The numbers are getting harder to ignore.
The FBI’s 2025 IC3 Annual Report found that business email compromise (BEC) losses reached $3.05 billion in the United States last year, up from $2.77 billion the year before. The Association for Financial Professionals’ 2026 Payments Fraud and Control Survey found that 76% of U.S. organizations experienced attempted or actual payments fraud in 2025, while 74% experienced BEC. Meanwhile, PwC’s Commercial Banking Fraud Survey, published in June 2025, found that every bank surveyed reported rising attack volumes targeting commercial clients, with one institution reporting a fivefold increase in just two years.
Retail banking gives fraud teams millions of transactions to learn from. Commercial banks, investment firms, and wealth managers don’t have that luxury. Their clients transact less frequently, but when they do, the stakes are significantly higher. A single compromised session can lead to catastrophic losses.
The challenge is that many of today’s most damaging attacks don't involve breaking through authentication controls at all. They happen after login, when fraudsters use social engineering, account compromise, remote access tools, and mule networks to manipulate legitimate users or operate from trusted accounts.
When I speak with fraud and digital leaders at commercial banks, investment firms, and wealth managers, I hear the same concern again and again: They're confident in what happens at login, but far less confident in what happens after. Once a session begins, visibility drops, even as the risk increases.
That's creating a growing gap in commercial fraud defenses. Closing it requires a different approach, one that continuously validates the user and identifies risk throughout the session, not just at the point of authentication.
The attack starts where authentication ends
What does that visibility gap look like in practice? In a recent conversation, a bank shared how fraudsters were using perfectly tailored social engineering scripts to convince customers to send money. The scripts were so effective and consistent that the same patterns were appearing across multiple banks at the same time, suggesting a highly organized operation. From a traditional fraud detection standpoint, these looked like legitimate customer-initiated payments: The customer authenticated successfully, initiated the payment, and completed the transactions themselves.
Scenarios like this help explain why I keep hearing the same requirement from banks building next-generation commercial platforms: continuous validation of the user after login. They need real-time behavioral analysis that extends beyond device checks and transaction monitoring, running from the moment a session begins through every click, navigation, and interaction.
PwC highlighted a challenge that will sound familiar to anyone working in commercial banking fraud: “Catch and release.” Payments are flagged as suspicious, customers are warned, yet the payments proceed anyway. One bank told PwC that seven in 10 flagged payments were ultimately released by customers and later confirmed as fraudulent.
This is what happens when friction lacks precision. When every alert feels the same, customers stop paying attention. They approve payments because they've been warned too many times about legitimate ones. In many cases, they're also convinced they're sending money to a trusted recipient. The bank issues a warning, but without the context or evidence needed to change the customer's mind. The result is a critical intervention point with too little substance behind it.
Behavioral intelligence changes that equation. By identifying signals associated with coaching, cognitive stress, or interaction patterns that don't match the legitimate user, banks gain stronger evidence to support an intervention. That allows them to challenge, delay, or deny high-risk activity with greater confidence and accuracy.
What I'm seeing succeed is a fundamentally different approach: friction driven by actual behavioral risk and not blanket controls. When an intervention is triggered by meaningful signals rather than broad rules, it carries weight. Customers take it seriously because it doesn't happen every time. That's the difference between blunt friction and intelligent friction.
What behavioral intelligence actually sees
Across these attack types, credentials and devices often appear consistent with a user’s established history. Behavior is what tells the real story, and that’s where deep behavioral intelligence comes in.
Within the session itself, behavioral intelligence can detect social engineering indicators such as cognitive stress, coached navigation, VoIP call presence, and hesitation patterns. It can catch impersonation through mismatches in typing cadence, mouse dynamics, and interaction sequences that don’t align with the real account holder. It can reveal remote access through straight-line touch paths, zero finger pressure on mobile, keystroke latency, and screen-sharing applications. And it can flag session environment manipulation, including developer tools activation, screen size anomalies, and abnormal page rendering.
None of these signals depend on transaction history. They come from the session itself. Critically, they work in high-value, low-volume banking environments where users transact infrequently, access patterns vary, and multiple people may operate under shared workflows.
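As an added illustration (not code from the original article or from any vendor product), the sketch below scores two of the remote-access signals named above, straight-line touch paths and zero finger pressure, over constructed touch samples. The thresholds, function names, and sample data are assumptions chosen for the example.

```python
import math

# Thresholds are assumptions for illustration, not calibrated production values.
STRAIGHTNESS_MIN = 0.995   # chord/path ratio at or above this counts as straight-line
ZERO_PRESSURE_MIN = 0.9    # share of samples reporting pressure == 0
MIN_SAMPLES = 5            # ignore taps and very short gestures


def straightness(stroke):
    """Chord length divided by travelled length; 1.0 is a perfectly straight path."""
    travelled = sum(math.dist(a[:2], b[:2]) for a, b in zip(stroke, stroke[1:]))
    if travelled == 0:
        return None  # stationary tap: no path to judge
    return math.dist(stroke[0][:2], stroke[-1][:2]) / travelled


def remote_access_indicators(strokes):
    """Return the indicator names raised by one session's touch strokes.

    Each stroke is a list of (x, y, pressure) samples.
    """
    usable = [s for s in strokes if len(s) >= MIN_SAMPLES]
    if not usable:
        return []
    ratios = [r for r in map(straightness, usable) if r is not None]
    samples = [p for s in usable for p in s]
    indicators = []
    # Human swipes curve and wobble; injected pointer events tend to be ruler-straight.
    if ratios and all(r >= STRAIGHTNESS_MIN for r in ratios):
        indicators.append("straight_line_touch_paths")
    # A real finger on a touchscreen normally reports non-zero pressure.
    if sum(1 for _, _, pr in samples if pr == 0) / len(samples) >= ZERO_PRESSURE_MIN:
        indicators.append("zero_finger_pressure")
    return indicators


# Constructed sample sessions (not real telemetry).
HUMAN = [
    [(10, 10, 0.41), (14, 19, 0.48), (21, 25, 0.52), (33, 28, 0.50), (48, 27, 0.44), (60, 22, 0.30)],
    [(100, 300, 0.35), (103, 280, 0.47), (110, 262, 0.55), (121, 249, 0.51), (135, 243, 0.38)],
]
INJECTED = [
    [(10, 10, 0.0), (20, 20, 0.0), (30, 30, 0.0), (40, 40, 0.0), (50, 50, 0.0)],
    [(200, 100, 0.0), (200, 140, 0.0), (200, 180, 0.0), (200, 220, 0.0), (200, 260, 0.0)],
]

if __name__ == "__main__":
    print("human:", remote_access_indicators(HUMAN))
    print("injected:", remote_access_indicators(INJECTED))
```

Neither indicator is conclusive on its own; in the layered model the article describes, they would feed a session risk score alongside device and behavioral signals.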
The threat doesn’t stop at account takeover
The same visibility gap that enables account takeover and social engineering is also creating opportunities for fraudsters to exploit business accounts in other ways. Among small and midsize business accounts, banks are facing a growing mule account problem alongside rising scams, credential harvesting through phishing sites, and one-time passcode (OTP) vishing attacks. Mule networks are particularly difficult to detect because they blend into legitimate business activity. These accounts often show regular payment activity, multiple counterparties, and high transaction diversity. Traditional transaction monitoring can struggle to distinguish a mule account from a busy small business.
Multiple major banks are actively deploying behavioral intelligence models to address this challenge, and the issue continues to surface in conversations across the industry.
Commercial banking presents its own set of risks. Dual-approval workflows, where one user initiates a payment and a second approves it in a separate session, are being targeted. Fraudsters compromise the initiator's account, then socially engineer the approver into releasing the payment. In some cases, a single user may have access to both initiate and approve transactions. Administrative accounts, which control user access levels, have also become high-value targets because compromising one can unlock both roles.
Behavioral intelligence provides an additional layer of protection by identifying when an initiator, approver, or administrator account is being operated by someone other than the legitimate user. It helps close gaps that workflow controls alone cannot address.
A decade of seeing what others miss
We've spent more than ten years in this space, analyzing billions of sessions across the global banking ecosystem. That depth gives us something most fraud tools don't have: a clear picture of both what genuine behavior looks like and what fraud looks like, at massive scale and at the deepest level of session intelligence on the market today.
That behavioral intelligence becomes even more powerful when combined with strong device intelligence. Together, they provide a layered view of risk that spans the entire session, from the device being used to the behavior unfolding behind it.
The institutions that close this visibility gap first will be the ones that protect their clients without slowing them down. They'll be better positioned to reduce losses, strengthen trust, and grow their business in an increasingly hostile threat environment.
Every tool in a fraudster's arsenal can be bought, stolen, or copied. But genuine behavior can't be faked, and that's where intent reveals itself.
—
Key takeaways:
- Fraud losses and attack volumes continue to rise. BEC, payments fraud, and attacks targeting commercial clients are increasing across the financial services industry.
- The biggest risk often begins after authentication. Many modern attacks involve legitimate users logging in and initiating transactions under the influence of social engineering, making them difficult for traditional fraud controls to detect.
- Continuous session monitoring is becoming a requirement. Financial institutions need visibility into what happens after login and not just at the point of authentication.
- Behavior reveals what credentials cannot. Signals such as cognitive stress, coached navigation, unusual interaction patterns, remote access indicators, and session manipulation provide insight into user intent and account misuse.
- Behavioral intelligence enables smarter interventions. By delivering stronger evidence of risk, it helps institutions apply targeted friction, reduce false positives, and better protect customers without slowing business operations.
Resources:
- FBI’s Internet Crime Complaint Center: 2025 IC3 Annual Report
- The Association for Financial Professionals: 2026 AFP Payments Fraud and Control Survey Report
- PwC: Commercial Banking Fraud Survey
- Solution: Social Engineering Scam Detection
- Blog: The value of precision in combating account takeover
- Blog: What is behavioral intelligence?