Email Compromise

Your MFA Is Only As Strong As Your Weakest Inbox

Multi-factor authentication was supposed to be the answer to the password problem. But when the second factor routes through the same compromised email address, you haven’t added security, you’ve just added steps.

Every security team in America will tell you the same thing: enable MFA. It’s become the first commandment of enterprise cyber hygiene, the baseline recommendation in every compliance framework, the checkbox that signals an organization takes security seriously. The problem is that most MFA implementations are built on a foundation that attackers cracked open years ago: the email inbox.

Your Email Address Is Not Your Identity. You Just Think It Is.

Every morning, hundreds of millions of people prove who they are to their bank, their employer, their insurance company, their investment platform. They do it with the same mechanism they’ve used for decades: an email address and a password. The system sends a link. The link arrives. The system says: identity confirmed. Access granted.

It sounds reasonable. It is, in fact, one of the most expensive security mistakes the digital economy has ever made, and it is still being made, at scale, right now.

New Special Report: The Lying Gatekeeper

Despite not being designed for identity verification, email’s convenience made it a common business identifier. Criminals target this pervasive use as a primary entry point for their activities. Read the newly published report, The Lying Gatekeeper, to explore these topics:

A Convenient Lie — How email, a messaging protocol built in 1971, became the de facto identity layer for the digital economy, and why that decision was never as safe as it seemed.

The Digital Identity Paradox: Why Email Verification is the New Security Frontier

In the modern digital economy, the email address has transcended its original purpose as a communication tool. It has become the near-universal unique identifier — the primary digital ID for billions of users. From financial services to SaaS products, the email address is the default gatekeeper for account creation, password resets, and high-value transactions.

However, this reliance has created a dangerous security paradox: while email is treated as a permanent, trusted anchor of identity, it was never designed to be one. To secure the digital ecosystem, companies must shift from assumed trust to continuous risk assessment.

The Klarna Wake-Up Call: Why Ignoring Email Authentication Is a Disaster Waiting to Happen

Klarna is just now learning what many in fraud prevention have known for years: synthetic identity fraud doesn’t start with stolen credit cards — it starts with unvetted digital identities.

For years, email addresses have been treated as little more than a communication channel — a box to check during account creation. That assumption is now proving to be dangerously outdated. Email is often the first persistent identifier tied to consumer, vendor, and partner accounts. When email addresses are not properly authenticated at account opening, they become the perfect entry point for synthetic identities:

MFA Isn't a Fortress: Why Compromised Emails Undermine Account Security

If you’ve worked in fraud prevention or cybersecurity, you’ve probably heard it a thousand times: “Just turn on multi-factor authentication (MFA). It’ll stop the hackers.”

And sure, MFA helps — a lot. But here’s the reality no one likes to admit: the most common doorway attackers use to bypass MFA is a compromised email account. The inbox — that familiar, everyday tool we all rely on — is often the weakest link in account security. It’s the digital key to password resets, login approvals, and account verifications. When that key is stolen or spoofed, even the strongest MFA setup can crumble.

From Trusted to Threat: The Hidden Risks of Verified Accounts

Business leaders and fraud managers invest significant resources in verifying and authenticating new customers. You implement rigorous fraud checks, confirm identities, and follow best practices to ensure each account is secure at the point of creation. At that moment, you can be confident the account is trustworthy.

Here’s the hard truth: even if you’ve verified a customer at signup, their account can still be at risk the next day — all because of their email address.

The Rising Threat of Business Email Compromise

Cybercrime is evolving faster than ever, and Business Email Compromise (BEC) stands out as one of the most insidious threats. Unlike flashy malware attacks, BEC is a subtle, social engineering scam where fraudsters impersonate trusted figures — like CEOs, vendors, or partners — to trick employees into wiring funds, sharing data, or authorizing bogus transactions. The result? Massive financial losses, data breaches, and shattered reputations.

According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams racked up a staggering $2.9 billion in losses in 2023 alone, with an average hit of $137,000 per incident. Fast-forward to 2024, and BEC accounted for 73% of all reported cyber incidents, with losses soaring past $55 billion over the decade. What’s more alarming? A 13% spike in attacks in early 2025, fueled by AI-generated emails — now 40% of BEC phishing attempts — making them eerily polished and undetectable.

The Achilles' Heel of Online Security: Why Passwords Leave Companies Vulnerable

In our digital-first world, passwords — combined with an email address or User ID — are the primary gatekeepers to vast amounts of sensitive data. However, for nearly every online company, this reliance on passwords as a verification and identity method presents a critical weakness, leaving them vulnerable to credential stuffing, account takeover, and ransomware attacks.

Pervasive Problems: Weak, Reused, and Leaked Passwords

A Cybernews study on billions of leaked passwords revealed that a staggering 94% are either reused or duplicated across multiple services. Many users opt for “lazy” patterns like “123456” or simple combinations of lowercase letters and digits, making them trivial targets for brute-force and dictionary attacks. Despite decades of cybersecurity education, there has been little to no progress in user behavior.

Email: More Dangerous than Ever

Most businesses and people assume email is secure. It is not. Every year millions of compromised email accounts are used by fraudsters. Email compromise leads to account takeovers, stolen travel and loyalty rewards, ransomware, and data theft — and it’s accelerating.

The 2025 Cyber Claims Report

The 2025 Cyber Claims Report from Coalition highlights that business email compromise (BEC) and funds transfer fraud (FTF) have become the most frequent sources of cyber insurance claims.

From Boasting to Breach: The Escalating Risk of Your Online Life

Imagine Johnny, an AI expert, famous for his globetrotting talks, boasting about racking up over a million Delta miles. Unbeknownst to him, in his audience sits Billy, a tech guru with a less-than-ethical focus — stealing travel loyalty points to sell discounted travel.

Billy spots Johnny as a potentially “ripe target.” His initial challenge is accessing Johnny’s Delta account without knowing his email or password. At this stage, the odds of success are astronomically low — estimated at 1 in 100 billion. But Billy collects vast amounts of breach data, and his odds improve dramatically with each additional piece of information he obtains.

From Inbox to Outbreak: The BEC and FTF Epidemic

According to Coalition’s 2025 Cyber Claims Report, Business Email Compromise (BEC) attacks and Fund Transfer Fraud (FTF) accounted for a staggering 60% of all cyber insurance claims in 2024. The financial impact is significant: BEC incidents cost organizations on average $35,000. Furthermore, 29% of BEC attacks led to FTF incidents, with an even higher average loss of $106,000.

A Near-Miss That Says It All

Consider the story of a banker at a large regional bank. A customer — a landscaper — came in to finalize the purchase of a large truck, with a $50,000 wire transfer to the dealership.

Stolen Miles, Shattered Dreams: How Account Takeover Wreaks Havoc

Imagine this: You have elite frequent flyer status. You’ve spent years building up your miles, dreaming of that perfect vacation with your family. Then one day, your digital world crumbles. You can’t access your account. Your miles vanish. Your dream vacation turns into a nightmare.

This is exactly what happened to Steve.

For years, he’d been the airline’s dream client — clocking in countless hours and millions of miles. One day, Steve simply couldn’t access his frequent flyer account. He tried different passwords, different devices. Nothing. The customer service team could see his account, his miles, his upcoming trips — but couldn’t grant him access.
