Unauthorised fraud in the UK call for evidence
Published 15 July 2026
About this call for evidence
This Call for Evidence seeks input from organisations and individuals with relevant experience of unauthorised fraud in the UK.
Duration: From 15/07/26 to 07/10/26
Enquiries (including requests for the paper in an alternative format) to: Please send your response by 07/10/26 to: financecfe@homeoffice.gov.uk
Or use the Smart Survey link on gov.uk
If feedback can only be provided by paper, please send responses to:
Call for Evidence – Unauthorised Fraud
Homeland Security Group
6th Floor, Peel Building
Home Office
2 Marsham Street
London
SW1P 4DF
Please direct any questions to financecfe@homeoffice.gov.uk
Ministerial foreword
The UK faces a rapidly evolving fraud threat that causes profound harm to individuals, businesses, and the wider economy. Fraud is now the largest volume crime in England and Wales (46% of crime in the crime survey)[footnote 1]. with an estimated economic and social cost of £14.4bn[footnote 2]. Beyond financial losses, fraud causes profound personal harm on victims, undermines confidence in our economy, and provides a lucrative source of income for wider organised criminality. It is, increasingly, a national security threat.
Despite sustained efforts across government, law enforcement, and industry, the threat continues to rise. Unauthorised fraud, where criminals act without a victim’s knowledge or consent, has risen sharply, fuelled by increasingly sophisticated methods and the rapid evolution of our digital economy. In 2025, criminals conducted 3.81 million unauthorised fraud transactions[footnote 3], resulting in £703.4 million in losses. Bank and credit account fraud increased by 15% in the year ending December 2025, now representing around 66% of all fraud[footnote 4]. Criminals are exploiting social engineering, weaknesses in authentication, and new technologies such as deepfakes and generative AI to bypass defences at scale.
This Government has taken decisive action to protect the public and strengthen the UK’s resilience. But the pace of change in the digital economy, the complexity of the threat, and the sheer scale of criminal innovation mean that existing measures alone are not enough. Fraud cannot become an accepted cost of living or doing business in the UK. To beat a system‑wide threat, we need a system‑wide response. We must ensure that our policies, regulatory frameworks, and operational interventions remain agile, targeted, and grounded in the best available evidence.
That is why we are launching this Call for Evidence. It marks the first step in developing that response. We are seeking detailed input, supported by data, case studies, and operational insight, from organisations, industry bodies, law enforcement, regulators, consumer groups, and victims themselves.
Your evidence will help shape the Government’s next phase of activity to disrupt criminal operations, safeguard consumers, and reinforce the UK’s reputation as a secure place to do business.
Lord Hanson of Flint, Minister for Fraud
Introduction: understanding unauthorised fraud
What is unauthorised fraud?
Unauthorised fraud refers to fraudulent transactions made without the account holder’s knowledge or consent. Criminals gain access to a bank account, payment card, or remote banking channel and make transactions or withdraw funds without the victim’s participation or approval. Unlike authorised push payment (APP) fraud, where victims are deceived into making the payment themselves, unauthorised fraud occurs without the victim doing anything to initiate, approve, or enable the transaction.
In the UK, most transactions require Strong Customer Authentication (SCA), a form of two-factor authentication using at least two independent elements from of three categories: something the customer knows (e.g. PIN), has (e.g. phone or card), or is (e.g. biometric fingerprint or face scan). Banks and other payment service providers must apply SCA where payers make electronic payments, access payment accounts online or carry out any action through a remote channel which may carry a risk of fraud or other abuse. While SCA has strengthened payment security, advances in technology are enabling new fraud tactics as well as new prevention opportunities. Under the National Payments Vision, the Government will remove SCA regulations from the Payment Services Regulations 2017 to support a more flexible, outcomes-based approach.
Criminals typically obtain access by stealing or compromising credentials such as passwords, card details, authentication codes, or other personal information. Methods include phishing emails, malicious websites, impersonation calls, credential theft, and exploitation of vulnerabilities in online, mobile, or telephone banking systems. Once access is obtained, offenders conduct transactions, withdraw funds, or use the compromised account or card for further illicit activity.
There are several types of unauthorised fraud:
-
Unauthorised card fraud (including remote purchase fraud, card‑not‑received, counterfeit, lost/stolen, card ID theft)
-
Unauthorised remote banking fraud (online, mobile, and telephone banking)
-
Unauthorised cheque fraud[footnote 5]
These are all cases where transactions happen without the customer providing authorisation[footnote 6].
For the purposes of this Call for Evidence, unauthorised card fraud, unauthorised remote banking fraud and unauthorised cheque fraud are treated as the main categories of unauthorised fraud. Other types of unauthorised fraud are sometimes referenced depending on context, but these typically fall within one of the three categories above. For example, unauthorised cash withdrawal fraud is often included within remote banking or card fraud; unauthorised payments via Faster Payments or other transfers are usually treated as remote banking fraud; and unauthorised digital wallet fraud is generally counted under card fraud.
Account takeover (ATO) is also frequently referenced as a type of unauthorised fraud. In an ATO fraud, a criminal takes over another person’s genuine account. However, for the purposes of this CFE, ATO is treated as a fraud method or enabler, rather than a standalone fraud category. Analytically, it cuts across categories rather than replacing them. For example, ATO may result in unauthorised remote banking fraud (where online banking credentials are compromised), unauthorised card fraud (where a card is added to a digital wallet), or unauthorised remote banking fraud via telephone or mobile channels (where phone number compromise enables bank impersonation).
Unauthorised Fraud Origination
There is no comprehensive, standardised dataset that attributes the origination of unauthorised fraud to specific platforms or sectors. Origination and enabling activity are often multi‑stage, cross‑channel and not consistently captured (e.g. a scam starting on social media, moving to telecoms, and resulting in remote banking fraud).
Unauthorised fraud is frequently initiated through:
-
Phishing, a method which involves criminals sending fake emails, text messages, or hosting fraudulent online adverts that contain malicious links, and which trick users to revealing sensitive personal information (such as passwords), financial information (such as credit card numbers and bank accounts), or linking to websites which host malware (such as ransomware) which can sabotage systems and organisations.[footnote 7]
-
Data breaches and credential dumps, where stolen personal information or login data is leaked online, bought and sold between criminal actors, and used to access online accounts or convincingly impersonate victims.
-
Compromise of victims’ phone numbers, for example through SIM‑swap fraud, number porting abuse or call/SMS interception, enabling criminals to impersonate organisations or bypass security controls that rely on SMS or voice-based verification.
-
Social media profiles, which are targeted by criminals who are looking for information and images shared on profiles to gain information they could use to impersonate an individual’s identity, guess online passwords, or answers to any security question.[footnote 8]
-
Face-to-face card fraud, which involves in-person transactions, including contactless, typically using stolen cards and PINs. Offenders rely on low-tech methods such as ATM card entrapment, distraction theft, shoulder surfing, and PIN pad cameras. They may also use social engineering, including courier scams, to trick victims into handing over their cards.
-
Third‑party payment platforms, such as payment initiation, e‑wallet or open banking–enabled services, which may be exploited as part of the fraud chain.
Social engineering is a key method that enables unauthorised fraud across multiple channels. It involves manipulating victims into handing over credentials or security information, rather than breaking into systems directly.
-
Criminals impersonate trusted organisations, such as banks, government bodies or well‑known companies, using emails, texts, phone calls or fake websites to create urgency or fear.
-
Victims are persuaded to click links, download attachments, or enter credentials, often believing they are protecting their account or resolving a legitimate issue. Once credentials are stolen, criminals can gain unauthorised access to accounts, enabling unauthorised fraud such as making payments, changing contact details, or taking over accounts entirely, often without the victim realising until losses have occurred.
-
These techniques are often used on their own or in combination, allowing criminals to exploit trust across platforms and carry out unauthorised transactions.
Scale of the problem, enablers and tactics
Unauthorised fraud presents one of the most significant economic crime threats facing the UK today. Losses from unauthorised card fraud (debit, credit and other payment cards), as a proportion of bank turnover have remained relatively stable.[footnote 9] However, the number of incidents of all unauthorised fraud has continued to increase steadily. Data shows persistently high volumes and continued year on year growth.
Industry data shows unauthorised fraud is becoming more widespread. Volumes have risen steadily in recent years, reaching 3.81 million reported cases in 2025, an 11% increase on 2024 figures and a 40% increase on 2023.[footnote 10]
While total unauthorised fraud losses have fallen to £703.4 million in 2025[footnote 11] (down 5% on 2024)[footnote 12], the number of cases continues to grow, meaning more people are falling victim to fraud and facing its harmful effects. This reflects a shift from higher-value attacks to lower-value, high-volume fraud, increasing the scale of harm even as overall financial losses decline.
Other data sources confirm the scale of the threat and the trend of increasing volume of this type of fraud. The ONS estimate there were 2.7 million estimated ‘bank and credit account fraud’ incidents in the year ending December,[footnote 13] which accounted for 66% of total estimated fraud incidents and represented a statistically significant increase of 15% compared to the year ending December 2024 (2.4 million incidents).[footnote 14]
Criminals exploit a variety of tools and system vulnerabilities such as deepfake technology to manipulate identity checks, automated tools to breach accounts at scale, and sophisticated social‑engineering techniques to circumvent multi‑factor authentication.
Case study 1: Card ID fraud
Card ID fraud is when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else’s name. This type of fraud continues to underpin large proportions of unauthorised attacks, with more than 118,000 cases of identity fraud filled to the Cifas National Fraud Database (NFD) and Insider Threat Database (ITD) for the first six months of 2025.[footnote 15] Losses from card ID theft amounted to £54 million, with 103,171 recorded cases. [footnote 16]
These methods are often designed to bypass customer safeguards, enabling account takeover. As criminals adapt to stronger controls in some areas, they increasingly combine digital and social techniques across multiple channels to maximise their effectiveness and reduce the risk of detection.
Case study 2: SIM-swap attacks
Criminals intercept one‑time passcodes (OTPs) and bypass two‑factor authentication through social engineering and SIM‑swap attacks, a method that allows them to hijack a victim’s phone number and intercept security codes for banking and other services. SIM-swap attacks, which allow criminals to take control of victims’ phone numbers, have surged by 1,055% in the UK in 2024, rising from 289 to nearly 3,000 cases,, enabling criminals to hijack phone numbers and intercept banking security codes.[footnote 17] Subsequent reporting indicates that SIM‑swap activity continues to rise.[footnote 18] Cifas reports over 78,000 account (facility) takeover cases in 2025, a 6% increase on 2024, driven in part by a 38% rise in unauthorised SIM swaps.[footnote 19]
Those aged 61 and over remain the most frequently targeted group, accounting for 31% of cases, with filings for this cohort up 10% year‑on‑year. As reliance on mobile‑based authentication continues, SIM‑swap attacks and account takeovers are expected to continue increasing and are increasingly embedded in multi‑channel fraud, where criminals combine stolen data to maximise impact.[footnote 20]
The threat is amplified by AI enabled tactics. Deepfake videos, cloned voices, high quality fake websites, convincing social engineering scripts, synthetic identities and forged official documents are just some of the ways that technology boosts the tactics of international crime groups while lowering the technical barrier for lone bad actors. Deepfake tools are widely accessible worldwide, with the public increasing encountering deepfake content: there was a 469% increase in reports of suspected AI-enabled fraud incidents made to Report Fraud from 2023 to 2025.[footnote 21] According to Experian, 35% of businesses knowingly encountered generative AI related fraud in 2025. The percentage of retail banks affected has more than doubled from one in five in 2024 to almost half in Q1 2025.[footnote 22]
Case study 3: Synthetic IDs
Criminals exploit stolen or synthetic identities to circumvent institutional defences[footnote 23] and increasingly rely on compromised credentials at scale sourced from global breaches, such as Genesis Market, which was found to be hosting over 80 million stolen credentials before its takedown.[footnote 24] A synthetic ID is a fabricated identity created by combining real and fake information, often used to commit financial fraud.
These tactics are reinforced by the rapid growth of digital commerce and mobile banking, the expansion of digital wallets and app‑based banking, with 87 per cent of the adult population using at least one form of remote banking, i.e. internet banking, telephone banking and mobile banking.[footnote 25]
Case study 4: Digital wallet fraud
Digital wallet–based unauthorised fraud is also rising sharply, with criminals increasingly using phishing and impersonation calls to trick victims into approving a notification that allows a stolen card to be added to a fraudster’s digital wallet. Once provisioned onto the criminal’s device, these wallets can be used to make high‑value purchases that bypass traditional card limits, enabling rapid unauthorised spending without the victim’s physical card ever leaving their possession.[footnote 26]
There are indications that first party fraud, where individuals misuse their own accounts or falsely dispute transactions, contributes to unauthorised fraud. However, it is not consistently recorded in UK data, meaning its scale and impact are not well understood. It is likely to be concentrated in high-volume areas such as chargeback fraud, where individuals falsely claim a transaction was unauthorised or unsuccessful to obtain a refund[footnote 27]
While these insights help us understand some of the methods used by criminals, the current evidence base is insufficient to establish a direct causal relationship between these tactics and the rise in unauthorised fraud, nor to fully understand the connections between them. Similarly, there is not yet enough reliable evidence to determine the scale of the issue with confidence. As many of these tactics have existed for some time, they cannot alone explain the recent, and continuing, rise in unauthorised fraud volumes.
Open call for evidence
The Government is undertaking a comprehensive review of the UK’s response to unauthorised fraud. We seek data, intelligence, case studies, operational insights, technical assessments, and evaluations of existing or proposed prevention measures. Evidence may relate to:
-
Definitions and types of unauthorised fraud
-
Criminal methodologies, tactics and emerging threats (including AI-enabled attacks)
-
Drivers and enabling factors of unauthorised fraud
-
Technologies exploited (such as digital wallets and AI)
-
Weaknesses in current security mechanisms
-
Authentication and digital identity challenges
-
Industry response effectiveness
-
Data‑sharing and intelligence challenges
-
Any other barriers to reducing unauthorised fraud
-
Trends in attack origination and multi-stage/channel fraud (e.g., social media, telecoms compromise, data breaches)
-
Impacts on victims or businesses
-
Best and poor practice examples
-
Policy, regulatory and future intervention options
This Call for Evidence seeks comprehensive input from organisations and individuals with relevant experience of unauthorised fraud in the UK.
We welcome submissions from:
-
Financial services providers
-
Telecoms companies
-
Social media and online communications platforms
-
Payment service providers and fintechs
-
Retail consortiums and trade bodies
-
Law enforcement and regulators
-
Fraud prevention bodies
-
Consumer organisations
-
Researchers and academics
-
Victims or affected parties
-
Any other relevant stakeholders
Questionnaire
Section 1: Criminal Methodologies & Emerging Threats
Please provide evidence, data or case studies where available.
Q1 What do you consider to be unauthorised fraud?
Q2 How does your organisation differentiate unauthorised fraud from authorised fraud, and what sorts of cases do you find it difficult to do so?
Q3 What types of unauthorised fraud have you or your organisation been exposed to?
Q4 What methodologies do criminals use to commit unauthorised fraud?
Q5 What evidence do you hold on the scale and nature of first‑party fraud within unauthorised fraud, including its prevalence in remote purchase, card, and dispute‑related transactions?
Q6 What emerging threats do you anticipate over the next 3–5 years?
Section 2: Drivers of Unauthorised Fraud
Please provide evidence, data or case studies where available.
Q7 What factors are causing or enabling unauthorised fraud to happen?
Q8 What technologies or digital developments are being exploited to enable unauthorised fraud (for example, digital commerce such as online retail and e-commerce platforms; e-sims, mobile banking and app based financial services)?
Q9 What role has the growth of digital wallets (e.g. pass‑through wallets and in‑device wallets) played in the incidence or nature of unauthorised fraud?
Q10 How is artificial intelligence used to enable and prevent unauthorised fraud, and how is this likely to evolve over the next 2–5 years?
Section 3: Origins of Unauthorised Fraud
Please provide evidence, data or case studies where available.
Q11 Where do unauthorised fraud attacks most commonly originate (platforms, devices, networks, geographies)?
Q12 What evidence is there that criminals use more than one step or channel to carry out unauthorised fraud, and how do these stages interact?
Section 4: Barriers to Reducing Unauthorised Fraud
Please provide evidence, data or case studies where available.
Q13 What are the main barriers to reducing unauthorised fraud?
Q14 What is the most effective way to address these barriers, and which actors are best placed to do so (for example, industry, Government, regulators or other bodies)?
Q15 How does your organisation balance commercial interest, such as speed and accessibility, with robust security and customer protection?
Q16 What incentives exist to tackle unauthorised fraud, and how might they be strengthened?
Section 5: Existing measures to address Unauthorised Fraud
Please provide evidence, data or case studies where available.
Q17 What steps has your organisation taken to prevent or reduce unauthorised fraud, and how effective have these measures been in practice? Please provide evidence of impact where available, including any data, evaluations or lessons learned.
Q18 What are firms’ current transaction risk monitoring and analysis capabilities to identify and prevent unauthorised fraud, and how can they be improved?
Q19 Are there any examples of best practice, in the UK or internationally, that have successfully prevented, disrupted or reduced unauthorised fraud?
Section 6: Technical Standards, Controls & Authentication
Please provide evidence, data or case studies where available.
Q20 How effective are current authentication methods (e.g., PIN‑based, OTP‑based, transaction risk data, biometrics, behavioural analytics)?
Q21 What weaknesses in technical standards and regulatory requirements are most commonly exploited?
Q22 What additional standards, safeguards or controls would improve resilience against unauthorised fraud?
Q23 How effective are current digital identity controls (including biometrics) in preventing unauthorised fraud?
Section 7: Future Policy & Regulatory Intervention
Please provide evidence, data or case studies where available.
Q24 What options should Government consider to close vulnerabilities and strengthen defences?
Q25 Which regulatory levers or industry standards could most effectively reduce unauthorised fraud?
Q26 What future interventions are in development across industry to tackle unauthorised fraud? Please include examples such as new technologies, tools, or approaches to identify or prevent fraud.
Q27 Are there any further views, evidence or data relevant to unauthorised fraud that have not been covered in this questionnaire?
Thank you for participating in this call for evidence.
About you
Please use this section to tell us about yourself
Full name:
Job title or capacity in which you are responding to this consultation exercise (for example, member of the public):
Date:
Company name/organisation (if applicable):
If you would like us to acknowledge receipt of your response, please tick this box (please tick box)
Contact details and how to respond
Please send your response by 7 October 2026 to:
Email: financecfe@homeoffice.gov.uk
Or use the Smart Survey Link on gov.uk
Complaints or comments
If you have any complaints or comments about the process, you should contact the Home Office at financecfe@homeoffice.gov.uk.
Extra copies
Further paper copies of this consultation can be obtained from this address, and it is also available online at gov.uk.
Alternative format versions of this publication can be requested from financecfe@homeoffice.gov.uk
Confidentiality
Information provided in response to this consultation, including personal information, may be published or disclosed in accordance with the access to information regimes (these are primarily the Freedom of Information Act 2000 (FOIA), the Data Protection Act 2018 (DPA), the General Data Protection Regulation (GDPR) and the Environmental Information Regulations 2004).
If you want the information that you provide to be treated as confidential, please be aware that, under the FOIA, there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this it would be helpful if you could explain to us why you regard the information you have provided as confidential. If we receive a request for disclosure of the information we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Home Office.
The Home Office will process your personal data in accordance with the DPA and in the majority of circumstances.
The Home Office will share responses with HM Treasury; however, all responses will be anonymised and any personal data will be removed prior to sharing.
-
Categories as described in UK Finance, Annual Fraud Report, 2026 ↩
-
UK Finance, Annual Fraud Report, 2026 ↩
-
Identity Fraud: How Criminals Can Access Your Information, Equifax UK ↩
-
Mobile networks must step up to prevent Sim-swap fraud - Which? ↩
-
Report fraud, AI reports, 2026 ↩
-
Financial crime state of the industry report 2025, The Payments Association ↩
-
Notorious criminal marketplace selling victim identities taken down in international operation - National Crime Agency ↩
-
Cifas research reveals nearly half of UK adults feel first party fraud is acceptable, Cifas ↩