February's monthly fraud report shines a light on the growing threat in this space, where even when documents look real, the data may not be.
In this series, we look at the document types submitted most often each month and the threat that high-risk versions of those documents pose to the business communities we serve across all industry types.
From bank statements to payslips, certificates to invoices and across finance, fintech, gaming and insurance, here are a few trends and examples to keep an eye on this month.
What we analysed
Across February, the majority of documents processed fell into these top five categories:
Bank statements - 49.81%
Invoices - 22.04%
Payslips - 11.55%
Utility bills - 7.08%
Tax documents - 3.77%
This matters.
Because these are exactly the documents most businesses still rely on for:
affordability checks
proof of address
source of funds
onboarding decisions
And they’re also the easiest to manipulate without breaking visual authenticity.
Where bank statements are coming from
The highest volume of bank statements came from:
Lloyds - 8.07%
HSBC - 7.67%
Barclays - 6.74%
NatWest - 5.35%
Santander - 3.38%
Followed by digital-first banks:
Monzo - 2.63%
Revolut - 1.97%
Clearbank - 1.64%
Starling - 1.59%
Nothing surprising here; these reflect market share.
But fraud doesn’t follow volume.
Where the risk actually is
When we isolate high-risk flags on bank statements, the distribution shifts:
Barclays - 8.04%
Lloyds - 7.91%
HSBC - 6.55%
NatWest - 6.13%
And then:
Monzo - 2.32%
Santander - 2.10%
Metro Bank - 2.03%
Revolut - 1.84%
Halifax - 1.34%
Clearbank - 1.30%
Starling - 1.14%
Examples identified in February '26
1. Transaction removal on a Metro Bank statement
Fraudsters are increasingly removing data rather than adding it.
One case identified three versions of the same Metro Bank statement, where:
the end of the transaction table had been cut
unpaid direct debit charges were removed
balances remained internally consistent

This passes most manual checks.
2. Cross-border identity manipulation
We identified a household composition certificate where:
the address was changed from Spain to Belgium
formatting remained intact
no obvious visual anomalies

This isn’t document fraud in the traditional sense.
It’s data relocation inside legitimate templates.
3. Full Lloyds bank statement reconstruction
A more advanced case:
Original Lloyds statement: £3k closing balance (November)
Edited version: £23k closing balance (January)

To make this believable, the fraudster:
rewrote transaction tables
adjusted dates
aligned balances throughout
This isn’t a simple edit.
It’s a synthetic rebuild of financial history.
4. AI-assisted document generation
We’re now consistently seeing documents edited using tools like ChatGPT.
In February, this included:
payslips modified via generative AI
formatting preserved
inconsistencies pushed into areas humans don’t check (metadata, structure, encoding)

AI is here, folks. Ensure you are safeguarding against it.
Why manual checks miss
From our previous analysis:
Manual review focuses on:
layout
logos
spelling
surface-level consistency
But modern fraud lives in:
metadata
document structure
font encoding
hidden layers
version history
You can’t see those.
And increasingly, fraudsters know that.
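As an added illustration (not code from this report or its tooling), the sketch below checks two of the non-visual layers listed above, metadata and version history, assuming the submitted document is a PDF. The function names, flag names and sample byte strings are constructed for this example.

```python
import re

# Matches a PDF literal string value such as /Producer (Some Tool).
INFO_STRING = rb"/%s\s*\(((?:\\.|[^\\)])*)\)"

def info_values(data: bytes, key: bytes) -> list:
    """All values of an Info key in file order (oldest revision first)."""
    return [v.decode("latin-1") for v in re.findall(INFO_STRING % key, data)]

def edit_signals(data: bytes) -> list:
    """Return structural flags suggesting the file was edited after creation."""
    flags = []
    revisions = data.count(b"%%EOF")
    # Linearized ("fast web view") files legitimately carry /Prev, so skip them.
    linearized = b"/Linearized" in data[:1024]
    # An incremental save appends a new trailer that points back via /Prev.
    if re.search(rb"/Prev\s+\d+", data) and not linearized:
        flags.append(f"incremental_update:{revisions}_revisions")
    if len(set(info_values(data, b"Producer"))) > 1:
        flags.append("producer_changed")
    created = info_values(data, b"CreationDate")
    modified = info_values(data, b"ModDate")
    if created and modified and created[-1] != modified[-1]:
        flags.append("modified_after_creation")
    return flags

# Constructed samples: trailer-shaped byte strings, not complete valid PDFs.
ORIGINAL = (
    b"%PDF-1.7\n1 0 obj\n<< /Producer (Example Statement Engine) "
    b"/CreationDate (D:20260105090000Z) /ModDate (D:20260105090000Z) >>\nendobj\n"
    b"trailer\n<< /Size 2 /Info 1 0 R >>\nstartxref\n9\n%%EOF\n"
)
EDITED = ORIGINAL + (
    b"1 0 obj\n<< /Producer (Example Desktop Editor) "
    b"/CreationDate (D:20260105090000Z) /ModDate (D:20260212214500Z) >>\nendobj\n"
    b"trailer\n<< /Size 2 /Info 1 0 R /Prev 9 >>\nstartxref\n180\n%%EOF\n"
)

if __name__ == "__main__":
    print("original:", edit_signals(ORIGINAL))
    print("edited:  ", edit_signals(EDITED))
```

An empty result is not proof of authenticity: a statement rebuilt from scratch and exported once has a single revision and matching dates, so these flags are one input alongside content and cross-version checks.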
Most of what we flagged this month wasn’t obvious or poorly executed; it was clean, internally consistent, and built to look exactly how a genuine document should. Transactions weren’t being added; they were being removed. Balances weren’t roughly edited; they were rebuilt properly, and documents weren’t clumsy attempts.
This shows the shift we’re seeing: fraud is no longer trying to beat manual checks, it’s designed to fit within them. The real risk isn’t what gets declined, it’s what gets approved with confidence, and if February is anything to go by, the gap between what looks fine and what actually is fine is continuing to widen.



