The Conversation Layer: The Fraud Signal Your Stack Is Missing

Dr. Sarah Nkemelu · · 9 min read
Abstract concept showing the conversation layer between fraudster and victim in payment systems

Most PSP fraud stacks are instrumented well at the transaction layer and improving at the behavioural layer. Transaction monitoring catches velocity and counterparty anomalies. Behavioural analytics flags unusual device contexts and navigation patterns. Both operate on data generated by your systems — payment instructions, session metadata, account state.

Neither sees the conversation that happens before any of that data is generated. That gap is fundamental to why APP fraud persists at the rate it does, and why transaction-layer improvements alone won't shift the reimbursement curve significantly. The attack does not happen on your platform. It happens in a conversation channel you have no native access to — WhatsApp, Telegram, email, phone. By the time the victim opens your app to make the transfer, the social engineering is complete.

What the Conversation Layer Is

The conversation layer is the sequence of communications between a scammer and a victim that precedes and directs the APP transfer. It's not a technical abstraction — it's literally the WhatsApp thread, the email chain, the series of phone calls, or the scripted chat on a fake investment platform that constructs the victim's belief that the transfer is legitimate.

This layer has structural characteristics that are distinct from casual communication. It follows a purposive narrative arc. It contains specific instructions: where to send money, how much, what reference to use, what to say to the bank if challenged. It often includes counter-fraud coaching — explicit instructions telling the victim how to respond if their bank asks questions ("just say it's a personal transfer," "don't mention the investment or they'll flag it"). It has timing patterns that differ from genuine relationships.

What we're building toward is the ability to detect those structural characteristics and generate a signal that enriches the payment risk score before the transfer happens. The conversation layer is observable — it just requires getting into the conversation at the right time.

Why Existing Fraud Tools Don't Reach the Conversation Layer

Transaction monitoring is designed to answer: does this payment look anomalous relative to what we know about this account and its counterparties? It's well-suited to detecting fraud where the payment itself is unusual — card-not-present fraud, account takeover, mule account recycling. It's poorly suited to detecting fraud where the payment instruction is entirely consistent with the account owner's behaviour but the context behind the instruction has been manufactured.

Behavioural analytics — device fingerprinting, session behavioural biometrics, navigation flow analysis — extends detection into the interaction layer. It can detect when someone else is controlling the account. It cannot detect when the genuine account holder is making a fully authenticated, intentional transfer at the direction of a fraudster they believe is legitimate.

Machine learning classifiers trained on historical fraud patterns face an adversarial adaptation problem: the features they learned to detect get designed out of new scam campaigns. Investment scam patterns look different from romance scam patterns; courier fraud looks different from HMRC impersonation. The conversation layer, by contrast, has consistent structural signatures that persist across campaign types — because the social engineering psychology doesn't change even when the narrative does.

The Signal Structure of a Scam Conversation

When we analyse the conversation patterns across different APP fraud types, certain structural elements appear consistently enough to constitute reliable signal.

Urgency injection is present in nearly all cases. A deadline is manufactured — the offer expires tonight, the window closes at end of week, a penalty applies if the transfer is delayed. Genuine investment advisers, genuine HMRC officers, genuine delivery companies do not operate on these timelines. The urgency is designed to suppress deliberation.

Counter-fraud coaching appears with high frequency in industrialised scam operations. Victims are explicitly told what to say to their bank. This is a strong signal — a legitimate party has no reason to instruct you on how to talk to your financial institution about the transaction.

Platform migration pressure is common in investment scams and romance scams. The initial contact happens on a platform where the scammer has built social proof (LinkedIn, Instagram), and then the victim is migrated to a communication channel where record-keeping is lower and the scammer has more control (WhatsApp, Telegram, a proprietary "investor platform"). Each migration represents a deliberate reduction in the victim's access to verification signals.

Message cadence shows a distinctive pattern in scripted operations: response times that are unusually consistent (suggesting automation or script lookup), followed by periods of silence designed to create anxiety before re-engagement. Genuine human relationships don't have that rhythm.

How a Honeybot Operates in This Layer

A honeybot is not a passive observer. It enters the conversation. When a PSP's fraud signal pipeline — whether from a customer report, a flagged payment instruction, or an incoming alert about a suspected mule account — triggers a review, the honeybot can be deployed into the communication channel associated with that fraud suspicion.

The honeybot doesn't announce itself. It engages with the suspected scammer using contextually appropriate responses that probe the narrative. For an investment scam scenario: it asks clarifying questions about the platform, the return structure, the regulatory registration. It introduces mild hesitancy — "I need a few days to move the funds" — to observe whether urgency pressure is applied. It requests documentation that a legitimate investment opportunity would have readily available.

The scammer's response pattern across that interaction generates a fingerprint: the specific language used to handle objections, the timing of responses, the documentation provided (or not provided), the escalation tactics deployed when the target hesitates. That fingerprint gets compared against known campaign profiles. A high-confidence match on an active investment scam campaign triggers an alert on the associated pending transfer.

We want to be precise about what this does and doesn't catch. A highly personalised, human-operated scam where the scammer is genuinely responsive and adapts to the honeybot's probing is harder to fingerprint accurately. The strength of the approach is against industrialised operations — where the same scripts run against hundreds of victims and the fingerprint is consistent. That's where the volume is.

What This Means for Fraud Ops Triage

The practical output of conversation-layer intelligence is an enriched signal, not an automated block. When a pending APP transfer has a honeybot engagement attached to it that matched a known investment scam campaign profile, the fraud ops queue entry looks different: it includes a confidence score, the matched campaign type, the extracted fingerprint elements that matched, and the flagged conversation elements (urgency phrases used, counter-fraud coaching instructions identified).

That enrichment changes how a human fraud analyst approaches the review. Instead of calling the customer and asking a generic "is this payment expected?" question — which a coached victim will answer affirmatively with full conviction — the analyst can ask specific targeted questions that probe the legitimacy of the investment entity, the source of the relationship, the communication channel used. The conversation-layer context allows the analyst to investigate rather than just verify.

This is the shift that matters for PSPs trying to reduce reimbursement exposure. Not automated blocking — which carries customer experience costs and regulatory risk of its own — but enriched human review that reaches further back into the fraud kill chain than payment instruction data alone can go.

The Stack Gap Is Not Fixable From Within the Stack

We hear fairly often from PSP fraud teams that they're "adding more ML models" to improve APP detection. We understand the instinct — the tooling is there, the data is there, and iterative model improvement is tractable. We're not saying ML models are not part of the solution. We're saying that models trained on payment-layer data will have a fundamental ceiling on APP fraud detection because the most informative signal — what was said to the victim before the transfer — is not in the payment-layer data.

The conversation layer is a different problem domain. The signal is linguistic, behavioural, and temporal rather than financial and transactional. The tooling that captures and analyses it is different from what sits in a standard fraud ops stack. Closing the gap requires either a direct integration with communication platforms (which raises significant RIPA and data protection questions that need to be worked through carefully) or an approach like honeybot engagement that creates observable conversation data from the fraud side rather than the victim side.

PSP fraud operations have steadily improved their post-transaction recovery rates and their friction mechanisms. The next frontier is pre-conversation-completion signal — catching the attack before the victim makes the transfer decision, not after it.