The trend that continues to worry me is the speed of innovation and collaboration of the attackers. As fraud fighters, it is more important than ever before to share what we are seeing, pass along our lessons learned, stay on the front lines of fraud threat intelligence, and lean into data consortium models for herd immunity: an attack on one protects all.
I am now releasing this free quarterly fraud intelligence report to help my fellow fraud fighters and industry professionals stay aware of the ever-evolving threats we face. I spend hundreds of hours a quarter diving into the deepest corners of the dark web, infiltrating rings, and monitoring threat actors to understand the new exploits they are proposing, working on, and deploying against the industry.
The most common theme this quarter: the people attacking your institution are no longer advanced cybersecurity black hats, engineers, or skilled fraudsters. They are a new generation of threat actors who combine the lack of extradition treaties with AI and rent-a-fraud-tool providers to attack financial institutions and businesses with little to no recourse.
Camera-injection kits that defeat document checks now sell for the price of a movie streaming plan. Banking trojans are custom built to silence a specific bank's fraud prevention alerts before the money moves. And two thirds of the flagship "fraud AI" models you hear about across the industry have been flipped into scams aimed at the people trying to research or stop them.
Nothing in this report is a forecast. All twelve vectors are active techniques we tracked from early dark-web chatter into active or scaling attacks over the last quarter. Some will have already hit your queue this quarter, and you probably will never know. Others are going to hit your system in the coming months, following the traditional path of least friction. Every one of them is cheaper, exponentially faster, and far more advanced than the version you defended against last year.
An attack on one protects all.
Advanced threats and fraud attack vectors can and do hide from one financial institution, lender, dealership, merchant, or business. They cannot hide from a shared knowledge network like the lenders on Point Predictive's data consortium, where an attack on one triggers the fraud immune response that protects everyone. Once they attack one, the network learns, adapts, and builds up that herd immunity, improving detection and prevention with each subsequent attack, just like your immune system.
Every attack vector in this report survives by staying nearly invisible to any single institution or business, making these exploits extremely difficult to detect without shared networks and consortium models. A seasoned synthetic looks prime in one portfolio. Put that same file in front of the full network of lenders, and the community of enhanced data sharing pierces the technology to show its true risk.
As you read, ask yourself whether you would be able to detect or stop them in your own systems and controls.
Industry collaboration, knowledge sharing, and shared data networks are more critical than ever before, and we are always happy to help, provide guidance, or Point Predictive's data consortium models are leading the way for lenders across the industry.
Matt Vega
Chief Fraud Strategist · Point Predictive
How to use this report
Reading this quarter's briefing
Think of this report as an industry-wide fraud reconnaissance and intelligence briefing. Each quarter we identify the tactics and techniques that are new, going live, or evolving into major threats. To make the list, a fraud tactic, technique, or technology must be real (not theoretical), verified as active with significant impact risk, and able to either scale the industry's financial loss exposure or pierce traditional fraud controls.
01
What is it
How the attack works, who runs it, and what changed this quarter to put it on the board.
02
Why it's on our radar
The blind spot it exploits. This is the part to pressure-test against your own stack.
03
Signals to watch
Concrete signals your team can hunt for now, plus who is being targeted.
Trends from Q2 2026
The twelve vectors
Twelve attack vectors, three themes. Tap any one to jump straight to it.
Rokarolla: the trojan built to silence your fraud team's alerts
Plenty of malware steals credentials. This one also blocks the phone call your fraud team makes to warn the victim.
Key targetsALL credit unions, banks, fintechs, and exchanges with a mobile banking app.
What is it
First disclosed by Zimperium zLabs in June, Rokarolla is an Android banking trojan hitting more than 200 banking, credit union, and fintech apps with roughly 137 remote commands. It steals credentials and intercepts SMS and OTP codes, and then it goes further.
It can disable Google Play Protect. It rewrites the clipboard to swap in attacker wallet addresses, so the victim copies one address and pastes another. It blocks incoming calls, including the call from your fraud team about suspicious activity. Worst of all, it mutes the device to suppress fraud-alert outreach entirely.
Why it's on our radar
Most mobile malware stops at credential theft. Rokarolla targets the response. By muting the phone and blocking calls and alerts, it removes the victim's, and the institution's, last line of defense during the cash-out.
It blocks the call about the fraud
Rokarolla mutes the device, intercepts the one-time passcodes, and blocks the incoming call from your fraud team. The victim's last line of defense goes quiet exactly when the cash-out runs.
0banking, credit union, and fintech apps in its target list
0remote commands available to the operator
Signals to watch
4
On-device transaction origin paired with fresh accessibility permission grants
OTP-authenticated transfers the customer or member says they never saw
Clipboard-swapped payees: the copied address is not the pasted one
Customers unreachable by phone or message during active high-risk events
Seeing this in your portfolio?
02/12
Trend 02 · Credit & Lending · AI Credit Washing
AI-industrialized credit washing & #CreditHacks
The borrowers are real and the files look clean, because the manipulation is temporary and nearly invisible without the right tools.
Key targetsCredit unions, auto lenders, dealers, and nearly all indirect lenders.
What is it
Credit washing, where consumers file false credit disputes to strip legitimate negatives just long enough to qualify, is now automated. AI models mass-produce FCRA dispute letters and fabricated supporting documents, while how-to recruitment spreads openly on social media under tags like #CreditHacks.
Point Predictive's credit washing alert rate surged 5x from 2019 to a 2024 peak of 1.7% of all auto applications, and 2025 held at 1.54%, still nearly five times pre-2022 levels. And because AI-built false documentation is so effective and so easy to get, the washing often becomes permanent. Records are being wiped clean.
Why it's on our radar
It isn't identity theft, and there is no stolen SSN. The borrower is genuine and the file passes the moment-in-time decision, because a single application review can't see the negatives that were washed away. With AI supercharging it, this is scaling fast against FICO and credit-report based decisioning.
Signals to watch
4
Recently "cured" files with a burst of removed derogatories
High-volume disputes with templated, near-identical wording
Scores that jumped sharply just before application or within one report cycle
Credit-file-only decisions made without consortium data to validate across a network
Seeing this in your portfolio?
The credit washing alert rate
Share of auto applications with credit-washing alerts, by year. The rate surged 5x from 2019 to its 2024 peak of 1.7% and held at 1.54% in 2025, still nearly five times pre-2022 levels. Point Predictive consortium data.
0surge in the credit washing alert rate from 2019 to its 2024 peak of 1.7% of all auto applications
“
It's hard for credit unions and lenders to counterattack credit washing because it's being driven ever higher by credit repair gurus touting new ways to use AI to erase bad debt.
Frank McKennaCo-Founder, Point Predictive
03
03/12
Trend 03 · Credit & Lending · Synthetic Identity
Seasoned synthetics out-score real borrowers at scale
The problem is no longer a weak score or a thin profile. It's a high-score, full file that tricks models and underwriters into approving.
Key targetsCredit unions and auto lenders, especially programs advertising deferred first payments, which buy the ring extra time.
What is it
AI-assisted identity farms are growing synthetic profiles for 6 to 18 months: secured cards, micro-tradelines, automated on-time payments (usually loans paying loans), even credit-building tools like reported debit cards. By the time the profile applies, it presents as a prime or super-prime borrower.
Recent auto-finance reporting in 2026 notes that well-aged synthetics now score better than real borrowers with thin files, because the model rewards the exact behavior the scheme was built to manufacture. Rings run these in volume and trigger coordinated bust-outs across lenders in the same time windows for maximum payout.
Why it's on our radar
These don't trip the normal higher-risk filters. They sail through as prime. The loss appears months later, after a borrower who never existed simply disappears. And with many credit unions now advertising deferred first payments, which buy the ring even more time, they are a bigger target than ever.
0–6
Months 0–6 · Plant
The identity opens secured cards and micro-tradelines. Small, quiet, unremarkable.
6–12
Months 6–12 · Grow
Automated on-time payments, often loans paying loans, plus reported debit cards pad the file.
12–18
Months 12–18 · Season
The profile now presents as prime or super-prime, out-scoring real thin-file borrowers.
!
Bust-out
Coordinated applications hit multiple lenders in the same window. The “borrower” vanishes.
“
Credit unions built deferred first payments and skip-a-pay options to serve members. These rings studied that generosity and have exploited it. When the file looks prime and the first payment isn't due for 90 days, your window to catch a synthetic closes before it ever opens.
Jen LamontCredit Union Fraud Consultant
6–18months of patient file-building before the profile ever applies
Primehow the file reads on paper the day the ring finally strikes
Signals to watch
5
Thin-but-pristine files with disproportionately high scores
Shared device, address, phone, or employer across applicants
Multiple lender inquiries inside a tight window
First-payment or very-early defaults appearing in clusters
Scores that look unusually high for the credit history and lifestyle behind them
Seeing this in your portfolio?
04/12
Trend 04 · Credit & Lending · Defender-Side AI
Data poisoning aimed at your in-house fraud models
It produces no alert. Just a fraud type that quietly stops showing up in your model's high-risk output, until it is too late.
Key targetsFintechs, banks, credit unions, and merchants with in-house, self-retraining models.
No alert firesThe damage reads as ordinary "model decay," while a chosen fraud pattern fades from your high-risk output and losses keep coming.
What is it
Attackers are going after in-house machine learning models. Rather than evading a model, they corrupt what it learns from, which is far easier against lower-volume in-house models. By feeding carefully built, legitimate-looking activity into feedback loops, or contaminating shared and third-party enrichment signals, they nudge a model into normalizing a fraud pattern from the inside.
We are watching growing dark web activity aimed at auto-retraining pipelines as long-term projects. Their own words: "hit them when the pot is full."
Why it's on our radar
There is no dramatic attack event to catch. The damage surfaces as slowly rising false negatives and score drift, symptoms that fraud teams often blame on model decay rather than an adversary. And the dark web is scaling it.
Signals to watch
4
Unexplained drift in score distributions over time
A known fraud typology fading from output while losses continue
Anomalies in label, feedback, and retraining sources
Performance shifts right after ingesting a new external feed or enrichment source
Seeing this in your portfolio?
No alert, just drift
Poisoned feedback seeps into retraining. No alert fires; the model just scores one chosen fraud pattern lower and lower until it reads clean. Their own words: "hit them when the pot is full."
05
05/12
Trend 05 · Credit & Lending · AI Impersonation
Phantom dealers & AI-cloned lender sites
A polished website used to be a good sign. Now it's a reason to look closer, because AI can clone any site in minutes.
Key targetsAll lenders, auto dealer networks, and indirect auto programs.
What is it
Fraud rings are standing up AI-cloned auto dealership sites, lender websites, and phantom-dealer fronts to divert loan proceeds, harvest applicant PII, or push fabricated deals into real lenders. The clones are getting so common that as one is taken down, five more appear.
Why it's on our radar
These sites are extremely hard to spot with an untrained eye. They can be built in minutes and copy any website. Right now there are no tools or techniques a dealer or lender can use to stop their site from being cloned, and many don't have the knowledge or tools to act once it happens.
5×for every cloned site taken down, roughly five more are created
The clone factory
How a phantom dealer is born: an AI model reads the real site and rebuilds it in minutes on a lookalike domain.
Takedowns can't keep up with the clones
Fraudulent dealer domains tracked by the Point Predictive Fraud Task Force.
The scam is growing, not fading
BBB dealer-impersonation reports per half year. Dollars lost: $522K in 2023, $1.65M in 2024, $1.94M in 2025, and $810K already in early 2026.
Signals to watch
4
Newly registered domains mirroring a real dealer's branding
Dealers with no verifiable footprint or licensing
Sudden volume spikes from a brand-new dealer source
Photos that look generated rather than authentic
Seeing this in your portfolio?
Point Predictive Fraud Task Force
We are taking action
Point Predictive is proud to announce the launch of our new Fraud Task Force, dedicated to helping the industry find and take down fraudulent and AI-cloned websites. The Task Force has already identified more than 500 fraudulent dealer sites and started forcing them offline.
Forcing the fakes offline
The Fraud Task Force finds fraudulent and AI-cloned websites and forces them offline, one takedown at a time.
0fraudulent dealer websites already identified and in takedown by the Fraud Task Force
Takedowns remove the storefront the ring depends on. Every site forced offline is one less trap for borrowers, dealers, and lenders.
Theme 02 of 03
AI-Enabled Attack Trends
Generative and agentic AI are being turned on the controls themselves: onboarding checks, callback verification, and the fraud fighters doing the research.
Deepfakes didn't get better this quarter. They stopped needing to, because a $30 subscription now skips the camera entirely.
Key targetsBanks, credit unions, fintechs, and lenders with digital account opening or remote loan applications.
What is it
Fraudsters are bypassing the camera outright rather than spoofing it. Using camera drivers and direct API tampering, they inject a pre-rendered deepfake stream straight into the verification pipeline. The "blink, turn your head" liveness prompts are performed on cue by synthetic footage.
An April 2026 MIT Technology Review investigation documented 22 Telegram channels openly selling camera injectors, deepfake generators, and Android hooking frameworks. The dark web is now flooded with injection kits built for onboarding flows, made to defeat major bank and exchange controls.
Why it's on our radar
Most deepfake coverage fixates on the face, or on spotting a virtual camera. The real change is hardware industrialization. Injection is now a cheap, supported product. And it defeats passive liveness because no physical sensor is ever involved, even though one shows as active.
A $30 injection kit feeds a pre-rendered deepfake straight into the verification pipeline. The camera never turns on, and the liveness prompts are performed on cue by the footage.
“
This is especially alarming for dealer groups. The fraudsters are skipping distorting reality with deepfakes to now just creating a new reality using a subscription.
Scott EllefsonFraud Consulting Manager
Signals to watch
4
Liveness sessions with no camera or device-integrity attestation
Repeated "camera error, restart" loops during capture
Emulator or virtual-camera driver signatures while the integrated camera reads as active
A clean, compliant video KYC that still ends in early payment default or fraud
Seeing this in your portfolio?
07
07/12
Trend 07 · Scams & Social Engineering · BEC / Business
AI-forged email threads are defeating the callback
"Call to confirm" is the control many still recommend for the highest-risk rails, like wires. It is now easy to defeat.
Key targetsCredit unions, FinTechs, AP/AR teams, and vendor payment workflows.
What is it
Vendor-impersonation and BEC attacks now use generative AI at scale to fabricate entire email threads, complete with matching cloned-voice callbacks. When the "verify by phone" step lands on an attacker, the supplied number is answered by a high-quality AI voice with no human on the line at all.
Credit union and small-business advisories through 2026 keep warning that human-callback and email-confirmation checks are losing ground against this vector. With dark web LLMs and open-source models freely available, this is now a live problem, not a forecast.
Why it's on our radar
The recommended defense is being weaponized. A payment-change request can arrive with a flawless thread history and a convincing voice on the callback, and both can be machine-generated.
Both halves are machine-made
The payment-change email arrives with months of thread history attached, all of it fabricated. Call the number it supplies and a cloned AI voice confirms everything. Verify with a number you already have on file.
The threadfabricated end to end by generative AI, with months of fake history
The voicea cloned AI voice answers the attacker-supplied callback number
Signals to watch
4
Any bank-detail or payment-instruction change, however polished
Payee changes verified only through contact info supplied in the request itself
Out-of-band mismatches: the number you know vs. the number they gave you
A first large ACH or wire to a newly added vendor
Seeing this in your portfolio?
08/12
Trend 08 · AI Attack Vector · Scamming Fraud Fighters
Using fraud research to scam fraud fighters
You have read the articles about FraudGPT, XXXGPT, and WormGPT, the AI models built for fraud. One problem: two of the three are now scams, stealing money from the fraud fighters trying to research them.
Key targetsFraud fighters and security teams researching the tools being used against them.
What is it
You have likely read about the AI models custom-built without guardrails to help fraudsters and scammers, the famous ones being FraudGPT, XXXGPT, and WormGPT. Those articles lead fraud fighters and security teams to try the tools out, to learn how to stop them. The problem: they have been converted into scams that target you.
There are now over 1,000 websites, on the open web and the dark web, claiming to be these AI models. Pay for access and nothing happens. A whole industry has grown around one idea: use the popularity of fraud-tool research to steal from the researchers. The fake fronts even borrow the real tools' names for their web addresses.
Why it's on our radar
If you want hands-on access to fraud and scam tools so you can defend against them, be careful. Fraud fighters and security researchers are losing their own money to fraud while trying to reach a tool used to commit fraud. Every open-web site claiming to be one of these models is fake, and most are scams. Two of the three models have not been operational for the past year, and the third is hard to reach unless you know the dark web well.
Signals to watch
3
ALL open-web sites claiming to be these models are 100% fake, and most are scams
Two of the models have been dark for the last year; all three were always dark-web exclusive
Known fake fronts trade on the real tools' names, right down to the domain
Seeing this in your portfolio?
The flagship "fraud AI" models
Source: Point Predictive threat research, Q2 2026
The storefronts, as captured
Pricing pages from the two fake fronts, captured live in July 2026. Polished tiers, feature checklists, Buy Now buttons. Pay for access and nothing happens.
Scam site
Scam site
Captured from two live fake fronts. Both sites impersonate the real dark-web tools to take researchers' money. Domains withheld.
Theme 03 of 03
Malware, ATOs & Payments
Mobile and session malware built to do more than steal. It hides inside trusted devices and shuts down the response.
Attackers found a use for your annoyance. They flood you with the same email until you reach for the unsubscribe link, and that link is the attack.
Key targetsAnyone whose email address appears on a dark web list, which is more than 95% of all emails globally.
0copies of the same "marketing" email in a single day before you crack
What is it
First detected by Point Predictive in June 2026. Criminals use AI to build high-quality clones of real company email campaigns, then spam you with them many times a day from a lookalike address. The links are safe. Real products, real sales, real promotions. Click a product image and you land on the real website. Nothing bad happens.
Then, after the 21st identical marketing email that day, you click unsubscribe. That link carries a hidden malware redirect that drops a keylogger onto your device, capturing everything you type: passwords, credit cards, addresses, banking details.
Why it's on our radar
It rides on legitimate campaigns and real URLs, and it uses annoyance as the method. Irritated people forget to check the unsubscribe link. That combination is giving this attack the highest success rate we have seen in years, because it hides in plain sight.
0of all email addresses globally sit on a dark web list, the targeting pool
Signals to watch
3
A rapid or daily jump in marketing volume from a brand that rarely emails you
Legitimate-looking campaigns from addresses that do not match past marketing
Copy the unsubscribe URL before clicking: a random string like dj29dj3m9d3hbg.net is the tell
Seeing this in your portfolio?
The bait is the exit
Every product link in the barrage is real and safe. Only unsubscribe is armed, and the random-string domain behind it is the tell. With more than 95% of email addresses on dark web lists, nearly everyone is in the pool.
10
10/12
Trend 10 · Cyber-Fraud · Evasion
TrickMo turns victim phones into "clean" exit nodes
Same real device, same IP, same city. Every signal your models trust checks out, and a fraudster is behind all of it.
Key targetsBanks, credit unions, lenders, e-commerce, and exchanges that lean on device or IP as a key trust signal.
What is it
A TrickMo variant, first tracked by ThreatFabric and sold as malware-as-a-service, re-engineers a banking trojan into a managed foothold. A built-in SOCKS5 proxy turns the infected phone into a network exit node.
That gives the fraudster the ability to route their own session through the victim's actual device and IP address. IP-reputation and geolocation signals come back clean. In plain terms: the fraudster's activity flows through the account holder's real phone, and your system reads it as safe.
Why it's on our radar
This attacks the fraud-detection layer itself. The transaction originates from the customer's trusted device, network, and geography, which is exactly what many models, rules, and risk scores use to lower the risk on a login and its activity.
Trusted devicethe session really does come from the victim's own phone
Trusted IPhome network and home city, all green across your risk signals
Every trust signal comes back green
TrickMo's built-in SOCKS5 proxy turns the infected phone into an exit node. The fraudster's session leaves from the victim's real device, home IP, and home city, so the signals your models trust most come back green.
“
TrickMo doesn't beat your fraud model. It dresses the fraudster in the victim's clothes. That's only visible when you're looking across a network or consortium, not inside a single portfolio.
Bill Hall, PhDChief Technology Officer & Chief of Staff
Signals to watch
4
Trusted device and IP paired with brand-new behavioral biometrics
Residential-proxy or exit-node indicators on a consumer line
"Impossible" simultaneous sessions from one identity or device
Internal-network reconnaissance coming from a consumer device
Seeing this in your portfolio?
11
11/12
Trend 11 · Cyber-Fraud · Behavioral Evasion
The Puppet Master malware that waits
This is a tricky one. The fraud operator waits and strikes mid-session, inside the real user's own genuine activity, like a puppet master.
Key targetsBanks, credit unions, and online-banking customers.
What is it
Described in Barracuda's June 2026 analysis, this banking malware does not auto-fire. Disguised as a browser or security update, it lets a human operator watch a live banking session and pick the exact moment to act: capture the session, or take over mid-stream, like a puppet master working a toy puppet.
Because the takeover happens inside the customer's own normal session, the fraud blends into their real behavioral patterns and device signals. Detection gets very hard.
Why it's on our radar
Bot and behavioral models are tuned for machine-speed or out-of-pattern actions. A human striking mid-session from inside the real user's activity generates almost none of those tells. It looks like the victim, because in every technical sense, it is the victim's session.
It waits for the perfect moment
No auto-fire and no machine speed. A human operator watches the live session and strikes mid-stream, inside behavior that is genuinely the victim's.
Human-drivenan operator watches live and picks the moment, no machine-speed tells
Mid-sessionthe strike lands inside genuine logged-in activity, not at login
Signals to watch
4
High-value actions right after a "software / security update"
Subtle mid-session shifts in cadence or navigation behavior
Session-hijack indicators with no new-device event or signal
A legitimate login followed by out-of-character movement in the same session
Seeing this in your portfolio?
12/12
Trend 12 · Cyber-Fraud · Fraud-as-a-Service
International Ghost Tap: global remote contactless fraud
Card-present transactions in California, Texas, and New York are now being run from China, at scale.
Key targetsCard issuers, mobile wallets, and POS acquirers, with credit unions becoming the highest-prized target.
What is it
A Chinese-language fraud-as-a-service ecosystem supplying NFC-relay "Ghost Tap" malware has gone international. One single fraudster alone was found running more than 21,000 subscribers, each one a compromised card.
Victims are socially engineered into linking a card to their phone or tapping it against the device. The phone then impersonates the card and relays it in real time to a mule's device at a physical terminal, often in another country. The malware behind this has scaled 13X since it was first discussed, with coverage expected to keep growing through Q3 and Q4 2026.
Why it's on our radar
We knew this vector existed. What caught us off guard is how fast it scaled. Physical proximity no longer protects a card: transactions clear as card-present while well-funded operations in China reach tens of thousands of victim cards per attacker.
Signals to watch
4
Card-present taps with physically impossible geolocation or velocity
Contactless-MSD entry mode on an EMV-capable card
One card reused across distant terminals within minutes; impossible-travel rules matter here
Wallet provisioning immediately before a high-velocity spend burst
Seeing this in your portfolio?
Ghost Tap has scaled 13X in under a year
Indexed to the first NGate malware report, Aug 2024. One fraudster alone ran a 21,000+ compromised-card channel. Seven separate malware families hit the market between Aug 2024 and Aug 2025.
0compromised cards ("subscribers") run by a single fraudster
Looking ahead
Signals to watch in Q3
Four things we're tracking for next quarter. All four are gathering speed.
Signal 01
Trusted-agent spoofing
Impersonation of legitimate AI crawlers and shopping agents. Spoofed agent identities are already generating millions of requests against major platforms.
Signal 02
Off-hours instant-payment raids
FedNow and RTP attacks timed to nights and weekends, when staffing is thin and the reversal window is effectively zero.
Signal 03
Deepfake job candidates
Synthetic applicants, including state-linked IT-worker infiltration, are now passing video interviews to gain insider access to systems and data like source code and PII.
Signal 04
Gamified mule rings
AI-built apps that gamify the recruitment of payment mules, surfacing as clusters of short-lived accounts, are on the rise.
How Point Predictive helps
Seeing the fraud no single institution can
Every vector in this report succeeds only while it stays invisible to any one institution. A consortium of 650+ lenders sees the linked identities, repeat devices, and coordinated rings that no single portfolio can.