The new face of fraud: 5 emerging threats credit unions must address in 2026

The fraud landscape has fundamentally changed. What once required technical expertise and significant resources can now be executed at scale using readily available AI tools, putting credit union members at unprecedented risk. Understand how you can prevent these emerging threats through member engagement and training.

1. AI-powered deepfake fraud

Deloitte's Center for Financial Services predicts that generative AI could enable fraud losses to reach $40 billion in the United States by 2027, up from $12.3 billion in 2023. This dramatic increase is largely driven by deep-fake technology that creates convincing fake videos and audio.

Fraudsters use synthetic voices to bypass voice-based authentication systems and trick know-your-customer processes.  

They're also creating AI-generated videos to impersonate executives during video conference calls. A member might receive a phone call from someone who sounds exactly like their loan officer requesting immediate fund transfers, or criminals could use deepfakes to pass video verification during account opening.  

According to Signicat's Battle Against AI-Driven Identity Fraud 2024 report, fraud cases using AI deepfakes have risen over 2,000% in the last three years, with AI involved in 42.5% of all fraud cases.

Steps for prevention:  

Implement multi-factor authentication that doesn't rely solely on voice or video verification. Establish out-of-band verification protocols for sensitive transactions, requiring members to confirm requests through a separate channel.  

Train staff to recognize red flags even in seemingly legitimate interactions, and educate members about deepfake risks through regular communications. Consider implementing behavioral biometrics that analyze typing patterns, mouse movements, and navigation habits rather than just verifying identity through appearance or voice.

2. Synthetic identity fraud

Criminals are fabricating entirely new identities by combining real and stolen information, such as pairing a legitimate Social Security number with a fake name and address. These ghost profiles can bypass traditional identity verification and operate for months before defaulting, a process known as a "bust out."

When these fraudulent accounts eventually default, credit unions absorb significant losses. Real members whose information was stolen as part of the synthetic identity may face credit bureau complications, damaged credit scores, and the long process of proving they weren't responsible for the fraudulent activity.  

Unlike traditional identity theft, where the victim quickly notices unauthorized activity, synthetic identity fraud can go undetected for years.

How to spot a threat:  

Enhance your identity verification process beyond basic credit bureau checks. Look for inconsistencies in application data, such as addresses that don't match typical patterns or phone numbers that have recently been associated with the Social Security number. Monitor new accounts closely during the first 90 days for any behavior that doesn't align with the account's stated purpose.  

Additionally, two other options can help to flag patterns or applications across institutions. Consortium data flags identities appearing across multiple institutions simultaneously. Velocity checks identify suspicious patterns, such as multiple applications from similar profiles within a short timeframe.

3. Authorized push payment fraud

Scammers use sophisticated social engineering tactics, often powered by AI-driven deepfakes and personalized phishing, to trick legitimate customers into sending money to fraudulent accounts. Unlike traditional fraud, where criminals steal credentials, authorized push payment fraud convinces members to willingly authorize the transaction themselves.

Urgent, convincing messages that appear to come from trusted sources such as your credit union, a family member in distress, or a government agency. The member is pressured to act immediately, often being told their account is compromised or a loved one needs emergency funds.  

Because the member authorized the transaction, recovery is extremely difficult and creates disputes about liability. The emotional toll of realizing they've been scammed compounds the financial loss.

What credit unions can do:  

Implement friction in the right places. Add confirmation steps for unusual payment patterns, especially wire transfers to new recipients or payments that deviate from a member's typical behavior.  

Create clear member education campaigns that emphasize your credit union will never ask them to move money to "protect" it or demand immediate action without giving them time to verify. Establish a verification callback protocol that members can use when they receive suspicious requests. Consider delayed processing for high-risk transactions, giving members a window to cancel if they realize they've been scammed.

4. Business email compromise and vendor fraud

Business email compromise continues to dominate fraud attempts, affecting 62% of companies, with invoice fraud remaining the most common attack at 58% of organizations. Fraudsters compromise or impersonate email accounts to send fake invoices or payment change requests that exploit routine payment processes and vendor trust.

This primarily affects your business members who may face significant losses that impact their ability to repay loans or maintain deposits with your credit union. Many companies still rely on methods such as human callbacks or email confirmations to validate vendor bank account information, but these approaches are increasingly ineffective against AI-enhanced attacks that can spoof entire email threads and create convincing forgeries.

How to support business members:  

Offer business members specific guidance on vendor payment authentication protocols. Encourage them to establish out-of-band verification for any payment change requests, using a known phone number rather than one provided in the email. Provide fraud detection tools specifically designed for business accounts that flag unusual payment patterns.  

Consider hosting workshops for business members to recognize BEC attempts and implement internal controls. Work with business members to establish dual authorization requirements for payments above certain thresholds.

5. Romance and pig butchering scams enhanced by AI

Emotionally intelligent bots powered by generative AI now carry out complex scams like romance fraud and relative-in-need scams without a human behind the keyboard. Scammers use these bots to build fake relationships, send convincing images, and guide victims into investment or romance traps. These bots respond convincingly, build trust over time, and manipulate victims with precision and emotion.

These scams are becoming more scalable and convincing because AI can manage multiple victim conversations simultaneously with personalized responses. Members may lose their life savings before realizing they've been scammed. The shame associated with falling for a romance scam often prevents victims from reporting it promptly, giving fraudsters more time to drain their accounts.

Ways to prevent and respond:  

Train frontline staff to recognize warning signs, such as members making unusual international transfers, investing in cryptocurrency for the first time, or withdrawing large sums while appearing anxious or secretive. Create a judgment-free environment where members feel comfortable discussing potential scams.  

Implement transaction monitoring that flags patterns consistent with romance scams, like progressive increases in transfers to the same recipient or sudden interest in investment products inconsistent with the member's history.  

Moving forward

The weaponization of AI to create convincing, scalable attacks is only growing. Credit unions must respond with a combination of enhanced technology, updated procedures, staff training, and member education. The institutions that will best protect their members are those that recognize fraud prevention isn't just a security function but a member service priority that requires ongoing attention and investment.

Stay ahead of rapidly evolving fraud risks at Fraud & Security Virtual Conference, happening December 1–3, 2026.