Yes, criminal activity spikes during peak shopping season. But the most damaging fraud often doesn’t happen in November or December. It happens months later, after the holidays have passed and attention has shifted, using accounts that were created, compromised, or harvested during peak volume. Fraudsters don’t treat the holidays as a sprint, they treat them as account setup season. Fraudsters use the holidays to set up sleeper accounts and synthetic identities, and to harvest real customer accounts, then monetize them throughout the year. By the time most companies detect the fraud, those accounts have already matured, gained trust, and done real damage. How active are criminals during the holidays? In the 62 days of November and December, myNetWatchman observed the following from live data sources: 5.7B unique credentials (username and password) 45.8M compromised credentials 16M compromised email accounts 3.7M payment/gift cards being tested Millions of new accounts created using compromised or synthetic data Holidays are ideal for sleeper and synthetic account creation The holiday season creates perfect cover for identity-based fraud because everything looks noisy : New account registrations surge to access discounts, shipping perks, and rewards Logins occur from unfamiliar locations and devices due to travel and gifting Customer service is overwhelmed with legitimate requests Promotional pressure reduces friction across onboarding and checkout In that environment, fraudulent behavior blends in. This matters because new account fraud is no longer a marginal issue. Losses tied to new account fraud now reach billions of dollars annually, driven largely by synthetic identities, fabricated profiles built using a mix of real and fake data. These accounts are designed to appear legitimate long enough to pass early controls, then “activate” later through fraud, abuse, or bust-out behavior. Fraudsters know that account age equals trust. The holidays give them the scale and cover to create thousands of accounts that can quietly age into high-value assets. The second holiday opportunity: harvesting real customer accounts Alongside new account creation, the holidays are also prime time for account harvesting. Shipping notifications, delivery issues, gift card emails, and promotion alerts create ideal phishing and credential-stuffing conditions. In many cases, the goal isn’t immediate fraud. Instead, criminals test credentials, confirm access, and store that account for later use. These “harvested” accounts may sit dormant for weeks or months before being used, often during: Major sales events Product launches Or moments when the account has accumulated value or loyalty rewards From a business’ perspective, the fraud appears suddenly. In reality, the compromise happened long before. How sleeper and harvested accounts get monetized Once activated, these accounts rarely serve just one purpose. They are reused across multiple fraud and abuse vectors: Fraudulent transactions and chargebacks using trusted accounts and saved payment methods Return and refund abuse , especially post-holiday when return volumes are already high Loyalty and rewards theft , draining stored value that often receives less scrutiny than payments Marketplace abuse , including fake buyers, seller reputation farming, or eventual bust-outs The common thread is identity trust. These accounts succeed because they don’t look new, risky, or suspicious, until it’s too late. Stopping sleeper and synthetic accounts requires shifting from transaction-only defenses to continuous identity risk assessment across the account lifecycle. Most organizations don’t see sleeper accounts until damage occurs Fraud programs are optimized to detect loud events: chargeback spikes, refund abuse waves, bot attacks. Sleeper accounts are different. They: Behave normally during early life stages Spread activity across time and channels Exploit organizational silos between identity, payments, loyalty, and marketplace teams Trigger controls only after trust has already been established By the time action is taken, the account has often already been monetized across multiple surfaces. What should your organization being doing now Stopping sleeper and synthetic accounts requires shifting from transaction-only defenses to continuous identity risk assessment across the account lifecycle. Start with stronger identity signals at account creation Email addresses are one of the earliest and most persistent identifiers tied to an account and one of the most data rich, underutilized fraud signals. In effective fraud programs, trust is not permanent. It is continuously re-earned. Using email authentication and reputation intelligence at account creation helps identify: Newly created or disposable email domains Emails previously associated with fraud or abuse Reuse patterns across identities, devices, or transactions Automation-driven account creation behavior This doesn’t mean blocking more customers. It means understanding risk earlier and applying friction only when signals justify it, preventing fraudulent identities from quietly aging into trusted accounts. Re-evaluate trust when accounts evolve Sleeper accounts rarely stay static. Risk increases when accounts: Change credentials or contact details Add new shipping addresses or payment methods Attempt high-value purchases, refunds, or redemptions Re-checking email reputation and identity signals at these moments helps detect accounts that were once low risk but have since shifted, before abuse escalates. In effective fraud programs, trust is not permanent. It is continuously re-earned. Detect compromised credentials before takeovers turn into losses Account takeovers are a common trigger for downstream fraud, but many defenses activate only after fraud occurs. Credential intelligence solutions allow organizations to assess risk before approving sensitive account actions by identifying whether: Login credentials have appeared in known data breaches Passwords are actively circulating in criminal ecosystems Credentials are being reused across platforms By evaluating credential exposure during logins, password changes, or account modifications, businesses can interrupt fraud at the takeover stage—rather than absorbing losses later through transactions, refunds, or loyalty theft. The bigger picture: accounts are long-term fraud assets Fraudsters don’t think in transactions. They think in accounts. The holidays are not just a time of increased fraud, they are a setup phase. Accounts created or compromised during peak season often fuel fraud and abuse for the rest of the year. Organizations that recognize this shift focus less on reacting to fraud spikes and more on exposing risky identities early, monitoring how trust evolves, and intervening before monetization occurs. Because by the time fraud becomes obvious, the most important decisions were already missed. myNetWatchman can help stop fraud before it ages While fraudsters use the holiday chaos to plant seeds for year-round abuse, myNetWatchman’s Email Reputation service allows retailers to reclaim the advantage of time. By leveraging real-time criminal data, our solution exposes the "DNA" of an email address at the moment of entry. Whether it’s flagging a high-risk sleeper account during registration , identifying harvested credentials before they are stored, or preventing a high-value account takeover during a login shift, myNetWatchman provides the intelligence to act before monetization occurs. We offer a friction-free, zero-false-positive environment that doesn't just block bad actors, it ensures that trust is earned, verified, and maintained. Don’t let today’s peak season volume become tomorrow’s liability. Want to learn more, let’s talk.

Klarna is just now learning what many in fraud prevention have known for years: synthetic identity fraud doesn’t start with stolen credit cards, it starts with unvetted digital identities. For years, email addresses have been treated as little more than a communication channel, a box to check during account creation. That assumption is now proving to be dangerously outdated . Email is often the first persistent identifier tied to consumer, vendor, and partner accounts. When email addresses are not properly authenticated at account opening, it becomes the perfect entry point for synthetic identities: Newly created or auto-generated email addresses Pattern-based aliases designed to evade detection Addresses linked to fabricated personas with no real-world footprint Compromised email accounts Once these identities are inside the ecosystem, downstream controls like credit checks, behavioral monitoring, and transaction limits are already playing catch-up. ...you can’t retroactively fix identity trust at scale. If the front door is left open, every system behind it is compromised. Unfortunately, this scenario is not an anomaly. Many organizations prioritize speed-to-conversion over foundational identity controls, like failing to authenticate email. This strategy can be a costly miscalculation. Klarna’s Lesson: Fraud Debt Accumulates Quietly Synthetic identity fraud rarely explodes overnight. It accrues silently, blending in with legitimate users until losses surface months or even years later. Buy-now-pay-later platforms, fintechs, and digital-first lenders are especially vulnerable because: Account creation is frictionless by design Credit exposure often precedes full identity validation Losses appear as defaults, not fraud By the time the problem is visible, the damage is already embedded in the portfolio. The solution is not more friction. It’s earlier intelligence. Klarna’s situation underscores a hard truth: you can’t retroactively fix identity trust at scale. If the front door is left open, every system behind it is compromised. Email Authentication is a Critical Step Many organizations look at high-growth companies and assume their underlying business model is sound. However, copying an approach that underestimates the critical need for robust email authentication creates three compounding failures: Fraud costs disguised as credit losses Increased compliance and regulatory scrutiny Erosion of trust with partners, banks, and investors Worse, once synthetic identities mature, they become harder and more expensive to detect. What looks like short-term growth often becomes long-term instability. Early Email Intelligence = Reduced Fraud, Reduced Cost, Higher Conversion Rates The solution is not more friction or overreliance on email verification. It’s earlier intelligence through authenticating an email at account creation to find: Non-working emails Declining sign-ups using synthetic email address Detecting compromised emails and conducting additional verification Identifying emails that would be difficult (or impossible) to conduct KYC Reducing downstream losses without impacting conversion And critically, this can be done economically and is completely transparent to the user. How We Help Clients Avoid the Klarna Trap Clients call our real time low cost Email Reputation API service at key events like new account signup, password change or email change to get real time intelligence if the email is tied to synthetic identity or is compromised. We answer the critical questions: does the email work, is it synthetic, is it compromised, will it be difficult to conduct KYC on the email. By analyzing email characteristics, patterns, and signals that traditional onboarding overlooks, we surface risk without adding steps, delays, or customer frustration. No extra forms. No additional friction. No waiting for losses to pile up before acting. Zero false positives. The Takeaway Klarna’s experience isn’t just a headline, it’s a warning. Companies that continue to treat email as a low-risk data point are building their growth on unstable ground. The question isn’t whether synthetic identity fraud will show up. It’s whether you’ll stop it at the door, or pay for it later. If you’re ready to learn how to do this before it becomes a problem, we’re ready to show you how. Let’s talk.

Across the payments ecosystem, criminals need validated, “live” cards because stolen cards are the fuel for almost every form of online payment fraud. The sooner they confirm which cards work, the sooner they can monetize them and fraud can hide more easily. These cards include traditional consumer Visa and Mastercard branded cards from issuing banks, private label, commercial, and even gift cards.  But here’s the problem: many organizations, including banks, don’t see these attacks happening, not because they lack technology, but because they lack visibility. The early signals don’t show up in their systems at all. This is the “ visibility gap ” that continues to cost banks millions in fraud losses every year. Marketplace Data: Important…but Far Too Late For years, fraud teams have relied on Marketplace Data , the lists of stolen cards that appear for sale on dark-web shops. These lists, often obtained from breaches, infostealer logs, or underground marketplaces, give a rough sense of which cards may be exposed. Marketplace Data has value. It shows: Which BINs are circulating underground When large breaches occur How many cards are being sold by geography or issuer But Marketplace Data has two crippling limitations: 1. It’s reactive. Cards usually appear on dark-web markets days, weeks, or even months after they are stolen. Because it is a marketplace, these cards may have been bought and sold many times. By the time an organization sees them, it's likely that criminals may already be testing or monetizing them. 2. It says nothing about card validity. A card listed for sale may be expired, canceled, or blocked. Marketplace Data doesn’t reveal which cards remain active, and therefore doesn’t help banks know where fraud is actually imminent. This gap can be especially dangerous during the holiday season. Fraud rings stockpile tens of thousands of stolen cards in early Q4, but marketplace listings only confirm exposure, not criminal activity or timing. To stop fraud before it starts, organizations need something more immediate and more reliable: behavioral evidence of live card testing . Checker Data: The Earliest, Most Actionable Warning Signal Checker Data captures the exact moment criminals test cards across the internet, this is real-time behavioral intelligence, not scraped listings, not breach dumps, not forensic aftermath. This is the earliest point in the fraud lifecycle where intent becomes visible. Instead of relying on a dark-web posting, real-time intelligence data shows: Which BINs are being tested right now Which cards are being validated successfully Where testing is geographically clustered How quickly testing is accelerating Which testing tools, botnets, or attack methods are involved And this early signal matters. As highlighted in a recent case study, one regional bank detected 25,000 compromised cards by monitoring real-time testing behavior, saving over $2.5 million in operational expense while preserving $7.5 million in revenue that would have been lost to customer churn and cardholder frustration. The fundamental difference here is between knowing cards were stolen (Marketplace Data)…and knowing that criminals are actively preparing to use them (Real-time intelligence data). Why Some Miss Seeing Card Testing Themselves An organization’s fraud models, no matter how advanced, may not detect early testing for one simple reason: Card testing happens at merchants that many don't see. Criminals rarely test cards at well-protected, high-security ecommerce sites. Instead, they test them at: Small online stores Donation platforms Subscription trial signups Global merchants with weak AVS or no 3-D Secure Bots hitting thousands of micro-merchants at once Organizations only see testing if an attacker attempts a transaction at a merchant using the issuer’s card. But in most attack cycles, criminals test hundreds of cards for hours or days before a single transaction ever reaches the issuing company’s systems. That means fraud managers are trying to solve a problem operating almost entirely outside their field of view . Closing the Gap: Why Real-Time Intelligence Matters Real-time Intelligence Data offers organizations a fundamentally different approach: Detection within seconds, not weeks Action before fraud, not after Accurate, high-fidelity signals tied to real testing behavior Compliance-safe data (no illicit marketplace procurement) Protection from seasonal testing surges Organizations don’t need to wait for fraud to appear in their own ledger. They can see attacks as they begin, across the entire internet. This is the shift from reactive defense to proactive prevention. myNetWatchman: Closes the Visibility Gap The visibility gap doesn’t have to be a permanent feature of BIN testing or seasonal fraud. myNetWatchman delivers the earliest alerts in the industry , detecting card-testing activity within seconds of the first probing attempt. By monitoring real-world testing behavior across the internet, myNetWatchman identifies compromised cards before fraud occurs, giving issuers the power to block, lock, or reissue with confidence. If your organization wants to get ahead of testing surges, strengthen customer trust, and reduce fraud losses before they happen, contact myNetWatchman today to see how real-time Checker Intelligence can transform your fraud-prevention strategy. Read more about our Card Monitoring solution.

We’re thrilled to share some exciting news: our founder, Lawrence Baldwin , is featured in a gripping new BBC World Service  podcast series that dives deep into one of the most remarkable  true stories  in cyber history. Listen to Cyber Hack “Evil Corp”: https://www.bbc.com/audio/brand/w13xtvg9   About the Series The BBC’s Cyber Hack series “Evil Corp” takes listeners inside the high-stakes world of international cybercrime, where hackers, governments, and investigators cross paths in a web of digital intrigue. It’s a global story that touches on billions of dollars, state-backed hacking, and the people who work tirelessly to uncover the truth. Among those voices is Lawrence Baldwin , our founder, whose pioneering work in cybersecurity and threat intelligence has been shaping this field for decades. His story brings authenticity, expertise, and a deeply human perspective to a narrative that spans continents. Why It Matters This isn’t just a story about hacking, it’s a story about integrity, perseverance, and innovation . For us, it’s an honor to see Lawrence’s contributions recognized on such a global stage. His experience has not only guided our company’s mission but continues to inspire how we approach our work every day, with curiosity, courage, and commitment to protecting others online. Tune In Cyber Hack series “Evil Corp” here: https://www.bbc.com/audio/brand/w13xtvg9   You can also find it on your favorite podcast app including Apple Podcasts & Spotify. Join the Conversation After you listen, we’d love to hear what you think. Thank you  for being part of our community and for supporting the work that began with one founder’s vision to make the internet a safer place. Enjoy, The myNetWatchman Team

The First Industry Benchmark on Cyber Threats Targeting Global Travel Brands Savannah, GA, October 21, 2025  — myNetWatchman today announced the release of the Travel Credential Abuse Index (TCAI) Report , a first-of-its-kind benchmark tracking credential-based cyberattacks across airlines, hotels, online travel agencies (OTAs), and car rental companies. The report delivers unprecedented visibility into how credential abuse has evolved over the past two years, revealing that while overall attack volumes fluctuate, the sophistication and persistence of threat actors continue to rise. Drawing on activity across more than 85 travel platforms  and billions of login attempts , the TCAI captures  real-world fraud behavior across sectors. The findings reveal  that credential abuse in travel has not declined, it has adapted . Attackers continue to exploit stolen credentials, MFA bypass tools, and both human and supply chain vulnerabilities. High-attack periods frequently correlate  with major data breaches such as the Otelier hotel software breach in 2024 and the coordinated Scattered Spider  airline campaigns in mid-2025. “Credential abuse represents one of the most persistent and underestimated risks to digital travel. Our goal with the TCAI is to give the industry a data-driven view of this evolving threat, and the tools to fight back.” said David Montague, CEO, myNetWatchman The TCAI highlights that attackers are increasingly ROI-driven , shifting focus among travel sectors as defenses tighten. Airlines and OTAs face  the most sustained surges. Despite widespread adoption of multi-factor authentication, the report warns that MFA alone is not enough . Travel companies must also implement compromised credential screening, advanced bot detection, and synthetic identity prevention . The research underscores the growing need for proactive threat intelligence and continuous monitoring. “Credential abuse is not a one-time event; it’s an evolving ecosystem,” added Montague. “Without layered detection and identity verification, even the strongest authentication systems can be undermined.” The Travel Credential Abuse Index Report (October 2025)  is available for download at   www.myNetWatchman.com/TCAI . About myNetWatchman myNetWatchman provides real-time intelligence and fraud prevention solutions to help organizations detect and stop credential abuse, account takeover, and synthetic identity fraud. Leveraging billions of behavioral and reputational signals across the internet, myNetWatchman helps global enterprises identify risk, reduce fraud losses, and protect customer trust.

If you’ve worked in fraud prevention or cybersecurity, you’ve probably heard it a thousand times: “Just turn on multi-factor authentication (MFA). It’ll stop the hackers.” And sure, MFA helps — a lot. But here’s the reality no one likes to admit: the most common doorway attackers use to bypass MFA is a compromised email account. That’s right. The inbox — that familiar, everyday tool we all rely on — is often the weakest link in account security. It’s the digital key to password resets, login approvals, and account verifications. When that key is stolen or spoofed, even the strongest MFA setup can crumble. So before we talk about logins, we need to talk about detecting compromised credentials and detecting compromised emails, because not every email belongs to who it claims to. The Bigger Problem: Compromised and Fake Email Accounts Every modern account starts with an email address, it’s the backbone of digital identity. Unfortunately, attackers know this too. They target inboxes because controlling one email account can unlock a chain of others, bank accounts, customer portals, corporate systems, cloud services, and more. Two major issues make this a nightmare for security teams: Compromised accounts : These are real users’ emails that have been stolen or exposed in breaches, often found in dark web dumps or infostealer logs. Once compromised, they become golden tickets for account takeover (ATO) attacks. Synthetic or fake accounts : Fraudsters create “clean-looking” identities that pass basic verification. They lie dormant for months, appearing legitimate until they’re suddenly used for fraud or cash-out events. In one incident, threat actors compromised multiple email accounts to identify users with Bitcoin holdings. By exploiting access to those inboxes, they located crypto exchange notifications, used that information to circumvent two-factor authentication, and ultimately walked right into those accounts. In both cases, MFA can be completely bypassed, not because the technology is broken, but because it’s authenticating the wrong person. Why MFA Isn’t Enough Anymore MFA was designed to stop unauthorized access by asking users for more than just a password. It combines factors like something you know (a password), something you have (a phone or token), or something you are (a fingerprint or face scan). But modern attackers are patient and clever. They’ve developed ways to slip past these barriers by exploiting weak links, usually human ones. Here are a few ways MFA is commonly defeated: Compromised Email Account : When a fake, synthetic, or compromised email account is used as a part of the MFA verification, criminals are taking over the account or will shortly. Prompt Bombing (MFA Fatigue) : Attackers flood users with repeated authentication requests until someone hits “approve” just to make it stop. Social Engineering : Fraudsters pose as IT or customer support, tricking users into confirming fake login attempts. SIM Swapping : By hijacking a phone number, attackers intercept SMS-based MFA codes. Session Hijacking : Cybercriminals steal valid session cookies from browsers, effectively “skipping” MFA. Malware on Endpoints : Once malware is on a device, even MFA can’t protect what’s already been compromised. Phishing-as-a-Service Kits : Ready-made tools now let attackers rent sophisticated MFA-bypass systems that intercept credentials and session tokens. Each of these methods preys on one key weakness, the trust we place in user credentials . Why Email Reputation Is the Missing Piece If MFA verifies “how” someone logs in, Email Reputation verifies who can log in. It’s the trust layer that ensures the credentials you’re authenticating actually belong to a legitimate, uncompromised user or another party who may have access. Email Reputation by myNetWatchman was built for exactly this. It uses real-time intelligence, sourced from both open and dark web data to identify whether an email account: Has been accessed by bad actors Observed in recent criminal activity Fake or synthetically created Recently registered and showing high-risk behavior Instead of waiting for an attack to happen, businesses can flag risky accounts at the moment of login or account creation. Where to Integrate Email Reputation Adding email reputation checks into your existing processes is straightforward and powerful. Here’s how to make it part of your fraud and security workflow: At Account Creation : Screen new sign-ups for compromised or fraudulent email addresses. At Login (even with MFA) : Identify compromised users before granting access. During Password Reset : Prevent attackers from resetting credentials on hijacked accounts. For High-Value Transactions or Account Changes : Reassess account trust before money moves. Periodic Account Reviews : Uncover “sleeper accounts” that may have gone bad since creation. This approach doesn’t replace MFA, it completes it . You’re no longer just confirming someone’s login attempt; you’re validating their identity’s credibility. The Bottom Line MFA is a valuable tool, but it was never meant to be a silver bullet. When the average data breach starts with a compromised email, focusing on MFA alone is like putting a better lock on a door, while ignoring that someone already has a copy of the key. Real security starts with trustworthy credentials . By integrating Email Reputation intelligence, businesses can finally move from reactive defense to proactive protection, spotting compromised, fake, and high-risk accounts before they do harm.

Why Continuous Monitoring Is Essential for Account Protection Business leaders and fraud managers invest significant resources in verifying and authenticating new customers. You implement rigorous fraud checks, confirm identities, and follow best practices to ensure each account is secure at the point of creation. At that moment, you can be confident the account is trustworthy. Compromised Email Risk: The Silent Trigger for Account Takeover Here’s the hard truth: even if you’ve verified a customer at signup, their account can still be at risk the next day, all because of their email address. When an email gets compromised through a phishing scam, a data breach, or dark web sale, fraudsters suddenly hold the keys to everything. With email inbox access, they can grab password reset links, approve fraudulent transactions, and impersonate your customer, all while flying under the radar. Account Creation to ATO From your perspective, a new customer has successfully passed fraud checks and started their journey with your brand. For fraudsters, however, this is just the beginning of an opportunity. Even if the onboarding data is clean, an email address, a seemingly mundane detail, can become the gateway to account takeover. A user enters data to create a new account Your company runs its process to authenticate and verify user data and approves the new account The email address becomes compromised due to several causes like phishing, breach, etc. Using the compromised email account, fraudsters now control the account and can: Alter account details or reset passwords Drain loyalty points, balances, or digital wallets Make unauthorized purchases Damage your brand’s reputation by making your business appear vulnerable The Underlying Issue Users/customers routinely reuse the same email and password combinations across numerous websites. On average, people maintain 75–100 online accounts. If their credentials are compromised elsewhere, that same combination can be used to breach their account on your platform. When an email gets compromised through a phishing scam, a data breach, or dark web sale, fraudsters suddenly hold the keys to everything. With inbox access, they can grab password reset links, approve fraudulent transactions, and impersonate your customer—all while flying under the radar. Why is this so dangerous? Email is the digital hub: It connects bank accounts, shopping platforms, social media, even work logins. If one email is compromised, dozens of accounts can be, too. Customers rarely know: Most people never realize their email has been exposed until after something bad happens. Credential reuse is rampant: People recycle the same email-and-password combo across sites, so a breach in one place can easily spill over to yours. That’s why continuous email reputation checks matter, they help you spot when “trusted” accounts are no longer trustworthy, before takeover and fraud hit your bottom line. A Proactive Approach While robust account verification at signup is essential, it's not sufficient. Modern fraud management demands ongoing risk assessment at every key touchpoint, such as account creation, customer login, account changes, funds transfer, and loyalty points redemption. The Power of Email Reputation This is where myNetWatchman’s Email Reputation service adds critical value. Through a simple API, you can instantly verify at these key customer interactions, like: Account Creation : Assess whether the email is compromised, fake, or synthetic, for step-up authentication or to block suspicious applicants upfront. Customer Login : Detects if the account has been compromised and actively being used by bad actors since its creation. Account Changes : Ensure account details are not being changed by bad actors who have taken over the account. Funds Transfer, Loyalty Points Redemption : Before a transfer of value takes place, make sure the actual account owner is in control. For your business, this translates to lower authentication costs, stronger defense against account takeover, and a smoother experience for legitimate customers. Final Thought The reality is that an account deemed “safe” yesterday may already be a risk today. By integrating continuous trust checks like Email Reputation into your fraud prevention strategy, you proactively close security gaps, protecting your business and maintaining customer confidence.

Every executive decision relies on trustworthy numbers. Metrics like CAC (Customer Acquisition Cost), CLTV (Customer Lifetime Value), churn, and growth are only as accurate as the data behind them. When fake, synthetic, or compromised email addresses start clogging up your customer account lists, they distort these critical measurements, inflating acquisition costs, diluting lifetime value, and creating churn that doesn’t reflect real customer behavior. By eliminating fake, compromised, and other high-risk accounts, companies get a clearer picture of their true customer base and a more reliable financial view of their business. This isn’t just a fraud problem, it’s a cross-functional issue that affects how Marketing measures campaign ROI, how Sales forecasts pipeline growth, and how Finance evaluates capital efficiency. One of the most effective and under-leveraged processes to achieve cleaner data is email account hygiene. This approach evaluates the trustworthiness of an email address at account creation, login, or during ongoing use, helping to detect synthetic identities, compromised accounts, disposable emails, and addresses linked to recent criminal activity. Filtering these out early protects your business and ensures that your growth, retention, and revenue metrics reflect reality rather than noise. Impact on Business Metrics Fraud Vector Signal from Email Reputation Impact on Business Metrics Disposable / temporary email addresses Poor domain reputation, short lifetimes, high churn Marketing : Campaign performance looks inflated but doesn’t convert. Finance:  CAC rises as acquisition spend is wasted Compromised / breached credentials Appear in breach dumps or infostealer logs Fraud:  Direct ATO losses. Sales:  Inflated LTV that disappears with churn. Finance:  Missed revenue forecasts due to account attrition Synthetic / fake accounts Detected via email age, domain reputation, behavioral signals Sales:  Inflated pipeline and false “user growth”. Marketing:  Campaign ROI reporting skewed. Finance: Overstated revenue potential in models Observed criminal / fraud activity Known fraud rings, chargebacks, spam networks Operations:  Reduced manual review and chargeback costs. Customer Experience:  Trust and retention improve. Finance:  More predictable fraud loss reserves. The Bigger Picture Behind the Numbers The data paints a sobering picture: synthetic and fake accounts aren’t just a nuisance, they are warping the very financial metrics executives rely on to make decisions . TransUnion reports that more than half of financial institutions now see synthetic identities as their top fraud concern. At the same time, the tactics behind these accounts are evolving, with 40% of institutions observing increased fraud attempts tied to generative AI, and nearly a third already facing deepfake-driven synthetic identities. These aren’t fringe issues; they’re mainstream risks undermining the quality of customer data. It’s not just financial services feeling the impact. Ping Identity highlights a 32% growth in fraudulent new bank accounts in a single year, and a staggering 183% spike in synthetic fraud attempts in retail over a three-year period. These accounts don’t only drain fraud budgets, they inflate Marketing’s lead counts, Sales’ user growth numbers, and Finance’s forecasts. Executives making calls on CAC, LTV, or churn are often doing so with corrupted data sets. Email Reputation from myNetWatchman Exposes Compromised, Fake Email Accounts Email Reputation doesn't just reduce fraud losses; it restores trust in the numbers themselves . By filtering out the noise of fake, synthetic and compromised accounts, companies can ensure their financial reporting is grounded in reality. And for business managers, that clarity isn’t a nice-to-have, it’s essential for allocating capital, planning growth, and proving ROI across the organization. For Marketing : Better segmentation, cleaner campaign attribution, higher conversion rates For Sales : Real pipeline, not padded by synthetic users For Finance : Capital efficiency ratios (CAC, payback, LTV/CAC) calculated on real customer, not fake ones Email Reputation is a simple API that helps companies determine if an email address is trustworthy, fake, synthetic, deliverable, or actively compromised. Businesses use Email Reputation during new account setup, login, and password reset to reduce authentication costs, enhance security, and prevent fraud. The real impact goes beyond fraud to ensure the metrics driving strategy and valuation actually reflect reality. For more information on Email Reputation by myNetWatchman, click here .

Apple just opened iPhone 17 pre-orders (stores launch September 19), and history has shown that fraudsters treat new-phone hype and holiday volume as their favorite cover. Sleeper Accounts Are Set for Attack One common tactic used by fraud groups is to set up accounts well in advance of an attack. These accounts, sometimes called "sleeper" or "dormant" accounts, are used to hit companies at scale and avoid the scrutiny of guest checkouts. Experian describes this as new or hijacked accounts that behave normally until a rapid cash-out. Fraudsters typically create new accounts using synthetic identities or compromise existing accounts. In some cases, fraudsters have pre-positioned tens of thousands of accounts for the holidays alone. When you add in the hype of a new iPhone, the stage is set for a season of attacks. After weeks or months of lying low, these accounts are then activated by criminals to purchase upgrades, device financing, add-a-line promotions, or execute SIM swaps and port-outs. Why this matters for mobile carriers: the new-account step is already the riskiest stage in digital onboarding; of which the Communications Fraud Control Association (CFCA) reports 1 in 9 telecom applications are believed to be fraudulent and that subscription/application fraud dominates telco fraud cases. Once a sleeper slips through, detection gets harder because the identity has “aged” and looks trustworthy. What the numbers say (and don’t) The telecom industry’s fraud pain is well documented even if “sleeper accounts” aren’t broken out as a standalone line item. The CFCA estimates $38.95B in telecom fraud losses in 2023 (about 2.5% of global telecom revenue). Subscription/application and handset-related schemes are repeatedly cited among the top drivers, exactly the channels sleepers exploit when high-demand devices land. Bottom line: sleeper accounts deserve carrier attention, especially during iPhone launches and the seasonal spike in orders. How sleepers behave Age the account: Clear KYC/IDV, low-risk behavior, on-time micro-payments to build trust/limits. Change-then-spike : Recent contact or address changes, then a sudden upgrade/financing basket, add-a-line, or number port. Cross-linking tells : Shared delivery addresses, devices, IPs/subnets, or emails across “unrelated” accounts, hallmarks of organized crime rings. All patterns consistent with dormant/ATO and subscription-fraud lifecycles. myNetWatchman spots synthetic and compromised accounts before they can monetize How quickly can you spot a compromised or synthetic/fake account? At myNetWatchman, we identify "sleeper" accounts in real-time giving you the earliest possible heads-up to fraud. We're constantly sifting through attack traffic and monitoring criminal activity as it happens. This means you get the best detection and remediation for hijacked accounts, right when it matters most. Here's how we do it: Our Email Reputation service is a low cost and easy-to-use API companies use to determine if an email address really works, was created-for-fraud (its fake), or if criminals have compromised the email account and are actively using it. Stop Fraud Before it Starts : Check the validity of an email account, anytime. Companies use Email Reputation to enhance user experience and optimize costs to authenticate and verify users as part of KYC, security, and fraud prevention. At account opening At login with 2FA/MFA During password reset User verification before large transaction Not Just Customer Accounts : Since fraud can come at you from several directions, Email Reputation is applicable for all users with emails, customers, employees, vendors, partners, suppliers, consultants and contractors. We're always gathering data, from live sources to the darknet. Then, our own intelligence and analysis kick in, pulling out the most relevant details—raw data, comparisons, velocities, and key features. All this incredibly accurate and actionable data is deployed in real-time, ensuring a smooth and secure experience for you. Want to learn more? Check us out at myNetWatchman.com. Sources : CFCA global telecom fraud loss estimate (2023); TransUnion State of Omnichannel Fraud (new-account fraud rate); Experian on dormant/sleeper fraud; TransUnion on rising SIM-swap/port-out & Javelin ATO losses.

(Excerpts from the recently published Special Report, “ The Economics of Credential Stuffing Attacks and Account Takeover Fraud ” by myNetWatchman) Credential stuffing has endured because it’s ruthlessly economical. Attackers take username/password pairs harvested from one breach, or several combined, and automate login attempts across thousands of sites. Even when only a tiny fraction succeed, think 0.00018% to 0.025% , the sheer scale turns pennies into profits and headaches into real losses for businesses (see report pages 1 and 5 ). The problem persists because consumers, employees, and vendors reuse passwords and criminals can cheaply rent botnets, proxies, and tools that mimic human behavior. The math favors the adversary. As the report details, a large-scale campaign can cost around $300 for the total package of credential lists, residential proxies, 2FA-bypass kits, and automation software ( page 4 ). Break-even can happen at ~0.006% success if each compromised account yields just $50 and many accounts are worth far more. At volume, the numbers get staggering: one streaming service saw 773 million credential tests/attacks in a year, producing nearly 2 million successful logins at a 0.0025% hit rate; even a “low” success rate becomes material at internet scale ( page 5 ). For organizations, the economics cut the other way. There are direct fraud losses , investigation and remediation costs, and reputational harm. The report cites $13B lost to ATO fraud in 2023 and an average of $4.81M per credential-stuffing attack (pages 4–5 ). Operationally, bots can clog login flows, ~16.5% of login-page traffic is linked to stuffing, driving latency, downtime, and support load ( page 5 ). Compliance risk compounds the pain: PCI DSS, GDPR, and CCPA enforcement can stack on fines and legal exposure ( page 7 ). The threat is evolving, too. AI-powered bots and headless browser automation help attackers solve CAPTCHAs, navigate complex flows, and adapt to defenses ( page 6 ). That means static controls won’t keep up. What does work is shifting the economics back in your favor. The report recommends a multi-layered defense : credential screening to spot exposed or actively abused credentials, MFA, aggressive rate limiting, device fingerprinting, behavioral biometrics, cooling-off periods for high-risk actions, and zero-trust checks for sensitive steps ( pages 8–9 ). Real-world outcomes are compelling. One international ISP drove ATOs down from 3,000/day to 4/day , and the sidebar on page 9 also highlights a 91% detection rate of compromised credentials observed in a multi-channel retailer slashing ATO successes from 532,000 to under 49,000 after implementing myNetWatchman’s AllCreds screening. If losses from credential stuffing feel inevitable, this report shows it isn’t. You can upend the attacker ROI with layered controls and proactive credential screening at account creation, reset, and login. Want to view the full report? Download here for all the details.

Credential stuffing is a serious cyberattack because it’s cheap, easy to scale, and takes advantage of the common problem of people reusing passwords. Even though only a tiny fraction of these attacks succeed (0.00018% to 0.25%), the sheer number of attempts means big profits for criminals and big costs for organizations. The financial gains for attackers, combined with how these attacks work, highlight the urgent need for strong defenses. Our latest report, "The Economics of Credential Stuffing Attacks and Account Takeover Fraud," breaks down why these attacks are so effective and what they cost both criminals and organizations. Inside, you'll learn about: The Low-Risk, High-Reward Business Model : A large-scale attack can cost as little as $300, while a single successful login can lead to hundreds or even thousands of dollars in fraud. The Alarming Cost to Businesses : From direct financial losses and operational expenses to severe reputational damage, the costs for organizations can be millions of dollars per breach. AI's Growing Role : Discover how AI-powered bots and generative AI are making these attacks more sophisticated and harder to detect. Essential Defensive Strategies : We outline the multi-layered approach organizations must take to protect themselves, including implementing Multi-Factor Authentication (MFA), behavioral biometrics, and our own AllCreds Compromised Credential Screening solution. Don't wait until your organization becomes the next victim. Download our report today to get a clear understanding of the threat and how to protect your customers and your business.

Bridging the Divide Between Breach Data and Actionable Intelligence It has been a year since the massive AT&T data breach shook the digital landscape, an incident affecting 73 million current and former customers stretching back to 2019. While the $177 million settlement and the offer of complimentary credit monitoring may signal closure for AT&T, for the individuals affected and every other business online, this event could be only the beginning. Once customer data enters the dark web, its impact reverberates for years. This data is bought, sold, and repurposed time and again in countless fraud schemes. Breach data is a point in time, static indicator of what a user’s credentials were on a site. As time passes it becomes less and less accurate as users could have closed their account or changed their password. This leads to lots of false positives when relied on to detect compromised accounts. In fact, industry estimates suggest that business losses from false positives reach an astonishing $300–$400 billion each year. While breach data informs risk assessment systems during credential verification, it cannot stand alone as the ultimate arbiter of trustworthiness. It requires supplementary evidence to provide a holistic determination. Informative, yes, but rarely actionable by itself. By contrast, integrating live data, information that demonstrates not only past compromise but that a fraudster is actively and or successfully using the credentials, transforms risk assessment, essentially bridging the gap from suggestive to actionable. Live data is rooted in real evidence, tracking accounts actively exploited by bad actors, and remarkably, it delivers zero false positives in relation to “we know the bad actor is using your data”. The difference may seem nuanced, but this gap can make a big difference in how businesses respond to perceived risk. With over 12,000 data breaches reported last year alone, nearly everyone has faced exposure over the past decade, often more than once. If every breached account were classified by businesses as high risk, the result would be universal step-up authentication, an expensive, tedious, and frequently insulting process for customers. A smarter approach combines breach data with live actionable intelligence, painting a clearer, more precise picture of the risk tied to each account, be it customer, employee, or vendor. This enables organizations to make judicious decisions about who merits additional verification or deserves to be declined outright. That’s why at myNetWatchman, we built our credential screening service to collect and combine breach data with actionable live data from multiple sources. Prioritizing the use of live data can help bridge the gap between mere information and genuine security. How Can myNetWatchman Help? For more than a decade, myNetWatchman has been at the forefront of live data tracking, empowering organizations to anticipate and mitigate bad actor activity. With a dataset exceeding 38 billion credential pairs, growing by 15 million new entries daily, and available within seconds of detection, myNetWatchman offers unparalleled clarity into the risks associated with every user account.