by Surbhi Sood and Srinivas Balakrishnan
May 5, 2026
Fraud in financial systems has evolved into an industrialized, tech-enabled supply chain. It includes specialized roles, scalable scripts, fraud-as-a-service tools, mule networks, and rapid cash-out mechanisms. This blog, the second in a three-part series, highlights how fraud exploits weak controls, agent channels, and legal delays, and thus calls for system-wide upheaval over isolated consumer awareness efforts.
Somewhere in a compound in Myanmar or Cambodia, a team of workers, many of them trafficked, sits at a screen following a script. They know exactly what to say, when to escalate, how to handle a hesitant victim, and when to hand the call to a “supervisor” for added authority. They are not criminals in any conventional sense. They are employees of a fraud enterprise, one that has refined its operations through feedback loops, performance metrics, and iterative script improvement in the same way a legitimate call center would.
In 2025, the reality of financial fraud is a supply chain that we have to understand before we can disrupt it. The supply chain moves through distinct levels. Fraudsters target victims, exploit their vulnerabilities, execute the fraud, and cash out through formal transaction channels.

The organizational structure of fraud as an industry
In 2024, Americans lost at least USD 10 billion to fraud operations run from call center farms, as per US State Department estimates. These farms are human compounds where operators force workers to perpetrate fraud under the threat of violence. The UN estimates more than 200,000 people are held in such scam compounds across Southeast Asia.
These fraudsters are well organized and operate with a clear division of labor. They have:
Fraud networks continuously use performance data to refine scripts, based on which phrases work, where victims hesitate, and when they drop off. AU10TIX’s fraud evolution analysis notes that networks copy and scale high-performing scripts, which is why remarkably similar scam variants appear simultaneously across geographically distant markets. This is not a coincidence, but a result of franchising.
How is the agent layer exploited?
In emerging markets, the last-mile agent network is both a financial inclusion asset and a fraud-prone vulnerability. MSC’s long-running research on DFS agent fraud across Uganda, Kenya, Bangladesh, and India has documented that fraudsters exploit agents at two levels. Agents are often unwitting entry points for fraudsters who manipulate them into assisting transactions, and they are also active participants in fraud rings that exploit their privileged system access.
In India, the AePS (Aadhaar-enabled Payment System) layer is particularly exposed. Our dedicated AePS fraud analysis found that AePS-related fraud accounts for 11% of 1.13 million reported cases, which equals INR 823.74 crore or USD 98 million approximately. Surprisingly, some providers reported up to 20 times more fraud than others as a percentage of their total transaction volume. This variance is not random. It reflects systematic exploitation of weaker-controlled agent channels, where biometric spoofing, cloned fingerprints, and social engineering of agents combine to drain accounts at scale.
The agent layer is where the first line of consumer interaction occurs for the most vulnerable users. Oral, semi-literate, and rural populations rely on agent mediation rather than self-initiated digital transactions. MSC’s research on customer vulnerability and trust in Indian digital financial services (DFS) found that agents in some villages set the same PIN, such as 1234 or 5555, for every user they onboarded. This vulnerability is systemic. It stems from a convenience-over-security trade-off that defines last-mile delivery, and fraud networks are quick to exploit it.
What are the tools that enable manipulation?
The industrialization of fraud is inseparable from its technical infrastructure. The toolkit has become both more accessible and more sophisticated simultaneously.
Fraud-as-a-Service platforms now operate like SaaS companies, and include subscription pricing, modular attack kits, customer support, and feature roadmaps. A small-time fraudster can subscribe for as little as USD 50 per month to access enterprise-grade phishing templates, synthetic identity generators, deepfake toolkits, and on-demand botnets. The barrier to entry has collapsed.
The core technical instruments in play are:
In India, the technical layer is specifically tuned to the Unified Payments Interface (UPI) infrastructure. Research by CUTS International exposes malicious apps that train mules to use bank-specific UPI apps, register UPI IDs with different mobile numbers to intercept OTPs, and use merchant payment addresses to make transactions appear legitimate. The system even provides scripts for mules to follow when questioned by bank officials and acts as a supply chain within a supply chain.
The money supply chain: From transfer to disappearance
The moment a victim authorizes a payment, a second supply chain begins, designed to make that money irretrievable within minutes.
The flow is precise: funds arrive in a mule account, are immediately redistributed across multiple secondary accounts, converted to stablecoins, cryptocurrency, or prepaid instruments through weak-KYC exchanges, and withdrawn through agents. BioCatch’s 2025 Digital Banking Fraud report documents that by mid-2025, stablecoins accounted for 63% of all illicit on-chain transactions, with an estimated USD 649 billion in fraudulent flows. Unlike volatile cryptocurrencies, stablecoins offer criminals dollar-pegged stability combined with instant, irreversible transfers that bypass traditional SWIFT monitoring and AML controls.
The mule network is expanding at an alarming speed. US financial institutions reported a 168% surge in confirmed money laundering cases in the first half of 2025. In India, mule recruitment operates as a Telegram-based pyramid scheme. Agents recruit participants who want easy money to move funds through their accounts and often do not understand the legal exposure they carry. When accounts are frozen, the fraud network provides recovery scripts. When accounts are closed, new ones are opened with fake GST registrations and business certificates.
The legal architecture compounds the problem. The Prevention of Money Laundering Act prevents banks from freezing suspected mule accounts without a court order. Fraudsters are acutely aware of this delay and systematically exploit it by moving funds in the window between detection and authorization.
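The redistribution step described above, a credit landing in one account and being split across several others within minutes, is one of the few points where a bank's own ledger shows the pattern. The sketch below is an added example, not part of the original blog or of any provider's system; the account names, transactions, and thresholds (10-minute window, three payees, 80% forwarded) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (timestamp, source, destination, amount)
TXNS = [
    ("2025-06-01T10:00:00", "victim_1", "acct_A", 50000),
    ("2025-06-01T10:02:00", "acct_A", "acct_B", 16000),
    ("2025-06-01T10:03:00", "acct_A", "acct_C", 17000),
    ("2025-06-01T10:04:00", "acct_A", "acct_D", 16500),
    ("2025-06-01T11:00:00", "employer", "acct_E", 40000),   # ordinary salary credit
    ("2025-06-01T11:05:00", "acct_E", "landlord", 12000),
    ("2025-06-03T09:00:00", "acct_E", "grocer", 1500),
]

def flag_rapid_fanout(txns, window=timedelta(minutes=10), min_payees=3, min_drain=0.8):
    """Return alerts for accounts that receive a credit and, within `window`,
    forward at least `min_drain` of it to `min_payees` or more distinct accounts.
    All three thresholds are illustrative assumptions, not tuned values."""
    parsed = sorted((datetime.fromisoformat(ts), s, d, a) for ts, s, d, a in txns)
    outbound = defaultdict(list)
    for ts, src, dst, amt in parsed:
        outbound[src].append((ts, dst, amt))

    alerts = []
    for ts, _src, dst, amt in parsed:  # treat every transfer as a credit to dst
        later = [(t, p, a) for t, p, a in outbound[dst] if ts < t <= ts + window]
        payees = {p for _, p, _ in later}
        forwarded = sum(a for _, _, a in later)
        if len(payees) >= min_payees and forwarded >= min_drain * amt:
            last = max(t for t, _, _ in later)
            alerts.append({
                "account": dst,
                "credit": amt,
                "forwarded": forwarded,
                "payees": sorted(payees),
                # how long a freeze decision would have had to take effect
                "seconds_to_drain": int((last - ts).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in flag_rapid_fanout(TXNS):
        print(alert)
```

The `seconds_to_drain` field is the figure to compare against how long a freeze takes to authorize: in the constructed data the account is emptied four minutes after the credit arrives.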
The design implication
Design is one of the most neglected and highest-impact tools available, but it works best as one lever in a larger system. Regulators, platforms, and banks must intervene and disrupt the fraud supply chain at multiple nodes simultaneously, not just educate consumers at the end of the chain. The operational machine is built on the assumption that detection will be slow, mule accounts will remain open long enough to be cleared, legal channels will create delays, and victims will be too ashamed or confused to report quickly.
The question is not whether we can outpace the fraud supply chain. It is whether we can redesign the protection system with the same rigor with which the fraud supply chain has been built.