Fraud is evolving rapidly thanks to generative AI

Fraudsters now have access to technologies that were once the preserve of experts. It takes just a few clicks to generate:

• doctored images of products “supposedly” broken,
• forged supporting documents,
• and well-crafted synthetic identities

As TF1 explains, private sellers are now facing disputes based on AI-manipulated photos, with automated systems sometimes turning against the honest victim themselves.

One user interviewed recounted losing €180 due to an AI-generated image showing a supposedly broken vinyl record — an item that, by its very nature, does not break in that way. The platform’s automated system, however, ruled in favour of the fraudster, illustrating the vulnerability of traditional checks.

This phenomenon is part of a global trend: fraud involving doctored images is skyrocketing, with a 15% increase in falsified images in claims since the start of 2025.

Three major trends observed by Oneytrust

At Oneytrust, our experts have identified three major shifts:

1. More sophisticated fraud

Generative AI can produce highly realistic images, some of which are impossible to distinguish with the naked eye. Synthetic identities or invoices recreated pixel by pixel can fool traditional verification systems.

2. The industrialisation of attempts

What was once manual work is now automated. Fraudsters are now launching vast, coordinated campaigns, drastically increasing the volume of attempts detected on e-commerce sites.
This industrialisation is confirmed by the TF1 report, which warns of waves of scams potentially affecting millions of people.

3. New weak signals

Traditional methods are no longer sufficient. When evidence is generated by AI, behaviour, metadata and contextual inconsistencies become the new areas of analysis.

 AI: an essential tool for countering these new attacks

With fraudsters now using AI, anti-fraud solutions must evolve. That is why Oneytrust has integrated advanced artificial intelligence models at the heart of its technologies.

In particular, our systems enable us to:

Detect behavioural and contextual inconsistencies

Frequency of returns, unusual histories, multiple addresses or devices: the patterns speak for themselves.
Our solution cross-references these signals to identify abuse well before it becomes visibly repetitive.

Adapt in real time

Fraud methods change every week. Our models continuously recalibrate to keep pace with these changes and block emerging attacks.

Identify organised networks

By analysing data structure and correlating identity details, devices and network history, Oneytrust exposes organised criminal groups operating under different identities or accounts.

Tailor detection to your returns processes

Oneytrust adapts precisely to each retailer’s returns policies and internal workflows, incorporating their rules, thresholds and operational specifics.

The real challenge: maintaining trust

In this context, the issue is no longer simply about blocking fraud.
It is about protecting the relationship of trust between retailers and their customers.

Excessive suspicion can damage the shopping experience. Being too permissive can encourage abuse and undermine business models. The balance is therefore delicate — and AI plays a crucial role in accurately distinguishing between:

• honest shoppers,
• opportunistic fraudsters,
• and organised criminal networks.

Oneytrust is committed to maintaining this balance by combining cutting-edge technology with human expertise.

Fraud and AI: a huge challenge… but far from insurmountable

Artificial intelligence has profoundly transformed the landscape of reimbursement fraud. Whilst it provides fraudsters with new tools, it further enhances companies’ ability to detect and stop them.

With ongoing investment, increasingly sophisticated models and greater collaboration across the entire ecosystem, this battle is not only possible, but winnable.

Trust is one of the cornerstones of online commerce. Together, let’s continue to protect it.

The post Refund fraud: when AI becomes a tool for fraudsters… appeared first on Oneytrust.

1. The new broad definition of an ‘AI system’

The text defines an AI system very broadly as a ‘machine-based system, operating with varying degrees of autonomy, capable of adapting after deployment and which, for explicit or implicit purposes, deduces from data how to generate results (predictions, content, recommendations, decisions) that influence physical or virtual environments’.

This broad technological scope is complex to implement operationally, but the market agrees that it encompasses sophisticated approaches such as machine learning (ML), hybrid expert rule + machine learning approaches, and advanced optimisation.

With the proliferation of AI use by fraudsters, trusted anti-fraud companies such as Oneytrust will need to further develop their range of AI solutions to power their scoring, behavioural alerting and anomaly analysis engines in order to keep up with the times and identify increasingly sophisticated fraud patterns.

2. Risks: where does fraud detection fit in?

The AI Act classifies certain uses as ‘high risk’ (critical biometrics, employment, education, access to essential services such as credit scoring, health insurance pricing, etc.). These systems are authorised but must be accompanied by a very sophisticated risk management system and an assessment of their compliance before being placed on the market.

One notable exception is that AI used to detect financial fraud is not automatically considered ‘high risk’. This reduces the direct regulatory burden, but does not remove the expectations of transparency, data quality and human oversight that regulated institutions contractually pass on to their subsidiaries and suppliers (such as Oneytrust).

3. What are the key dates to remember?

The main requirements of the AI Act will come into force in stages. Here are the key dates to remember:

• 2 February 2025: entry into force of the ‘unacceptable risk’ prohibitions + AI literacy requirement (awareness/training for staff involved in AI).
• 2 August 2025: obligations for general-purpose AI models (GPAI) begin to apply (generative AI).
• 2 February 2026: European deadline for certain implementing acts (post-market surveillance plans).
• 2 August 2026: obligations for high-risk AI systems.
• August 2027: general application of all provisions of the regulation.

4. Why prepare even if you are not ‘high risk’?

Fraudsters are becoming industrialised with AI. Deepfakes, fake documents, automated attack scripts, automated use of synthetic identities: fraud is scaling up. Those involved in the fight against fraud must adapt quickly to these new trends.

Although fraud prevention is not explicitly considered high risk, it is essential to ensure that solutions respect the fundamental rights and privacy of customers and end users, whether in accordance with the GDPR or the AI Act. In addition, the expectations of regulated partners (mainly in the banking sector) are increasingly high, as they are subject to sector-specific requirements that demand traceability, good documentation and heightened vigilance regarding the quality of the data used to satisfy their supervisors.

5. The Oneytrust response

Oneytrust provides identity verification and fraud detection solutions for e-merchants, fintechs and banks, relying on AI solutions coupled with our 25 years of human expertise in fraud prevention to detect synthetic identities, transactional anomalies and risk signals in real time. We are members of the BPCE Group, which drives us to high standards of compliance and model governance.¹

As with the GDPR, we did not wait to cultivate our expertise on the AI Act and have been raising awareness and training our staff on these new compliance issues for several years. Contact us if you would like to learn more about Oneytrust’s vision for AI compliance and risk management!

The post AI Act and Fraud Prevention : why the market must prepare appeared first on Oneytrust.

That something is weak signals.

What is a weak signal in digital identity?

A weak signal, as its name suggests, is not a red alert. It is a detail. A micro-anomaly. An almost invisible (or rather ignored) inconsistency taken in isolation, but which takes on its full meaning when correlated with other elements.

For example:

• a known device… but whose technical fingerprint has changed slightly;
• a connection from a usual city… at a completely atypical time;
• correct keystrokes… but with an unusual rhythm;
• a smooth user journey… but traveled at a speed too fast to be human.

None of these elements alone is sufficient to justify blocking an event. But together, they tell a different story from what the declarative data would suggest.

Why strong signals are no longer enough

Historically, security relied on binary elements: correct password, validated SMS code, recognized device.

The problem? These proofs can be stolen, intercepted, or simulated.

Malware, phishing, massive data leaks, and automation tools have turned credentials into mere raw material for fraudsters. Even strong authentication is no longer foolproof against real-time proxy attacks or remote takeover.

The result: a user can tick all the boxes for legitimacy while still being a fraudster. This is precisely where weak signals become decisive.

Weak signals reveal behavior, not a declared identity

A declared identity can be falsified. Behavior is much more difficult to fake.

Weak signals allow us to answer not the question “Is this information correct?” but “Does this behavior resemble that of a legitimate human being in this specific context?”

This leads us to a dynamic interpretation of digital identity, based on the consistency of habits, the continuity of interactions, and the logic of sequences of actions.

From isolated events to behavioral history

The true power of weak signals lies not in a snapshot, but in duration.

A strange connection may be insignificant. Two anomalies close together begin to raise questions. A series of micro-deviations paints a picture of fraud.

It is by connecting these dots that we move from one-off checks to continuous behavioral monitoring. Digital identity ceases to be a state and becomes an evolving probability.

The challenge: detecting without degrading the experience

Exploiting weak signals does not mean increasing friction.

The goal is to adapt the level of vigilance: request additional verification only when the risk increases, silently monitor suspicious behavior, and trigger enhanced controls on sensitive actions.

In other words: make security proportional to the actual risk.

When email addresses become a weak signal

Email addresses are often perceived as simple contact identifiers. However, they contain a wealth of information that is underestimated when analyzed from a semantic and behavioral perspective.

Let’s take two examples: marie.dupont@yahoo.fr and ma.rie_du.pont1567@gmail.com.

Both addresses are technically valid. Both can pass standard checks. But they don’t tell the same story.

Semantic analysis involves observing the structure, logic, and consistency of an email address in relation to the context declared by the user.

Discreet but telling clues may emerge: domain name, username composition, presence of promotional keywords, consistent or inconsistent series of numbers, unusual complexity, or recurrence of similar patterns observed in previous fraud cases.

Taken in isolation, none of these elements proves fraud. But they may indicate that an address was created quickly, en masse, or for purely transactional rather than relational purposes.

A real digital identity often leaves traces of continuity. Conversely, in many fraud scenarios, the email address is a disposable tool designed to pass a technical check, not to reflect a lasting identity.

Semantic analysis therefore allows us to answer a subtle question: does this address resemble a human point of contact or a functional artifact created for a specific scenario?

Once again, the value comes from correlation: unusually structured email, rapid account creation, device recently seen on other accounts, automated browsing. It is the aggregation of these weak signals that reveals a credible risk.

From raw data to contextual intelligence

Weak signals already exist in your systems: technical logs, browsing data, device metadata, action sequences.

The difference lies not in the quantity of data, but in the ability to correlate it in real time, contextualize it according to the journey, learn from past patterns, and detect subtle deviations.

Digital identity is no longer a file, it is a flow

For years, we treated identity as a file: static information to be verified once and for all.

Weak signals are forcing us to change our paradigm. Identity is becoming a continuous stream of behaviors, which are confirmed or degraded through interactions.

Conclusion

Major frauds rarely hide behind big anomalies. They are concealed in the details that we don’t look at.

Learning to read weak signals means accepting that the truth is no longer found in a single piece of evidence, but in the accumulation of micro-clues. In a world where identities can be fabricated, stolen, or rented, this subtle reading becomes one of the pillars of digital trust.

The post Weak signals: those little-noticed details that reveal the authenticity of a digital identity appeared first on Oneytrust.

Across Europe according the MRC online merchants are already losing roughly 2.8% of revenue to fraud, with fraud representing about 3% of all orders. Identity fraud and account takeover are surging, fuelled in part by AI that can generate convincing fake identities and social-engineering scripts at scale according to UK fraud agency CIFAS. Agentic AI simply supercharges that trend on both sides of the fence. 

For merchants and finance companies though – there is a dilemma. Increasingly buyers and new customers will use AI to seek out and purchase goods and services,  

From now you’ve basically got two new “customer segments” turning up in your data: 

• Legitimate agentic AI – shopping assistants, payment agents and aggregators acting on behalf of real people. 
• Malicious agentic AI – computer-using agents hammering your sign-up flows, ID checks and checkouts at scale. 

The job for merchants and financial services providers is to work with their fraud detection companies to pick their way through this minefield. At Oneytrust we have been seeing this emerge over 2025 and like the rest of the world we anticipate a huge uptick in 2026.  

So, what you do not want to block; agentic AI is already being used as a consumer interface for payments and shopping: 

• A number of agentic AI options are emerging in Europe like Mastercard “Agent Pay”, Visa “Intelligent Commerce”, Amazon “Buy for Me” and Google “Shop with AI”, where agents initiate payments within parameters set by the consumer 

• Payments players describe “agentic commerce” as AI agents that hold conditional permissions to shop and pay on a user’s behalf, functionally similar to cards-on-file or recurring payments but with a conversational UX and more decision-making according to Visa.  

Regulators are behind the curve: PSD2 doesn’t mention AI, and even PSD3/PSR only references AI once for fraud prevention. But consumer agents are happening anyway. 

For a merchant, that means some “bot traffic” is now high-value, compliant traffic (AI doing what a loyal customer asked it to do). These agents will often come from data-centre IPs, headless browsers or shared devices, and will reuse stored credentials and payment instruments – i.e. very similar to the bots you’ve spent so much time trying to deter.  

If you block everything that looks like an agent, you’ll break this emerging channel and annoy the schemes, PSPs and big-tech partners driving it. 

How fraudsters are using agentic AI against merchants and banks 

Several trends are showing up in European and global reporting: 

Credential stuffing & ATO with Computer-Using Agents (CUAs). 

According to a report by Push Security,  OpenAI “Operator”-style CUAs shows they can log in to arbitrary web apps, read pages, click buttons and handle full flows like a human – but at bot scale. That lets attackers spray stolen credentials across thousands of sites and then perform in-app actions once they get in. 

AI-scaled phishing and social engineering feeding into payments. 

The European Payments Council’s 2025 threats report flags AI-generated phishing and deepfakes as a key enabler of APP fraud and impersonation scams, making language barriers vanish. 

Account opening and synthetic ID at industrial scale. 

Financial-crime specialists warn that agentic AI will be used to flood banks’ online onboarding with highly consistent, multi-step new account applications, reusing and recombining stolen or synthetic identity elements. 

Payment fraud “speedruns”. 

Arkose Labs talk about agents that skip normal browsing, go straight to high-value endpoints (card testing, gift cards, BNPL, high-ticket items), and adapt in real time if they hit friction. 

Your ID and fraud stack is going to see AI agents trying to open accounts and make purchases 24/7, some benign, some absolutely not. 

Why classic bot defences aren’t enough 

The nasty twist, well-summed up by one recent fraud blog, is that beneficial and malicious agentic AI are technically indistinguishable at first glance. Both: 

• Run in browsers or CUAs that move the mouse, scroll and click like humans. 
• Can introduce jitter into timings and keystrokes. 
• Can respect (or deliberately emulate) your UX flows. 

Old-school bot rules – “data-centre IP = block”, “too fast = bot”, “no mouse = bot” – are blunt instruments here and will kill legitimate payment agents along with attackers. You have to stop thinking “bot vs human” and start thinking in terms of intent and pattern at the identity, device and journey level 

How to tell good agents from bad ones 

For merchants and banks using an ID+fraud provider like Oneytrust, the detection strategy for this use case looks roughly like this. 

Treat “agent” as its own identity class 

First step is to explicitly model agent traffic: 

Tag sessions where the user agent, device behaviour or integration pattern clearly indicates an AI or automation layer. 

Maintain separate risk baselines for: 

Human sessions 

First-party agents (your own app’s automation) 

Trusted third-party agents (big-tech payments, official partners and the new AI purchase agents listed above) 

Unknown / suspicious agents 

Legitimate agents tend to be stable over time – same provider, similar IP ranges, same small set of identities, and predictable timing – the same as legitimate people. Malicious agents show sprawl across identities, merchants and institutions – mimicking their fraudster creators.  

Identity and data-level coherence 

This is where your digital-identity layer comes into its own, Oneytrust’s own positioning is crystal clear: as generative AI, deepfakes and synthetic ID fraud rise, static KYC checks are turning into security liabilities. D-Risk ID focuses on the contextual coherence of identity data (phone, email, device, address, etc.) and can cross-validate against a consortium of live, validated identities from major European retailers and banks. 

Against agentic AI 

Legitimate agents will mostly reuse known, well-behaved identities: long history, normal spend patterns, consistent device history, strong matches in consortia data. 

Malicious agents trying to mass-open accounts or test stolen identities will produce: 

• Many first-seen identities in a short window. 
• Weak or no matches to real identity graphs. 
• Synthetic patterns (odd name/email combos, phone/email geography mismatch, disposable infrastructure). 

Your scoring should treat “new identity + agent session” as high-risk by default, unless the identity is clearly rooted in your consortium / historical data. The truth is that legitimate agents actually resemble patterns and identities of legitimate users. Phew! 

Additionally, legitimate payment agents will often come from a small, stable fleet of devices with clear, contractual relationships. You can whitelist those patterns progressively once you’re confident they’re clean. 

On-site behaviour 

This is where malicious agentic AI really gives itself away. 

Tell-tale patterns for malicious agents  jump straight from entry to login/signup/payment without any browsing or hesitation; no content exploration, just form-filling. They can over-index on voucher/code entry, BNPL, gift cards, high-limit products – anything with a better payout per second. Again, they behave in very similar patterns to human fraudsters – just with greater velocity.  

By contrast, legitimate consumer agents do read product content, compare options and respect user preferences set upstream. They often return to the same merchants and categories repeatedly, with low dispute/chargeback rates over time. You can create a pattern that recognises and allows good behaviour and agents just as you do for good buyers.  

In short, your fraud stack should be able to distinguish “agent that behaves like a long-term customer proxy” versus “agent that behaves like a credential-stuffing script with a UI”. 

1. Don’t outlaw automation; classify it. 

Build explicit support for “trusted agent” traffic in your risk models instead of treating all non-human sessions as hostile. 

2. Tie everything back to a real identity. 

Lean hard on identity-graph and consortium data: if an agent is acting for identities you can’t anchor in the real world, raise the bar sharply. Talk to Oneytrust about our graph networks.  

3. Use adaptive friction, not blanket blocks. 

For “new identity + agent + high-risk product”, default to extra verification: stronger SCA, additional ID checks, or out-of-band confirmation. EU rules under PSD3/PSR are anyway pushing PSPs towards stronger screening and liability for impersonation fraud – merchants can ride that wave 

4. Align with EBA remote-onboarding guidance 

The EBA’s remote onboarding guidelines demand robust, risk-sensitive processes for online account opening, including impersonation and ID-forgery controls. That’s your mandate to deploy deeper behavioural and identity checks on agent-driven account creation without breaking legitimate customers. 

5. Instrument and rate-limit flows that agents love 

Sign-up, login, password reset, payment-instrument addition and high-risk product applications should have fine-grained rate limits and anomaly detection specifically tuned for I have tidied up the document by standardizing the titles and headers, removing all numbering, and cleaning up the content based on your instructions.

The post Agentic AI  – what you need to know in 2026  appeared first on Oneytrust.

Each return involves several parties: customer service, warehouse, carrier. Too often, these systems operate in silos, leading to delays, errors and a poor customer experience. A parcel dropped off at a collection point may remain invisible to customer service, generating calls, frustration and late refunds.

This is where Reversys comes in. Its collaborative SaaS platform puts an end to this fragmentation by orchestrating the entire return flow, from online declaration to refund. It centralises information for all parties, ensures consistency of operations and offers unprecedented agility. E-merchants can customise their policies: immediately refund a VIP customer as soon as the parcel is dropped off, or wait for verification for a high-value product. This orchestration transforms returns into a strategic lever, capable of boosting satisfaction and loyalty.

A rapidly growing phenomenon: return fraud

But behind the operational complexity lies an even greater danger: fraud. With payments becoming more secure, fraudsters have shifted their attacks to returns. This phenomenon, known as return abuse, takes various forms: returns of used or worn products under the pretext of a defect, requests for refunds for products received but declared as undelivered, or exploitation of free or extended return policies.

The figures are clear and show a worrying trend. In 2023, 13.7% of returns were deemed fraudulent, an increase of more than 10% in one year, according to Datadome. In 2024, 40% of retailers reported being victims of return abuse, according to the 2025 Global Fraud and Payments Report by Visa / Cybersource.

What is even more worrying is that the majority of companies are not prepared. In 2021, nine out of ten companies feared an increase in the risk of fraud and cybercrime, but six out of ten had not allocated a specific budget to deal with it (Fevad/Euler Hermes). In other words, the threat is known, but the means to counter it remain insufficient.

The answer: the Reversys x Oneytrust alliance

To meet this dual challenge – operational and security – Reversys and Oneytrust have joined forces. Together, they offer a unique solution that combines intelligent orchestration and predictive risk analysis.

Reversys streamlines and personalises reverse logistics, while Oneytrust, the European leader in e-commerce fraud prevention, brings its expertise in behavioural scoring and proactive detection. As soon as a return is declared, Oneytrust assesses the risk in real time. Reversys uses this information to adjust its strategy: immediate refunds for reliable customers, enhanced checks for high-risk profiles, and selection of the most secure or economical carrier depending on the context.

This approach drastically reduces fraud while guaranteeing a premium experience for honest customers. It gives e-merchants back control over their returns, transforming a process often perceived as a constraint into a lever for performance and profitability.

Did you know?

By integrating Oneytrust’s reliability with Reversys’ returns management, e-merchants can anticipate risks even before the parcel reaches the warehouse, thereby protecting their turnover and reputation.

Is your company prepared to tackle return fraud? Discover how Reversys and Oneytrust can transform your reverse logistics ! Discover the solutions offered by Reversys.

The post E-commerce returns: between operational challenges and the risk of fraud, how Reversys and Oneytrust are reinventing reverse logistics appeared first on Oneytrust.

• Easy to hijack: A stolen cookie can be enough to steal someone’s online identity.
• Rich in sensitive data: Usernames, sessions, preferences… all this information can be exploited for targeted attacks.
• Invisible to the user: Most internet users are unaware of the scope of the information stored, which facilitates fraud.

The impact on your brand

• Advertising fraud: Falsified cookies artificially inflate impressions and clicks, distorting your KPIs and increasing your costs.
• Session hijacking: Hackers can access customer accounts, generating fraudulent transactions.
• Reputational damage: A vulnerability exploited via cookies can damage your image and your GDPR compliance.

Examples of techniques used by fraudsters

• Session sniffing: Interception of cookies on unsecured websites.
• XSS injection: Malicious scripts to steal cookies.
• CSRF: Fraudulent actions performed without the user’s knowledge.
• Predictable credentials: Exploitation of weak algorithms to guess sessions.

How to protect your digital ecosystem?

• Proactive monitoring: Detecting anomalies in cookie-related behaviour.
• Advanced anti-fraud solutions: Identifying falsified or cloned cookies.
• Awareness and transparency: Informing your users and building trust.

Conclusion
Cookies are valuable tools for improving user experience and optimising marketing strategies. However, their exploitation by fraudsters poses a major risk: session theft, identity theft, advertising fraud, etc. These threats can impact customer confidence, distort your metrics and damage your image.

To remain competitive and protect your digital ecosystem, it is essential to take a proactive approach: secure your customer journeys, integrate anti-fraud solutions, and inform your users. Protecting cookies means protecting your business and your reputation.

Contact us to secure your customer journeys and build trust in your services.

The post Cookies: a marketing ally… but also a loophole for fraud appeared first on Oneytrust.

Unlike traditional identity theft, where the fraudster steals an entire real identity, a synthetic identity is a hybrid combination. It combines authentic data (in the United States, this is the social security number, while elsewhere it is usually the national identity document, date of birth and postal address) with invented information (usually contact details). This combination creates a seemingly coherent profile, especially when only the so-called authentic data is verified/analysed (as in a banking KYC process, for example).

As a result, traditional systems, which are often calibrated to validate an identity by digitising traditional practices (‘your papers, please’), miss the mark.

Why institutions are vulnerable ?
Fraudsters exploit the trust placed in partially accurate data. In the United States, with a valid official ID or minimal credit history, synthetic identities pass the initial verification stages. The fraudster can then ‘mature’ their identity: open a bank account, take out small loans, make regular payments… until they obtain a solid credit rating. This patience pays off: once credibility is established, the fraudster takes out a larger loan and then disappears. This is known as ‘bust-out fraud’.

The cost is considerable: across the Atlantic, synthetic identity fraud already accounts for several billion dollars in losses each year, according to estimates by major firms. In Europe, the figures are beginning to follow the same trend, particularly with the rise of 100% digital processes.

The limitations of traditional approaches
Traditional controls – document verification, historical scoring, ad hoc analysis of events or transactions – struggle to detect these hybrid profiles. Weak signals (email username, telephone number attributes, presence of ‘digital footprints’) can only be detected through rare expertise. Furthermore, current regulations focus almost exclusively on KYC compliance. However, control and fraud prevention are two distinct things. The former encompasses all the characteristics/steps that allow access to a service… but because all of this is exposed, it also makes it possible to understand and therefore circumvent the measures.

Towards a new approach to detection
Faced with this threat, companies must change their paradigm. The future lies in solutions capable of:

• Going beyond ‘declarative’ data by being able to add additional information.
• Cross-reference dynamic signals (browsing behaviour, machine fingerprint, location) with static identity attributes.
• Detect relational inconsistencies between different identities: shared telephone numbers, recycled addresses, accounts linked to the same device.
• Use artificial intelligence to analyse massive volumes of data/information in real time and identify patterns invisible to the human eye.

These approaches transform detection: moving from simple documentary/contextual validation to a holistic and behavioural view of the user.

A strategic challenge for digital players
Synthetic identities are not a marginal phenomenon: they directly threaten profitability, regulatory compliance and customer trust. For banks, e-merchants and insurers, investing in advanced prevention technologies is no longer an option: it is a condition for survival in the digital economy.

The post Synthetic identities: the invisible fraud that costs billions appeared first on Oneytrust.

Adopted in 2016 and effective since 25 May 2018, the GDPR has profoundly transformed the way companies collect, process and secure personal data.

Its objectives:

• Strengthen the rights of European citizens.
• To make companies more accountable in their use of data.
• To harmonise rules within the European Union.

For the anti-fraud sector, the impact is significant: the detection of anomalies and suspicious behaviour relies on the analysis of many types of personal data (identity, payment methods, transaction history, etc.). The GDPR therefore requires a balance between security, performance and respect for individual freedoms.

2. A legacy of innovation and security with our historic CNIL authorisation

Long before the GDPR came into force, Oneytrust had already adopted this approach to compliance.

In fact, we benefited from a historic agreement (FIA-NET in 2005 and Oney Tech in 2013) with the CNIL, authorising the pooling of our customers’ data, mainly in the e-commerce sector, subject to guarantees of privacy. Oneytrust has thus become the only French player to benefit from such extensive experience in data sharing, spanning more than 20 years.

This authorisation, developed in collaboration with the supervisory authority, has made it possible to:

• To significantly streamline the journey time for customers already known in our database,
• To identify anomalies and fraud trends more effectively by relying on velocity and using our fraud experts to make decisions,
• To protect both consumers and merchants,
• while ensuring a high level of personal data security.

This expertise was even cited by the CNIL in its 2021 White Paper, proof of the added value and pioneering nature of our approach.

3. A stronger internal GDPR culture

The implementation of the GDPR marked a new stage: beyond technical measures, we focused on fostering an internal culture of compliance.

At Oneytrust, every employee plays a role in data protection, thanks in particular to:

• mandatory annual training,
• regular awareness campaigns and monthly newsletters,
• the systematic involvement of our Data Protection Officer (DPO) and compliance team in our projects,
• the implementation of a data protection impact assessment on all our projects that have a structural impact on personal data,
• a continuous improvement process to adapt our practices to regulatory changes.

This collective effort means that compliance is not only perceived as a legal and regulatory issue by our teams, but more as a shared value in our daily work, by design, and acts as a differentiating factor for Oneytrust in a landscape of anti-fraud players, many of whom are based outside Europe.

4. Enhanced security thanks to our membership of a major banking group

Our membership of the BPCE group, France’s second-largest banking group, imposes particularly high standards in terms of security and compliance. Banking institutions are subject not only to horizontal regulations but also to numerous sector-specific regulations due to the critical nature of their activities.

This is reflected in particular by Oneytrust’s active participation in the Oney group’s DPO community, where we share best practices and regulatory monitoring, the implementation and execution of ongoing internal controls (quarterly, half-yearly, annual) that require the commitment of all our teams, and the integration of banking standards into our contractual processes (GDPR annexes, security clauses). All this is coupled with advanced technical measures: regular security tests, data flow security, etc.

Oneytrust’s commitments reinforce the robustness of our systems and the trust placed in us by our customers, placing compliance by design at the heart of our decision-making processes and projects.

5. Data protection: a key lever in the fight against fraud

Trust is the cornerstone of the fight against fraud. Consumers and businesses alike must be assured that their data is protected, even in the most sensitive contexts.

At Oneytrust, we consider compliance with the GDPR to be a strategic weapon. We see it as an opportunity: an opportunity to legitimise our role as a trusted intermediary, to ensure that the fight against fraud is conducted in a manner that respects individual freedoms and privacy, while also preparing for the future.

Indeed, with the proliferation of artificial intelligence applications, new challenges are emerging. In order to counter the increasingly widespread use of AI by fraudsters, it has become essential for those involved in the fight against fraud to increase their use of AI. This allows us to remain adaptable and effective in the face of these new fraud trends.

However, AI makes extensive use of data, particularly personal data, and requires continuous development of protection and compliance measures. This is why the CNIL (the French supervisory authority responsible for enforcing the GDPR) has already published several series of recommendations on the proper handling of personal data when using AI. These are new challenges that need to be fully taken into account by those involved in the fight against fraud!

In conclusion, for more than 25 years, Oneytrust has placed data protection at the heart of its anti-fraud measures. The GDPR should not be seen as a constraint, but rather as an opportunity to strengthen trust, protect our customers and guarantee ever more effective and responsible solutions.

In a context marked by the rise of artificial intelligence, this requirement has never been more essential. It guides our daily commitment: combining security, performance and respect for fundamental rights. Please do not hesitate to contact us if you have any questions about the security of our fraud prevention processes and solutions, including the protection of personal data!

The post GDPR and fraud prevention: a historic and strategic commitment for Oneytrust appeared first on Oneytrust.

It all starts with fake advertisements on a reputable marketplace, offering an educational game (story box) called MERLIN at a slightly discounted price compared to the competition. The buyer, enticed, places an order. But behind this transaction lies a well-oiled mechanism: the fraudster uses the customer’s details and a stolen bank card to purchase the product from a legitimate retailer – one of our partners specialising in childcare products.

The result: the customer receives their product, convinced they have got a good deal. But the retailer faces a bank dispute and will never be paid.

Rapid detection, immediate response

Thanks to a sudden spike in sales of this product, our models detected an anomaly: our analysts were immediately alerted. Expert rules were put in place for our teams in less than four hours! Less than 12 hours after detection, the network was neutralised. This efficiency is based on the synergy between our Data department and our Investigations unit.

• Investigators analysed weak signals to reconstruct the modus operandi.
• Data analysts transformed these insights into enhanced security rules capable of blocking future attempts and monitoring network developments.

In-depth investigation: knowing your enemy

The story does not end there. Our experts continued their investigation to gain an in-depth understanding of how the network operated:

• Four ‘professional’ shops were identified on the marketplace, all registered under different company names – identity theft.
• Active since March 2024, they generated hundreds of orders, exclusively for educational games.
• The fraud network manipulated the platform’s algorithms to push his products to the top of search results, notably by offering lower prices than others.

The result: a few hundred pounds in damages, but thousands of pounds in fraud prevented. Enhanced security rules, seasoned investigators, and fraudulent shops closed. A healthier marketplace.

The return of the Merlin network

In February 2025, the network returned, more cunning than ever. This time, it targeted two other partners via a new marketplace, with different products: small electrical appliances. The cat-and-mouse game lasted until May 2025, with the opening of fake shops, changes in products and targeted retailers.

This new round required:

• Constant monitoring,
• Regular updates to security rules,
• Ongoing training for our investigators,
• And above all, close collaboration with our merchant partners, who are fully committed to this fight.

How can you protect yourself against triangular fraud?

Here are the key levers for anticipating and blocking this type of fraud:

1. User awareness: Inform buyers and sellers about warning signs: prices that are too low, suspicious contacts, unusual payment requests.
2. Identity verification: Strengthen controls on platforms: supporting documents, cross-checks, etc.
3. Transaction monitoring: Implement analysis tools to detect abnormal behaviour and weak signals.

Triangular fraud is a growing threat. But with the right tools, constant vigilance and active collaboration between all e-commerce players, it can be effectively contained.

The post MERLIN Network: the comeback! appeared first on Oneytrust.

a) Security and protection of citizens

The primary purpose of digital identity is protection. Users whose identities are stolen suffer dramatic consequences: loans taken out in their name, administrative disputes, damaged online reputations. Having a robust digital identity based on reliable technical and behavioural signals helps limit these risks.

b) Trust and fluidity of exchanges

For a company, accepting a new customer involves a risk. Digital identity provides the necessary elements to establish a trust score: is this a real, consistent person who has been active for a long time? This trust then facilitates exchanges, reduces friction (simplified KYC, smooth user journey) and improves the customer experience.

c) Sovereignty and independence

Today, proving one’s identity online often involves major private players (connection via Google, Apple or Facebook). However, delegating this strategic function to a few companies poses a problem of sovereignty. European states are seeking to regain control in order to avoid excessive dependence and guarantee data protection.

d) Inclusion and equal access

Digital identity must not become a factor of exclusion. People who are digitally excluded (the elderly, rural areas, vulnerable populations) must have access to simple and accessible solutions. Equity requires an inclusive design of these tools.

2. Future prospects

By 2030, digital identity could undergo three major developments:

Increased standardisation: adoption of international standards enabling seamless recognition between countries and services.

Biometric integration: enhanced association with biometric fingerprints (voice, face, fingerprint) to further secure access.

Enhanced user control: emergence of solutions where users decide which elements of their identity to share, depending on the context (e.g. proving they are of legal age without revealing their date of birth).

In a nutshell…

Digital identity is no longer a technical curiosity. It has become the beating heart of digital societies. It protects, streamlines and empowers, but also raises questions about surveillance and sovereignty.

By understanding it, decision-makers and citizens have an essential lever for navigating a world where the virtual and the real are inseparable. Ultimately, digital identity is the identity card of the digital age: intangible but decisive, invisible but unavoidable.

The post Digital identity: the new identity card for the digital age – Part 2 appeared first on Oneytrust.