Ask a fraud manager at a community institution what's keeping them up at night in 2026, and you'll rarely hear about stolen card numbers. You'll hear about scams — the cases where the customer, not the criminal, moves the money. It's the fastest-growing category of loss in the industry, and it exposes a hard truth: most fraud controls were built to stop unauthorized transactions, and scams are, technically, authorized.
That distinction is the whole problem. When a member is manipulated into sending a real-time payment to a fraudster, your systems see a legitimate customer, on a legitimate device, making a payment they intended to make. Every traditional signal says "approve."
Why scams beat traditional controls
Classic fraud detection asks: is this really the customer? Scam fraud sails past that question because it is really the customer. The criminal never touches your systems — they work on the human. Common playbooks include:
- Impersonation. A caller posing as your fraud department, telling the member to "move your money to a safe account" to protect it.
- Purchase scams. Payment for goods or a rental that never existed.
- Romance and investment scams. Long cons that end in the member willingly wiring their savings.
Add instant payment rails to that mix and the money is gone before anyone realizes what happened. Speed, which members love, is also what makes scams so unforgiving.
The shift from identity to intent
The institutions making progress have stopped asking only "is this the real customer?" and started asking "does this behavior look like someone being coerced?" That's a move from verifying identity to reading intent — and it relies on signals traditional systems ignore.
You can't stop scam losses by getting better at recognizing the customer. You have to get better at recognizing when the customer is being used.
Behavioral signals do the heavy lifting here: a member who normally sends nothing suddenly setting up a large new payee; hesitation and unusual session patterns that suggest someone is being talked through the steps; a login followed immediately by a phone call and a rushed transfer. None of these are conclusive alone. Together, they paint a picture.
Friction, used surgically
The instinct to add warnings to every payment backfires — members tune out blanket alerts fast. The better approach is targeted friction: reserve the hard stops and pointed, scam-specific warnings for the small number of transactions that look genuinely risky. A well-timed prompt — "Did someone contact you and ask you to move this money?" — has interrupted more scams than any generic disclaimer ever will.
Build the human layer
Technology catches the pattern; people close the loop. That means training frontline and contact-center staff to recognize the emotional fingerprints of a scam in progress — urgency, secrecy, a member who seems coached or defensive — and empowering them to pause a transaction and ask questions without fear of annoying a good customer. Member education matters too, but education alone won't beat a skilled social engineer working someone in real time.
Where to start
Three priorities for a community institution: layer behavioral analytics onto your payment flows so intent signals actually surface; apply friction surgically to high-risk transactions instead of numbing everyone with warnings; and give your people both the training to spot a scam and the authority to slow it down. Scam fraud is a human problem wearing a technology costume — the defense has to work on both layers at once.