The investigation of fraud has never been the No. 1 priority for the majority of law enforcement agencies around the world. Would-be police officers do not yearn for the moment they can sit at a desk and investigate fraud; most gravitate to this role. Elected police commissioners and district attorneys do not put fighting fraud central to their election campaign manifestos. The reason is that some naively perceive a number of frauds to be victimless crimes. Of course, this is nonsense.
Now, in the midst of the crisis presented by the coronavirus pandemic, fraud is on the rise, and nimble-thinking fraudsters are preying upon the vulnerabilities, anxieties, and fears of the public while others exploit opportunities within supply and demand chains. Then there are those who head straight to the big money found in healthcare budgets and government-funded business support schemes.
Attitudes toward fraud have changed the criminal landscape, because criminals have calculated the risks and determined fraud is a low-risk, high-return business. It is now possible to steal far more with fingers on a computer keyboard than fingers placed upon the trigger of a gun. Law enforcement agencies, moreover, are playing catch-up, and they are considerably behind the organized crime groups exploiting a criminal justice system that perversely encourages this crime.
In the United Kingdom, the Serious Fraud Office directly proposes there is a level of fraud that is not critical (previously determined to be losses or gains of £1 million [U.S. $1.3 million]) and, therefore, not likely to be investigated. With the pandemic, that level has likely risen much higher, and all of this adds to the risks faced by firms and individuals. Meanwhile, the internet gives the fraudsters an almost limitless pool of targets and potential victims.
Data drives fraud; hence the need for firms and individuals to protect the same, but do firms understand the value of the data as much as the fraudster does? Presently on the dark web, criminal groups sell a wide range of data, both personal and corporate, including bank accounts of potential victims and other accounts where money could potentially be laundered. The pricing is variable and reflects the value of funds that may potentially be stolen or laundered.
Are any of you interested in buying such data? I suspect the answer is no, and I posit this is the wrong answer. This is a major problem, because it enables fraudsters to operate with reduced fears of being caught, compromised, or disrupted. I am not asserting anyone should actually buy the data, but fraudsters need to fear that legitimate actors will disrupt them by seeking to turn the data against them. It is not possible to steal money from a closed, blocked, or no longer existing bank account; likewise, money cannot be laundered through such accounts.
Given the reduced levels of law enforcement activity in the environment of online fraud, there is a need for the private sector to be smarter, vigilant, and most importantly proactive. Work with the notion that behind every online business there is a real bank account somewhere and the same applies to online fraud. Of course, there are crypto coin payment options but, ultimately, these too connect to mainstream, High Street bank accounts.
Imagine a scenario in which you or your firm attack the fraudster’s data; imagine identifying the bank accounts into which the fraudsters take payment for data they sell relating to you, your firm, or even your bank account. It’s time to take action, to turn the tables and make your firm a hostile environment for fraudsters. Work on the basis that behind every online fraud/attempted fraud, including attempted frauds against your company, there is a bank account used by the fraudster. Now imagine identifying this account and causing the same to be closed.
Understanding the architecture of the internet also presents you and your firm with an opportunity to identify and block not only e-mail addresses, but also computer server addresses and mobile telephones that may have attempted to defraud your firm. There was once a time when it was said, “To catch a thief, you need to think like a thief.” The 21st Century online thief is a new breed, and to counter these new, online fraudsters, we need to understand them and think like them.
Critical to their thinking is data: how to steal it; how to use it; when to use it; where to store it; and how to manipulate it. Consequently, we need to not only think about and protect our data, we need to understand and attack their data. Those who do this will make their firm a hostile environment for fraudsters and cause them to identify another potential victim in the almost limitless pool of targets presented by the internet.
Keep in mind, on the internet it is possible for a fraudster to be somebody, anybody, and nobody, all at the same time, but behind all of this there will be a real person, even if he/she is hiding behind a computer robot. It follows, you too can deliberately present yourself as a potential victim and almost invite the fraudster to engage with you. By doing so you can draw out the fraudster’s data and turn it against them. The best form of defense is attack, and this logic also applies to online fraud.
We are way beyond the point of being sitting ducks, waiting for the fraudster to strike. We need to protect ourselves, our firms, our customers, and our shareholders, because to us all fraud is serious and all data is valuable, including that of the fraudster.