TRANSCRIPT
Key takeaways:
Everything, everywhere, all at once: The first fraud trend for 2025 is that banks and credit unions should expect bad actors to be coming at all of their products all the time. This “flood the zone” approach is being driven largely by technology that enables fraudsters to efficiently attack institutions at scale across a wide front.
Overwhelming regulators as a strategy: Not only are fraudsters attacking institutions, they are also going on the offensive with government regulators. They are flooding FIs with fake dispute reports and agencies with false complaints as a way to divert attention and resources away from fighting fraud.
Temptations to dial back spending: The new administration has clearly signaled that it plans to wield a lighter regulatory hand than its predecessor. Should this turn out to be true, Jim Houlihan urges banking institutions to resist the urge to greatly roll back fraud prevention initiatives.
BAI: I’ve got Jim Houlihan, partner and principal consultant at Paladin Fraud. Jim, it’s the start of a new year. It’s a good time to look at trends in order to get an idea about the challenges that fraud fighters might expect to see ahead. If I asked you to name three big challenges that banks should be paying attention to in 2025, what would you say? What are the big three?
Jim Houlihan: Well, first and foremost, thanks for having me. As far as the three big challenges go, this one will be pretty wide open, which is everything’s in play. We’re seeing a lot of the oldies but goodies come back, if you will: check theft, washing payees, deposits occurring. Fraudsters are being brazen, not even just with the banks or the entities that we are working with or we’ve been in contact with around filing fraud disputes when it’s not fraud and really manipulating the regulators to some extent by filing false claims that then create chaos within each one of those institutions.
And then I think the interesting one’s going to be what I’ll call the re-administration. Going from what I have seen and heard as a very heavy handed regulatory administration, listen, some of this is institutions putting it on themselves, but I also feel like that they’ve gotten burned so they’ve pushed really heavy on some institutions from a regulatory perspective. And I believe that is going to change, the heavy-handedness if you will.
The fact that every methodology really is in play — what do you mean by that?
So generally what we’ve seen both in my past life running fraud shops and then now as consultants in the fraud space, the fraudsters are attacking every product type, every vertical within the respective entities that they’re attacking. It could be credit cards, it could be loans, checking, savings, lines of credit, they’re going after customers, and so everything’s at play.
Check fraud kind of started creeping up again right around COVID time, but we’ve really seen it accelerate. I mean, this goes back 20 years when I was doing financial fraud investigations kind of out of the gate 25, 30 years ago, where they’re literally stealing physical checks. And yes, there are a lot of entities that still issue physical checks. Stealing them, washing them, depositing them, whether it’s remote deposits or ATM deposits, et cetera. We’re seeing them take those checks and then turn them into counterfeit checks, endorsing them and depositing them. And if one of the institutions isn’t aware, then obviously that’s cash.
I think one of the things I always like to say is that fraudsters will need to get it right one out of 100 or one out of 1,000 times, depending on the size of what they’re trying to get at. And that really, really makes them be successful. They are a business, they run a budget, all the rest of that.
I think the other component of this is, like I said, because of technology, the ability to scale. They don’t need as many people. They don’t need as many fingertips. They’re able to kind of fly through these processes much faster and just keep accelerating their levels of attack. And if they find one hole, they’re just going to continue to exploit that hole and jump into other areas within certain institutions, whether they’re just bombarding that specific institution or they’re using the same vector across multiple institutions and then flipping around. We’re really seeing it just be, old Marine Corps phrase, “Katie, bar the door.”
Is it that a volume approach, or what really is driving that broad attack approach?
I think there’s two things. It’s scalability. They can large-scale attack as they get more technically proficient and efficient. Some of the technology is a little expensive for them. They do operate like any other business – they’re looking at profit margins. How much money can they make? If they get away with a million, a million and a half dollars from one instance they’ve got enough money now to fund probably multiple scale attacks and go after multiple verticals electronically, systemically.
I mean, we’re in a digital age. I know I mentioned paper checks, and I think that’s part of the issue is that there’s been some relaxed defenses around some of what we’ll call these old rudimentary, call it payment method types, transaction types, that institutions are trying to keep up with the technology that the fraudsters have. And so again, if they can make a ton of money in one transaction, they can multiply that across multiple ecosystems, if you will, multiple verticals, multiple institutions at the same time.
And the other thing we’ve seen is some institutions scale back their fraud departments. Many of the people I know in the space either had to downsize their departments or got riffed and had to find new jobs over the last couple of years due to the economic situation and the fraudsters know that. So I think it’s timing and economies of scale.
I think it’s so smart to sort of set this up as the fraudsters are almost competitors, that this really is business versus business. You have to think about it this way if you’re going to fight this fight the right way. So operating costs are getting cheaper for the fraudsters, as you mentioned, which puts more pressure on the banks and the credit unions, drives up their costs to play defense. So some thoughts there, please.
I think from the defense perspective, as I’ll call it, it’s become expensive to manage and mitigate. If you go back to, like I said, the last year or two down-scaling the actual departments and the bodies and the operational expense for an FTE versus let’s try and scale with some level of tech. I think a lot of entities are years behind where the fraudsters are from an evolutionary perspective, and now you’re trying to play, my old boss would say whack-a-mole. You’re trying to hit the nail on the head, plug the hole in the dam when you know there’s multiple cracks or multiple holes popping up.
It just becomes, again, an economy of scale and trying to keep up with what the fraudsters are doing from an attack vector perspective. AI from a defense perspective is great, but it’s also as good as there’s some human input into it and sizing your operation the right way and managing the scale of costs.
So you mentioned AI there, so there’s obviously a technology budget consideration, but there is a people and training budget consideration there too, operational consideration there too. So the front here, the front that banks are defending is getting wider. So what advice do you have on defending that front?
Yeah, I think it comes down to you’ve really got to… One of the things we see is a lot of institutions, they don’t tend to share much with their vendor partners. And I think that becomes an issue because the vendors specialize in their technology for one.
Two, it’s sharing information. And the troublesome thing we’ve had for right, wrong, or indifferent reasons is the ability to share information across institutions from a true consortium perspective, I’m not talking about vague email addresses and IP addresses and things like that. I’m talking about more detailed information and the privacy issues that come with that. And that’s a delicate balance as well. So those pieces really need to come together to be able to fight harder and stronger.
The operational component, if you think of an FTE and fully banked with all the benefits that come along with that versus technology, it becomes a really delicate balancing act. Every institution that we work with, that we see, everyone’s about acquiring new accounts, that is what grows a business because then you get a lifetime value out of that. It really comes down to how are you succinctly getting good accounts on the books and subsequent transaction activity and then really monitoring that customer life cycle. You got to get it right out of the gate. You’ve got to know who you’re dealing with from a foundational perspective through the life cycle of those transactions.
All right, back to that list at the top, those three things. Let’s hit the second one. The second big challenge, that growing brazenness of the fraudsters. Tell us more about that. There are some bold operators here. Let’s get into that.
Yeah, I mean we’ve seen things where they’ve overflooded dispute departments with disputes, whether it’s accounts that they’ve set up lying in wait. Whether they’ve taken over accounts, they’ll file fraud disputes with the fraud department in tens of dozens or hundreds of disputes to overflood a dispute department, which then sends them into an operational frenzy. That’s the first thing we’ve seen them doing is really to take the eye off the ball of what’s really going on at the core. So they can kind of cause a diversion, if you will, and then do the end around. Maybe the old Trojan horse going back to the old Roman days.
And then the second thing we’re really seeing with them is there’s a lot of sensitivity from a regulatory perspective around customers being able to have access to their funds, transact immediately, all of those components. So you’ll see them filing complaints with like the CFPB, et cetera, which then causes them to come back down on top of the institution, which causes more churn internally at the institution around “We can’t keep saying no to our customers” when in fact they’re really fraudsters you’re saying no to. That’s really escalated over the last couple of years, especially from a COVID perspective, how much it’s carried through the environment of we’re really worried about telling a good customer no.
And listen, as a fraud guy, I get paid to be pessimistic at the end of the day. The flip side of that is I also know I need to help clients, and institutions need to be focused on getting as many new customers in the door transaction activity because it’s a business as well. This is a really delicate balancing act, and the fraudsters know this, and so they’re using that to their advantage.
We’re going to get into the regulation piece a little bit more, but they’re kind of related here because this boldness to actually kind of tap almost complaint vulnerabilities and create churn. What does that tell you about the future of the fraud fight that the regulators themselves are being targeted because we could have regulatory churn here, leadership change, policy change. Is this an argument for more of a consortium approach? And earlier we did talk about the power of consortium approach, so there’s almost like a thread here in a way, right? So what do you think about that?
Yeah, I mean I think we’re seeing it a little bit. There’s a couple of vendors in the space, we know a lot of the vendors, but a couple of the vendors who are really pushing hard to work, I’ll just use the terms, Capitol Hill-wise. Trying to get some level of momentum, if you will, towards that. Creating consortiums, trying to put together data, figure out the best way to kind of create this environment that can be more beneficial from a fraud prevention perspective.
I think from a regulatory perspective, what you’ve seen is a pretty tough world from a regulatory perspective on top of institutions over the last couple of years in particular. A lot of people can say that’s administrative-based, based on the now outgoing administration. That could be part of it.
And I believe you’re going to see that tone down a little bit with the change in administration. I think that tone down is going to occur to some extent because of maybe, I don’t know if overreach is the right term, but it’s definitely kind of this pushback for things that have happened over the last couple of years in certain environments.
Well, great segue. Let’s move into that third area. You started to talk there a little bit. It’s great. There’s a new administration about to come in – regulatory light, one could assume. Larger banks impacted for sure, but banking writ large could be impacted. Give us just an overview on that. I know it’s early days, always hard to predict, but when it comes to fraud, what’s the lay of the land? As much as you can.
Well, let me make this comment first. I mean, if you think, look at the outgoing administration, very, very heavy-handed from a crypto regulation perspective, very heavy-handed. And the SEC chair is essentially resigning before the new administration gets in the office. And now the new administration is saying they’re going to be very crypto-friendly.
My thought process is, and why I listed it here is, is if that occurs then, there’s this natural reaction from institutions to say, okay, we can pull back a little bit on the levers and the regulatory pieces that are important to stay on top of, to fight fraud, to fight money laundering, to not allow this to occur.
And I would just say, “Hey, be cautious of that” because you could really open yourself up to a lot of financial problems. Put the regulatory piece aside. The regulatory piece is massive at the end of the day as far as what they can and can’t do. It’s just if you pull back because there’s less of a heavy hand, you are asking for it financially to start. And then from there, it’s a trail of, oh, “we allowed all of this to happen. We were facilitators within these transactions and in this environment,” now they’ll come back down on top of you.
So if I’m hearing you correctly, you’re saying it still is prudent to devote operational spending toward the fraud fight, even if Washington isn’t mandating it. That stops and starts in this area are expensive too, right? To take technology so far and then pause or pull back, plus losses are expensive. Just walk us through that sort of spending mandate and what you as a consultant, keeping it down the middle, there’s no political motivation necessarily for you, so you’re just helping banks make the most of this spend and protect themselves, right?
What we always do with our clients and the way we operate, consult is looking at it from an ROI perspective. Again, it comes down to you have to look at what I call it, a global fraud attack. So how much fraud are you preventing? How much fraud are you losing? Put those two pieces together to say this is exactly how big the attack is. And is that prevention being done by technology or people or processes?
Similarly, you want to look at your losses the same way. And really that feeds back to the front side. And what I mean by that is we call it defect analysis. So taking a look at how are you getting beat and plugging those holes per se, but doing it at a more scalable size without impacting good customers. And there’s a delicate balance there, again, because the ROI piece. And you have to take all those pieces into consideration: total fraud prevented, total lost, how many customers are you impacting at the end of the day potentially, and where’s that balancing act?
It’s interesting. A long time ago I was running a fraud shop and we had our fraud losses in a really great spot. Our BPS was super low, our dollars was super low, and the person that I reported up through said, “What are you going to do to get that number down?” And my response was, “how many good customers do you want me to kill to get there? I can get you to zero, but you’re not going to have a customer base.” So I think you’re also going to have a somewhat measurable, again, ROI based measurable amount of losses that you know can take on because you’re getting your good customers through and the ROI and the long-term benefit of dealing with those customers could be very substantial.
So I think it’s really, again, that balancing act in a true ROI measurement, which we’ve seen some struggles with across. It’s kind of more this yin and yang, if you will, or this up and down from a valley perspective, being reactive and then going, okay, let’s pull everything back, or coming at it with a sledgehammer where you really got to take that measured approach data and ROI driven.
Well, a lot of what we have been talking about is, as you say, it’s reactive. Fraudster makes a move, bank responds, regulator responds, bank adjusts, et cetera, over and over. Is that simply the nature of the beast, action-reaction? Or can banking institutions really be more proactive in addressing their fraud risks in 2025?
Absolutely can be more proactive. The other analogy I use is you have car insurance. Do you have a $250 deductible or do you have $1,000 deductible? As long as you’re not in a car accident, you’re great that your deductible is $1,000 because you’re paying a lot less for it on a monthly basis. Soon as you get in that first accident and you get a bill for 5 or $10,000, you are writing a check for $1,000. Then it’s, “Oh my gosh, now I got to write this check. Why didn’t I have better insurance coverage?”
I use that analogy a lot to say to institutions, as we talk to them, friends of the family that we partner with, you got to take a proactive approach in looking at “Where are my areas of risk?” Where are the gaps in my processes? Do we have the right things in place? Are we A/B testing our vendors periodically just to make sure? Are we staying in touch with our vendors, communicating them with the issues that we’re seeing so they can help us develop better models, better AI, like we talked about earlier, rule sets, if we’re using rule sets, processes, et cetera? Staying proactive, that’s where you go, “Hey, I’m okay with spending a little bit more and maybe my deductible is $500 instead of $1,000.” Really thinking that through and staying proactive reduces the reaction and what I’ll call overreaction both ways.
Jim Houlihan from Paladin Fraud, thanks so much for the time today. Key, key topic. Top of mind for our industry and really valuable to grab some time with you. Thank you.
I appreciate it. Thanks again. This has been great.