The Front Page of Fintech

The largest fintech community in the world. Subscribe to our newsletter to stay up to date on the latest in news, opinions, and all things financial technology.

This Week in Fraud (2/19)

A TWIF Publication | Week of February 16, 2026

"Ow. my thingy!" Achilles, probably.

Hello Fraud Fighters!

Welcome back to This Week in Fraud, Newsletter #3. This week, a $5 billion fintech was breached because an employee answered the phone. Meanwhile, fraudsters are now using deepfakes in one out of every five identity attacks, Fortune 500 brands are being weaponized as credential phishing infrastructure, and crypto scammers have gone analog by mailing physical letters with holograms to hardware wallet users. Oh joy. 

Let's get started...

Nick


Big Story: The fraud Achilles heel (hint: it’s us)

Figure Technology, a $5 billion blockchain-based lender that tokenizes home equity loans on its own distributed ledger, just learned the hard way that you can have the most secure vault in the world, but that’s pointless if your employees give out the keys. 

On February 13th, Figure confirmed a data breach after an employee fell victim to a voice phishing (vishing) attack. The attacker impersonated IT support, tricked the employee into surrendering their Okta single sign-on credentials, and used a real-time Adversary-in-the-Middle (AiTM) phishing kit to bypass multi-factor authentication entirely. ShinyHunters, one of the most prolific ransomware groups operating today, published roughly 2.5 gigabytes of stolen data after Figure refused to pay the ransom demand.

The damage: nearly one million records exposed, enough PII to fuel identity theft, phishing campaigns, and synthetic identity fraud for years.

The irony is hard to miss: Figure's entire value proposition is immutable, transparent, tamper-proof blockchain security. However, despite weapons-grade protection on their own platform, they fell prey to one of the oldest social engineering tricks in the book. Yes, it's a bit embarrassing.

The MFA problem (Might Fail Alarmingly)

What makes this breach particularly alarming is that it demonstrates that traditional multi-factor authentication is no longer a sufficient defense against professional threat actors. The AiTM kit used by ShinyHunters synchronizes the victim's interaction on a fake login page with the attacker's simultaneous attempt on the legitimate portal. As the victim enters their credentials and approves the MFA prompt, the attacker captures the session token in real time. 

Security researchers have been warning about this for years. Push-based MFA and SMS-based one-time codes are vulnerable to real-time relay attacks, but this breach demonstrates that the industrialization of these techniques is now complete. 
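Why a relayed code still verifies, as an added example that is not from the original newsletter: a one-time code depends only on a shared secret and the clock, so the server accepts it no matter which page the user typed it into, while a response bound to the origin the browser actually visited fails when it was produced on a lookalike page. The origins, keys and HMAC-based binding are constructed stand-ins (real origin-bound authenticators such as WebAuthn use public-key signatures), and origin binding goes beyond what the newsletter itself covers.

```python
import hashlib
import hmac
import struct

# Constructed origins for illustration only.
LEGIT_ORIGIN = "https://sso.example.com"
LOOKALIKE_ORIGIN = "https://sso-example.com"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared secret and time only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify_totp(secret: bytes, code: str, now: int) -> bool:
    # The server cannot tell where the code was typed, only whether it is correct.
    return hmac.compare_digest(totp(secret, now), code)

def client_assert(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Simplified authenticator response: covers the origin the browser visited."""
    msg = challenge + b"|" + origin_seen.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

def server_verify_bound(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    # The server recomputes the response for its own origin and nothing else.
    expected = client_assert(device_key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, assertion)

def compare(now: int = 1_771_200_000) -> dict:
    """Run both factors directly and through a lookalike page (constructed keys)."""
    secret, device_key = b"constructed-totp-seed", b"constructed-device-key"
    challenge = b"nonce-0001"
    code = totp(secret, now)  # the user reads this from their app
    ok = client_assert(device_key, challenge, LEGIT_ORIGIN)
    relayed = client_assert(device_key, challenge, LOOKALIKE_ORIGIN)
    return {
        "totp_direct": server_verify_totp(secret, code, now),
        # Same code forwarded five seconds later, inside the same 30 s window.
        "totp_via_lookalike": server_verify_totp(secret, code, now + 5),
        "bound_direct": server_verify_bound(device_key, challenge, ok),
        "bound_via_lookalike": server_verify_bound(device_key, challenge, relayed),
    }

if __name__ == "__main__":
    for name, accepted in compare().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```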

Figure is now offering free identity theft and credit monitoring to affected customers. Regulators are watching—breach notification laws have been triggered, and there's potential scrutiny from the CFPB and FTC on the horizon. But the real damage is to customer trust. 

The lesson here is not new: technology security is only as strong as its weakest link, and that is all too often the person between the phone and the keyboard.


Quick Hit #1: 2026 identity fraud is more sniper than shotgun

Sumsub published its global identity fraud report this week, and the headline finding is a little counterintuitive: the global identity fraud rate actually fell in 2025. However, sophisticated attacks surged 180% year-over-year. This is the "fewer but better" shift that fraud teams need to understand.

The data comes from an analysis of four million fraud attempts globally. Basic velocity checks and document verification are catching more low-effort attacks. But coordinated, multi-step operations designed to bypass layered verification are exploding (as the Figure story above demonstrates). Other findings… APAC saw a 142% spike in the use of synthetic personal data, and one in four APAC users were targeted for money mule recruitment. Not surprising — the dating and online media industries have the highest fraud rate of any sector analyzed.

Takeaway: if your fraud prevention strategy assumes that more fraud equals a bigger problem, you're measuring the wrong thing. The real threat is quality, not quantity.


Quick Hit #2: Operation DoppelBrand — when your bank's login page isn't your bank

Dark Reading reported this week on Operation DoppelBrand, a campaign by the GS7 cyberthreat group deploying near-perfect imitations of U.S. financial institution login portals. These aren't phishing emails with typos. These are pixel-perfect clones of major bank portals hosted on lookalike domains, designed to steal credentials and establish remote access.

Most brand protection tools focus on domain monitoring—watching for typosquatting and lookalike URLs. But these attacks exploit user trust in visual design, not just domain names. And let's face it, who REALLY checks the URL when they go to their bank's website? Me neither.

TL;DR: if you're a bank or fintech with a consumer-facing login, assume someone is already cloning it.


Quick Hit #3: Faster payments, slower defenses

Javelin Strategy & Research released its Foolproof Payments report this week, and the central thesis is that instant payment rails have outpaced fraud detection infrastructure, and it's eating fraud teams alive.

Jennifer Pitt at Javelin details the problem: "We focus on the fraud that we see, not the potential fraud... It's like a triage patient." The research backs this up, demonstrating that false positive rates on legacy alert systems run as high as 99%, and that fraud teams are drowning in noise and consequently missing real threats. The outcome — institutions are being forced to choose between a rock and a hard place of customer friction on the front end or fraud losses on the back end.  

The reality is simple: real-time payment infrastructure was built for speed while fraud defenses are still running batch processes from the ACH era, and the gap between the hare and the tortoise is where fraud happens.


Quick Hit #4: Deepfakes are now default infrastructure. Of course.

Entrust has released its 2026 Identity Fraud Report and it’s a whopper of a sample — the report is based on more than one billion identity verifications conducted across 195 countries and 30+ industries.

The findings are predictable: deepfakes are the engine powering current fraud. Deepfake selfies increased 58% in 2025, one in five biometric fraud attempts now involves a deepfake, and injection attacks (where fraudsters bypass liveness detection by injecting pre-recorded or manipulated media directly into the verification stream) are growing 40% year-over-year. In the payments and banking sectors, account takeover now accounts for 82% of all fraudulent activity.

The methods vary: photos of screens, printouts, 2D and 3D masks, videos of videos, videos of photos displayed on screens. Fraudsters are testing every bypass vector simultaneously. Interesting finding: the report also notes that cybercrime activity peaks between 2:00am and 4:00am UTC, when global crime groups exploit downtime as regional security teams go offline. Cunning.

If this seems like deja vu all over again, it is — this ties directly back to the Figure breach we started with, with the same industrial-scale approach. Fraudsters are building repeatable infrastructure and running it around the clock.


Quick Hit #5: Digital phishers go analog

Bleeping Computer reported this week that crypto scammers are mailing physical letters to Trezor and Ledger hardware wallet users, demanding an "Authentication Check" and including a QR code that leads to a seed phrase phishing site.

If only they were this obvious...

The letters include holograms and appear to be signed by company CEOs, making the presentation just convincing enough to work. The attackers are betting that a physical letter with official-looking branding will bypass the digital defenses that users have learned to recognize, and enough of the time it does to justify the ROI of direct mail costs.

The lesson here is timeless: fraudsters go where the defenses aren't. Everyone's watching for phishing emails and fake websites, but nobody expects a letter in the mailbox with a hologram. 

A hologram!


This Week in Fraud is a publication for fintech operators, fraud teams, and risk professionals. Have a tip or story? Reply to this email.