Fraud losses are climbing, case volumes are growing, and operational costs are rising.
The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.
Banks and financial institutions are investing heavily in prevention: device intelligence, behavioural analytics, malware detection, transaction monitoring, and more. Yet despite these layers, fraud continues to slip through the cracks, often in ways that are invisible to any single team or tool.
Every undetected attack has consequences: financial loss, regulatory scrutiny, reputational damage, and the stress of overburdened fraud teams. Analysts spend hours reconciling alerts, teams chase the same threat from different angles, and governance becomes harder to demonstrate.
If your organisation has ten or more tools designed to catch fraud, why are attackers still getting through?
This article examines the hidden gaps that fragmented systems create and why layered defence alone is no longer enough.
The limits of layered defence
Traditional fraud strategies assume that stacking multiple controls will cover gaps. But modern attacks do not move layer by layer. Fraudsters exploit the gaps between systems, using channels and sessions in ways that no single layer sees.
Each tool sees only a part of the picture. None captures the full attack.
Gaps in practice
Different teams and systems have their own focus:
Device tools track fingerprints, IPs, and configurations.
Behavioural analytics monitors session patterns.
Malware detection identifies infections and remote access.
Transaction monitoring checks authorisation, value, and timing.
Fraudsters, however, do not respect organisational or technological boundaries. A session that appears safe on mobile may lead to a web payment compromise. Malware may trigger in one system but never reach fraud operations. Alerts often travel between systems only as risk scores, stripping away the context needed to understand the attack.
An example: a hybrid APP scam
Consider a common scenario:
A victim receives an SMS lure.
They call a spoofed number.
They are instructed to install remote access software.
The fraudster observes the banking session.
A payment is authorised through mobile or web.
Individually, each system sees only part of the issue: the device vectors are genuine, the session appears legitimate with the exception of a remote access tool operating in the background (which can be justified in work environments), and the transaction is authorised by the account holder. But combined, these events form a single attack. Because the systems omit context, layered controls do not recognise the full pattern.
The cost of disconnected systems
The consequences go beyond lost money:
Analysts spend time reconciling conflicting or duplicate alerts.
Organisations maintain multiple vendors and data pipelines, increasing cost without improving coverage.
Cross-channel attacks often go undetected.
In the 2022 Alloy State of Fraud Benchmark Report, 71% of financial institutions surveyed increased spending on fraud prevention compared with the previous year, yet 91% still reported a rise in fraud. This shows that investment alone doesn’t close the gaps created by disconnected systems. Independent studies suggest that for every pound lost to fraud, banks may spend several pounds more in associated operational and recovery costs. These inefficiencies are what we call the “silo tax.”
Connecting layers to stop attacks
Fraud today spans devices, channels, and sessions. Detecting it early requires seeing it as a sequence rather than as separate events. Signals from one system must reinforce those from others to reveal the attack pattern.
Attack Pattern Recognition (APR) reconstructs attacks by linking signals across devices, sessions, channels, and transactions. It traces the path from the first compromise to the fraudulent transaction, highlighting connections that isolated systems would miss. When analysts can follow the full sequence, investigations become faster, and prevention moves earlier.
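The contrast between score-only alerting and sequence linking can be shown on the hybrid APP scenario above. This is an added illustration, not Cleafy's APR implementation or code from the article; the event fields, scores, alert threshold and time window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, as four siloed tools might emit them.
EVENTS = [
    {"ts": "2025-11-27T10:02:00", "customer": "C1", "channel": "mobile",
     "source": "device", "signal": "known_device", "score": 5},
    {"ts": "2025-11-27T10:03:10", "customer": "C1", "channel": "mobile",
     "source": "malware", "signal": "remote_access_tool", "score": 40},
    {"ts": "2025-11-27T10:04:00", "customer": "C1", "channel": "mobile",
     "source": "behaviour", "signal": "session_normal", "score": 10},
    {"ts": "2025-11-27T10:09:30", "customer": "C1", "channel": "web",
     "source": "transaction", "signal": "payment_authorised", "score": 15},
    {"ts": "2025-11-27T11:00:00", "customer": "C2", "channel": "web",
     "source": "transaction", "signal": "payment_authorised", "score": 15},
]
ALERT_THRESHOLD = 70            # assumed per-tool alerting threshold
WINDOW = timedelta(minutes=30)  # assumed correlation window

def siloed_alerts(events):
    """Each tool judges its own event by score alone; context is discarded."""
    return [e for e in events if e["score"] >= ALERT_THRESHOLD]

def correlated_alerts(events):
    """Link events per customer in time order; flag remote access followed by a payment."""
    by_customer = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_customer.setdefault(e["customer"], []).append(e)
    alerts = []
    for customer, seq in by_customer.items():
        rat_seen = None  # (time, channel) of the last remote-access signal
        for e in seq:
            t = datetime.fromisoformat(e["ts"])
            if e["signal"] == "remote_access_tool":
                rat_seen = (t, e["channel"])
            elif (e["signal"] == "payment_authorised" and rat_seen
                  and t - rat_seen[0] <= WINDOW):
                alerts.append({
                    "customer": customer,
                    "pattern": "remote_access_then_payment",
                    "cross_channel": rat_seen[1] != e["channel"],
                    "chain": [x["signal"] for x in seq if x["ts"] <= e["ts"]],
                })
    return alerts

if __name__ == "__main__":
    print("siloed:", siloed_alerts(EVENTS))
    print("correlated:", correlated_alerts(EVENTS))
```

No single event crosses its tool's threshold, so the siloed view raises nothing, while the linked view flags customer C1 with the full chain of signals and marks the mobile-to-web hop.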
Closing thought
Banks do not need more layers. They need their existing layers to better communicate. Fraud is coordinated, and detection must be deliberate and coordinated as well. Until systems connect, layered defence only works in theory.
*Alloy – State of Fraud Benchmark Report (survey of ~250 decision‑makers at financial institutions)
27.11.25
Mick Morris, Product Director, Cleafy