Fraudsters Exploit Banks’ Blind Spot in Internal Transfers
Watch more: Need to Know: Entersekt, Mzu Rusi
When it comes to fraud, banks have traditionally built their defenses around the obvious exits.
Wire transfers, ACH, peer-to-peer (P2P) payments and other ways money leaves the institution are the red flags that fraud prevention teams obsess over.
But as with many obsessions, this focus can create a dangerous blind spot: internal transfers.
“Most fraud defenses are designed to detect money that’s moving out of the institution, but transfers, not so much,” Entersekt Vice President of Product Mzu Rusi told PYMNTS. “They’re treated as routine, low-risk behavior. And that’s exactly the point. Bad guys exploit that gap in both the perception and control.”
Internal transfers are meant to be mundane. They cover overdrafts, balance liquidity or simply let customers shuffle money. However, they are increasingly becoming fraud’s favorite camouflage.
“If a fraudster has gotten into your account, their first action is not to send money out,” Rusi said. “It’s to move money within the user’s accounts or to a mule account that they’ve linked. Because internal transfers happen instantly, often without any authentication, there’s no time to intervene.”
Why the Login Obsession No Longer Works
This overlooked attack vector is more than a quirk of outdated fraud models. It’s emerging as a systemic weakness. The sheer volume of internal activity makes detection difficult. Flagging unusual behavior risks false positives that frustrate legitimate customers. Fraudsters know that burying illicit transfers inside thousands of routine ones provides cover.
But the overall blind spot isn’t just about transaction types. It’s also about mindset. Banks have long clung to the belief that once a user passes the login, the session is safe.
“Existing fraud stacks are built around the idea that once a user’s in, you can trust everything,” Rusi said. “The session is trusted indefinitely. That would’ve made sense 10 years ago, before we had industrialized fraud crime.”
Today, fraudsters don’t need to break in through the front door. They can manipulate users through social engineering, hijack sessions with malware, or deploy deepfake tools to impersonate account holders.
“Login success should just be the beginning of a risky journey,” Rusi said. “It shouldn’t be the end.”
“It’s similar to protecting your front door at home,” he added. “When the fraudster is in, he can move around the house freely. Modern defenses have to move beyond that initial entry. The question is not about, ‘Did you just log in?’ It’s about, ‘Are you still acting like you?’”
Technology is only part of the challenge. The most insidious fraud doesn’t involve hacking systems but hacking people.
“That’s the most dangerous part,” Rusi said. “Fraudsters aren’t hacking your systems; they’re hacking your user.”
Reimagining the Fraud Defense ArchitectureIf login is just the start, then what comes next? For forward-thinking firms, the answer can lie in continuous and contextual trust, a model built atop an architecture that evaluates every action, not just the login, in real time.
Fraud is no longer a matter of perimeter defense. It’s a constant, adaptive process. Attackers are scaling their operations with the same tools (automation, artificial intelligence, behavioral analysis) that financial institutions use to fight back.
“We’re not building fences anymore,” Rusi said. “We’re building intelligent boundaries.”
The challenge is balancing protection with user experience. Too much friction leads to fatigue and frustration. Too little invites risk.
“Every interaction should absolutely be evaluated,” Rusi said. “But it doesn’t mean that you need to actively challenge the user … Authenticate every single interaction, but how you authenticate is super important.”
This is where Entersekt differentiates between active authentication like biometric scans, device prompts and silent authentication, where device signals, behavioral patterns and contextual data operate behind the scenes.
“I see experience and strong fraud prevention as a false trade-off,” Rusi said. “They’re both outcomes of understanding user intent … Speed doesn’t kill, but blind speed does.”
When the system knows what the user is trying to do, and whether that intent makes sense, it can accelerate legitimate transactions while intervening only when risk is high.
“It would look totally different to what most institutions have today,” Rusi said. “Every interaction is scored in real time. You don’t inherit trust just because the login has succeeded.”
The post Fraudsters Exploit Banks’ Blind Spot in Internal Transfers appeared first on PYMNTS.com.