Jerome Dangu, CTO and Cofounder

 •  3 minute read

Verification Is a Step. The Industry Needs the Whole Staircase.

Google's expanded verification requirements, Ofcom's proposed scam advertising rules, and tightening European regulatory scrutiny all point in the same direction: stronger identity verification. But verifying who enters the ecosystem is only the first step toward reducing risk.

On July 23, Google's expanded financial advertiser verification requirements take effect across the European Union. It is the latest response to growing regulatory pressure over financial scams and a broader push for stronger identity controls in digital advertising.

This is a necessary move. Verification genuinely matters because it increases attacker friction at scale. Google's program has already blocked or removed hundreds of millions of unauthorized financial services ads globally, proving that raising the barrier to entry makes the ecosystem harder to exploit. But raising the cost isn't the same as removing the incentive. Threat actors adapt to maximize profit. As long as the economics continue to work in their favor, they'll continue to evolve.

Identity verification only changes the scope of the problem, it doesn't solve it. It proves who is attempting to advertise when they enter the system, but not who they are and what they do after they get in.

One illustration of why this distinction matters. Google's program allows certain "Approved Third-Party Advertisers" to run campaigns on behalf of a verified financial entity or to apply for approval if the Advertiser is not approvable themselves. This institutionalizes a chain of trust that is shared between Google and the specialized third party, G2, they’ve chosen to support them. But like any chain, it is only as strong as its weakest link.

Not only will approval create a target on the back of the account holders who are approved, hacked accounts with pre-approval can most easily spit out fake investment opportunities. But Google has also had to clarify with precision what level of plausible deniability an entity needs to meet if they wish to play the long con. That long con of having a clean front of house and a swindling operation in the back room is very lucrative. With the data of identity assessment and behavior assessment now split between two different entities, it becomes easier too.

That's the limitation of identity-based security. It establishes trust at the point of entry. Risk emerges through what happens after onboarding.

Regardless of how they get through, threat actors don't sit still once they pass the gate. Our threat intelligence shows they adapt almost immediately—flipping domains, swapping out landing pages via cloaking, and shifting distribution paths the second they are onboarded. They also build deep redundancy. If one account is disrupted, another is already warm.

We saw this play out with threat actor D-Shortiez. As parts of its infrastructure were exposed, the operation continued through parallel campaign clusters and newly staged infrastructure, keeping scam campaigns moving even as individual assets were disrupted. The account changed. The media channels changed. The operation monetizing via scams survived.

Recent regulatory developments are beginning to reflect this reality. Google's requirements focus on pre-flight identity. Google's expanded verification requirements focus on identity before advertising begins. In the UK, Ofcom's proposed Online Safety Act measures require platforms to prevent scam advertisers from returning, reduce account hijacking, strengthen fraud reporting, and demonstrate that their controls reduce harm. At the same time, the European Commission's expanding scrutiny of systemic platform risk includes penalties of up to 6% of global annual revenue for failing to meet Digital Services Act obligations.

Google deserves strong credit for pushing verification further than much of the industry has today. But the broader ecosystem remains fragmented. As Check My Ads recent advertiser verification report demonstrates, major advertising platforms still apply highly inconsistent verification requirements and enforcement approaches. Stronger verification on one platform is meaningful progress. It is far from being  an industry standard.

This regulatory shift changes the economics of investment scams. Platforms now have liability-driven incentives to invest in continuous prevention rather than reactive remediation.

Adversarial threat actors will respond by optimizing for cost, scale, and probability of success. When one environment becomes too expensive to exploit, they will simply migrate to platforms where enforcement is weaker and accountability is lower.

Security controls do not eliminate risk; they redistribute it. The next phase for digital advertising cannot just be about verifying more advertisers. It must be about reducing exposure across the entire lifecycle.

If identity verification is the first step, continuous, post-onboarding behavioral monitoring is how we build the rest of the staircase.