Fraud Strategies

Organized Fraud Requires an Organized Response

February 16, 2018

Recently, I had the opportunity to present side-by-side with Brett Johnson.

For those who don’t know, Brett is referred to by the United States Secret Service as “The Original Internet Godfather.” He’s been a central figure in the cyber crime world for almost 20 years, developing many areas of online fraud still seen in operation today.

Learning more about Brett’s story has been fascinating to me. Specifically in that his roots started out in petty crime, but as he grew older and more experienced, he became the leader of an online fraud ring. Groups such as these rely on online fraud forums to communicate and coordinate attacks.

One of these forums (later closed by authorities) was home to over 10,000 members.

Imagine that — 10k people working systematically to defraud your business

It’s funny to think that at certain points, Brett and myself were on opposite sides of the table.

In my previous role, it was part of my job to join forces with merchants and financial institutions to develop stronger fraud prevention capabilities.

While I was spent a lot of time and energy to build effective controls, Brett was just as hard at work on the other side finding ways to exploit and penetrate our vulnerabilities.

These fraudsters test every mechanism, defense and barrier

The main result of sustained, methodical probing at scale is that fraudsters know not only exactly which companies are vulnerable to attacks, but also how and when they should make their moves.

This is why I believe that assessing fraud risk exposure, regardless of current fraud losses, is so critical for companies doing business online.

Here’s an example: A group of fraudsters were able to determine a process where they could easily retrieve money from a bank. For a period of six months, this group of fraudsters were able to net USD 1,000 each week.

Put in perspective, total losses were less than USD 30,000. While these losses may not seem monumental, the vulnerabilities exposed would have severe ramifications.

Because as word spread about this particular bank’s weak point, knowledge was shared amongst fraudsters at scale.

The following weekend after the initial weak point was discovered, that same bank got hit by a fraud attack that resulted in a loss of USD 2,000,000.

The life of fraud professional is not easy … but being a fraudster is

Besides building and protecting existing revenue and ensuring customers have a good experience, you have to always be looking for potential back doors.

In the bank example, it was already too late because the money was gone.

Now, one of the interesting parts is the key aspect where Brett came to recognize that stealing an identity today is easy.

In a time where data breaches have become commonplace, information and data increasingly become commodities—ones you could purchase for cheap, at that, too.

Whereas obtaining information is easy, however, controlling the email address is an entirely different challenge, one much more likely to cause issues for fraudsters.

In the case a fraudster attempts to use a customer’s real email, their window of opportunity is far too narrow, as the consumer himself will be alerted of the transaction, and might be able to stop it before it even goes through.

Similarly, taking over an account and impersonating the real customer is a complicated process, and cannot be employed at a level that’s scalable, slashing potential profits right off-the-bat.

The one thing every fraudster needs to cash out

This leads to the most common method of tackling this issue: creating a fake email address. This process is free and easy, requiring almost no time at all to create an email that *appears* to be real.

That’s why what we have created at Emailage is such a key differentiator in the risk assessment industry. We are able to cross-validate the email history and patterns of millions of emails, creating a clear picture of what a real email behaves like.

With this continuously evolving data, emails that lack salient pieces of information, or whose identity don’t quite add up are easy to identify, greatly enhancing the hitrates in cases such as CNP, chargebacks, and synthetic ID fraud in a scalable manner.

If our threats are organized, we should be too

Presenting alongside Brett was a great experience. Only a former black hat can really drive home just how organized and sophisticated these criminals are. It’s very much a wake up call.

It’s for this reason that I believe so much in what we are doing at Emailage. This new reality of fraud prevention as a revenue generator solidifies why the email address is the best data point for transactional risk assessment and identity validation.

We’ve worked very hard to provide a solution which reduces the risk of fraud while allowing for business expansion. Because this is the evolution. This is the future.

We’re in an era where you have to keep very advanced fraud rings at bay, while helping to enable new business without risk. With the right tools, you can join this fight with confidence.


I invite you to follow me on LinkedIn

Follow Emailage on LinkedIn and Twitter (@emailage)

Click here to discover how to get secure, intelligent risk assessment using just an email address. 

close-link
close-link
close-link