Financial institutions have traditionally focused on mitigating unauthorised fraud. Inevitably, this led to a focus on authentication, authorisation, and transaction monitoring.
Whilst unauthorised fraud has not yet been vanquished, the returns for criminals have diminished in recent years, forcing them to shift their focus toward manipulating customer emotions. Enter the social engineer, a skilled individual who, through deception, sets out to convince a person to act against their own interests.
Financial institutions have sought to address the social engineering challenge by shifting their focus from authentication and authorisation to the detection of risk in key digital banking customer journeys. That focus isn’t limited to new payees, but also addresses high-risk events, such as increasing payment limits and card-oriented functions, including payment approval, viewing card details, or PINs.
The latter card-related events are proving especially important, given the shifts seen in markets such as the UK, where authorised push payment (APP) losses remain static, whilst remote purchase fraud has surged by 22%.
Regulators have also acknowledged the need for friction, with the UK’s Payment Systems Regulator (PSR) outlining its expectations of payment service providers (PSPs) within the consumer standard of caution, an element of the recent regulation that mandates APP reimbursement.
The PSR has required PSPs to provide tailored and specific interventions (not generic boilerplate warnings) to consumers before an APP payment is executed. Furthermore, it states that such interventions must be directed and transaction-specific, making it clear that the intended recipient is likely a fraudster, not merely that the payment might be a scam.
These requirements also carry implications for what now constitutes gross negligence on the part of the consumer. Consumers who proceed despite a valid warning are not automatically grossly negligent. PSPs are required to consider factors such as the complexity of the scam, consumer vulnerability, or operational limitations before judging negligence.
Australia’s new Scams Prevention Framework (SPF) enacted similar requirements. Regulated entities, including banks, are required to take reasonable steps to prevent scams. As is the case with the PSR, this is interpreted to include the provision of consumer warnings, particularly to high-risk customers, and it introduces scope for holding or stopping payments in critical cases to enable intervention (e.g., telling the customer about a suspected scam).
The friction tightrope
Banks in Australia have put behaviour at the heart of their approach, removing friction in situations that appear low-risk, while upping the ante when there’s a risk of consumer detriment.
Crucially, the largest Australian banks have been able to leverage a consortium view of risk that considers risk in the payer's customer journey alongside any risks that might surround the destination account (payee).
National Australia Bank (NAB) has spoken openly about the success of behaviourally driven payment alerts, which enabled it to stop and recover almost $2 million a week of customers’ money in the six months between October of 2024 and March of 2025.
“In addition to the $48 million+ in stopped and recovered scam payments, customers have also abandoned more than $195m worth of payments in that same, six-month period, after receiving a real-time payment alert.” — Chris Sheehan, group investigations at National Australia Bank.
Returning to the UK, Santander UK has set out to address the highest-volume form of APP fraud: purchase scams. Santander UK deploys dynamic, transaction-specific warnings when customers attempt a bank transfer via online or mobile banking to purchase items on Facebook Marketplace.
These warnings feature a “Seen in person?” validation step, during which customers must confirm whether they have seen the item in person. If they choose “no,” the transfer is blocked, and the bank advises the accountholder to verify the item in person or use safer payment methods, such as PayPal or a card.
Between Dec. 5, 2023 and mid-May of 2024, Santander prevented approximately 1,899 customers from completing a Facebook Marketplace payment after they acknowledged they had yet to see the item in person.
During the same period:
- Customers made 45,427 attempted transfers to Facebook Marketplace recipients.
- In 35,588 instances, a customer saw the item in person, and the transaction proceeded.
- In 1,899 instances, the transaction was blocked.
- In 7,950 instances, the transaction was first blocked, but the customer then reversed their answer to proceed.
- In 240 instances of those reversals, the customer fell victim to a scam.
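The intervention logic described above, as an added illustrative model that is not code from BioCatch, NAB or Santander UK: it combines a payer-session score and a consortium-style destination score (both hypothetical, 0..1) with the “Seen in person?” step, returns a transaction-specific warning for each payment intent, and tallies outcomes over constructed sample intents, including the case where a blocked customer reverses their answer and proceeds. Thresholds and field names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Action(Enum):
    ALLOW = "allow"   # no friction
    WARN = "warn"     # transaction-specific warning; customer may proceed
    HOLD = "hold"     # payment held so the bank can speak to the customer first
    BLOCK = "block"   # payment not executed

@dataclass
class PaymentIntent:
    amount: float
    session_risk: float             # hypothetical behavioural score for the payer's session, 0..1
    payee_risk: float               # hypothetical consortium score for the destination account, 0..1
    marketplace_payee: bool         # transfer to a Facebook Marketplace seller
    seen_in_person: Optional[bool]  # answer to "Seen in person?"; None if not yet asked

def decide(p: PaymentIntent, session_threshold: float = 0.7, payee_threshold: float = 0.8) -> Tuple[Action, str]:
    """Return the intervention and a warning that names the specific risk, not a generic notice."""
    # Destination first: a likely mule account is held regardless of how normal the payer looks.
    if p.payee_risk >= payee_threshold:
        return Action.HOLD, "The account you are paying has been linked to scams at other banks. We have held this payment so we can speak to you first."
    # Purchase-scam journey: the "Seen in person?" step gates marketplace transfers.
    if p.marketplace_payee:
        if p.seen_in_person is None:
            return Action.WARN, "Seen in person? Confirm you have seen this item before you pay."
        if p.seen_in_person is False:
            return Action.BLOCK, "Transfer blocked. See the item in person first, or pay by card or PayPal instead."
    # Payer journey: unusual behaviour in the session earns a warning tied to this payment.
    if p.session_risk >= session_threshold:
        return Action.WARN, f"This {p.amount:.2f} transfer does not match how you normally bank. Is someone telling you what to do?"
    return Action.ALLOW, ""

def tally(intents: List[PaymentIntent]) -> Dict[str, int]:
    """Count outcomes so the alert rate (share of transactions given friction) can be tracked."""
    counts = {a.value: 0 for a in Action}
    for p in intents:
        counts[decide(p)[0].value] += 1
    return counts

# Constructed sample intents (not real data): low-risk transfer; marketplace payment seen in person; not yet asked; answered "no"; "no" reversed to "yes" in a risky session; high-risk destination.
SAMPLE = [
    PaymentIntent(40.0, 0.1, 0.1, False, None),
    PaymentIntent(250.0, 0.2, 0.1, True, True),
    PaymentIntent(250.0, 0.2, 0.1, True, None),
    PaymentIntent(250.0, 0.2, 0.1, True, False),
    PaymentIntent(250.0, 0.9, 0.1, True, True),
    PaymentIntent(5000.0, 0.1, 0.95, False, None),
]
```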
Aside from the benefit to customers, both financial institutions — NAB and Santander UK — have undoubtedly reduced the operational impact of scammers’ activities, removing the need for inbound and outbound contact with customers. This is especially true of payments that would have been blocked if the customer hadn’t unilaterally decided to abandon them.
The business case
The use of behaviour to identify if a customer is being scammed in real time is a no-brainer — both at the point of payment intent and post-authorisation. BioCatch’s Scams 360 solution helps financial institutions detect and prevent all types of scams, including those financial institutions have historically struggled to detect (romance, investment, purchase, business-email-compromise, etc.).
The solution monitors the entire digital session and not just isolated events, giving teams real-time visibility into risky behaviours before a payment is authorised, and empowering them to provide customers with warnings that are driven by real-time risk scores.
The solution works seamlessly across both web and mobile channels, ensuring consistent protection regardless of how customers choose to access their banking. Crucially, it does so with a best-in-class alert rate — the percentage of total transactions requiring banks to intervene — whilst significantly uplifting detection.
The friction tightrope requires that PSPs consider customer experience and the impact of friction on their operations. BioCatch Trust™ Australia, which encompasses all of Australia’s largest banks and now covers more than 85% of the country’s banked population, arguably simplifies the process of determining when to intervene, delay, or block a payment.
This takes me back to why we should care not just about the journey but also the destination. When validating the legitimacy of a transaction, Trust enables the sending institution to factor in the risk of the recipient account being operated by a money mule — the first time in history banks have gained this kind of visibility into receiving accounts at a competing institution.
The faster you go, the further ahead you must look
This forward-looking approach enables PSPs to extend their vision — a concept typically taught to advanced drivers, such as those in the emergency services. Instructors of such techniques will also place emphasis on the notion that the faster you go, the further ahead you must look.
There is a parallel with the world of payments. As faster payments become the norm in much of the world, there is undoubtedly a need to look further ahead.
Risk management that relies solely on transactional profiling or insights from a payment system is, to be candid, the equivalent of trying to drive while relying on only the rearview mirror.