BOSTON—Brute force cyberattacks may still occur, but fraudsters are increasingly using persuasion, fatigue and impersonation as means of getting past defenses, especially multi-factor authentication, that were designed to stop credential theft but now sit at the center of more complex attack chains, according to a new report.
The shift is showing up in the data, said PYMNTS Intelligence, whose new report, “2025 State of Fraud and Financial Crime in the United States,” a collaboration with Block, found that unauthorized-party fraud now accounts for 71% of total fraud incidents and dollar losses, reversing last year’s pattern and signaling a resurgence of externally driven attacks rooted in compromised credentials and account takeovers.

‘More Adaptive’
According to PYMNTS, the report described a fraud environment that is becoming more adaptive, not less.
“Attackers are increasingly exploiting access points that sit upstream of payments, including login credentials, session tokens and authentication workflows, which include multifactor authentication protocols.”
At the same time, half of financial institutions report damage to customer loyalty and brand reputation tied directly to fraud, reframing the issue as a growth and trust problem rather than a narrow operational cost, the company added.
When MFA Becomes the Weak Link
Against that backdrop, MFA still stands out as a foundational defense, PYMNTS said, before adding that the Delinea Labs report, “Cybersecurity and the AI Threat Landscape,” showed how frequently MFA is now implicated in successful attacks, “not because it is absent, but because it is misused or manipulated.”
PYMNTS noted that nearly half of security incidents analyzed by Cisco Talos involved MFA, with fraudulent push notifications present in roughly one-quarter of those cases.
“These attacks often rely on ‘push fatigue,’ where users are bombarded with repeated authentication requests until one is mistakenly approved,” PYMNTS explained. “The mechanics are straightforward and effective. Attackers first obtain valid credentials through phishing, infostealer malware or token theft. Once inside the authentication flow, they trigger repeated MFA prompts, often outside normal working hours, betting that frustration or confusion will override caution. In other cases, MFA protections are inconsistently configured or not enforced across all accounts, creating uneven coverage that attackers actively probe.”
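The push-fatigue pattern described above leaves a recognizable trace in authentication logs: a burst of denied or timed-out prompts followed by an approval, often outside working hours. The following is an added example, not taken from the PYMNTS or Delinea reports, that flags that sequence; the log layout, event names, threshold, window and working hours are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, outcome); the field layout is an
# assumption, not any vendor's log format.
SAMPLE_LOG = """\
2025-11-28T02:14:05 alice push_denied
2025-11-28T02:14:40 alice push_timeout
2025-11-28T02:15:10 alice push_denied
2025-11-28T02:15:55 alice push_timeout
2025-11-28T02:16:30 alice push_denied
2025-11-28T02:17:02 alice push_approved
2025-11-28T09:01:12 bob push_approved
2025-11-28T13:30:00 carol push_timeout
2025-11-28T13:30:45 carol push_approved
"""

def parse(log_text):
    """Yield (datetime, user, outcome) tuples from whitespace-separated lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, outcome = line.split()
            yield datetime.fromisoformat(ts), user, outcome

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5,
                      work_hours=(8, 18)):
    """Flag approvals preceded by >= threshold failed prompts (illustrative defaults)."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timed-out prompts
    findings = []
    for ts, user, outcome in sorted(events):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()      # drop prompts that aged out of the window
        if outcome in ("push_denied", "push_timeout"):
            failed.append(ts)
        elif outcome == "push_approved":
            if len(failed) >= threshold:
                findings.append({
                    "user": user,
                    "approved_at": ts,
                    "failed_prompts": len(failed),
                    "off_hours": not work_hours[0] <= ts.hour < work_hours[1],
                })
            failed.clear()        # an approval ends the current burst
    return findings

if __name__ == "__main__":
    for finding in find_push_fatigue(parse(SAMPLE_LOG)):
        print(finding)
```

A flagged approval is a candidate for session revocation and out-of-band confirmation with the user rather than proof of compromise.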
MFA Failures in the Spotlight
PYMNTS said that recent high-profile breaches illustrate how these weaknesses play out at scale. Such incidents ripple outward, exposing not only data but also confidence in cloud and identity infrastructure.
“The lesson from these events is not that MFA is obsolete, but that attackers increasingly understand how it is deployed and where it breaks down,” the company said.
It added that timing also matters, noting that the Delinea report found that attack volumes often dip during midyear holidays and then surge toward year-end, when staffing gaps, elevated transaction volumes and consumer urgency combine to create ideal conditions for fraud.

“That seasonal pressure overlaps with peak shopping periods, faster payment rails and heightened customer activity, raising the stakes for authentication systems already under strain,” PYMNTS said.
The Deeper Issue
According to PYMNTS’ analysis, the deeper issue is strategic.
“Many banks and payment firms still rely on MFA implementations that attackers have studied for years,” the report said. “Static controls, once effective, are now predictable. Fraudsters do not need to defeat MFA outright; they only need to persuade legitimate users to defeat it for them.”
It added that this reality helps explain why institutions are shifting investment priorities. According to the PYMNTS Intelligence report, 68% of financial institutions increased fraud detection spending year over year, with artificial intelligence and behavioral analytics increasingly viewed as essential infrastructure rather than optional upgrades.
Moving Beyond MFA Alone
“The data suggests that preventing MFA-based fraud requires layering intelligence on top of authentication, not replacing it. Behavioral signals, device fingerprinting, contextual risk analysis and continuous monitoring can help distinguish legitimate approvals from coerced or manipulated ones,” PYMNTS said. “Machine learning and behavioral analytics are now among the most widely adopted fraud prevention technologies, reflecting an industry move toward adaptive defense rather than fixed checkpoints.”