This Week in Fraud (6/23)

Hello Fraud Fighters!

This week, UK Finance dropped its annual fraud numbers and they're not pretty. £1.28 billion gone in 2025, with APP fraud up 19% and investment scams up 40%, driven almost entirely by social media and the platforms that have decided fraud is someone else's problem. We also have the World Cup becoming a merchant fraud stress test, FinCEN quietly doing something significant with information sharing rules, two Texas brothers who learned the hard way that $8 million in crypto doesn't stay yours if enough people know about it, and an FTC action that reads like a case study in how to build a $250 million scam empire while staying invisible to fraud monitoring systems.

Let's get into it.

Nick

UK Finance published its Annual Fraud Report 2026 this week: criminals stole £1.28 billion through payment fraud in the UK in 2025, up 4% year-on-year, across more than four million confirmed cases. Eight people were defrauded every single minute and losses that never got reported almost certainly push that figure considerably higher.

The structural story is more interesting than the headline. Unauthorized fraud (where a criminal moves money without the victim's knowledge) is actually down 5% to £703 million and banks and card networks are winning that battle. What's growing fast are authorized push payment (APP) fraud; scams where victims are manipulated into sending money themselves. APP fraud rose 19% to £576 million. Other notable increases… investment fraud surged 40% to £221.5 million, the single largest loss category, purchase scams up 20%, romance fraud up 23%.

The vector driving this is not some sophisticated technical exploit. Two-thirds of all APP fraud cases in 2025 originated on online platforms, and the financial sector is left holding the bag. UK Finance's managing director of economic crime, Ruth Ray, spells it out: "The financial sector is a global leader in the fight against fraud, but we cannot remain the sole line of defense. Technology and telecommunications companies should face responsibilities that match the role their platforms play in enabling scams."

Banks reimbursed £354 million to APP fraud victims in 2025, equivalent to 61% of losses. The PSR's mandatory reimbursement rules (in force since October 2024) cover a narrower slice and show 89% reimbursement within scope — but the UK Finance data covers a wider range of payment types, and the gap between what's protected and what's lost remains real and wide.

So what? The report's policy ask — enforceable fraud prevention obligations on tech and telecoms platforms — is the right one, and it's gaining momentum. For fraud teams at UK-regulated institutions, the near-term picture is clear: investment and purchase scam volumes are climbing, online origination is the dominant vector, and mandatory reimbursement has shifted liability squarely onto financial services. Any institution not running real-time intervention and warning workflows on outbound transfers at the moment of payment initiation is increasingly exposed — both financially and regulatorily.

Identity risk doesn't stop evolving after onboarding. Jumio Watch continuously analyzes risk, surfaces meaningful changes, and enables faster, more confident action across the full customer lifecycle.

Learn more here:  https://go.jumio.com/jumio-watch-media

ACI Worldwide published data this week drawn from 24.5 million transactions across 61 live-event merchants, and it’s deja vu all over again. The same fraud signatures that preceded surges at Copa America 2024 and the 2022 World Cup are already showing up around the 2026 tournament. At previous events, fraud attempts surged more than threefold versus baseline. Fraudulent orders during the pre-tournament build averaged $405 (1.5 times the $270 legitimate average) and domestic cards are recording a 3.2% attempted fraud rate versus 1.4% for cross-border cards, which is the opposite of what most risk models expect.

Separately, Lloyds Bank has flagged a 36% increase in fake ticket scams tied to the tournament, with victims losing an average of nearly $300 per incident, with some losing considerably more via fabricated VIP packages and fraudulent hospitality sites.

The practical read for issuers and acquirers: elevated fraud thresholds on high-value ticket and hospitality transactions during major events create false decline risk for genuine fans and coverage gaps for fraudsters simultaneously. The ACI data suggests cross-border card share as an early warning signal — that figure rose from 7.5% of total spending to 11.5% in the run-up to Copa America 2024, preceding the fraud spike. Worth watching the same metric now.

On June 12, FinCEN updated its Section 314(b) fact sheet. Section 314(b) of the USA PATRIOT Act has always allowed banks to share information about suspected money laundering without getting sued for privacy violations. The problem is that most institutions interpreted "money laundering" narrowly and stopped short of sharing fraud signals because the safe harbor's application to fraud alone was ambiguous. The result: a Zelle scam flagged at Bank A never reached Bank B, where the same mule account was already at work.

The updated guidance closes that gap explicitly. Fraud offences (mail fraud, wire fraud, bank fraud, securities fraud, computer fraud) are now confirmed as covered specified unlawful activities under the safe harbor: banks don't need to identify specific laundered proceeds to trigger the protection, suspicion of fraud alone is sufficient, and sharing can happen in real time, verbally or electronically, including with institutions that have no existing relationship with the customer in question. Shareable data now explicitly includes transaction monitoring alerts, IP addresses, device IDs, geolocation data, and video surveillance footage.

The Bank Policy Institute called it "a critical step in helping banks to disrupt fraud and scams in real-time", while in the same breath pressing Congress to write the safe harbor into statute rather than leaving it as guidance a future administration could rewrite. That caveat is consequential: former OCC official Daniel Stipano has noted the safe harbor has never been judicially tested on fraud, and FinCEN's interpretation, however well-reasoned, isn't binding law.

Still, for institutions that have been sitting on the sidelines of 314(b) because of that ambiguity, this removes the excuse. The mule account problem is tailor-made for consortium-style real-time sharing. The tools now exist, and the legal cover, at least for now, does also.

Two Texas brothers, Isiah Garcia, 25, and Raymond Garcia, 24, pleaded guilty on June 18 in federal court in Minneapolis to a September 2025 armed robbery that has become one of the starkest examples of a growing threat category.

The brothers traveled from Texas to a family home in Grant, Minnesota, forced their way in, tied up the victim and his family, and held them at gunpoint for over eight hours. They demanded access to the victim's cryptocurrency accounts, and when the online accounts were drained, Isiah Garcia drove the victim three hours north to the family's cabin to access hardware wallets there. Total taken: more than $8 million. The victim's son eventually managed to call 911 and surveillance footage and evidence left at the scene led investigators to the brothers in Texas, where both were arrested and now face up to 20 years in prison.

The broader context of physical “wrench” attacks is concerning. CertiK reported in February that crypto-related kidnappings and violent attacks increased 75% in 2025, with losses from such incidents reaching $101 million in just the first four months of 2026 alone. France has seen more than 40 crypto-linked kidnappings or hostage incidents in the opening months of this year alone. In May, three men were indicted in a separate US case for a $6.5 million "violent robbery spree targeting cryptocurrency owners."

The crux of the issue: crypto wealth is increasingly visible (social media, public blockchain records, data breaches), increasingly concentrated, and, unlike a bank account, can be transferred instantly and irreversibly under duress. The Garcia case is a federal prosecution which signals the DOJ treating this category seriously. That's appropriate and frankly, about time. For compliance teams at crypto-adjacent institutions, it's also a reminder that "client security" increasingly has a physical dimension.

The FTC obtained a federal court order this week temporarily halting Genesis Tech, a Ukraine-based app publisher that built what the agency describes as a sprawling machine for subscription fraud: 15 companies, eight individuals, and a rotating portfolio of products specifically designed to evade the fraud monitoring systems that might otherwise catch them.

The brands (fitness apps MadMuscles, Harna, and Unimeal; PDF editors PDF Guru and PDF Master; horoscope platform Nebula; productivity app Wisey; fashion app Lumi) will be familiar to anyone who has clicked through a social media ad and found themselves mysteriously enrolled in a recurring billing cycle they never clearly agreed to. Between early 2023 and mid-2025, those five product lines alone generated nearly $250 million in global revenue. In the 12 months ending September 2025, PayPal accounts connected to the broader Genesis network processed nearly $700 million.

The FTC's complaint details the playbook: advertise as free or low-cost, bury auto-renewal terms in the smallest print on the page, charge for products consumers never requested, make cancellation actively difficult by removing it from the app or website, and continue billing after cancellations are supposedly processed.

What makes the Genesis case noteworthy for fincrime professionals is the evasion infrastructure: Genesis and its affiliates continuously registered new legal entities, opened fresh merchant accounts, and launched new products specifically to stay ahead of fraud detection programs, routing proceeds through Cyprus and Delaware shell companies back overseas. The FTC's complaint frames this explicitly: the shell company network wasn't incidental, it was the mechanism.

For payment fraud and chargeback teams: this case is a clean example of why merchant risk monitoring can't be purely transaction-level. When a network of nominally distinct entities shares beneficial ownership, payment infrastructure, and a fraud methodology, the signal lives in the relationships between merchants, not within any single account. The click-to-cancel rule that might have given the FTC sharper statutory teeth was vacated by an appeals court last July. But for now, they're working with older statutes. Genesis is one of Ukraine's largest tech companies; this one will be contested.

This Week in Fraud is a publication for fintech operators, fraud teams, and risk professionals. Have a tip or story? Reply to this email or drop Nick Holland at [email protected] directly.