
#41: ChatGPT agent takes action, GENIUS Act for crypto passes, payments experts see growing fraud gap
This week, OpenAI’s ChatGPT Agent made headlines for its ability to take real actions online. But with great automation comes great attack surface. We’re breaking down what that shift means for fraud fighters, alongside two major updates in the payments space: a new U.S. crypto law and global trends in payments fraud prevention.
Let’s get into it.
NATE'S TAKE - JULY 22, 2025
Top Three This Week
- ChatGPT’s new Agent can take action
- The U.S. finally passed a crypto law. What it does and what it doesn’t.
- Global payments leaders agree: the fraud gap is growing
1. ChatGPT’s new Agent can take action

OpenAI just announced the launch of its agent, an upgrade to ChatGPT that allows it to actually do things on your behalf: book flights, edit spreadsheets, click buttons, and navigate across websites in your browser. It's being tested with select partners now and will roll out more broadly soon.
That’s powerful and risky. Any time a bot can initiate real-world actions, new attack vectors open up:
- What happens when agents are tricked into interacting with scam websites or malicious apps?
- Can fraudsters use these tools for identity spoofing or scaled social engineering?
- How do you distinguish between a “real” user and a delegated one in behavioral data?
The big picture: most online transactions are already non-human, driven by bots, scripts, integrations, or automated systems. Agent-based tools will accelerate that trend. From a fraud perspective, this means:
- Behavioral signals tied to “typical” user journeys will shift fast.
- Fraud patterns will blend legitimate automation with abuse.
- Identifying intent—not just activity—will be more critical than ever.
As we covered in FIF31 and FIF34, attackers are quick to turn new tools into new scams. Agent-driven sessions are coming, and fraud teams will need new ways to detect misuse before it hits customer flows.
2. The U.S. finally passed a crypto law. What it does and what it doesn’t.

The GENIUS Act (yes, that’s real) just became the first major U.S. crypto regulation, and it’s all about stablecoins. The law sets standards for issuers, requires one-to-one dollar backing, and bans algorithmic stablecoins. It also gives state regulators more authority to greenlight new players.
Why it matters for fraud:
- This clears the path for mainstream stablecoin payments and we’ve already seen action. Coinbase launched its crypto checkout product (covered in FIF37) the same day the bill passed.
- As stablecoins get more embedded in e-commerce, consumer protections disappear. These transactions skip the card networks—no chargeback rights, no dispute infrastructure.
- Expect new fraud patterns to emerge, especially at the intersections of Web2 and Web3 where stablecoins are accepted by traditional merchants.
If you’re on a trust and safety team and your leadership is asking about stablecoin checkout, it's time to start thinking about how these payments will be treated in your fraud workflows, and whether you’ll have the visibility (or tooling) to intervene when something looks off.
3. Global payments leaders agree: the fraud gap is growing

At ACI Worldwide's Payments Intelligence Roadshow, banks, processors, and payment providers gathered to discuss fraud trends, and a consistent theme emerged: real-time payments are outpacing real-time fraud controls.
Among the challenges: in high-speed environments, reviewing transactions isn’t scalable. Decisions need to happen instantly. Scammers are also adapting faster than many teams can retrain models or update rules, which leaves those teams too reactive, relying on lagging indicators instead of leading behavioral signals.
Defenses that were good enough a year ago aren’t holding up today. If you're still calibrating decisions on old data or slow feedback loops, you're likely behind the next wave.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.