#49: HBO cracks down on password sharing, PayPal Links payments to crypto, $17K loss in United Airlines scam
This week’s stories show how trust is being redefined and exploited. Streaming platforms are tightening their grip on access, fintechs are pushing deeper into crypto and P2P, and scammers are embedding themselves inside real systems, blurring the line between legitimate and criminal.
Let’s get into it.
NATE'S TAKE - SEPTEMBER 16, 2025
Top Three This Week
- Password Sharing Gets a Price Tag
- PayPal Links Peer-to-Peer Payments to Crypto
- Telecom signals are becoming fraud’s next frontline
1. Password Sharing Gets a Price Tag
HBO is the latest streaming platform to follow Netflix’s lead in cracking down on password sharing. Alongside a planned price hike, HBO will begin enforcing stricter controls by the end of the year to close loopholes that allow account sharing.
For fraud and trust teams, this shift matters. As streaming platforms tighten access, they're redefining what consumer abuse looks like, turning informal sharing into policy violations with consequences. That evolution mirrors what fraud teams face when distinguishing between legitimate behavior and abuse, whether it's account cycling, multi-user logins, or identity spoofing. These changes point to a future where access control becomes a frontline issue for revenue protection, not just security.
Watch how media companies enforce these new rules. Behavioral signals, geolocation, and device patterns may become the default tools for drawing the line between household use and fraud. That kind of enforcement logic, if accepted by consumers, could reshape expectations for identity and access across industries.
2. PayPal Links Peer-to-Peer Payments to Crypto
PayPal just introduced a new feature called PayPal Links, allowing users to send or request money through personalized, one-time-use URLs. Recipients don’t even need a PayPal account to start.
But the bigger move is what’s coming next: crypto integration. Soon, users will be able to send Bitcoin, Ethereum, and PayPal’s PYUSD stablecoin through the same links. That shift, along with interoperability with external wallets like MetaMask, signals a future where fiat and crypto blur behind the scenes of a seamless user experience.
For fraud teams, this raises two flags. First, links are now the money. And second, volatility and anonymity are entering the P2P chat. While PayPal is investing heavily in AI-driven scam detection and real-time alerts, attackers are already skilled at link manipulation and impersonation, especially when urgency or money is involved. If a personalized payment link becomes as powerful as an account number, its misuse could be catastrophic.
As P2P continues to evolve, fraud fighters should treat link-based transfers the same way they treat credentials: as sensitive, high-risk, and in constant need of visibility and control.
3. United Passenger Loses $17K After Being Transferred to a Scammer Mid-Call
In a striking case of business impersonation fraud, a United Airlines passenger says he lost $17,000 after a legitimate United agent unknowingly transferred him to a scammer. Dan Smoker had called United’s official number to rebook a canceled flight. After being placed on hold, he was connected to a man named “David,” who offered to rebook the trip if Smoker paid up front, promising a refund that never came.
What made the scam so convincing is that David called United separately, coordinated with a real agent to complete the booking, and passed off a fake payment link as legitimate. United initially claimed Smoker may have called the wrong number – until records showed over three hours of contact, and an internal investigation revealed the agent had Googled a partner airline’s number instead of using an internal tool.
For fraud teams, this case is a sharp reminder: even when customers dial the right number, they’re not necessarily safe. Fake handoffs, spoofed payment links, and real bookings can blur the line between trust and threat. Stronger call protocols, internal lookup enforcement, and clearer link validation tips for customers could help prevent similar breaches. When your own systems pass a customer to a scammer, that’s not just a fraud issue, it’s a failure of internal controls.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Ready to get started with Spec?
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.
Frequently Asked Questions
“With Spec, we can mitigate fraudulent activity, protect our revenue, and create a better user experience so that Indiegogo can remain a trusted crowdsourcing platform.”
Payments Manager
