The Underdog Advantage: Why Your Community Bank Is Better at Fraud Defense Than The Worldʼs Largest Banks

By Joel Frisch, Co-founder of FALKIN, a customer safety platform built for community financial institutions

A few months ago I watched a demo of a phishing kit you can buy online for $100 a month. In under two minutes, it built a perfect replica of a credit unionʼs login page, complete with the right logo, the right colors, the right fonts. It even had a fake “Security Notice” banner at the top to make it feel more legitimate. The person running the demo laughed when he showed it to me. I didnʼt.

Thatʼs the threat landscape now. Not sophisticated nation-state hackers. Not elaborate technical exploits. A $100 subscription and twenty minutes of your afternoon.

The financial services industry has responded by doubling down on AI-powered back-end detection: anomaly models, real-time transaction monitoring, synthetic identity scoring. And that stuff matters. But the fraud conversation has become so fixated on who has the best models that weʼve missed something important: the institutions best positioned to actually protect their customers right now arenʼt the ones with the biggest AI budgets. Theyʼre the ones with the deepest community relationships.

The attack has changed. The defense hasnʼt.

Hereʼs what the threat looks like in 2026. SMS and messaging apps now account for over half of all mobile phishing attacks. Not email. Not desktop. Your customersʼ phones, the devices they trust most, the ones they check 150 times a day. The attack surface is the relationship between your customer and their screen.

AI didnʼt just make scams better. It industrialized them. The same technology that helps banks detect anomalies helps fraudsters generate flawless, personalized messages at scale. The grandmother who gets a voice call from her “grandson” in trouble isnʼt facing a scam. Sheʼs facing a synthetic audio clone trained on real voice data, calling from a number that looks local. Thatʼs not a technical problem. Thatʼs a human problem.

And the financial cost is only part of it. The average community financial institution carries around $2.3 million in fraud exposure annually. Factor in investigation costs, compliance, staff time, and reputational damage, and every dollar lost to fraud costs closer to five dollars in total impact. A $500,000 loss year is a $2.5 million problem.

But the number that keeps me up at night is different. 67% of fraud victims blame their financial institution even when it isnʼt at fault. Read that again. Two thirds of people who get scammed walk away angry at their bank or credit union, regardless of where the failure actually happened. Thatʼs not a fraud statistic. Thatʼs a loyalty and retention statistic. And no anomaly detection model fixes it.

The structural advantage nobody talks about

Big banks have thrown enormous resources at the back-end detection problem. Theyʼve had to. At that scale, automated systems are the only option. But fraud defense isnʼt just a detection problem. Itʼs a trust problem. And trust operates differently at the community level.

Credit unions and community banks have something that the worldʼs largest banks cannot buy: members and customers who actually know the person behind the counter. Staff who recognize voices on the phone. The ability to call a member back on a number they know is real. These arenʼt soft advantages. In the context of fraud defense, theyʼre decisive ones.

The attack vectors that are growing fastest, social engineering, authorized push payment fraud, voice cloning, rely on the victim not being able to verify who theyʼre talking to. A coordinated banking network in the UK built safety call routing for exactly this reason: so customers could always confirm they were actually talking to their institution. Thatʼs a multi-year infrastructure project for a large bank. A community institution can solve the same problem with a callback protocol and one staff training session.

Speed matters too. The community institutions getting ahead on fraud defense arenʼt waiting for a three-year technology roadmap. Theyʼre running pilots. Kish Bank built a community “Stop and Think” campaign across digital and physical channels and cut customer losses by 94%. ExtraCo Banks launched member-facing safety tools and prevented $60,000 in losses in the first three weeks.

These arenʼt billion-dollar programs. Theyʼre focused, fast, member-facing interventions.

Where the AI conversation is missing the point

Iʼm not anti-AI in fraud defense. I think real-time monitoring and anomaly detection are genuinely valuable. But the industry conversation treats AI as primarily a back-end, institutional problem to be solved by the technology team. That framing leaves out the most important actor in the room: the customer.

Most fraud today succeeds not because detection failed, but because the customer or member was convinced to authorize the transaction themselves. Thatʼs the definition of authorized push payment fraud, and itʼs the fastest-growing category. No detection model catches it, because from the systemʼs perspective, the customer did exactly what they intended to do. The failure happened earlier, in the moment the customer decided to trust the wrong person.

The institutions that are actually moving the needle are the ones investing in the human layer: customer education thatʼs specific and timely, not generic annual reminders. Staff training that goes beyond “be aware of fraud” to “hereʼs exactly what a grandparent scam sounds like and hereʼs what to say.” Community touchpoints that make safety visible and normalize talking about scams before they happen. None of that requires a large language model. It requires knowing your community.

Safety is the differentiator that canʼt be replicated

Hereʼs the strategic point that I think gets lost: fraud prevention done well isnʼt just a cost control measure. Itʼs a growth strategy.

When customers and members feel protected, they talk about it. Acquisition conversations that used to start with rate comparisons start with “I heard you actually protect your members.” Thatʼs not marketing copy. Thatʼs a real thing credit union executives are hearing in the field right now.

No fintech app, no matter how slick the UX, can replicate decades of local trust. The question for community financial institutions isnʼt whether they can compete with the AI infrastructure of the largest banks in the world. They canʼt, and they donʼt need to. The question is whether theyʼre using the structural advantages they already have, the trust, the relationships, the speed, to build the one thing their members actually want right now: the feeling of being safe.

The institutions that figure that out wonʼt just reduce losses. Theyʼll win the next decade.

Sources
  • SMS and messaging apps account for over half of all mobile phishing attacks: Zimperium Global Mobile Threat Report 2025. zimperium.com
  • Every $1 lost to fraud costs approximately $5 in total impact: LexisNexis True Cost of Fraud Study 2025. risk.lexisnexis.com
  • Average fraud exposure of $2.3M per community financial institution: KBA Fraud Academy 2024 Fraud Survey; Alloy State of Fraud Benchmark Report 2024.
  • 67% of fraud victims blame their financial institution regardless of fault: Alloy State of Fraud Benchmark Report 2025. alloy.com
  • Kish Bank 94% reduction in customer fraud losses: “How one bankʼs ‘stop and thinkʼ message slashed customer fraud losses,” ABA Banking Journal, May 2025. bankingjournal.aba.com
  • ExtraCo Banks $60,000 in prevented losses within three weeks: ExtraCo Banks data sourced via FALKIN platform analytics.
