A dark, minimalist landscape image featuring a modern smartphone standing upright. The phone’s screen displays the text “ZERO TRUST FOR WEB LINKS” in bold white lettering against a black background.

December phishing will show banks and payment companies why PSD3’s refund mandate will hurt and why their exposure is far bigger than they think

By the end of this article you’ll understand why fraud, account takeovers, and data theft keep rising, why all of today’s conventional security systems are failing to protect everyone from new phishing scams, and why Zero Trust for web links is now the only way for EU banks and payment companies to meet their PSD3 obligations and protect customers before harm occurs.

The December pattern

During this December we’ll see the same pattern we saw in December 2024, 2023, 2022, and every year before it. Millions of people will face new fake delivery updates, security alerts, charity appeals, shopping deals on Facebook, account warnings, QR codes, and app downloads that have never appeared in any scam or targeted attack before. And because the phishing links inside them are new and unreported, every security system will treat them as safe. People will get caught, accounts will get taken over, companies will be breached and have their customer data stolen, and billions of dollars will disappear.

The annual loop defenders can’t escape

  1. When January arrives, banks, payment companies, tech companies, security vendors, and law enforcement will investigate the scams that worked in December.
  2. They’ll study the patterns, map the attack paths, and produce future risk assessments in the hope that analysing yesterday’s evidence will help them predict tomorrow’s incidents.
  3. But while defenders are analysing December in January, criminals will already be doing the same thing in January with new messages, new apps, new QR codes, and millions of new phishing links.
  4. Those will become the successful attacks everyone studies in February.
  5. And in February criminals will create a completely new wave again.

The cycle never stops.

Why phishing keeps rising

Every year since 2016 has been recorded as the worst year on record for phishing because we’re investigating landmines after people step on them. This is why cybercrime costs the world $1 trillion dollars a year today and is predicted to surge to $15 trillion by 2029. So if you think the wave of fraud and account takeovers is bad now, it’s on track to become 15 times worse over the next 4 years. It’s growing exponentially with no evidence that conventional security or human “vigilance” will slow it down.

The logic is simple. 90% of all cyberattacks start with phishing, and almost all phishing starts with a link.

Mixpanel, OpenAI, and the new link problem

A screenshot from The Register shows a news headline announcing that OpenAI has terminated its partnership with Mixpanel following an analytics leak that exposed API users. The subheading notes that OpenAI has placed other vendors under review. The article is authored by Connor Jones and dated Thu 27 Nov 2025 at 15:45 UTC.

We see the same pattern in high profile incidents. Mixpanel, a major analytics provider, failed to protect staff from a targeted SMS phishing attack that used a new link. Because the link had no history, every system assumed it was safe. Attackers gained access to customer data belonging to OpenAI and multiple other companies. OpenAI publicly denounced the failure and cancelled the contract. No matter what new precautions OpenAI or any new partner adds now, none of it reduces their exposure to the same type of attack.

The threat everyone faces every day

This is the same threat every person and organisations faces every day. Dangerous links inside SMS messages, emails, social apps, business apps, QR codes, and now chatbots. And we all know that today’s conventional security is failing because every bank, every regulator, every security vendor, every telecom operator, and every employer tells people to “stay vigilant” and “check links“. That advice is the evidence.

💡 If protection worked, people would never need to act as human firewalls.

We need an entirely new approach. And this is where there’s finally light at the end of the tunnel.

Zero Trust for links changes everything

Zero Trust” is widely considered the gold standard and a best practice for modern cybersecurity. It represents a fundamental shift in philosophy to a never trust, always verify approach. It doesn’t rely on history or pattern matching. It verifies everything before trust is granted. And MetaCert is still the first and only company to apply the concept of Zero Trust to web links, the single chokepoint for most cyberattacks. Why invest in an expensive Zero Trust framework when you can stop most attacks before anyone even reaches the point of opening a link?

Zero Trust for phishing must apply Zero Trust to the URL. There’s no other way to remove the point where almost every attack begins. Anyone claiming Zero Trust protection without authenticating the link itself either misunderstands Zero Trust or is offering a comforting illusion. This is the only approach that’s effective and reliable.

How it works in practice

Zero Trust for web links assumes every link is untrusted unless verified as legitimate.

Link Verifier is MetaCert’s newest innovation, installed through the phone’s share menu so it works inside every app without reading any messages or webpages. It gives people a simple way to check the authenticity of any link in any text, email, app, browser, or chatbot before they open it. When a link matches MetaCert’s database of verified legitimate sites and services, the person sees a clear confirmation. Similar to the concept of threat detection, but the complete opposite.

Banks can now give this protection to every customer simply by adding the Link Verifier SDK to their own mobile app. Once included in an app update, Link Verifier is delivered instantly to every customer and becomes available across the entire mobile experience without any extra installation. Banks can now automatically deliver Zero Trust Mobile Security to every employee and every customer.

What people say once they experience Zero Trust for web links

The feedback is consistent. Once people experience Zero Trust for web links, they’ll never return to conventional security. It mirrors a familiar pattern. People who have never owned an automatic car often insist they’d never leave a manual gearbox. People who have never driven an electric car often say they’d never give up petrol or diesel. Yet once they make the switch, they rarely go back. Zero Trust creates the same shift. Once people see what safe actually feels like, old security suddenly looks outdated and unnecessary.

For banks and payment companies, Zero Trust for web links and Link Verifier provides something critical. It gives a clear, provable control that shows they took every reasonable step to protect customers from fraud, which strengthens their PSD3 position and removes the liability created by unverified links.

Finally, the security industry has finally stepped up with a solution that everyone can rely on.

What happens when an unreported dangerous link is checked

Two iPhones side by side. The left screen shows an SMS phishing message with a suspicious DHL link and the share menu open, highlighting the option “Verify Link with Mackie Mobile.” The right screen shows the verification result from Mackie Mobile, warning that the link is not verified and advising caution.

When an unknown dangerous link is checked with Link Verifier before it’s opened, the entire attack chain collapses. No account takeover. No fraudulent payment. No stolen data. No breach to investigate next month. Nothing to analyse, nothing to chase, and nothing to explain to regulators or customers. It becomes almost impossible for anyone to fall for fraud because if a customer forgets or chooses not to check a link, that’s their own decision.

And if they do open a link, there’s a second layer of protection. A shield appears automatically at the side of the browser and turns from neutral to clear warning when the page is verified, unverified, or classified as dangerous, giving people one last moment to stop before any harm can occur.

Based in the US, Mackie Mobile will soon be the first mobile network operator to build its entire service around customer security and privacy, offering full Zero Trust mobile protection by providing Link Verifier turned on by default for every business and subscriber.

Why the world hasn’t heard of this yet

When we provide demos, people are immediately impressed and sometimes, they ask why the whole world doesn’t already know about it. Our response is always the same. Thank you. That is the biggest compliment anyone can give us because it shows they understand how real innovation works. Very few people knew about OpenAI before ChatGPT despite the fact the company had existed for years. Once ChatGPT launched, the entire world became instant experts in AI.

Link Verifier is to MetaCert what ChatGPT was to OpenAI. Once Mackie Mobile and our other early partners go live with this model, people will suddenly question every legacy security product that still treats links as safe until proven otherwise. The shift will feel immediate even though the work that made it possible took years and years to build.

Recognition and momentum

This is the innovation that won MetaCert the Established Trendsetter award at Sibos 2025, hosted by SWIFT. It was recognised as the first major upgrade to phishing protection in twenty years and the model that will define the future of fraud prevention across banking and payments.

PSD3 and why Zero Trust is now essential

And the timing couldn’t be more important. The EU just agreed on language for PSD3 and the new Payment Services Regulation. For the first time, banks and payment companies will be liable when customers fall for fraud unless they fail to implement appropriate prevention mechanisms. Instant payments remove the time buffer that once allowed banks to intervene after a transaction was authorised. If a customer is deceived by a fake link, the bank will now carry the loss. The new rules demand stronger authentication, mandatory verification, and a demonstrable effort to prevent impersonation fraud. Telling customers to stay vigilant without giving them a practical way to verify what they see will no longer count as a demonstrated effort to prevent impersonation fraud.

Soon, everyone will recognise how misguided it was for today’s security systems to treat every link as safe until proven otherwise. We’ll look back and wonder why we expected people to spot impersonation attacks that technology was supposed to prevent but never could.

Zero Trust link protection is the only approach that aligns with the intent of PSD3. If banks want to cut their exposure to risk and liability, protect their customers, and prove they’ve taken every reasonable step, they need a new approach that stops attacks before they begin rather than one that continues to chase the past.

The world is changing faster than detection can cope. Zero Trust for web links changes the architecture entirely. And that’s how we finally break the loop.

Until you install Link Verifier, stay vigilant. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay informed with MetaCert’s latest updates, expert analysis, and real examples exposing how digital deception works and how it can be stopped.

A dark, minimalist landscape image featuring a modern smartphone standing upright. The phone’s screen displays the text “ZERO TRUST FOR WEB LINKS” in bold white lettering against a black background.

December phishing will show banks and payment companies why PSD3’s refund mandate will hurt and why their exposure is far bigger than they think

By the end of this article you’ll understand why fraud, account takeovers, and data theft keep rising, why all of today’s conventional security systems are failing to protect everyone from new phishing scams, and why Zero Trust for web links is now the only way for EU banks and payment companies to meet their PSD3 obligations and protect customers before harm occurs.

The December pattern

During this December we’ll see the same pattern we saw in December 2024, 2023, 2022, and every year before it. Millions of people will face new fake delivery updates, security alerts, charity appeals, shopping deals on Facebook, account warnings, QR codes, and app downloads that have never appeared in any scam or targeted attack before. And because the phishing links inside them are new and unreported, every security system will treat them as safe. People will get caught, accounts will get taken over, companies will be breached and have their customer data stolen, and billions of dollars will disappear.

The annual loop defenders can’t escape

  1. When January arrives, banks, payment companies, tech companies, security vendors, and law enforcement will investigate the scams that worked in December.
  2. They’ll study the patterns, map the attack paths, and produce future risk assessments in the hope that analysing yesterday’s evidence will help them predict tomorrow’s incidents.
  3. But while defenders are analysing December in January, criminals will already be doing the same thing in January with new messages, new apps, new QR codes, and millions of new phishing links.
  4. Those will become the successful attacks everyone studies in February.
  5. And in February criminals will create a completely new wave again.

The cycle never stops.

Why phishing keeps rising

Every year since 2016 has been recorded as the worst year on record for phishing because we’re investigating landmines after people step on them. This is why cybercrime costs the world $1 trillion dollars a year today and is predicted to surge to $15 trillion by 2029. So if you think the wave of fraud and account takeovers is bad now, it’s on track to become 15 times worse over the next 4 years. It’s growing exponentially with no evidence that conventional security or human “vigilance” will slow it down.

The logic is simple. 90% of all cyberattacks start with phishing, and almost all phishing starts with a link.

Mixpanel, OpenAI, and the new link problem

A screenshot from The Register shows a news headline announcing that OpenAI has terminated its partnership with Mixpanel following an analytics leak that exposed API users. The subheading notes that OpenAI has placed other vendors under review. The article is authored by Connor Jones and dated Thu 27 Nov 2025 at 15:45 UTC.

We see the same pattern in high profile incidents. Mixpanel, a major analytics provider, failed to protect staff from a targeted SMS phishing attack that used a new link. Because the link had no history, every system assumed it was safe. Attackers gained access to customer data belonging to OpenAI and multiple other companies. OpenAI publicly denounced the failure and cancelled the contract. No matter what new precautions OpenAI or any new partner adds now, none of it reduces their exposure to the same type of attack.

The threat everyone faces every day

This is the same threat every person and organisations faces every day. Dangerous links inside SMS messages, emails, social apps, business apps, QR codes, and now chatbots. And we all know that today’s conventional security is failing because every bank, every regulator, every security vendor, every telecom operator, and every employer tells people to “stay vigilant” and “check links“. That advice is the evidence.

💡 If protection worked, people would never need to act as human firewalls.

We need an entirely new approach. And this is where there’s finally light at the end of the tunnel.

Zero Trust for links changes everything

Zero Trust” is widely considered the gold standard and a best practice for modern cybersecurity. It represents a fundamental shift in philosophy to a never trust, always verify approach. It doesn’t rely on history or pattern matching. It verifies everything before trust is granted. And MetaCert is still the first and only company to apply the concept of Zero Trust to web links, the single chokepoint for most cyberattacks. Why invest in an expensive Zero Trust framework when you can stop most attacks before anyone even reaches the point of opening a link?

Zero Trust for phishing must apply Zero Trust to the URL. There’s no other way to remove the point where almost every attack begins. Anyone claiming Zero Trust protection without authenticating the link itself either misunderstands Zero Trust or is offering a comforting illusion. This is the only approach that’s effective and reliable.

How it works in practice

Zero Trust for web links assumes every link is untrusted unless verified as legitimate.

Link Verifier is MetaCert’s newest innovation, installed through the phone’s share menu so it works inside every app without reading any messages or webpages. It gives people a simple way to check the authenticity of any link in any text, email, app, browser, or chatbot before they open it. When a link matches MetaCert’s database of verified legitimate sites and services, the person sees a clear confirmation. Similar to the concept of threat detection, but the complete opposite.

Banks can now give this protection to every customer simply by adding the Link Verifier SDK to their own mobile app. Once included in an app update, Link Verifier is delivered instantly to every customer and becomes available across the entire mobile experience without any extra installation. Banks can now automatically deliver Zero Trust Mobile Security to every employee and every customer.

What people say once they experience Zero Trust for web links

The feedback is consistent. Once people experience Zero Trust for web links, they’ll never return to conventional security. It mirrors a familiar pattern. People who have never owned an automatic car often insist they’d never leave a manual gearbox. People who have never driven an electric car often say they’d never give up petrol or diesel. Yet once they make the switch, they rarely go back. Zero Trust creates the same shift. Once people see what safe actually feels like, old security suddenly looks outdated and unnecessary.

For banks and payment companies, Zero Trust for web links and Link Verifier provides something critical. It gives a clear, provable control that shows they took every reasonable step to protect customers from fraud, which strengthens their PSD3 position and removes the liability created by unverified links.

Finally, the security industry has finally stepped up with a solution that everyone can rely on.

What happens when an unreported dangerous link is checked

Two iPhones side by side. The left screen shows an SMS phishing message with a suspicious DHL link and the share menu open, highlighting the option “Verify Link with Mackie Mobile.” The right screen shows the verification result from Mackie Mobile, warning that the link is not verified and advising caution.

When an unknown dangerous link is checked with Link Verifier before it’s opened, the entire attack chain collapses. No account takeover. No fraudulent payment. No stolen data. No breach to investigate next month. Nothing to analyse, nothing to chase, and nothing to explain to regulators or customers. It becomes almost impossible for anyone to fall for fraud because if a customer forgets or chooses not to check a link, that’s their own decision.

And if they do open a link, there’s a second layer of protection. A shield appears automatically at the side of the browser and turns from neutral to clear warning when the page is verified, unverified, or classified as dangerous, giving people one last moment to stop before any harm can occur.

Based in the US, Mackie Mobile will soon be the first mobile network operator to build its entire service around customer security and privacy, offering full Zero Trust mobile protection by providing Link Verifier turned on by default for every business and subscriber.

Why the world hasn’t heard of this yet

When we provide demos, people are immediately impressed and sometimes, they ask why the whole world doesn’t already know about it. Our response is always the same. Thank you. That is the biggest compliment anyone can give us because it shows they understand how real innovation works. Very few people knew about OpenAI before ChatGPT despite the fact the company had existed for years. Once ChatGPT launched, the entire world became instant experts in AI.

Link Verifier is to MetaCert what ChatGPT was to OpenAI. Once Mackie Mobile and our other early partners go live with this model, people will suddenly question every legacy security product that still treats links as safe until proven otherwise. The shift will feel immediate even though the work that made it possible took years and years to build.

Recognition and momentum

This is the innovation that won MetaCert the Established Trendsetter award at Sibos 2025, hosted by SWIFT. It was recognised as the first major upgrade to phishing protection in twenty years and the model that will define the future of fraud prevention across banking and payments.

PSD3 and why Zero Trust is now essential

And the timing couldn’t be more important. The EU just agreed on language for PSD3 and the new Payment Services Regulation. For the first time, banks and payment companies will be liable when customers fall for fraud unless they fail to implement appropriate prevention mechanisms. Instant payments remove the time buffer that once allowed banks to intervene after a transaction was authorised. If a customer is deceived by a fake link, the bank will now carry the loss. The new rules demand stronger authentication, mandatory verification, and a demonstrable effort to prevent impersonation fraud. Telling customers to stay vigilant without giving them a practical way to verify what they see will no longer count as a demonstrated effort to prevent impersonation fraud.

Soon, everyone will recognise how misguided it was for today’s security systems to treat every link as safe until proven otherwise. We’ll look back and wonder why we expected people to spot impersonation attacks that technology was supposed to prevent but never could.

Zero Trust link protection is the only approach that aligns with the intent of PSD3. If banks want to cut their exposure to risk and liability, protect their customers, and prove they’ve taken every reasonable step, they need a new approach that stops attacks before they begin rather than one that continues to chase the past.

The world is changing faster than detection can cope. Zero Trust for web links changes the architecture entirely. And that’s how we finally break the loop.

Until you install Link Verifier, stay vigilant. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay informed with MetaCert’s latest updates, expert analysis, and real examples exposing how digital deception works and how it can be stopped.

Recent blog posts