
ACI Blog

Catching scams while the call is still live: JT’s Damian Di Carlo on the telco signal banks are missing

JT’s Damian Di Carlo on why the signal that stops a scam is often not in the payment alone, but in the call happening beside it.

A customer is on the phone. On the other end is someone calm, plausible, and patient, walking them step by step toward moving their savings into what they have been told is a safe account. To the bank, most of that context is invisible. It sees a payment instruction from a logged-in customer on a familiar device, and it looks entirely ordinary. The call shaping that instruction sits outside the bank’s view.

Damian Di Carlo has built his work around that gap. He is a technical account manager at JT, the Jersey-based operator that sits across telecoms and identity, and he has spent sixteen years in and around payments. His argument is that one of the most useful signals banks have is not the one they have been trained to look for. It is not static telco data at all. It is the call in progress, and much of that context remains underused.

What the payment alone cannot show

Telco data is often treated as static, Damian says: who owns a number, how long a SIM has been active. JT’s argument is that the better clue is often not in those attributes alone. It is in the call happening right now. Its Scam Signal capability is built on combining real-time telephony data with a payment event as it occurs, rather than reconstructing what went wrong after the money has gone. This is not call monitoring. The point is to know that a call is taking place at the same time as the payment, and that the surrounding network pattern looks risky.

The missing fact is a simple one: the customer is on a call at the very moment they are being talked into moving money. The network can see whether a call is present, how long it has lasted, and whether it is incoming or outgoing. The bank sees only the payment instruction. JT says those patterns correlate strongly with scams when they are read in real time, which is the difference Damian wants banks to act on: stepping in while the scam is happening, not reconstructing it afterwards.

Why static defenses are not enough

Ask what actually works against SIM swap and number spoofing, and Damian starts with what does not. The lesson, he says, is blunt: one check on its own is rarely enough. The stronger approaches read telecom signals alongside the payment, the device and the customer’s behavior, in real time. Standardized APIs, particularly those coming out of the GSMA’s Open Gateway initiative, are a good example, letting a bank query something like a recent SIM swap in real time and set it against device or behavior data.

Those signals only start to matter when they are read together. A SIM swap on its own may be a weak indicator, because fraudsters adapt quickly. The same SIM swap alongside unusual account behavior is a different matter. That is why JT’s model leans toward combining several network signals with live transaction context rather than treating a SIM swap as a single risk flag.
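An added example, not JT's Scam Signal, a GSMA Open Gateway API or anything taken from the interview, sketching how a fraud decision might combine the signals described in the last two sections: live call state and a recent SIM swap score low on their own and escalate only alongside payment or behavior context. Every field name, weight and threshold is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All names, weights and thresholds below are illustrative assumptions.
LONG_CALL_S = 300        # call length treated as "sustained"
SIM_SWAP_WINDOW_H = 72   # how recent a SIM swap must be to count
HIGH_VALUE = 1000.0      # payment amount treated as high value

@dataclass
class Telco:             # hypothetical network snapshot taken at payment time
    call_in_progress: bool
    call_duration_s: int
    incoming: bool
    sim_swap_hours_ago: Optional[float]  # None: no recent swap reported

@dataclass
class Payment:
    amount: float
    new_payee: bool
    known_device: bool
    unusual_behaviour: bool

def assess(p: Payment, t: Optional[Telco]):
    """Return (decision, reasons); single signals score low, combinations escalate."""
    hits = []  # (points, reason)
    risky_payment = p.new_payee and p.amount >= HIGH_VALUE
    if risky_payment:
        hits.append((1, "high_value_new_payee"))
    if t is None:
        # Telco lookup unavailable: decide on payment context alone, but record it.
        hits.append((0, "telco_unavailable"))
    else:
        if t.call_in_progress:
            hits.append((1, "call_in_progress"))
            if t.incoming and t.call_duration_s >= LONG_CALL_S:
                hits.append((2, "long_incoming_call"))
            if risky_payment:
                hits.append((2, "payment_during_call"))
        recent_swap = (t.sim_swap_hours_ago is not None
                       and t.sim_swap_hours_ago <= SIM_SWAP_WINDOW_H)
        if recent_swap:
            hits.append((1, "recent_sim_swap"))
            if p.unusual_behaviour or not p.known_device:
                hits.append((2, "sim_swap_plus_anomaly"))
    score = sum(points for points, _ in hits)
    decision = "hold" if score >= 5 else "step_up" if score >= 3 else "allow"
    return decision, [reason for _, reason in hits]
```

Logging the reasons list with each decision lets a fraud team see which combination fired and tune the weights against confirmed cases.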

What has not worked well is any control treated as static, or any check that can be socially engineered in isolation. SMS one-time passcodes stay vulnerable when they are treated as the trust model in their own right rather than one signal inside a wider decision, since once a number is compromised that trust collapses. Knowledge-based authentication fails for the same kind of reason, since an attacker can obtain or manipulate the answers. In both cases the problem is the same: fraudsters move faster than any single control.

The data-sharing stalemate

Banks and telcos have talked about data sharing for years. It gets framed as a strategic or philosophical question, Damian says, when the real obstacle is practical: the bank sees the payment instruction, not the call shaping it, and has no view of whether the customer is being coached over the phone as the money moves. What brought the two sides together was liability. Since October 2024, the UK’s Payment Systems Regulator has required banks and payment firms to reimburse eligible victims of authorised push payment fraud, up to £85,000 a claim, which gave banks a direct financial reason to integrate signals they previously had little incentive to use.

JT’s answer is to package the telecom intelligence as an API a bank can consume directly inside a fraud decision. With Scam Signal, Damian says, collaboration between mobile operators and banks produced a network-level API that is already deployed with a major UK bank. He does not think the answer is a grand identity-federation model. It is something more practical: a standardized API, tied to a specific high-impact use case in authorised push payment fraud, and aligned with where the liability already sits. Once the bank is the one carrying the loss, the business case for a live telco signal becomes much easier to make.

The first signal he would add

If a fraud team could switch on a single telco-layer signal tomorrow morning, Damian does not hesitate: detect whether a payment is being made while a suspicious call is in progress. That goes straight at authorised push payment fraud. UK Finance put APP losses in the UK at £576.4 million in 2025, a 19 percent rise on the year, with banks reimbursing £354.3 million of it to victims, which keeps it among the most damaging categories of fraud banks face.

He points to JT’s own UK deployments for the evidence. Institutions using Scam Signal, the company reports, have seen reductions of around 41 percent in scams in progress and 43 percent in overall fraud losses, alongside a meaningful drop in false positives. For Damian, the figures are not really about detection. They are about intervention, the ability to stop a payment before it completes rather than investigate it after.

Why does it work? In his view, because it matches the way high-value fraud actually happens now. A large share of it involves real-time social engineering over the phone, so spotting that live interaction at the point of payment offers a chance to intervene before identity checks alone would.

He is careful not to overstate the phone’s role. UK Finance attributes about two-thirds of APP fraud cases to scams that begin online and around one in six to telecommunications channels, including scam calls. Damian’s point is that the smaller telecoms share still matters, because those cases skew toward the high-value, real-time scams where stopping a payment mid-call can make the difference.

Clearing the false positives that follow

A wider net catches more good customers too, and that is the problem fraud teams know best: false positives. In card-not-present payments, Damian notes, the ratio of false positives can run at ten to one or worse: ten genuine transactions flagged, and sometimes declined, for every real fraud. Every one of those alerts takes time to clear, which is exactly what keeps teams from focusing on confirmed fraud.

Damian points to automated customer communications as the release valve. MoneyGuard, which a number of ACI customers already use, is his example: when an alert fires, the customer gets an interactive message that asks, in effect, “Do you recognize this transaction?” If they do, it resolves the alert and carries out the actions an operator would have taken, which JT says can automate around 70 percent of false positives.

His caveat is the channel. A message only works if the customer recognizes it and trusts how it arrived, which means trusted, authenticated routes, including authenticated push notifications that users can approve with a fingerprint, and consistent messaging across channels. If the customer does not trust the channel, they will not respond, and the model loses most of its value.

Hear Damian Di Carlo in London

Damian Di Carlo joins Banking Breakout 3, Beyond Reimbursement: scams, AI, and shared liability in a real-time world, at Payments Unleashed EMEA. The event opens with an evening reception on 29 June at 12th Knot, Sea Containers, and continues with a full day of content on 30 June at the Hilton London Bankside, bringing senior payments leaders from across EMEA together for sessions on real-time payments, fraud and scam liability, sovereignty in European payments, and the operating-model changes behind always-on banking.

Fraud has become a live, human event that plays out in the seconds before a payment. The case Damian makes is that the defense has to live in that same moment.


Head of Communications and Corporate Affairs

Pierce Rohrmann is a veteran Chief Communications Officer serving as Head of Corporate Affairs at ACI Worldwide. His work spans payments infrastructure, fraud and financial crime, operational resilience, and crisis and regulatory reporting across global banking and software. His thesis: the best work creates clarity, not noise, and builds trust.