
What is online banking fraud and how to prevent and manage it

Published: 4/2/2026

A customer logs in from their sofa, approves a payment that feels routine, and carries on with their evening. Minutes later, the money is gone, and so is their confidence in their bank. This is how modern online banking fraud often unfolds: quietly, convincingly, and at speed.

Online banking fraud no longer relies on brute-force attacks or obvious red flags. Today’s fraudsters exploit trust, timing, and digital convenience, blending technical intrusion with social engineering to bypass traditional controls. As real-time payments, frictionless journeys, and always-on digital channels become the norm, the window to detect and stop fraud is shrinking fast.

For banks, this shift changes everything. Fraud prevention can’t sit at the end of the transaction, waiting to clean up after losses occur. It must move upstream, embedded across the digital journey, capable of understanding user actions, intent, and risk in real-time. 

Getting this right isn’t just about reducing fraud losses; it’s about protecting customers at their most vulnerable moments and preserving trust in an increasingly invisible banking experience.

This article provides an overview of how modern online banking fraud operates, the primary types of attacks that criminals use to perpetrate fraud, and how you can protect your customers from cyber threats.

What is online banking fraud?

Online banking fraud occurs when a criminal accesses and transfers funds from an individual’s online bank account.  

Fraud generally refers to any intentional act aimed at depriving an individual of a legal right; online banking fraud narrows that scope to illegal activities that occur online and result in an economic loss.

Online banking fraud refers to any illicit activity completed on the financial institution’s web application or native mobile apps for money management, bank transfers, instant payments, and money lending.

Artificial Intelligence and online banking fraud

As Artificial Intelligence expands its reach, fraud today scales exponentially. With AI, automation, and fraud-as-a-service ecosystems, attackers can test, adapt, and launch thousands of variations of the same scam in a matter of hours. One successful technique can be replicated across markets, banks, and customer segments with minimal effort, while generative AI makes messages more convincing, personalised, and harder to spot.

The result is a sharp increase in both the volume and sophistication of attacks. Industry data consistently shows double-digit year-on-year growth in digital fraud attempts, with Account Takeover, social engineering scams, and malware among the leading drivers of customer losses and reimbursement costs for banks. 

Understanding how these attacks work and where they break traditional controls is the first step towards stopping them.

The most common types of online banking fraud

Historically, online banking fraud has been categorised into two primary types: Account Takeover (ATO) and Automatic Transfer System (ATS), based on the attacks perpetrated to steal money.

The truth is that today, fraud campaigns no longer stay within a single definition. They move freely across digital channels, employing cyber techniques, social engineering, and session manipulation in sequence. 

For the sake of simplicity, this article maintains the traditional distinction to facilitate understanding for everyone.

Account Takeover (ATO)

Account Takeover occurs when a fraudster gains unauthorised access to a legitimate customer account and uses it to initiate transactions, change credentials, or lock the customer out entirely. Rather than attacking the bank directly, criminals exploit the weakest link: compromised user identities.

Most ATO attacks begin with credential theft, which is often obtained through phishing campaigns, data breaches, or malware infections. Social engineering plays a critical role, tricking customers into sharing one-time passwords or approving actions they believe are legitimate. Once inside the account, fraudsters move quickly, blending in with normal session activity to avoid detection.

For banks, the impact is immediate and multifaceted. Reimbursement obligations, increased support costs, and lengthy investigations often compound financial losses from fraudulent transfers. More damaging still is the erosion of customer trust: ATO victims rarely blame the attacker; they blame the bank that failed to protect them.

Phishing, vishing, and smishing

Phishing and its variants remain the most effective entry points for online banking fraud. Whether delivered by email (phishing), phone calls (vishing), or text messages (smishing), the goal is the same: to manipulate victims into revealing sensitive information or taking actions that enable fraud.

In a banking context, these attacks are highly contextual. Messages may reference real transactions, impersonate trusted brands, or exploit urgency around account security or payment failures. Increasingly, fraudsters also target bank employees, using vishing attacks to gain internal access or bypass controls through insider manipulation.

What makes these techniques particularly dangerous is their adaptability. AI-generated scripts, voice cloning, and real-time interaction enable fraudsters to adjust their approach on the fly, making detection by both customers and staff significantly more challenging.

Malware and trojans

Malware-based attacks involve malicious software designed to monitor, manipulate, or take control of a user’s device. Banking trojans, keyloggers, and remote access tools can capture credentials, intercept one-time passwords, or silently alter transactions without the user’s knowledge.

For financial institutions, these threats are especially challenging because the fraud originates from a seemingly trusted device. Transactions appear legitimate, authentication checks pass, and traditional rule-based systems often see no apparent anomalies.

Real-world attacks have shown how malware can remain dormant for weeks, learning user behaviour before striking, or operate as part of large-scale botnets targeting thousands of accounts simultaneously. Without session-level analysis and device intelligence, these attacks are difficult to detect in time.

Today, fraud analysts face new threats and capabilities that can compromise digital devices, including malware. At the moment, the most well-known are:

  • Remote Access Trojans (RATs) are designed to remotely control an infected device, sending commands and receiving responses. These are typically spread across a large pool of mobile devices.
  • Man-in-the-Browser (MitB) is a type of malware that hides within the browser and intercepts and alters the communication between the local browser and the banking web application server to facilitate fraud.
  • Overlays superimpose a layer on top of specific pages of the app (or web app) to intercept private information as the user enters it.
  • SMS Sniffers capture SMS messages to steal personal data or read OTPs to bypass Multi-factor Authentication procedures.

Cleafy’s Threat Intelligence team has analysed examples of advanced malware that perform ATO at scale: TeaBot and BRATA, both belonging to the RAT family, and Gozi, which instead belongs to the MitB family and can also attack via Automatic Transfer System. 

SIM swap fraud

SIM swap fraud exploits a weakness at the intersection of telecoms and banking. By convincing a mobile operator to transfer a victim’s phone number to a new SIM card, fraudsters gain control of SMS-based authentication and verification messages.

Once the SIM swap is complete, attackers can intercept one-time passwords, reset banking credentials, and authorise high-risk transactions. For banks that still rely heavily on SMS-based authentication, this creates a critical blind spot, particularly when SIM swaps occur outside the bank’s visibility.

The challenge for financial institutions is detecting fraud early enough. SIM swaps often occur days before an attack. Without real-time session and execution signals or intelligence, banks may only become aware once funds have already been transferred from the account.

Authorised Push Payment (APP) fraud

Authorised Push Payment fraud occurs when a customer is manipulated into sending money to a fraudster, believing the transaction is legitimate. What makes APP fraud particularly dangerous today is not just the social engineering itself, but how Artificial Intelligence has dramatically increased its scale, speed, and success rate.

AI enables fraudsters to industrialise deception. Generative models are used to produce compelling messages, scripts, and emails tailored to individual victims, often referencing real transactions, recent activity, or personal details. 

Voice cloning technology enables attackers to impersonate bank agents, merchants, or even family members with alarming accuracy, while automation facilitates the simultaneous execution of thousands of scam conversations.

APP fraud is rarely a standalone event. It is typically the result of a broader attack chain that may involve phishing, account reconnaissance, SIM-swap attacks, or malware-based monitoring. 

AI helps fraudsters identify the right moment to strike, when urgency, trust, and emotional pressure are at their peak, and push the victim to act before doubt or friction can intervene.

For banks, this creates a fundamental detection challenge. The payment is authorised, authentication is successful, and the transaction typically aligns with the customer’s historical patterns. Yet the financial and reputational impact is severe, with reimbursement costs rising and regulatory expectations increasing across markets.

Preventing AI-driven APP fraud requires more than transaction monitoring. Banks need real-time insight into session signals, device context, and deviations in customer intent, allowing them to intervene before funds are released, not after they’ve disappeared.

Automatic Transfer System (ATS)

Over the last few years, the continuous improvement of fraud-prevention solutions has made ATO attacks more difficult to execute. That’s why fraudsters are developing new ways to perpetrate fraud without having to take over victims’ accounts. These new techniques are engineered to automate illegal activities and complete them as quickly as possible.   

Unlike Account Takeover, attacks through the Automatic Transfer System don't require taking over the victims’ accounts. The fraud occurs while the user is actively using the target application, by tampering with its genuine operations without the user noticing.

The four main differences between ATS and ATO attacks are:

  • ATS always involves malware on the victim’s device, whereas ATO can occur through social engineering alone.
  • Malware that performs ATS is generally highly tailored to the targeted application and, therefore, more advanced and more challenging to detect.
  • ATS attacks can bypass fraud detection mechanisms such as Behavioural Biometrics, post-login biometrics, static interaction analysis, or Two-Factor Authentication because the actions are performed by a genuine user on a genuine device, unaware of the malware installed on it. In this case, cybercriminals are not interested in collecting users’ credentials or OTPs, as genuine users transfer money to the fraudsters’ accounts (without realising it).
  • Frauds via ATS attacks don’t require the manual intervention of fraudsters, as they are automated and easily scalable. Unlike ATO attacks, which target a few customers for large amounts, ATSs target a large number of victims for small amounts. This makes it easier for anti-fraud systems to miss a potential fraud.  

ATS attacks on mobile devices are carried out by gaining control of Accessibility Services, a suite of Android services provided by Google to make Android devices more accessible to users with disabilities. 

An example of advanced malware that performs ATS at scale is SharkBot, an Android Trojan discovered by Cleafy’s Threat Intelligence team in 2021.
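
The fourth difference listed above (many victims, small amounts) is a cross-account pattern that a per-transaction threshold cannot see. The following Python is an added example, not code from this article or from Cleafy; the transfer records, account ids, thresholds and biller allowlist are assumptions constructed for illustration. It compares a single-transfer rule with a sliding-window count of distinct senders per beneficiary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 1, 10, 9, 0)

def hours_after(h):
    return T0 + timedelta(hours=h)

# Constructed sample data: (time, customer, beneficiary, amount). All ids are invented.
TRANSFERS = [
    # Five customers each send a small amount to the same account within 6 hours.
    (hours_after(0), "c1", "ACCT-A", 190.0), (hours_after(1), "c2", "ACCT-A", 220.0),
    (hours_after(2), "c3", "ACCT-A", 205.0), (hours_after(5), "c4", "ACCT-A", 240.0),
    (hours_after(6), "c5", "ACCT-A", 180.0),
    # A utility biller legitimately receives many small payments.
    (hours_after(0), "c6", "UTILITY-1", 60.0), (hours_after(1), "c7", "UTILITY-1", 75.0),
    (hours_after(2), "c8", "UTILITY-1", 58.0), (hours_after(3), "c9", "UTILITY-1", 64.0),
    # Four senders spread over six days: never four inside one window.
    (hours_after(0), "c1", "ACCT-B", 150.0), (hours_after(48), "c2", "ACCT-B", 150.0),
    (hours_after(96), "c3", "ACCT-B", 150.0), (hours_after(144), "c4", "ACCT-B", 150.0),
    # One large transfer, the only row a per-transaction threshold sees.
    (hours_after(3), "c2", "ACCT-C", 1500.0),
]
KNOWN_BILLERS = frozenset({"UTILITY-1"})  # assumed allowlist of high-volume payees

def per_transaction_alerts(transfers, limit=1000.0):
    """Classic rule: alert on any single transfer at or above the limit."""
    return [t for t in transfers if t[3] >= limit]

def fan_in_alerts(transfers, window=timedelta(hours=24), min_senders=4,
                  known_billers=KNOWN_BILLERS):
    """Flag beneficiaries paid by >= min_senders distinct customers within one window."""
    by_beneficiary = defaultdict(list)
    for ts, customer, beneficiary, amount in transfers:
        if beneficiary not in known_billers:
            by_beneficiary[beneficiary].append((ts, customer, amount))
    alerts = {}
    for beneficiary, rows in by_beneficiary.items():
        rows.sort()  # chronological order
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            senders = {c for _, c, _ in in_window}
            best = alerts.get(beneficiary, {"senders": 0})
            if len(senders) >= min_senders and len(senders) > best["senders"]:
                alerts[beneficiary] = {"senders": len(senders),
                                       "total": sum(a for _, _, a in in_window)}
    return alerts
```

Without the allowlist the utility biller is flagged as well, which is why fan-in counts need payee context before they drive customer-facing friction.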

Emerging trends in digital banking fraud

The fraud landscape continues to evolve as attackers tap into the same technologies that power digital banking innovation. Artificial intelligence, real-time payments, and new financial ecosystems such as cryptocurrencies have created new avenues for fraud, forcing financial institutions to rethink traditional prevention models. Banks must now contend not only with faster and more automated attacks, but with AI-enhanced deception that can mimic legitimate behaviour and exploit instant transaction frameworks before controls have a chance to act.

In this context, staying ahead means understanding the emerging patterns of fraud and how AI both fuels the threat and enables a new generation of defence, including solutions like a GenAI co-pilot that helps analysts cut through data noise and pre-empt attacks with strategic insight. 

Real-time payment fraud and instant transaction vulnerabilities

Real-time payments leave little room for intervention. Fraudsters exploit this by combining social engineering with precise timing, pushing victims to act before doubts or controls can kick in. AI helps attackers scale these scams, optimising when and how payment requests are made.

For banks, prevention must happen before execution, using real-time sessions, contextual risk signals, and Attack Pattern Recognition methodology to reconstruct the whole attack sequence, rather than focusing only on post-transaction analysis.

Deepfake technology and AI-powered impersonation

Deepfakes are turning impersonation into a high-fidelity threat. AI-generated voices, videos, and documents can convincingly mimic customers, bank staff, or trusted third parties, undermining traditional identity checks.

This shift forces banks to move beyond static verification and adopt continuous, session-based authentication grounded in live interaction context across digital and assisted channels.

Cryptocurrency and blockchain-related fraud

Crypto assets increasingly appear as the destination for funds stolen through scams and APP fraud. Fraudsters use their speed and global reach to complicate recovery and obscure money trails, often supported by AI-driven automation.

As banks interact more with crypto-adjacent flows, visibility into destination risk and customer intent becomes critical.

Artificial intelligence: scaling attacks and defences

AI has become a core enabler of modern fraud, allowing criminals to automate, personalise, and rapidly adapt their attacks. At the same time, it is essential for defence, helping banks analyse complex signals and act in real time.

Thanks to AI tools like co-pilots and agentic AI, fraud teams can scale their day-to-day job by correlating data, highlighting risk, and accelerating decision-making, enabling prevention at the speed fraud now operates.

How to prevent modern online banking fraud: The shift-left approach

For years, many fraud detection tools have focused on the transaction, the moment money moves, applying risk scores to flag possible fraud. But attackers don’t strike at just one moment. They move through entire sessions, weaving complex stories that traditional tools miss. Meanwhile, most solutions still overwhelm teams with noise and fragmented data, making it harder to act decisively.

Fraud is a journey, not a single event. Customers face risks not only at transaction points but across their entire digital session, from pre-login activity to post-authentication execution. Cleafy tracks the full session narrative, enabling proactive detection of emerging threats before any damage occurs. This approach improves customer experience by reducing false alerts and friction, while maintaining strong security.

Cleafy redefines shift left by focusing on early understanding rather than just early alerts. This approach reduces complexity, breaks down silos between fraud and cyber teams, and accelerates confident, accurate responses, all essential for modern banks and financial institutions.

Shifting left isn’t about reacting faster. It’s about understanding sooner. By adopting a session-level, unified visibility engine, banks can disrupt attacks earlier, optimise operational efficiency, and better protect customers. The future isn’t more alerts, it’s more clarity. And clarity starts with the full story.

Why cyber-fraud fusion is the next level of online banking fraud defence 

Today’s attacks exploit systems that are working as designed, slipping through post-login blind spots, reusing valid credentials, and moving silently across channels. Traditional defences built around transactions and known patterns don’t catch it early enough. And fraud, like cyber threats, is now a matter of when, not if.

The cyber-fraud fusion model flips this approach by shifting detection left, identifying anomalies as soon as they appear in live traffic. By monitoring live session execution in real time and linking cyber indicators to fraud context, banks can stop fraud earlier, reduce false positives, and preserve the customer experience.

Cleafy’s cyber-fraud fusion defence platform monitors full user sessions in real-time to expose the methods fraudsters use to prepare, execute, and escalate scams. We don’t just flag risky transactions; we detect the build-up, from the first click to the final step.
