Fraud is already a significant and growing threat to UK businesses. UK Finance’s latest Annual Fraud Report shows that criminals stole £1.28 billion through payment fraud in 2025, an increase of four per cent. Cifas also reported a record 444,993 fraud risk cases filed to the National Fraud Database in 2025, with identity fraud and account takeover together accounting for 72% of all filings.
AI is not creating fraud from scratch, but it is changing the way fraud can be carried out. Criminals can use AI to make phishing messages more convincing, create realistic voice or video impersonations, generate false documents, mimic trusted contacts and scale attacks across multiple channels. This means organisations need to think beyond traditional fraud controls and consider how their people, processes and technology would respond to more sophisticated and fast-moving threats.
For businesses, the question is no longer whether AI-enabled fraud is possible. It is whether existing controls, escalation routes and response plans are strong enough to deal with it.
Many fraud attempts still rely on familiar techniques, including pressure, urgency, impersonation and manipulation. What AI changes is the quality and scale of those attempts.
A fraudulent email may no longer contain obvious spelling mistakes or clumsy wording. A voice message may sound like a senior executive. A fake website or application form may look credible. A compromised third-party account may be used to send instructions that appear legitimate because they come from a known supplier, customer or colleague.
This creates a challenge for organisations that rely too heavily on trust-based processes or informal verification. Where staff are used to acting quickly, approving changes over email, responding to urgent requests or relying on personal judgement alone, AI-enabled fraud can expose weaknesses in control design.
Preparation therefore needs to be proactive. Businesses should assess where fraud risks are most likely to arise, how those risks are currently controlled, and whether those controls remain effective in an environment where fraud attempts may be more realistic, targeted and automated.
One of the most important steps businesses can take is to strengthen authentication. Multifactor authentication remains a key control because it provides an additional layer of protection against unauthorised access and account takeover.
However, MFA should not be viewed as a standalone solution. It needs to sit within a wider control environment that considers who has access to systems, what level of access they have, how access is approved and how changes are monitored.
Access and onboarding policies should be strengthened through the consistent application of risk controls. This includes segregation of duties, the four-eye principle, need-to-know access and need-to-access principles. Where the risk is higher, the level of control should increase. Where the risk is low, organisations can still maintain proportionate and frictionless access, but this should be supported by clear rules rather than informal practice.
The aim is to make it harder for fraudsters to exploit a single compromised account, weak onboarding process or poorly controlled change request.
Businesses should also consider how technology can be used to identify and respond to AI-enabled fraud more effectively. As criminals use automation and AI to increase the scale and sophistication of attacks, organisations may need more advanced tools to detect unusual behaviour, verify identity and prioritise alerts.
Real-time verification tools can help identify suspicious activity earlier, including potential account takeover attempts or compromised third-party accounts. Automated alert triage can also help organisations prioritise investigation based on risk exposure, rather than treating every alert in the same way.
This matters because fraud and cyber teams often have limited resources. A high volume of alerts can lead to fatigue, delays or missed warning signs. Used appropriately, technology can help reduce false positives, focus attention on higher-risk activity and support faster decision-making.
However, AI-enabled fraud prevention tools should be embedded carefully. They need to be aligned with the organisation’s risk appetite, governance framework and operational processes. Technology should support decision-making, not replace accountability.
Fraud controls are most effective when they are built into the full customer, supplier and third-party journey. AI-enabled fraud may appear through application forms, websites, mobile apps, customer support channels, email, telephone contact or third-party portals.
Businesses should therefore consider where external parties interact with the organisation and where an attacker might attempt to exploit the process. This includes onboarding, account amendments, payment changes, credential updates, customer service requests and high-value instructions.
Controls should be embedded across these channels so that fraud prevention is not dependent on a single team or one point in the process. If a criminal can bypass controls by switching channel, for example moving from email to a support form or from a portal to a phone call, the organisation remains exposed.
A joined-up approach helps businesses identify suspicious behaviour earlier and ensure that high-risk activity is consistently challenged, regardless of where it enters the organisation.
Strict callback procedures are particularly important where instructions involve financial transactions, credential changes, account amendments or unusual executive requests.
Businesses should ensure that callbacks are made using trusted contact details already held on record, not details supplied in the instruction itself. This is especially important in cases where a fraudster may have compromised an email account, created a convincing impersonation or used AI-generated content to make the request appear legitimate.
High-risk instructions should not be approved solely because they appear to come from a recognised person or organisation. The higher the value, urgency or sensitivity of the request, the stronger the verification process should be.
Clear callback procedures help staff act with confidence. They also remove ambiguity, making it easier for employees to challenge unusual requests without feeling that they are delaying business unnecessarily.
Escalation routes should be logically enforced and aligned with the organisation’s risk appetite. This means defining in advance which types of activity require additional review, who is responsible for approval and what thresholds apply.
For example, escalation may be required for transactions above a certain value, requests involving new bank details, changes to access rights, activity involving high-risk jurisdictions or instructions that fall outside normal patterns of behaviour.
These thresholds and conditions should be clearly documented. Decisions should also be recorded so that there is a clear audit trail and accountability for how risks were assessed and managed.
A strong escalation framework helps prevent high-pressure decision-making in the moment. It gives staff a clear process to follow and ensures that higher-risk decisions are reviewed at the right level.
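The callback and escalation rules described above can be enforced in code rather than left to judgement in the moment. The sketch below is an added example, not AJC's own tooling; the threshold, the placeholder jurisdiction code, the contact directory and all names such as `Instruction` and `decide` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values; a real organisation takes these from its risk appetite statement.
VALUE_THRESHOLD_GBP = 10_000
HIGH_RISK_JURISDICTIONS = {"ZZ"}  # placeholder code, not a real country
# Constructed directory of contact details already held on record.
CONTACTS_ON_RECORD = {"SUP-001": "+44 20 7946 0000"}

@dataclass
class Instruction:
    counterparty_id: str
    requested_by: str  # member of staff processing the request
    amount_gbp: float = 0.0
    new_bank_details: bool = False
    changes_access_rights: bool = False
    jurisdiction: str = "GB"
    outside_normal_pattern: bool = False

def escalation_reasons(ins: Instruction) -> list:
    """Return every documented escalation condition this instruction triggers."""
    checks = [
        (ins.amount_gbp >= VALUE_THRESHOLD_GBP, "value at or above threshold"),
        (ins.new_bank_details, "new bank details"),
        (ins.changes_access_rights, "change to access rights"),
        (ins.jurisdiction in HIGH_RISK_JURISDICTIONS, "high-risk jurisdiction"),
        (ins.outside_normal_pattern, "outside normal pattern"),
    ]
    return [reason for hit, reason in checks if hit]

def decide(ins: Instruction, callback_dialled: Optional[str],
           approver: Optional[str], audit_log: list) -> str:
    """Approve escalated instructions only after callback and four-eye checks pass."""
    reasons = escalation_reasons(ins)
    on_record = CONTACTS_ON_RECORD.get(ins.counterparty_id)
    if not reasons:
        outcome = "APPROVE"
    elif on_record is None or callback_dialled != on_record:
        # A number taken from the instruction itself never satisfies this check.
        outcome = "HOLD: callback to on-record number required"
    elif approver is None or approver == ins.requested_by:
        outcome = "HOLD: independent second approver required"
    else:
        outcome = "APPROVE"
    # Record the decision and its reasons so there is an audit trail.
    audit_log.append({"counterparty": ins.counterparty_id, "reasons": reasons,
                      "approver": approver, "outcome": outcome})
    return outcome
```

Because `decide` compares the dialled number against the stored record only, a convincing message that supplies its own "verification" number cannot move an escalated instruction past the hold.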
Fraud controls should not only exist on paper. They need to be tested in practice.
Access procedures, onboarding processes and high-risk approval routes should be included within regular testing activity, including external penetration testing where appropriate. This helps organisations understand whether systems and processes can be exploited, whether controls operate as intended and whether weaknesses exist across the wider control environment.
Testing should also consider how controls work across connected systems and third-party relationships. AI-enabled fraud may not always target the main organisation directly. It may begin with a supplier, customer, outsourced provider or compromised third-party account.
By testing access procedures and control effectiveness regularly, businesses can identify vulnerabilities before criminals do.
Desktop exercises are a valuable way to test whether an organisation’s incident response arrangements are fit for purpose. They allow teams to work through realistic scenarios in a controlled environment and identify gaps before a live incident occurs.
AI-enabled fraud scenarios should now be included within these exercises. This could include a deepfake executive instruction, a compromised supplier account, a fraudulent payment change request, an AI-generated phishing campaign or a customer account takeover involving manipulated identity information.
The value of a desktop exercise lies not only in the scenario itself, but in what the organisation learns from it. Gaps should be recorded and mitigated promptly. Lessons learned should be elevated into business-as-usual activity, and relevant policies, procedures and training materials should be updated accordingly.
This helps organisations move from theoretical readiness to practical resilience.
Technology and controls are essential, but staff awareness remains critical. AI-enabled fraud is designed to exploit human decision-making, especially where people are under pressure, dealing with urgent requests or trying to provide good service.
Training should help staff understand how fraud tactics are evolving and what this means for their role. This includes recognising suspicious instructions, challenging unusual requests, following callback procedures, escalating concerns and avoiding reliance on appearance, tone or familiarity alone.
Phishing training remains important, but organisations should also consider wider social engineering scenarios. Staff may need to understand how AI can be used to imitate writing styles, voices, images or video, and why a request that looks or sounds credible may still require verification.
Training should be practical, relevant and repeated regularly. The aim is to build confidence, not fear, so that staff know when to pause, check and escalate.
AI-enabled fraud should be reflected in the organisation’s wider governance framework. This includes the fraud risk assessment, risk appetite statement, risk compendium and incident response arrangements.
A risk appetite statement should provide a clear, threshold-based escalation path. It should help staff and management understand what level of risk is acceptable, what requires further review and where decisions need to be escalated.
The risk compendium should also be kept current and should include AI-related fraud risks. Ownership should be clearly defined so that there is accountability for monitoring, mitigating and reporting these risks.
Without clear ownership, AI-enabled fraud can fall between teams. It may be seen as a fraud issue, a cyber issue, a technology issue, a data protection issue or an operational resilience issue. In reality, it may involve all of these areas. Strong governance helps ensure that the organisation has a joined-up response.
A fraud risk assessment is one of the most effective ways to understand where an organisation may be vulnerable. It helps identify the threats the business faces, the controls already in place, and the areas where further mitigation may be needed.
For AI-enabled fraud, this assessment should consider internal and external risks. It should look at customer journeys, supplier processes, payment controls, access management, third-party dependencies, staff training, incident response and governance arrangements.
It should also consider how criminals may adapt existing fraud methods using AI. The focus should not only be on new technology, but on how AI can make familiar fraud types more convincing and scalable.
Proactive planning helps organisations move beyond reacting to individual incidents. It allows them to identify vulnerabilities, prioritise investment and build a more resilient fraud control environment.
At AJC, we help organisations anticipate, prevent and respond to evolving fraud threats.
Our Fraud Risk Consultancy team supports businesses with fraud risk assessments, fraud risk strategy, governance frameworks, risk appetite statements, policies, procedures, training and remediation activity. We work with organisations to identify where they are most vulnerable, assess the effectiveness of existing controls and provide practical recommendations proportionate to their risk profile and business needs.
We can also support organisations with fraud awareness training, phishing training and scenario-based desktop exercises. These exercises can be used to test how teams would respond to AI-enabled fraud scenarios, including impersonation, compromised accounts, fraudulent payment instructions, account amendments or data disclosure attempts.
As fraud tactics become more sophisticated, organisations need confidence that their people, processes and controls are ready. AJC provides practical, clear and proportionate support to help businesses strengthen fraud prevention, improve governance and build resilience against emerging threats.
AI-enabled fraud does not remove the need for traditional fraud controls. It makes them more important.
Businesses should not wait for an incident before reviewing their exposure. Strong authentication, clear callback procedures, risk-based access controls, defined escalation routes, regular testing, staff training and up-to-date governance all play an important role in reducing the risk.
Fraudsters are already using technology to move faster and appear more credible. Organisations need to respond with the same level of preparation, discipline and proactive planning.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
UK Finance. Fraud remains a national security threat as criminals steal almost £1.3 billion. Available at: https://www.ukfinance.org.uk/news-and-insight/press-release/fraud-report-2026-press-release
Cifas. Fraudscape 2026. Available at: https://www.fraudscape.co.uk/
Cifas. Fraudscape 2026: Fraud cases hit record highs as criminals adapt and scale. Available at: https://www.cifas.org.uk/newsroom/fraudscape2026
Signicat. 42.5% of fraud attempts are now AI-driven: Financial institutions rushing to strengthen defences. Available at: https://www.signicat.com/press-releases/42-5-of-fraud-attempts-are-now-ai-driven-financial-institutions-rushing-to-strengthen-defences
A Jolly Consulting. Fraud Risk Management. Available at: https://www.ajollyconsulting.co.uk/services/fraud-risk-management/
A Jolly Consulting. Fraud Risk Assessments. Available at: https://www.ajollyconsulting.co.uk/services/fraud-risk-assessments/
A Jolly Consulting. Fraud Risk Governance, Strategy & Operational Resilience. Available at: https://www.ajollyconsulting.co.uk/services/fraud-risk-governance-strategy-operational-resilience/