In the race between payment speed and fraud prevention, the bad guys currently have a head start. Let’s fix that.
Let me paint you a picture. A customer opens their banking app. Within 20 seconds, they’ve initiated and completed an “immediate” payment. The money is gone. Irrevocably. Welcome to the instant payments era — where the experience is frictionless, the settlement is final, and the fraud mitigation window has been compressed from hours to heartbeats.
In LATAM, this isn’t a future scenario — it’s just another Tuesday. Instant payments now represent 60% of consumer spending in Latin America alone. North of the border, FedNow has surpassed 1,600 participating institutions in just two years, and Canada’s Real-Time Rail is soon to be live. The promise is enormous, it will accelerate economies with faster time to deploy capital and deliver economic growth. The risk is, too.
And before anyone settles in with a comfortable “we have fraud controls” posture — let me suggest that the fraud controls many institutions have were built for a world where the payment took two days to clear. That world is over.
Speed Broke the Safety Net
Traditional rails gave fraud teams a window, which frequently, was just enough time, to investigate and remedy suspicious transactions. Instant payment systems don’t just shrink that window. They eliminate it. Once funds move, they don’t come back.
This reframes the entire protection model. Prevention isn’t one layer of defense anymore. It’s the only layer of defense that matters.
AI Didn’t Create Scams. It Just Gave Their Handles a Chance to Scale
Here’s what I’ve been saying for a while now, and it’s being validated in real time: AI-enabled fraud isn’t a paradigm shift in the types of attacks we’re seeing. It’s an acceleration of the ones we already know. The fraud attacks are evolutionary, not revolutionary. But the scale — that’s what’s revolutionary.
OpenAI’s own research confirmed that its models were being used to run pig-butchering networks — generating romance scam outreach at industrial scale. What took a scam compound in Southeast Asia a team of 50 people now takes a well-prompted LLM and a distribution list. Deepfake voice cloning has made bank impersonation scams in LATAM frighteningly convincing. Fraudsters in Brazil are generating synthetic identity documents at 140% the rate they were a year ago. The investment scam pipeline, long a massive problem in both NAM and LATAM, has been turbocharged by AI-generated content that looks more credible than most bank websites.
The social engineering attacks of 2021 started with a clunky phishing text message. We should recognize that this era is winding down, and new social engineering attempts will start with a weeks-long AI-orchestrated relationship, a flawless deepfake video call, and ends with an authorized push payment on a FedNow rail. The customer authorized it. The bank processed it. The money is gone.
Agentic Fraud: When the Bot Does the Scamming for You
If AI-enabled scams are the current era, agentic fraud is what’s loading in the background.
Agentic AI can autonomously plan and execute multi-step tasks, and it’s already being explored as a consumer tool for things like scheduling, holiday planning, and yes, paying your power bill is already in the pipeline. The agent handles it.
Now flip that capability to the adversarial side. Fraudsters are already testing agentic frameworks that can autonomously navigate banking sessions, probe authentication controls, execute account takeovers, and initiate transactions… all without a human in the loop. These agents don’t get tired or nervous and they don’t hesitate on a step-up challenge in a way that behavioral systems could detect. THEY WORK 24 HOURS A DAY on a mac mini on your desktop.
The irony isn’t lost on me: the same AI investments your institution is making to improve customer experience are being mirrored on the other side of the table. Do something or something will be done for you.
Why Your Current Stack Is Bringing a Green-Screen to an Agent Fight
Most financial institutions in LATAM and NAM are managing real-time payment risk with tools designed for a batch-era; Static rule sets… Siloed channel detection layers across multiple attack surfaces and contact platforms. These were built for a world where fraud was caught on the back end… Instant rails don’t have a back end. Its game over as soon as the button is pressed.
The cost of this gap is not abstract. For every dollar of fraud loss, Latin American financial institutions absorb an average of $4.41 in additional investigation, legal, and recovery costs. And that’s before you factor in the reputational damage of a customer who lost their retirement to a deepfake call your controls couldn’t detect.
I’ve run a fraud shop. I know what it looks like when the volume of attacks exceeds the capacity of your rules/strategies/staffing model. That’s the situation many institutions are walking into now — and the institutions that get ahead of it will define the next era of trusted payments, and win the day.
Where Detection and Response Services Fit in This Picture
It actually feels quaint now, human based social-engineering ATO, but this is a geriatric threat now… Transmit Security’s Detection and Response Services (DRS) were built for the environment we’re actually in — not the one we were in five years ago.
Rather than waiting for a transaction to flag post-submission, DRS starts collecting behavioral and device telemetry the moment a user touches the application. It analyzes hundreds of signals continuously — device fingerprints, interaction patterns, network behavior, anomaly indicators — and surfaces a real-time risk recommendation before a payment is authorized.
Three things make this relevant for the threats we just covered:
- AI scam detection. Behavioral signals during a session can reveal the cognitive fingerprint of a scam victim… their unusual hesitation, atypical navigation and hold times on specific screens, and emotional distress indicators, even when the transaction appears authorized. The customer clicked “send.” but the model knows something is wrong. So we engage and interrogate the customer to think critically about the legitimacy of this payment
- Agentic fraud resistance. Autonomous agents behave differently than humans in banking sessions. ML models that understand the behavioral baseline of real users can distinguish that. Where we need to, however, we need to qualify the intent, novelty and patterns of legitimate agents and identify the agentic fraud agents, and stop them before the real time rail has transactions placed
- Orchestrated step-ups without the manual overhead. When risk thresholds are breached, whether from a deepfake account takeover or a suspicious agentic session, we need to trigger the right response: passkey-based authentication, biometric re-verification, or a payment hold, and it must be agile. No custom code, no rule approvals, no three-week deployment cycles and no more death by 1000 alerts.
It integrates as a cloud service. For teams managing risk across multiple markets, that means faster time to protection, and consistent detection logic across every rail that feels coherent to the user’s expectations with their provider.
Let’s Wrap It Up…
We are deep in the Scammer Era. AI has industrialized the social engineering attack. Agentic fraud is waiting in the wings. Instant payment rails have removed the remediation window. And the buckling fraud stacks protecting most institutions were built for a different decade.
The good news: the tools exist. The detection models are there. The institutions that deploy real-time behavioral intelligence, embrace the AI fight on both sides of the ledger, and get ahead of agentic fraud before it arrives at scale,those are the institutions that will lead, capture market share and deliver for their customers.
The ones that don’t? They’ll be explaining their position to regulators, customers, and board members who are all asking the same question: “You knew this was coming. Why weren’t you ready?”
Do something, or something will likely force your hand
Want to see how Transmit DRS handles AI scams and agentic fraud in a real-time payments context? Request a demo at transmitsecurity.com
