When a major telecommunications provider’s anti-fraud team reached out to their internal Cequence champions with an unsolicited note of thanks, the data behind it told a remarkable story. In just a matter of weeks, fraudulent account takeovers on a key set of digital consumer apps had dropped by approximately 75% — and the decline was continuing. No app changes. No friction for end users. No engineering sprint required.
This is the story of how Cequence’s behavioral intent and business logic abuse detection capabilities delivered fast, measurable fraud reduction for one of the world’s largest telecoms — and what it means for organizations facing the same challenge.
The challenge: account takeover at scale in the digital channel
For large telecoms, the digital channel is simultaneously a revenue engine and a high-value fraud target. Customers log in daily from mobile devices — iPhones, iPads, and Android smartphones — to manage their accounts, make payments, and update their plans. Attackers know this, and they work hard to systematically exploit it.
Account takeover (ATO) attacks in this environment are sophisticated. Credential stuffing bots use stolen username and password pairs to automate login attempts at scale. Device emulation tools spoof legitimate mobile device signatures. Slow-and-low attack patterns keep request volumes below thresholds designed to trigger traditional anomaly detection. The result is a steady stream of successful account compromises that fund downstream fraud such as unauthorized plan changes, SIM swap attacks, and identity theft.
This Telecom had already been working with Cequence for several years to protect its broader API and digital estate. Their dedicated fraud prevention team sought to extend that protection to a specific set of high-risk consumer applications with some specific requirements: fast deployment, measurable impact, and zero disruption to the engineering teams responsible for those apps. Enter Cequence Bot Management.
Zero friction, zero app changes — protection from day one
In most enterprise environments, deploying new security tooling against a production application means weeks or months of coordination: SDK integration, QA cycles, release management, and regression testing. Every step adds delay, and attackers don’t wait.
Cequence is architected to eliminate this problem. Because the platform operates inline at the network and API traffic layer and not inside the application, the fraud team was able to onboard their apps and activate protection without touching a single line of code. There was no engineering team involvement required and no waiting for a scheduled release window.
“Starting with the fingerprint blocking that has been going on in early February — we’re already seeing a big decrease in fraudulent account takeovers in our digital space.”
— Internal communication from the Telecom’s fraud team to Cequence champions
Protection was active from day one. The apps continued to serve legitimate customers without any change to their behavior or user experience. The only thing that changed was what the attackers experienced — and for them, the door closed quickly.
Inline protection with no SDKs, no JavaScript tags, no app modifications. Protection starts on day one.
Models the full session to identify malicious patterns, not just suspicious individual requests.
Identifies and blocks fraudulent mobile devices — including spoofed iPhone and iPad signatures — at the traffic layer.
Catches multi-step fraud flows that exploit app-specific workflows, invisible to WAFs and rate limiters.
The results: a structural shift, not a temporary dip
From early January through late February and into March, daily fraud takeover metrics moved in one direction: down. Not a temporary suppression followed by attacker adaptation, but a sustained decline driven by the implementation of Cequence’s fingerprint blocking and behavioral controls.
The account takeover rate — fraudulent events as a percentage of total transactions — offers the clearest view of the impact. In the weeks before deployment, the rate regularly spiked into high territory. After Cequence’s controls activated, that rate declined by more than 95% on the best-performing days and was trending downward overall. By early March, the rate was near-zero on most days.
| Metric | Before | After | Change |
|---|---|---|---|
| Daily ATO rate (peak) | High | Significantly reduced | ↓ ~75–95% |
| Takeover rate trend | Flat / rising | Steadily declining | Structural shift |
| Time to deploy | Months (typical SDK-based tools) | Days | Dramatically faster |
| App code changes required | — | None | Zero disruption |
Across the tracked period, the daily fraud takeover rate declined by more than 75% overall, with individual days reaching reductions of over 95%. The trend continues downward as Cequence’s models accumulate behavioral intelligence on this specific customer environment and attacker cluster.
Why behavioral intent is the difference-maker
Traditional fraud tools rely on what they know: blocklists, IP reputation, static rate limits, and signature matching. Sophisticated bot operators have adapted to all of these controls. They rotate IPs using residential proxy networks, throttle request rates to evade thresholds, and use device emulation to mimic legitimate iPhone and iPad sessions with high fidelity.
What they cannot easily fake is behavioral intent. A real user logging in from a mobile device exhibits a distinct and consistent set of behavioral patterns: how quickly they navigate, how they interact with authentication flows, how their session context builds over time. A credential-stuffing bot — even a well-configured one — betrays itself through the aggregate pattern of how it behaves across a session and across multiple API calls.
Layered on top of this is business logic abuse detection — the ability to identify multi-step attack sequences that exploit the specific workflows of an organization’s applications. Cequence’s platform is purpose-built to detect these sequences — a capability that WAFs, rate limiters, and first-generation bot tools simply do not have.
The ROI case: fraud prevention at Telecom scale
The financial and operational impact of account takeover fraud in telecommunications extends well beyond the immediate fraud event. Each compromised account generates downstream costs: customer support time to investigate and remediate, the cost of identity verification and account recovery, potential regulatory liability, and the brand damage that comes from a customer whose account was taken over by a bad actor.
When those events are reduced by roughly three-quarters, across a targeted set of high-value digital apps, within weeks of deployment, with no engineering investment, the ROI calculus is straightforward. The team responsible for that fraud saw the numbers improve and reached out to thank the team that made it happen.
Importantly, there was no increase in false positives blocking legitimate customers, no CAPTCHA friction introduced into the authentication flow, no slowing of the app or degradation of user experience. Legitimate users continued to transact normally. Only the fraudulent traffic was impacted.
What other Telecom fraud and security teams should take away
Speed of deployment is a competitive advantage.
Attackers iterate in days, not quarters. A protection platform that requires months of engineering integration before it can respond to live attack campaigns is a platform that loses. Cequence’s architecture means protection starts the day you onboard.
Device signals alone are insufficient.
Device fingerprinting is a necessary component of mobile fraud defense, but it is not sufficient on its own. Sophisticated attackers emulate legitimate device profiles. Behavioral intent analysis closes the gap that fingerprinting alone cannot close.
Business logic is your biggest blind spot.
No WAF rule catches an attacker who understands how your API workflows function and exploits that knowledge. Cequence’s business logic abuse detection builds a model of what legitimate use of your API looks like and flags everything that deviates — even when each individual request appears completely normal.
Learn how Cequence can stop bot attacks in their tracks with behavioral intent. Request a personalized demo today.
