CISI Combating Financial Crime study guide for types of fraud, with learning objectives, UK control cues, and exam traps.
Types of fraud belongs to the CISI Combating Financial Crime Fraud and Market Abuse exam topic, weighted at 4%. Study it as a UK financial-crime control lesson: the paper usually asks whether you can classify the risk, place the right authority or obligation, and choose the next defensible control, escalation, or reporting step.
| Concept | What to know for CISI CFC review |
|---|---|
| Internal fraud | Fraud by employees, managers, contractors, or insiders using access, trust, authority, or control weaknesses. |
| External fraud | Fraud by customers, impostors, organized groups, cyber actors, vendors, or third parties outside the firm. |
| Mandate fraud | Fraudulent change of payment instructions, account details, or beneficiary information. |
| Procurement fraud | Vendor, invoice, contract, tender, conflict-of-interest, or kickback schemes. |
| Systemic fraud risk | A repeated or control-enabled pattern that exposes the firm to wider loss, not just a one-off incident. |
Fraud typologies help you select the right control. An identity-fraud case is not controlled the same way as procurement fraud. A customer scam is not handled the same way as employee account manipulation. CISI questions often include several red flags, so identify who benefits, who controls the process, and which control should have challenged the activity.
| Fraud type | Common clue | Better control focus |
|---|---|---|
| Identity fraud | False documents, mismatched data, synthetic identity, account takeover | Verification, authentication, device and behavioural checks, account controls |
| Payment fraud | Urgent payment, changed beneficiary, spoofed instruction, unusual destination | Callback, payment screening, dual approval, beneficiary verification |
| Mandate fraud | Changed standing instructions or settlement account | Independent confirmation and cooling-off or escalation controls |
| Procurement fraud | Fake vendor, inflated invoice, duplicate payment, conflict | Vendor due diligence, invoice matching, segregation, conflict checks |
| Employee fraud | Override, excessive access, concealed adjustment, collusion | Access review, monitoring, mandatory leave, independent reconciliation |
| Cyber-enabled fraud | Phishing, malware, credential compromise, social engineering | Security controls, fraud monitoring, customer warnings, incident response |
A practical way to classify fraud is to ask three questions before choosing the response: who is the actor, what asset or process is being attacked, and which control should have stopped or detected it. This prevents the common exam mistake of selecting a generic fraud answer when the facts point to a specific control weakness.
| Lens | What to identify | Example exam clue |
|---|---|---|
| actor | customer, employee, vendor, cyber actor, introducer, intermediary, or organized group | “the same employee approved the exception” |
| asset | money, securities, customer data, credentials, vendor payments, account access, or market information | “new beneficiary details were entered before payment release” |
| channel | email, online banking, telephone instruction, adviser request, procurement workflow, or internal system | “instruction came from a lookalike domain” |
| control failure | verification, authentication, approval, segregation, reconciliation, monitoring, or escalation | “callback was bypassed because of urgency” |
| next action | pause, verify, escalate, preserve evidence, investigate linked activity, or report | “funds have not yet left the firm” |
The best answer normally combines classification with response. It is not enough to say “this is fraud risk.” A stronger answer explains why the facts suggest mandate fraud, procurement fraud, account takeover, insider abuse, or organized external fraud and then selects the control that directly fits that route.
Customer-facing fraud usually attacks identity, authority, account access, or payment movement. It may be committed by the named customer, an impostor, a third party controlling the customer, or an organized network using mule accounts. CISI scenarios often mix legitimate relationship details with one abnormal feature, such as urgency, new account details, or a communication channel that avoids normal verification.
| Fraud pattern | What it may look like | Better response |
|---|---|---|
| impersonation | caller or email sender claims to be the customer but fails normal security checks | stop reliance on the channel and verify through trusted contact details |
| account takeover | login from new device, changed contact details, urgent withdrawal request | strengthen authentication, pause high-risk activity, and escalate |
| synthetic identity | apparently valid identity data that does not fit a real person consistently | enhance verification and review linked accounts or applications |
| mule account | account receives and quickly forwards funds inconsistent with profile | escalate financial-crime suspicion and examine linked beneficiaries |
| vulnerable-customer exploitation | third party pressures customer to transfer or liquidate assets | use safeguarding procedures and verify the customer’s genuine authority |
For exam purposes, avoid treating customer fraud as only a service issue. A payment instruction, account change, or liquidation request may also raise AML, sanctions, safeguarding, and suspicious-activity reporting questions depending on the surrounding facts.
Procurement fraud matters in financial crime because the loss may bypass client-account controls entirely. A firm can suffer fraud through fake suppliers, conflicted employees, inflated invoices, duplicate payments, rigged tenders, false expenses, or third-party service providers that are not properly monitored.
| Scheme | Red flags | Control response |
|---|---|---|
| fake vendor | new supplier with weak due diligence, no contract, urgent payment | verify supplier existence, ownership, bank details, and approval trail |
| invoice fraud | duplicate invoice, round-sum charge, vague service description | match purchase order, contract, receipt, and invoice before payment |
| tender manipulation | single bidder wins repeatedly or evaluation scores are changed | independent procurement review and conflict checks |
| kickback or conflict | employee relationship with vendor or unexplained gifts | conflict declaration, investigation, and disciplinary escalation |
| change-of-bank fraud | vendor bank details changed by email near payment date | independent callback to known contact before updating records |
The exam angle is control design. Procurement fraud is often prevented by vendor due diligence, segregation of duties, approval thresholds, invoice matching, conflict declarations, gifts-and-hospitality controls, and post-payment analytics. If one employee can create the vendor, approve the invoice, and reconcile the payment, the control design is weak even before a loss is proved.
Opportunistic fraud is usually a one-off exploitation of a weak moment: an employee sees a chance to override a control, or a customer submits a false claim. Organized fraud is more systematic: repeated applications, mule accounts, coordinated impersonation, linked devices, repeated beneficiaries, or collusion across employees and outsiders.
The distinction matters because organized fraud requires broader investigation. The firm should look for connected accounts, repeated identifiers, common addresses, device fingerprints, shared beneficiaries, employee involvement, or vendor links. A narrow single-transaction fix may leave the wider scheme active.
Organized fraud is usually visible through connections rather than a single dramatic fact. A single unusual payment may be explainable; several accounts sharing devices, addresses, introducers, beneficiaries, or timing may indicate a coordinated scheme.
| Link analysis area | Why it matters |
|---|---|
| shared contact details | may show apparently unrelated accounts are controlled by one group |
| repeated beneficiaries | may show layering, mule activity, or coordinated payment diversion |
| common device or IP information | may show account takeover or mass application fraud |
| repeated introducer or intermediary | may indicate a compromised referral channel |
| similar document defects | may show forged templates or organized identity fraud |
| linked employee approvals | may indicate collusion or insider facilitation |
This is why the best answer often includes a look-back. The firm should ask whether the same fraud pattern appears in other accounts, vendors, customer segments, branches, advisers, systems, or third-party channels. Organized fraud is not solved by reversing one transaction if the same control weakness remains open.
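One way to make the look-back above mechanical, as an added example rather than anything from the CISI material: accounts that share a device, address, beneficiary or introducer are joined into clusters with union-find, and each cluster is reported with the values that link it. The account records, field names and values are constructed for illustration.

```python
# Added example: link analysis over constructed account records. Accounts are
# nodes; two accounts are joined when they share a device, address, beneficiary
# or introducer. Groups of two or more accounts are look-back candidates.
from collections import defaultdict

LINK_FIELDS = ("device", "address", "beneficiary", "introducer")

# Constructed sample: A4 stands alone; A1, A2, A3 and A5 are only linked in chains
ACCOUNTS = [
    {"id": "A1", "device": "dev-77", "address": "12 High St", "beneficiary": "B-900", "introducer": "intro-3"},
    {"id": "A2", "device": "dev-77", "address": "4 Mill Ln", "beneficiary": "B-111", "introducer": "intro-8"},
    {"id": "A3", "device": "dev-02", "address": "4 Mill Ln", "beneficiary": "B-111", "introducer": "intro-1"},
    {"id": "A4", "device": "dev-55", "address": "9 Park Rd", "beneficiary": "B-333", "introducer": "intro-2"},
    {"id": "A5", "device": "dev-66", "address": "1 River Way", "beneficiary": "B-900", "introducer": "intro-9"},
]


def find_clusters(accounts, fields=LINK_FIELDS):
    """Return {frozenset(account ids): [(field, shared value), ...]} for every
    connected group of two or more accounts, found with union-find."""
    parent = {a["id"]: a["id"] for a in accounts}

    def root(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    # Index every (field, value) to the accounts carrying it; keep shared ones
    index = defaultdict(set)
    for a in accounts:
        for f in fields:
            if a.get(f):
                index[(f, a[f])].add(a["id"])
    shared = {k: ids for k, ids in index.items() if len(ids) > 1}

    # Union every pair of accounts that share a value
    for ids in shared.values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[root(other)] = root(first)

    groups = defaultdict(set)
    for acc_id in parent:
        groups[root(acc_id)].add(acc_id)
    return {
        frozenset(m): sorted(k for k, ids in shared.items() if ids <= m)
        for m in groups.values() if len(m) > 1
    }
```

Note that A1 and A3 share nothing directly; they only end up in one cluster through A2, which is the kind of connection a single-transaction review misses.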
Fraud becomes more serious when the actor has system access or approval power. Insider access can allow the fraudster to create records, change data, approve exceptions, delete evidence, or hide losses. The exam often signals this through phrases such as “manual override,” “urgent exception,” “same employee approved and reconciled,” or “access not reviewed after role change.”
| Insider clue | Control implication |
|---|---|
| Manual override without review | Exception reporting and independent approval should be strengthened. |
| Same person initiates and approves | Segregation of duties is weak. |
| Dormant or excessive access | User-access review and joiner-mover-leaver controls are needed. |
| Reconciliation breaks ignored | Management review and escalation are ineffective. |
| Vendor controlled by employee relative | Conflict and procurement controls should be triggered. |
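The "same person initiates and approves" clue above, and the warning in the procurement section about one employee creating the vendor, approving the invoice and reconciling the payment, can both be tested against a workflow log. This added example (not from the CISI guide) applies an assumed segregation-of-duties conflict matrix to a constructed procurement event log and also lists manual overrides that never received an independent review step; the step names, user ids and conflict pairs are assumptions.

```python
# Added example: segregation-of-duties and override checks over a constructed
# procurement event log. The conflict matrix is an assumed policy for illustration.
from collections import defaultdict

# Step pairs one user must not perform for the same payment (assumed policy)
CONFLICTING_STEPS = {
    frozenset({"create_vendor", "approve_invoice"}),
    frozenset({"approve_invoice", "reconcile_payment"}),
    frozenset({"create_vendor", "reconcile_payment"}),
    frozenset({"initiate_payment", "approve_payment"}),
}

# Constructed log: (payment_ref, step, user, flags)
EVENTS = [
    ("PAY-001", "create_vendor", "jsmith", ""),
    ("PAY-001", "approve_invoice", "jsmith", ""),
    ("PAY-001", "reconcile_payment", "jsmith", ""),
    ("PAY-002", "create_vendor", "akhan", ""),
    ("PAY-002", "approve_invoice", "mlee", ""),
    ("PAY-002", "reconcile_payment", "akhan", ""),
    ("PAY-003", "create_vendor", "akhan", ""),
    ("PAY-003", "approve_invoice", "mlee", "manual_override"),
    ("PAY-003", "reconcile_payment", "rpatel", ""),
]


def sod_violations(events, conflicts=CONFLICTING_STEPS):
    """Return {payment_ref: [(user, (step, step)), ...]} for every payment where
    one user performed both halves of a conflicting step pair."""
    by_payment = defaultdict(lambda: defaultdict(set))  # ref -> user -> steps
    for ref, step, user, _ in events:
        by_payment[ref][user].add(step)
    violations = defaultdict(list)
    for ref, users in by_payment.items():
        for user, steps in users.items():
            for pair in conflicts:
                if pair <= steps:
                    violations[ref].append((user, tuple(sorted(pair))))
    return {ref: sorted(v) for ref, v in violations.items()}


def unreviewed_overrides(events):
    """Return payment refs carrying a manual_override flag with no
    independent_review step recorded for the same payment."""
    reviewed = {ref for ref, step, _, _ in events if step == "independent_review"}
    return sorted({ref for ref, _, _, flags in events
                   if "manual_override" in flags and ref not in reviewed})
```

PAY-001 is the textbook failure (one user did everything), PAY-002 shows that a clean approval step does not cure a create-and-reconcile conflict, and PAY-003 is clean on segregation but carries an override nobody reviewed.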
Fraud prevention is important, but CISI CFC questions often test detection and escalation after a red flag has appeared. The correct control depends on what the fraudster is trying to manipulate.
| Fraud risk | Strong detection control |
|---|---|
| identity or application fraud | document checks, database validation, device analytics, duplicate-data matching |
| account takeover | abnormal login monitoring, contact-detail change alerts, step-up authentication |
| payment diversion | beneficiary-change reports, callback failures, high-risk destination monitoring |
| internal manipulation | exception reports, access logs, mandatory leave, independent reconciliation |
| procurement abuse | duplicate invoice analytics, vendor master-file review, conflict checks |
| cyber-enabled fraud | phishing reports, endpoint alerts, credential compromise monitoring |
| organized networks | link analysis across accounts, devices, addresses, beneficiaries, and introducers |
Detection controls should produce a usable escalation path. A report that no one reviews, an alert that is routinely suppressed, or a reconciliation break that is accepted without investigation is not an effective control. The exam may describe a control on paper and then test whether you notice that it failed operationally.
Fraud investigations can be damaged by premature confrontation, incomplete records, or uncontrolled communication. Before contacting a suspected employee, vendor, or customer, the firm should consider preserving evidence and controlling who knows about the investigation.
| Investigation need | Practical implication |
|---|---|
| system logs | preserve access, override, approval, and change-history records |
| communications | retain emails, calls, chats, callback notes, and customer instructions |
| transaction status | identify whether money or assets are pending, released, reversed, or frozen |
| linked activity | check related accounts, vendors, beneficiaries, devices, and staff actions |
| confidentiality | avoid alerting a suspected fraudster before evidence is secure |
| escalation | involve financial crime, legal, compliance, HR, security, or senior management as appropriate |
The stronger exam answer usually avoids amateur investigation. Front-line staff should not secretly interrogate the customer, warn a suspected employee, or change records to “fix” the issue. They should preserve facts, follow procedure, and escalate to the function with authority to investigate.
| If the facts emphasize… | Think first about… | Then choose… |
|---|---|---|
| new payment instructions and urgency | mandate or payment fraud | independent verification and payment hold |
| false identity documents | identity or application fraud | enhanced verification and linked-application review |
| employee override or excessive access | insider fraud | access review, evidence preservation, segregation remediation |
| fake invoices or vendor conflicts | procurement fraud | vendor due diligence, invoice matching, conflict investigation |
| repeated accounts with common data | organized fraud | link analysis and broader control review |
| phishing or credential compromise | cyber-enabled fraud | incident response, authentication controls, customer protection |
| suspicious proceeds after fraud | laundering of criminal property | AML escalation and suspicious-activity reporting analysis |
| Scenario cue | Better answer pattern |
|---|---|
| “urgent and confidential” instruction | slow the process, verify independently, and do not bypass controls |
| “same employee processed all steps” | identify segregation failure and possible insider abuse |
| “no contract but payment requested” | treat as procurement fraud risk and review vendor approval evidence |
| “several accounts share one device” | investigate organized or linked-account fraud |
| “suspect is about to be contacted” | preserve evidence first and control communication |
| “customer is being pressured by a third party” | consider exploitation, authority, safeguarding, and fraud escalation |
| “funds already moved” | preserve evidence, investigate links, consider reporting, and remediate controls |
A client emails new settlement instructions from an address that looks similar to the client’s usual domain. The request is urgent and asks the firm to bypass normal callback because the client is travelling. Which fraud type and control response fit best?
A. Mandate or payment fraud risk; independently verify the instruction using trusted contact details before changing the beneficiary.
B. Market abuse risk; place the account on a restricted list.
C. Tax evasion risk; report to HMRC immediately.
D. No fraud risk; urgency confirms the instruction is genuine.
Answer: A. A changed payment instruction with urgency and a lookalike domain is a classic mandate or payment-fraud signal. The firm should verify independently and not rely on the suspicious communication channel.
When revising fraud types, build a grid with the fraud actor down one side and the control down the other. Use customer, employee, vendor, cyber actor, and third party as actors; use verification, approval, access control, reconciliation, monitoring, and escalation as controls.
Also practise writing a one-sentence classification before choosing the answer: “This is likely mandate fraud because the customer instruction changes beneficiary details through an unreliable channel.” That forces the control answer to match the fraud type instead of drifting into generic compliance language.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.