Bad bots used to be a nuisance. They had weird names like YissouSpider and Yandex. They were something for cybersecurity teams to tune out with filters and rate limits.
No longer. For banks, marketplaces, FinTechs and anyone else in the digital economy, adversarial bots are now attacking the core of the business: onboarding, account access, fraud controls and compliance workflows. With the heightened awareness of cybersecurity due to geopolitical turbulence, companies that don’t have a solid strategy for dealing with them are vulnerable.
When a website comes under a bot attack, it’s essentially being flooded with fake, automated visitors all hitting the site at once. This overwhelming wave of artificial traffic can slow the site to a crawl or knock it offline entirely, the same way a highway grinds to a halt when too many cars pile on.
Behind the scenes, the company’s servers are straining under the load, legitimate customers can’t get through, and the technical team is scrambling to figure out what’s real and what isn’t. It can feel like someone turned a firehose on a garden hose system. Everything backs up and breaks down, and the damage—whether to sales, reputation or data—can pile up fast.
When those systems fail, the damage is not limited to one fraudulent transaction. Companies face higher manual review costs, lose legitimate users to false positives, and expose themselves to anti-money laundering/know your customer (AML/KYC) risk. In the worst cases, they hand fraudsters the keys to accounts, promotions and payment credentials.
New data from PYMNTS Intelligence’s October report, “The Hidden Costs of ‘Good Enough’: Identity Verification in the Age of Bots and Agents,” produced with Trulioo, shows how expensive that threat has become.
Advertisement: Scroll to Continue
Based on a survey of 350 global companies, the report finds that 56.3% now face threats tied to bots or agents, 58.6% struggle with bot-driven fraud, and 52.3% say bot traffic increased over the last 12 months. Financial services firms are feeling it most acutely: 60.6% report increased bot traffic, the highest share of any industry. Firms also lose an average 3.1% of annual revenue because of identity verification gaps—an annual collective hit of roughly $95 billion across the companies surveyed.
The most telling data point may be the confidence gap. Nearly all respondents—96.3%—say they are confident in their ability to detect harmful bots. Yet nine in 10 report challenges from harmful bot traffic.
That mismatch helps explain why “good enough” identity stacks are becoming a strategic liability. The companies that appear to be coping best are moving beyond fragmented checks toward integrated, global identity platforms. In the report, 78.9% of companies using global identity platforms say vendor quality and reliability drive confidence in their verification procedures, while 65.6% report lower digital transaction decline rates and 62.5% report lower false declines over the past year.
What does that mean for banks, acquirers, issuers, PSPs and digital platforms? The report’s four actionable insights offer a practical roadmap:
- Recognize that the damage is bigger than most organizations think. Many firms still underestimate what adversarial bots and weak identity controls are costing them. That is not just a fraud problem; it is a revenue problem. Between false positives, customer drop-off, compliance exposure and missed growth opportunities, “good enough” identity verification functions like a hidden tax on the business. For institutions that still treat KYC/KYB as a compliance box to check, the message is to reframe identity as a strategic growth and revenue-protection capability.
- Invest in systems that can distinguish malicious bots from helpful automation. The report highlights a dangerous disconnect: 96% of companies are confident in their bot defenses, but 59% still struggle with bot-driven fraud. In an environment shaped by credential stuffing, fake account creation, deepfakes and AI-driven abuse, the issue is no longer simply blocking automation. It is separating hostile bots and agents from legitimate ones in a way that reduces fraud without adding more friction. For payments and banking players, that means moving toward smarter risk models and “Know Your Agent” thinking, not just broader denial rules.
- Adopt an integrated global identity platform to reduce operational drag and improve the customer journey. Fragmented verification systems do not just create blind spots; they make life harder for good users and operations teams. The report finds that 52.9% of companies report user drop-off during onboarding, 44% struggle with false positives, and half cite bad customer experiences and high manual review costs. By contrast, firms using globally integrated identity platforms report stronger outcomes, including lower decline rates and fewer false declines. In sectors where conversion and trust are tightly linked, cutting that friction can translate directly into better economics.
- Use global identity infrastructure to support international expansion. Identity gaps are also a growth bottleneck. Nearly two-thirds of companies say weak KYC/KYB processes limit their ability to win new business and enter new markets. The report suggests that global platforms help close that gap by improving verification quality, easing compliance management and giving firms more confidence in cross-border onboarding. More than eight in 10 companies using global identity platforms rate their systems as high performing, and nearly 94% say those platforms make KYC/KYB management easier over time. For firms pursuing cross-border payments, marketplace expansion or supplier onboarding at scale, that is infrastructure for growth.
The broader takeaway is that identity verification is moving from the compliance perimeter to the center of digital commerce strategy. As the report puts it, “good enough” is a roadblock to reducing fraud, accelerating onboarding, expanding globally and preparing for the age of agent-to-agent transactions.
