Fraud rings rarely debut new tactics against banks. They test them first where money, goods, and people move quickly—and where friction is hardest to impose without hurting growth: online marketplaces.
I spent more than 20 years working in online marketplaces before moving to DataVisor. One pattern shows up again and again: the attacks that eventually hit financial institutions at scale are often refined first in marketplaces.
Marketplaces act like real-world fraud laboratories. Collusion rings, fake listings, return abuse, account takeovers, and off-platform scams are constantly tested, refined, and scaled in these environments. Once a tactic proves effective, it rarely stays contained—it migrates into banking, payments, and fintech ecosystems.
In the DEFEND Webinar: Protecting Marketplaces from Fraudsters, Spammers, and Jerks, I sat down with Nicole Pauls, Senior Principal Product Manager of Trust & Safety at OfferUp, to talk through what modern marketplace fraud defense looks like in practice—and what financial institutions can learn from it.
Below are five of the most practical lessons from that conversation.
5 Strategies for Preventing Marketplace Fraud
Marketplace fraud is evolving quickly. As platforms grow, fraud rings continuously experiment with new ways to exploit trust between users.
What makes marketplaces interesting from a financial crime perspective is their speed. Fraud tactics can be tested and iterated faster than in traditional financial systems. That makes them an early signal for the kinds of attacks banks and fintechs will likely face next.
The strategies we discussed during the webinar reflect that reality: fraud prevention today is less about one big control and more about layered defenses, smart experimentation, and understanding attacker economics.
1. Fraudster Economics: Make Fraud Expensive
One of the most insightful parts of the discussion came from Nicole’s perspective on attacker behavior.
Despite all the attention on sophisticated attacks, she reminded us that most fraudsters still follow the same economic logic.
❝Scammers are going to bias toward being lazy and cheap.❞
That means basic defenses are often surprisingly effective.
Simple techniques can catch a large percentage of abuse, including:
- keyword and content analysis for suspicious listings
- detecting obfuscated contact information
- identifying reused images or duplicated posts
- monitoring repeated account naming patterns
- enabling user reporting and feedback mechanisms
User feedback in particular can be powerful. When platforms make it easy for legitimate users to report suspicious behavior, they effectively create a distributed detection network.
Fraudsters adapt, of course. As we discussed during the webinar, AI tools now allow attackers to generate more realistic email addresses, messages, and account details.
But the economic principle remains the same: if defending a platform becomes too expensive or time-consuming, fraudsters often move on to easier targets.
What this means for banks and fintechs
Financial fraud follows similar economic patterns.
Fraud rings look for systems where they can automate account creation, test small transactions, and scale quickly. If detection systems force attackers to spend more time or resources, the profitability of those attacks drops significantly.
In many cases, the most effective strategy is simply to increase attacker costs faster than they can adapt.
2. Let the Fraudster Think It Worked
Another important tactic we discussed is avoiding immediate feedback when fraud is detected.
If a platform instantly blocks suspicious behavior, fraudsters quickly learn which tactics failed and adjust.
Instead, teams can use soft blocks and delayed responses.
As I mentioned during the webinar:
❝Don’t reveal your hand.❞
For example, a suspicious listing might appear to post successfully while actually being held for review. A transaction might be delayed rather than immediately rejected.
Nicole gave a practical example: if a new post takes five minutes to appear on a marketplace, most legitimate users won’t notice. But those five minutes allow the system to run additional checks and detect coordinated activity.
This kind of delay increases the cost and uncertainty for attackers without disrupting legitimate users.
What this means for banks and fintechs
Financial institutions often rely heavily on hard declines or account locks.
While those tools are necessary, they also give fraud rings immediate feedback.
In some cases, softer responses—such as step-up authentication, transaction delays, or temporary restrictions—can reveal larger fraud networks by allowing suspicious behavior to continue long enough to identify linked accounts and infrastructure.
3. The Trust–Growth Paradox
Fraud teams and growth teams often want opposite things.
Growth teams want onboarding to be fast and frictionless. Trust and safety teams want more signals and verification. That tension is constant.
As I mentioned during the webinar:
❝There’s inherently a conflict between marketing or growth teams and the trust and safety teams.❞
Higher friction typically leads to fewer users but higher quality ones. Lower friction increases growth but may introduce more risk.
Nicole pointed out that the most effective way to manage that tension is through measurement and thoughtful timing of friction.
For example, OfferUp does not require email verification at signup, which can be frustrating from a security perspective. Instead, the team relies on passive signals such as email deliverability, domain characteristics, and device information.
They also experiment with voluntary verification prompts during meaningful moments in the user journey.
Interestingly, Nicole noted that when these prompts were timed well—such as during a high-value transaction—users often responded just as frequently as when verification was required.
Sometimes a small incentive helps. “Badges and confetti work surprisingly well,” she said. “People like that instant feedback.”
What this means for banks and fintechs
Financial institutions are increasingly facing the same trade-off, especially in digital onboarding and payments.
One takeaway from marketplaces is that friction doesn’t have to happen at the first interaction.
Instead, it can be introduced at moments of higher risk or higher user investment—for example:
- large transfers
- new device logins
- unusual transaction patterns
- payout events
- account recovery attempts
Applying friction strategically allows institutions to maintain good customer experiences while still collecting the signals they need to detect fraud.
4. Risk Segmentation in Action
Another concept we discussed during the webinar was orchestrating fraud defenses through risk tiers.
At a previous company, we implemented a decision flow that categorized users into three groups:
- Low-risk users, who could proceed with minimal friction
- Medium-risk users, who were sent through additional verification steps
- High-risk users, who were either manually reviewed or blocked outright
With the right tooling, these flows could be adjusted in real time.
For example, we could route most medium-risk users through our standard verification process while sending a small percentage to a new experimental method to measure drop-off rates and fraud outcomes.
Because the system was orchestrated dynamically, we could observe results quickly and adjust controls within hours if necessary.
What this means for banks and fintechs
Risk-tier orchestration is increasingly important for financial institutions as well. Banks can apply similar decision flows to areas such as:
- account opening
- payment approvals
- ACH and wire transfers
- card provisioning
- account recovery
- suspicious behavioral activity
Instead of treating every user interaction the same way, institutions can allocate friction and investigative effort where it matters most.
This improves both fraud detection and operational efficiency.
5. Strategic Verification Testing
One of the most effective ways to prevent fraud is to test verification strategies carefully before rolling them out broadly.
Nicole explained that verification testing isn’t a one-size-fits-all exercise. The right approach depends on what you’re trying to learn: are you introducing a new security control, measuring friction, or trying to reduce risk exposure?
She outlined three common testing approaches.
Random segmentation exposes a new control to a randomly selected group of users. This is great for measuring overall impact but mixes good and bad users together, which can make results harder to interpret.
Audience-based segmentation, such as launching a feature in a specific geographic region or user group, allows teams to pilot protections in a controlled environment.
Risk-based segmentation, which is the preferred approach for most trust and safety teams, targets users based on behavioral signals. Low-risk users experience less friction, while higher-risk users encounter stronger verification.
Nicole shared an example from OfferUp when the team introduced a one-time password challenge for logins from new devices. Initially, they used random segmentation to measure pass rates.
The downside quickly became clear.
“We learned the hard way that we weren’t isolating the bad and good populations,” Nicole explained.
❝We had to spend a lot of time analyzing the data afterward to figure out whether failures were fraud or just good users hitting friction.❞
That experience reinforced the importance of combining multiple segmentation approaches when testing new defenses.
From my own experience at eBay years ago, we used a similar strategy. We segmented users by email domain risk—anonymous domains versus corporate or university domains—and then ran test and control groups inside those segments to measure results.
What this means for FIs and fintechs
Financial institutions face the same challenge whenever they introduce new controls: step-up authentication, new onboarding checks, transaction monitoring changes, or device verification.
The key lesson from marketplaces is to test controls within risk tiers, not just across the general population. If you only run random A/B tests, you may end up with misleading results because fraud activity is concentrated in specific user segments.
Risk-based testing helps answer two critical questions separately:
- Did the control actually reduce fraud?
- Did it introduce unnecessary friction for legitimate customers?
Those are very different outcomes, and marketplaces learned long ago that you need to measure them independently.
Marketplaces as an Early Warning System for Financial Crime
Fraud rings move quickly, and the tactics they test in one environment rarely stay there.
Marketplaces often experience these tactics first because their transaction ecosystems evolve rapidly and their growth pressures limit how much friction they can impose.
For banks and fintechs, that makes marketplaces a valuable early warning system.
If you want to understand what fraud techniques might reach financial institutions next, it’s worth watching how attackers experiment in these environments and how marketplace teams respond.
The organizations that adapt fastest are the ones that treat fraud prevention as a dynamic system: testing controls continuously, measuring results carefully, and forcing attackers to spend more time and resources to succeed.
To learn more about the attack vectors hitting marketplaces and how to deal with them, watch the DEFEND Webinar: Protecting Marketplaces from Fraudsters, Spammers, and Jerks.
