
#29: Record-Breaking Fraud Losses, Massive Ad Fraud Networks, and Tap-to-Pay Defenses
Fraud is scaling across every channel, from fake ads to payment terminals. Losses are hitting record highs, attackers are getting more creative, and new defenses are starting to emerge.
Let’s get into it.
NATE'S TAKE - APRIL 29, 2025
Top Three This Week
- Americans Lost a Record $16.6 Billion to Scams in 2024
- Scallywag Ad Fraud Scheme Used WordPress Plugins to Push Billions of Fake Ad Requests
- Tap-to-Authenticate Metal Cards Could Redefine Fraud Prevention
1. Americans Lost a Record $16.6 Billion to Scams in 2024

The FBI’s latest Internet Crime Report shows that scammers stole $16.6 billion from Americans in 2024, marking a 33% increase from the previous year.
Key findings:
- Investment scams were the top driver of losses, accounting for over $6.5 billion.
- Business Email Compromise (BEC) scams caused more than $2.7 billion in losses.
- Tech support scams led to more than $1.4 billion in losses, a major jump from previous years.
- People over 60 filed the most complaints and lost the most money—$4.8 billion, up 43% from 2023. The average loss for seniors was $83,000, more than four times the overall average loss.
- Cryptocurrency was the most common payment method used in scams, followed by wire transfers and credit or debit cards.
- 83% of total losses involved the use of the internet or digital technology.
This aligns with what we have covered previously: fraudsters are focusing on high-value targets and leveraging newer technologies like crypto and digital impersonation to move faster and steal more.
For fraud teams: investment scams and digital impersonation are scaling aggressively, and high-dollar victims are being specifically targeted. Early detection and protection have never been more critical.
2. Scallywag Ad Fraud Scheme Used WordPress Plugins to Push Billions of Fake Ad Requests

Figure: Piracy site (left) linking to Scallywag site (right). Source: HUMAN
A large-scale ad fraud operation known as Scallywag exploited piracy and URL shortening sites to generate up to 1.4 billion fraudulent ad requests per day at its peak.
The network operated across 407 domains and was built around four WordPress plugins—Soralink, Yu Idea, WPSafeLink, and Droplink—that allowed cybercriminals to monetize low-quality sites that legitimate advertisers avoid. Some threat actors even posted YouTube tutorials explaining how to set up their own ad fraud operations using these tools.
Visitors seeking pirated content were redirected through intermediary, ad-heavy websites designed to inflate ad impressions. The scam sites used forced wait times, CAPTCHA prompts, and cloaking tactics to mask fraudulent activity from ad platforms.
Through detection of suspicious traffic patterns, including abnormally high ad volumes from seemingly benign blogs, the operation was flagged and disrupted. After countermeasures were implemented, Scallywag’s fraudulent traffic dropped by 95%, with many affiliates abandoning the method.
Fraudsters are increasingly adopting fraud-as-a-service models, making sophisticated ad fraud accessible to a wider pool of actors. Scallywag shows how quickly these operations can scale—and why behavioral monitoring beyond surface-level metrics is critical.
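One way a fraud team might look past surface-level metrics for the pattern described above, as an added example that is not from HUMAN or the original newsletter: it flags domains where most sessions arrive by redirect and those sessions generate far more ad requests than a typical direct visit. The record layout, thresholds, and sample sessions are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (domain, arrival, ad_requests_in_session).
# Assumed labels: "redirect" = session arrived via a shortener/piracy link,
# "direct" = no such referrer (what a reviewer or ad platform would see).
SAMPLE_SESSIONS = [
    ("cookingnotes.example", "direct", 3), ("cookingnotes.example", "direct", 4),
    ("cookingnotes.example", "redirect", 4), ("cookingnotes.example", "direct", 2),
    ("cookingnotes.example", "redirect", 3),
    ("travelblog.example", "direct", 3), ("travelblog.example", "redirect", 41),
    ("travelblog.example", "redirect", 38), ("travelblog.example", "redirect", 45),
    ("travelblog.example", "redirect", 40), ("travelblog.example", "redirect", 39),
    ("technews.example", "direct", 6), ("technews.example", "direct", 5),
    ("technews.example", "redirect", 7), ("technews.example", "direct", 6),
]

def score_domains(sessions):
    """Return {domain: (session_count, redirect_share, redirect_median, baseline)}."""
    by_domain = defaultdict(lambda: {"direct": [], "redirect": []})
    for domain, arrival, ads in sessions:
        by_domain[domain][arrival].append(ads)
    # Baseline: median ad requests per direct session across all domains.
    all_direct = [a for d in by_domain.values() for a in d["direct"]]
    baseline = median(all_direct) if all_direct else 0
    scores = {}
    for domain, d in by_domain.items():
        total = len(d["direct"]) + len(d["redirect"])
        red_med = median(d["redirect"]) if d["redirect"] else 0
        scores[domain] = (total, len(d["redirect"]) / total, red_med, baseline)
    return scores

def flag_domains(sessions, min_share=0.7, ratio=5.0, min_sessions=4):
    """Flag domains that look benign on direct visits but are ad-heavy for
    redirected traffic: mostly redirect arrivals AND redirect sessions whose
    median ad volume is at least `ratio` times the direct-visit baseline."""
    flagged = []
    for domain, (n, share, red_med, baseline) in score_domains(sessions).items():
        if n < min_sessions or baseline <= 0:
            continue  # too little data to judge
        if share >= min_share and red_med >= ratio * baseline:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_domains(SAMPLE_SESSIONS))
```

Requiring both conditions keeps an ordinary blog that receives an occasional heavy redirected session from being flagged on volume alone.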
3. Tap-to-Authenticate Metal Cards Could Redefine Fraud Prevention

Despite widespread use of multifactor authentication (MFA), 41% of fraud cases still involve stolen or falsified credentials, according to a new PYMNTS Intelligence report. Traditional MFA methods like SMS codes and email verifications are proving vulnerable to attacks such as SIM swapping and interception—while also frustrating users with long authentication times and password fatigue.
To address this, banks and FinTechs are turning to tap-to-authenticate metal cards. These cards combine physical security with embedded digital authentication, allowing users to verify their identity or approve transactions with a simple tap.
Tokens have been a part of online banking outside the US for years, but never caught on with merchants or US banks due to the friction they add. Proponents of these metal cards hope that the wallet-ready card form factor will create better adoption than the clunky token generators of the past.
Key findings:
- 65% of consumers struggle to remember passwords, leading to risky behaviors.
- 77% of financial institutions are exploring tap-to-authenticate solutions.
- Top benefits cited include frictionless authentication, premium appeal, and perceived security.
Smarter hardware is becoming a key part of modern fraud defenses. Tap-to-authenticate cards offer a path to stronger security without adding friction—a shift that may define the future of digital banking.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.