Industry
Published May 15, 2025
Last updated May 23, 2025

When fraud strikes: the 3 most vulnerable moments in the fintech customer life cycle

Figuring out when and why bad actors strike is important for designing fraud prevention systems that don’t unnecessarily hinder growth.
Louis DeNicola
Louis DeNicola
8 min
Key takeaways
Fintechs are attractive targets for bad actors due to their inherent connection to the financial system. Additionally, their intense focus on growth — often accompanied by promotional offers and urgency to onboard new users — can create opportunities that are easy to exploit.
Focus on securing your onboarding and account recovery user flows, as bad actors often try to abuse weaknesses in those processes. Adding security before high-risk transactions is also a good idea. 
It’s important to strike a balance between strict fraud controls and growth goals. Look for fraud solutions that can use diverse risk signals to dynamically adjust user identification flows, minimize friction for good users, and stop mundane and novel fraud attacks alike.

Fintechs change how people and organizations interact with the financial world — and fraudsters are paying close attention. If you downplay or ignore the risk these bad actors pose, you could find yourself scaling fraud with your user base. 

Many successful organizations balance growth and fraud prevention by dynamically adding or removing friction based on risk signals. They maintain their balance by regularly reviewing their processes and the rules that send accounts or transactions to the fraud team’s queue. 

You’ll need to assess when your business is most at risk if you want to follow suit. Three key moments for many fintechs are account openings, account recoveries, and before specific transactions.

1. At account openings

Many fintechs need to perform Know Your Customer (KYC) and anti-money laundering (AML) checks for compliance purposes. But viewing these as mere items to cross off your to-do list is a mistake. The identity verification (IDV) process presents a real opportunity to stop bad actors before they create an account.

Focusing on fraud prevention at account opening can help you: 

  • Stop losses: Limit referral and promo abuse during sign-ups. 

  • Save resources: Devote less time to manually reviewing alerts.

  • Secure your platform: Uncover sleeper accounts that bad actors can activate to steal or launder money. 

“Identity verification plays a critical role in the KYC process and compliance,” says Amanda Hodgetts-Martin, director of risk management at Branch. “But it also allows us to prevent fraud and provide accurate, safe onboarding.” The fintech company automates around 98% of its identity verification process with Persona and uses Persona to detect and prevent fraud throughout the customer life cycle. 

Tensions can occasionally arise between product, growth, operations, and fraud teams, as adding identity and fraud checks can increase friction. However, you can strike a balance with the right tools. 

Creating a branded onboarding flow that guides users through the experience and explains how it helps keep them safe can increase conversion rates. You can also add or remove checks based on your comfort level and how much risk a user or transaction poses. 

Dig deeper
Read the strategic guide to balancing risk and conversion
Get the ebook

For instance, the checks you run when someone opens a deposit account could differ from the ones you run when someone applies for a credit card. Similarly, risk (and therefore your checks) can vary when onboarding an individual versus a small business.     

Read more: Fraud vector glossary: the 10 most common fraud vectors

2. During account recoveries 

Dealing with fraud after an account takeover (ATO) is challenging because it can look like a legitimate customer wants to transfer funds, update account information, request a replacement card, or apply for credit. 

One approach to mitigating ATO fraud is to require an authentication or identity verification check when you notice inconsistencies, for instance, when a user logs in from an unfamiliar device or location before trying to reset the account’s password. 

Some fintechs do this by sending one-time passwords (OTP) via email or text to confirm the user can access the associated email account or phone number. However, bad actors can bypass OTP requests using OTP bots, social engineering, and SIM swaps or porting. 

A more effective approach is to gather and analyze multiple data points for signs of risk.

For example, a phone risk report and SIM swap signals help you assess how much assurance an SMS-based OTP authentication offers. You can also compare device and behavioral signals before and after the account recovery to look for suspicious inconsistencies. 

No solution is foolproof, particularly when bad actors can use malware to steal and emulate legitimate users. But combining multiple methods can help you catch fraudsters and determine when to reverify or authenticate the user. 

3. Before high-risk transactions

The other moments you want to focus on depend on your organization’s services, products, risk profile, risk appetite, and customer base. However, a few common high-risk transactions for fintechs include: 

  • Loans: Your funds may be at risk when someone wants to take out a loan, open a credit card, overdraft an account, run payroll, or borrow money in some other capacity. Bad actors may target fintechs that loosen underwriting requirements or offer incentives to fuel growth. 

  • Large transfers or payments: Bad actors may attempt large transfers or payments after opening or taking over an account. Authorized push payment fraud, when people get tricked into sending money to a fraudster or scammer, is also on the rise. An ACI Worldwide report estimates fraud losses in the US will exceed $3 billion by 2028. 

  • Deposits: Accepting checks and transfers can be risky because a user may be depositing a bad check or accepting a transfer that will be reversed. As the “check glitch” demonstrated, people could deposit checks and withdraw funds before financial institutions realized the check would bounce. 

Conduct a risk assessment (you can look into building on your AML risk assessment) to identify when, why, and how bad actors will target you and what levers you can pull to limit fraud risk and keep a fraud attack from scaling. Then, create and test rules based on your acceptable losses and low-, medium-, and high-risk scenarios. 

For example, financial institutions often place a hold on deposits into new accounts and on portions of large deposits. But depending on the risk indicators, there may be other situations where applying an exception hold is appropriate, as long as it aligns with regulatory requirements for funds availability.

Read more: The step-by-step guide to switching identity verification solutions

A multi-layered solution helps you fight fraud at every stage

While account openings, recoveries, and transactions are high-risk moments for many fintechs, your specific vulnerabilities will depend on the unique nature of your business. Your risk points will also evolve as you release new products or services, run promotions, update user flows, and adjust your fraud defense. 

A flexible and multi-layered solution can help you deter fraud attempts, detect bad actors, and mitigate the risk of fraudulent activity. Ideally, the solution: 

  • Takes an identity-first approach: It should excel at verifying users’ identities during onboarding and reverification. Since fintechs generally require identity verification for KYC anyway, this can be a good opportunity to shut down bad actors early. 

  • Incorporates diverse data points: The solution should draw on various passive, behavioral, and active risk signals to spot bad actors regardless of the specific fraud methods (e.g., deepfakes or credential stuffing) and fraud vectors (e.g., account creations or takeovers).

  • Adjusts based on risk signals: It should enable dynamic identity flows that adapt based on the risk a user or transaction poses. This allows you to minimize friction for low-risk users while pausing or slowing down potential bad actors. 

  • Minimizes false positives: The solution should let you set precise rules and adjust thresholds to improve performance without relying on manual reviews. In fraud prevention, a false positive is when you incorrectly block legitimate users or flag good transactions as fraudulent. In identity verification, a false positive is when a bad actor successfully passes an IDV check. 

  • Uncovers bad actors: It should recognize that no system (including itself) is perfect and offer tools for uncovering and highlighting connections between fraudulent activity or accounts to help you detect fraud that may otherwise go unnoticed.

In general, having more information can help you detect bad actors, segment users, automate decisions, and protect yourself from evolving fraud threats. However, you need to be able to analyze the information and turn data points into actionable insights. 

How Persona helps fintechs stop fraudsters

Fraudsters continually adapt and test. It’s why financial institutions have to worry about the latest genAI deepfakes one day and physical checks the next. Persona’s customizable identity platform offers building blocks that allow you to stay ahead and adapt just as quickly. 

You can choose from different verification methods for collecting and verifying information about individuals and businesses. For example, you can use government ID, selfie, and database checks during KYC and Know Your Business (KYB) processes. 

As users complete these checks, Persona automatically uses multiple risk signals to detect bad actors. You can also enrich data with reports and watchlists and incorporate signals from trusted third-party sources via the Marketplace.

“When you think about how Persona verifies government IDs and selfies, it gives you peace of mind,” says Todd Sorrel, co-founder and CEO of payment platform 6lock. “It’s not only the different checks that the solution performs, but the contextual data you’re using to analyze and understand the images against. When you combine them all together, it starts to paint a picture of the individual that provides a higher level of due diligence.”

Our no-code editor and Dynamic Flow allow you to create and customize risk-based paths for users. You can also require users to reverify their identity before permitting high-risk actions and configure the entire process to align with your goals. 

When a request or transaction requires a manual review, Cases consolidates information from disparate sources to give investigators a single dashboard where they can quickly work through their queue. 

You can also use Persona’s link analysis tool, Graph, to find connections between accounts and transactions. Tying newly identified bad actors to existing sleeper accounts can help you prevent bust-out fraud and stop fraud rings. You could even use the information you gather as a risk signal to create a feedback loop that strengthens your fraud prevention capabilities. 

Fintechs like Empower, Branch, Brex, and Square use Persona to automate KYC/KYB checks, scale fraud-fighting strategies, and manage fraud throughout customer life cycles. Find out why Persona is a top choice for fintechs, or connect with an expert from Persona today.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Louis DeNicola
Louis DeNicola
Louis DeNicola is a content marketing manager at Persona who focuses on fraud and identity. You can often find him at the climbing gym, in the kitchen (cooking or snacking), or relaxing with his wife and cat in West Oakland.