The 2025 State of Fraud Report shows record $12.5B losses and a rise in AI-driven fraud. Learn why modern identity verification (IDV) is now non-negotiable to fight fraud rings, secure digital channels, and meet regulatory expectations.
If you’re building or operating anything that moves money, you’re no longer fighting “random fraud.” You’re facing organized, well-funded teams using automation, breached data, and generative AI. The latest 2025 State of Fraud Report confirms what fraud leaders are feeling daily: attacks are up, losses are real, and most incidents strike on digital channels—where your growth lives.
At the consumer level, the U.S. Federal Trade Commission reports a record $12.5B in fraud losses for 2024—+25% year over year—making it the costliest year on record for victims. That’s not a “trendline”; it’s a slap in the face.
This publishing-ready deep dive breaks down the Alloy findings and connects them to a simple truth: identity is the new perimeter. If you can’t verify who’s behind a device, a browser, or a payment request—quickly and continuously—you’ll either over-block good users or under-block bad ones. Neither is a viable business model in 2025.
· 60% of institutions saw an increase in fraud attacks across consumer and business accounts.
· 56% say they catch fraud at the time of the transaction; only 33% catch it at onboarding, which means too many teams are still discovering fraud when money is about to move (or already has).
· 71% attribute the majority of attempts to criminal groups/fraud rings—not isolated “one-off” customers.
· Digital is the battleground: online (60%) and mobile (20%) banking dwarf other channels for fraud volume, even as organizations claim they invest equally in branch and digital.
· Losses don’t end at charge-offs: leaders rank reputational damage and client attrition among the most severe consequences.
Two implications fall out of that:
1. Prevention has to shift left (toward identity) so you catch bad actors before they transact.
2. Your controls must be digital-first—effective on web and mobile, in real time.
1) The professionalization of fraud
Alloy’s survey shows decision-makers now see fraud rings as the primary culprits. That’s bad news because they’re systematic—but also good news because repeatable patterns are detectable with modern data and ML.
2) Channel shift: growth moved online, fraud followed
When your best customers onboard and bank digitally, so do adversaries. It’s why online and mobile sit atop the fraud charts. If your strongest controls are still tuned for branch or call center, you’re playing the wrong sport.
3) Real-time payments raise the stakes
As rails get faster, “detect late and claw back later” stops working. In the UK, regulators went as far as mandating reimbursement for most Authorized Push Payment (APP) scams on Faster Payments from 7 October 2024, with a cap of £85,000 per claim (PSR policy overview)
4) Deepfakes and social engineering scale decision fraud
When an engineering firm can be tricked into wiring HK$200M (~£20M) via a deepfake video call, “video proof” isn’t identity. Read here
In the U.S., Customer Identification Program (CIP) rules require risk-based procedures that allow a reasonable belief you know your customer’s true identity. See 31 CFR § 1020.220 and the FFIEC BSA/AML Manual for the expectations examiners use. (eCFR text, FFIEC CIP section).
NIST’s Digital Identity Guidelines (SP 800-63) offer a practical way to align identity proofing and authentication with risk via IAL (identity assurance level) and AAL (authenticator assurance level). Teams use it as a north star for mapping controls to specific use cases. (NIST overview and living draft site).
Bottom line: regulators don’t prescribe how to verify; they require risk-based confidence. Modern identity verification (IDV) gives you defensible controls that also improve conversion.
The research report makes it clear: organizations aren’t just buying another blacklist; they’re moving to identity risk solutions with document verification, biometrics, and ML at the core. 64% plan to invest here in 2025.
Here’s the practical blueprint.
1) Orchestrate multiple sources (not just “buy a single vendor”)
Data orchestration fuses bureau data, public records, alternative data (e.g., cash-flow analytics), device intel, and behavioral signals behind policy-driven routing. This matters because rings can spoof one data source; they struggle to spoof correlated signals in real time. Enterprise banks are explicitly prioritizing alternative data alongside IDV and ML investments.
2) Make “history and authority” unfakeable
As one industry voice put it: GenAI can fake a face and voice, but not a decade-old email reputation or a pass from an authoritative registry. The U.S. Electronic Consent-Based SSN Verification (eCBSV) is a good example: with consumer consent, it checks whether Name + SSN + DOB match SSA records via API—vital in combating synthetic identities.
3) Step-up that actually “steps up”
Organizations increasingly rely on document verification (ID capture), selfie/biometric liveness, and strong authenticators to confirm identity when risk spikes. 91% report using step-up authentication as a first response once anomalies are detected, while KBA continues to decline.
Where to trigger step-up? Look for inconsistent device fingerprints, network risk, paste-heavy form behavior, and unusual navigation cadence—the early, high-signal flags Alloy respondents highlighted when describing ATO patterns.
4) Passwordless, phishing-resistant sign-in (Passkeys / FIDO2 / WebAuthn)
Passkeys bind credentials to the user’s device and site origin, making them phishing-resistant and far harder to replay than SMS OTPs. As of late 2024, more than 15 billion online accounts could leverage passkeys—evidence that passwordless is no longer “future tech.”
Use passkeys for:
· Login (default), step-up in higher-risk flows, and device binding for returning users.
· Recovery: when devices change, require a cryptographically bound re-enrollment, not an email link + SMS OTP combo.
5) Behavioral biometrics + device intelligence
Modern IDV quietly analyzes how a user types, swipes, or navigates—not just what they enter—paired with device fingerprinting and network risk. The result is an early warning system for bots and impostors that’s hard to fake at scale. These signals play especially well with real-time interdiction when money movement is imminent.
6) Graph and ML as first-class citizens
Because rings reuse infrastructure, graph analytics reveal shared emails, devices, IPs, and mule accounts across your portfolio. Meanwhile, supervised ML picks up repeatable patterns faster than a rules-only approach. The survey shows 99% already use AI in some capacity and 93% expect ML/GenAI to be transformative.
Alloy’s leaders report that implementing an identity risk solution delivered the biggest impact on reducing fraud, and 87% say the savings outweigh the cost.
That return compounds in markets with reimbursement regimes (e.g., the UK’s APP scam rules), where prevention directly reduces payouts, complaints, and churn.
1. Enroll with confidence
o PII validation + authoritative checks (eCBSV in the U.S.)
o Document capture + liveness when risk > 0
o Device bind + passkey creation at account opening to harden future logins
2. Authenticate continuously
o Risk-based checks at login, profile changes, new payees, new devices, and high-value payments.
o Behavioral biometrics and device intelligence run in the background; escalate to step-up only when needed.
3. Score identity risk everywhere
o Unify onboarding, session risk, and payment risk behind one policy engine.
o Use explainable ML so analysts understand why a decision fired (and so you can document it for auditors/regulators).
4. Interdict in real time
o When anomalies hit, pause instantly, verify out-of-band on a known channel, or trigger document + liveness before the funds move.
o Alloy’s data shows a capability gap: fewer than half of institutions interdict both applications and transactions in real time—closing this is table stakes.
5. Learn and share
o Feed confirmed fraud back into models and consortium networks. The broader the coverage, the higher the cost of committing fraud, and the faster rings burn out.
Good IDV doesn’t mean more friction. It means smarter friction.
· Most good users should breeze through passkeys on known devices without ever seeing a challenge.
· Uncertain sessions automatically step-up to doc + liveness or other strong forms—only when risk dictates.
· You’ll reduce manual reviews by giving ops explainable signals and clear reasons for decisions, instead of throwing every edge case into a queue.
The result: lower losses and a smoother login/open experience for legitimate customers—the growth engine you actually care about.
One latest survey shows 99% of institutions are already using AI somewhere in fraud prevention, and 93% believe ML/GenAI will revolutionize detection. That belief is grounded in practice—teams are using AI to automate investigations, supplement rules with supervised ML, and even explain decisions at scale.
But remember the constraint: AI can fabricate appearance; it cannot fabricate time and authority. Design your program to check signals that models can’t magically invent—like eCBSV matches, long-lived email reputations, or device histories that persist across sessions.
· 60% of U.S. financial orgs saw higher fraud volumes last year.
· 56% detect fraud at transaction time vs. 33% at onboarding—too late for instant rails.
· Online (60%) and mobile (20%) dominate fraud channels.
· Reputational damage tops the list of negative impacts—right next to direct financial losses and client loss.
· 64% plan to invest in identity risk solutions; document verification, biometrics, and ML are top priorities.
· FTC: $12.5B consumer losses in 2024
· UK PSR: reimbursement for Faster Payments APP scams from 7 Oct 2024, capped at £85k.
Yes, for three reasons:
1. Attackers changed. You’re up against rings, automation, and deepfakes. Old controls (passwords, KBA, SMS OTP) can’t carry that weight.
2. Channels changed. Fraud is digital; prevention must be too—and it has to run in real time.
3. Expectations changed. Customers expect frictionless onboarding and sign-in; regulators expect risk-based confidence. Modern IDV gives you both.
· Instrument device + network + behavior on web and mobile.
· Default to passkeys for returning users; keep SMS for break-glass only.
· Route to doc + liveness when signals disagree or risk rises.
· Adopt eCBSV (U.S.) via a provider for high-risk onboarding segments.· Stand up real-time interdiction across applications and transactions.
· Map controls to NIST IAL/AAL so you can explain the “why” to auditors and your board.
· Measure: false positives, step-up rates, interdictions, prevented losses, and net conversion by segment.
Fraud is fast and organized; winning means making identity the control plane. Bind risky actions to verified humans (document + liveness), default to phishing-resistant auth (passkeys), watch device and behavior continuously, and orchestrate authoritative checks with explainable ML. Do that, and fraud turns from a growth tax into a manageable product problem—earning you the only moat that compounds: customer trust.