How to stop a fraud attack

Fraud is unfortunately common in financial services. And while no two fraud attacks look the same, there are some standard processes that banks and fintechs should follow to effectively stop a fraud attack.

At Alloy, we believe in a future without fraud.

The reality today, however, is that banks and fintechs alike come under attack frequently. Fraudsters are adept at finding and exploiting vulnerabilities, and without a comprehensive response plan it can be difficult to control the damage. Having a clear fraud response plan can also ensure that you collect the right data and learn as much as possible in the event of an attack.

Read on to learn how triage, discovery and remediation comprise an effective fraud response strategy.

And to understand what’s at stake, check out this blog post where one of our Client Success Managers takes you through his first-hand experience helping one of our clients work through a fraud attack:

On the front lines of a fraud attack


To make sure you and your customers are safe, you first need to determine: Are you experiencing ambient fraud or a fraud attack?

Ambient fraud

A common strategy among fraudsters is to continually test FIs’ fraud protection systems for weak points. These tests (along with small-scale fraudulent activity from amateurs and first-person fraudsters) mean that most FIs experience a constant level of fraud. We call this ambient fraud.

Ambient fraud is inevitable—it’s a cost of doing business. If you’re seeing ambient fraud, it doesn’t mean that your fraud protections are insufficient, nor does it suggest a fraud attack is imminent. We’ll share more detailed instructions for what to do about ambient fraud below.

Fraud attacks are different. In a fraud attack, a group of individuals attempt to exploit a specific gap in your FI’s fraud protections. But not every attack looks the same. In fact, there are two main types of fraud attacks: Fraud ring attacks and high-velocity attacks.

Fraud ring attacks

A fraud ring attack is a coordinated operation conducted by a small but sophisticated group of fraudsters. Fraud rings study your financial institution (FI) closely and look for ways to exploit the design of your onboarding, money movement, or account management systems. These individuals have an expert understanding of banking and payments systems, and are also familiar with the more common fraud prevention systems that FIs use today.

When a fraud ring figures out a potential exploit, they want to extract as much money as possible. This means they may be prepared to wait weeks or even months before cashing out. They might display normal, responsible behavior for a long period in order to qualify for credit or earn good standing with your FI before “busting out” all at once for a large sum across multiple accounts.

Of the many techniques employed by fraud rings, stolen and synthetic identities are among the most effective. But because fraud rings operate in a coordinated fashion, these identities will oftentimes share uncanny similarities. Knowing how to look for these similarities is essential to stopping fraud rings.

What characterizes an actual fraud ring attack? Accounts or applicants with shared attributes like common zip codes or email addresses frequently turn out to be part of the same fraud ring. In other cases, multiple accounts will be funded by the same bank (which will sometimes turn out to have been recently defrauded themselves). For this reason, creating allow/deny lists and velocity checks based on such shared attributes can be a valuable tool for stopping fraud ring attacks.

Here’s how to triage in the event of a fraud ring attack:

How triage fraud ring attacks

High velocity fraud attacks

While fraud ring attacks involve precision and patience, high velocity attacks instead rely on speed and brute force.

Recall that some ambient fraud activity is actually fraudsters testing your defenses for weak points. When a fraud ring conducts these tests and finds an exploit, it informs a larger deliberate strategy. But when an individual fraudster who’s not part of a full fraud ring finds an exploit, what do they do?

A high velocity fraud attack takes place when a fraudster discovers a vulnerability in your fraud defenses and publishes this information (usually on the dark web). What happens next is a surge in volume at the very top of the funnel, often consisting of low quality or clearly risky applications which may trigger your fraud defenses. But even if your fraud defenses stop 90% of these applications, the remaining 10% which slip through can still represent a considerable volume—and therefore a considerable threat.

Because of the sheer volume of applications involved in a high velocity attack, manual processes to approve or deny applicants can be overwhelmed. You can prevent this by keeping your automated fraud defenses up-to-date with providers’ best practices, and by implementing a pre-review step up process for risky applicants. In the most critical cases, however, it may be necessary to temporarily take your entire application page offline.

Keep in mind: fraud ring attacks and high velocity attacks may not be mutually exclusive. Some fraud rings employ cheap stolen identities to conduct high velocity attacks. Or, once a fraud ring attack is stopped, the ring may publish the exploit they used, leading to high-velocity attacks against other FIs.

Here’s how to triage in the event of a high velocity fraud attack:

How to triage high velocity fraud attacks


Once you’ve put a stop to the attack, the next step is to get to the bottom of what happened. These questions may help uncover how you came under attack:

  • When did the attack start?
  • How much volume did you see at the top of the funnel?
  • How did you determine the applications were fraudulent?
  • Which data sources were you using to run checks on new customers?
  • What kinds of step-up verification did you require from applicants?
  • How were you enabling applicants to fund new accounts?
  • What other fraud controls did you have in place?

Remember: fraud ring attacks are characterized by relatively fewer accounts or applications, but much higher dollar amounts. The fraudulent accounts may also exhibit certain shared attributes.

High velocity attacks, on the other hand, involve a high number of applications which may not share any attributes.

Understanding the attack itself is a prerequisite to understanding the gaps in your existing fraud protections. In addition to answering the questions above, we recommend that you compile final outcomes data in collaboration with your vendors and data partners as part of the discovery process.

Final outcomes data is a dataset which encompasses the full set of fraudulent accounts involved in the fraud attack, plus the resulting actual or potential monetary loss. Analyzing final outcomes data is the only way to know whether the changes you’re making will actually stop further fraud attacks.

Additionally, having final outcomes data allows you to include your vendors and data partners in the remediation process—which is where you’ll make the actual changes that will protect your FI going forward.


The specific steps you take during the remediation phase will depend on the details you uncovered during the discovery phase. However, there are a few fraud prevention measures that are generally effective, if you don’t already use them:

  1. Add a synthetic fraud scoring module.

  2. Add a machine learning-based identity theft module.

  3. Add behavioral biometric fraud detection for new applicants.

  4. Add tamper-proof phone-based verification and/or document + selfie verification.

  5. Add a funding account lookup module.

  6. Add transaction monitoring with fraud prevention.

  7. Introduce progressive onboarding or seasoning for riskier customers.

You’ll likely take additional specific steps with assistance from your data vendors or identity decisioning platform provider.

After remediation, remember: fraud hasn’t gone extinct just yet. Like every other FI, you’ll continue to experience ambient fraud as bad actors look for the next vulnerability.

There’s no question that fraud attacks are scary and can leave a negative impression. The good news is that life after a fraud attack resembles life before it—except with stronger protections and a clearer sense of how fraud works.

Learn more about fraud and how to balance fraud prevention measures against cost, conversion rates, customer experience, and compliance requirements by visiting our blog or requesting a demo of Alloy today.

We're building a future without fraud.

More on fraud

60 min watch
2022 fraud trends and 2023 predictions

Join Alloy, LexisNexis® Risk Solutions, Prove, and Ekata to hear our take on where fraud has been and where it’s going.

Watch now

4 min read
3 fraud & risk lessons banks can learn from fintech companies

Alloy CEO Tommy Nicholas outlines the top three challenges he sees banks face in their KYC and fraud prevention efforts and shares some lessons banks can learn from fintech companies to overcome these challenges.

Read more

5 min read
The great balancing act: fraud prevention and customer experience

Alloy CEO Tommy Nicholas and Jamie Warder, Executive VP & Head of Digital Banking at KeyBank, react to Forrester's study, The Identity Decisioning Imperative.

Read more

10 min read
Fintech fraud & compliance benchmark report

New research shows 92% of fintech companies are devoting more resources to battle fraud. See how your fraud and compliance strategy stacks up.


See what you’re missing

First, we’ll learn about your needs, answer your questions, and then see how Alloy can help.