  • Your MFA Is Only As Strong As Your Weakest Inbox

    Multi-factor authentication was supposed to be the answer to the password problem. But when the second factor routes through the same compromised email address, you haven't added security, you've just added steps.

    85% of breached orgs had bot detection. 62% were successfully breached anyway. $5M average cost per ATO breach.

    Every security team in America will tell you the same thing: enable MFA. It’s become the first commandment of enterprise cyber hygiene, the baseline recommendation in every compliance framework, the checkbox that signals an organization takes security seriously. The problem is that most MFA implementations are built on a foundation that attackers cracked open years ago: the email inbox.

    Here’s what those MFA dashboards don’t show you. When 64% of online services route password recovery exclusively through email, and when the average user’s inbox is connected to 60 to 70 percent of their online accounts, adding a second factor to the login screen while leaving the email channel unguarded is roughly equivalent to installing a deadbolt and leaving the window open. The lock is real. The protection is theater.

    The Skeleton Key Problem

    To understand why this matters, trace the mechanics of a modern account takeover. An attacker doesn’t need to beat your MFA. They need to beat your email provider, and given that 26 billion credential stuffing attempts hit financial and commercial platforms every single month, the odds that a target’s inbox credentials exist somewhere in a criminal database are not theoretical. They are near-certain for anyone who has been online for more than a decade.

    Once an attacker controls the inbox, MFA doesn’t protect the accounts linked to it. It protects those accounts right up until the attacker clicks “Forgot password.” From that moment, every MFA enrollment, every “verify your new device,” every “confirm this transaction,” every “approve this login from a new location,” flows through the compromised channel. The attacker isn’t bypassing MFA. They’re using it, as designed, to lock the legitimate owner out.

    ANATOMY OF AN EMAIL-PIVOT ATTACK

    Attacker acquires email-password combo from a breach database — a retail site, a gaming platform, a loyalty program. Cost: under $10. Inbox access confirmed. Incoming emails reveal the victim’s bank, brokerage, insurance carrier, and employer portal. “Forgot Password” at each institution. Reset links arrive. New passwords set. MFA enrollment flows to the attacker's device via email confirmation. Fraud alerts from the institutions? Intercepted. Deleted. The legitimate owner sees nothing. By the time the account holder notices: $47,000 gone. Twelve accounts compromised. Eight services sent alerts that never reached a human.

    This is not a hypothetical scenario. Security researchers documented exactly this cascade unfolding over eight weeks in a single victim’s account ecosystem. Every institution involved did everything correctly. They sent alerts. They required email verification. They honored the protocol. The protocol was the vulnerability.

    When the Second Factor Isn’t Really Second

    The deeper problem is structural. MFA’s security value depends entirely on the independence of its factors. Something you know plus something you have: that combination is strong precisely because compromising one doesn’t compromise the other. But when the “something you have” is an email code that arrives in the same inbox as your password reset links, you no longer have two independent factors. You have one factor, email control, expressed twice.

    “Hardening the lock doesn’t help when the key is already in criminal hands, and for most email-routed MFA, the key and the lock live in the same place.”

    The 2024 numbers put a hard edge on the abstraction: 85% of organizations targeted by account takeover attacks had bot detection in place. Sixty-two percent were still successfully breached. SIM swap fraud, the other major MFA bypass, jumped 1,055% in the same year, gutting the premise of SMS-based authentication. MFA fatigue attacks, in which users are bombarded with push notifications until they approve one in frustration, are now documented at enterprise scale. The authentication layer got harder. The identity layer underneath it did not.

    The 250-Day Blind Spot

    There’s a temporal dimension to this failure that gets less attention than it deserves. The average time to detect a credential-based breach is 250 days. That is 250 days in which an organization is extending trust, including MFA-protected trust, to an email address it has no idea is compromised. The address was valid at onboarding. It may have appeared in a breach database the following week. The organization has been sending it password reset links, transaction approvals, and MFA codes ever since.

    At least 23% of email addresses degrade annually: abandoned, reassigned, or compromised. In B2B contexts, 70% of job-related email addresses change within 12 months. An enterprise that validated its users’ email addresses at account creation and never revisited them is, statistically, operating with a substantial share of its identity signals quietly pointing at the wrong people. MFA on top of those addresses doesn’t close the gap. It doesn’t even see it.

    The Fix Isn’t More Friction

    The organizations winning this fight aren’t the ones that added more authentication steps. They’re the ones that stopped treating the email address itself as a static, permanently trustworthy artifact and started evaluating it as a dynamic risk signal: at account creation, at password reset, at every high-value transaction, and everywhere in between. An email address that was clean at onboarding and appeared in a criminal database last Tuesday is not the same identity signal. A continuous intelligence approach can see that. A one-time check at account creation cannot.

    The business case isn’t complicated. Preventing fraudulent access at the moment of a suspicious password reset costs milliseconds of API latency. Remediating a successful account takeover costs an average of $5 million per incident. For organizations running 12 successful ATO incidents annually, a figure that reflects current breach rates, that is $60 million in annual exposure before accounting for customer churn, litigation, and the 80% of consumers who say they will permanently abandon a service after an account takeover.

    MFA is not the problem. Routing MFA through an unmonitored, statically trusted email channel is. The security industry spent a decade telling organizations to add the second factor. It’s time to start asking what that second factor is actually built on.

    The full picture, the mechanics of how email became the digital economy's most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like, is documented in “The Lying Gatekeeper”, a new special report from myNetWatchman.

  • Your Email Address Is Not Your Identity. You Just Think It Is.

    The $15.6 billion mistake hiding in plain sight, and why fixing it starts with questioning the premise.

    Every morning, hundreds of millions of people prove who they are to their bank, their employer, their insurance company, their investment platform. They do it with the same mechanism they've used for decades: an email address and a password. The system sends a link. The link arrives. The system says: identity confirmed. Access granted.

    It sounds reasonable. It is, in fact, one of the most expensive security mistakes the digital economy has ever made, and it is still being made, at scale, right now.

    "Email proves reachability. It was never designed to prove identity. Modern systems confused the two — and criminals have been exploiting that confusion ever since."

    Email was invented in 1971. It was a messaging protocol, designed to move text between computers. It was not designed to verify identity, authenticate users, secure financial transactions, or serve as the gatekeeping mechanism for the most sensitive data in the modern world. And yet, somewhere between the convenience of the consumer internet and the pressure to grow fast, that is exactly what it became.

    The logic made sense at the time. Email was universal, free to deploy, and frictionless. Unlike traditional usernames, email addresses couldn't be duplicated. So, they became the default identifier across virtually all online services — banking, healthcare, e-commerce, government portals, streaming, social media. Today, the average person has accounts with 80 to 100 online services and uses the same email address for 60 to 70 percent of them. That concentration is not just a design choice. It is an attack surface of historic proportions.

    $15.6B lost to account takeover fraud in the U.S. in 2024 alone — a 23% increase year-over-year.

    The problem runs deeper than stolen passwords. It runs deeper than phishing. The real vulnerability is structural: businesses adopted email as an identity layer once, at product launch, under growth pressure, and then almost never revisited that decision. The security debt accumulated silently. Email addresses in user databases aged. Some got abandoned. Some got compromised. Some were reassigned to entirely different people. The service had no idea. It kept sending password reset links and transaction approvals to addresses it had validated, in some cases, years ago.

    Here is what a single email verification at account creation actually tells you: that this address existed and was accessible on one specific day. It tells you nothing about whether it is compromised right now. Nothing about whether it belongs to a fraud network. Nothing about whether it is a disposable address engineered to age into appearing legitimate. Nothing about whether anything has changed in the months or years since the account was opened.

    "A one-time email check is a snapshot. Fraud is a motion picture. Treating a snapshot as permanent proof of identity is not a security posture. It is a liability."

    The numbers confirm it. Account takeover attacks surged 250% year-over-year, with 99% of monitored organizations targeted and 62% successfully breached. Credential stuffing — the automated recycling of stolen email-password pairs across banking portals and e-commerce platforms — recorded 26 billion attempts per month. Phishing attacks exploiting email-based authentication surged 4,151% following the widespread adoption of AI generation tools. And sitting at the center of nearly every incident in that landscape: an email address that someone, somewhere, assumed was still good.

    250 days: average time to detect a credential-based breach. That is 250 days of password resets, transactions, and sensitive access flowing through a channel that may belong to someone else.

    Multi-factor authentication was supposed to fix this. And it helps — but it doesn't solve the underlying problem. Most MFA implementations route their authentication flows through the same email addresses. SIM swap fraud jumped 1,055% in 2024, undermining SMS-based MFA. MFA fatigue attacks are documented at enterprise scale. In 2024, 85% of organizations targeted by account takeover attacks had bot detection in place. Sixty-two percent were still successfully breached. The authentication events were hardened. The email address underneath them was not.

    There is a second dimension that rarely gets discussed: addresses that were never legitimate at all. The disposable email industry — services that let users create unlimited temporary inboxes in seconds, receive a verification email, and discard the address — reached $1.36 billion in market size in 2024. In high-risk sectors like e-commerce promotions and gaming, fake signups using synthetic or disposable addresses can outnumber legitimate registrations by as much as 120 to 1. These addresses pass every standard validation check. The only way to identify them is through continuously updated behavioral intelligence, the kind a one-time check at account creation will never surface.

    The case studies are not theoretical. In 2024, over 500,000 Roku accounts were compromised through credential stuffing. Norton, a company that sells security software, had to notify customers that attackers had successfully accessed their Password Manager vaults through the same email-password combination that protects every other account. Business Email Compromise resulted in $2.77 billion in reported losses to the FBI in 2024, with the actual figure likely exceeding $5 billion when unreported incidents are included. These are not edge cases. They are the predictable, documented outcome of treating a communication channel as an identity system.

    The solution is not to abandon email. Email will remain the internet's primary communication identifier for the foreseeable future. The solution is to stop treating a one-time email validation as a durable identity claim. Every high-stakes action (password reset, payment method change, large transaction, new device login) represents a new moment of trust extension that deserves a fresh evaluation of whether that trust is still warranted. The organizations ahead of this threat are not the ones who added more friction on top of email authentication. They are the ones who started questioning the premise underneath it.

    The full picture, the mechanics of how email became the digital economy's most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like, is documented in “The Lying Gatekeeper”, a new special report from myNetWatchman.

  • New Special Report: The Lying Gatekeeper

    Despite not being designed for identity verification, email's convenience made it a common business identifier. Criminals target this pervasive use as a primary entry point for their activities. Read the newly published report, The Lying Gatekeeper, to explore these topics:

    A Convenient Lie: How email, a messaging protocol built in 1971, became the de facto identity layer for the digital economy, and why that decision was never as safe as it seemed.
    The Four Jobs Email Was Never Supposed to Have: The four critical identity functions that email has been pressed into serving: universal username, account recovery, action approval channel, and persistent proof of identity over time.
    Trust That Expires the Moment It's Granted: Why email-based identity verification is a point-in-time check on a dynamic threat landscape, and how attackers exploit the gap between account creation and today.
    The Cost of Static Trust: The measurable financial consequences of treating an email address as a permanent identity signal, including a $5M average cost per account takeover breach.
    The Numbers Behind the Comfortable Myth: A data-driven look at the scale of account takeover fraud, credential stuffing, phishing, and synthetic email abuse, and how email sits at the center of each threat.
    The Credential Reuse Epidemic: How password reuse across services turns a single breach into cascading exposure, feeding email-based credential stuffing attacks at industrial scale.
    The Password Reset: Email's Most Dangerous Feature: Why email-based password recovery, used by 64% of services as the sole option, functions as a skeleton key for attackers who control a victim's inbox.
    Why Businesses Keep Using It Anyway: The economic and inertial forces that keep organizations dependent on email as an identity signal, even as the evidence of its failure accumulates.
    The MFA Paradox: Why multi-factor authentication hasn't solved the underlying problem when most MFA flows are themselves rooted in the same compromised email addresses.
    The Disposable Address Problem: Email You Can't Trust From the Start: How the $1.36B disposable email industry enables account fraud from the moment of registration, and why standard validation tools can't detect it.
    The Abandoned Account: A Skeleton Key That Never Expires: How dormant accounts accumulate in every user database, linked to email addresses that have changed hands, and how criminals exploit that invisible drift.
    The Case Studies That Should Have Changed Everything: Documented, publicly reported failures, from Roku to Norton to Business Email Compromise, that illustrate the predictable cost of trusting email as identity.
    From Static Trust to Continuous Intelligence: What a better approach looks like: shifting from one-time email validation to continuous risk assessment at every high-stakes moment in the account lifecycle.
    Closing the Weakest Link: How organizations should rethink email risk, and how myNetWatchman Email Reputation was built to solve account takeover fraud and fake account creation at scale.

  • The Digital Identity Paradox: Why Your Email Is the Weakest Link in the Trust Chain

    Executive Brief

    Email was never built to be your digital passport. Created as a simple, open-network protocol for exchanging messages between trusted parties, it lacked the foundational architecture for authentication, financial security, or identity verification. Yet, today, email has quietly become the "de facto" primary identifier for billions of users. From resetting bank passwords to approving high-value transactions, the email address is the gatekeeper of the digital economy. This reliance has created a security paradox: we treat email as a permanent, trusted anchor of identity, even though it is one of the most easily compromised assets in a criminal's toolkit.

    The Reality of Email as Identity

    In 2026, the dominance of email as a unique identifier is undeniable. It is the near-universal standard for account creation, providing a reliable and memorable way for businesses to track user activity across devices.

    Financial Preference: Approximately 77% to 80% of consumers prefer managing their finances digitally (American Bankers Association). For these users, the email address is the primary bridge to their personal wealth.
    The Persistence Problem: Unlike a physical ID, people often keep personal email addresses for 10–15+ years. This longevity makes an email address a "sleeper" asset; if compromised, it provides a decade’s worth of historical communication, contact lists, and behavioral patterns for an attacker to exploit.
    A Growing User Base: There are currently over 5 billion email users globally, with daily traffic expected to exceed 422 billion messages this year (Radicati Group).

    The Evolution of the Threat: Why Assumed Trust is Failing

    The assumption that an email address represents a legitimate, unique, and long-term user is increasingly dangerous. Modern fraud has evolved into a highly automated, AI-driven economy where email is the "renewable resource" for criminals.

    1. The Multi-Billion Dollar Impact of BEC. Business Email Compromise (BEC) remains one of the most financially damaging cyber threats. According to recent FBI IC3 data, BEC losses have exceeded $8.5 billion over the last three years, with a single wire transfer request averaging nearly $25,000 at the start of 2025.
    2. AI-Powered Synthetic Identity. Generative AI has radically lowered the cost of fraud. Criminals can now create "synthetic" email accounts at scale that appear legitimate, age naturally, and evade basic validation checks. By mid-2024, an estimated 40% of BEC phishing emails were already identified as AI-generated.
    3. The Hidden Breach. In many Account Takeover (ATO) incidents, the breach doesn't happen at the target organization; it happens at the email provider. Once a criminal has inbox access, they can intercept MFA codes and password reset links, study communication patterns to time attacks perfectly, and delete alerts from banks or services to remain "silent" for weeks or months.

    The Solution: Shifting from Static to Dynamic Trust

    Traditional security controls (MFA, device intelligence) often share a fatal flaw: they assume the email address itself is trustworthy. In reality, trust must be continuously re-earned. Email Reputation from myNetWatchman moves beyond simply checking if an email "works." It evaluates the integrity of the identity behind the address in real-time.

    Feature and business & fraud impact:
    Real-Time Intelligence: Identifies compromises that happen after account creation.
    Early Detection: Prevents fraudulent sign-ups at the least costly stage: onboarding.
    Alias & Proxy Detection: Stops "policy-jumpers" from creating multiple accounts to abuse promotions or bypass bans.
    Friction Calibration: Creates a "fast lane" for high-reputation users while adding verification layers for high-risk addresses.

    Conclusion: Closing the Identity Gap

    Email was never meant to secure the digital economy, but it has become the foundation upon which it rests. As long as businesses treat email trust as a one-time decision, criminals will maintain an asymmetric advantage. myNetWatchman closes this gap by treating email as a dynamic risk signal rather than a static identifier. By leveraging deep expertise and real-world intelligence, we help organizations stop responding to fraud and start preventing it. Smarter trust starts with knowing who is truly behind the inbox.

  • The Digital Identity Paradox: Why Email Verification is the New Security Frontier

    In the modern digital economy, the email address has transcended its original purpose as a communication tool. It has become the near-universal unique identifier—the primary digital ID for billions of users. From financial services to SaaS products, the email address is the default gatekeeper for account creation, password resets, and high-value transactions. However, this reliance has created a dangerous security paradox: while email is treated as a permanent, trusted anchor of identity, it was never designed to be one. To secure the digital ecosystem, companies must shift from assumed trust to continuous risk assessment.

    The Evolution of Email: From Communication to Identity

    Email was originally designed to allow two entities to exchange messages. It was never intended to be an official, "government-issued" identity or a lifelong credential. Despite this:

    Unique by Necessity: Because emails must be unique to route messages, they became the path of least resistance for identifying users.
    The "One Email, One Account" Rule: Companies enforce this to manage data aggregation across devices (phones, tablets, web) and to link behavioral or financial data.
    Financial Preference: According to the American Bankers Association, nearly 80% of consumers prefer managing finances digitally. For these users, the email address is the primary link to their wealth and personal information.

    The Reality of Email Risk

    The assumption that an email address represents a legitimate, unique, and long-term user is increasingly flawed. Emails are highly dynamic and often compromised:

    The Persistence Gap: While some personal emails last decades, others are disposable, synthetic, or proxies used to evade transparency.
    The Threat Landscape: In 2025 alone, a single "infostealer" attack compromised 183 million accounts. Roughly 29% of U.S. adults have experienced a hacked personal account.
    The Compromise Vector: In many Account Takeover (ATO) incidents, the breach doesn't happen at the bank or the retailer; it happens at the email provider. Once a criminal has inbox access, they can intercept MFA codes, reset passwords, and study communication patterns to time their attacks perfectly.

    Why Traditional Controls Fall Short

    Most organizations attempt to mitigate risk by adding layers like device intelligence or behavioral analytics. While valuable, these controls often share a fatal flaw: they assume the email address itself is trustworthy. Trust is rarely re-evaluated after the initial onboarding. A legitimate email address at signup can become a compromised tool for fraud six months later, occurring entirely outside the organization’s visibility. In an effective fraud program, trust must be continuously re-earned, not permanently granted.

    The Solution: myNetWatchman Email Reputation

    The solution is not to abandon email, but to stop treating it as a static identifier. Email Reputation from myNetWatchman evaluates email risk in real-time, allowing companies to "tailor" the user experience based on the integrity of the address.

    Key functions of Email Reputation:
    Detection: Identify fake, synthetic, or compromised addresses before they enter your ecosystem.
    Friction Calibration: Apply higher friction (additional verification) for high-risk emails and a "fast lane" for high-reputation, long-tenured accounts.
    Continuous Verification: Authenticate the email at critical junctions: account creation, password resets, PII changes, and high-value transactions.

    Feature and impact on business:
    Early Detection: Prevents fraud at the least costly stage: onboarding.
    Real-Time Intelligence: Identifies compromises that happen after account creation.
    Alias Detection: Prevents "policy-jumping" where users create multiple accounts.

    Conclusion: Closing the Gap

    Email has become the gatekeeper of the digital economy, yet it remains one of the most persistent gaps in security. As long as unauthenticated or high-risk emails are accepted as legitimate identity signals, criminals will maintain the upper hand. Smarter trust starts with email risk assessment. By treating email as a dynamic risk signal, myNetWatchman provides the intelligence necessary to prevent fraud rather than simply responding to it. It is time to move beyond verifying that an email "works" and start verifying who is actually behind it.

  • Holiday Fraud Is Just the Beginning: How Criminals Use Peak Season to Build Sleeper Accounts for Year-Round Abuse

    Yes, criminal activity spikes during peak shopping season. But the most damaging fraud often doesn’t happen in November or December. It happens months later, after the holidays have passed and attention has shifted, using accounts that were created, compromised, or harvested during peak volume. Fraudsters don’t treat the holidays as a sprint, they treat them as account setup season.

    Fraudsters use the holidays to set up sleeper accounts and synthetic identities, and to harvest real customer accounts, then monetize them throughout the year. By the time most companies detect the fraud, those accounts have already matured, gained trust, and done real damage.

    How active are criminals during the holidays?

    In the 62 days of November and December, myNetWatchman observed the following from live data sources:

    5.7B unique credentials (username and password)
    45.8M compromised credentials
    16M compromised email accounts
    3.7M payment/gift cards being tested
    Millions of new accounts created using compromised or synthetic data

    Holidays are ideal for sleeper and synthetic account creation

    The holiday season creates perfect cover for identity-based fraud because everything looks noisy:

    New account registrations surge to access discounts, shipping perks, and rewards
    Logins occur from unfamiliar locations and devices due to travel and gifting
    Customer service is overwhelmed with legitimate requests
    Promotional pressure reduces friction across onboarding and checkout

    In that environment, fraudulent behavior blends in. This matters because new account fraud is no longer a marginal issue. Losses tied to new account fraud now reach billions of dollars annually, driven largely by synthetic identities: fabricated profiles built using a mix of real and fake data. These accounts are designed to appear legitimate long enough to pass early controls, then “activate” later through fraud, abuse, or bust-out behavior. Fraudsters know that account age equals trust. The holidays give them the scale and cover to create thousands of accounts that can quietly age into high-value assets.

    The second holiday opportunity: harvesting real customer accounts

    Alongside new account creation, the holidays are also prime time for account harvesting. Shipping notifications, delivery issues, gift card emails, and promotion alerts create ideal phishing and credential-stuffing conditions. In many cases, the goal isn’t immediate fraud. Instead, criminals test credentials, confirm access, and store that account for later use. These “harvested” accounts may sit dormant for weeks or months before being used, often during:

    Major sales events
    Product launches
    Moments when the account has accumulated value or loyalty rewards

    From a business’s perspective, the fraud appears suddenly. In reality, the compromise happened long before.

    How sleeper and harvested accounts get monetized

    Once activated, these accounts rarely serve just one purpose. They are reused across multiple fraud and abuse vectors:

    Fraudulent transactions and chargebacks using trusted accounts and saved payment methods
    Return and refund abuse, especially post-holiday when return volumes are already high
    Loyalty and rewards theft, draining stored value that often receives less scrutiny than payments
    Marketplace abuse, including fake buyers, seller reputation farming, or eventual bust-outs

    The common thread is identity trust. These accounts succeed because they don’t look new, risky, or suspicious, until it’s too late.

    Most organizations don’t see sleeper accounts until damage occurs

    Fraud programs are optimized to detect loud events: chargeback spikes, refund abuse waves, bot attacks. Sleeper accounts are different. They:

    Behave normally during early life stages
    Spread activity across time and channels
    Exploit organizational silos between identity, payments, loyalty, and marketplace teams
    Trigger controls only after trust has already been established

    By the time action is taken, the account has often already been monetized across multiple surfaces.

    What should your organization be doing now

    Stopping sleeper and synthetic accounts requires shifting from transaction-only defenses to continuous identity risk assessment across the account lifecycle.

    Start with stronger identity signals at account creation

    Email addresses are one of the earliest and most persistent identifiers tied to an account and one of the most data-rich, underutilized fraud signals. In effective fraud programs, trust is not permanent. It is continuously re-earned. Using email authentication and reputation intelligence at account creation helps identify:

    Newly created or disposable email domains
    Emails previously associated with fraud or abuse
    Reuse patterns across identities, devices, or transactions
    Automation-driven account creation behavior

    This doesn’t mean blocking more customers. It means understanding risk earlier and applying friction only when signals justify it, preventing fraudulent identities from quietly aging into trusted accounts.

    Re-evaluate trust when accounts evolve

    Sleeper accounts rarely stay static. Risk increases when accounts:

    Change credentials or contact details
    Add new shipping addresses or payment methods
    Attempt high-value purchases, refunds, or redemptions

    Re-checking email reputation and identity signals at these moments helps detect accounts that were once low risk but have since shifted, before abuse escalates.

    Detect compromised credentials before takeovers turn into losses

    Account takeovers are a common trigger for downstream fraud, but many defenses activate only after fraud occurs. Credential intelligence solutions allow organizations to assess risk before approving sensitive account actions by identifying whether:

    Login credentials have appeared in known data breaches
    Passwords are actively circulating in criminal ecosystems
    Credentials are being reused across platforms

    By evaluating credential exposure during logins, password changes, or account modifications, businesses can interrupt fraud at the takeover stage—rather than absorbing losses later through transactions, refunds, or loyalty theft.

    The bigger picture: accounts are long-term fraud assets

    Fraudsters don’t think in transactions. They think in accounts. The holidays are not just a time of increased fraud, they are a setup phase. Accounts created or compromised during peak season often fuel fraud and abuse for the rest of the year. Organizations that recognize this shift focus less on reacting to fraud spikes and more on exposing risky identities early, monitoring how trust evolves, and intervening before monetization occurs. Because by the time fraud becomes obvious, the most important decisions were already missed.

    myNetWatchman can help stop fraud before it ages

    While fraudsters use the holiday chaos to plant seeds for year-round abuse, myNetWatchman’s Email Reputation service allows retailers to reclaim the advantage of time. By leveraging real-time criminal data, our solution exposes the "DNA" of an email address at the moment of entry. Whether it’s flagging a high-risk sleeper account during registration, identifying harvested credentials before they are stored, or preventing a high-value account takeover during a login shift, myNetWatchman provides the intelligence to act before monetization occurs. We offer a friction-free, zero-false-positive environment that doesn't just block bad actors, it ensures that trust is earned, verified, and maintained. Don’t let today’s peak season volume become tomorrow’s liability. Want to learn more? Let’s talk.
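    The three recommendations above (re-checking email reputation when an account changes, checking credential exposure before approving sensitive actions, and the earlier point that an MFA code delivered to the same inbox as the reset link is not an independent second factor) can be expressed as a single policy function. The script below is an added example, not myNetWatchman's code or its Email Reputation API; the intelligence feeds, addresses, dates, event names and the allow / step_up / out_of_band actions are all constructed assumptions so that it runs offline. Its main point is the snapshot-versus-continuous comparison: the same password reset is allowed by a policy that trusts the onboarding check and refused by one that re-queries the feed on the day of the request.

```python
"""Continuous trust re-evaluation at high-stakes account events.

Added example; not myNetWatchman code and not its Email Reputation API.
All feeds below are constructed sample data so the script runs offline;
a real deployment would query a live reputation / credential-exposure source.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# --- constructed sample intelligence feeds (hypothetical values) --------------
DISPOSABLE_DOMAINS = {"tempmail.example", "10min.example"}
# inbox -> date it first appeared in a compromise feed
INBOX_COMPROMISED_SINCE = {"alice@mail.example": date(2024, 1, 8)}
# (inbox, password hash) -> date the pair first appeared in a credential dump
CREDENTIAL_EXPOSED_SINCE = {("alice@mail.example", "h1"): date(2024, 1, 8)}

# Events that extend trust and therefore deserve a fresh evaluation.
HIGH_STAKES = {"password_reset", "payment_method_change",
               "new_device_login", "large_transaction"}

DateLike = Union[str, date]


def _as_date(d: DateLike) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass(frozen=True)
class EmailRisk:
    email: str
    as_of: date
    disposable: bool
    inbox_compromised: bool
    credential_exposed: bool


def assess(email: str, as_of: DateLike, password_hash: Optional[str] = None) -> EmailRisk:
    """Point-in-time view of the address: only what the feeds knew on `as_of`."""
    when = _as_date(as_of)
    addr = email.lower()
    domain = addr.rsplit("@", 1)[-1]
    inbox_since = INBOX_COMPROMISED_SINCE.get(addr)
    cred_since = CREDENTIAL_EXPOSED_SINCE.get((addr, password_hash)) if password_hash else None
    return EmailRisk(
        email=addr, as_of=when,
        disposable=domain in DISPOSABLE_DOMAINS,
        inbox_compromised=inbox_since is not None and inbox_since <= when,
        credential_exposed=cred_since is not None and cred_since <= when,
    )


def decide(event: str, risk: EmailRisk,
           mfa_channel: str = "email", recovery_channel: str = "email") -> dict:
    """Policy for one event. Returns {"action": ..., "reasons": [...]}.

    allow        proceed
    step_up      require a factor that does not route through the inbox
    out_of_band  refuse the email-routed reset; recover via another channel
    """
    reasons = []
    if risk.disposable:
        reasons.append("disposable_domain")
    if risk.inbox_compromised:
        reasons.append("inbox_compromised")
    if risk.credential_exposed:
        reasons.append("credential_exposed")
    # Factor-independence check: an MFA code delivered to the same inbox that
    # receives the reset link is inbox control counted twice, not a second factor.
    if mfa_channel == "email" and recovery_channel == "email":
        reasons.append("factors_not_independent")

    if event not in HIGH_STAKES:
        return {"action": "allow", "reasons": reasons}  # low stakes: record, do not gate
    if risk.inbox_compromised or risk.credential_exposed:
        if event == "password_reset" and recovery_channel == "email":
            return {"action": "out_of_band", "reasons": reasons}
        return {"action": "step_up", "reasons": reasons}
    if risk.disposable or "factors_not_independent" in reasons:
        return {"action": "step_up", "reasons": reasons}
    return {"action": "allow", "reasons": reasons}


def snapshot_vs_continuous(email: str, onboarded: DateLike, event_day: DateLike,
                           event: str = "password_reset") -> tuple:
    """Same event, two policies: trust the onboarding snapshot vs. re-check now."""
    static = decide(event, assess(email, onboarded), mfa_channel="app")
    live = decide(event, assess(email, event_day), mfa_channel="app")
    return static["action"], live["action"]


if __name__ == "__main__":
    # alice was clean when onboarded on 2024-01-01, her inbox entered the feed on
    # 2024-01-08, and a reset request arrives on 2024-01-31 (constructed timeline).
    print(snapshot_vs_continuous("alice@mail.example", "2024-01-01", "2024-01-31"))
    print(decide("new_device_login", assess("bob@tempmail.example", "2024-03-01")))
```

    The `as_of` parameter is what makes the comparison honest: `assess` only reports what the feed knew on that date, so the onboarding snapshot genuinely looks clean while the re-check on the day of the reset does not. Low-stakes events still record the reasons without gating, which is the "friction only when signals justify it" posture the article describes.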

  • The Klarna Wake-Up Call: Why Ignoring Email Authentication Is a Disaster Waiting to Happen

    Klarna is just now learning what many in fraud prevention have known for years: synthetic identity fraud doesn’t start with stolen credit cards, it starts with unvetted digital identities. For years, email addresses have been treated as little more than a communication channel, a box to check during account creation. That assumption is now proving to be dangerously outdated.

    Email is often the first persistent identifier tied to consumer, vendor, and partner accounts. When email addresses are not properly authenticated at account opening, it becomes the perfect entry point for synthetic identities:
    - Newly created or auto-generated email addresses
    - Pattern-based aliases designed to evade detection
    - Addresses linked to fabricated personas with no real-world footprint
    - Compromised email accounts

    Once these identities are inside the ecosystem, downstream controls like credit checks, behavioral monitoring, and transaction limits are already playing catch-up.

    Unfortunately, this scenario is not an anomaly. Many organizations prioritize speed-to-conversion over foundational identity controls such as email authentication. This strategy can be a costly miscalculation.

    Klarna’s Lesson: Fraud Debt Accumulates Quietly

    Synthetic identity fraud rarely explodes overnight. It accrues silently, blending in with legitimate users until losses surface months or even years later. Buy-now-pay-later platforms, fintechs, and digital-first lenders are especially vulnerable because:
    - Account creation is frictionless by design
    - Credit exposure often precedes full identity validation
    - Losses appear as defaults, not fraud

    By the time the problem is visible, the damage is already embedded in the portfolio. The solution is not more friction. It’s earlier intelligence.

    Klarna’s situation underscores a hard truth: you can’t retroactively fix identity trust at scale. If the front door is left open, every system behind it is compromised.

    Email Authentication is a Critical Step

    Many organizations look at high-growth companies and assume their underlying business model is sound. However, copying an approach that underestimates the critical need for robust email authentication creates three compounding failures:
    - Fraud costs disguised as credit losses
    - Increased compliance and regulatory scrutiny
    - Erosion of trust with partners, banks, and investors

    Worse, once synthetic identities mature, they become harder and more expensive to detect. What looks like short-term growth often becomes long-term instability.

    Early Email Intelligence = Reduced Fraud, Reduced Cost, Higher Conversion Rates

    The solution is not more friction or overreliance on email verification. It’s earlier intelligence: authenticating an email at account creation to:
    - Identify non-working emails
    - Decline sign-ups that use synthetic email addresses
    - Detect compromised emails and conduct additional verification
    - Identify emails on which KYC would be difficult (or impossible) to conduct
    - Reduce downstream losses without impacting conversion

    And critically, this can be done economically and is completely transparent to the user.

    How We Help Clients Avoid the Klarna Trap

    Clients call our real-time, low-cost Email Reputation API at key events such as new account signup, password change, or email change to get real-time intelligence on whether the email is tied to a synthetic identity or has been compromised. We answer the critical questions: does the email work, is it synthetic, is it compromised, and will it be difficult to conduct KYC on the email. By analyzing email characteristics, patterns, and signals that traditional onboarding overlooks, we surface risk without adding steps, delays, or customer frustration. No extra forms. No additional friction. No waiting for losses to pile up before acting. Zero false positives.

    The Takeaway

    Klarna’s experience isn’t just a headline, it’s a warning. Companies that continue to treat email as a low-risk data point are building their growth on unstable ground. The question isn’t whether synthetic identity fraud will show up. It’s whether you’ll stop it at the door, or pay for it later. If you’re ready to learn how to do this before it becomes a problem, we’re ready to show you how. Let’s talk.

  • The Critical Visibility Gap Between Marketplace Data and Checker, Real-Time Data Intelligence

    Across the payments ecosystem, criminals need validated, “live” cards because stolen cards are the fuel for almost every form of online payment fraud. The sooner they confirm which cards work, the sooner they can monetize them and the more easily fraud can hide. These cards include traditional consumer Visa and Mastercard branded cards from issuing banks, private label, commercial, and even gift cards.

    But here’s the problem: many organizations, including banks, don’t see these attacks happening, not because they lack technology, but because they lack visibility. The early signals don’t show up in their systems at all. This is the “visibility gap” that continues to cost banks millions in fraud losses every year.

    Marketplace Data: Important…but Far Too Late

    For years, fraud teams have relied on Marketplace Data, the lists of stolen cards that appear for sale on dark-web shops. These lists, often obtained from breaches, infostealer logs, or underground marketplaces, give a rough sense of which cards may be exposed. Marketplace Data has value. It shows:
    - Which BINs are circulating underground
    - When large breaches occur
    - How many cards are being sold by geography or issuer

    But Marketplace Data has two crippling limitations:

    1. It’s reactive. Cards usually appear on dark-web markets days, weeks, or even months after they are stolen. Because it is a marketplace, these cards may have been bought and sold many times. By the time an organization sees them, criminals are likely already testing or monetizing them.

    2. It says nothing about card validity. A card listed for sale may be expired, canceled, or blocked. Marketplace Data doesn’t reveal which cards remain active, and therefore doesn’t help banks know where fraud is actually imminent.

    This gap can be especially dangerous during the holiday season. Fraud rings stockpile tens of thousands of stolen cards in early Q4, but marketplace listings only confirm exposure, not criminal activity or timing. To stop fraud before it starts, organizations need something more immediate and more reliable: behavioral evidence of live card testing.

    Checker Data: The Earliest, Most Actionable Warning Signal

    Checker Data captures the exact moment criminals test cards across the internet. This is real-time behavioral intelligence, not scraped listings, not breach dumps, not forensic aftermath. This is the earliest point in the fraud lifecycle where intent becomes visible. Instead of relying on a dark-web posting, real-time intelligence data shows:
    - Which BINs are being tested right now
    - Which cards are being validated successfully
    - Where testing is geographically clustered
    - How quickly testing is accelerating
    - Which testing tools, botnets, or attack methods are involved

    And this early signal matters. As highlighted in a recent case study, one regional bank detected 25,000 compromised cards by monitoring real-time testing behavior, saving over $2.5 million in operational expense while preserving $7.5 million in revenue that would have been lost to customer churn and cardholder frustration.

    The fundamental difference here is between knowing cards were stolen (Marketplace Data)…and knowing that criminals are actively preparing to use them (Real-time intelligence data).

    Why Some Miss Seeing Card Testing Themselves

    An organization’s fraud models, no matter how advanced, may not detect early testing for one simple reason: card testing happens at merchants that many don't see. Criminals rarely test cards at well-protected, high-security ecommerce sites. Instead, they test them at:
    - Small online stores
    - Donation platforms
    - Subscription trial signups
    - Global merchants with weak AVS or no 3-D Secure
    - Bots hitting thousands of micro-merchants at once

    Organizations only see testing if an attacker attempts a transaction at a merchant using the issuer’s card. But in most attack cycles, criminals test hundreds of cards for hours or days before a single transaction ever reaches the issuing company’s systems. That means fraud managers are trying to solve a problem operating almost entirely outside their field of view.

    Closing the Gap: Why Real-Time Intelligence Matters

    Real-time Intelligence Data offers organizations a fundamentally different approach:
    - Detection within seconds, not weeks
    - Action before fraud, not after
    - Accurate, high-fidelity signals tied to real testing behavior
    - Compliance-safe data (no illicit marketplace procurement)
    - Protection from seasonal testing surges

    Organizations don’t need to wait for fraud to appear in their own ledger. They can see attacks as they begin, across the entire internet. This is the shift from reactive defense to proactive prevention.

    myNetWatchman: Closes the Visibility Gap

    The visibility gap doesn’t have to be a permanent feature of BIN testing or seasonal fraud. myNetWatchman delivers the earliest alerts in the industry, detecting card-testing activity within seconds of the first probing attempt. By monitoring real-world testing behavior across the internet, myNetWatchman identifies compromised cards before fraud occurs, giving issuers the power to block, lock, or reissue with confidence.

    If your organization wants to get ahead of testing surges, strengthen customer trust, and reduce fraud losses before they happen, contact myNetWatchman today to see how real-time Checker Intelligence can transform your fraud-prevention strategy. Read more about our Card Monitoring solution.
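    The signals the post lists for live card testing (BINs under test, successfully validated cards, low amounts, acceleration, spread across small merchants) can be computed from authorization attempts, as in this added illustration. It is not myNetWatchman code: the record layout, ten-minute window and thresholds are assumptions, and the attempt log is constructed inline.

```python
"""Card-testing (checker) detection over authorization attempts, grouped by BIN.

Added illustration, not myNetWatchman's code: the record layout, window and
thresholds are assumptions, and the attempt log below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Attempt:
    ts: int          # seconds since the start of the observation window
    bin6: str        # first six digits of the card number
    card_id: str     # stable token for one card (never the PAN itself)
    amount: float    # authorization amount
    approved: bool
    merchant: str    # merchant / source where the attempt landed


@dataclass(frozen=True)
class BinAlert:
    bin6: str
    attempts: int
    distinct_cards: int
    approval_rate: float
    acceleration: float      # attempts in second half of window / first half
    validated_cards: tuple   # cards that authorized: candidates to lock or reissue
    merchants: tuple         # where the probing was spread


# Assumed thresholds for a 10-minute window.
WINDOW = 600
MIN_ATTEMPTS = 20
MIN_DISTINCT_CARDS = 15
MAX_APPROVAL_RATE = 0.30   # testers mostly hit dead or already-blocked cards
MAX_MEDIAN_AMOUNT = 5.00   # probes use tiny amounts (donations, trials, $1 auths)


def detect_testing(attempts, window=WINDOW):
    """Return one BinAlert per BIN whose traffic looks like live card testing."""
    by_bin = defaultdict(list)
    for a in attempts:
        if 0 <= a.ts < window:
            by_bin[a.bin6].append(a)

    alerts = []
    for bin6, rows in sorted(by_bin.items()):
        cards = {r.card_id for r in rows}
        # Many distinct cards per BIN in a short window is the core checker pattern.
        if len(rows) < MIN_ATTEMPTS or len(cards) < MIN_DISTINCT_CARDS:
            continue
        approval_rate = sum(r.approved for r in rows) / len(rows)
        if approval_rate > MAX_APPROVAL_RATE or median(r.amount for r in rows) > MAX_MEDIAN_AMOUNT:
            continue
        first = sum(r.ts < window / 2 for r in rows)
        second = len(rows) - first
        acceleration = second / first if first else float("inf")
        validated = tuple(sorted({r.card_id for r in rows if r.approved}))
        alerts.append(BinAlert(bin6, len(rows), len(cards), round(approval_rate, 2),
                               round(acceleration, 2), validated,
                               tuple(sorted({r.merchant for r in rows}))))
    return alerts


def sample_log():
    """Constructed attempts: BIN 411111 being probed, BIN 555555 normal shopping."""
    rows = []
    for i in range(30):  # 30 probes on 30 distinct cards, $1 each, faster in the second half
        ts = 100 + i * 5 if i < 10 else 300 + (i - 10) * 5
        rows.append(Attempt(ts, "411111", f"tok{i:03d}", 1.00, i % 6 == 0,
                            ["donate-a", "trial-b", "shop-c"][i % 3]))
    for i in range(8):   # ordinary purchases at one store, all approved
        rows.append(Attempt(50 + i * 60, "555555", f"cust{i}", 42.50 + i, True, "store-x"))
    return rows


if __name__ == "__main__":
    for alert in detect_testing(sample_log()):
        print(alert)
```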

  • From Cyber Sleuthing to Global Spotlight, Lawrence Baldwin’s Story Featured in BBC Podcast Series

    We’re thrilled to share some exciting news: our founder, Lawrence Baldwin, is featured in a gripping new BBC World Service podcast series that dives deep into one of the most remarkable true stories in cyber history.

    Listen to Cyber Hack “Evil Corp”: https://www.bbc.com/audio/brand/w13xtvg9

    About the Series

    The BBC’s Cyber Hack series “Evil Corp” takes listeners inside the high-stakes world of international cybercrime, where hackers, governments, and investigators cross paths in a web of digital intrigue. It’s a global story that touches on billions of dollars, state-backed hacking, and the people who work tirelessly to uncover the truth. Among those voices is Lawrence Baldwin, our founder, whose pioneering work in cybersecurity and threat intelligence has been shaping this field for decades. His story brings authenticity, expertise, and a deeply human perspective to a narrative that spans continents.

    Why It Matters

    This isn’t just a story about hacking, it’s a story about integrity, perseverance, and innovation. For us, it’s an honor to see Lawrence’s contributions recognized on such a global stage. His experience has not only guided our company’s mission but continues to inspire how we approach our work every day, with curiosity, courage, and commitment to protecting others online.

    Tune In

    Cyber Hack series “Evil Corp” here: https://www.bbc.com/audio/brand/w13xtvg9

    You can also find it on your favorite podcast app including Apple Podcasts & Spotify.

    Join the Conversation

    After you listen, we’d love to hear what you think. Thank you for being part of our community and for supporting the work that began with one founder’s vision to make the internet a safer place.

    Enjoy,
    The myNetWatchman Team

  • myNetWatchman Launches the Travel Credential Abuse Index

    The First Industry Benchmark on Cyber Threats Targeting Global Travel Brands

    Savannah, GA, October 21, 2025 — myNetWatchman today announced the release of the Travel Credential Abuse Index (TCAI) Report, a first-of-its-kind benchmark tracking credential-based cyberattacks across airlines, hotels, online travel agencies (OTAs), and car rental companies. The report delivers unprecedented visibility into how credential abuse has evolved over the past two years, revealing that while overall attack volumes fluctuate, the sophistication and persistence of threat actors continue to rise.

    Drawing on activity across more than 85 travel platforms and billions of login attempts, the TCAI captures real-world fraud behavior across sectors. The findings reveal that credential abuse in travel has not declined, it has adapted. Attackers continue to exploit stolen credentials, MFA bypass tools, and both human and supply chain vulnerabilities. High-attack periods frequently correlate with major data breaches such as the Otelier hotel software breach in 2024 and the coordinated Scattered Spider airline campaigns in mid-2025.

    “Credential abuse represents one of the most persistent and underestimated risks to digital travel. Our goal with the TCAI is to give the industry a data-driven view of this evolving threat, and the tools to fight back,” said David Montague, CEO, myNetWatchman.

    The TCAI highlights that attackers are increasingly ROI-driven, shifting focus among travel sectors as defenses tighten. Airlines and OTAs face the most sustained surges. Despite widespread adoption of multi-factor authentication, the report warns that MFA alone is not enough. Travel companies must also implement compromised credential screening, advanced bot detection, and synthetic identity prevention. The research underscores the growing need for proactive threat intelligence and continuous monitoring.

    “Credential abuse is not a one-time event; it’s an evolving ecosystem,” added Montague. “Without layered detection and identity verification, even the strongest authentication systems can be undermined.”

    The Travel Credential Abuse Index Report (October 2025) is available for download at www.myNetWatchman.com/TCAI.

    About myNetWatchman

    myNetWatchman provides real-time intelligence and fraud prevention solutions to help organizations detect and stop credential abuse, account takeover, and synthetic identity fraud. Leveraging billions of behavioral and reputational signals across the internet, myNetWatchman helps global enterprises identify risk, reduce fraud losses, and protect customer trust.

  • MFA Isn’t a Fortress: Why Compromised Emails Undermine Account Security

    If you’ve worked in fraud prevention or cybersecurity, you’ve probably heard it a thousand times: “Just turn on multi-factor authentication (MFA). It’ll stop the hackers.” And sure, MFA helps — a lot. But here’s the reality no one likes to admit: the most common doorway attackers use to bypass MFA is a compromised email account.

    That’s right. The inbox — that familiar, everyday tool we all rely on — is often the weakest link in account security. It’s the digital key to password resets, login approvals, and account verifications. When that key is stolen or spoofed, even the strongest MFA setup can crumble. So before we talk about logins, we need to talk about detecting compromised credentials and detecting compromised emails, because not every email belongs to who it claims to.

    The Bigger Problem: Compromised and Fake Email Accounts

    Every modern account starts with an email address; it’s the backbone of digital identity. Unfortunately, attackers know this too. They target inboxes because controlling one email account can unlock a chain of others: bank accounts, customer portals, corporate systems, cloud services, and more. Two major issues make this a nightmare for security teams:
    - Compromised accounts: These are real users’ emails that have been stolen or exposed in breaches, often found in dark web dumps or infostealer logs. Once compromised, they become golden tickets for account takeover (ATO) attacks.
    - Synthetic or fake accounts: Fraudsters create “clean-looking” identities that pass basic verification. They lie dormant for months, appearing legitimate until they’re suddenly used for fraud or cash-out events.

    In one incident, threat actors compromised multiple email accounts to identify users with Bitcoin holdings. By exploiting access to those inboxes, they located crypto exchange notifications, used that information to circumvent two-factor authentication, and ultimately walked right into those accounts. In both cases, MFA can be completely bypassed, not because the technology is broken, but because it’s authenticating the wrong person.

    Why MFA Isn’t Enough Anymore

    MFA was designed to stop unauthorized access by asking users for more than just a password. It combines factors like something you know (a password), something you have (a phone or token), or something you are (a fingerprint or face scan). But modern attackers are patient and clever. They’ve developed ways to slip past these barriers by exploiting weak links, usually human ones. Here are a few ways MFA is commonly defeated:
    - Compromised Email Account: When a fake, synthetic, or compromised email account is used as part of MFA verification, criminals either already control the account or soon will.
    - Prompt Bombing (MFA Fatigue): Attackers flood users with repeated authentication requests until someone hits “approve” just to make it stop.
    - Social Engineering: Fraudsters pose as IT or customer support, tricking users into confirming fake login attempts.
    - SIM Swapping: By hijacking a phone number, attackers intercept SMS-based MFA codes.
    - Session Hijacking: Cybercriminals steal valid session cookies from browsers, effectively “skipping” MFA.
    - Malware on Endpoints: Once malware is on a device, even MFA can’t protect what’s already been compromised.
    - Phishing-as-a-Service Kits: Ready-made tools now let attackers rent sophisticated MFA-bypass systems that intercept credentials and session tokens.

    Each of these methods preys on one key weakness: the trust we place in user credentials.

    Why Email Reputation Is the Missing Piece

    If MFA verifies “how” someone logs in, Email Reputation verifies who can log in. It’s the trust layer that ensures the credentials you’re authenticating actually belong to a legitimate, uncompromised user or another party who may have access. Email Reputation by myNetWatchman was built for exactly this. It uses real-time intelligence, sourced from both open and dark web data, to identify whether an email account:
    - Has been accessed by bad actors
    - Has been observed in recent criminal activity
    - Is fake or synthetically created
    - Was recently registered and is showing high-risk behavior

    Instead of waiting for an attack to happen, businesses can flag risky accounts at the moment of login or account creation.

    Where to Integrate Email Reputation

    Adding email reputation checks into your existing processes is straightforward and powerful. Here’s how to make it part of your fraud and security workflow:
    - At Account Creation: Screen new sign-ups for compromised or fraudulent email addresses.
    - At Login (even with MFA): Identify compromised users before granting access.
    - During Password Reset: Prevent attackers from resetting credentials on hijacked accounts.
    - For High-Value Transactions or Account Changes: Reassess account trust before money moves.
    - Periodic Account Reviews: Uncover “sleeper accounts” that may have gone bad since creation.

    This approach doesn’t replace MFA, it completes it. You’re no longer just confirming someone’s login attempt; you’re validating their identity’s credibility.

    The Bottom Line

    MFA is a valuable tool, but it was never meant to be a silver bullet. When the average data breach starts with a compromised email, focusing on MFA alone is like putting a better lock on a door while ignoring that someone already has a copy of the key. Real security starts with trustworthy credentials. By integrating Email Reputation intelligence, businesses can finally move from reactive defense to proactive protection, spotting compromised, fake, and high-risk accounts before they do harm.

  • From Trusted to Threat: The Hidden Risks of Verified Accounts

    Why Continuous Monitoring Is Essential for Account Protection

    Business leaders and fraud managers invest significant resources in verifying and authenticating new customers. You implement rigorous fraud checks, confirm identities, and follow best practices to ensure each account is secure at the point of creation. At that moment, you can be confident the account is trustworthy.

    Compromised Email Risk: The Silent Trigger for Account Takeover

    Here’s the hard truth: even if you’ve verified a customer at signup, their account can still be at risk the next day, all because of their email address. When an email gets compromised through a phishing scam, a data breach, or dark web sale, fraudsters suddenly hold the keys to everything. With email inbox access, they can grab password reset links, approve fraudulent transactions, and impersonate your customer, all while flying under the radar.

    Account Creation to ATO

    From your perspective, a new customer has successfully passed fraud checks and started their journey with your brand. For fraudsters, however, this is just the beginning of an opportunity. Even if the onboarding data is clean, an email address, a seemingly mundane detail, can become the gateway to account takeover.

    1. A user enters data to create a new account.
    2. Your company runs its process to authenticate and verify user data and approves the new account.
    3. The email address becomes compromised through one of several causes, such as phishing or a breach.
    4. Using the compromised email account, fraudsters now control the account and can:
       - Alter account details or reset passwords
       - Drain loyalty points, balances, or digital wallets
       - Make unauthorized purchases
       - Damage your brand’s reputation by making your business appear vulnerable

    The Underlying Issue

    Users/customers routinely reuse the same email and password combinations across numerous websites. On average, people maintain 75–100 online accounts. If their credentials are compromised elsewhere, that same combination can be used to breach their account on your platform.

    Why is this so dangerous?
    - Email is the digital hub: It connects bank accounts, shopping platforms, social media, even work logins. If one email is compromised, dozens of accounts can be, too.
    - Customers rarely know: Most people never realize their email has been exposed until after something bad happens.
    - Credential reuse is rampant: People recycle the same email-and-password combo across sites, so a breach in one place can easily spill over to yours.

    That’s why continuous email reputation checks matter: they help you spot when “trusted” accounts are no longer trustworthy, before takeover and fraud hit your bottom line.

    A Proactive Approach

    While robust account verification at signup is essential, it's not sufficient. Modern fraud management demands ongoing risk assessment at every key touchpoint, such as account creation, customer login, account changes, funds transfer, and loyalty points redemption.

    The Power of Email Reputation

    This is where myNetWatchman’s Email Reputation service adds critical value. Through a simple API, you can instantly verify at these key customer interactions:
    - Account Creation: Assess whether the email is compromised, fake, or synthetic, for step-up authentication or to block suspicious applicants upfront.
    - Customer Login: Detect whether the account has been compromised and is actively being used by bad actors since its creation.
    - Account Changes: Ensure account details are not being changed by bad actors who have taken over the account.
    - Funds Transfer, Loyalty Points Redemption: Before a transfer of value takes place, make sure the actual account owner is in control.

    For your business, this translates to lower authentication costs, stronger defense against account takeover, and a smoother experience for legitimate customers.

    Final Thought

    The reality is that an account deemed “safe” yesterday may already be a risk today. By integrating continuous trust checks like Email Reputation into your fraud prevention strategy, you proactively close security gaps, protecting your business and maintaining customer confidence.
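    The posts above (sleeper-account lifecycle checks, the "Where to Integrate Email Reputation" list, and the touchpoints just described) all reduce to the same decision: given reputation and credential-exposure signals for an address, allow, step up, or block at a given lifecycle event. This added example, not myNetWatchman's code or API, shows one such decision function; the signal field names, event names, thresholds, and sample lookups are all assumptions constructed for illustration.

```python
"""Lifecycle risk decisions driven by email-reputation and credential-exposure signals.

Added illustration, not myNetWatchman's code or API: the signal fields, event names
and thresholds are assumptions, and every sample lookup below is constructed inline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # verify through a channel the inbox does not control
    BLOCK = "block"


@dataclass(frozen=True)
class EmailSignals:
    """Assumed shape of one reputation lookup result (hypothetical fields)."""
    deliverable: bool = True                # mailbox exists and accepts mail
    disposable_domain: bool = False         # throwaway / temporary-mail provider
    domain_age_days: int = 3650             # age of the address's domain
    synthetic: bool = False                 # pattern-based alias or fabricated persona
    compromised: bool = False               # inbox observed under attacker control
    days_since_abuse: Optional[int] = None  # last seen in criminal activity; None = never
    credential_exposed: bool = False        # this login's password circulating in dumps


@dataclass(frozen=True)
class Decision:
    action: Action
    reasons: tuple  # plain-language reasons for analysts and audit logs


# Touchpoints the posts name: signup, login, password reset, contact or payment
# changes, value transfers (funds, loyalty points), periodic review of aged accounts.
EVENTS = {"signup", "login", "password_reset", "account_change",
          "value_transfer", "periodic_review"}
NEW_DOMAIN_DAYS = 30     # assumption: domains younger than this earn friction
RECENT_ABUSE_DAYS = 90   # assumption: abuse within this window counts as recent


def decide(event: str, s: EmailSignals) -> Decision:
    """Map one lifecycle event plus reputation signals to allow / step-up / block.

    Two principles from the posts: apply friction only when signals justify it, and
    never route the extra verification through an inbox that is itself the suspect.
    """
    if event not in EVENTS:
        raise ValueError(f"unknown event {event!r}")
    reasons = []

    # Creation-time signals: stop synthetic identities before they age into trust.
    if event == "signup":
        if not s.deliverable or s.synthetic:
            return Decision(Action.BLOCK, ("address is undeliverable or synthetic",))
        if s.disposable_domain:
            reasons.append("disposable email domain")
        if s.domain_age_days < NEW_DOMAIN_DAYS:
            reasons.append(f"domain younger than {NEW_DOMAIN_DAYS} days")

    # Post-creation signals: is the inbox still in the account owner's hands?
    if s.compromised:
        reasons.append("inbox observed under attacker control")
        # A reset link or change confirmation would land in the attacker's inbox,
        # so these flows stop outright instead of stepping up.
        if event in {"password_reset", "account_change", "value_transfer"}:
            return Decision(Action.BLOCK, tuple(reasons))
    if s.days_since_abuse is not None and s.days_since_abuse <= RECENT_ABUSE_DAYS:
        reasons.append(f"seen in abuse {s.days_since_abuse} days ago")
    if s.credential_exposed:
        reasons.append("login credentials circulating in breach data")

    return Decision(Action.STEP_UP if reasons else Action.ALLOW, tuple(reasons))


if __name__ == "__main__":
    # Constructed lookups, one per scenario the posts describe.
    print(decide("signup", EmailSignals(domain_age_days=10, disposable_domain=True)))
    print(decide("password_reset", EmailSignals(compromised=True, days_since_abuse=2)))
    print(decide("login", EmailSignals()))
```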
