AI Poised to Automate and Escalate Payment Fraud
Criminals are increasingly leveraging AI and organized tactics to automate payment fraud, from credential stuffing to sophisticated impersonation scams, while consumers prioritize robust fraud protection.

Payment fraud is evolving into a more organized and sophisticated criminal enterprise, with threat actors employing fake websites, large-scale operations, and even forced labor to pilfer funds and sensitive personal data. A significant driver of this evolution is the advancement of agentic artificial intelligence, which promises to automate numerous stages of the fraud lifecycle. This includes the collection and assembly of stolen credentials, as well as the brute-force cracking of passwords, thereby accelerating the pace and scale of attacks.
A recent "US Payment Fraud Survey" by Capco underscores the growing consumer concern over these threats. The study revealed that security and advanced fraud protection are paramount considerations for consumers when selecting payment providers, ranking higher than customer service, transaction speed, brand reputation, or rewards. "Payment fraud in the US is becoming more organized, automated and sophisticated, with scammers increasing their use of modern technologies and AI-enabled tools," noted Matthew Cohn, Partner & US Head of Banking & Payments at Capco. This sentiment is echoed by consumers, with 63% prioritizing security and 50% specifically seeking advanced fraud protection.
Account takeover (ATO) fraud remains a persistent and prevalent threat, with 35% of survey respondents ranking it among their top concerns. Attackers exploit stolen credentials, often acquired through phishing, data breaches, or dark web marketplaces, to gain unauthorized access to bank accounts. From there, they can initiate fraudulent fund transfers, open new credit lines, or establish mule accounts for money laundering. The effectiveness of traditional defenses like passwords, security questions, and even some forms of multi-factor authentication (MFA) is diminishing as AI enhances phishing campaigns and automates credential theft. Furthermore, the rise of deepfake technology poses a growing risk to voice and facial biometric authentication systems, with 89% of respondents expressing concern that publicly available personal information could be used to impersonate them or answer security questions.
Authorized push payment (APP) fraud is experiencing rapid growth, primarily because victims unwittingly authorize the transactions after being manipulated by scammers. These attacks often begin with deceptive text messages, emails, or phone calls, escalating into conversations designed to build trust and create a false sense of urgency. Threat actors impersonate trusted entities such as bank employees, government officials, or even family members to convince victims that their funds are at risk or that an immediate payment is necessary. AI-generated audio and video content are making these impersonation scams increasingly convincing and scalable, blurring the lines between legitimate and fraudulent transactions.
Card fraud is increasingly migrating to digital channels, with criminals focusing on stolen card numbers and personal information. Phishing, fake websites, skimming attacks, compromised payment terminals, and dark web marketplaces are common sources for acquiring payment data. This information is then used for online purchases or added to digital wallets. Notably, over 90% of credit card fraud involves cards that remain in the owner's possession, highlighting the prevalence of online data theft. Website skimming and automated card credential testing are on the rise, with North America accounting for a significant portion of global detections. "Fraudsters are selling data, services and tools to each other as they build an AI-enabled criminal industry on a global scale," stated Gregg Henzel, Managing Principal at Capco. "To strengthen defenses and preserve consumer trust, banks and other payment institutions must adopt a coordinated stance."
Identity fraud is also being supercharged by AI, particularly synthetic identity fraud, which combines real and fabricated information to create entirely new identities. The proportion of new bank credit card accounts linked to synthetic identities has more than doubled between mid-2021 and mid-2024. AI tools are instrumental in generating convincing fake documents and bypassing liveness checks during identity verification processes. This allows criminals to open accounts, apply for loans, and obtain credit using these fabricated personas.
Finally, insider fraud continues to present a significant risk. Employees and contractors can abuse their access to systems and customer data, or actively assist external attackers. This can involve stealing money or credentials, sharing sensitive information, overriding fraud controls, or inadvertently exposing organizations through negligence. The involvement of third-party providers further expands the attack surface, making robust third-party risk management a critical component of insider fraud prevention strategies.