Why Strong Authentication Alone Can't Stop Fraud


Why Strong Authentication Alone Isn’t Enough to Stop Fraud

Banks are deploying passkeys, biometric logins, and mobile authentication apps at full speed. PSD2 in Europe forces strong customer authentication (SCA) for most online transactions. In the US, CFPB pressure and consumer expectations are pushing banks toward passwordless security too. And it’s working: brute-force account breaches are down. Login credentials are harder to steal than ever.

But fraud hasn’t disappeared. It’s shifted. Criminals aren’t breaking into accounts anymore. They’re breaking into customers’ trust — and walking them through Authorized Push Payment (APP) fraud, step by step.

When Authentication Gets Stronger, Fraud Gets Smarter

Before, fraud was about technical breaches — guessing passwords, exploiting weak 2FA, stealing card numbers.
Now, direct breaches are rare. In Sweden, BankID, one of the most secure authentication systems globally, covers over 97% of the adult population. Yet reported scam cases using BankID rose by over 70% in 2023.

In the UK, total fraud losses hit £1.17 billion in 2023. Forty percent came from APP fraud: scams where users themselves approve the transfers.

Fraudsters didn’t break security systems. They convinced users to bypass them willingly.

Authentication stopped external attackers.
It didn’t stop human manipulation.

How Fraudsters Bypass Strong Security

Impersonation and Authority Scams

Fraudsters call posing as your bank’s fraud team, police officers, or even national tax authorities. They sound convincing. They know details about you — from breaches or social media — and spoof phone numbers to look legitimate.

In the U.S., Zelle scams use this tactic. Victims get a call warning of “account fraud.” They're instructed to transfer money "back to themselves" via Zelle to reverse it. But the destination account belongs to the fraudster.

The process is fully authenticated. The transfer is approved. The money is gone.

Misuse of Strong Credentials

In Sweden, BankID scams show how strong authentication can be weaponized against users. Victims are told to “verify identity” with their app. They enter PINs and scan fingerprints, not realizing they're authorizing logins or transfers the scammer controls.

Elderly customers, in particular, are tricked into reading out one-time security codes, assuming they’re confirming something harmless like tax refunds. Instead, they’re authorizing full account access.

Exploiting Knowledge Gaps

Fraudsters rely on the fact that many customers don’t know basic security policies.

  • They don’t realize real banks never ask for full passcodes or urgent transfers over the phone.

  • They believe urgency — "you’ll lose your savings if you don’t act now" — signals legitimacy.

  • They trust caller IDs, not realizing spoofing is trivial today.

Banks' authentication systems validate identity.
They don't validate the legitimacy of the situation.

Real-World Proof It’s Happening

Sweden’s BankID Crisis

In 2023, Sweden’s National Fraud Center reported the largest spike ever in phone-based scams exploiting BankID. Losses totaled billions of SEK. Criminals guide victims to authorize sessions on their own secure apps, tricking them into “protecting” their accounts while actually emptying them.

Sweden is a digital leader — almost cashless, almost universal smartphone adoption. And still, social engineering broke through strong authentication.

US Zelle Scam Epidemic

From January to June 2024, 41,000 cases of Zelle, Venmo, and PayPal-related scams were reported in the U.S., totaling $171 million in losses.
Most cases involved victims voluntarily transferring money after authentication, not unauthorized break-ins.

Banks’ security measures were intact. Customer decisions — under pressure — were the new weak point.

Why Authentication Alone Fails

Authentication verifies the who.
It doesn’t verify the why.

When a customer is socially engineered, all security checks are passed.
The intent behind the transaction is corrupted.
And banking systems aren’t built to read context — unless additional layers are added.

Strong authentication solved the old problem.
It left the new one wide open.

What Banks Must Add

Behavioral Analytics

Behavioral monitoring detects when something feels wrong — even if credentials are perfect.
Changes in typing speed, navigation patterns, transaction behavior — subtle signs show when a customer is under manipulation or stress.

Example: a user who usually flies through banking tasks suddenly hesitates, switches screens, pastes account numbers instead of typing them. These can trigger silent alarms without affecting the customer experience unless a risk is detected.

Real-Time Transaction Monitoring

Authentication says "this user is legitimate."
Monitoring says "this transaction isn’t normal."

First-time payees, large amounts, odd hours, new devices — all raise the risk score.
Banks can insert friction: extra warnings, delays, secondary verification.
Or automatically hold the transaction pending review.

A $100 grocery payment clears instantly.
A $10,000 “safe account transfer” at 2 a.m.? It waits.

Friction as Protection

Instant payments aren’t always a feature. For fraud victims, they’re fatal.

Banks can offer deliberate slowdowns:

  • 24-hour holds on large transfers

  • Cooling-off periods for new beneficiaries

  • Second confirmation calls for high-risk actions

In Sweden, banks implementing voluntary 24-hour withdrawal delays saw a drop in high-value scam payouts.

Friction saves money.
Friction saves customers.
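
The risk signals from the monitoring section and the holds listed above can be combined into one decision step. The sketch below is an added example, not Enlace's or any bank's code; the weights, thresholds, field names and the 5,000 "large amount" cut-off are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative assumptions, not values from the article or any bank's rule set.
LARGE_AMOUNT = 5_000                 # amount treated as "large"
COOLING_OFF = timedelta(hours=24)    # cooling-off period for new beneficiaries
NIGHT_HOURS = range(0, 6)            # local hours treated as "odd"
WARN_AT, HOLD_AT = 30, 60            # score thresholds for each friction tier

@dataclass
class Payment:
    amount: float
    when: datetime
    payee_added_at: Optional[datetime]  # None: payee created in this session
    device_known: bool
    pasted_account_number: bool         # behavioural signal (paste vs. typing)

def risk_signals(p: Payment) -> dict:
    """Return each triggered signal with its (assumed) weight."""
    s = {}
    if p.payee_added_at is None or p.when - p.payee_added_at < COOLING_OFF:
        s["new_payee"] = 30
    if p.amount >= LARGE_AMOUNT:
        s["large_amount"] = 30
    if p.when.hour in NIGHT_HOURS:
        s["odd_hour"] = 15
    if not p.device_known:
        s["new_device"] = 15
    if p.pasted_account_number:
        s["pasted_account"] = 10
    return s

def decide(p: Payment):
    """Map the score to (action, release_time, reasons)."""
    signals = risk_signals(p)
    score = sum(signals.values())
    reasons = sorted(signals)
    if score >= HOLD_AT:
        return "hold", p.when + COOLING_OFF, reasons   # held pending review
    if score >= WARN_AT:
        return "warn", None, reasons                   # show in-app scam warning
    return "allow", None, reasons

# Constructed sample payments mirroring the article's two cases.
grocery = Payment(100, datetime(2025, 3, 4, 14, 30), datetime(2024, 1, 10), True, False)
safe_account = Payment(10_000, datetime(2025, 3, 5, 2, 0), None, True, True)
print(decide(grocery))
print(decide(safe_account))
```

Returning the triggered signal names alongside the action lets the app pick a warning that matches the situation and gives the review team the reason for each hold.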

Smarter Customer Education

Scam awareness needs to be everywhere, not buried on help pages.

Contextual warnings inside apps (“Is someone asking you to transfer urgently? Stop and call us”) are proven to break scammer control in the final seconds.

Push security training consistently: login banners, transaction warnings, post-transaction notices.
Repetition beats assumptions.

Rethink What Real Security Means

Passkeys. Biometrics. Mobile authentication.
They’re critical foundations.
But today’s fraud isn’t breaking technical systems — it’s breaking trust.

Protecting customers now means protecting decisions.
Layered security — behavioral analytics, transaction monitoring, education, friction — turns strong authentication into real defense.

Fraudsters aren’t hacking systems anymore.
They’re hacking people.
And people need layered protection, not just better passwords.

Learn how Enlace can help banks stay ahead

At Enlace, we believe real security goes beyond login screens. Our Security+ platform integrates behavioral analytics, real-time transaction monitoring, and contextual friction to detect and block scams — even when customers are under pressure.

We help banks protect not just accounts, but intent.
Learn how we can help you close the human gap before it becomes the next fraud loss.

Contact us to learn more.



The insights in this post are based on industry research, conversations with Australian banks and fraud prevention experts, as well as our own experience. The content is for general information only and not intended as legal, financial, or technical advice. While Enlace strives for accuracy, the information may not reflect the latest developments.

TL;DR - Quick Summary

  • Regulations like PSD2 and US guidelines have pushed banks toward passkeys, biometrics, and mobile authentication.

  • Fraudsters now bypass strong security by socially engineering customers, leading to record-high losses from authorized payment fraud (e.g., BankID and Zelle scams).

  • Behavioral analytics, real-time transaction monitoring, contextual friction, and smarter in-app education are critical to close the new human gap.

  • Banks must rethink security beyond logins — protecting customer decisions, not just credentials, to truly stop modern fraud.

Published on

Apr 28, 2025

Ready to protect what matters?

Give your customers secure, seamless banking — with fraud protection that just works.
