Aligned to COSO · ACFE · GAO
Updated 2026

The Fraud Prevention Playbook

A free, evidence-based playbook for fraud-ops, compliance, finance, internal-audit and security leaders. Five pillars mapped to COSO and the GAO framework, a working fraud risk assessment template, a 64-control catalog, a 10-metric KPI library, a 90-day rollout plan, a vendor rubric and a first-60-minute incident-response runbook — written to be lifted straight into your program.

Print-friendly. ~25 min read. Maintained by the GACS editorial team and reviewed against the latest ACFE Report to the Nations, FBI IC3 BEC summary, FinCEN advisories and EU/UK regulator guidance.

Executive summary

Organizations lose an estimated 5% of revenue to fraud every year (ACFE Report to the Nations). The median scheme runs for about 12 months before it is detected, and most victim organizations recover only part of the loss, if any. Most of that gap is structural, not a tooling problem. Programs that publish strong fraud numbers share four characteristics: an owner with authority, a real risk assessment, a control catalog mapped to that assessment, and a published KPI pack.

This playbook gives you all four. It is deliberately opinionated — every recommendation either appears in COSO, ACFE or the GAO framework, or maps to a specific scheme currently active in the GACS public scam registry. If a section feels overweight for your stage, run the 90-day plan and let the risk assessment trim it.

Use it like this: Read the framework. Copy the risk-assessment template into your wiki. Walk the 64 controls against your current state and produce a gap list. Adopt the KPI pack. Run the 90-day plan. Re-run the assessment annually and after every material change.

Interactive fraud risk wizard

Answer ten questions about your sector, exposure and existing controls. The wizard scores inherent risk, control maturity and residual risk, then generates a prioritised top-5 action list and a 30/60/90 day plan you can download as a Markdown brief. Everything runs in your browser — no data leaves the page.


The 5-pillar GACS Fraud Prevention Framework

Cross-referenced to the COSO Fraud Risk Management Guide principles and the GAO Framework for Managing Fraud Risks in Federal Programs (GAO-15-593SP). Lift the mapping directly into your control narrative.

Pillar 1 · COSO Principle 1 · GAO 'Commit'

Governance

A named accountable owner (Fraud Risk Officer or equivalent), a written fraud-risk policy approved at board level, and a tone-from-the-top that treats fraud as a strategic risk — not a back-office annoyance.

  • Fraud risk policy (board-approved, reviewed annually)
  • Roles & responsibilities matrix (RACI) across Finance, IT, Legal, HR, Internal Audit and Operations
  • Code of conduct with explicit fraud, conflict-of-interest and gift-and-entertainment thresholds
  • Anonymous whistleblower channel (third-party hotline + web form, retention ≥ 7 years)
Pillar 2 · COSO Principle 2 · GAO 'Assess'

Risk assessment

A repeatable, evidence-based exercise that enumerates fraud schemes by business unit, scores inherent and residual risk, and identifies the controls that close each gap. Refreshed at least annually and after any material business change (M&A, new market, new product, new payment rail).

  • Fraud taxonomy mapped to your revenue, payment and customer journeys
  • Inherent risk score (likelihood × impact) per scheme
  • Control inventory and residual risk score
  • Top-10 fraud risks register with named owners and review cadence
Pillar 3 · COSO Principle 3 · GAO 'Design & implement'

Control activities

The mix of preventive, detective and corrective controls that actually stop, surface and undo fraud. The most expensive mistake in this space is buying a tool before designing the control — every line item in the catalog below maps to a specific scheme.

  • Segregation-of-duties matrix for every cash-out path (payments, refunds, credits, write-offs, vendor master, payroll, expense)
  • Identity & access controls (MFA, conditional access, just-in-time admin, vendor MFA enforcement)
  • Transaction monitoring rules + ML models with alert disposition SLAs
  • Vendor and payee validation (callback to a previously-validated number, MFA-protected vendor portal, bank-account-name match)
Pillar 4 · COSO Principle 4 · GAO 'Design & implement' (the response plan is part of this GAO component; GAO has no separate 'Respond' phase)

Investigation & response

A documented investigation process, evidence-handling standard, and pre-agreed escalation path to Legal, Comms, Law Enforcement and Cyber-Insurance. Without it, your best detective control just generates an alert nobody knows what to do with.

  • Investigation SOP (intake, triage, evidence preservation, interview protocol)
  • Pre-built notification templates for regulators, customers and partners
  • Recovery playbooks per loss type (wire recall, chargeback rep, claw-back, civil action)
  • Lessons-learned loop that updates the risk register and control catalog
Pillar 5 · COSO Principle 5 · GAO 'Evaluate & adapt'

Monitoring & improvement

Continuous measurement of program effectiveness against KPIs that the board cares about — not vanity metrics. The benchmark you're aiming at: fraud losses as a % of revenue, detection latency, and the ratio of detected-to-reported.

  • Monthly fraud KPI pack to the executive risk committee
  • Quarterly independent assurance (Internal Audit or third party)
  • Annual external review of the program against COSO/ACFE/GAO
  • Real-time threat-intel feed from peer reports (e.g. the GACS public scam registry and ISAC channels)

12 fraud typologies hitting businesses in 2026

Ranked by 2024–2026 loss data across ACFE, FBI IC3 and the GACS public scam registry. Each entry names the scheme, who it targets in your org, the failure mode and the single control that closes it.

01

Business Email Compromise (BEC) — vendor or executive impersonation

AP, Finance, Treasury, Executive Assistants

Failure mode: Attacker takes over a real vendor's mailbox (or registers a look-alike domain), sends an 'updated bank details' email, and the next legitimate invoice is paid to the attacker's account.

Closing control: Out-of-band callback to a previously-validated number (never one supplied in the email) for every bank-detail change, dual control + 24h cooling-off on payee-master updates, and an MFA-protected vendor portal for bank changes so that email is not an accepted channel.
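
The change gate described above, written out as an added example (this is not GACS code or a GACS tool). The vendor name, phone numbers, IBAN strings and timestamps are constructed, and the VendorMaster class is a hypothetical in-memory stand-in for an ERP vendor-master table. It enforces the three controls in order: the callback must go to the number already on file, the approver must differ from both the requester and the person who made the call, and the new account only becomes payable once the 24h cooling-off has elapsed (the old, validated account is paid in the meantime, and a change can be reverted inside that window).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

COOLING_OFF = timedelta(hours=24)


class ChangeRejected(Exception):
    """Raised when a request, callback or approval violates one of the controls."""


@dataclass
class Vendor:
    name: str
    validated_phone: str   # captured at onboarding KYC, never taken from an email
    iban: str


@dataclass
class BankChange:
    vendor: str
    new_iban: str
    requested_by: str
    requested_at: datetime
    callback_number: Optional[str] = None   # number actually dialled by AP
    callback_by: Optional[str] = None
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None


class VendorMaster:
    """Hypothetical vendor-master table with the bank-detail change controls bolted on."""

    def __init__(self, vendors):
        self.vendors: Dict[str, Vendor] = {v.name: v for v in vendors}
        self.pending: Dict[str, BankChange] = {}
        self.previous: Dict[str, str] = {}        # old IBAN, still payable during cooling-off
        self.effective: Dict[str, datetime] = {}  # when the new IBAN may be paid

    def request_change(self, change: BankChange):
        if change.vendor not in self.vendors:
            raise ChangeRejected("unknown vendor: onboard through KYC first")
        if change.vendor in self.pending:
            raise ChangeRejected("a change is already open for this vendor")
        self.pending[change.vendor] = change

    def record_callback(self, vendor, number_dialled, by):
        # Dialling a number supplied in the change request itself is the classic BEC trap,
        # so only the number captured at onboarding counts as an out-of-band check.
        ch = self.pending[vendor]
        if number_dialled != self.vendors[vendor].validated_phone:
            raise ChangeRejected("callback must go to the previously-validated number on file")
        ch.callback_number, ch.callback_by = number_dialled, by

    def approve(self, vendor, approver, now):
        ch = self.pending[vendor]
        if ch.callback_number is None:
            raise ChangeRejected("no out-of-band callback recorded")
        if approver in (ch.requested_by, ch.callback_by):
            raise ChangeRejected("dual control: approver must differ from requester and caller")
        ch.approved_by, ch.approved_at = approver, now
        v = self.vendors[vendor]
        self.previous[vendor] = v.iban
        v.iban = ch.new_iban
        self.effective[vendor] = now + COOLING_OFF
        del self.pending[vendor]

    def cancel(self, vendor, now):
        """Drop an open change, or revert an approved one while it is still in cooling-off."""
        if vendor in self.pending:
            del self.pending[vendor]
        elif vendor in self.effective and now < self.effective[vendor]:
            self.vendors[vendor].iban = self.previous.pop(vendor)
            del self.effective[vendor]

    def payable_iban(self, vendor, now):
        """Account that payment release may use at `now`."""
        eff = self.effective.get(vendor)
        if eff is not None and now < eff:
            return self.previous[vendor]   # cooling-off: keep paying the old, validated account
        return self.vendors[vendor].iban


def demo():
    """Walk one constructed change through the gate and collect what each control did."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    vm = VendorMaster([Vendor("Acme Ltd", "+44 20 7946 0000", "GB00OLD")])
    vm.request_change(BankChange("Acme Ltd", "GB00NEW", "alice", t0))
    outcomes = {}
    try:   # the number quoted in the email is not the number on file
        vm.record_callback("Acme Ltd", "+44 20 7946 9999", "alice")
    except ChangeRejected as e:
        outcomes["wrong_number"] = str(e)
    vm.record_callback("Acme Ltd", "+44 20 7946 0000", "alice")
    try:   # the requester cannot approve her own change
        vm.approve("Acme Ltd", "alice", t0 + timedelta(hours=1))
    except ChangeRejected as e:
        outcomes["self_approval"] = str(e)
    vm.approve("Acme Ltd", "bob", t0 + timedelta(hours=1))
    outcomes["paid_during_cooling_off"] = vm.payable_iban("Acme Ltd", t0 + timedelta(hours=3))
    outcomes["paid_after_cooling_off"] = vm.payable_iban("Acme Ltd", t0 + timedelta(hours=26))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of keeping the old account payable during cooling-off is that the 24h window is useful only if it is also a window in which the real vendor can object; a hold on all payments tends to get waived under invoice pressure, a hold on the new account alone does not.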

02

Synthetic identity fraud

Customer onboarding, credit, lending, BNPL, fintech

Failure mode: Fabricated identities (a real SSN, often one with no credit history, combined with an invented name and date of birth) pass thin KYC, build credit for 6–18 months, then bust out.

Closing control: Multi-source identity verification (document + selfie liveness + device + bureau + sanctions), velocity rules on shared device/IP/email, deferred high-value approvals until thicker file.

03

Account takeover (ATO) via credential stuffing or session-hijack

Consumer accounts, B2B portals, vendor portals

Failure mode: Credentials leaked in third-party breaches are replayed, or a session cookie stolen by infostealer malware is reused, and the attacker drains wallets, redeems points or changes payout details.

Closing control: Phishing-resistant MFA (passkeys or hardware keys for staff and high-value users), session-binding, anomaly detection on login + sensitive-action attempts, mandatory step-up auth on payout changes.

04

Refund / promo / loyalty abuse

E-commerce, marketplaces, ride-share, food-delivery

Failure mode: Organized rings exploit lenient refund or new-user promo policies at scale, often with bot networks and synthetic accounts.

Closing control: Network-level fraud rules (shared device, shared payment instrument, shared shipping), refund-rate watchlists, customer-lifetime-value-aware policy (different thresholds for new vs trusted).
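
The network-level rules named for typologies 02 and 04 reduce to one operation: link accounts that share an attribute and look at the size of the resulting clusters. The following is an added example, not code from GACS: a union-find over shared device, IP, canonical email, card and shipping address, run over a constructed set of accounts. Two details matter in practice and are handled here: emails are canonicalised (lower-cased, '+tag' stripped) so that plus-addressed signups collide, and a constructed list of noisy IPs (a shared NAT egress, say) is excluded so that unrelated users are not linked by it.

```python
from collections import defaultdict

LINK_KEYS = ("device", "ip", "email", "card", "ship_addr")
# Constructed: addresses that many legitimate users share (office NAT, carrier-grade NAT).
# Linking on these would merge unrelated customers into one giant component.
NOISY_IPS = {"203.0.113.10"}


def canonical_email(addr):
    """Lower-case and drop a '+tag' so j.doe+1@x and J.Doe+promo@x collide."""
    local, _, domain = addr.lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(accounts):
    """Group accounts connected (transitively) through any shared linking attribute."""
    uf = UnionFind()
    seen = {}   # (key, normalised value) -> first account that presented it
    for acct in accounts:
        uf.find(acct["id"])
        for key in LINK_KEYS:
            val = acct.get(key)
            if not val or (key == "ip" and val in NOISY_IPS):
                continue
            val = canonical_email(val) if key == "email" else val.lower()
            token = (key, val)
            if token in seen:
                uf.union(seen[token], acct["id"])
            else:
                seen[token] = acct["id"]
    groups = defaultdict(list)
    for acct in accounts:
        groups[uf.find(acct["id"])].append(acct["id"])
    return [sorted(g) for g in groups.values()]


def suspected_rings(accounts, min_size=3):
    """Components at or above min_size, largest first: the review queue for a fraud analyst."""
    return sorted((g for g in link_accounts(accounts) if len(g) >= min_size), key=len, reverse=True)


# Constructed sample: a1-a2 share a device, a2-a3 a card, a3-a4 a plus-addressed email;
# a6 and a7 share only a noisy IP and must not be linked.
SAMPLE = [
    {"id": "a1", "device": "dev-1", "ip": "198.51.100.1", "email": "first@x.test", "card": "card-1"},
    {"id": "a2", "device": "dev-1", "ip": "198.51.100.2", "email": "second@x.test", "card": "card-2"},
    {"id": "a3", "device": "dev-2", "ip": "198.51.100.3", "email": "j.doe+1@example.test", "card": "card-2"},
    {"id": "a4", "device": "dev-3", "ip": "198.51.100.4", "email": "J.Doe+promo@example.test", "card": "card-4"},
    {"id": "a5", "device": "dev-4", "ip": "198.51.100.5", "email": "solo@x.test", "card": "card-5"},
    {"id": "a6", "device": "dev-5", "ip": "203.0.113.10", "email": "six@x.test", "card": "card-6"},
    {"id": "a7", "device": "dev-6", "ip": "203.0.113.10", "email": "seven@x.test", "card": "card-7"},
]

if __name__ == "__main__":
    print(suspected_rings(SAMPLE))
```

In production the same structure is built incrementally as events arrive, and the component size is one feature among several (age of the accounts, promo redemptions per component, refund rate per component) rather than the decision on its own.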

05

Payroll diversion

HR, Payroll, IT (SSO)

Failure mode: Attacker spear-phishes an employee, takes over the HRIS account, and changes direct-deposit banking details days before payroll runs.

Closing control: Mandatory MFA on HRIS, secondary out-of-band confirmation for any direct-deposit change, payroll-eve audit query that flags new bank routes added in the last 14 days.

06

Deepfake voice / video CEO fraud

Finance, Treasury, Executive Assistants

Failure mode: Cloned voice or video of the CEO/CFO on a Zoom or WhatsApp call instructs an urgent, secret wire — a 2024 case cost one Hong Kong firm $25.6M.

Closing control: Codeword challenge for any verbal payment authorization, hard rule that wires above threshold cannot be authorized over voice/video alone, callback to a known number through the normal channel.

07

Invoice fraud / fictitious vendor

AP, Procurement

Failure mode: A new vendor is added without proper validation, or an internal actor sets up a shell vendor with bank details they control.

Closing control: Vendor onboarding KYC (EIN match, bank-account-name match, address + IP + device dedup against existing vendors), mandatory segregation between vendor-master maintenance and payment release.

08

Authorized push payment (APP) scam — customer-initiated

Banks, fintechs, crypto on-ramps

Failure mode: Customer is socially engineered into sending an instant payment they will later report as fraud (pig-butchering, romance, investment, impersonation).

Closing control: Confirmation-of-payee, scam warnings keyed to destination risk score, friction on first-time large payments to high-risk wallets/IBANs/mobile-money (MoMo) numbers, suspension of new-payee transfers above threshold for 24h.

09

Insider expense / T&E fraud

Finance, HR, Internal Audit

Failure mode: Duplicate receipts, inflated mileage, personal spend on corporate cards, or collusion with vendors for kickbacks.

Closing control: Continuous-controls-monitoring queries (duplicates, weekend hotels, round-number receipts, repeat single-merchant), surprise audits, vendor-employee address/bank-account intersection scans.
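
The continuous-controls-monitoring queries named for typologies 05, 07 and 09 (and repeated in the Detect catalog) are short enough to show in SQL. The following is an added example, not GACS code: three queries run in SQLite over constructed employee, direct-deposit-change, vendor and expense rows. The first is the payroll-eve query (direct-deposit routes changed in the last 14 days), the second the vendor-employee intersection scan (shared bank account or address), the third the expense sweep (duplicate receipts, round-number amounts, weekend hotel stays). Table and column names are assumptions; map them onto your HRIS and ERP.

```python
import sqlite3

SCHEMA = """
CREATE TABLE employees(id TEXT, name TEXT, bank_acct TEXT, address TEXT);
CREATE TABLE dd_changes(emp_id TEXT, old_acct TEXT, new_acct TEXT, changed_at TEXT, changed_by TEXT);
CREATE TABLE vendors(id TEXT, name TEXT, bank_acct TEXT, address TEXT);
CREATE TABLE expenses(id INTEGER, emp_id TEXT, merchant TEXT, amount REAL, receipt_date TEXT, category TEXT);
"""

# Constructed sample rows, not real records. E1's bank route changed a week before payroll;
# vendor V2 shares a bank account and address with employee E3; E2 filed one taxi receipt twice.
SAMPLE_DATA = """
INSERT INTO employees VALUES
  ('E1','Ana Ruiz','GB99ZZZ','1 High St'), ('E2','Ben Li','GB22BBB','9 Mill Rd'), ('E3','Cy Ode','GB33CCC','4 Elm Ave');
INSERT INTO dd_changes VALUES
  ('E1','GB11AAA','GB99ZZZ','2026-03-20 08:15:00','E1'), ('E2','GB22OLD','GB22BBB','2026-01-05 10:00:00','E2');
INSERT INTO vendors VALUES
  ('V1','Northwind Supplies','GB44DDD','7 Dock St'), ('V2','Elm Consulting Ltd','GB33CCC','4 Elm Ave');
INSERT INTO expenses VALUES
  (1,'E1','Grand Hotel',500.0,'2026-03-07','hotel'), (2,'E2','Taxi Co',42.5,'2026-03-10','travel'),
  (3,'E2','Taxi Co',42.5,'2026-03-10','travel'), (4,'E3','Cafe',12.0,'2026-03-11','meals');
"""

# Typology 05: every direct-deposit route changed inside the 14-day window before the run.
PAYROLL_EVE = """
SELECT c.emp_id, e.name, c.new_acct, c.changed_at, c.changed_by
FROM dd_changes c JOIN employees e ON e.id = c.emp_id
WHERE julianday(:run_date) - julianday(c.changed_at) <= 14
  AND c.old_acct <> c.new_acct
ORDER BY c.changed_at DESC;
"""

# Typology 07: a vendor that pays out to an employee's bank account or address.
VENDOR_EMPLOYEE = """
SELECT v.id AS vendor_id, v.name AS vendor, e.id AS emp_id, e.name AS employee,
       CASE WHEN v.bank_acct = e.bank_acct THEN 'bank_acct' ELSE 'address' END AS match_on
FROM vendors v JOIN employees e
  ON v.bank_acct = e.bank_acct OR lower(v.address) = lower(e.address);
"""

# Typology 09: duplicates, round-number receipts >= 100, hotel stays on Saturday/Sunday.
EXPENSE_FLAGS = """
SELECT x.id, x.emp_id, x.merchant, x.amount, x.receipt_date, 'duplicate' AS flag
FROM expenses x JOIN expenses y
  ON x.emp_id = y.emp_id AND x.merchant = y.merchant AND x.amount = y.amount
 AND x.receipt_date = y.receipt_date AND x.id < y.id
UNION ALL
SELECT id, emp_id, merchant, amount, receipt_date, 'round_number'
FROM expenses
WHERE amount >= 100 AND amount = CAST(amount AS INTEGER) AND CAST(amount AS INTEGER) % 100 = 0
UNION ALL
SELECT id, emp_id, merchant, amount, receipt_date, 'weekend_hotel'
FROM expenses WHERE category = 'hotel' AND strftime('%w', receipt_date) IN ('0', '6')
ORDER BY emp_id, id;
"""


def run_ccm(run_date):
    """Run the three checks against an in-memory copy of the sample data; return rows per check."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    results = {
        "payroll_eve": conn.execute(PAYROLL_EVE, {"run_date": run_date}).fetchall(),
        "vendor_employee": conn.execute(VENDOR_EMPLOYEE).fetchall(),
        "expense_flags": conn.execute(EXPENSE_FLAGS).fetchall(),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, rows in run_ccm("2026-03-27").items():
        print(check, rows)
```

Each flagged row is a lead, not a finding: the payroll-eve hits go to a human who confirms the change with the employee through a channel other than the HRIS, and the vendor-employee hits go to Internal Audit rather than to the AP team that may have created the vendor.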

10

Card-not-present (CNP) fraud and friendly fraud

E-commerce, subscription, digital goods

Failure mode: Stolen card details used for digital goods (no shipment friction), or legitimate customers dispute genuine charges as 'I didn't do it'.

Closing control: 3DS 2.x with risk-based exemption strategy, device + behavioral fingerprinting, chargeback representment with order data, customer-purchase-history evidence and delivery confirmation.

11

Supply-chain / third-party software fraud

Engineering, IT, Procurement

Failure mode: Compromised dependency, malicious browser extension or weaponized vendor update siphons credentials, tokens or transaction data.

Closing control: SBOM + dependency-pinning, vendor security questionnaires with attested SOC 2 / ISO 27001, restricted browser-extension allowlist on finance endpoints.

12

Crypto on-ramp / off-ramp laundering

Crypto exchanges, fintechs offering crypto rails

Failure mode: Funds from APP scams, ransomware or sanctioned wallets converted through the platform; downstream regulator and bank-partner exposure.

Closing control: Sanctions and blacklist screening at every deposit/withdrawal (OFAC, OFSI, EU, UN; plus public scam-wallet feeds like the GACS registry), travel-rule compliance, withdrawal allowlists for retail.

Fraud risk assessment template

Copy this table into your wiki or spreadsheet and fill one row per scheme per business unit. Likelihood and impact use a 1–5 scale; inherent risk = L × I. Residual risk = inherent risk after applying the named control(s). Refresh quarterly for the top 10, annually for the rest.

| Scheme | Business unit | Likelihood (1–5) | Impact (1–5) | Inherent risk | Existing controls | Residual risk | Owner | Next review |
|---|---|---|---|---|---|---|---|---|
| BEC — vendor bank-change | AP / Treasury | 4 | 5 | 20 | Callback + dual control + 24h cooling-off | 6 | Treasurer | Q+1 |
| Synthetic identity (onboarding) | Risk / Onboarding | 4 | 4 | 16 | Multi-source IDV + liveness + bureau + device | 6 | Head of Risk | Q+1 |
| ATO via credential stuffing | Security / Product | 5 | 4 | 20 | Passkeys + bot-management + step-up auth | 6 | CISO | Q+1 |
| Payroll diversion | HR / Payroll | 3 | 4 | 12 | MFA on HRIS + payroll-eve audit query | 3 | CHRO | Q+1 |
| Deepfake CFO call | Treasury / Exec | 3 | 5 | 15 | Codeword + written approval > threshold | 3 | CFO | Q+1 |

Rows above are illustrative. Use the 12 typologies as starting schemes, then add any scheme that historically caused you a loss in the last 24 months — even if the immediate control is now in place.

The 64-control catalog

Organized by Prevent · Detect · Respond. Each line maps to one or more typologies above. Walk this against your current state, score each control as Implemented / Partial / Missing, and produce a gap list. Anything missing on a P1 typology is a control issue worth raising to the audit committee.

Prevent (22 controls)

  1. Written, board-approved fraud policy reviewed annually
  2. Named Fraud Risk Officer with budget authority
  3. Annual fraud risk assessment with refreshed top-10 register
  4. Quarterly fraud-awareness training for all staff (mandatory completion)
  5. Targeted simulated phishing + vishing + deepfake-call drills
  6. Hardware-key or passkey MFA for finance, IT and executive roles
  7. Conditional access on sensitive systems (geo, device posture, IP)
  8. Just-in-time admin (no standing privileged access)
  9. Segregation of duties matrix per cash-out path, reviewed quarterly
  10. Dual control + 24h cooling-off on vendor-master changes
  11. Dual control + callback on bank-detail or payee changes
  12. MFA-protected vendor portal for invoices and bank changes (changes requested by email refused)
  13. Customer KYC with multi-source identity verification + liveness
  14. Sanctions and PEP screening at onboarding and ongoing
  15. Confirmation-of-payee on outbound transfers
  16. Withdrawal allowlist and 24h delay on new-payee transfers above threshold
  17. 3DS 2.x with risk-based authentication for CNP
  18. Restricted browser-extension allowlist on finance endpoints
  19. Hardened email security (SPF, DKIM, DMARC at p=reject or p=quarantine with pct=100)
  20. Look-alike domain monitoring + takedown SLA
  21. Vendor risk assessment + SOC 2 / ISO 27001 attestation
  22. Dependency-pinning + SBOM for any payment-touching code
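
Controls 19 and 20 are the email-side defence against typology 01, and both are easy to claim and hard to verify. The following is an added example (not GACS code): a parser that grades a DMARC TXT record by whether it is actually at enforcement rather than merely published, and a generator for the look-alike domains worth registering or watching for a brand. The records and the brand domain acme.com are constructed; no DNS lookups are made, so to check a live domain you would feed in the TXT record from _dmarc.<domain>.

```python
def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_enforcement(txt):
    """Grade a DMARC record. 'enforced' means spoofed mail is rejected or quarantined for 100% of
    traffic on the domain and its subdomains, and reports are being collected."""
    t = parse_dmarc(txt)
    if t.get("v", "").upper() != "DMARC1":
        return "invalid", "missing v=DMARC1"
    p = t.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unknown p= tag"
    if p == "none":
        return "monitor-only", "p=none: spoofed mail is delivered, only reported"
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        return "invalid", "pct= is not an integer"
    if pct < 100:
        return "partial", f"pct={pct}: only {pct}% of failing mail is policed"
    sp = t.get("sp", p).lower()
    if sp == "none":
        return "partial", "sp=none leaves every subdomain spoofable"
    if "rua" not in t:
        return "enforced-blind", "no rua= address, so abuse reports are never seen"
    return "enforced", f"p={p} pct=100 sp={sp}"


# Substitutions that render close enough to fool a glance at the From: header.
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["l", "1"], "l": ["1", "i"], "m": ["rn"],
              "o": ["0"], "s": ["5"], "w": ["vv"]}


def lookalike_domains(domain, tlds=("com", "net", "co")):
    """Candidate look-alikes of `domain`: homoglyphs, omissions, transpositions, other TLDs,
    and the '-payments'-style suffix domains seen in vendor impersonation."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(name[:i] + sub + name[i + 1:])                 # acme -> acrne
        variants.add(name[:i] + name[i + 1:])                            # acme -> acm
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])     # acme -> came
    variants.discard(name)
    out = {f"{v}.{t}" for v in variants for t in tlds}
    out |= {f"{name}.{t}" for t in tlds if t != tld}                     # same name, other TLD
    out |= {f"{name}{s}.{tld}" for s in ("-payments", "-invoices", "-ap")}
    return sorted(out)


def is_lookalike(sender_domain, brand_domain):
    """True when an inbound sender domain is on the brand's look-alike watchlist."""
    return sender_domain.lower() in set(lookalike_domains(brand_domain))


if __name__ == "__main__":
    print(dmarc_enforcement("v=DMARC1; p=none; rua=mailto:dmarc@acme.com"))   # constructed record
    print(len(lookalike_domains("acme.com")), is_lookalike("acrne.com", "acme.com"))
```

The watchlist is the input to control 20: register the cheap ones, feed the rest to a certificate-transparency or domain-registration monitor, and match inbound sender domains against it in the mail gateway so that a look-alike vendor domain is quarantined before AP ever sees the 'new bank details' email.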

Detect (18 controls)

  1. Real-time transaction monitoring with rules + ML models
  2. Alert disposition SLA (e.g. 80% of P1 alerts triaged < 30 min)
  3. Device + behavioral fingerprinting on every session
  4. Velocity and network-link analysis (shared device/IP/email/phone)
  5. Continuous controls monitoring (CCM) on expense, vendor master, payroll
  6. Surprise audit of randomly sampled refunds, write-offs, credits
  7. Vendor-employee intersection scan (address, bank, phone)
  8. Payroll-eve query for direct-deposit changes in last 14 days
  9. Anomaly detection on logins and sensitive actions
  10. Honeytoken accounts and canary documents
  11. Threat-intel feed of fraud indicators (wallets, domains, phones, emails)
  12. Whistleblower hotline + web form with ≥ 7 years retention
  13. Anonymous tip program with non-retaliation guarantee
  14. Customer 'report fraud' channel with named SLA
  15. Quarterly red-team exercise targeting the BEC and ATO paths
  16. Dark-web monitoring for staff credentials and customer data
  17. Sanctions and blacklist re-screening on schedule
  18. Reconciliation cadence for every clearing and suspense account

Respond (24 controls)

  1. Documented investigation SOP (intake, triage, preservation, interview)
  2. Evidence-handling standard with chain-of-custody (admissible in court)
  3. Pre-agreed escalation tree to Legal, Comms, LE and cyber-insurance
  4. Wire-recall playbook (bank recall request, plus FBI IC3 Financial Fraud Kill Chain for international wires of USD 50K or more reported within 72h)
  5. Chargeback-representment playbook with required evidence pack
  6. Customer notification template (regulator-aligned)
  7. Regulator notification matrix (which, when, how)
  8. Media holding statement reviewed by Legal and Comms
  9. Account-takeover recovery flow (lock, verify, reissue, monitor)
  10. Civil recovery + asset-tracing relationships pre-agreed
  11. Cyber-insurance pre-claim notification within policy SLA
  12. Lessons-learned writeup within 30 days of every material incident
  13. Update to risk register and control catalog within 60 days
  14. Closeout reporting to executive risk committee and (where material) board
  15. Annual independent assurance review of the program
  16. Public credit + transparency report when victim-facing (optional, brand-positive)
  17. Continuous improvement: every incident closes a specific control gap
  18. Tabletop exercise run at least twice a year
  19. Coordination with peer ISACs and public scam registries
  20. Refresh tabletop scenarios from the latest 12 months of real cases
  21. Post-incident customer support funded out of fraud-loss budget, not P&L
  22. Retention of investigation artifacts per legal hold policy
  23. Document every decision and rationale (defensibility)
  24. Quarterly review of incident-response readiness

KPI library

Ten metrics — the ones executive risk committees and external examiners actually look at. Publish them monthly. Pair each with a 12-month trend line; the trend is the story.

Fraud losses as % of revenue

The number the board cares about. Benchmark: < 0.10% for mature programs, < 0.05% for top decile.

Net fraud loss after recoveries

Gross loss minus recovered funds and chargeback wins. The recovery delta is a leadership signal.

Detection latency (time from event to alert)

Target: < 15 min for transaction-level events, < 24h for control-level (e.g. vendor-master change).

Mean time to disposition (MTTD; not to be confused with mean time to detect, which is the previous metric)

Time from alert to a closed decision. P1: < 30 min. P2: < 4h. P3: same business day.

Detected:reported ratio

Of the cases that closed as fraud, what % were caught by our controls vs reported by customers? Higher = stronger.

False-positive rate

Alerts that close as not-fraud / total alerts. Watch the trend, not the absolute — a falling FP rate with a stable detection rate is the win.

Customer fraud-friction score

Conversion delta between authenticated and friction paths. Required to balance loss vs. customer experience.

Time-to-recover funds (TTRF)

Median days from confirmed fraud to recovery posted. Wire recalls in < 72h matter most.

% of staff completing annual fraud training

Target: 100% within 30 days of hire and within Q1 every year. Tie to manager OKRs.

Tabletop exercises run per year

Minimum 2; quarterly for regulated entities. Each one must produce a control-improvement ticket.

90-day rollout plan

The fastest defensible standup. Four sprints, each ending in something the board can see.

Days 1–7

Diagnostic

  • Stand up the program — name the Fraud Risk Officer, set a steering committee, agree on the COSO/ACFE/GAO alignment.
  • Pull the last 12 months of fraud loss data (gross, net, by typology, by channel) and benchmark % of revenue.
  • Inventory existing controls and tools. Identify duplicate spend.
  • Stand up an interim KPI dashboard, even if manually compiled.
Days 8–30

Risk assessment + quick wins

  • Run a structured fraud risk assessment (use the template above).
  • Ship the top-5 quick wins — usually: callback on bank-detail changes, MFA on HRIS, dual control on vendor master, look-alike domain monitoring, and a banner-warning on first-time large payouts.
  • Publish the fraud policy and announce it from the CEO/CFO.
  • Launch the anonymous whistleblower channel (third-party hotline).
Days 31–60

Build the spine

  • Implement transaction monitoring rules + ML models per the top-10 risks.
  • Roll out phishing-resistant MFA across finance, IT and execs.
  • Operationalize the investigation SOP and run the first end-to-end tabletop.
  • Sign the wire-recall, chargeback-representment and cyber-insurance playbooks.
Days 61–90

Prove it + measure it

  • Close the loop on every alert with a documented disposition; publish MTTD/FP-rate.
  • Run a red-team exercise targeting BEC and ATO paths and remediate findings.
  • Lock in the monthly KPI pack to the executive risk committee.
  • Schedule the first independent assurance review for the following quarter.

Fraud-tool vendor rubric

Eight questions to ask every vendor before signing. Buying a tool before designing the control is the single most expensive mistake in this category — these questions force the conversation back to outcomes.

Coverage of your top risks

Show me how you would have caught my 5 worst incidents from the last 12 months. If the tool can't replay history against my data, that's a no.

Latency and throughput

P50/P99 decision latency under our peak TPS. Hard fail if > 200 ms for in-line decisions on payment rails.

Explainability

Per-alert reason codes my analyst can defend to a regulator and to a customer in an adverse-action letter.

Bias and fairness review

Documented testing for disparate impact on protected classes (required under ECOA in the US; equivalent in EU/UK).

Integration cost

Days-to-first-decision, days-to-go-live, ongoing engineering load. Total cost of ownership beats list price.

Data residency and privacy

Where does our data live, who can touch it, and how do you handle DSARs, deletion and breach notification?

Independent attestation

SOC 2 Type II current, ISO 27001 current, pen-test report from the last 12 months, and a copy of the latest model-risk-management write-up.

Customer references in your shape

Three references at your scale, in your geography, in your vertical, willing to talk by phone — not just logos.

Regulatory mapping

Not legal advice. A working orientation of the major regimes a fraud program intersects with. Treat as a checklist for your counsel to refine.

United States

  • SOX §404 — fraud-related ICFR design and effectiveness; auditor opines.
  • BSA / FinCEN — AML program, SARs (file within 30 days), CTRs, CDD/Beneficial Ownership.
  • FFIEC AML/CFT Examination Manual — supervisory expectations for banks.
  • OCC Bulletin 2019-37 — fraud risk management principles for banks.
  • GLBA Safeguards Rule — protect customer information; FTC enforces non-bank financial.
  • FTC Section 5 — UDAP; pair with state UDAP statutes for class-action exposure.
  • State data-breach notification laws (50 states + DC + territories).
  • NY DFS Part 500 — cybersecurity regulation for NY-regulated financial entities (the fraud program inherits its access, monitoring and incident-notification requirements); annual certification of compliance.

European Union & UK

  • PSD2 — Strong Customer Authentication (RTS on SCA and secure communication) and liability allocation for unauthorized transactions; the PSD3 / Payment Services Regulation proposals extend this but are not yet in force.
  • EBA Guidelines on Fraud Reporting under PSD2.
  • 6AMLD — money-laundering offences harmonized; corporate liability for failure to prevent.
  • GDPR / UK GDPR — lawful basis for fraud-prevention processing (Recital 47), DPIA, breach 72h.
  • UK Economic Crime and Corporate Transparency Act 2023 — failure-to-prevent-fraud offence for large organisations, in force 1 September 2025.
  • FCA SYSC and PRIN — adequate systems and controls; consumer-duty alignment on APP scams.
  • Pay.UK / PSR — Confirmation of Payee (Pay.UK) and the PSR's mandatory APP-scam reimbursement rules on Faster Payments (in force 7 October 2024).

APAC, Canada, LATAM, MEA (highlights)

  • Canada — FINTRAC PCMLTFA program; CASL; provincial breach notification.
  • Australia — AUSTRAC AML/CTF Act; ASIC RG 271 internal dispute resolution; ePayments Code.
  • Singapore — MAS Notice 626 (AML/CFT for banks); MAS/IMDA Shared Responsibility Framework on phishing scams (in force December 2024).
  • Hong Kong — HKMA Supervisory Policy Manual on financial-crime risk management.
  • Brazil — Bacen Resolution 4,893 (cybersecurity); LGPD breach notification.
  • UAE — Central Bank Consumer Protection Regulation; Federal AML Decree-Law 20/2018.

Incident-response runbook

The first 60 minutes decide the recovery. Print this section, put it in the war-room binder, and rehearse it twice a year.

0–15 min

Contain

  • Confirm scope: which accounts, which rails, how much, since when.
  • Lock the affected accounts (no write actions), revoke active sessions and tokens, and rotate credentials.
  • Notify the on-call investigations lead and start the incident channel.
  • Begin evidence preservation: logs, mailbox forensics, payment audit trail.
15–60 min

Recall + report

  • Outbound wire: call your bank's fraud desk and ask them to initiate a SWIFT recall (a cancellation request against the original MT103, or gpi stop-and-recall). For US-originated international wires of USD 50K or more, file with the FBI IC3 within 72h so the Financial Fraud Kill Chain can be invoked; those are its eligibility criteria, and recovery odds fall sharply after the first 72h on any rail.
  • Card: open a chargeback / fraud claim with the acquirer.
  • Crypto: contact the receiving exchange's compliance team; share the tx hash and your case ID; add wallet to internal blocklist and report to public scam registries.
  • Notify cyber-insurance per policy SLA (often < 24h to preserve coverage).
1–24 h

Investigate + notify

  • Forensic timeline: how did they get in, what did they touch, what did they exfiltrate.
  • Decide notification obligations: regulators, customers, partners, law enforcement.
  • Pre-positioned customer + media holding statements approved by Legal and Comms.
  • Open law-enforcement case (FBI/Secret Service, NCA, local cybercrime unit).
1–30 days

Recover + close

  • Civil recovery + asset tracing through pre-agreed counsel.
  • Issue customer notifications and process reimbursements per policy.
  • Lessons-learned writeup within 30 days; control-improvement tickets opened.
  • Update risk register, control catalog, training and tabletop scenarios.

Templates & further reading

Everything else GACS publishes that this page leans on. All free.

Want this as a single PDF formatted for board distribution? Email the GACS editorial team and we'll send the latest cut.

Frequently asked

What's the difference between a fraud prevention playbook and a fraud risk management framework?

A framework (COSO, ACFE, GAO) names the principles. A playbook turns those principles into the specific policies, controls, KPIs and runbooks your team can execute on Monday morning. This page is the playbook, mapped explicitly to those three frameworks so internal audit and external examiners can trace the lineage.

Is this playbook free? Can we adapt it for our company?

Yes and yes. The page is free to read, share and adapt under the GACS open-content terms (attribution requested). The templates above — risk assessment, control catalog, KPI pack, runbook — are written to be copied into your internal wiki and tuned. Many regulated customers use it as the starting skeleton for the fraud chapter of their ICFR or AML program.

How is GACS qualified to write this?

GACS runs one of the largest public scam registries on the internet and trains practitioners through the Certified Anti-Fraud Specialist (CAFS), Certified Fraud Prevention Specialist (CFPS) and AML programs. The playbook reflects what's actually being seen in 2026 reports across the registry, not generic advice copied from a 2018 white paper.

How does this align to COSO, ACFE and GAO?

Each of the five pillars cross-references the corresponding COSO Fraud Risk Management Guide principle and GAO Framework for Managing Fraud Risks in Federal Programs (GAO-15-593SP) phase. Internal audit can lift the mapping table directly into a control narrative.

Where do we start if we have nothing today?

Run the 90-day plan above. Days 1–7 give you a defensible baseline. The week-2 quick wins (callback on bank changes, MFA on HRIS, dual control on vendor master, look-alike domain monitoring, banner warning on first-time payouts) typically pay for the entire program inside the first quarter.

How does this differ from a SOC 2 or ISO 27001 program?

SOC 2 and ISO 27001 are information-security frameworks. They overlap with fraud prevention (access control, change management, monitoring) but do not cover transaction-level fraud, payee validation, BEC defense, vendor master integrity, or insider expense schemes. A mature org runs the two in parallel, with a shared controls library.

Do you provide certification or training for our team?

Yes. The free GACS academy includes the cyber-fraud certification, AML course and an OSINT track. The paid diploma tracks (CBI, CFPS, SCS, CAIL, OIA, LLM Engineering for Fraud) are designed for full-time fraud, AML and intelligence professionals.

Can GACS monitor scams targeting our brand or customers?

Yes — Guardian is the organization-grade monitoring product. It watches the public scam registry, look-alike domains, deepfake mentions and fraud chatter for your brand, and surfaces high-confidence alerts. Pair it with the run-book above and you close the gap between detection and response.

Run this playbook with GACS

Most teams adopt the playbook in 90 days. GACS can compress that to 30 with embedded threat intelligence from the public scam registry, a Guardian deployment that monitors your brand, wallets and domains in real time, and certification for your fraud, AML and security teams.


Cite this page / Press kit

Journalists, researchers and educators are welcome to cite this page. Use the permalink below or copy a ready-made citation.

Permalink: https://gacs.app/fraud-prevention-playbook
APA

GACS. (2026). GACS Fraud Prevention Playbook (2026). GACS — Global Anti-Crime & Safety. Retrieved June 24, 2026, from https://gacs.app/fraud-prevention-playbook



Maintained by the GACS editorial team. Aligned to the COSO Fraud Risk Management Guide, the ACFE Fraud Risk Management Guide, and the U.S. GAO Framework for Managing Fraud Risks in Federal Programs (GAO-15-593SP). Reflects 2024–2026 data from the ACFE Report to the Nations, FBI IC3, FinCEN advisories, the EBA, the FCA and the live GACS public scam registry. Not legal, accounting or investment advice — use as the starting skeleton for your program and pair with your counsel and auditors.