New Threats, Old Crimes: How Modern Tech is Updating Fraud Schemes

Key Takeaways

Geographic and Temporal Barriers Have Collapsed 

• Technology has eliminated traditional physical constraints on fraud commission, enabling bad actors to perpetrate schemes from anywhere globally using nothing more than mobile devices and internet connectivity, fundamentally transforming fraud from a localized crime requiring physical presence to a borderless digital threat.
• The professionalization of cybercrime through “fraud-as-a-service” business models allows technically unsophisticated criminals to purchase access to ransomware, malware, and information stealer capabilities through monthly subscription fees, dramatically lowering barriers to entry and enabling coordinated attacks by previously solo actors who now collaborate as organized criminal enterprises.
• Artificial intelligence represents an exponential threat multiplier, with documented cases of AI-enabled espionage demonstrating capabilities that will fundamentally alter the fraud landscape in ways comparable to how the internet transformed child exploitation crimes from physical Polaroid photography to coordinated digital global networks.

Federal Prosecution Thresholds Focus on Impact and Industry Significance

• Federal prosecutors evaluate potential cases based on cumulative financial impact—either substantial losses to single entities or coordinated attacks affecting multiple organizations simultaneously—rather than simply the presence of criminal conduct, meaning the magnitude and scope of harm determine whether fraud becomes a federal matter versus remaining an internal disciplinary issue.
• Regulated industries including financial institutions, securities firms, and healthcare organizations receive heightened scrutiny due to consumer protection mandates and potential erosion of public confidence in critical sectors, with infrastructure targets like airports, government entities, and municipalities also drawing federal attention when attacks threaten public welfare or essential services.
• The current administration’s prioritization of healthcare fraud means that any misconduct in healthcare-related entities, regardless of direct federal funding involvement, may trigger criminal prosecution, requiring companies to proactively isolate bad actors, conduct thorough internal investigations, and position themselves cooperatively rather than appearing complicit through concealment attempts.

Early Detection Depends on Active Engagement with Security Systems

• Organizations that successfully detect fraud early are distinguished not by superior technology investments but by active engagement with the alert systems and notifications they have already purchased, with the critical differentiator being whether compliance officers, IT directors, and HR leadership actually review and respond to security warnings.
• Many companies invest in first-class cybersecurity monitoring tools yet fail to respond to nightly alerts regarding unusual data transfers, suspicious login attempts, or repeated system vulnerabilities, essentially paying premium prices for alarm systems they routinely ignore when notifications arrive.
• The gap between fraud commission and discovery is closing only for organizations where designated personnel actively monitor systems as living processes rather than treating security infrastructure as compliance checkboxes, recognizing that purchasing sophisticated tools without human engagement to interpret and act on their outputs provides no meaningful protection.

Continuous Learning Is Non-Negotiable for Compliance Professionals

• The mindset that compliance expertise is a static achievement rather than a continuous learning process represents a fundamental vulnerability in modern fraud prevention programs, as professionals who believe they have “arrived” at sufficient knowledge after securing senior positions will rapidly become obsolete in an environment where threat vectors evolve on weekly rather than annual timescales.
• Effective fraud prevention requires daily learning behaviors including monitoring DOJ enforcement actions through Google alerts or Court Listener, analyzing settlement terms and statements of facts from comparable cases to identify vulnerability patterns, and actively participating in industry-specific training programs offered by regulatory bodies like FINRA and law enforcement agencies including FBI field offices.
• Compliance officers must proactively seek education opportunities beyond traditional annual conferences, including FBI Citizens Academy programs, regulatory body podcasts and webinars, and peer networking events where practitioners share real-world experiences, recognizing that learning from others’ incidents costs nothing but provides invaluable insights that prevent repeating documented mistakes.

The DOJ Cyber Fraud Initiative Established Cybersecurity as Compliance Obligation

• Deputy Attorney General Monaco’s October 2021 announcement of the Cyber Fraud Initiative formally established inadequate cybersecurity controls as prosecutable compliance failures for organizations receiving federal funds or holding government contracts, creating a four-year enforcement track record with approximately fourteen cases demonstrating concrete consequences for companies that fail to maintain appropriate security measures.
• Companies must move beyond passive awareness to active implementation, examining each DOJ cyber fraud case for vulnerability patterns through careful review of complaints, settlements, and statements of facts, then conducting internal assessments to determine whether similar weaknesses exist in their own systems that could expose them to comparable enforcement actions.
• Compliance officers must forge stronger working relationships with IT departments and contracting officers, transforming cybersecurity from an IT-owned technical issue into a cross-functional compliance responsibility with clear accountability for monitoring security alerts, responding to identified vulnerabilities, and implementing continuous improvement processes that demonstrate the organization takes its obligations seriously.

Cross-Functional Collaboration Breaks Down Dangerous Silos

• Organizational silos between compliance, IT, HR, and finance departments create blind spots that fraudsters actively exploit, particularly in schemes like payroll diversion where phishing attacks on individual employees connect to broader patterns of Office 365 account compromise visible only when HR personnel coordinate with IT teams monitoring login anomalies.
• Tabletop exercises and joint training sessions represent low-cost, high-impact interventions that build relationships before crisis situations, ensuring that billing departments understand their vulnerability as financial gatekeepers, IT teams recognize the compliance implications of security alerts, and all stakeholders know their roles in coordinated response efforts.
• Breaking down departmental barriers requires actively reframing specialized functions—such as billing departments often dismissed as merely “coding folks” in healthcare settings—as critical security stakeholders rather than peripheral administrative roles, helping teams recognize how their seemingly routine activities around payment processing and financial transactions represent primary attack vectors requiring collaborative defense strategies.

Human Verification Remains Critical Despite AI-Enabled Deception

• The human element serves as both the most vulnerable component and the most flexible defense mechanism in fraud prevention frameworks, requiring organizations to cultivate cultures where employees feel empowered to ask questions about unusual requests—even when they originate from apparently legitimate sources—without fear of appearing incompetent or wasting colleagues’ time.
• Simple verification protocols such as calling known phone numbers to confirm email instructions about payment changes or wire transfers have prevented substantial financial losses in multiple documented cases, yet these protective behaviors only occur consistently in environments where questioning is actively encouraged and “trust but verify” approaches are normalized rather than perceived as signs of distrust.
• Artificial intelligence’s rapidly evolving capability to mimic voices, images, and communication patterns increasingly undermines traditional human verification approaches, meaning organizations must develop layered confirmation procedures that combine human judgment with technical controls while accepting that perfect prevention is impossible and that rapid incident response capabilities become equally important as front-end deterrence.

Adequate Cybersecurity Programs Are Living, Breathing Systems

• Prosecutors evaluate compliance program effectiveness by examining whether cybersecurity protocols function as continuously updated, actively managed systems rather than static Word documents stored in SharePoint folders and reviewed only during crisis situations or annual compliance cycles, with the distinction between compliance theater and genuine programs hinging on evidence of regular engagement.
• Evidence of adequate programs includes documented relationships between compliance officers and IT leadership with regular meetings to discuss security alerts and response protocols, clear escalation procedures when repeated vulnerabilities appear, and demonstrated learning from prior incidents rather than falling victim to identical attack vectors multiple times because lessons were never systematically captured and implemented.
• Organizations must implement multi-factor authentication for systems containing sensitive data or financial access, actively deploy security updates and patches from managed service providers rather than allowing known vulnerabilities to persist unaddressed, and maintain current inventories of third-party contractors with data access while monitoring those vendors for breaches that could create cascading organizational exposure.

Third-Party Vendor Risk Represents Growing Vulnerability

• Third-party contractors and service providers increasingly represent the weakest links in organizational security postures, with breaches of external vendors—including billing processors, IT service providers, and data analytics firms—providing attackers with pathways into primary target organizations that maintain more sophisticated direct defenses but cannot control their vendors’ security practices.
• Progressive regulatory bodies like FINRA have begun requiring member companies to disclose their vendor relationships specifically to enable proactive notification when third-party breaches occur, allowing organizations to implement defensive measures before attackers leverage compromised vendor access, with FINRA’s approach providing a model for how regulators can facilitate industry-wide threat intelligence sharing.
• Compliance programs must extend beyond internal control assessments to include regular third-party risk evaluations covering vendors’ security practices, contractual provisions requiring vendor notification of security incidents within specified timeframes, and contingency planning for scenarios where trusted business partners experience breaches that potentially compromise shared data, system access, or customer information the organization remains legally responsible for protecting.

Sustainable Fraud Prevention Starts Small and Builds Systematically

• Effective fraud prevention frameworks avoid unsustainable compliance burdens by starting with focused interventions addressing the highest-probability threat vectors—either internal threats from disgruntled or opportunistic employees or external attacks targeting financial transaction processes—before expanding systematically to secondary risk areas according to a principled risk assessment rather than attempting comprehensive controls simultaneously.
• Organizations should develop basic critical incident response plans as foundational elements, identifying who contacts whom during security events, what roles each stakeholder assumes in breach mitigation, how to engage law enforcement resources including FBI IC3 reporting for financial fraud and Secret Service cyber currency recovery programs for international wire fraud, and establishing these protocols costs virtually nothing while providing essential structure during high-stress crisis situations.
• Building sustainable programs requires identifying and leveraging industry-specific resources such as regulatory body training programs, peer company networks for shared threat intelligence, FBI field office partner engagement initiatives, and existing cybersecurity insurance provisions while accepting that prevention efforts will never achieve complete protection and that rapid mitigation capabilities—including having established law enforcement contacts and documented response procedures—represent equally important measures of program effectiveness.

Conclusion