Payment fraud has entered its Lego era. With generative AI, attackers can now snap together reconnaissance, impersonation, and financial setup in minutes.
This isn’t theory. It’s the new fraud reality, and it’s already hitting billion-dollar companies: seven in ten have faced AI-powered, multi-system payment fraud attacks.
To prove it, SecureWorld and Trustmi teamed up with world-renowned ethical hacker FC (“Freaky Clown”) for a live demo of how modern fraud campaigns are built. As FC put it: “Nowadays, you can do this all on your own from anywhere in the world, like a coffee shop if you wanted to.”
Why Multi-System Payment Fraud Is the New Normal
Trustmi’s 2025 Fraud & Risk Report found that most fraud attempts don’t stop at a single trick—70% of incidents involved multiple systems. This matches what Trustmi uncovers with customers and prospects: the most damaging payment fraud attempts are the ones traditional controls miss because they combine steps. It’s a spoofed login followed by a vendor impersonation, or a compromised inbox setting up a fraudulent payment.
This is why SecureWorld and Trustmi asked FC to stage an end-to-end payment fraud attack. His demonstration proved the point: attackers don’t rely on one doorway. They chain techniques together and pivot until something works. As FC explained, “there’s always the option to pivot into a different attack vector, right? So one way is not always going to be the best thing.”
Modern fraud isn’t one-and-done. It’s multi-vector, adaptive, and built to overwhelm defenses by combining steps until they succeed. The real question is: how do attackers actually assemble these campaigns?
“Lego for Hackers”: The Attacker’s Toolkit
FC described modern fraud as “Lego for hackers”—modular building blocks that can be snapped together into complete, end-to-end payment attacks.
Those blocks include:
- Reconnaissance: Attackers leverage Open Source Intelligence (OSINT) and AI to scrape employee and vendor information in minutes.
- Compromise: Fraudsters exploit weak supplier accounts, phish their way into inboxes, or steal vendor credentials.
- Lookalike domains: By registering convincing URLs and spinning up basic websites, attackers can pass standard email authentication checks (SPF, DKIM, DMARC). Those checks only verify that a message really came from the domain it claims, so a lookalike domain the attacker controls authenticates cleanly.
- Financial setup: To avoid raising suspicion, they open fraudulent bank accounts that mimic legitimate vendor banking details.
- Social engineering: Hackers will deploy AI-crafted emails that mimic tone, grammar, and even timing of real communications.
- Teardown: Once they have achieved their goal, they dismantle the infrastructure to erase their tracks.
Each block, on its own, can look completely legitimate. But when connected, they form a fraud machine that is difficult to spot until the attackers have already gotten their hands on your finances. The extraordinary part was watching FC snap them together live: in minutes he built a working fraud machine, fluid and adaptive, right before the audience’s eyes. For security leaders, it was a rare chance to see the attacker’s playbook in motion.
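Because SPF, DKIM and DMARC validate the sending domain against itself, a lookalike domain passes them and the vendor allow-list has to do the rest of the work. The following is an added defensive example, not code from FC’s demo or from Trustmi: it checks an inbound sender against a constructed allow-list of vendor domains, normalizes common visual substitutions (digits for letters, “rn” for “m”), and flags domains within a small edit distance as lookalikes. The vendor list, sample addresses and homoglyph map are constructed for illustration, and the “registrable domain” helper is a simplification that keeps only the last two labels (it does not handle multi-part suffixes such as co.uk).

```python
"""Flag sender domains that resemble, but are not, a known vendor domain.

Added example (not from the original article or from Trustmi). A lookalike
domain registered by an attacker passes SPF/DKIM/DMARC for *itself*, so this
check complements those controls instead of replacing them.
"""
import unicodedata

# Constructed allow-list of the vendor domains accounts payable expects to hear from.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northwind.example"}

# Common visual substitutions, mapped back to the letter they imitate (simplified list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "rn": "m", "vv": "w"}


def registrable_domain(domain: str) -> str:
    """Keep the last two labels ("billing.acme-supply.example" -> "acme-supply.example").

    Simplification: multi-part public suffixes such as co.uk are not handled.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and undo common homoglyph substitutions."""
    text = unicodedata.normalize("NFKD", domain.lower().strip())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for glyph, letter in HOMOGLYPHS.items():
        text = text.replace(glyph, letter)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, vendors=KNOWN_VENDOR_DOMAINS, max_distance: int = 2):
    """Return ("known" | "lookalike" | "unknown", matched_or_sender_domain).

    Exact allow-list matches win first, so a genuine vendor is never flagged as
    a lookalike of itself. Anything else is compared after normalization.
    """
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    if sender_domain in vendors:
        return ("known", sender_domain)

    normalized = normalize_domain(sender_domain)
    best_vendor, best_distance = None, None
    for vendor in vendors:
        distance = levenshtein(normalized, normalize_domain(vendor))
        if best_distance is None or distance < best_distance:
            best_vendor, best_distance = vendor, distance

    if best_vendor is not None and best_distance <= max_distance:
        return ("lookalike", best_vendor)
    return ("unknown", sender_domain)


if __name__ == "__main__":
    # Constructed sample senders: one genuine, one genuine subdomain, two lookalikes, one stranger.
    for addr in [
        "ap@acme-supply.example",
        "invoices@billing.acme-supply.example",
        "ap@acrne-supply.example",   # "rn" imitating "m"
        "ap@n0rthwind.example",      # zero imitating "o"
        "ap@example-bank.example",
    ]:
        verdict, matched = classify_sender(addr)
        print(f"{addr:45} -> {verdict:9} ({matched})")
```

The allow-list comparison belongs alongside, not instead of, DMARC enforcement: the first tells you the mail really came from the domain it names, the second tells you whether that domain is one you actually do business with.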
How AI Accelerates Payment Fraud
What once took an entire work week can now be done in minutes. AI-powered payment fraud attacks are accelerating at machine speed, making them faster, cheaper, and harder to stop. Generative AI has supercharged every stage of the fraud cycle:
- Recon speed: Research that once took 40 hours is now done in “30 seconds to five minutes with GenAI—and it’s just as good,” FC explained. In the demo, he showed how OSINT can instantly scrape not just LinkedIn, but public posts, breach data, government records, even building plans and license plate registries—information that used to demand days of patient work.
- Social engineering automation: Instead of a hacker writing each email, FC ran an entire back-and-forth where AI agents wrote both sides of the conversation.
- Behavioral mimicry: Messages adapt to whether an employee writes formally, casually, or with humor. As FC put it, the grammar is perfect, the wording spot-on, even down to key phrases that nudge targets into action.
- Lower skill barrier: What once required advanced expertise can now be run by almost anyone with off-the-shelf tools. FC warned that “the barrier to entry is incredibly low. So low that pretty much anyone can do it now.”
Seeing it live was the unsettling part. What once demanded patience, skill, and coordination looked like plug-and-play fraud—scaled up by AI, and available to almost anyone.
The New Reality of AI-Powered Payment Fraud
FC didn’t just talk about how fraud has changed—he showed it. In minutes, he pieced together an end-to-end AI-powered payment fraud attack, snapping together multiple steps like Lego for hackers until it succeeded.
As he put it, you don’t need nation-state resources anymore. You can launch a complex attack from Starbucks and finish it before you’ve finished your cappuccino.
With this ease and speed, the number and sophistication of AI-powered payment fraud attacks will only increase. Is your business ready?
See for yourself: Watch FC’s live demo of modern end-to-end AI-powered payment fraud.