
Guest post by Alexander Hall

Disclaimer: 
In today's article, we present a unique perspective often concealed – that of a former high-level fraudster turned Fraud Defense consultant, Alexander Hall. With his extensive experience, the author sheds light on the tactics and strategies employed by those on the other side of the battle against financial crime. 

 We have seen a steady rise in data breaches and mail theft across the United States. This increase is flooding criminal marketplaces with sensitive information, supporting countless fraudulent methods. In this article, Alexander Hall shares his unique insight from his time operating as a fraudster and provides actionable preventative measures your company can deploy today. 

Breaches and Mail Theft - Feeding the Abyss 
For the last several years, data breaches have been the primary concern for the influx of stolen information on criminal marketplaces. These breaches provide fraudsters with an array of sensitive data: payment information, login credentials, account information, and most importantly, personally identifiable information (PII). The PII of potential victims with valuable credit profiles and/or well-funded accounts appeals to fraudsters as it can be employed in a wide range of methods, yielding valuable returns. 

Following closely behind, and rising quickly, is mail theft. Where PII is the most valuable dataset collected through data breaches, checks are the most sought-after piece of mail. Any Google search will provide an article showcasing hundreds of checks in the hands of criminals. 

How valuable are stolen PII datasets coupled with Checks when placed in the 'right' (wrong) hands? Extremely. The formulaic puzzle has three components: PII, Checks, Methods. Speaking from my experience on the other side, here's the potential I see: 

  • Mule accounts can be created by any one of hundreds of millions of compromised identities. These mule accounts stand to be funded by any one of the stolen checks. The process is unintentionally supported by hundreds of banks, credit unions, fintechs, neobanks, challenger banks, iGaming platforms, etc. whose platforms are less than capable of identifying bad actors at the door. 
  • The fraudsters will always discover the lowest-hanging fruit. 
  • The abundance of information available for mule accounts serves two purposes: the ability to create new accounts to deposit into/transfer out of and insulation from the last documented transaction. Leveraging PII for insulation is a very powerful tool employed by fraudsters and effectively sends investigation teams on a wild goose chase. 
  • The common nature of mailed checks exposes organizations from all over the marketplace to a number of check-related frauds. The majority of the general public (along with novice fraudsters) believe that a stolen check is only worth the amount printed or written on the check. Advanced fraudsters have tactics which serve to drain accounts through calculated execution. 
  • The platforms that accept or transact with ACH or check elements are innumerable. I'll reiterate: The fraudsters will always discover the lowest-hanging fruit. 

Methods from my past, leveraging compromised PII and Checks: 
Here are overviews of the three most relevant methods from my former life: 

  1. Identity Theft:  The successful theft of an identity has five requirements: Association of superficial information, Access to the credit report, Injection of Credit Information, Control of the credit profile. Once achieved, the fraudster effectively has complete control over the target identity, opening the door to virtually any defined method.
  2. 3rd Party ATOs: One valuable profile and one "less-than-valuable" profile are used in conjunction to drain the funds from an established account into an unrelated account. The less-than-valuable profile is worked through to a point wherein a new bank/fintech account can be established. This account is linked to an established account via micro-deposits. The micro-deposits are verified by accessing the transaction history (typically accessed through an automated phone system) - traditional account takeovers need not apply. By tracking the spending habits of the funding accounts, fraudsters can mask their transactions, extending the longevity of the exploit.
  3. Draining of Compromised Accounts (Checks): A counterfeit check operation is exceedingly cheap to build. Because of this, fraudsters can get up and running pretty quickly. Washing a check and using it for mobile deposit or for payment/cashing is already a headache for many institutions. Creating a batch of counterfeit checks and mimicking the check spending behavior is more reliable and more viable for fraud operations. To achieve this, fraudsters need to get ahold of associated PII and track the transaction history.
     

So what do we do? Proactive strategy development 
My clients come to me to solve a laundry list of fraud-related issues ranging from identity theft to ATOs, automated card verifications, check fraud, and a great deal more. The strategy development process is much less demanding than most assume and there is plenty of work that can be handled in-house, while navigating compliance and regulatory demands. 

Similar to retail theft, fraudsters are looking for any part of your operation where you don't have coverage. They will troubleshoot every available touchpoint and are armed with the information needed to put through numerous iterations within an hour (if they are determined to find the weakness specific to your organization). 

Step 1: Identify Your Touchpoints 
Proactively identify every touchpoint wherein a user can transact with/manipulate the back-end of your operation. Common touchpoints for FIs include Account Creation - Login - Deposits - Withdrawals - Payments (Cards and Checks) - Credit Lines/Loans - Customer Service - Chargebacks. 

Once identified, it becomes much easier to build a list of precedence and move on to... 

Step 2: In-House Data 
Build in-house data for each touchpoint with the intention of quickly identifying suspicious patterns. At this point, I typically suggest the deployment of two different datasets: one for all performance, one for escalations/suspicious activity. Once we know what suspicious behavior looks like for each touchpoint and have the data in place to identify suspicious patterns, we will then know the volume of processing required by our team and can move to... 

Step 3: Automation 
Once we know what we need, we know what we are looking for as we begin to qualify technology vendors with the intention of taking the heavy lifting off our team's shoulders. Once automated, it's important to work with your account managers to refine your models as needed and work in tandem to squeeze as much ROI out of each engagement as possible. 

Automation and data aggregation go hand-in-hand. Expanding beyond in-house data provides a massive boost to the accuracy of your determination process and ability to accurately identify users who would otherwise be categorized as "First Seen." 

Reflecting on my experience as a fraudster, I am well aware of how effective fraudsters can be at manipulating information and submitting what seems to be accurate information for engagements. Because of this, I often find myself leaning toward what I consider "passive" data sets for determinations. A passive dataset is one which is not submitted by the user. Examples include behavioral analytics, geolocation, and device fingerprinting. 

Now we're off to the races... with one step left: 

Step 4: Repeat 
Successful organizations are constantly adjusting policies, introducing new product lines, adjusting for low-friction environments, etc. It's important that your fraud teams evaluate these new processes for possible exposures. 

The process starts again... 
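
To make Steps 1 and 2 concrete, here is an added example (not code from the author or from FiVerity) that tags events by touchpoint, keeps one dataset for all performance and one for escalations, and flags events using only passive signals. The event fields, the two rules and the threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, in time order. Field names are assumptions for
# this example; "device" and "geo" are passive signals (not typed by the user).
EVENTS = [
    {"id": 1, "touchpoint": "account_creation", "user": "u1", "device": "dev-A", "geo": "US-TX"},
    {"id": 2, "touchpoint": "account_creation", "user": "u2", "device": "dev-B", "geo": "US-NY"},
    {"id": 3, "touchpoint": "account_creation", "user": "u3", "device": "dev-B", "geo": "US-NY"},
    {"id": 4, "touchpoint": "account_creation", "user": "u4", "device": "dev-B", "geo": "US-NY"},
    {"id": 5, "touchpoint": "deposit", "user": "u1", "device": "dev-A", "geo": "US-TX"},
    {"id": 6, "touchpoint": "withdrawal", "user": "u1", "device": "dev-C", "geo": "US-FL"},
    {"id": 7, "touchpoint": "deposit", "user": "u3", "device": "dev-B", "geo": "US-NY"},
]

def build_datasets(events, max_users_per_device=2):
    """Return (performance, escalations): every event, and the flagged subset."""
    # Batch view: how many distinct users each device fingerprint touched.
    users_by_device = defaultdict(set)
    for e in events:
        users_by_device[e["device"]].add(e["user"])

    known = defaultdict(set)  # user -> (device, geo) pairs seen so far
    performance, escalations = [], []
    for e in events:
        reasons = []
        # Rule 1: one device behind many identities (possible mule accounts).
        if len(users_by_device[e["device"]]) > max_users_per_device:
            reasons.append("device_shared_by_many_users")
        # Rule 2: money leaving from a device/geo pair this user never used.
        seen = known[e["user"]]
        if e["touchpoint"] == "withdrawal" and seen and (e["device"], e["geo"]) not in seen:
            reasons.append("withdrawal_from_unseen_device_geo_pair")
        seen.add((e["device"], e["geo"]))
        performance.append(e)
        if reasons:
            escalations.append({**e, "reasons": reasons})
    return performance, escalations

def escalations_by_touchpoint(escalations):
    """Count escalations per touchpoint to size the review workload."""
    counts = defaultdict(int)
    for e in escalations:
        counts[e["touchpoint"]] += 1
    return dict(counts)
```

The per-touchpoint counts are the "volume of processing" figure from Step 2, which is what you bring to vendor conversations in Step 3.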

Up Next: 
Join us on December 14th @ 2pm ET as FiVerity CEO Greg Wolff and I co-host a fireside chat and open dialogue about the current landscape of fraud, the exposures to be aware of, and how to integrate behavioral analytics into your fraud prevention strategy. 

Be proactive, my friends. 
