#83 - Good customers are messy. Fraudsters are not.
“If I haven't seen you before, that becomes a stronger and stronger negative signal.”
The latest TSFS pod just dropped, this time featuring Cy Khormaee - founder of Aegis AI and former product lead for reCAPTCHA at Google.
Cy and I talked about how fraud prevention and cyber security teams are siblings. Close enough to look alike, but not the same thing.
But one thing Cy said really resonated with me because it guided me through my entire career. While bad actors operate with design and intent, good users are messy.
It made me think about how fraudsters and scammers are different from one another.
Scammers tend to “telegraph” fraud signals to “help” the more alert victims filter themselves out so they don’t spend time and effort on them.
Bad grammar, ridiculous claims, funky email domains - you’ve seen the signs.
But fraudsters tend to behave exactly the opposite.
They aren’t trying to fool human victims, but whole systems. Automated, alert, and built to catch exactly what they're doing. That requires precise execution, not intentional sloppiness.
So instead of looking suspicious, they go to extreme lengths to look clean. Normal.
And that's a tell.
Real users leave a mess behind
A legitimate user has a digital life they've never thought to curate or hide.
An email they've had since 2012, registered on a dozen platforms. A phone number tied to their bank or their food delivery app. Browser cookies from three devices they haven't thought about in years.
Fraudsters show up with none of that.
They will try to disconnect each attempt from their infrastructure using disposable emails, burner phones, and freshly scrubbed devices.
Or as Cy brilliantly put it: “if you walk into a bank with a ski mask on? Well, that's immediately gonna raise a bunch of questions, right?”
But ironically, fraud teams are obsessed with finding negative data instead of treating the absence of data as the signal itself.
As I once wrote, if you work with data enrichment vendors, your aim should be to establish user history - meaning, proving they’re legit - rather than looking for fraud connections.
In most cases you won’t find them.
Instead, you should look for the absence of a messy past.
Real users make mistakes
When a real user fills in a form, they're typing it all up - their name, phone, email, and address.
Half the time they're on their phone. So the chance they'll accidentally mistype something isn’t huge, but it definitely happens. Would they notice? Would they double check?
But a fraudster filling in stolen data is going to do that programmatically - either by manually copy-pasting it, or through some form of automation.
And if it’s the former, they will double check everything before submission.
The chance they’ll mess it up is slim.
Does that mean you should block any user that has immaculate inputs? No, that would be silly.
But when someone mistypes an input, that can actually be considered a sign that they are not a fraudster. It’s a sign of a messy user being sloppy.
Is that a strong enough signal to automatically approve such users? Probably not, and you definitely don’t want to train your fraudsters on how to easily bypass your defenses.
But when I review a case manually and I see something like that, I tend to look at it positively.
Real users wander
A legitimate session is messy.
A user lands on a product page, backtracks to search, adds something to their cart they don't buy, spends two minutes on the FAQ page, and abandons the session before coming back an hour later.
What looks like confusion is actually a representation of the user’s full decision-making process.
But a fraudster's session is efficient: go to the product page. Checkout. Done.
More than efficient - it is intentful.
The decision-making process was done off-platform. What we’re seeing is the execution.
The thing is, we tend to associate behavioral analytics and user journeys with bot detection. And that’s true, but it’s not only about that.
Fraudsters cannot fake confusion, hesitation, or evaluation. Not when they program bots, but also not when they execute fraud manually.
Messy user journeys are a major sign you’re dealing with a real user.
The bottom line
These are just three examples. The real question is what this pattern looks like in your system.
Where does legitimate user behavior leave fingerprints of imperfection - hesitation, inconsistency, the organic noise that real people generate without thinking about it?
And on the other side: where does something look suspiciously intentful? Too efficient. Too clean. Too precise for someone with nothing to hide.
Fraudsters optimize to dissociate themselves from fraud, not to look like good users. And that optimization has a shape - it shows up in their data entry, their session behavior, and their identity trail.
I guarantee that once you start looking for it in your own system, you'll find it in places you didn't expect.
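As an added example (not part of the original newsletter or the podcast), here is one way to gather the three kinds of evidence discussed above into notes for a manual reviewer. The field names, the 365-day threshold and the page labels are assumptions, and both sample cases are constructed.

```python
from dataclasses import dataclass

@dataclass
class Case:
    email_age_days: int         # first-seen age from an enrichment vendor, 0 = never seen
    phone_linked_services: int  # other services the phone number is known on
    known_device: bool          # device or cookie seen on the platform before
    fields: list                # (field, "typed" | "pasted", corrections made)
    pages: list                 # ordered page types visited before checkout
    sessions: int               # separate visits leading up to the order

DIRECT_PATH = {"product", "checkout"}  # assumed labels for the straight-to-purchase pages

def messiness_evidence(c: Case) -> dict:
    """Collect signs of an organic, uncurated user for a manual reviewer."""
    history, entry, journey = [], [], []
    if c.email_age_days >= 365:
        history.append("email has more than a year of history")
    if c.phone_linked_services > 0:
        history.append("phone number is tied to other services")
    if c.known_device:
        history.append("device was seen before")
    corrected = [f for f, how, fixes in c.fields if how == "typed" and fixes > 0]
    if corrected:
        entry.append("typed and corrected: " + ", ".join(corrected))
    detours = [p for p in c.pages if p not in DIRECT_PATH]
    if detours:
        journey.append("detours: " + ", ".join(dict.fromkeys(detours)))
    if c.sessions > 1:
        journey.append(f"came back over {c.sessions} sessions")
    evidence = {"history": history, "data_entry": entry, "journey": journey}
    # "Too clean" means no organic noise in any of the three areas. It is a
    # prompt for closer review, not a block rule, and never an auto-approve.
    evidence["too_clean"] = not (history or entry or journey)
    return evidence

# Constructed cases for illustration.
messy = Case(4300, 6, True,
             [("name", "typed", 0), ("address", "typed", 2), ("email", "typed", 1)],
             ["product", "search", "product", "cart", "faq", "checkout"], 2)
clean = Case(0, 0, False,
             [("name", "pasted", 0), ("address", "pasted", 0), ("email", "pasted", 0)],
             ["product", "checkout"], 1)

if __name__ == "__main__":
    for label, case in (("messy", messy), ("clean", clean)):
        print(label, messiness_evidence(case))
```

The output is a list of positive evidence rather than a score, which matches how the signals are used above: something a reviewer weighs, not an automatic decision.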
What's the “too clean” signal in yours? Hit reply - I’d love to hear about more such examples.
In the meantime, that’s all for this week.
See you next Saturday.