and score transactions for fraud risk in real time.
The advantage of machine learning over rules-based systems is adaptability. Rules become outdated as fraudsters change their methods. Models trained on current fraud patterns can adapt more quickly, though they require continuous retraining and quality assurance to remain effective.
Behavioural biometrics is an emerging area that monitors how a customer interacts with a device: their typing rhythm, touch pressure, mouse movements, and the angle at which they hold their phone. These signals are difficult for a fraudster to replicate and can identify account takeover attempts where the attacker has the correct credentials but does not behave like the genuine customer.
AI as a fraud enabler
AI is also lowering the cost and raising the quality of fraud attacks. AI-generated text makes phishing emails more convincing, removing the grammatical errors that were once a useful indicator of fraudulent communications. AI-generated voice clones can replicate the voice of a known individual with minimal source material, making vishing attacks more credible.
Deepfake video has been used in business email compromise attacks, with fraudsters using video calls featuring a synthetic rendering of a senior executive to convince finance teams to make payments. These attacks are currently relatively resource intensive but the technology is developing rapidly.
Agentic AI, which can carry out multi-step processes autonomously, represents a potential future threat: the ability to automate fraud at scale, from initial contact through to money movement, in ways that were previously limited by the cost of human labour.
Digital identity
Digital identity solutions are becoming more important in the fight against identity fraud. The UK government's work on a trusted digital identity framework, and the increasing availability of electronic verification services, offer the potential to make identity verification more robust and more convenient simultaneously.
Strong customer authentication requirements under the Payment Services Regulations require firms to use at least two independent authentication factors for online payments. This has been effective in reducing certain categories of fraud, though fraudsters have adapted by targeting the authentication process itself through social engineering.
Implementation checklist
The following checklist covers the core elements of an effective organisational fraud prevention framework. It is structured around the government's six principles for the failure to prevent fraud offence but goes beyond the minimum compliance question to cover what good fraud prevention actually looks like in practice.
Governance and top-level commitment
- Does the board receive regular reporting on fraud risk, fraud losses, and fraud prevention effectiveness?
- Is there a senior individual with clear accountability for fraud prevention?
- Is fraud prevention resourced adequately, including investment in technology and trained staff?
- Does the organisation's culture support raising fraud concerns without fear of negative consequences?
- Has the organisation assessed whether the failure to prevent fraud offence applies to it, and if so, taken steps to document its reasonable prevention procedures?
Fraud risk assessment
- Has the organisation conducted a documented fraud risk assessment covering internal and external fraud risks?
- Does the assessment cover all relevant fraud types, including APP fraud, identity fraud, internal fraud, and cyber-enabled fraud?
- Is the risk assessment reviewed and updated regularly, including when the business changes or new fraud typologies emerge?
- Do the controls in place reflect the risks identified in the assessment?
Customer due diligence and KYC
- Are identity verification processes at account opening adequate to detect identity fraud?
- Is electronic identity verification or biometric verification used where appropriate?
- Are account changes, particularly contact details and payee additions, subject to appropriate re-authentication?
- Is there ongoing monitoring of customer transaction patterns for indicators of fraud or account takeover?
Transaction monitoring and detection
- Is transaction monitoring in place that covers both rule-based and behavioural fraud indicators?
- Are alerts reviewed promptly and by staff with sufficient context to make good decisions?
- Is Confirmation of Payee in place for outbound payments?
- Are fraud-specific warnings displayed to customers at high-risk points in the payment journey?
- Are fraud monitoring systems updated regularly to reflect current fraud typologies?
Staff training and awareness
- Do all relevant staff receive training on fraud risks, fraud indicators, and the organisation's fraud prevention procedures?
- Are customer-facing staff trained to recognise indicators of financial exploitation and vulnerability?
- Is there a clear process for staff to escalate fraud concerns internally?
- Are staff trained on internal fraud risks as well as external fraud?
- Is training updated regularly and is completion recorded?
Customer communication and education
- Do customers receive clear communication about how the organisation will and will not contact them?
- Are fraud warnings presented at appropriate points in the customer journey, specific to the type of fraud relevant to the transaction?
- Is customer education provided through multiple channels and updated to reflect current fraud threats?
- Are vulnerable customers specifically considered in the design of fraud communications?
Internal controls
- Is segregation of duties in place for payment initiation and approval?
- Are authorisation limits set and monitored?
- Are access controls regularly reviewed to ensure staff have only the access needed for their role?
- Are audit trails maintained for significant actions on customer accounts?
- Is there a confidential whistleblowing route for reporting internal fraud concerns?
APP fraud reimbursement
- Does the organisation understand its obligations under the PSR mandatory reimbursement rules?
- Are processes in place to assess and process reimbursement claims promptly?
- Is the split liability framework understood and reflected in the organisation's approach to both sending and receiving fraud?
- Is the organisation monitoring whether fraudsters are using its accounts as receiving accounts and taking action where patterns are identified?
Monitoring, review, and improvement
- Are fraud controls tested regularly through internal audit or independent review?
- Are fraud outcomes analysed to identify emerging patterns and control weaknesses?
- Is intelligence shared with relevant industry bodies and law enforcement?
- Is the fraud prevention framework reviewed at least annually and updated where weaknesses or new threats are identified?
A final note
Fraud is not a static problem. The criminals who commit it are professional, adaptive, and well-resourced. The technology they use is developing faster than many organisations' controls. And the scale of the harm, financial, emotional, and social, is significant.
The regulatory landscape has shifted to hold organisations more directly accountable. The failure to prevent fraud offence, mandatory APP reimbursement, Consumer Duty, and the Online Safety Act together represent a clear signal from regulators and government: organisations are expected to be active participants in fraud prevention, not passive processors of transactions.
The organisations that respond well to that expectation are not those that build compliance frameworks designed to satisfy a legal test. They are the ones that genuinely understand the fraud risks their customers face, invest in controls that actually prevent harm, train their people to recognise and respond to fraud, and keep pace with an evolving threat.
Fraud prevention, done properly, protects customers, protects the organisation, and contributes to a financial system that people can trust.
Key takeaways
- Fraud has shifted from a primarily unauthorised problem to a primarily authorised one. APP fraud is now the largest category by value, and traditional controls are not well matched to it.
- The failure to prevent fraud offence under ECCTA is in force. Large organisations need a documented fraud risk assessment and reasonable prevention procedures, structured around the six principles, to defend a prosecution.
- The mandatory APP fraud reimbursement rules have changed the economics of fraud prevention. Both sending and receiving firms now have direct financial incentives to invest in detection.
- AI is now a tool for both fraud prevention and fraud commission. Deepfakes, voice clones, and synthetic identities are operational risks, not future ones.
- Effective fraud prevention is a system, not a control. It requires governance, risk assessment, proportionate procedures, training, monitoring, and ongoing review, with vulnerability and customer experience considered throughout.