Nate Kharrl
Co-Founder & CEO

#8: Exploiting Password Resets, Bank Scam Warnings Fall Short, Fighting APP Fraud

This week, we’re focusing on how fraud tactics keep evolving, even as anti-fraud strategies try to keep up. From account takeover trends in marketplaces to new partnerships aimed at tackling payment fraud, it’s clear that no sector is immune. Let’s dive into what’s happening and the lessons we can take away.

NATE'S TAKE - Top Three This Week

  1. ATO: Exploiting Password Resets and Onboarding Flows
  2. Bank Scam Warnings Fall Short: Customers Want Smarter Solutions
  3. Mobile and Banking Giants Join Forces to Fight APP Fraud

1. Account Takeover: Exploiting Password Resets and Onboarding Flows


Some of the marketplaces we work with are facing an influx of account takeover (ATO) attempts that slip past traditional defenses. These aren’t just any ATOs—fraudsters are using clean devices, IPs that match expected geographies, and, of course, the correct credentials. So, how do we know they’re fraudsters?

Here’s the play-by-play: Fraudsters start by confirming email access on breached accounts, then check at scale whether those emails are registered on marketplaces. Once they confirm an account, they initiate password resets using clean devices and matching IPs, then complete their takeover. This approach is so polished that it even works on marketplaces using password-free logins, like magic links.

As Killian Yates pointed out on my LinkedIn post on the topic, fraudsters are also finding ways to bypass verification by exploiting the “existing user onboarding” process. Instead of logging in, they enter valid credentials in the signup flow, which triggers a “this account already exists” redirect to login. This technique enables them to manipulate flows designed for legitimate users and move through account setups undetected.

These tactics highlight a critical gap in how fraud prevention strategies address user journey flows. If ATOs are spiking in “good” accounts that later commit fraud, it’s worth a closer look at your onboarding and reset flows. Analyzing patterns across account journeys can often reveal the clues that traditional monitoring misses.
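One way to do the journey analysis this section calls for is to correlate the few events that make up the takeover sequence instead of scoring each one in isolation. The example below is added here and is not Spec's code; the event names, field names, account IDs, device IDs and the sample log are constructed for illustration. It looks back from each successful login for a signup attempt that answered "account exists", a reset or magic-link request minutes earlier, and a device the account has never used, and it treats the magic-link variant the same way as a password reset.

```python
"""Account-journey correlation for the ATO pattern described above.

Added example, not Spec's code. Event names, field names and the sample
log are constructed for illustration; tune the window and weights to
your own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journey log (one dict per event, already parsed).
SAMPLE_EVENTS = [
    # Account a1: signup probe, password reset, login from a new device.
    {"ts": "2024-11-03T09:00:00", "account": "a1", "event": "signup_attempt",
     "outcome": "account_exists", "device": "dev-new-1"},
    {"ts": "2024-11-03T09:00:40", "account": "a1", "event": "password_reset_request",
     "outcome": "sent", "device": "dev-new-1"},
    {"ts": "2024-11-03T09:03:10", "account": "a1", "event": "password_reset_complete",
     "outcome": "ok", "device": "dev-new-1"},
    {"ts": "2024-11-03T09:03:30", "account": "a1", "event": "login",
     "outcome": "success", "device": "dev-new-1"},
    # Account a2: legitimate user who forgot their password on a known device.
    {"ts": "2024-11-03T10:00:00", "account": "a2", "event": "password_reset_request",
     "outcome": "sent", "device": "dev-known-2"},
    {"ts": "2024-11-03T10:02:00", "account": "a2", "event": "password_reset_complete",
     "outcome": "ok", "device": "dev-known-2"},
    {"ts": "2024-11-03T10:02:20", "account": "a2", "event": "login",
     "outcome": "success", "device": "dev-known-2"},
    # Account a3: magic-link variant, no password at all, same probe-then-takeover shape.
    {"ts": "2024-11-03T11:00:00", "account": "a3", "event": "signup_attempt",
     "outcome": "account_exists", "device": "dev-new-3"},
    {"ts": "2024-11-03T11:00:30", "account": "a3", "event": "magic_link_request",
     "outcome": "sent", "device": "dev-new-3"},
    {"ts": "2024-11-03T11:01:45", "account": "a3", "event": "login",
     "outcome": "success", "device": "dev-new-3"},
]

# Devices each account has previously logged in from (constructed).
KNOWN_DEVICES = {"a1": {"dev-known-1"}, "a2": {"dev-known-2"}, "a3": {"dev-known-3"}}

WINDOW = timedelta(minutes=15)
# Both entry paths into an account look the same from the journey's point of view.
ENTRY_EVENTS = {"password_reset_request", "magic_link_request"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def score_journeys(events, known_devices, window=WINDOW):
    """Return {account: (score, [reasons])} for each account's latest successful login.

    Looks back `window` from the login for the sequence the newsletter
    describes: a signup probe answered "account exists", then a reset or
    magic-link request, then a login from a device the account never used.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    results = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, e in enumerate(evs):
            if e["event"] != "login" or e["outcome"] != "success":
                continue
            t_login = _parse(e["ts"])
            prior = [p for p in evs[:i] if t_login - _parse(p["ts"]) <= window]
            score, reasons = 0, []
            if any(p["event"] == "signup_attempt" and p["outcome"] == "account_exists"
                   for p in prior):
                score += 2
                reasons.append("signup flow used to confirm the account exists")
            if any(p["event"] in ENTRY_EVENTS for p in prior):
                score += 1
                reasons.append("reset or magic link requested minutes before login")
            if e["device"] not in known_devices.get(account, set()):
                score += 1
                reasons.append("login from a device never seen on this account")
            results[account] = (score, reasons)
    return results


def flagged_accounts(events=SAMPLE_EVENTS, known_devices=KNOWN_DEVICES, threshold=3):
    """Accounts whose latest login journey scores at or above the threshold."""
    scores = score_journeys(events, known_devices)
    return sorted(a for a, (s, _) in scores.items() if s >= threshold)


if __name__ == "__main__":
    for account, (score, reasons) in score_journeys(SAMPLE_EVENTS, KNOWN_DEVICES).items():
        print(account, score, reasons)
    print("flagged:", flagged_accounts())
```

On the constructed log, a1 and a3 are flagged while a2 (a real user resetting from a familiar device) scores low, which is the point: none of the three signals is alarming on its own, and the clean device and matching IP would pass a per-event check. The signup-flow "account already exists" response is also worth logging as an event in its own right, since it is what turns the signup form into a confirmation step for the attacker.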

RELATED: How To Balance Fraud Detection And Customer Experience: Actionable Strategies For Marketplaces

2. Bank Scam Warnings Fall Short: Customers Want Smarter Solutions


A new study by Tunic Pay and Opinium reveals that the friction-based warnings banks are using to prevent fraud aren’t working. Although 85% of UK adults are aware of their banks’ anti-scam measures—such as identity confirmation requests, fraud risk warnings, and even biometric checks—only 33% of users read these warnings before making a payment. It turns out, even measures designed to slow transactions don’t slow fraud: three-quarters of customers feel that delaying payments doesn’t add security value, and many believe the burden of fraud prevention should not rest solely on them.

This sentiment is particularly relevant given the UK’s new regulatory landscape for APP (Authorized Push Payment) scams. The Payment Systems Regulator (PSR) recently finalized rules mandating that banks reimburse victims of APP scams for up to £85,000 per incident, shifting more responsibility for fraud prevention onto financial institutions. The rules, effective from 2024, are intended to push banks to adopt more effective fraud prevention tactics since consumers will no longer bear the full brunt of these losses. For banks, this shift represents both a challenge and an opportunity to innovate their fraud prevention approaches.

Many users are now calling for banks to replace outdated warnings with real-time, adaptive fraud detection that doesn’t disrupt the customer experience. This shift is an opportunity for both fintechs and traditional banks to focus on advanced, invisible security measures that prioritize prevention over friction. In a world where delaying transactions doesn’t deter fraud, smarter, proactive tools are essential to fill the gap and meet the PSR’s heightened accountability standards.

3. Mobile and Banking Giants Join Forces to Fight APP Fraud


Also in the UK, a new partnership called Scam Signal is uniting major mobile operators with banks to address the rise of Authorized Push Payment (APP) fraud. APP fraud, often initiated through phone calls or SMS, cost victims over £210 million in just the first half of 2024. By analyzing correlations between phone activity and banking transactions, Scam Signal is able to flag suspicious activity before a payment is completed. Early results from Vodafone’s pilot program show a 30% improvement in fraud detection rates at a leading UK bank.

This partnership is a standout example of cross-industry collaboration in fraud prevention. The blend of network data and banking insight allows for a level of real-time fraud detection that neither sector could achieve alone. Fraud fighters can take away a key lesson: cooperation between industries amplifies defenses, providing a broader, data-rich context that improves fraud detection accuracy. As fraud becomes more sophisticated, so too must our alliances, creating partnerships that can adapt and scale to meet new threats.

Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.
