How Banks Can Fight ‘Under the Radar’ Customer Fraud
Fraud committed by customers who exploit glitches or inefficiencies in the banking system is becoming a significant driver of first-party losses. A layered approach that combines technological capabilities with industry sharing efforts is the most effective way to fight it, analysts say.
By Suman Bhattacharyya, Reporter at The Financial Brand
Last summer, a series of fraudulent transactions at JPMorgan Chase were linked to a scheme where customers deposited bad checks and immediately withdrew the provisional credit before the checks inevitably bounced.
Called the "infinite money glitch," the scam was amplified on TikTok as users exploited a vulnerability where provisional funds credited to customers were much higher than the typical $225 available upon deposit — sometimes tens of thousands of dollars or more. Thousands of customers reportedly participated. The bank quickly closed the loophole and sued some customers to recover improperly withdrawn funds.
Chase may have minimized the immediate damage from the so-called glitch, but the incident is symptomatic of a bigger problem where a growing number of fraudsters are customers. These fraudsters generally avoid criminal activity in their lives, but they might be motivated to engage in fraud by exploiting a glitch or inefficiency or taking advantage of loopholes — with minimal chance of getting caught.
"These are people who probably have other vocations, and who are doing this either as a means of additional supplemental income, or because they’re in dire economic straits and they need to get back on their feet," says Trace Fooshée, strategic advisor at Datos Insights, who began researching customer fraudsters during the Covid-19 pandemic. Fooshée used the term "citizen fraudsters" in a 2022 report to distinguish this activity from fraud perpetrated by organized crime syndicates. Many do not recognize that what they are doing is illegal or unethical. "They might be driven by economic hardship, a morally casual attitude toward fraud, or the perception of an easily exploitable vulnerability," Fooshée says.
The extent of this activity is difficult to quantify. Given the increased fraud activity they are reporting, banks can help combat the problem by addressing the key vectors of attack, which include payment dispute fraud, check fraud and other deceptive behaviors. Authentication controls, application controls and data sharing mechanisms are a critical part of this effort.
"Citizen Fraud" and its Impact
What Fooshée calls citizen fraud often falls into three use cases, including check deposit fraud — exploiting the "float" time in which a check takes to clear and drawing on provisionally credited funds; payment or chargeback fraud, in which customers dispute transactions they might have made in pursuit of a refund; and money mule schemes, in which participants knowingly or unknowingly move money for scammers for monetary gain.
This activity grew during the pandemic amid strained personal budgets, but its impact is not tracked and is often included in broader fraud categories such as first-party fraud. First-party fraud occurs when the target of the deception is the financial institution — but it can be committed either by a customer or professional fraudster, according to Fooshée.
Despite challenges quantifying its effects, customer fraud is contributing to a growing first-party fraud problem across institutions, experts say.
"First-party fraud… in many cases, is definitely increasing over years," says Sunny Thakkar, head of global merchant fraud products at payment processor Worldpay. "It’s one of the top fraud vectors that merchants are concerned about."
In an October 2024 Alloy survey of 486 financial industry leaders across financial institutions and fintechs, 60% of respondents said fraud grew across consumer and business accounts that year. While 70% of attempted fraud events were carried out by full-time financial criminals or fraud rings, 29% of them were carried out by customers. Of the fraud activities committed by customers, 15% were coerced and 14% acted knowingly.
Among the most common fraud events identified by respondents over the past 12 months that could be bolstered by customer fraud included credit card fraud (20%), check fraud (11%), chargeback fraud (10%) and authorized push payment fraud (9%). Nearly one in three financial organizations experienced direct fraud losses exceeding $1 million – up from the year-earlier period, in which one in four respondents reported losses surpassing $1 million.
First-party fraud losses in the U.S. were worth more than $100 billion annually, per research from identity security and fraud solution provider Socure. A December 2024 survey of 2000 consumers conducted by Socure found that more than a third (43%) of respondents said they committed first-party fraud, including disputing legitimate charges. Of those who admitted first-party fraud, 60% of offenders cited financial hardship as the main driver.
Datos Insights’ figures are somewhat more conservative when accounting for chargebacks. A survey from the second quarter of 2024 found that just 6% of U.S. customers who disputed a transaction admitted they didn’t want to pay for a legitimate charge, while 5% of those who filed a dispute said they couldn’t pay the charge.
How Banks Can Fight Customer Fraud
The challenge is that the consumer committing the act is usually considered a good customer until the fraud occurs, says Fooshée. Combatting this type of fraud usually involves using detective analytics — including predictive modeling and anomaly detection capabilities — paired with internal controls, says industry consultant Hailey Windham, who noted that companies also ought not to unduly disrupt the customer experience through anti-fraud efforts.
Many of the protective measures applied to all types of financial fraud management can be applied to customer fraud, including authentication controls (verifying the identity of the account holder) and application fraud controls (rooting out fraudulent account applications through identity and behavior monitoring), Fooshée says.
"Most financial institutions control for money mules by way of stronger application fraud controls, meaning that they’re going to be looking and taking extra scrutiny to determine that whoever is opening up an account with them is not opening up that account solely for the purpose of settling ill-gotten funds through their bank," he says.
While authentication and application fraud controls can be deployed early in the cycle of fraud events, banks can also intercept fraud just before and at the point of the transaction.
"There’s a whole slew of different signals that come from the digital channel that serve to help, to serve and augment the forensic picture of who this person is and what they’re doing," including device identification and device reputation, says Fooshée.
Transaction activity is the last line of defense against fraudsters, allowing banks to monitor for anomalies such as unusual amounts or atypical payment frequencies.
Fighting Chargebacks with Merchant Data
Fraudulent chargebacks, both for credit and debit transactions, represent a significant proportion of customer fraud and can inflict considerable losses on both banks and merchants.
In responding to these payment disputes, banks need to exert care to avoid upsetting the customer, especially if they don’t have a history of fraudulent activity.
"[Banks] are in the job of servicing their customers well. They spend a lot of money to acquire customers," says Gaurav Mittal, executive vice president, disputes and transaction experience at Mastercard. "Secondarily, you may have an indication of fraud, but [banks] don’t always have the full information around the fraud and the consumer."
A good proportion of chargebacks can be traced back to "purchase confusion," in which customers may have forgotten they made a purchase, so it’s important for banks to gather more data before challenging the customer’s claim, says Mittal.
Learn more:
- Keeping Payments at Mastercard on AI’s Leading Edge — without Falling Off
- Real-time Payments Are at a Tipping Point, Bedeviled by Fears of Risk
- Dementia’s Hidden Cost: How Cognitive Decline Compounds Banking Errors and Enables Fraud
One way a bank can verify the authenticity of a disputed transaction is to review payment details provided by the merchant. Visa and Mastercard both have mechanisms that allow participating merchants to offer additional information about a payment, including device identification, the location of the purchase and previous purchasing habits of the consumer.
Mastercard’s program, which is called First-Party Trust, allows merchants to submit information that can be accessed by a bank to verify whether or not a customer made a purchase. First Party Trust, which rolled out in the U.S. in 2024, is opt-in only for merchants and banks, but it provides banks with the tools to gently query customers about purchases they may have forgotten.
"You might say ‘Hey, I see that you bought this, but I also see that you bought this [on] same device that you have bought the previous other things … Can you look that up in your email and see whether you received it?" says Mittal.
Still, some banks may determine that fighting a potentially fraudulent chargeback isn’t worth the effort.
"On a daily basis, the financial institutions have to make a calculation of cost, time, and those factors go into any decision of whether to actually put something through a claim system to investigate it and to fight for it, or just to eat it," says Jennifer Lucas, EY Americas’ payments consulting leader.
Some industry watchers argue that consortia like Unit21 and Socure can also bring together financial institutions, fintechs, and other participants to collaborate on data-sharing and anti-fraud initiatives.
Speaking broadly about industry consortia, Mittal suggests they can be valuable tools for information sharing on fraud, but the degree to which members transparently share information can vary due to competitive concerns.
Above all, a layered approach to "citizen fraud" management that includes both a technology solution to monitor for fraudulent transactions, along with other checks — including data sharing mechanisms — is most effective, suggests Fooshée.
"A layered approach to controls is the best approach and this is true not just for check fraud controls but for all kinds of fraud controls including distinguishing between legitimate claims and fraudulent claims," he says.
