Payment Fraud Prevention: What Works and What’s Theater

Two payment apps, the same threat, opposite results. In one corner, Cash App, whose parent company was ordered to pay $175 million in early 2025 over how it handled customer fraud claims. In the other, PayPal, which moved more than a trillion dollars that year and still kept its loss rate near 0.08% of volume. Both face the same fraudsters, the same stolen cards, the same social-engineering scripts. So why did one end up in a regulator's press release and the other in an earnings call footnote?

The gap is not budget. It is which controls each company bet on. Most of what passes for payment fraud prevention is theater: it looks reassuring, it fills a slide, and it stops almost nothing. A handful of controls do the actual work. PayPal and Cash App make a clean natural experiment for telling the two apart, because in their case a regulator did the grading for us. This is a working playbook of what holds up and what quietly fails.

What payment fraud costs the economy now

The headline numbers are large enough to go numb to. Americans reported losing $12.5 billion to fraud in 2024, a 25% jump in a single year, according to the FTC's Consumer Sentinel Network. Worldwide card fraud hit $33.41 billion, and the United States carried roughly 42% of those losses on about a quarter of global card volume.

The more useful fact is hiding under the totals: where the money actually leaks. The top two payment methods by reported loss were bank transfers ($2.09 billion) and cryptocurrency ($1.42 billion) — not cards. That is not a coincidence. Those rails were built to move money fast and forward, with no built-in way to claw it back. Card networks have decades of dispute machinery behind them. Account-to-account transfers usually have none. The fraud follows the path of least reversibility.

| Metric (latest) | Figure | Source |
|---|---|---|
| US reported fraud losses, 2024 | $12.5B (+25% YoY) | FTC Consumer Sentinel |
| Top loss method: bank transfers | $2.09B | FTC, 2024 |
| Cryptocurrency losses | $1.42B | FTC, 2024 |
| Global card fraud losses, 2024 | $33.41B | Nilson Report |
| US share of global card fraud | ~42% (on ~26% of volume) | Nilson Report |

The common types of payment fraud, ranked by who pays

Every fraud guide hands you the same flat list of a dozen attack types. More useful is to sort them by who actually eats the loss, because that is what decides whether you should care. The common types of payment fraud do not share the pain evenly.

Business email compromise and authorized push payment scams sit at the top, because they trick the victim into sending money themselves, and the victim usually cannot get it back. UK Finance logged £257.5 million in push-payment fraud in just the first half of 2025, up 12% from the year before. Account takeover comes next: a fraudster gets into a real account and drains it, which means the rightful owner has to prove it was not them. Card fraud is widespread but, for consumers, mostly absorbed by the issuer through chargebacks. Then there is friendly fraud, where a real customer disputes a real purchase — it drives an estimated 75% to 79% of e-commerce chargebacks, and the merchant pays. Deepfake and voice-clone scams are the new entry, small in dollars today but climbing fast. The pattern is simple: the less reversible the payment method, the more the fraud lands on the person least able to absorb it.

Cash App: a case study in fraud prevention theater

If you want to see what fraud prevention theater looks like at scale, look at Cash App. By the time regulators arrived, it had around 56 million active accounts and a slick, friendly app. What it did not have was the unglamorous machinery behind the screen: real investigations, a working phone line, and any sense that an unauthorized transfer was the company's problem to fix.

What the regulators actually found

In January 2025 the Consumer Financial Protection Bureau ordered Block, Cash App's parent, to pay $175 million — $120 million back to harmed users and a $55 million penalty. The language is worth reading slowly. The CFPB said the company used "intentionally shoddy investigation practices" to close fraud reports in its own favor. Customers who called the fraud line reached a dead, pre-recorded message; for years there were no live agents to reach at all. The same month, a coalition of 48 state regulators added a separate $80 million penalty for anti-money-laundering failures. Combined exposure: roughly $255 million. None of that was about clever hackers. It was about a company that decided answering the phone was optional.

Why irreversible P2P transfers are the structural flaw

Underneath the enforcement story is a design choice. Cash App moves money account to account, like cash. Once it is gone, there is no card network to reverse it. That is fine until someone is tricked or hacked, and then the "it's just like cash" model becomes "you are on your own." Federal law (Regulation E) actually requires banks and payment apps to investigate unauthorized electronic transfers and make users whole. What I keep coming back to is how ordinary the failure was: not a breach, just a decision to treat unauthorized transfers as the customer's problem. The CFPB called that decision a violation.

How PayPal's fraud detection actually works

PayPal is the natural "what works" example, but the marketing version is wrong. PayPal is not fraud-free, and pretending otherwise hides the real lesson. Its own filings show transaction and credit losses of $1.72 billion in 2025, up 19% from the year before. Fraud is alive and well inside PayPal. The difference is what happens next.

Buyer and Seller Protection as a reversibility layer

PayPal built reversibility into the product to safeguard both sides of a transaction. Eligible purchases come with Buyer Protection, and sellers get their own coverage, with a dispute and claims process sitting on top. When fraud happens, the system can often refund the buyer or reverse the transaction rather than strand them. That is the exact layer Cash App lacked. It is also expensive and slow and full of edge cases, and PayPal gets plenty of complaints about it. But "a frustrating dispute process" and "a dead phone line" are not the same category of failure.

Machine-learning risk scoring at transaction time

The second layer is detection. PayPal scores transactions in real time against hundreds of signals — device, location, history, velocity, behavior — to flag the ones that smell wrong before money moves. The headline result is a loss rate that has hovered near 0.08% of total payment volume, close to a record low, even as absolute losses grow with scale. Read those two numbers together and you get the honest version: more volume means more raw fraud dollars, but adaptive scoring keeps the rate down. The system is not magic. It is just maintained.

What works: best practices that cut fraud

So what actually moves the number? Strip away the vendor decks and the controls that genuinely prevent fraud are short and boring. They share one trait: they adapt or they add a second independent check, rather than trusting a single static gate.

Multi-factor authentication is the cheapest high-leverage control there is. Microsoft has reported that MFA blocks more than 99.9% of automated account-compromise attempts, and that nearly all compromised accounts had never turned it on. Machine-learning transaction scoring, device fingerprinting, and behavioral biometrics catch patterns that fixed rules miss; one bank reported cutting fraud losses by about 35% after deploying behavioral analytics, though that figure is vendor-reported and should be read as indicative, not gospel. Strong customer authentication through 3-D Secure 2 adds a verification step on card payments; it carries a friction cost (roughly one in five authentication attempts fails to complete), but it shifts liability and stops a real share of stolen-card use. Know-your-customer checks at onboarding and velocity limits round out the list.

| Control | What it stops | Evidence | Verdict |
|---|---|---|---|
| Multi-factor authentication | Account takeover | Blocks >99.9% of automated attacks (Microsoft) | Works |
| ML / behavioral scoring | Anomalous transactions | PayPal-style loss rates near 0.08% | Works |
| 3-D Secure 2 / SCA | Stolen-card use | Liability shift; ~1 in 5 abandon | Works, with friction |
| Device fingerprinting | Repeat fraudsters | Industry-standard signal | Works |
| KYC at onboarding | Synthetic identities | Regulatory baseline | Works |

Security theater: fraud protection that fails

Now the budget-wasters, the controls that feel like fraud protection and deliver almost none. Security questions are the worst offender. The answers (your mother's maiden name, your first pet) are guessable, scraped, or breached, and the US standards body NIST now formally prohibits knowledge-based authentication as a valid login factor. It does not "add a layer." It adds a false one.

SMS one-time codes are the next trap. They feel like MFA, but they ride on a phone number an attacker can steal through a SIM swap, which industry research suggests succeeds on the first attempt around 80% of the time; the FBI logged roughly $26 million in reported SIM-swap losses in 2024 alone. Then there are static, rules-only engines that never learn, and slow manual review queues that let fraud clear before a human looks. The most expensive piece of theater of all is the one Cash App taught us: making transfers irreversible by default and calling it speed. Engineers tend to treat reversibility as friction to design away. For the victim, it is the entire point.

Account takeover fraud: where models split

Account takeover fraud is the cleanest test of the whole argument, because both companies face the identical attack: a criminal gets a real user's credentials and tries to move the money. Same input, very different output.

On the prevention side, the counter is well established: enforce strong MFA (not SMS codes), watch behavioral signals for a login that does not match the owner, and throttle suspicious velocity. But prevention always leaks a little, and the second question is what happens when it does. PayPal's reversibility and dispute process give the hijacked user a path back. Cash App's historical stance, that an unauthorized transfer was the user's problem, left them stranded, which is precisely what turned a security incident into a $175 million accountability case. Same fraud, opposite ending, decided by a policy choice rather than a piece of code.
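The transaction-time scoring, velocity limits and rail-dependent handling discussed in the detection, best-practices and account-takeover sections, as an added example that is neither PayPal's nor any vendor's code: a small Python scorer run over constructed transactions combines new-device, geo-mismatch and velocity signals, then holds a risky send sooner on an irreversible account-to-account rail than on a reversible card rail. The weights, thresholds, window, sample fingerprints and timestamps are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Txn:
    user: str
    device_id: str    # device fingerprint; sample values below are constructed
    country: str
    ts: int           # seconds; constructed timestamps
    reversible: bool  # True on a card-backed rail, False on account-to-account

class RiskScorer:  # hypothetical scorer: device, geo and velocity signals only
    NEW_DEVICE, GEO_MISMATCH, VELOCITY = 40, 30, 50  # assumed signal weights
    WINDOW, MAX_SENDS = 600, 3  # assumed velocity limit: sends per window (seconds)

    def __init__(self, known_devices, home_country):
        self.known_devices = known_devices  # user -> set of trusted fingerprints
        self.home_country = home_country    # user -> usual country
        self.history = defaultdict(list)    # user -> recent transaction times

    def score(self, t):
        reasons, s = [], 0
        if t.device_id not in self.known_devices.get(t.user, set()):
            s, reasons = s + self.NEW_DEVICE, reasons + ["new_device"]
        if t.country != self.home_country.get(t.user):
            s, reasons = s + self.GEO_MISMATCH, reasons + ["geo_mismatch"]
        recent = [x for x in self.history[t.user] if t.ts - x < self.WINDOW]
        if len(recent) >= self.MAX_SENDS:  # too many sends inside the window
            s, reasons = s + self.VELOCITY, reasons + ["velocity"]
        self.history[t.user] = recent + [t.ts]
        return s, reasons

    def decide(self, t):
        # Irreversible rails get a lower hold threshold: nothing can claw it back later.
        s, reasons = self.score(t)
        hold_at = 50 if t.reversible else 30
        if s >= 80:
            return "block", reasons
        if s >= hold_at:
            return "hold_for_review", reasons
        return "approve", reasons

def demo():
    scorer = RiskScorer({"alice": {"dev-1"}}, {"alice": "US"})
    txns = [Txn("alice", "dev-1", "US", 0, True),      # known device, home country
            Txn("alice", "dev-9", "US", 60, True),     # new device, reversible card
            Txn("alice", "dev-9", "US", 120, False),   # same signal, irreversible P2P
            Txn("alice", "dev-1", "US", 180, True),    # fourth send in ten minutes
            Txn("alice", "dev-9", "BR", 240, False)]   # every signal at once
    return [scorer.decide(t)[0] for t in txns]
```

The second and third transactions carry the identical signal; only the rail changes, and that alone is what turns an approve into a hold.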

| Front | PayPal | Cash App (pre-2025) |
|---|---|---|
| Money model | Card-backed, reversible | Account-to-account, irreversible |
| When fraud hits | Buyer/Seller Protection, dispute path | Treated as the user's problem |
| Detection | Real-time ML risk scoring | Limited, growth-first |
| Fraud support | Claims process (slow but real) | Dead phone line for years |
| Regulatory record | Loss rate ~0.08% disclosed in filings | $175M CFPB order, $80M state penalty |

How to respond to fraud after it happens

Detection is only half the job; the response is the half regulators actually grade. When an unauthorized transfer slips through, the legal floor under US payment apps is Regulation E: investigate promptly, and make the user whole if the transfer was not authorized. That means a real investigation, a reachable human, and a clock. Cash App's $175 million bill had nothing to do with being hacked. It was about how the company answered afterward, or refused to. Build the response, not just the wall.

Fraud trends: where prevention is heading

The next phase is an arms race fought with the same weapon on both sides. Generative AI is powering the fastest-growing attack vector: Deloitte projects AI-enabled fraud losses in the US rising from $12.3 billion in 2023 to around $40 billion by 2027, and deepfake-driven scams jumped into the billions in 2025 by industry estimates. The same technology also drives the best defense. The Nilson Report credits AI with producing the strongest fraud-fighting models the card industry has had. Whoever iterates faster wins the round, which is exactly why static defenses are doomed and adaptive ones are not.

What this means for payment fraud prevention

The lesson from PayPal and Cash App is not "spend more on technology." Both spent plenty. The winning bet is narrow and unglamorous: reversibility, accountability, and a few controls that adapt instead of pretending. Theater is cheaper, right up until a regulator puts a $175 million price on it. So audit your own stack against the table above and ask the only question that matters. If you cannot reverse a fraudulent transfer or pick up the phone when a customer is robbed, you do not have payment fraud prevention. You have a logo.

Any questions?

On their own, those numbers are low-risk — they appear on every check you write. The real danger is when they are combined with stolen login credentials or used in a social-engineering scam to authorize a transfer. Guard the login and the one-time codes, not just the account number.

A common one: you sell an item online, the buyer pays, then files a chargeback claiming the charge was unauthorized and keeps the goods. That is friendly fraud. Other examples include a stolen card used online, or a scammer tricking you into sending a peer-to-peer transfer.

Credit cards and protected platforms like PayPal Purchase Protection are safest, because the transaction is reversible and disputes are investigated. The riskiest are irreversible methods — wire transfers, cryptocurrency, and direct peer-to-peer cash apps — where money sent to a scammer is usually gone for good.

There is no single product. The strongest setups layer machine-learning transaction scoring, multi-factor authentication, device fingerprinting, and 3-D Secure, then back them with a real dispute and refund process. A platform that detects fraud but cannot reverse it is only doing half the job.

It is shared, but ownership sits with the business, not just a compliance team. Leadership sets the risk appetite and funds the controls; fraud and risk teams run detection; engineering builds reversibility and authentication. The Cash App case shows what happens when everyone assumes someone else owns it.

The most frequent are phishing, business email compromise, account takeover, card and card-not-present fraud, and chargeback (friendly) fraud. Authorized push payment scams and deepfake-enabled fraud are growing fastest. Which one threatens you most depends on whether you are a consumer, a merchant, or a platform.
