
Financial crime rarely starts as just one thing. The chain that connects a cyber intrusion to a money laundering investigation is longer, faster, and more deliberate than most institutions have been built to see.
Picture a single criminal campaign. It begins with a phishing email that harvests credentials, advances through an account takeover, triggers a series of fraudulent transactions, and ends with funds dispersed across mule networks, each leg of the journey triggering a different team inside your institution, if it triggers anything at all.
This is not a hypothetical. It is the operational playbook of organised financial crime in 2026. Yet many institutions still treat each step as a separate problem, handled by separate teams, in separate systems.
If credential-based attack chains were the whole story, the solution would be relatively tractable: harden authentication, monitor for anomalous logins, alert on unusual payment behaviour. Difficult, but bounded.
The harder reality is that a significant and growing proportion of global losses today do not involve compromised credentials at all. Authorised push payment (APP) scams have fundamentally changed the threat model.
In an APP scam, the customer logs in from their own device, passes every authentication check, and initiates the payment themselves because they have been manipulated by an organised criminal network into believing they should. The transaction appears entirely legitimate. The customer is still a victim.
Investment scams, romance fraud, impersonation of regulators and banks, fake property transactions: the vectors are diverse, but the mechanism is consistent. Social engineering replaces technical exploitation as the primary attack surface. No stolen credential. No anomalous login. No device mismatch. Just a customer, their normal device, and a payment that destroys their financial life.
Traditional fraud controls, built to detect behavioural anomalies in accounts, are poorly suited to this. The anomaly is not in the account behaviour. It is in the customer's understanding of what they are doing.
The structural problem is not primarily technological. It is organisational. Most institutions have built their defences in the same silos that their attackers have learned to exploit.
Cybersecurity: focuses on intrusions, endpoints, and access events
Fraud monitoring: focuses on transaction anomalies and account behaviour
AML compliance: focuses on patterns of suspicious movement and reporting
Alerts generated in one domain rarely travel cleanly into another. A cybersecurity signal about credential exposure may never reach the fraud team before an account takeover occurs. A fraud case that reveals a mule network may not inform the AML typologies being monitored. The intelligence that would connect the dots exists somewhere in the institution — but it does not move fast enough, or at all.
Meanwhile, the criminal network on the other side of the transaction operates with full visibility of the entire chain. They know when the credential works. They know when the transfer clears. They know when to move on.
Across APAC, the infrastructure of payments is changing rapidly. Instant payment rails are compressing the window between authorisation and irreversibility to seconds. The fraud that once could be intercepted during overnight batch processing now must be caught before settlement, or not at all.
This creates a pressure that isolated detection systems cannot absorb. Speed of detection is necessary but not sufficient. The question is whether, in the seconds available, the institution can understand not just that a transaction looks unusual, but what chain of events produced it.
Institutions that are beginning to address this are not simply deploying faster models. They are rethinking how intelligence flows between functions. What does it mean for a fraud analyst to have real-time context about whether the customer's device was recently associated with a phishing event? What does it mean for an AML investigation to begin with full knowledge of the fraud typology that generated the suspicious activity, rather than reconstructing it months later?
The technical components (shared data infrastructure, cross-domain alerting, unified case management) are necessary. But they only deliver value when the organisational structures and escalation paths are designed to use them. Connected intelligence requires connected teams.
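A minimal sketch of the cross-domain alerting described above, added here as an illustration and not taken from the original article: each payment is enriched with recent security events for the same customer or device before a fraud analyst sees it. The field names, event types, sample records and the 72-hour lookback are all assumptions.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=72)  # assumed window; tune per institution

# Constructed sample events from security tooling (not real data).
SECURITY_EVENTS = [
    {"ts": "2026-03-02T09:14:00", "customer": "C-1001", "device": "D-77",
     "type": "phishing_click"},
    {"ts": "2026-03-02T09:20:00", "customer": "C-1001", "device": "D-91",
     "type": "new_device_login"},
    {"ts": "2026-02-20T11:00:00", "customer": "C-2002", "device": "D-12",
     "type": "credential_exposure"},
]

# Constructed sample payments as the fraud system would see them.
PAYMENTS = [
    {"ts": "2026-03-02T10:05:00", "customer": "C-1001", "device": "D-91", "amount": 4800},
    {"ts": "2026-03-02T10:30:00", "customer": "C-2002", "device": "D-12", "amount": 950},
    {"ts": "2026-03-02T11:00:00", "customer": "C-3003", "device": "D-40", "amount": 12000},
]

def _ts(value):
    return datetime.fromisoformat(value)

def enrich_payment(payment, security_events, lookback=LOOKBACK):
    """Attach security events seen for the same customer or device
    within the lookback window before the payment."""
    paid_at = _ts(payment["ts"])
    chain = [
        e for e in security_events
        if (e["customer"] == payment["customer"] or e["device"] == payment["device"])
        and timedelta(0) <= paid_at - _ts(e["ts"]) <= lookback
    ]
    chain.sort(key=lambda e: e["ts"])  # ISO timestamps sort chronologically
    return {**payment, "security_context": [e["type"] for e in chain]}

def triage(payments, security_events):
    """Enrich every payment. An empty context is not a clean bill of health:
    an APP scam produces no security signal at all."""
    return [enrich_payment(p, security_events) for p in payments]

if __name__ == "__main__":
    for p in triage(PAYMENTS, SECURITY_EVENTS):
        print(p["customer"], p["amount"], p["security_context"] or "no cross-domain signal")
```

The third payment comes back with no context, which is the APP-scam case: correlation of this kind covers the credential-based chain only, so a payment without security signals still needs its own controls.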
There is no single architecture that fits every institution. The path toward integration depends on where the gaps are most acute, which threat types are most prevalent in the specific book of business, and what the regulatory environment requires in terms of documentation and reporting. But the direction of travel is clear: the silos that made sense when threats were more predictable are now a structural liability.
If your institution is beginning to map the connections between AML, fraud, and financial crime, whether that means a technological investment, an organisational redesign, or simply understanding what a more integrated picture might look like, we would welcome the conversation.
The question is no longer just how fast we detect risk; it is how well we understand the full chain of events behind it.