Intelligence Report | November 2026 - Flipbook - Page 12
“If you aren’t hearing any complaints, you don’t have enough friction.”
Steve Sanders CSI
officer at CSI. “Friction slows adoption, but it also protects
customers would likely be flagged as fraudulent versus not”
your customers and decreases fraud. If you aren’t hearing
based on changes to those steps.
any complaints, you don’t have enough friction.”
Further, customers are grouped for further action —
Mastrangelo says it’s not uncommon for fraudsters to
manual review, longer holds or higher limits, for example —
have the audacity to call into Grasshopper’s call center to
based on certain characteristics, such as the length of their
complain, which makes it important for the bank to stick
relationship with the bank, says Mastrangelo. Grasshopper
to its fraud decisioning. “You don’t want to be closing good
also leverages technology partners and consortiums to cre-
accounts, but you have to go off of your fraud prevention,”
ate layers of security for identity verification, business veri-
he says. “We quickly know why that account was closed.”
fication, behavioral biometrics, and investigations and suspi-
That means following the data. Grasshopper sets risk
cious activity reporting. “If a customer has committed fraud
tolerances for approval rates, fraud rates and dollars lost
at another bank,” he says, “you’d have that consortium data
to fraud, and tracks those key performance indicators. “If
to auto blacklist those customers.”
you don’t know your fraud exposure … it makes it very hard
Many of Fort Knox’s security features are “proprietary,”
to continue to improve your prevention tactics,” he says.
Beguin says, but safety measures include a lockdown mode
Mastrangelo adds that board members understand that a
that freezes the account, two-day delays to withdraw money
certain level of fraud losses should be expected.
and various biometrics that replace the traditional username
“Most banks have a risk tolerance that I would call
and password. There are no real-time transfers of money at
moderate to moderately low. They don’t want a lot of fraud,”
Fort Knox; no simple logins. “If your bank is using a user-
says Sanders. “What’s concerning is that their investments
name, password and one-time passcode delivered via text or
and controls don’t always match that low risk tolerance.”
even app, it’s just not secure,” says Beguin. He’s referencing
Offering digital account opening is a good example of a
two-factor authentication; many banks rely on that tactic to
service that can provide ease of use to the customer but can
control fraud, according to Alloy’s fraud report.
also open the bank up to potential fraud. “A majority do not
Spoofing a bank’s website can be an easy way for fraud-
open accounts digitally out of their footprint, including very
sters to trick customers into giving up their account credentials.
large banks,” says Tommy Nicholas, CEO at Alloy, an identity
In 2024, the FBI reported 193,407 complaints tied to phishing
and fraud prevention platform. Opening an account or moving
or spoofing, in which a fraudster uses email, texts or phone calls
money requires an institution to confirm the legitimacy of that
to pretend to be a legitimate organization — such as a bank —
customer or transaction; increasingly, automation and data
to gain login credentials or other personal information.
analysis is helping organizations do that in near real time.
To combat this, both Grasshopper and Austin Capital’s
Still, three-quarters of banks and fintechs reported in Alloy’s
Fort Knox brand use a .bank web address, which is a verified
2025 State of Fraud Report that more than 25% of new
domain dedicated to banks. “That helps prevent spoofing,”
account applications triggered a manual fraud review.
says Beguin. Austin Capital also generally avoids sending
Executives at Grasshopper want to keep that number
links or one-time passcodes to verify a customer’s identity.
low, which requires examining which steps in the verification
That’s because criminals can use these same tools to trick
process are triggering further review, and testing and tweak-
customers into entering information into a spoofed website.
ing the rules in that waterfall. “Being able to use retroactive
“And then [the fraudster] can take all the money. It is
data to test rules to say, ‘OK, this would improve our pull-
that easy,” Beguin adds.
through rate by x percent, and yet it would only impact our
fraud rate by this much,’” says Mastrangelo. “You’re running
Emily McCormick is vice president of editorial & research at
those tests on fraud results to get an idea of how many
Bank Director.
10 | BANK DIRECTOR INTELLIGENCE REPORT
