Welcome to Fraudology Podcast, where we dive into the science and study of online fraud from the perspective of an e-commerce fraud fighter. I’m Karrise Hendrick. Welcome to this week’s episode of the Fraudology Podcast.
Well, today it's going to be a solo episode. I am back from all my travels and, as far as I know, will not be traveling again till August, and then after that for a family wedding. And then after that it'll be for MFA, the Merchant Fraud Alliance First Annual Conference, which is October 6th and 7th in Chicago. You're going to hear me talk about it a lot because I want as many merchants to come as possible. I don't want anyone to have FOMO. I want everyone there. And a little bit of a plug for it, ticket prices are going to go up on July 1st. Right now they're only $495 for merchants. Just as a reminder, we're not selling vendor tickets. We only have 15 sponsor companies, and those are the only vendors that will be able to attend the conference. That's to limit the ratio. We really want it to be a five-to-one ratio. Most conferences I've attended are one-to-one or less than one-to-one, like more merchants to vendors, and you can feel it. And this is really about merchants, and they want to find their peers. They want to learn about, you know, the solutions as well.
And I think we've done a good job of working with 15 companies in the industry that people want to talk to and learn from. They're kind of the best of the best in their spheres. So we have, you know, a really good chargeback company. We have a couple of great behavior biometrics and device ID companies. We have a few transaction monitoring services, just things like that. So anyway, the tickets are, for merchants, they're only $495 until July 1st. We also negotiated fairly low hotel rates for downtown Chicago. So we're doing the best we can to keep this, you know, really budget friendly. So anyway, that's my plug for the day. I am working hard on the agenda and I'm really excited about it. I'll be able to start talking about specifics soon on that. One other thing to share before I dive into some fraud news stories of the week. Speaking of MFA, not multi-factor authentication, but the Merchant Fraud Alliance. It's not at all confusing in my brain, but I also came up with the name, so I can't be too, you know, can't make fun of it too much.
But the MFA is putting on a free webinar on June 16th at 1:00 PM, and it's all about VAMP. It's all about the Visa Acquirer Monitoring Program. And it's going to be myself and Anoush, who is the head of product for VAMP. No one else knows more about VAMP than Anoush because she heads up the program. And I think the problem that people have had in the past, that merchants have shared with me about other webinars that have been done on VAMP, is that oftentimes the speakers are people that are in sales, especially for the Verifi products, the alerts. And so you can't get as much information about the specific program if you're not talking to the product, you know, people who manage the program. So I'm really excited about this.
I got together about 20 merchants about a month ago and asked them, you know, tell me every question you've ever had about VAMP. And I wrote out two pages of notes, typed, and sent those to Anoush and her team. And they went over those and they said it was really, really helpful to understand what, you know, merchants were still struggling with. And that's the outline for our webinar, is answering those questions. They'll answer all of them that they can. So I think that that is going to be a really good educational event, especially if you're on the merchant side. If you're not and you are on the acquirer side, you definitely should have done. If you're on the banking side, you might be curious, you can totally join as well. But primarily the audience is for merchants. So make sure you register.
I will do my very best to remember to put a link to the webinar in the show notes, because I do that on a different day than when I'm recording and sometimes I forget. If you look in the show notes and you don't see a link, just ping me on LinkedIn and I'll send you the information or look at my profile. I think I posted about it recently. So those are options to find it. Unpacking the Target price match gift card scam All right, let's dive into some fraud news, shall we?
There's a few, it's just kind of a potpourri of stories. I try to come up with a theme for these fraud news episodes. Or, you know, maybe there's one main article, you know, a big bust or something like that, or, you know, a new program coming out or whatever it is. But today's just going to be a potpourri of a handful of stories that I found interesting. The first one, since I already talked to merchants for the first few minutes, this next one is a merchant fraud issue that I think banks should also be aware of. But if you are working for a large retailer, especially that has gift cards or, you know, fast casual food delivery services, anyone that has gift cards, this might be a really important new scam to be aware of, even if you just sell gift cards, you know, for other companies. The title of this came from Gary Warner, who I really want to try to have on the podcast again soon. He is just, I've known him, known of him for, I don't know, the last 18 years of my career, and I've learned so much from him, whether it's just following him on LinkedIn or seeing him at conferences. So he posted about this on LinkedIn and I think it's really good to be aware of.
There's a new Target price match gift card scam, and Gary's calling it devious, and it's involving manipulated price matching at Target. So the Target price match gift card scam, basically, it's a new variant of the Chinese organized retail fraud via gift cards that Gary hadn't seen before. He says Target is doing an admirable job fighting gift card fraud. So how did they get around this? I think I know exactly how they got around it, but I'll share that in a minute. So step one is to buy a burner gift card. You use a list of elder victim gift cards delivered by WeChat to buy a high-end iPad at Target.
Two, you fake the price on a phone. So you open a locally edited copy of target.com on a device. Same item, much lower price. So it looks like it's on Target's website. And Target has a deal where if you buy something in the store that's more expensive than you can get it on their website, they'll do a price match. So you buy the expensive iPad in Target, you go to customer service, and it's very easy to do now, especially with AI. You create a locally edited HTML copy of target.com that shows the same item but a much lower price. Then you trigger the price match. You show the fake page to the customer service and claim the price match guarantee.
Step four is you walk out with a real gift card. So Target issues an activated store credit gift card for the difference. Usually it's about $400 to $550 per hit. So, you know, they may buy an iPad for $1,000. They'll show a locally edited HTML page from Target that says, actually, I could have gotten this iPad online at target.com for $500. Then the Target customer service agent gives them a $500 gift card for the difference. Step five is to ship the goods overseas. So the iPads are mailed via FedEx to a Hong Kong reshipper and then, you know, they launder the proceeds. So they use the gift cards to launder the proceeds and maybe sell the gift cards or buy again and just keep this going over and over again. There's an estimate that Target has lost over $4.6 million since 2022 on gift card fraud. That actually seems low to me. I don't know for sure, but what I do know is that, you know, we've talked about Operation Red Hook before.
Let's read his post first because he does talk a little bit about this being a variant. So he says, here's a new variant of the Chinese organized retail fraud via gift cards that I hadn't seen before. McGee Mcguy Lee of Levittown, NY, and Zhao Zhao of Flushing, NY, were arrested for their roles in gift card fraud against Target, including in Miami-Dade and Broward counties in Florida. As I mentioned before, Target is doing an admirable job fighting gift card fraud, including selling cards that don't have an activation sticker on them until it is applied at point of purchase by a Target employee. The reason they do this now, and I've talked to people that are very familiar with the situation, the reason they do this now is because of those, I think it was over a billion dollars, but it was millions of dollars of fraud through Operation Red Hook last year or the last two years, where Chinese nationals were stealing gift cards in stores by the stack, just walking out with them. Because if the cops were called, they would say, well, there's no value on these gift cards. I'm just taking some gift cards. They don't have any value on them. Well, they would take them and then very systematically they would have another group take the hidden number off for the activation code off of the card and log it in their system. And then they would have another team cover that up and make it look like it had never been tampered with and never been touched. And then another team would take those gift cards and put them in other locations. So oftentimes they would steal the gift cards, the zero-balance gift cards, on the West Coast, and then this process would happen. And then they would distribute those cards on the East Coast in different kiosks. So then again, if the cops were called, it was, well, I'm just returning these gift cards that don't have any balances on them. I'm not doing anything wrong. But unfortunately, what would happen is that unassuming consumers would buy those gift cards and put money on them. And these Chinese syndicates were continually checking the balances of these card numbers. And as soon as there was a balance on them, they would drain those cards. And so a consumer would gift a gift card to a niece or a nephew or, you know, whoever, and they would go to spend it and there would be $0 on it.
So this has been happening for a long time. The things that Target has been doing like including, you know, selling cards that don't have an activation sticker on them until it's applied at point of purchase by a Target employee, that's because of Operation Red Hook. That's them trying to stop that type of fraud. And as we know, in fraud, it's like a balloon. When you squeeze one side, the air goes to the other side, right? It doesn't just go away. So this is their new method of trying to target companies such as Target, and I imagine Walmart and Amazon and Best Buy as well. Members of the group would purchase high-end electronics and then manipulate the HTML on a Target web page to make it seem like the same item was on sale for a much lower price online. Using this manipulated web page as evidence, they would request that Target honor their price match guarantee, which would be issued in a form of a Target gift card, which was activated for the difference in purchase price. They were not editing the actual Target website, but a local version on a singular device, which they would display to a customer service rep to receive the in-store credit in the form of a gift card.
Lee received lists of gift cards to use for the initial purchases via WeChat group. Zhao admitted that she had been trained in manipulating the HTML to display the greatly discounted price. Target refers to this as PPMD fraud, post-purchase markdowns, and says that since 2022 it has cost them $4.6 million. Okay, that $4.6 is from post-purchase markdowns. Not all gift card fraud. That's why it's like, well, that seems low, but that's high for this specific type. I mean, sometimes I wonder how fraudsters have so much time to think these things up and then carry them out too, because they can be quite, you know, sometimes they can be pretty tedious. Lee used this technique to receive $37,725 in credit, while Zhao defrauded Target of at least $56,000 as recently as May 19th and May 20th of 2026. Lee is an illegal alien of Chinese nationality. He was confirmed on video attempting to enter the country via the Mexico-San Diego border crossing on September 22nd, 2023. Multiple Chinese individuals all use the same address, which could be helpful to anyone who wants to put this address in their system if they're a merchant to see if you've shipped to this address before. It's 2 Booth Lane, Levittown, NY 11756, and that's their address of record. The phone number used was 9173656788. I don't usually provide those things as PII, etcetera, but it's public. It's in the public domain. I would never, ever, ever provide an address or a phone number or anything like that if it wasn't public. Certainly not on the podcast.
The pair rented a car from Avis in Maryland and went on a fraud spree performing PPMD, which remember is post-purchase markdowns fraud, in Florida, Texas, Louisiana, Georgia, Alabama, North Carolina, South Carolina, and Virginia as examples of their success. The criminal complaint filed by Homeland Security Investigations includes an example of purchasing an $1,199 iPad and receiving a PPMD credit of $450. In another, they purchased a $799 iPad and visited another store to claim a PPMD credit of $550. So they were getting that iPad for what, $250? I mean, but customer service reps are trained to appease the customer. They're not trained to question those things. And it looked like their website, so, you know, I can't discredit them too much. It's just, wow. I'm getting an iPad for $250 would make me wonder, is this legit? Why have I not seen, like, 1,000 people waiting in line to take advantage of this deal if it's real?
Linking this crime to elder abuse and tech support scams. The gift cards used in the original purchase were purchased in several cases by elderly adults and then used the same day to make the iPad purchase. So they would have elderly adults purchase gift cards for them under whatever scam they said it was, Social Security Administration, tax fraud, whatever it was. They'd say, you need to buy gift cards and give us the numbers over the phone. They would then use those gift cards to buy the iPads. Then they would get an iPad. Then they would get money back to then do it all over again, and cyclical. As for the electronics, while under surveillance, Lee entered a FedEx store in Hollywood, FL, to mail them. They were addressed to Yang Hong Kong, Zinda Telecom Limited in Kowloon, Hong Kong. Lee listed the return address in Brooklyn, NY. So Gary got all this information from a United States District Court, Southern District of Florida criminal cover sheet and criminal complaint. So it's great to see Operation Red Hook still doing great work. And again, if you have gift cards and you have a price match similar to Target, you really should be aware of this scam. Even if you don't have a price match, the way that they're doing things, I think, you know, could, I could see them doing this and taking advantage of price matches in between different stores. I know sometimes, I don't know if it's all the time, but like Best Buy will price match something on Amazon. If they were able to manipulate the HTML locally of Amazon on a product, they could say, hey, I could have gotten it, I bought this here, but I could have gotten it on Amazon for $500 less, and then get, you know, a price match at Best Buy to buy it there or something like that. That wouldn't even involve a gift card. I do think that there can be variations of this that we should be on the lookout for. [Episode Break: (00:06:13): One new feature that Sardine recently introduced to their product suite is called the Anomaly to Rule product. If your system suddenly experiences a huge spike in risky activity, Sardin's machine learning will suggest a new rule to detect it. In addition to creating the rule, you can decide what to do with the transactions or accounts that trigger this new rule. Some of your options include putting the system in shadow mode to gather the data but not actually take action on these accounts. Or you can send them to manual review or automatically cancel them. This feature is is so needed because often the time between spotting activity and finding the right rule to trigger can take some time. Especially if you're relying on traditional legacy rules and data analysis to manually create new rules. In this case, you can go from experiencing high risk activity to making a rule and acting upon it within hours instead of days or weeks. For more information about this feature or any of the other products within Sardine, go to www.sardine.ai to read more information or to request a one on one product demo.]
Another article that I thought was important to be aware of is that the race is on among the biggest banks to fix IT vulnerabilities that were exposed by Mythos AI, and they're sharing information with each other. How Mythos AI reveals major bank cybersecurity vulnerabilities So major U. S. banks are now scrambling to repair hundreds to thousands of information technology vulnerabilities uncovered by a powerful artificial intelligence cybersecurity tool developed by Anthropic, according to a new report. I think that either Frank or Matt mentioned Mythos on a previous episode a month or two ago. But Mythos is a powerful new artificial intelligence model developed by Anthropic, and it's raising urgent concerns among cybersecurity experts, policymakers, and financial institutions. As early testing suggests, it could dramatically accelerate both the discovery and exploitation of software vulnerabilities and create significant data breach threats, prompting high-level emergency discussions in Washington, DC, among the top U. S. economic and security officials.
So basically, when you deploy Mythos on your site, it will find every single, well, I mean maybe not every single, but it will find a lot of cybersecurity vulnerabilities that your teams just weren't able to QA for, that your teams weren't aware of. And best, you know, it's a good guess if you think that cybercriminals are doing, using AI for the exact same purpose. Maybe they don't have access to Mythos, but they have, you know, other types of AI that are looking for vulnerabilities like this. So because Mythos has exposed, not exploited, but exposed all of these vulnerabilities, now companies, banks are rushing and panicking to fix them before the, you know, fraudsters and hackers identify them.
So Reuters reported that several of the nation's largest banks, including JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley, have gained access to Anthropic's Claude Mythos preview model through its Project Last Wing initiative. The AI system known as Mythos is designed to rapidly identify cybersecurity weaknesses. Sorry, I just said that. Including vulnerabilities buried within proprietary and open source code, Reuters reported. The tool is proving especially effective at linking together multiple low-risk flaws into more serious threats that could expose critical banking systems. As a result, banks are accelerating software upgrades, shortening patch management timelines, and reviewing aging technology infrastructure that may no longer be supported by vendors, Reuters reported. Sources told Reuters that vulnerabilities previously scheduled for remediation over several weeks are now being patched within days. Reuters also reported that banks are uncovering weaknesses in older legacy systems and unsupported software platforms that they had not previously viewed as urgent risks. Those legacy systems, man, they can have a lot of risks for cybersecurity and for fraud as well. And sometimes they're no longer supported by the company, or if they are, there's one engineer within the company that knows maybe how to fix it or something like that, whether it's within your company or within your vendor. Either one. Some institutions are increasing automated system scans and continuous monitoring efforts as they adapt to what one source described as a machine-speed threat environment. The report said the increased workload could occasionally require banks to temporarily take systems offline more frequently to complete upgrades and repairs, though institutions are attempting to minimize customer disruptions.
This is a wake-up call. They said cybersecurity teams are also developing new internal procedures and methodologies to work with the AI tool effectively. Adam Myers of CrowdStrike told Reuters his team spent an entire weekend building workflows and capabilities around Mythos before beginning vulnerability testing. And then they're also saying that larger banks are sharing information about identified risks and defensive measures with smaller institutions that do not have access to the technology because of its high cost and competing requirements. Anthropic prices the model at $25 per million input tokens and $125 per million output tokens, Reuters said, making it significantly more expensive than some of the company's broader AI offerings. So while Mythos is working well, it's really expensive. CEOs face hurdles with AI replacement and layoffs Thanks. We have something else I read on LinkedIn the other day that I wanted to share with you guys because we've been talking about in the last few episodes, whether it was the episode with Holly or one of my solo episodes, talking about how, you know, a lot of people in fraud are being laid off right now. And I feel like every week there's at least a couple of people that reach out to me and say, hey, I just got laid off. Let me know what you know of. I'm trying to keep my eye out on whatever I can, with priority to remote roles, especially in the U. S. because that's primarily where my audience is. However, if you're, you know, in another country, you can let me know. Like there's a Fraudology listener that pinged me the other day and said, hey, if you see anything in the Dublin area in Ireland, please let me know. And I found one like the next day. Because I have such a great network, a lot of hiring managers are posting the roles in my feed and the algorithm knows that I like to see those. So that's where I'm getting them from. It's not a secret source.
Sometimes hiring managers do reach out to me and give me a little more context about who they're looking for or send me a job description right before it goes live. But for the most part, if you're looking at, you know, LinkedIn job postings, you'll see most of them. But sometimes the remote ones are difficult to find sometimes. So that's why I'm trying to share them with as many people as possible. But anyway, a lot of the reasons for the layoffs are AI, right? Like companies thinking that they can get more done with artificial intelligence than they can actual human employees. And I've talked a lot about, you know, my concern about the data sources for AI when it comes to fraud and how they're just not open source. And so they're going to hallucinate and give wrong information. I've shared all of that before. But this is another take on this that I thought was interesting. And, you know, it may not, you know, if you're still employed and you're worried about this, it may not hurt to mention some of these points to leadership if you're in a position to do so or at least be aware of it.
So Sir Eskenar on LinkedIn, I don't know his real name, posted this this week and it's been making the rounds on LinkedIn. I've seen it posted a couple times. CEOs are quietly realizing the AI replacement plan has a problem. Two problems actually. One, the token costs for running AI agents are now exceeding what they were paying the employees they fired. So just like the token costs that were in that article for Mythos, they're realizing that the token costs are, you know, now more expensive than employees. Two, when the tokens run out, the AI stops. It just stops. No continuity, no workaround. Just a spinning wheel where your workforce used to be. You fired humans to save money and bought a subscription that bills you into a corner. The employees you let go knew what to do when things broke. The AI just invoices you for the outage. And then there's the permission problem that nobody wants to talk about. To do its job, the AI agent needs access. Full access. Your systems, your patents, your contracts, your future plans, everything you spent years building handed over to a process that has no loyalty, no discretion, and no skin in the game. And it also might be used to feed information to your competitors, right? If you feed, you know, an AI tool all of this information, and then you don't have the enterprise tool, or even if you do, you know, you don't know all the privacy settings, it could be that if a competitor, you know, asked ChatGPT what they should do for a certain problem, they might source your documentation and say, well, here's what your competitor did. Or they won't even tell you that. They'll just say, here's what you should do. And it's exactly what you had done. And they know that because they have access to all your information. Everything you spent years building handed over to a process that has no loyalty, no discretion, and no skin in the game. You didn't hire a replacement. You gave a stranger with no soul the keys to everything you own. Enjoy.
I sent that to a friend of mine and said to me that was the very definition of FAFO. If you know, you know that acronym. But I thought that was interesting and something that hopefully leadership considers before making even more layoffs. A couple more stories.
This one is from Frank McKenna, Frank on Fraud. I guess there's a trend in China of people making peace signs in their selfies. So, you know, the two-finger peace sign facing the camera. And this article says that it could actually hand criminals your fingerprints. Something I never would have thought of. But again, with AI so much is possible. That casual peace sign you throw up in selfies might be giving you away way more than you think. Chinese experts are warning that the popular pose can expose your fingerprints to fraudsters with the right software. A mainland workplace reality show in April put the risk on display. Financial expert Lee Chang used a celebrity selfie to show how clearly visible fingers in a photo can put biometric data at risk. According to Lee, fingerprints can be pulled from selfies taken within one and a half meters if the fingers face the camera straight on. Even at 1.5 to three meters out, about half the hand details can still be recovered. The show demonstrated the trick on camera. After running a photo through editing software and AI tools, fingerprint ridges became visible. That's terrifying. There's a cryptography professor at the University of Chinese Academy of Sciences that told China Newsweek that high-quality cameras can make it possible to reconstruct hand details from a basic scissor-hand pose, which is also the peace sign.
He noted that lighting, focus, and image clarity usually make fingerprint recovery hard, but the risk goes up with higher resolution devices or when criminals get their hands on multiple photos of the same person. The bigger problem is permanence. Fingerprints are like facial data. Once leaked, you can't change them. Lee warned that that could open the door to financial losses and identity fraud. His advice is straightforward. Blur, pixelate, or smooth out your hands before posting selfies, and don't register your fingerprints on unfamiliar devices. He goes on a little bit more, but it's all just backing all of that up. I think that that is kind of scary and worth being made aware of. AI-powered phishing attacks overwhelm community lenders Here's another article kind of related to the previous one, with AI's help, fraudsters are targeting smaller banks. Criminals are customizing their scam attacks, and community banks have a fight on their hands. I know this is something that Hailey Windham is very passionate about. Not just this, but community banks and credit unions in general. But this article from U. S. News & World Report says that with the help of AI tools, many scammers have shifted their focus from customers at large banks to smaller institutions. In bank scams of the past, criminals have often impersonated big banks, sending texts to thousands of consumers and playing the odds that some would have accounts with those institutions. Recent scam reports suggest that fraudsters are now using AI tools to compile lists of banks' customers and customize attacks. Those AI tools have enabled scammers to target their schemes to customers of banks of all sizes. So they're basically saying that, you know, fraudsters impersonating banks were calling up customers, trying to convince them to reveal enough personal information to allow the criminals to hack into deposit accounts. On the surface, this was not unusual at all. Banks and consumers are regularly fighting off these types of schemes, and they are the kind of scam that Uri Rivner says he sees daily. As the CEO and co-founder of Refine Intelligence, which makes software that helps banks prevent fraud, I know Uri Rivner well. I went to Jerusalem actually with him once for a day. That was fun. I didn't realize that he was in this article. That's great. But this one stood out both in its size and its strategy. Rivner says that by the end of the day, the banks he was tracking experienced a 1,700% spike in attacks. And instead of pretending to be representatives of the largest U. S. institutions, he says scammers were taking aim at smaller lenders.
Half of the banks targeted, he says, had less than $3 billion in total assets. What we noticed is an explosion of bank impersonation attacks against regional banks and small community banks. These scams also appeared to incorporate AI tools in ways that some fraud experts have warned about, including those in our 2026 Banking Predictions article. The scale is beginning to be alarming. Small banks certainly haven't been immune from fraudsters in the past. In fact, U. S. News highlighted one particularly sophisticated scam that targeted a customer of a Massachusetts community bank last year.
But many scammers have been more inclined to take aim at customers of the largest U. S. banks. That's because the criminals often don't actually know where you bank. Instead, they may send out a text to thousands of individuals alerting them to a supposed problem with their Chase or Bank of America account. It's a shotgun approach, with scammers playing the odds that a significant portion of those receiving the message will have an account with one of those banks. As fraudsters might joke, that's why it's called phishing and not catching. Before, the attacks were very blunt force attacks where they cast a wide net, says Scott Incan, senior vice president of strategic initiatives and policy for the Independent Community Bankers of America.
It wasn't very targeted and communications were filled with grammatical errors and targeting errors. But now, because they have access to AI and other tools, they can target customers much more accurately. They can obviously impersonate other people, and they can do it at scale. Scammers have started deploying AI agents on web searches, asking them to scour both leaks of data and publicly available documents to compile a list of customers of a specific bank. Fraud experts say this makes attacks on smaller banks much more fruitful for the characters of the banks, called bad actors.
Uri Rivner says that's what appeared to have happened in the attacks he was monitoring. As we heard about similar attacks starting six months ago, now the scale is beginning to be alarming. Rivner spoke with officials of some of the banks targeted to develop a clearer picture of how the attempted scam unfolded. He says after scammers had identified customers of a bank, the next step was to call them all at once. He surmises that this was a calculated approach intended to overwhelm a bank's capacity to respond. In the past, a small group of scammers might run down the list one by one, but now AI bots can make hundreds of calls simultaneously. And while many small banks have robust AI-powered security defenses that can detect suspicious activity, a flood of questionable transactions could make it difficult for a bank with limited staff to review those transactions or contact customers. And many of those customers may still be on the line with the person they believe is from the bank.
It also makes it more difficult for consumers to call the bank and find out if they actually were the ones that called them. Some banks told Rivner that criminals apparently used AI to customize scams to a particular bank. For example, one bank official told him that customers were told they needed to provide sensitive information to help the bank transition them to the bank's new website. That bank indeed was going through a website change. You've always had a trade-off between scale and quality, says Rivner. But for the first time, criminals can do it at scale and with very high quality.
I think that's a really good point. Community banks have advantages and vulnerabilities in the fight against fraud. Incan says he's not familiar with the scam surge Rivner saw, but he says it wouldn't surprise him. He says scam attacks on bank customers tend to come in waves. I think the institutions of all sizes are experiencing just a massive increase of fraud and scams across the board. So it's very much an industry problem. Certainly community banks have been hit by these frauds and scams just the same way that the large banks have. There are some indications that smaller banks may be seeing a greater uptick in scams than their larger peers or online-only competitors.
More than 70% of credit unions and regional community banks reported an increase in fraud in 2025, according to the Alloy State of Fraud Report, which surveyed institutions of all sizes. It's a higher percentage than was reported by both big banks and fintechs. It's also a jump from what smaller institutions reported the previous year, when 52% said that fraud attempts had increased. So they have 70% of credit unions and regional and community banks say that they've seen an increase in fraud last year. That's pretty significant. Community banks, fortunately, have been preparing for this for quite some time, says Incan. This is something they've been looking at and developing strategies for. So I think they're all very well equipped to handle these surges. I hope he's right. Then they just talk about some of the benefits of community banks and that type of thing. But the other, you know, they talk a lot in this article, not, you know, a lot, but they touched on the fact that often scammers that are doing, you know, smishing or phishing don't know which, you know, which bank you bank with.
Actually, there is a way for them to know, and that is to buy lists of credit card numbers, even if they're dead credit card numbers that have all been reissued because somebody already used them for fraud. Fraudsters can use those databases or those, you know, logs to look at the first six digits of the credit card that was used and correlate that with your name and phone number. So now they have your name, your phone number, and they know which bank you bank with. So now when they call, they can impersonate your specific bank rather than saying they're from Chase Bank and hoping that you have a Chase card. That's not something that was in this article, but it's something that I'm adding because I think it's important to be aware of. And those lists can go for pennies on a dollar because, again, they don't really have any purpose. You can't commit fraud on them. You can't use those card numbers again for a transaction.
So a lot of, you know, carders or the people that are selling credit cards in bulk just don't care about those. So they're like, sure, you want this, I'll give it to you for 20 bucks. Like whatever, it's no big deal. Or I've seen it with the same organized crime syndicate where one department, for lack of a better word, is in charge of monetizing those credit card numbers on the list that they harvested. And then after they've monetized those credit card numbers for as many goods and services as they can, then they send those numbers off to another group that does phishing and text message phishing and that type of thing. And they then look up the first six digits, find out who their bank is, and do very personalized phishing attacks, which I guess is called spear phishing, is the proper terminology. But those are things to be aware of as well. It's not really a mystery anymore. It's not this magical mystery of where you bank. It's pretty darn easy to figure it out.
Sometimes they'll just call and say that they're your bank. They won't say the name, but when they say the name, it gains more trust, less defenses are up. So chances are there's more accuracy there for the scam. All right, that's where I'm going to leave it today, guys.
I always appreciate you listening to this podcast. I appreciate hearing from you when I've said something that has been interesting to you or you just want to reach out. It always makes my day, and I will look forward to talking with you more next week.