It’s all over the news: GenAI will fuel a rise in scams and fraud. That’s a big claim, so let’s unpack what it means through the lens of one threat vector in particular: phishing.
Modern security leaders know that account takeover (ATO) detection isn’t just about spotting a bad login. ATO attacks are part of a broader scam lifecycle – starting with phishing or impersonation, escalating into credential harvesting, and ending with unauthorized access. To stop ATOs effectively, security teams need visibility into this full progression, not just the login attempt. That’s why a true ATO prevention strategy starts long before a password is entered.
Imagine this: a customer clicks a paid search ad that looks exactly like your brand—same logo, same layout, even your brand tone. They enter their login credentials, maybe their payment details… and they’ve just handed everything over to a scammer. This is domain spoofing in 2025. And it’s scaling faster than most businesses are prepared for.
The battle for digital trust is intensifying. Fraudsters are no longer lone actors; they’re industrialized operations, using AI-driven phishing kits and Phishing-as-a-Service models to exploit businesses and their customers at unprecedented speed. In this environment, traditional fraud defenses are collapsing under the weight of innovation they weren’t designed to face.
Scam losses in the Asia-Pacific region continue to escalate, positioning the area as a global testing ground for phishing innovations. Singapore’s recent implementation of the Shared Responsibility Framework (SRF) serves as a critical alert for enterprises: both regulators and customers are demanding heightened vigilance.
Multi-Factor Authentication (MFA) has long been considered a robust security measure, with Microsoft research showing it can block 99.9% of automated attacks. However, recent data indicates that sophisticated attackers have developed numerous techniques to bypass MFA, such as adversary-in-the-middle phishing proxies that relay one-time codes and steal authenticated session cookies, push-notification fatigue, and SIM swapping, making it insufficient as a standalone defense against Account Takeover (ATO) attacks.
Let’s be honest – the burden of payment fraud has for years fallen squarely on the shoulders of scammed customers, a.k.a. the victims. Reimbursement has largely been tactical: an opt-in gesture of goodwill administered on a case-by-case basis to customers who either make enough noise or hold accounts banks can’t afford to lose. If you’re familiar with the UK’s APP fraud reimbursement mandate, you’ll know that things are changing in a big way.
Compromised accounts cost financial institutions billions annually in unauthorized transactions and account-related fraud. Airlines suffer millions in fraudulent ticket purchases, and retailers face widespread loyalty fraud and resold gift cards. Automated, bot-driven takeovers further amplify the issue, driving costly credential-stuffing attacks that inflate operational costs and burn through budgets. The list goes on, and the problem is only getting worse.
Fraud is built on deception, and third-party fraud is no exception. In this type of fraud, attackers use stolen or synthetic identities to impersonate legitimate customers and gain unauthorized access to accounts, services, or funds. By exploiting the trust between businesses and their customers, fraudsters bypass traditional security measures, making third-party fraud a growing threat in an era of automated attacks and large-scale data breaches.
Fraud has moved from an IT issue to a boardroom topic across industries. The more complex the fraud, the bigger the financial, brand, and customer risk. E-commerce fraud, for example, is projected to grow from $44.3 billion in 2024 (the most recent reported figure) to $107 billion in 2029, a 141% increase. And that’s just one industry. When the stakes are this high, you can’t blindly chase threats.