10 free, exam-style Certified Anti-Fraud Specialist (CAFS) practice questions with answers and
explanations. No signup required. Work through them below, then take the
full free CAFS practice test to study every exam domain.
These 10 free CAFS questions are organized by exam domain, so you can see how each part of the Certified Anti-Fraud Specialist blueprint is tested. Reveal the answer and explanation under each question.
Domain 1: BUILDING A FRAUD RISK MANAGEMENT PROGRAM 40% of exam
Question 1
A customer calls the bank in a panic. She explains that she received a phone call from someone identifying himself as a detective from the local police department. He told her that her account had been used in a drug investigation and that she must immediately transfer her savings to a 'government safe account' to protect the funds while the investigation is resolved. She followed the instructions and transferred £22,000 before calling the bank. How should this fraud BEST be classified?
- Third-party account takeover, because the fraudster gained control of the customer's account without her knowledge
- First-party fraud, because the customer authorized and initiated the payment herself
- Authorized push payment fraud via impersonation of an authority figure
- Second-party fraud, because the customer acted as an unwitting intermediary for the fraudster
Show answer & explanation
Correct answer: C - Authorized push payment fraud via impersonation of an authority figure
Question 2
A fraud investigator at a US bank has completed a thorough investigation and has filed a Suspicious Activity Report (SAR) with FinCEN regarding a customer's account. The customer's relationship manager calls the fraud team the following day asking whether any reports have been filed on that account, as the customer is a long-standing high-value client. What is the MOST appropriate response?
- Confirm that a SAR has been filed but instruct the relationship manager that the information is strictly confidential
- Decline to confirm or deny whether any SAR has been filed on that account
- Share the SAR details only with the relationship manager's direct supervisor
- Advise the relationship manager to contact the compliance department for SAR-related disclosures
Show answer & explanation
Correct answer: B - Decline to confirm or deny whether any SAR has been filed on that account
Question 3
A bank's credit card portfolio has experienced a sharp increase in fraud losses. Upon investigation, the fraud team identifies that the losses are concentrated in customers who applied for cards online over the past six months. Analysis of the applications reveals that a cluster of accounts used fabricated combinations of real Social Security numbers belonging to minors and fictitious names, addresses, and employment details. These accounts made small purchases to build a credit history before maxing out their credit lines simultaneously. Which fraud typology BEST describes this scheme?
- Third-party identity theft, because real personal data belonging to other individuals was used without consent
- First-party application fraud, because the applicants provided false information on their own credit applications
- Synthetic identity fraud, because the identities were constructed from both real and fabricated data elements
- Account takeover, because the fraudsters assumed control of accounts that did not originally belong to them
Show answer & explanation
Correct answer: C - Synthetic identity fraud, because the identities were constructed from both real and fabricated data elements
Question 4
Under UK Payment Systems Regulator Policy Statement PS24/7, which came into effect on 7 October 2024, a consumer loses £120,000 in an authorized push payment scam via Faster Payments. The PSP confirms the customer did not act with gross negligence and is not a vulnerable customer. What is the reimbursement outcome under the mandatory framework?
- The sending PSP reimburses the customer £120,000 in full, then seeks a 50% contribution from the receiving PSP
- The customer is reimbursed £85,000, with the cost split equally between the sending and receiving PSPs
- The customer is reimbursed the full £120,000, split equally between the sending and receiving PSPs
- The customer is reimbursed £60,000, representing 50% of the total loss up to the scheme cap
Show answer & explanation
Correct answer: B - The customer is reimbursed £85,000, with the cost split equally between the sending and receiving PSPs
Question 5
A retail bank's internal audit team has completed an independent review of the fraud risk management program and identified three significant control gaps in the transaction monitoring framework. They have issued a formal audit finding and are tracking remediation. Separately, the Fraud Risk Management function has updated the fraud risk policy and is conducting monthly monitoring of fraud loss metrics. Which statement BEST describes the Three Lines of Defense model as it applies to this scenario?
- Both internal audit and the Fraud Risk Management function are operating as the second line of defense, which creates a structural conflict and requires immediate escalation to the board
- Internal audit is the third line providing independent assurance; the Fraud Risk Management function is the second line setting policy and monitoring
- The Fraud Risk Management function is operating as the first line because it owns the fraud controls, while internal audit serves as the second line
- Internal audit should not review fraud controls because the Fraud Risk Management function is already providing oversight as the second line
Show answer & explanation
Correct answer: B - Internal audit is the third line providing independent assurance; the Fraud Risk Management function is the second line setting policy and monitoring
Domain 2: FRAUD DETECTION AND ANALYTICS 30% of exam
Question 6
A fraud analytics team is evaluating two machine learning models for detecting authorized push payment fraud. Model A has a precision of 85% and a recall of 60%. Model B has a precision of 45% and a recall of 92%. The bank processes 500,000 payments per day and has a dedicated team of 12 fraud investigators. Which consideration is MOST critical when choosing between these two models in this operational context?
- Model A's higher precision means investigators will spend less time on false positives, but more genuine fraud will go undetected and result in direct losses
- Model B should always be preferred in fraud detection because recall is the only metric that matters for loss prevention
- Model B is unsuitable because a 45% precision rate means the majority of its alerts are false positives, which a team of 12 cannot sustainably investigate at 500,000 transactions per day
- Model B's higher precision makes it better suited for a small investigation team despite its lower recall
Show answer & explanation
Correct answer: A - Model A's higher precision means investigators will spend less time on false positives, but more genuine fraud will go undetected and result in direct losses
Question 7
At 11:47 PM on a Tuesday, a fraud detection system generates an alert on a personal current account. The account profile shows: the customer is a 34-year-old salaried professional with consistent monthly salary credits and modest recurring payments. Tonight's activity includes: a login from a device not previously seen on the account, a password reset completed via SMS OTP, addition of a new payee registered 4 minutes ago, and a £9,800 payment to that payee. The customer has never previously made a payment above £1,500. Which fraud typology do these behavioral indicators MOST strongly suggest?
- First-party fraud, as the customer may be staging a false fraud claim to recover a payment they authorized and later regretted making
- Account takeover, where a fraudster used credential compromise and SIM-based authentication to gain unauthorized control
- Authorized push payment fraud, because the payment was processed through the customer's authenticated session and was therefore authorized
- Synthetic identity fraud, as the account profile is inconsistent with the transaction being attempted
Show answer & explanation
Correct answer: B - Account takeover, where a fraudster used credential compromise and SIM-based authentication to gain unauthorized control
Question 8
A fraud detection model was built and deployed 18 months ago using 24 months of labeled historical transaction data. At deployment, the model achieved a recall of 88% and a false positive rate of 6%. Today, the same model achieves a recall of 61% and a false positive rate of 5.8%. No changes have been made to the model, the detection thresholds, or the underlying transaction data pipeline. What is the MOST likely explanation for the decline in recall?
- The false positive rate has decreased, which mathematically causes recall to fall in a predictable inverse relationship between the two metrics
- The transaction volume has grown over 18 months, making the model statistically unreliable at higher throughput levels
- Fraud patterns have shifted, causing new fraud behaviors to fall outside the model's learned decision boundary
- The training data contained too many false negatives, which have compounded over time to progressively reduce the model's detection sensitivity
Show answer & explanation
Correct answer: C - Fraud patterns have shifted, causing new fraud behaviors to fall outside the model's learned decision boundary
Domain 3: FRAUD INVESTIGATIONS 30% of exam
Question 9
A fraud investigator at an international bank has confirmed that a customer was the victim of a pig-butchering investment scam. The customer transferred a total of $340,000 in five wire transfers over four months to an account held at a correspondent bank in a different jurisdiction. The final transfer was made six days ago and the funds have not yet been returned. The investigator needs to initiate a recall of the most recent wire transfer through the SWIFT network. Which message type should be used to request the cancellation of a customer credit transfer?
- MT103, with a cancellation instruction appended to the payment details field
- MT192, which is a Request for Cancellation specifically designed for customer transfer recall
- MT202, which is used to recall financial institution transfers between correspondent banks
- camt.053, which is the ISO 20022 message for account statement reconciliation and fund recovery
Show answer & explanation
Correct answer: B - MT192, which is a Request for Cancellation specifically designed for customer transfer recall
Question 10
A fraud investigator is conducting a telephone interview with a 71-year-old customer who lost £38,000 to a romance scam over eight months. The customer is distressed and continues to insist that the relationship was genuine, that the person online was a real individual who truly cared about him, and that the bank is wrong. He becomes increasingly emotional when the investigator attempts to explain the fraud. According to best practices for victim interviews and the PEACE model, which approach should the investigator take at this stage?
- Present the forensic evidence directly and in detail - transaction records, IP addresses, and beneficiary data - so the customer can see the objective proof and accept the reality of the situation
- End the interview immediately and escalate to a vulnerability specialist without attempting further engagement
- Let the customer give his full account, acknowledge his experience with empathy, then clarify inconsistencies once he has been heard
- Defer to the customer's account and reclassify the case as a disputed transaction pending further review
Show answer & explanation
Correct answer: C - Let the customer give his full account, acknowledge his experience with empathy, then clarify inconsistencies once he has been heard