As online fraud expands, here’s how you can stay ahead
Globally, companies lost an average of 7.7% of their annual revenue to fraud, according to TransUnion’s 2025 Digital Identity Risk Accelerates Fraud Losses report. In the US, companies reported revenue losses of 9.8%, a 46% increase from the previous year.
That’s hundreds of billions of dollars heading into the hands of fraudsters. And those stats don’t account for the loss of trust, hit to brand reputation, and time and resources spent on mitigating and resolving the fraud.
It’s not “just” that the sheer amount of loss is growing. The types of attacks are shifting as fraudsters target more parts of the user journey. Below, we’ll explore why this is happening and who’s attacking, and share some thoughts on how organizations can protect themselves.
There’s a growing and diversifying attacker ecosystem
In part, there’s more fraud because there are simply more fraudsters. Online fraud has been around as long as online commerce, but the spike in attackers we’re seeing now dates back to the coronavirus pandemic. Some people stuck at home and out of work turned to fraud, and many became competent, or even expert, at online deception and theft.
Digital transformation and expansion also played a role. Some support programs during the pandemic had insufficient verification or validation checks, teaching people that outwitting them was possible.
The more people worry about economic uncertainty and the cost of living, the easier they find it to justify shady ways to make money, whether that’s trying their hand at first-party fraud, handing their accounts over to a bad actor (for a fee), acting as a shipping or money mule, or experimenting with third-party fraud.
Some of the policy and behavioral changes became permanent. Returns policies are looser. Promotion stacking and abuse are common. Reporting chargebacks is easier. It’s faster than ever to set up an account to move money around. Malicious actors can even fake their way through a recruitment process to gain a job, salary, and access to a company’s data.
During the pandemic, international human trafficking pivoted towards scam sweatshop operations. Today, there are massive compounds of tricked or trafficked workers forced to participate in phishing, romance scams, investment scams, business email compromise (BEC) campaigns, and more, creating further fraud pressure downstream.
With GenAI in their pocket, every attack is easier
Fraud fighters are also dealing with a reality in which attackers can do more harm regardless of their technical expertise.
Fraudsters who were successful with less technical methods and relied on others to build malware or bots can now expand into more technical attacks on their own. And those with technical expertise can operate at a much larger scale.
In 2025, Persona identified more than 50 unique types of AI-based face spoofs, which is mind-boggling when you remember that it’s only been three years since ChatGPT entered our lives.
Attackers can leverage GenAI to up their game in other ways as well, including:
Making fake websites or seller profiles using generated images and text
Personalizing phishing campaigns or other forms of social engineering with translated text and target-specific images
Creating bots to automate credential stuffing and password spraying
Using AI-powered bots that take different paths through a site after account takeover (ATO), or during guest checkout, to make patterns harder to detect
Gathering information from open source materials to make synthetic profiles or identities
Automating personalized multi-factor authentication (MFA) bombing campaigns so users mistakenly approve access to their accounts
Identity verification helps you automate and scale fraud prevention
The Digital Identity Risk Accelerates Fraud Losses report found that 31% of US business leaders named ATOs as the most prominent cause of fraud losses. They cited synthetic identity fraud as the second-most common cause at 24%.
In other words, over half of US business leaders said the most prominent cause of fraud loss was attackers stealing or creating identities.
By focusing on identity-based defenses, you can keep your organization safe from these damaging types of attacks. However, the new attacker ecosystem and use of GenAI mean you may need to rethink, and perhaps expand, where and when you implement security measures.
The specifics will depend on your industry and organization, but it’s vital to consider the entire user journey and your situation-specific risks.
For example, early in a user’s journey, the touchpoints to consider can include:
Account creation
Adding account details
Age assurance or verification measures
Later in a user’s journey, that might be when users are:
Logging into an account
Changing account details
Initiating a transaction
Adding coupon or promotion codes
Requesting a return or refund
Within a service marketplace, the risk areas include:
Seller and courier onboarding
Fund withdrawal requests
Service and product review submissions
Focusing more on an organization’s internal processes, you also need to think about:
JML (Joiner, Mover, Leaver) access changes
Representatives’ capabilities
Tailoring the verification touchpoints to your organization’s needs is key. So is designing risk-based identity verification flows. You want to have extra protection in place where it’s needed, but also avoid adding unnecessary friction for low-risk users and actions.
Why authentication can’t be left to stand alone
Verifying identity is vital to creating secure systems. Some organizations have responded by focusing on identity authentication, often by implementing MFA. That’s a crucial piece of the puzzle, but it’s never a good idea to make a single type of protection unduly load-bearing.
The three elements of MFA are something you know, something you are, and something you have. Taken together, they form a solid base for reliable authentication.
Unfortunately, the proliferation of data breaches, open source information trawling, deepfakes, and personalized social engineering means all three elements are more vulnerable.
Once a bad actor compromises or creates an identity, they may be able to bypass or trick their way through the MFA request. Then, they can get to work moving money, making a fraudulent purchase, or stealing additional personal information.
How Persona helps stop fraud across user journeys
It’s a challenging time for risk, trust and safety, and fraud teams. The good news is that all the pieces you need to form a confident, coherent picture of a user’s identity are available.
Persona’s verified identity platform collects and analyzes a wealth of passive and active risk signals throughout each user’s journey. You can use the products together for a unified experience, or add individual tools to your stack to fill in gaps.
Sentinel allows you to silently collect risk signals outside of identity verification flows. The frictionless experience can help you set baselines and detect suspicious activity that warrants blocking or escalation.
With the no-code Flow Editor, anyone on the team can build and update user flows. And Dynamic Flow allows you to automatically add or remove friction based on risk signals and your goals.
Graph, Persona’s link analysis tool, gives you access to real-time connections that can uncover fraud rings, account sharing, identity mules, deepfakes, and new fraud trends. You can also use Graph within your verification flows to automatically make decisions based on real-time link analysis results.
With a unified and multi-layered approach, you can be sure that even when online attackers are moving fast, your fraud defenses are one step ahead. Find out why Persona’s platform is a top choice for industry leaders, or connect with an expert from Persona for a personalized demo.