Fuelled by the growing automation of cyberattacks and the large-scale use of artificial intelligence (AI), cybercriminals now possess unprecedented offensive capabilities. Identity theft, fake digital profiles, bypassed authentication systems and certificate theft are all on the rise. The various building blocks of digital identity have become targets in their own right.

Faced with this trend, how do we ensure that digital authentication cannot be forged or hijacked? How can trust services remain secure when attacks are increasingly automated? And how far can we strengthen authentication without degrading the customer experience that most users now expect?

After exploring the challenges of digital sovereignty, our CEO, Fabrice Aresu, turns his attention to the security of trust services.
 

From mass campaigns to targeted fraud: the evolution of cyberattacks

Cyberattacks have shifted from mass campaigns to highly targeted operations, changing both their scale and nature. This evolution has been driven by the emergence of ready-made platforms such as Phishing-as-a-Service (PhaaS).

For the price of a subscription, cybercriminals gain access to complete toolkits that include email and SMS templates, fake login pages, sending infrastructures, dashboards for tracking victims and regular updates designed to evade detection.

In other words, technical expertise is no longer a barrier. An inexperienced individual can now launch a large-scale, sophisticated campaign in just a few clicks, constantly recycling lures to bypass antivirus systems and spam filters. These campaigns follow a “spray-and-pray” approach – large-scale, non-targeted attacks that are usually launched opportunistically.

For consumers, this shift towards large-scale automation translates into millions of daily messages designed to steal credentials and banking information, often supported by mirror websites or fake support centres. For businesses, cybercriminals increasingly favour spearphishing campaigns designed to deceive targeted employees using publicly available information, such as organisational charts or corporate event details, often automated using AI.

As Fabrice Aresu points out: “We are seeing attack methods become increasingly automated and industrial in scale. Phishing campaigns now double in volume every six months.” In response to this trend, digital environments must strengthen by continuously improving authentication processes for online transactions, but also by investing in people through cybersecurity awareness programs and ongoing training. 

Artificial Intelligence serves both as a driver of fraud and a security asset

AI-driven image and video generation has advanced so quickly that it is becoming increasingly difficult to distinguish real from fake. Many online services now make it possible to create counterfeit documents, generate deepfake faces of known or unknown individuals, or mimic the voice of a company employee.

This trend is fuelled by how easy these techniques are to use, as AI tools are now widely available, often free of charge or through a low-cost subscription. Recently, a Polish researcher demonstrated how easy it is to generate a fake passport  using an online AI tool. We are now seeing this reflected in real incidents: two French tourists, aged 28 and 26, attempted to defraud a hotel in Spain by presenting a fake “paid” invoice generated using such tools. Although this scam was foiled, many others likely go undetected.

While AI makes it easier to create false identities and sophisticated attacks, it can also be a powerful tool for strengthening security. Artificial intelligence should not be reduced to a source of threat; it is also part of the response to these new types of fraud.

A recent attempt to open accounts using a fake Italian passport was stopped thanks to our artificial intelligence algorithms,” explains Fabrice Aresu. “The AI system spotted the anomaly, proving that technology can be a valuable ally.” The rapid adoption of AI constantly shifts the power dynamic. Each technological advance simultaneously generates legitimate uses – and malicious ones.

A delicate balance between security and user experience

While cyberthreats are both real and growing, end-user expectations create a paradox that is often difficult to manage. According to the 2025 Thales Digital Trust Index, more than 75% of users prefer passwordless authentication, attracted by the speed of biometric processes or the simplicity of mobile-only experiences.

Yet, in the same study, 64% of consumers said their trust in a brand would increase significantly if it adopted innovative or advanced technologies to strengthen data protection. Users therefore want both a frictionless experience and strong security guarantees. This dual expectation highlights the complexity of today’s trade-off between user experience and data protection.

But this quest for balance runs up against another reality, with cybercriminals now exploiting this preference for simplicity by targeting the authentication mechanisms themselves. Push bombing attacks, which involve bombarding a user with authentication requests until they approve one out of sheer exhaustion, are one example. At the same time, one-time passwords (OTPs) are being bypassed with increasing frequency.

Under this pressure, some banks have taken a clear stance by introducing deliberate friction into their user journeys. Additional notifications, mandatory delays, detailed confirmation screens – all safeguards that slow down the process, but heighten user vigilance. As our CEO puts it: “This slight step back in user experience is intentional; removing even one factor would open a major breach.

In response to this trend, we offer a concrete solution. As a Qualified Trust Services Provider, we issue certified digital identities, develop authentication journeys that preserve user experience and continuously monitor fraud signals, to block attacks proactively.

Securing tomorrow’s trusted services

The widespread use of digital services places cybersecurity at the core of every interaction – opening an account, signing electronically or accessing an online service. In today’s environment, digital identities and authentication mechanisms have become prime targets for cybercriminals, whose methods are constantly evolving.

For Fabrice Aresu, the response cannot be static; it must continuously anticipate emerging attack patterns. “Our role is to stay one step ahead, anticipating threats, not waiting for them to materialise, and delivering trust services that guarantee both security and fluidity.

This is why we see trust services not only as an additional layer of protection, but also as a key enabler of digital trust in an ever-changing environment.