"Profile of a fraudster": a misnomer?

The Association of Certified Fraud Examiners (ACFE) publishes its “Report to the Nations” every two years.

It’s a widely cited study on occupational fraud, and the 2026 edition was released recently. Lots of people use it. The headline numbers are quoted in board papers, vendor pitches, and risk assessments around the world.

It’s a serious body of work; credit to the ACFE for keeping it going for 30 years.

But there is one part we keep coming back to, and not in a good way: the "Profile of a Fraudster". We wrote about it before, when discussing the risk of using sex/gender as a fraud signal. Unfortunately, the 2026 report repeats that pattern. So, it’s worth setting out, plainly, why the profile is a problem.

There are three issues, and they matter to how the profile gets used.

What the profile says

The latest profile describes the typical fraudster as a longer-tenured, college-educated male. It splits the cases out by sex, age, education level, tenure, department, and position.

A couple of the figures: the share of female perpetrators has grown from 25% to 28% across the studies, and the gap in median losses between men and women has narrowed.

None of that is wrong as a description of the data. But there are problems with the potential takeaways; what professionals might do with the profile.

Problem 1: It only covers internal occupational fraud

This study only covers occupational fraud, meaning fraud committed by a person against the organisation they work for. The 2026 report’s title says “occupational fraud”.

But the profile exists as a standalone infographic. The 2020 profile said “…which can help organizations assess fraud risk in their own workforces.” The 2026 profile isn’t that explicit.

It is not "fraudsters". It is people who defrauded their employer.

By design, external fraudsters are not included. Insurance claimants, loan applicants, romance scammers, organised rings. None of them are in here.

Calling it "Profile of a Fraudster" instead of "Profile of a Corporate Fraudster" is not some small oversight: that name suggests that an insurer can use it to justify bias in a claims fraud workflow; something that it was never built to support.

Problem 2: It treats personal characteristics as risk factors

Presenting a fraudster as "male, educated, long-tenured" invites readers to treat those traits as warning signs.

But does sex/gender or education level cause fraud?

One reason that males show up more often, in older data, is that males held more of the roles with access, authority, and the chance to steal. Control for role and seniority, and the gender gap shrinks. Research published in 2024 in the Journal of Forensic Accounting Research, using the ACFE data, found exactly that: the differences are much smaller once other factors (e.g. opportunity) are accounted for.

The report also says “…reinforcing the long-standing relationship between perpetrator demographics and fraud impact…”. This is disappointing; especially since the 2024 journal article pointed in a different direction, and so does the report's own trend: the loss gap has narrowed, not held.

The profile is reporting a correlation between gender and fraud, and alluding to it being a cause. Age and education raise the same concern. They are proxies for the kinds of roles people hold, not independent drivers of dishonesty.

Problem 3: It is a profile of who got caught

This study is built entirely from cases that were investigated, completed, and where the investigator was reasonably sure they had identified the culprit. That is a specific and narrow group. It doesn’t cover all internal fraudsters: everyone who got away with it is missing from the data.

If certain groups were watched or investigated more closely, more of their fraud got found, so the profile partly measures who gets scrutinised, not necessarily who offends.

Why this matters for banks and insurers

For internal fraud, profiling is a problem, that’s clear.

A profile like this is even more dangerous when it is used for a job it was not designed for. Occupational fraud is not the same as claims fraud, credit fraud, and application fraud. The population, the drivers, the risks, are different.

What to do instead

Use the report for what it is good at: scheme types, detection methods, the value of tips and controls, how long frauds run before they are found. That part is useful.

Leave the demographic profile out. Stick to behaviours. Behaviour is something a person chooses. Sex, age, and background are not.

And when a vendor or a colleague quotes "the profile of a fraudster" to you, ask the question: a profile of which fraudsters, found how?

It does not justify a change in fraud models

The ACFE produces the most influential fraud research in the world, which is exactly why the profile deserves more care than it gets. It splits out personal characteristics that are really stand-ins for opportunity.

It calls a narrow group of caught corporate fraudsters "fraudsters" full stop. The reach of the report doesn't match the rigour of this one section.

Treat the profile as interesting information, but not as input to how decision models are built and configured.

Disclaimer: The info in this article is not legal advice. It may not be relevant to your circumstances. It was written for specific contexts within banks and insurers, may not apply to other contexts, and may not be relevant to other types of organisations.