#39 - What fraudsters fear more than AI
What is a fraudster’s biggest nightmare?
What is the number one reason most fraud fails?
AI? Authentication? Tokenization? You?
No. The downfall of most fraudsters is unstoppable.
It is time.
Fraudsters, in the vast majority of cases, do not acquire their stolen cards / identities / account credentials on their own. They buy them online.
And supposedly, once they buy them, they have all the time in the world to commit fraud, right?
But here’s what they know:
It’s very likely that the same information was sold to other fraudsters as well. Even worse, it might be that they are the last ones who have bought it.
Those card details they just spent money on?
They might already be flagged as stolen and deactivated, their money gone to waste.
And if there’s something fraudsters hate, it’s negative ROI.
Every Fraudster’s FOMO
I first realized it during the early days of my career, when I was a fledgling fraud analyst at PayPal. I remember that one specific new account I was reviewing.
Everything looked fine: IP address looked clean and geographically close to the billing address. The email was ‘yahoo’ but looked ok, matched the customer’s name. Cookies were fresh…
But here’s why I remember it to this day: it was the actual transaction that triggered the review. A $199… sex toy.
Yeah, not the hardest thing a fraudster would be able to resell, but also not what I’ve learned to treat as a red flag in terms of fraud activity.
Nothing screamed fraud. There wasn’t a lot of history to go on, but that was obviously normal with new accounts.
And then it caught my eye.
When I was reviewing the linked accounts, amongst the dozens of random IP-linked ones, I noticed one that was only linked by the same credit card.
It was two days old and registered under a different name.
I opened it and immediately noticed a foreign IP address. It was also pending a review after the initial transaction was declined.
Then I knew it - both accounts were fraud.
But here’s the thing that really got my attention: other than sharing the same credit card and opening a PayPal account within 48 hours of one another, the two cases shared nothing else.
Not only that, in my original account it looked like the fraudster really did their homework and took their time in establishing the account. Honestly, if it weren’t for the other account, I would have probably let it go as a good one.
But that other account? It was the usual sloppy work I was familiar with from most fraud cases.
Foreign IP, high amount, and if I remember correctly, they purchased “World of Warcraft” gold from a pirate-run website.
(It was 2009, it was a thing.)
I had to smile to myself. Here you have a fraudster who spent their money on stolen card details, just to get sidelined by an amateur rushing to get their payday.
The sweet irony.
It took me many months, and many, many reviews later, to start suspecting it was the second fraudster who was the smart one.
He knew that if he didn’t take his shot quickly, he would be left with no bullets.
Victims cannot deactivate their identities, but does it matter?
I know what you must be thinking:
This really only matters in payments, where you can report your card as stolen.
If your identity is stolen, you cannot simply deactivate it. And if that’s true, why should fraudsters rush to exploit it?
But consider David Maimon’s recently published article on how his own identity got stolen, and how he and his team at Sentilink monitored how fraudsters used it.
The first 96 hours saw an explosion of activity with multiple different fraud attempts being committed with his personal details. In the first 24 hours alone, he counted 10 different cases.
But the real scary fact? The last fraudulent attempt (to date) happened more than two years after the initial info leak.
As said, identities don’t get deactivated, and so fraudsters are more keen to try them out even if it has been some time.
But here’s the thing:
Identities, as with cards, do get flagged as stolen. They get flagged by individual organizations that were already targeted by them, by fraud vendors, and by data consortiums.
Yes, you can use a stolen identity even two years after it has been compromised, but the likelihood of it going through drops dramatically with time.
As does the fraudster’s ROI.
From FOMO to FAFO
How do we use fraudsters’ sense of urgency against them?
It’s a tricky one. To be frank, I am not sure we can do more than what they are already doing themselves: rushing to be the first one to exploit new compromised data.
What is the point then?
The point is understanding that time limitations and the fear of unknown "competitors" deeply influence fraudsters’ thinking and how they approach committing fraud.
Take account aging for example: a fraudster would never disclose a stolen card when opening an account if they intend to age it.
They would age it first, then add a freshly stolen card, and then hurry up to squeeze everything from it.
See how this pattern would look completely different from the vast majority of good users?
Side note: Noticed the “vast majority” cop out? If I learned anything it is that good customers will always surprise you with how “suspiciously” they might act.
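One way to surface the aged-account pattern described above for manual review. This is an added example, not code from the newsletter; the event names, thresholds and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (illustrative): account, time, event, amount.
EVENTS = [
    ("aged", "2024-01-02T10:00", "account_opened", 0),
    ("aged", "2024-03-15T09:00", "card_added", 0),
    ("aged", "2024-03-15T09:20", "purchase", 450),
    ("aged", "2024-03-15T10:05", "purchase", 900),
    ("typical", "2024-01-05T12:00", "account_opened", 0),
    ("typical", "2024-01-05T12:03", "card_added", 0),
    ("typical", "2024-01-09T18:30", "purchase", 35),
    ("late_card", "2024-01-07T08:00", "account_opened", 0),
    ("late_card", "2024-04-01T08:00", "card_added", 0),
    ("late_card", "2024-04-20T19:00", "purchase", 40),
]

def aged_then_burst(events, min_dormancy=timedelta(days=30),
                    burst_window=timedelta(hours=24), min_burst_total=500):
    """Return {account: details} for accounts that sat card-less for at least
    min_dormancy, then spent min_burst_total within burst_window of the
    first card being added. Thresholds are illustrative assumptions."""
    by_acct = defaultdict(list)
    for acct, ts, kind, amount in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind, amount))
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort()
        opened = next((t for t, k, _ in rows if k == "account_opened"), None)
        first_card = next((t for t, k, _ in rows if k == "card_added"), None)
        if opened is None or first_card is None:
            continue  # incomplete history: nothing to measure
        dormancy = first_card - opened
        burst = sum(a for t, k, a in rows if k == "purchase"
                    and first_card <= t <= first_card + burst_window)
        # Both halves must hold: a late card alone is common among good users.
        if dormancy >= min_dormancy and burst >= min_burst_total:
            flagged[acct] = {"dormant_days": dormancy.days, "burst_total": burst}
    return flagged
```

The output is a review queue, not a decline list: the "late_card" account shows a good customer who simply added a card months after signing up.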
And if you want to take it one step further? Consider developing network analysis tools and techniques.
It’s not just about block lists or velocity checks.
Like in the story I shared, sometimes it’s concluding that two events happened in a certain sequence, sharing certain identifiers and not others, that helps identify fraud when there are no other clues.
First, it’s about getting the data - from your own system, through consortiums, or through other partnership models.
And second, it’s about the ability to tell complex stories, first as part of manual investigations and then through algorithms.
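The kind of link from the PayPal story above (two accounts sharing a card and nothing else, opened within 48 hours), written as an added example rather than anything from the newsletter. The field names, tokenized card values and sample accounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample accounts (illustrative values only).
ACCOUNTS = {
    "A1": {"created": "2009-05-01T08:00", "name": "j. smith",
           "ip": "198.51.100.7", "device": "d-111", "card": "card_tok_1"},
    "A2": {"created": "2009-05-03T07:30", "name": "m. jones",
           "ip": "203.0.113.9", "device": "d-222", "card": "card_tok_1"},
    "A3": {"created": "2009-05-02T12:00", "name": "a. lee",
           "ip": "203.0.113.9", "device": "d-333", "card": "card_tok_2"},
    "A4": {"created": "2009-01-10T09:00", "name": "j. smith",
           "ip": "198.51.100.7", "device": "d-111", "card": "card_tok_1"},
}
LINK_FIELDS = ("name", "ip", "device", "card")

def shared_fields(accounts):
    """Map each account pair to the set of identifier types they share."""
    index = defaultdict(set)                 # (field, value) -> account ids
    for acct, attrs in accounts.items():
        for field in LINK_FIELDS:
            index[(field, attrs[field])].add(acct)
    links = defaultdict(set)
    for (field, _), members in index.items():
        for pair in combinations(sorted(members), 2):
            links[pair].add(field)
    return links

def card_only_links(accounts, max_gap_hours=48):
    """Pairs linked by card and nothing else, opened within max_gap_hours.
    Returns (earlier_account, later_account, gap_hours) tuples."""
    hits = []
    for (a, b), fields in shared_fields(accounts).items():
        if fields != {"card"}:
            continue  # linked by more (or other) identifiers: different story
        ta, tb = (datetime.fromisoformat(accounts[x]["created"]) for x in (a, b))
        gap = abs((tb - ta).total_seconds()) / 3600
        if gap <= max_gap_hours:
            first, second = (a, b) if ta <= tb else (b, a)
            hits.append((first, second, round(gap, 1)))
    return sorted(hits)
```

Here A1 and A4 share every identifier and look like one returning user, while A1 and A2 are tied together by the card alone, which is the signal that stood out in the manual review.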
Did you find other tricks to turn FOMO against fraudsters? Hit the reply button and let me know what worked for you!
In the meantime, that’s all for this week.
See you next Saturday.