I Was Nearly Scammed — And We Build Financial Crime Prevention Systems for Banks
I am the founder and CEO of a RegTech company that builds real-time transaction monitoring platforms for banks. Our technology helps financial institutions detect fraud, money laundering, and financial crime as it happens. I am 45 +years old, I have spent nearly a decade in this industry, and I have overseen sizable implementations across multiple countries.
And I was nearly scammed.
If it can happen to me, it can happen to anyone. That is not a cliché. It is a fact that should keep every bank executive, every compliance officer, and every fintech founder awake at night.
What Happened
I was returning to London from a Connecticut Bankers Association event. Due to a series of disruptions — a delayed flight, a missed connection, and the classic ping-pong between two airlines refusing to take responsibility — I found myself stranded overnight in Atlanta, out of pocket, and increasingly frustrated.
I had tried everything. I called my airline. I called the other airline. I went to the airport counters. Nobody could help. Every agent pointed at a different system, a different airline, a different department. After hitting a wall, I did what many do — I posted my complaint on airline's X (Twitter) account.
Within thirty minutes, I received a message from what appeared to be airline’s "Experience Service Team," complete with the airline logo. They asked the best number to reach me (first signal). Now, given that airline's own systems had proven incapable of handling my booking — and that a separate team reaching out seemed entirely plausible — I gave it to them.
A well-spoken person called me, listened sympathetically, and told me the airline would like to apologise and process a refund. After hours of being treated like an afterthought, suddenly someone was being helpful. I was relieved. I was sitting in the AT Lounge at the airport, exhausted, and ready to put this behind me.
The caller asked me to download an application to process the refund. It was from the Apple Store. Apple validates its apps, I thought. So I downloaded it.
It was only when the caller asked me to double click on the side (activate apple pay) the application — his hands figuratively outstretched, waiting for the money — that I woke up. I said no. I hung up.
I was minutes away from losing money to a scam that was specifically engineered around my emotional state and my frustration with a legitimate company.
Why I Was Vulnerable
Let me be direct about what made me a target. It was not ignorance. It was not a lack of technical knowledge. It was psychology.
I was physically exhausted after a transatlantic trip gone wrong. I was frustrated after hours of being passed between agents who could not help. And I was in a rush to resolve things before my next flight.
That combination — fatigue, frustration, and urgency — is precisely the cocktail that scammers exploit. The research is clear on this: vulnerable people are not just the elderly or the digitally illiterate. They are anyone in a heightened emotional state. People who have recently lost someone. People in financial difficulty. People in physical pain. People in a hurry.
On that day, I was several of those at once.
What Made the Scam Convincing
This was not a clumsy phishing email. It was a sophisticated, real-time social engineering attack that exploited specific weaknesses in how a large corporation interacts with its customers.
The airline's own failures created the opening. Because the airline’s legitimate systems were unable to resolve my problem — because every agent blamed a different system or a different airline — it was entirely believable that a separate team would reach out through a different channel. The dysfunction was the disguise.
The corporate digital strategy enabled it. Companies today spread their customer interactions across multiple apps, multiple channels, and multiple platforms. When a customer is already accustomed to downloading one app for bookings, another for check-in, and another for loyalty points, being asked to download yet another app does not feel unusual.
The complaint was public. My X post contained enough detail for any scammer to understand my exact situation and pose as someone who could fix it.
What Happened When I Tried to Help
After I realised what had happened, I called the airline’s call centre back. I told them, clearly, that their customers were being scammed in real time. I was not calling about my seat or my refund. I was calling to report an active fraud operation targeting their brand.
The airline did not have a process to follow. I repeated myself. The agent said he could not do much about the scam report. I asked to be escalated. Forty minutes later, a manager told me I could send a complaint email. I said this was not a complaint — people were being scammed at that very moment. Could he send an internal emergency notification? He told me his email and mine would arrive at the same place at the same time.
I did the responsible thing. I escalated to the best of my abilities. Whether anything was done on the other end, I genuinely do not know.
This is not just a failure of customer service. It is a failure of institutional design. Complaints management exists not as a bureaucratic formality but as a company's strongest line of defence. It is the mechanism through which real threats are identified and acted upon. When it is reduced to a complaints@company.com email address, it becomes theatre.
The Bigger Picture: Trust Is the Real Casualty
This experience is not unique. When I shared what happened with people around me, the stories came flooding in. Friends, colleagues, family — across the US and the UK — many had similar experiences or knew someone who did. There is an epidemic of social engineering fraud in our societies, and it is growing.
Here is what concerns me most: this is not just a financial crime problem. It is a trust problem. And trust is the invisible infrastructure that advanced economies are built on.
The reason we can transact online, open bank accounts remotely, send money to strangers, and conduct business across borders is that we have built systems of trust — regulatory frameworks, institutional reputations, digital verification — that allow us to do so without a commercial contract for every interaction.
When that trust erodes, the consequences are not abstract. People stop using online banking. They stop diversifying their financial relationships. They revert to in-person transactions, cash, and the narrow circle of institutions they already know. That is not progress. That is regression.
And that — not the way people pray or the language they speak — is the real differentiator between thriving economies and stagnant ones. Once a society crosses the trust threshold, commerce accelerates, innovation flourishes, and collective activity expands. When trust is attacked, all of that contracts.
What Financial Institutions Must Do
This is where I put on my other hat — the one I wear every day at EyesClear. Because while the scam I experienced originated with an airline, the money ultimately flows through banks and fintechs. The accounts that receive stolen funds are mule accounts, and detecting them is a responsibility that the financial industry cannot afford to treat as optional.
For Every Organisation That Interacts With Customers
Listen when customers signal trouble early. If a customer calls proactively, willing to pay to prevent a disruption, listen. Do not wait until the situation deteriorates. That gamble costs both sides more.
Secure or shut down your social media channels. If your corporate X or Facebook account cannot be monitored for impersonation in real time, put it in bold letters: this is a one-way communication channel. Better yet, consolidate to a single, secure app for all customer interactions.
Empower your frontline teams. If your service agents cannot actually resolve problems, do not put them in front of customers. Every interaction where an agent says "the system won't let me" opens a door for a scammer who says "I can fix that for you." There must always be someone powerful enough to make wrongs right.
Take scam reports seriously. Do not redirect them to a complaints email. Create a dedicated, urgent process. When a customer tells you their fellow customers are being targeted, treat it like the emergency it is.
Close the loop on open cases. If a complaint or case is opened, communicate immediately — even if only to say "we are looking into it." Silence is an invitation for scammers to fill the void with their own follow-up.
For Banks and Fintechs: Detecting the Mule Accounts
The fraud I nearly fell victim to does not end with the social engineering. It ends when money moves into an account controlled by criminals. That account is a mule account, and detecting it is where financial institutions have both the opportunity and the moral obligation to act.
Here are the signals every transaction monitoring and channels team should be watching for:
Application-level signals. Is the app being accessed from multiple IP addresses simultaneously? Has the user disabled biometric authentication like Face ID — and if so, why is that even allowed by default? Is only basic information being validated at onboarding — name and address with no deeper verification?
Behavioural signals. Is the password pattern consistent with known compromised credentials? Is this a newly opened account receiving its first inbound payment from an unusual source? Is the account showing patterns consistent with rapid fund forwarding?
The first-transaction rule. The first outgoing payment from any new account should require voice validation. The days of fully automated, zero-human-contact onboarding and transaction processing are over — or they should be. Know Your Customer is meaningless if you do not also Know Your Customer's Counterparty.
The Moral Argument
I want to be clear about something. Whether or not regulators mandate every one of these controls, financial institutions have a moral responsibility to implement them.
People are vulnerable. Not sometimes — always. All of us, at some point in our lives, will be tired, stressed, grieving, rushed, or in pain. The question is not whether your customers will be targeted in those moments. They will. The question is whether your institution will be part of the defence or part of the problem.
Every mule account that goes undetected is not just a compliance failure. It is a real person's money, earned through real work, transferred under duress to a criminal who will never be held accountable. Behind every successful scam is someone who trusted the system — trusted their bank, trusted the app store, trusted the brand on the other end of the message — and was failed by all of them.
Banks and fintechs sit at the one point in the chain where intervention is still possible. The social engineering has already happened. The victim has already been manipulated. But the money has not yet disappeared. It is sitting in a mule account, waiting to be forwarded. That is the window. That is where detection, monitoring, and rapid response can still prevent harm.
If financial institutions fail to catch those accounts — if they make it easy for scammers to receive and move stolen funds through frictionless, zero-oversight processes — they are complicit in the harm, regardless of what the letter of the law says. Compliance is not a checkbox. It is a covenant between an institution and the people who trust it with their money.
And if that covenant breaks — if people lose trust in digital financial services — they will retreat. They will consolidate their banking into one or two relationships they already know. They will move transactions offline. They will do less, collectively. Innovation slows. Commerce contracts. The digital economy that benefits everyone — banks included — begins to shrink.
This is not a hypothetical. It is already happening. People are already hesitating before making online payments. They are already questioning whether the person on the other end of a message is real. Every successful scam makes the next legitimate interaction harder for every legitimate business. The cost of eroded trust is not measured in individual losses. It is measured in the collective activity that never happens because people no longer feel safe.
A Note to Myself
As Alan Watts once said: learn to let go. I have taken that to heart.
But I have also taken a practical lesson: book flights directly with the operator, never through agents or partner networks. And when something feels off — even when you are exhausted, even when you want it to be true — stop. The moment you feel relief that someone is finally helping, that is the moment to be most alert.
We build systems to catch financial crime. But systems are only as strong as the institutions willing to use them, the teams empowered to act on them, and the society that demands they exist.
That is why we do what we do at EyesClear. Not because the regulations require it — though they do. But because the alternative is a world where trust dies, and with it, everything we have built together.
Why We Built EyesClear
We build systems to catch financial crime. Not in overnight batch runs that surface alerts the next morning, but in real time — as the money moves. Because the window between a scam succeeding and the funds disappearing is measured in minutes, not days. A system that tells you about a mule account tomorrow morning is a system that tells you too late.
That is why EyesClear exists. We give banks the ability to detect suspicious patterns as transactions flow, to investigate with full context in seconds, and to act before the money is gone. We do this not because the regulations require it — though they do. We do it because every transaction that passes through a bank carries with it someone's trust. And that trust is not ours to waste.
If you are a compliance officer, a bank executive, or a fintech founder reading this — ask yourself honestly: if one of your customers was sitting in an airport lounge, exhausted and frustrated, and a scammer tricked them into sending money to an account at your institution, would your systems catch it? In real time? Before the funds were forwarded?
If the answer is not a confident yes, we should talk.
Erkin Oksel is the CEO of EyesClear Ltd, a RegTech company headquartered at Level39, Canary Wharf, London. EyesClear provides real-time AML transaction monitoring, compliance intelligence, and case management platforms for banks and financial institutions worldwide. Learn more at eyesclear.com.