Fraudsters move fast. Regulation, controls and customer education eventually catch up and then criminals change tactics again. That constant cat-and-mouse dynamic was a recurring theme in my conversation with Remy Knecht, Head of Anti-Fraud Services at Isabel.

From his position in a multi-bank ecosystem that processes around €2.3 trillion a year for some 50,000 companies across around 2,000 banks, Remy has a wide-angle view of how fraud is evolving in the Benelux region, and where banks need to adjust their approach if they want to shift from simply responding to incidents to building real fraud intelligence.

Verification of Payee: Helpful, but Not a Silver Bullet

Verification of Payee (VoP) / IBAN name check has often been presented as a major step forward in the fight against fraud. On paper, it is: when a customer signs a payment, they get an indication whether the account matches the name they expect. That pushes one important control upstream to the customer and can stop a fair amount of misdirected payments before they leave the account.

But criminals are already adapting.

Remy explained how fraudsters mimic legitimate business practices to get around VoP. Large firms such as telecom providers sometimes use collection agencies with a different name to chase unpaid bills. Criminals copy that pattern: they send emails saying a supplier has moved to a new “external agency”, sometimes even spoofing the supplier’s real domain.

Because many domains are still poorly protected against spoofing, these emails can appear to come from the genuine supplier. The fake invoice does not only contain a different IBAN; it also uses the name of a newly created company that legitimately matches that IBAN. When the victim enters the payment, VoP returns a reassuring green light, but it is a green light for a mule account behind a fake company!

The result is a dangerous false sense of security. The control is working as designed, but the design assumes the company on the other side is genuine. That means banks and their partners need additional layers of checking beyond VoP: looking at where the account is held, how strong the onboarding checks were, and whether that institution or jurisdiction is frequently used for criminal activity.

Looking Beyond the Single Payment

One of the most important shifts Remy described is moving from checking single payments in isolation to monitoring the whole chain: from onboarding and invoicing through to the actual transfer of funds.

The rollout of mandatory B2B e-invoicing via networks such as Peppol in Belgium is a good example. Electronic invoicing is often sold as “more secure” than email, and it is more secure in transit.

But Remy highlighted a weakness elsewhere: the checks when registering for an e-invoicing access point can be relatively light. It is not that hard for a determined criminal to impersonate a company and start sending invoices at scale.

Instead of one-to-one email scams, they suddenly have the ability to push hundreds or thousands of fake invoices through a channel that accountants and ERP systems are taught to trust. Again, the victim sees the invoice arriving through a “safe” rail and assumes it must be legitimate.

To address this, Isabel is broadening its view beyond “atomic” payments and scanning the entire process:

• How was the supplier onboarded?
• Does the company name, brand and IBAN match historical patterns?
• How many customers pay this supplier, and is one of them suddenly receiving an invoice that looks different to the rest?

If nine customers are paying a supplier in a consistent way and the tenth receives an invoice with a new IBAN or unusual details, that anomaly is a valuable signal long before the payment is sent.

CTO Tim Van der Wee, who is coordinating the Isabel Invoice Screening tool, says: “Peppol and standardisation create a real opportunity to shift fraud-prevention controls left – to the point of invoice receipt and pre-accounting – where invoices are reviewed and approved individually and full context is still available. By the time payments are executed - often in batches, that context is largely gone, and controls become less effective and more disruptive.” (You can find more info in Isabel's blogpost here).

Signals Hidden in the Behaviour

Data from the payment itself: amount, counterparty and timing, is only part of the story. Behavioural and contextual data is increasingly important, especially as criminals industrialise their attacks.

Remy pointed out that phishing kits and fake banking websites are now readily available for rent on the dark web and even via messaging platforms. Fraudsters no longer need deep technical skills to mount sophisticated credential theft campaigns.

However, once credentials are stolen and used, they leave traces:

• Logins from new devices, locations or operating systems
• Unusual patterns of access compared to the customer’s history
• Transactions initiated in a way that does not match normal behaviour

In Belgium, banks and telecom providers have gone a step further by collaborating on anti-phishing and anti-smishing initiatives. Suspicious domains can be shared and blocked across networks, and users are warned if they try to visit known malicious sites. That has reduced the success rate of classic phishing attacks, but it has also pushed criminals towards more intensive social engineering.

One telling signal here comes from the telcos. In many scam cases, particularly for retail customers, there is often a long call between the victim and the fraudster just before or during the transaction. By spotting these patterns, telecom operators can provide another useful piece of the puzzle to banks trying to identify scam-induced payments.

Remote access tools are another double-edged sword. They are perfectly legitimate for IT support, but in the wrong hands, they allow criminals to control a victim’s device. Isabel and others are therefore working with providers of remote access software to detect suspicious sessions linked to banking activity.

The common theme: fraud detection is becoming a team sport across sectors.

Collaboration Within the Rules

Whenever data sharing is mentioned, the conversation quickly turns to privacy and regulation. Banks often say they would like to collaborate more but feel blocked by GDPR and national rules.

Remy’s view is that the main barrier is not technology, but clarity around the legal basis, governance and “rules of the game”.

In cybersecurity, sharing threat intelligence has been a normal practice for years. Banks, telcos and governments have mechanisms to exchange information about malicious domains, tools and infrastructure. For fraud, especially across banks, that kind of sharing has been rare.

But this is starting to change.

New regulations such as the incoming EU Payment Services Regulation (PSR) are expected to make sharing certain fraud indicators mandatory. That pushes the industry to define:

• What types of data can be shared
• Who is allowed to see what
• For which purposes the data can be used

On top of that, the sector needs a common language so that fraud signals can be interoperable and automated. This includes standard taxonomies for fraud types and structured descriptions of how attacks are carried out, so institutions can plug this intelligence straight into their risk engines instead of translating everything by hand.

Isabel is working with banks, telcos, regulators and law enforcement in Belgium to build such a scheme at the national level, with the intention to connect into wider European networks over time.

From Rules to Intelligence

Historically, most fraud engines have been based on fixed rules: thresholds, blacklists and patterns derived from incidents that were already known.

That is, by definition, reactive.

Remy explained that the Isabel innovation team, under the leadership of Tim Van der Wee, is introducing AI to augment this approach, but with a strong emphasis on human oversight. Initially, AI models are deployed in a “passive” mode: they monitor payment flows and flag anomalies that would be difficult or impossible for analysts to spot manually. Human experts then review these cases, confirm whether they represent fraud, and feed that learning back into the models.

When a pattern is stable and false positives are acceptable, the insight can be translated into operational rules. This hybrid model combines the scale and speed of AI with the judgment and accountability of human investigators.

Crucially, this intelligence is not limited to what a single institution can see. If one bank identifies a mule account, that account is risky for everyone. Moving from one-to-one sharing to community-level models allows the sector to react much faster when criminals reuse the same infrastructure across multiple banks.

Balancing Instant Payments with Protection

Instant payments create a familiar tension: customers and businesses expect money to move immediately, but that leaves less time for checks.

Isabel’s approach is to apply the same screening to instant payments as to regular payments, but to treat instant transactions as a priority in analysts’ queues. If a payment triggers serious concerns, it can be paused while the team calls the customer.

Remy shared a case in which a paused instant payment turned out to be fraudulent. The customer later said that if the transaction had gone through, the company would likely have gone bankrupt (and they sent the team a huge bunch of flowers as a thank-you!). In that light, a short delay is a price most clients are very willing to pay!

To rebuild trust, Isabel and others are introducing ways for customers to verify that the person calling them really is from the bank’s fraud team, adding another small but important control in the chain.

What Needs to Happen Next

Looking three to five years ahead, Remy highlighted three priorities for banks and the wider ecosystem:

1. Make fraud intelligence sharing routine
   Just as cyber threat intelligence has become standard, sharing structured fraud indicators between institutions needs to be normal practice. Criminals move quickly; the industry has to move just as fast when one bank spots a new tactic.
2. Use AI with clear human control
   AI should help find patterns and anomalies that humans would miss, but decisions and accountability must remain with people. Well-governed AI can significantly improve detection and investigation without becoming a black box.
3. Strengthen digital identities for people and companies
   Digital identity schemes for individuals are already widely used in Europe to streamline customer onboarding and provide verified data. The next step is robust digital identities for companies, with verified corporate information that can be reused for bank onboarding, supplier checks and other processes. That reduces reliance on self-declared data and closes gaps exploited by fraudsters.

Fraud will never disappear. But by treating payment data as a strategic asset, collaborating across sectors and borders, and combining intelligent technology with human expertise, banks can move from chasing incidents to actively shaping a more resilient financial ecosystem.

(Our flagship event, The Banking Scene Conference Brussels on May 28, features a dedicated Fraud & Compliance stage where industry experts will share more insights on fraud-fighting strategy to overcome the challenges faced today. Join us to be a part of the conversations!)

You can find the full interview below or listen on your favourite podcast channel here - whichever platform you choose, don't forget to subscribe to stay updated!