AI vs Fraud: The Arms Race in Detection
As fraudsters adopt AI tools, payment providers and retailers are deploying increasingly sophisticated machine learning to protect transactions. Neither side is winning decisively, but the data advantage currently sits with the defenders.
The attack pattern is almost elegant, in a grim sort of way. A fraudster doesn't buy a single stolen card number any more. They use generative AI to construct an entirely new identity: consistent name, address history, device fingerprint, browsing behaviour. They test it slowly, building a transaction history that looks clean. Then they strike.
UK Finance's Annual Fraud Report 2025 (covering 2024 calendar year data) put total payment fraud losses at £1.17 billion. The same report noted that banks and payment providers prevented a further £1.45 billion through automated detection systems. So the actual scale of attempted fraud is closer to £2.6 billion, and the only reason reported losses aren't several times larger is that detection systems are absorbing the majority of it.
That's the part of this story that doesn't get enough attention. The fraud figure looks alarming. The prevented figure is the actual news.
The threat has industrialised
Cifas Fraudscape 2026 recorded a total of 444,993 cases filed to the UK National Fraud Database in 2025, a record high, up 6% on 2024. Identity fraud was the single largest category: 242,003 cases, making up 54% of all filings. That's not a niche problem anymore. That's a supply chain.
What's changed is the tooling. A few years ago, identity fraud required manual effort: sourcing stolen documents, creating consistent backstories, coordinating across multiple accounts. Now, generative AI handles the assembly. Synthetic identity fraud uses AI-generated IDs, deepfake selfies, and doctored documents to produce profiles that pass automated KYC checks. Payments Association research tracked a 378% year-on-year surge in synthetic fraud attempts.
The other emerging category is deepfake-based bypass. Fraudsters use face-swap software and virtual cameras to fool liveness detection checks, the kind built into identity verification flows that most retailers and fintechs now run at account creation. According to Fintech Global's March 2026 analysis, facial animation deepfakes bypassed KYC verification in 12% of tested cases in 2025.
And then there are adversarial attacks: carefully crafted transaction inputs designed to slip past ML classifiers by exploiting the model's blind spots. ISACA's 2025 guidance on adversarial machine learning describes evasion attacks as "tactics where attackers subtly tweak input data to fool a model into making incorrect predictions." The same guidance notes that as detection models proliferate, so does the incentive to reverse-engineer them.
The underlying logic here isn't complicated. Fraud is a cost-optimisation problem from the attacker's side. If the expected return on a synthetic identity exceeds the cost of building and running it, it gets built and run. AI has made the cost of building one collapse.
What the defence looks like now
Mastercard's Decision Intelligence Pro is probably the clearest public example of where the technology has arrived. Launched in early 2024 and enhanced later that year, it uses a generative AI model to scan transaction data across billions of cards and millions of merchants, identifying compromised cards by predicting missing pattern details from partial data. The risk assessment runs in under 50 milliseconds. In testing, it doubled the detection rate for compromised cards and reduced false positives in those detections by up to 200%.
"Until now fraudsters may have thought they were operating in obscurity, seeking to launder the card details of millions of unsuspecting victims," said Johan Gerber, Mastercard's EVP of Security Solutions. "Thanks to our world-leading cyber technology we can now piece together the jigsaw."
Stripe's Radar takes a different angle, scanning every payment using hundreds of signals from across its network: device fingerprinting, behavioural biometrics, geographic patterns, transaction velocity, social graph signals for synthetic identity detection. According to Stripe's own documentation, this approach reduces fraud by an average of 32% for businesses that use it. A 2025 survey of 4,000+ payments leaders run by Stripe found that 47% of businesses now use AI to detect and prevent fraud, making it the most popular AI use case in payments.
The asymmetry that benefits defenders is data. Stripe processes over $1 trillion in annual payment volume. Mastercard runs billions of transactions. No individual fraudster, however well-tooled, has a comparable training set. The ML models are learning on orders of magnitude more examples of both legitimate and fraudulent behaviour than any attack can simulate. That data advantage is structural. It doesn't disappear when the models are attacked.
The human role hasn't disappeared. It's changed.
Remote purchase fraud (card-not-present transactions via the internet, phone, and mail order) cost UK businesses just under £400 million in 2024, up 11% on the year before, according to the UK Finance data. That's a meaningful number, and it sits in the category where merchant liability is highest.
The fraud teams at major retailers and payment processors haven't shrunk as ML has scaled. They've reoriented. Stripe's ML explainer is honest about this: "Machine learning relies on human experts to label data as fraudulent or not. Fraud analysts must then refine the training data to ensure models remain effective." The model handles volume; the analyst handles the edge cases the model hasn't seen before.
That's not a trivial job. Novel attack patterns, coordinated fraud rings, subtle adversarial probes: these all require human investigators who understand how the detection system works and can identify where it's being gamed. The risk for merchants who use third-party fraud detection as a black box is that they have no internal capability to do that work when the black box fails.
What this means for merchants
For most UK retailers, this translates into a few practical questions:
Online card fraud is the vector most likely to affect them directly. Of all card-not-present fraud in 2024, 75% occurred at merchants acquired outside the UK. International payment acceptance is where exposure is highest and where investing in real-time risk scoring pays off.
The balance between security friction and conversion is real, but it's shifted. False positive rates have dropped significantly as ML models have improved. A customer being declined on a legitimate transaction is still a conversion problem, not just an edge case. The tools to reduce those false declines have meaningfully improved.
Liability is shifting too. The UK Finance data makes clear that sophisticated fraud increasingly ends up on the merchant side of the ledger. Understanding what your payment processor's detection covers, and what it doesn't, is now a commercial question as much as a technical one.
The fraudsters have the tools. The defenders have the data. The 2024 UK fraud numbers suggest the defences are holding, barely, but the attack techniques are evolving faster than they were two years ago. The next wave will use AI in ways that haven't been industrialised yet.
That's an uncomfortable place to sit. But it's the actual situation.
For a deeper look at synthetic identity fraud and agentic attack vectors, see Fraud Is Getting Cleverer. So Are the Defences.
Data sources: UK Finance Annual Fraud Report 2025; Cifas Fraudscape 2026; Mastercard Decision Intelligence Pro press release, May 2024.
Stay Connected
Follow LLCommerce on LinkedIn
Get the latest AI commerce insights, analysis, and industry news delivered to your feed.
Large Language CommerceAbout the Author
Senior Editor
Sarah covers the intersection of AI and retail, with over a decade of experience in technology journalism. Based in Bangkok, Thailand — and will explain at length why that's actually the best place to cover e-commerce if you'll let her.