Start with a scenario that actually happened.

January 2024. A finance employee at a multinational firm in Hong Kong joins a video call. On the screen: the company’s CFO and several senior colleagues. The CFO instructs a wire transfer. The employee complies. The executive was never in that meeting it was an AI-generated deepfake. The employee wired $25 million to fraudsters.

Now consider what happened two minutes earlier at the employee’s bank unbeknownst to everyone in that call.

The transaction request arrived. An AI model, running inside the bank’s fraud detection infrastructure, scored it in 38 milliseconds. Unusual amount. Unusual destination. Unusual time. New payee. The velocity of the transfer request against the account’s history. The model returned a risk score. A human reviewer was automatically flagged.

The reviewer did not act in time. The $25 million moved.

This is the story of bank fraud detection in 2025 — not as a triumph, but as an arms race. The technology is extraordinary. The adversaries are now using the same technology. And the gap between the two is measured in milliseconds, deepfakes, and $40 billion in projected annual losses.

What Happened to the Old System

Until roughly 2015, most bank fraud detection ran on rule-based systems. Fixed logic, written by humans: if a transaction exceeds $X, flag it; if the card is used in two countries within six hours, block it; if three failed PIN attempts occur, lock the account.

These rules were transparent, predictable, and easy to game. Sophisticated fraudsters reverse-engineered them by keeping transactions just below thresholds, establishing spending patterns in advance, and exploiting the gaps between rules that no human writer had thought to cover.

Feedzai’s 2025 AI Trends in Fraud and Financial Crime Report reveals that 90% of global banks are now using AI and machine learning for fraud prevention and detection — a near-total industry transition away from rule-based systems in under a decade.

The shift happened because the alternative became untenable. In 2025, companies worldwide lost an average of 7.7% of annual revenue to fraud representing an estimated total of $534 billion globally. Rule-based systems were not failing occasionally. They were structurally losing.

The 38-Millisecond Decision

When you tap your card at a register or authorise a bank transfer on your phone, a decision is made before the merchant’s terminal has finished processing.

Banks train AI models on millions of historical transactions both legitimate and confirmed fraud teaching the system to recognise normal customer behaviour. When a new transaction occurs, the model simultaneously analyses hundreds of variables: transaction amount, merchant category, geographic location, time of day, device fingerprint, IP address, and the customer’s full historical behaviour pattern.

Not sequentially. Simultaneously. In the time it takes a payment terminal to display “Approved.”

The model is not asking: is this transaction large? It is asking something far more nuanced: given everything I know about this specific customer’s behaviour across the last three years, how anomalous is this specific transaction, at this specific time, from this specific device, at this specific merchant, given the 47 transactions that preceded it this month?

A $4,000 purchase at a jeweller in Miami would be unremarkable for a customer who buys jewellery quarterly and travels to Florida each winter. The same transaction, from an account that has never left its home city and whose largest previous purchase was $280, returns a very different risk score.

The Layer Nobody Talks About: Behavioural Biometrics

The fraud detection system’s most sophisticated and least publicly discussed component is not about transactions at all. It is about how you physically interact with your device.

As a user interacts with a device, the system collects and analyses tiny behavioural signals. A person’s typing rhythm has a distinct signature character speed, pressure, backspace timing, reaction speed, and pause duration all combine into a pattern. The same is true for how they hold a phone, swipe a touchscreen, or move a mouse across a page.

Traditional physical biometrics fingerprint or facial recognition authenticate once, at login. Behavioural biometrics confirm identity continuously, tracking and analysing behaviour from login to logout in real time, allowing for continuous authentication throughout the entire session.

In practice: you log into your banking app. The system notes that you type your password with your characteristic rhythm a 340ms pause between the third and fourth character, a slightly faster keystroke on the final letter, a consistent backspace rate. It notes the angle at which you hold your phone. It notes your scroll velocity through the account screen. It builds a behavioural fingerprint that is as distinct as your physical one.

Now a fraudster steals your credentials and logs in with your correct username and password.

Even if a fraudster breaks into an account with valid credentials, their behaviour exposes them within seconds. The typing rhythm is wrong. The scroll pattern is unfamiliar. The phone is held at a different angle. The mouse movements through the web interface follow trajectories the model has never seen from this account. The risk score climbs. A challenge is issued. The session is flagged.

A leading global bank that implemented behavioural biometrics to tackle account takeover fraud analysing typing patterns and mouse movements reported a 35% reduction in fraud losses over a six-month period.

Major adopters of behavioural biometric systems include JP Morgan Chase, Bank of America, and HSBC.

Device Fingerprinting The ID That Survives Incognito Mode

Alongside behavioural biometrics runs a parallel system: device fingerprinting. Where behavioural biometrics tracks how you interact, device fingerprinting tracks what you interact from.

Device fingerprinting creates unique device identifiers from hardware and software attributes that persist despite IP changes, private browsing, or cookie deletion — enabling consistent recognition for risk assessment across sessions.

Your device’s fingerprint is assembled from dozens of attributes: screen resolution, installed fonts, GPU rendering behaviour, browser plugins, time zone, language settings, audio hardware characteristics, and battery charge level. No single attribute is unique. The combination of all of them, at sufficient resolution, is functionally unique to your specific device and stable across sessions, across VPNs, across incognito tabs.

Behavioural signals fused with device fingerprinting form what researchers now call a behavioural data device fingerprint a dynamic, continuously evolving profile that integrates typing cadence, mouse movements, scroll velocity, touch pressure, IP address, geolocation data, and session history into a single identity signal.

A fraudster with stolen credentials, operating from a new device through a VPN in a different country, presents a device fingerprint that has never been associated with this account. The behavioural signature is mismatched. The geolocation is inconsistent with the session context. The model scores it high risk before a single transaction is attempted.

The Adversary Is Now Using the Same Technology

The reason fraud losses are still growing despite these systems is not that the technology is failing. It is that the attackers have access to equivalent technology.

Deloitte’s Centre for Financial Services estimates that banks will suffer $40 billion in losses from generative AI-enabled fraud by 2027, up from $12.3 billion in 2023.

Fraudsters now use AI to: fabricate synthetic identities combining real and false information to create believable personas; test security systems using AI to identify weaknesses and develop bypass strategies; and automate fraud tactics that previously required significant manual effort, enabling attacks against thousands of targets simultaneously.

71% of financial organisations identified professional crime rings not opportunistic individuals as their primary fraud threat in 2025. These are organised operations with technical teams, development budgets, and iterative testing processes. They probe fraud detection models, identify scoring thresholds, and build transaction histories designed to establish the appearance of legitimate behaviour before executing the actual attack.

The $25 million Hong Kong deepfake was not an outlier. It was a preview.

What the Bank Knows That You Don’t

The next time your bank sends a fraud alert or blocks a legitimate transaction you are seeing the surface output of a system that has been building a model of your behaviour for years.

It knows which merchants you visit in which order on a Friday. It knows your typical transaction velocity on a Monday morning versus a Sunday evening. It knows the angle at which you hold your phone when you open the app in bed. It knows your typing rhythm better than you know it yourself.

The system builds dynamic profiles for each customer, understanding their typical spending habits, preferred merchants, geographic movements, and transaction rhythms then monitors every new event against that baseline.

The false positive the legitimate transaction blocked while you stand at a foreign checkout counter is the system working exactly as designed, and getting the calculation wrong in your favour. The alternative is a system that never blocks anything.

Your password is the least interesting thing the bank uses to verify you. The way you typed it is far more informative.

📌 Read Also:

AIWala News