E-commerce Fraud in the UK: Is 3DS Enough? 

The UK payments industry has spent the better part of a decade building stronger fraud controls. Strong Customer Authentication (SCA), more sophisticated 3DS frameworks, behavioural scoring, real-time decisioning: the investment has been significant. And yet the Annual Fraud Report 2026, published by UK Finance on 15 June 2026, confirms what many in the industry have been quietly worried about: fraud losses are still rising. Eight people are defrauded in the UK every single minute. The controls are working, yet fraud cases are on the rise.

So, what's going wrong? And more importantly, what needs to change? 

Those were the questions at the centre of a joint session hosted by G+D Netcetera and The Payments Association UK, with Ben Cooper (Partner at TLT LLP), Keith Groves (VP Security Solutions for UK and Ireland at Mastercard), Sannelie Gallichan (Senior Sales Engineer at TigerGraph), and Tanja Steinhoff (Senior Product Manager for Payment Security at G+D Netcetera). 

The fraud has moved. The controls aren't keeping up. 

The problem, the group agreed, isn't that 3DS has failed. It's that the threat has evolved around it. 

Ben Cooper, who has spent over two decades advising on financial crime, opened by putting his finger on what makes today's fraud landscape so difficult to defend against. "It's no longer just card-not-present fraud in a single channel," he said. "It's increasingly coordinated, cross-channel, and driven by social engineering where customers themselves are often passing the transaction unwittingly." 

That last point matters. 3DS and SCA were built for a world where the fraudster was an outsider trying to break in. Social engineering turns that very assumption on its head: the customer becomes, unwittingly, the means of attack. And once that happens, authentication alone can't save you. 

When the controls become the blind spot

Tanja Steinhoff described a pattern she encounters regularly in conversations with bank customers: an account takeover that never looks like one. The fraudster gains access to online banking and then, rather than going straight for the transaction, starts making small innocuous changes: adjusting credit limits, updating a phone number, redirecting an authentication app, and so on. Each action, looked at in isolation, raises no flags. By the time the fraudulent payment hits the 3DS rails, the attacker has full control, the transaction authenticates cleanly, and the SCA mechanism designed to prevent exactly this outcome has been rendered irrelevant. "What was meant to be the countermeasure against fraud," she said, "has been – via social engineering, via account takeover – taken out of our control as a pure ACS provider." 

The reason this keeps happening comes down to a structural problem the industry has been slow to address. Banks typically intervene when money moves, and not before. Everything that precedes that moment – the reconnaissance, the account manipulation, the quiet preparation – happens in the gaps between systems that don't talk to each other. Sannelie Gallichan put it bluntly: "We choose to do an intervention when money moves. That is typically where banks choose to act. By the time the payment transaction is around, 3DS happens completely outside of the bank's ecosystem." 

The fraudulent merchant problem illustrates exactly why that matters. A rogue merchant doesn't limit themselves to one bank; they operate across many, exploiting the fact that the intelligence each institution holds stays within its own walls. Bank A spots a suspicious pattern but has no way to alert Bank B, C, or D. By the time the fraud has run its course, each institution has seen only a fragment of the picture. "What is really important is to look for the places where you have the best coverage," said Gallichan. "Look for the opportunities to create that intelligence within your 3DS ACS provider environment, whether that's a consortium arrangement, a proprietary model, or just an informal alerting system." 

Ultimately, the problem is not that the signals aren't there. It's that they are fragmented: a limit change in one system, an authentication update in another, a device switch somewhere else. Each, individually, is unremarkable, but collectively, they tell a clear story. The industry just needs to start reading it. 
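
To make the point concrete, here is an added example (not from the webinar or any panellist's product) that joins account-change events from separate systems and checks how many distinct changes preceded each 3DS request on the same account. The event labels, source-system names, 24-hour window, threshold of three signals and "step_up" outcome are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Changes the article describes as unremarkable in isolation (labels are assumptions).
SENSITIVE = {"credit_limit_change", "phone_number_update",
             "auth_app_rebind", "new_device_login"}

# Constructed sample events: (timestamp, account, source system, event type).
EVENTS = [
    ("2026-03-02T09:05:00", "acct-1001", "online-banking", "new_device_login"),
    ("2026-03-02T09:12:00", "acct-1001", "card-management", "credit_limit_change"),
    ("2026-03-02T09:20:00", "acct-1001", "customer-profile", "phone_number_update"),
    ("2026-03-02T09:31:00", "acct-1001", "auth-service", "auth_app_rebind"),
    ("2026-03-02T10:02:00", "acct-1001", "acs", "3ds_auth_request"),
    ("2026-02-10T14:00:00", "acct-2002", "customer-profile", "phone_number_update"),
    ("2026-03-02T11:15:00", "acct-2002", "acs", "3ds_auth_request"),
    ("2026-03-02T08:00:00", "acct-3003", "card-management", "credit_limit_change"),
    ("2026-03-02T12:40:00", "acct-3003", "acs", "3ds_auth_request"),
]

def correlate(events, window=timedelta(hours=24), min_signals=3):
    """For each 3DS request, collect the distinct sensitive changes made on the
    same account inside the lookback window, whatever system logged them."""
    parsed = sorted((datetime.fromisoformat(ts), acct, src, kind)
                    for ts, acct, src, kind in events)
    findings = []
    for when, acct, _, kind in parsed:
        if kind != "3ds_auth_request":
            continue
        prior = {(k, s) for t, a, s, k in parsed
                 if a == acct and k in SENSITIVE and when - window <= t < when}
        kinds = sorted({k for k, _ in prior})
        systems = sorted({s for _, s in prior})
        findings.append({
            "account": acct,
            "time": when.isoformat(),
            "signals": kinds,        # what changed before the payment
            "systems": systems,      # where each fragment was logged
            # Assumed response: ask for extra verification instead of
            # trusting a clean authentication on a freshly altered account.
            "step_up": len(kinds) >= min_signals,
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Only acct-1001 is flagged: each of its four changes sits in a different system, and none would stand out there on its own.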

The data problem runs deeper still. Static personal information, once the foundation of identity verification, is increasingly easy to obtain. Keith Groves illustrated the point with a recent real-world example: an individual arrested not for committing fraud directly, but for harvesting and selling personal details to those who would. "It doesn't take organised criminals a lot of effort to harvest and collect that data," he said. Which means that knowing who someone claims to be is no longer sufficient. The question the industry needs to ask is not who, but how. "We're shifting away from simply validating the identity to validating whether or not the action aligns with the way the consumer behaves." 

Connecting the dots

What needs to change, the panel agreed, isn't one thing: it's the underlying approach. Point-in-time controls are no longer enough. The industry needs to intervene earlier and connect more signals, because even when account takeover cannot be prevented, stopping the fraudulent transaction that follows, and protecting consumer assets, absolutely can be. 

Gallichan, whose move from HSBC to TigerGraph was itself a signal of where she thinks the opportunity lies, made the case for graph-based approaches to stitching together signals that currently sit in isolation: "Connecting the dots, across not just the data you have, but across topologies." The practical starting point, she argued, doesn't need to be a large-scale transformation. "A graph database is a really ideal solution because it does not require a very complex data stream in order to populate it. Start by just looking at payment signals and transaction signals. Just start looking at two or three things you can bring together." 
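
The "two or three things" starting point can be sketched without a graph database at all. The added example below (plain in-memory Python, not TigerGraph code and not from the session) links accounts that share a device, phone number or merchant and returns the connected groups. It assumes observations pooled across institutions; every identifier is a constructed placeholder, and the max_degree cut-off for very common attributes is an assumption.

```python
from collections import defaultdict, deque

# Constructed observations: (account, attribute seen with that account).
EDGES = [
    ("bankA:acct-1001", "device:d-77"),
    ("bankB:acct-5005", "device:d-77"),
    ("bankB:acct-5005", "phone:p-31"),
    ("bankC:acct-8008", "phone:p-31"),
    ("bankA:acct-1001", "merchant:m-900"),
    ("bankC:acct-8008", "merchant:m-900"),
    ("bankA:acct-2002", "device:d-12"),
    ("bankA:acct-2002", "merchant:m-100"),
    ("bankB:acct-6006", "merchant:m-100"),
    ("bankC:acct-7007", "merchant:m-100"),
    ("bankC:acct-9009", "merchant:m-100"),
]

def linked_clusters(edges, max_degree=2):
    """Return groups of accounts joined through shared attributes.
    Attributes seen with more than max_degree accounts (a popular merchant,
    say) are ignored so they do not glue unrelated customers together."""
    by_attr, by_acct = defaultdict(set), defaultdict(set)
    for acct, attr in edges:
        by_attr[attr].add(acct)
        by_acct[acct].add(attr)
    seen, clusters = set(), []
    for start in sorted(by_acct):
        if start in seen:
            continue
        seen.add(start)
        queue, accounts, links = deque([start]), set(), set()
        while queue:                      # breadth-first walk of one component
            acct = queue.popleft()
            accounts.add(acct)
            for attr in by_acct[acct]:
                peers = by_attr[attr]
                if not 2 <= len(peers) <= max_degree:
                    continue              # unshared or hub attribute: no link
                links.add(attr)
                for peer in peers - seen:
                    seen.add(peer)
                    queue.append(peer)
        if len(accounts) > 1:
            clusters.append({"accounts": sorted(accounts), "via": sorted(links)})
    return clusters

if __name__ == "__main__":
    print(linked_clusters(EDGES))
```

Each bank on its own sees a single account here; the three-account group only appears once the device, phone and merchant observations are joined.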

Groves was clear that the industry is already moving in this direction. Consortium models are forming, banks are beginning to pool data on specific fraud typologies, and government is increasingly playing an active coordinating role. "There's a much stronger push on our industry to use data intelligently and share it without fear in the interest of fraud prevention," he said. "We're at the start of a new phase. In 2026, despite the numbers for 2025 showing significant growth, we're at the start of how banks can join forces together in public-private partnerships to really drive that." 

Cooper brought the legal dimension into focus. The tools for data sharing already exist: provisions under the Economic Crime and Corporate Transparency Act enable peer-to-peer and third-party sharing specifically for fraud prevention purposes. The obstacle isn't regulatory, it's cultural. "Organised crime groups don't care about data restrictions going from Germany to the UK," he said. "They just share data between themselves and cross-border. We've got to use those tools that are there ready for us." 

The path ahead 

Steinhoff offered a useful reframe for how the industry should think about the shift now underway. Within 3DS itself, the conversation has already moved: from optimising frictionless rates to actively identifying and declining fraudulent transactions, and from working within a single channel to building connections across organisations and systems. That evolution, she argued, now needs to happen at scale across the broader fraud prevention ecosystem: "start thinking, start creating heat maps," she said. "Where does fraud hurt in your particular organisation the most?" 

The closing message was consistent across all four perspectives: there is no silver bullet, and anyone still waiting for one is already behind. The fraudsters iterate fast, operate without regulatory constraint, and share intelligence freely. As Cooper put it: "If we're too afraid to make mistakes, they'll always be one step ahead." 

 
