"First seen to you is not first seen to us," writes IPQS in its overview of layered fraud defense.
Transaction Level: monitoring checkout, customer service, and the limits of siloed checks
Fraud programs commonly begin at the transaction level, driven by pressure from chargebacks to monitor performance at checkout. The source warns that monitoring individual interactions "in siloes" can be effective for many isolated incidents but also produce increased false positives and false negatives. Fraudsters respond rapidly when one attack surface closes — moving from payments to account takeovers (ATOs), deposits into transfers, and then upstream into identity theft, synthetic ID fraud, and mule accounts. Those shifts can happen in seconds, the report says, and practitioners frequently deploy checks at each touchpoint to counter them.
Account Level: baselines, behavioral fingerprints, and the ATO storyline
At the account elevation, defenders gain a time-series view of behavior. The report lists device intelligence, spending behaviors, geolocation, behavioral biometrics, and step-up verification interactions as evidence that helps identify ATOs. Tracking an account's historical performance reveals what the report calls "trusted" behavior; fraudsters cannot duplicate that trusted baseline and still succeed. In practice, the fraudster in the example calls customer service from a new phone number, updates contact information, orders a secondary card, and times transfers and withdrawals to mimic historic transaction summaries — all detectable when account-level telemetry is collected and correlated.
Platform Level: grouping accounts to detect rings and reduce friction
Grouping accounts across a single platform lets practitioners contrast "trusted" and "confirmed fraud" performance to reduce friction for legitimate customers while tightening controls where needed. The source explains that by automating the tracking of regions, IPs, devices, and behaviors, teams can rapidly identify fraud rings and multi-account attacks and shorten the time multi-account exploits remain active. The report underscores the speed: the described attack sequence — from initial compromise to ordering an authorized card and moving funds off-platform — "takes a matter of hours" and is likely running in parallel against many accounts. Platform indicators called out include the shipping address for an authorized card, device fingerprinting, user geolocation, geolocation of withdrawals, dollar-amount patterns (including gradual increases), and funding institutions.
Network Level: sharing intelligence across providers to act in the moment
The final elevation is partnership — connecting to providers that deliver data enrichment and decisioning across their networks. Where a single practitioner operates in isolation, a solution provider allows a fraud program to leverage "the performance of all of the other practitioners." The practical payoff is the ability to automate against known suspicious data points drawn from peers' operations: the phone number used to call customer service, the device interacting with the platform, the shipping address for an authorized card, the name of the authorized user, and more. The guiding aphorism from the report is plain: "First seen to you is not first seen to us."
Example fraud case: the customer-service-led account takeover at a bank
The report walks through a concrete scenario against a bank holding stored value. A fraudster armed with payment, identity, and system knowledge targets an identity known to bank with "Bank X." The attacker uses bureau information to satisfy knowledge-based verifications (KBVs) over customer service, resets access, requests an authorized-user card for themselves, moves funds into the account from other compromised accounts, and then shifts funds off-platform to a third compromised account. Because the fraudster mimics historic spending and transaction amounts, they can often "fly under the radar" and satisfy siloed verifications until the legitimate customer contacts customer service and files a report. The account-level and platform-level visibility described elsewhere in the report is what would make that storyline visible earlier.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The source emphasizes collating datasets across touchpoints — transaction, account, platform, and network — to turn interaction-by-interaction visibility into context-rich signals such as device intelligence, behavioral biometrics, geolocation, and IP resolution.
- Affected enterprises and procurement leaders: The report urges building "an effective fraud program that addresses threats at every elevation without sacrificing your budget or customer experience" and notes that vendor partnerships extend visibility beyond a single platform; the sponsor also advertises a free trial of "1,000 free credits" and a demo.
- End users and customer service operations: The narrative demonstrates that customer-service KBVs remain an operational pivot for account takeovers and that, in current scenarios, fraudulent activity can run for hours before detection if interactions are handled in siloes.
The core lesson the report advances is straightforward: visibility without context leaves gaps that fraudsters exploit in minutes or hours. By layering transaction, account, platform, and network intelligence, practitioners can both reduce false positives for trusted users and act faster against multi-account and rapidly evolving attacks. The remaining practical question the report leaves for operators is whether defenses across those four elevations will be joined in time to blunt attacks that adapt in real time.
