Threats Without Borders - Issue 255
Cybersecurity Investigation Newsletter, week ending October 5, 2025
In a recent letter to federal banking regulators, the Bank Policy Institute (BPI) urged a major reform in how the U.S. handles payment system fraud. BPI reports that in 2024, Americans experienced over $16 billion in losses due to fraud, more than twice the amount from three years prior.
BPI contends that the current system for preventing fraud is outdated and overburdens banks, while neglecting the role that technology, telecom, and social media companies play in facilitating scams. The organization states that fraud prevention should not be viewed as merely a “bank problem.” Instead, it must be a nationwide effort involving all sectors involved in the payment process — from phone providers to social media platforms.
One of BPI’s top suggestions is to develop a White House–led national strategy for coordinating fraud prevention across government agencies and private companies. They recommend that a federal leader, similar to a cybersecurity or artificial intelligence advisor, could help bring order and accountability to what is now a fragmented set of efforts. This office could unify agencies like the Treasury Department, the Federal Trade Commission, and the Federal Communications Commission to collaborate on scam prevention, consumer education, and law enforcement.
The letter also advocates for stronger regulations for technology and social media platforms. These companies often serve as the initial contact point for scammers, yet unlike banks, they are not obligated to follow strict fraud prevention rules. BPI aims for uniform anti-fraud standards across all sectors to prevent criminals from exploiting vulnerabilities. For instance, online platforms could be required to verify advertisers’ identities, remove fake accounts, and alert users to suspicious activity.
Another major issue, according to BPI, is that banks are constrained by outdated regulations that hinder their ability to prevent suspicious transactions. Currently, banks face legal risks if they delay or block payments that are legitimate, even when they suspect fraud. BPI is asking regulators to update these rules so banks can pause transactions when fraud is suspected without fear of penalty. The group also seeks clearer definitions of what constitutes a forged or altered check, as many fraud disputes depend on confusing technical differences that hinder investigations.
Information sharing is another area where improvement is needed. Currently, banks and other companies often hesitate to share fraud data due to privacy and liability laws. BPI suggests that the government should establish safe harbor protections to enable companies to exchange information about scams and suspicious accounts quickly and securely. This would help prevent fraudulent activity before money is lost.
Read the letter to see the specific recommendations the group has for Fintechs, Social Media Platforms, and Telecommunications providers.
The News…
If you frequent any of the more popular law enforcement message boards or email listservs, you know that about every fifth request is, “Hey, can someone from (insert state) search this plate for me?” Well, you might want to think twice before offering assistance, especially if you’re from California. The California Attorney General has sued the city of El Cajon and its police department for allowing law enforcement officers from other states to run searches of its automated license plate reader (ALPR) database, which violates state law. The lawsuit targets the use of Flock Safety’s ALPR technology, used in over 6,000 cities across the U.S., and raises concerns about the misuse of personal data. The state aims to stop these searches and clarify that such actions are illegal under California law. https://therecord.media/california-lawsuit-el-cajon-police-out-of-state-searches-flock-database
A recent scam targets seniors via fake Facebook groups advertising activities such as travel and dance classes. These groups entice users to download malicious Android apps that steal personal data and banking details. The malware, including Datzbro and Zombinder, can bypass Android security and drain bank accounts. Researchers discovered that these groups used AI-generated content and fake iOS app buttons, suggesting they might target iPhone users in the future. https://www.malwarebytes.com/blog/news/2025/10/scam-facebook-groups-send-malicious-android-malware-to-seniors
Malicious digital invitation attacks, impersonating Evite and Punchbowl, are nothing new, but Sublime Security shows they are increasing. These attacks vary in payload, including credential phishing and malware distribution. The post also touches on RMM (remote monitoring and management) attacks. https://sublime.security/blog/impersonated-evite-and-punchbowl-invitations-used-for-credential-phishing-and-malware-distribution/
Domain Tools reports on a financially motivated actor who targets users with fake applications and websites designed to mimic government tax sites, consumer banking, and more. The attacker uses spoofed domains to deliver trojans for credential theft. The article provides a substantial list of indicators of compromise for threat hunters. https://dti.domaintools.com/securitysnack-18e-crime/
Two men face conspiracy charges for allegedly rigging poker games and winning over $30,000 using card-bending techniques. The criminal complaint states that they and an unnamed co-conspirator marked high-value cards to cheat, employing methods that have been used for centuries. They reportedly carried out the scheme at two California casinos, changing clothing to avoid detection. https://www.sandiegouniontribune.com/2025/10/02/men-charged-with-conspiracy-for-allegedly-rigging-casino-poker-games/
Authorities in 14 African countries arrested 260 suspects and seized 1,235 electronic devices in Operation Contender 3.0, targeting cyber-enabled crime like romance scams and sextortion. The operation identified 1,463 victims and seized 81 cybercrime infrastructures. https://www.interpol.int/News-and-Events/News/2025/260-suspected-scammers-arrested-in-pan-African-cybercrime-operation
My stupid voice, my stupid thoughts
I often have my best or sometimes worst ideas while in the car or shower. Neither is ideal for note-taking, and I’ve had moments when I thought of a “brilliant and revolutionary” idea while driving, but later couldn’t recall it. After several close calls trying to access my phone’s voice recorder while driving, I decided to get an old-school, 2000s-style voice recorder for the car. It has two buttons—record and stop—allowing me to operate it single-handedly without taking my eyes off the road.
So I decided to open myself up to more criticism by sharing some of my voice notes. These are raw, unedited, and stream-of-thought style recordings. And I have a lot.
Feedback: matt at threatswithoutborders.com
Dammit, they got the PDFs too
A common question I get is, “Someone I don’t really know sent me a PDF by email. Is it safe to open?” I respond with another question: why is someone you don’t really know sending you a PDF? That’s the first step toward security. Who is sending it, and why? Answering these questions is crucial before interacting with any attachments.
However, this new attack method has made the process much more complicated, even if you think you know the sender.
Daniel Kelley from Varonis exposes MatrixPDF, a phishing and malware toolkit that transforms ordinary PDF files into deceptive attack vectors. It allows attackers to load a legitimate PDF document and augment it with malicious features, such as payload URLs, social engineering modifications, and content-blurring overlays. He specifically discusses Gmail, but I imagine it will affect any email service that doesn’t offer elevated scanning and antivirus protections.
https://www.varonis.com/blog/matrixpdf
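The practical takeaway from the MatrixPDF write-up is that a PDF which merely looks like a document can carry actions (an open-time URL, a link under a blurred overlay, embedded script) that a viewer will execute or follow. The script below is an added example of a defender-side triage check; it is not code from Varonis or from the MatrixPDF toolkit. It builds a small constructed PDF with a /URI action that fires on open, a link annotation, and a second URL hidden inside a Flate-compressed stream, then reports which action keys are present and which external URLs the file would reach. The action names (/OpenAction, /AA, /JavaScript, /JS, /Launch, /URI, /SubmitForm, /EmbeddedFile) are standard PDF dictionary keys; the URLs and file contents are constructed for the example.

```python
import re
import zlib

# Standard PDF keys that give a document agency beyond rendering text.
RISKY_KEYS = {
    b"/OpenAction": "action runs as soon as the file is opened",
    b"/AA": "additional actions (page open/close, mouse events)",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/Launch": "launches an external program or file",
    b"/URI": "opens an external URL",
    b"/SubmitForm": "submits form data to a remote server",
    b"/EmbeddedFile": "embedded file attachment",
}
# Match the key only when it is not a prefix of a longer name.
KEY_RES = {k: re.compile(re.escape(k) + rb"(?![A-Za-z])") for k in RISKY_KEYS}
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample_pdf() -> bytes:
    """Constructed sample: open-time URI action, a link annotation, and a
    Flate-compressed object holding a second URI (what a raw grep misses)."""
    hidden = b"<< /S /URI /URI (https://example.invalid/verify) >>"
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R "
        b"/OpenAction << /S /URI /URI (https://example.invalid/login) >> >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 650] "
        b"/A << /S /URI /URI (https://example.invalid/login) >> >> endobj\n"
        b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def expand_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream so keys and URLs
    tucked inside compressed objects are scanned as well."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or not a stream we can read); skip
    return data + b"\n" + b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Report active-content keys and external URLs found in a PDF."""
    scanned = expand_streams(data)
    flags = {k.decode(): RISKY_KEYS[k] for k, rx in KEY_RES.items() if rx.search(scanned)}
    uris = sorted({m.group(1).decode("latin-1") for m in URI_RE.finditer(scanned)})
    verdict = "review" if flags else "no active content found"
    return {"flags": flags, "uris": uris, "verdict": verdict}


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    print(report["verdict"])
    for key, why in report["flags"].items():
        print(f"  {key}: {why}")
    for uri in report["uris"]:
        print(f"  URL: {uri}")
```

Run against the constructed sample, the report flags /OpenAction and /URI and lists both URLs, including the one that is invisible to a plain string search because it sits in a compressed stream. The check is deliberately shallow: it does not decode hex-encoded strings or escaped parentheses, handle filters other than Flate, or open encrypted files, so a clean result is a reason to look further, not a clearance; what it does give an analyst is the list of link targets to compare against the sender and the claimed content before anyone clicks.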
Housekeeping
Occasionally, authors and bloggers contact me to ask me to link their work in the newsletter. I will do so if I find the content interesting and it’s not a sales pitch. However, I’ll no longer link to any posts on the Medium platform. First, I consider it a shitty publishing site, and second, most posts require readers to have an account. I avoid linking to paywalled content for the same reason—the point is to provide accessible resources. Don’t send me links to Medium articles.
Cool Job
Senior Information Security Architect - The Pokémon Company. https://job-boards.greenhouse.io/pokemoncareers/jobs/6591856003?gh_src=6a43c0013us
Cool Tool
See where all your damn money is going? https://www.rootbeermath.com/budget/
Check your air quality. https://explore.openaq.org/
Irrelevant
For us Gen X’ers, connecting to America Online for the first time was magical. AOL killed its dial-up service this week after 34 years. https://www.latimes.com/business/story/2025-10-02/aols-dial-up-internet-takes-its-last-bow-marking-the-end-of-an-era
Sign Off
Thanks for sticking with me. See you next week.
Matt
“BE PROUD OF YOUR SCARS. THEY REMIND YOU THAT YOU HAVE THE WILL TO LIVE.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.