The Other Side of Layered Defense
At my last company, every month we were required to watch a 1-3 minute video about fraud. Each video featured an actor portraying a real-world victim, walking through how the scam unfolded. The victims were intelligent and reasonable, the scenarios were convincing, and nearly every time, I learned about a new fraud pattern. These videos complemented mandatory security training, and they were effective. Everyone I know who works at a company experiences some version of this ongoing fraud education.
And yet, fraud continues to rise.
A recent TransUnion study estimated that U.S. companies lost roughly 10% of equivalent revenue to fraud last year, up 46% from the year prior. The most common targets of fraud are financial institutions, and data from the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) shows that Account Takeover (ATO) is the most common and fastest-growing type of financial fraud in the United States, with three times as many reports now as there were five years ago. Not far behind is Authorized Push Payment (APP) fraud, where social engineering tactics are used to convince an account holder to unknowingly perpetrate fraud. Check Fraud, Credit Card Fraud, and many other types of fraud are also elevated or increasing.
If companies invest heavily in training their employees, why are we still seeing such dramatic increases in so many areas?
The answer may not be that education doesn’t work; it may be that we are only educating one side of the system.
Data from the Federal Trade Commission shows that the age groups most frequently victimized by fraud are those under 19 and those over 80. Meanwhile, adults between 19 and 80 — the population most likely to be employed and regularly exposed to mandatory fraud training — account for a significantly smaller percentage of reported victims relative to their share of the population.
Correlation does not prove causation. But it does raise an important question: does repeated exposure to fraud education materially improve resilience?
If so, why aren’t financial institutions treating customer education as a core fraud control layer?
For years, banks have invested heavily in backend protection. Nearly every institution now deploys AI-driven anomaly detection at the transaction level. “Layered defense” has become the standard model: financial institutions are encouraged to combine behavioral analytics, multi-factor authentication, device intelligence, identity verification, and real-time risk scoring to prevent and mitigate fraud.
These systems are all necessary.
But they are not sufficient.
Fraudsters study the controls institutions put in place. When one pathway closes, they pivot. Increasingly, they bypass technical defenses entirely by manipulating human behavior.
A recent scam I observed illustrates this evolution. A fraudster partnered with an online retailer selling low-quality goods. At checkout, a PayPal account was created without the buyer realizing it. Days later, the victim received an email impersonating PayPal, instructing them to transfer funds from PayPal to their bank account. The link they clicked installed malware that captured their bank credentials. The attacker then transferred a large amount from the victim’s savings account to the victim’s checking account, knowing that, as an internal transfer, this transaction wouldn’t be flagged as high risk. The amount of the transfer was exactly three decimal places off from the amount the victim thought they had transferred from PayPal to their bank account.
By the time the fraudster called, posing as a customer service representative, the groundwork was complete. The victim was convinced they had made an error and needed to “correct” it.
This was not a failure of anomaly detection. It was a behavioral manipulation layered on top of technical sophistication.
Ironically, the individual’s banking application included scam alerts about this exact type of fraud.
But the warnings were buried in a secondary menu, competing visually with colorful credit score graphics and other features designed to attract engagement.
We have built robust internal defenses.
We have not built equally robust customer-facing education systems.
What if financial institutions treated fraud education the way most companies treat employee training?
What if new customers were introduced to current scam patterns upon account opening? What if high-risk behavioral signals triggered targeted educational prompts, not just additional authentication? What if education itself became adaptive — informed by the same risk engines that power transaction monitoring?
Fraud prevention has long been framed as a technology problem.
Increasingly, it is a behavioral design challenge.
Banks cannot force customers to watch training videos before accessing their money. But they can design experiences that elevate visibility of real threats. They can integrate timely education into digital workflows. They can make risk awareness as prominent as credit scores and promotional offers.
The next evolution in fraud prevention will not come solely from adding more invisible layers in the backend. It will come from designing experiences that make customers more resilient, not just more authenticated. Technology alone cannot outpace fraud. Institutions that treat customer awareness as a core defense layer — not an afterthought — will define the next generation of trust in financial services.