#56 - Fraudsters limit exposure too. Here's how to exploit it.

Fraudsters limit their exposure to protect themselves from getting caught.

Fintechs limit their exposure to protect themselves from catastrophic losses.

Ever notice this parallel?

But this isn’t just about dramatic irony. By being aware of the game we play, we can devise methods that strengthen our strategy while exploiting our adversary’s vulnerabilities.

Want to play offense? Let’s talk about it.

The Game Both Sides Are Playing

Fraudsters and fintechs are playing the exact same game, just from opposite sides.

Fraudsters know some of their attempts will get blocked. They know some stolen cards will be flagged. They know some accounts will be shut down.

They accept these losses. What they cannot accept is getting caught and prosecuted.

So they limit their exposure: invest in VPNs, buy high-quality fake IDs, age stolen identities, cover their tracks meticulously.

It’s not only about succeeding. It’s also about protecting themselves from the worst-case scenario, especially knowing some level of failure is a certainty.

On the other hand, fintechs know some fraud will get through. They know some good customers will be declined. Perfect prevention is impossible.

They accept these losses. What they cannot accept is a single fraud attack that kills their business.

So they limit their exposure: cap transaction amounts, restrict new accounts, and implement safety nets for catastrophic scenarios.

Evidently, both sides are playing containment strategies. 

Fraudsters are containing their legal exposure, while fintechs are containing their financial exposure.

The question is: whose containment strategy is more vulnerable?

How Limits Create the Perfect Trap

Here’s what we need to keep in mind:

While fraudsters don’t want to get caught, they also need to have a positive ROI. There is a limit to how much they can invest in hiding their tracks if they want to make a profit.

Account limits force them to make a choice between two bad alternatives:

  1. Reduce their own investment, fail more often (which further reduces ROI), and risk their identity being exposed

  2. Invest the same as before but for a worse ROI

Notice the issue? Whatever they choose to do–their ROI will suffer.

And this is how the trap is sprung: to deal with the loss of ROI, fraudsters are forced to scale their efforts.

When you set a $500 limit on new accounts, you're not stopping a $10,000 fraud. You're forcing the fraudster to commit fraud 20 times to reach their target.

And why does this matter? Because with each fraud attempt you force them to make, you also present a new opportunity for them to slip and make a mistake.

Forget to clean their device. Forget to turn on their VPN. Forget to switch to another email.

And if I learned anything about fraudsters in the 16 years I’ve been chasing them, it’s this–they all make mistakes.

This is exactly what I wrote about in What fraudsters fear more than AI–time and scale are the fraudster's biggest enemies. 

By forcing them to operate at higher velocity, your limits aren't just capping losses. They're generating detection opportunities.

Why This Often Fails in Practice

This all sounds good and easy, but in practice I see very few organizations that understand this, and even fewer that manage to implement it effectively.

Why is that? The first issue is with setting the limits themselves.

Sometimes I see teams that are thinking (hoping?) that just placing limits on their own would block fraud. That’s never the case and the disillusionment is usually fast.

In other cases I see limits being used crudely, unnecessarily disrupting the real customer’s experience with friction and missing features.

There’s a lot to be said on how to properly implement account limitations, but that’s not today’s focus.

Instead I want to examine how teams often fail to connect the dots between limitations and fraudulent behavior.

And even more specifically–not exposing limitations to the risk engine, and not defining which behaviors are suspicious in this context, such as:

  • Users testing your limits to find the ceiling

  • Accounts hitting limits repeatedly across payment methods

  • Multiple accounts from the same network all maxing out

  • Linked accounts being opened after the original one hit a limit

First you leave fraud signals on the table, and then you leave your money there too.

Connecting the Dots

Here’s how you want to avoid it:

First, instrument your limits as risk signals. Track when users approach limits (within 90%), hit them exactly, or test systematically. 

This optimization behavior–trying $450, then $475, then $499–is highly predictive of fraud. 

Second, connect limits to your velocity counters. When you see velocity across shared identifiers, check if they're ALL doing limit optimization. 

Same IP, five accounts, all maxed on limits? That's not a coincidence. Your low limits just forced a fraud ring to expose their entire network.

Third, feed limit interactions into your risk models. Create features like “times_approached_limit” or “time_to_first_limit_test”. Use these in your scoring. 

Better yet, use them to identify fraud rings before they fully monetize. When NOT to act fast applies here–limits buy you time to gather intelligence.

Side note: If you're still treating limits as purely operational controls managed outside your fraud system, you're solving the wrong problem. Limits are detection mechanisms that happen to also cap losses.
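As an added example (not code from the original post), here is one way to instrument the three steps above in Python: per-account limit features such as times_approached_limit and time_to_first_limit_test, a flag for stepping the amount up inside the 90% band, and a velocity check that groups accounts by shared IP. The $500 limit and the 90% band are the post's; the sample attempts, the three-accounts-per-IP ring threshold and grouping by the first IP seen are my assumptions.

```python
from collections import defaultdict
from datetime import datetime

LIMIT = 500.00         # per-transaction cap on new accounts, as in the post
APPROACH = 0.90        # "within 90%" of the limit counts as approaching it
RING_MIN = 3           # hypothetical threshold: accounts on one IP, all maxing out

# Constructed sample attempts (account, ip, amount, timestamp); not real data.
EVENTS = [
    ("acc-1", "203.0.113.7", 20.00, "2024-03-01T09:50:00"),
    ("acc-1", "203.0.113.7", 450.00, "2024-03-01T10:00:00"),
    ("acc-1", "203.0.113.7", 475.00, "2024-03-01T10:02:00"),
    ("acc-1", "203.0.113.7", 499.00, "2024-03-01T10:03:30"),
    ("acc-2", "203.0.113.7", 500.00, "2024-03-01T10:05:00"),
    ("acc-2", "203.0.113.7", 500.00, "2024-03-01T10:06:00"),
    ("acc-3", "203.0.113.7", 495.00, "2024-03-01T10:07:00"),
    ("acc-4", "198.51.100.2", 40.00, "2024-03-01T11:00:00"),
]

def limit_features(events, limit=LIMIT):
    """Per-account limit-interaction features, keyed by account id."""
    by_acct = defaultdict(list)
    for acct, ip, amount, ts in events:
        by_acct[acct].append((datetime.fromisoformat(ts), ip, amount))
    feats = {}
    for acct, rows in by_acct.items():
        rows.sort()                                   # time order
        near = [r for r in rows if r[2] >= APPROACH * limit]
        amts = [r[2] for r in near]
        feats[acct] = {
            "ip": rows[0][1],                         # first IP seen (assumption)
            "times_approached_limit": len(near),
            "times_hit_limit_exact": sum(1 for r in rows if r[2] == limit),
            # stepping the amount upward inside the band ($450, $475, $499)
            "limit_probing": len(amts) >= 2 and all(a < b for a, b in zip(amts, amts[1:])),
            "time_to_first_limit_test": (near[0][0] - rows[0][0]).total_seconds() if near else None,
        }
    return feats

def limit_rings(feats, min_accounts=RING_MIN):
    """IPs where every linked account is maxing out the limit: the exposed network."""
    by_ip = defaultdict(list)
    for acct, f in feats.items():
        by_ip[f["ip"]].append(acct)
    return {ip: sorted(accts) for ip, accts in by_ip.items()
            if len(accts) >= min_accounts
            and all(feats[a]["times_approached_limit"] > 0 for a in accts)}
```

Feed the per-account dictionary into your scoring model and raise the IPs returned by limit_rings for review rather than blocking immediately, which is the "limits buy you time" point above.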

The Bottom Line

Most fintechs set limits to answer: "What's the most I can afford to lose per account?"

Smart fintechs set limits to answer: "What limit structure forces fraudsters to expose themselves?"

It's a subtle shift in thinking, but it’s a crucial one.

Because you're not trying to stop all fraud. 

You're trying to make fraud expensive enough that fraudsters must scale their operations. By doing that, you give them more chances to make mistakes, which then surface as velocity.

And that’s how you play offense in fraud prevention.

Do you set limits to cap losses or to force detection? And more importantly–can you measure the difference? Hit reply, I'm curious to hear how you think about this.

In the meantime, that’s all for this week.

See you next Saturday.


P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:

Free Discovery Call - Unsure where to start or have a specific need? Schedule a 15-min call with me to assess if and how I can be of value.
Schedule a Discovery Call Now »

Consultation Call - Need expert advice on fraud? Meet with me for a 1-hour consultation call to gain the clarity you need. Guaranteed.
Book a Consultation Call Now »

Fraud Strategy Action Plan - Is your Fintech struggling with balancing fraud prevention and growth? Are you thinking about adding new fraud vendors or even offering your own fraud product? Sign up for this 2-week program to get your tailored, high-ROI fraud strategy action plan so that you know exactly what to do next.
Sign-up Now »
