Sooner or later, your company will be the victim of fraud. With fraud up 150% during the pandemic and fraud techniques becoming more sophisticated than ever (thanks in part to more experienced fraudsters selling their expertise as ‘fraud as a service’), it’s almost an inevitability.
At SEON we have a personal history with fraud. Originally, my Co-Founder and I started a cryptocurrency exchange. Almost as soon as it was launched, the exchange was hit by a wave of fraud attempts, and probably quite a few successful frauds that we just could not detect. When we looked at the market for anti-fraud solutions that would cut fraud attempts off at the source, we found the industry was lacking. Nothing we saw was using the power and speed of cloud computing, big data and assisted machine learning – the industry was a step behind what was possible. So, we made our own. It worked incredibly, and when news spread of how well we were doing, other companies asked if they could use the software, and we found that we had a viable business model that could make an impact on the growing and very costly world of digital fraud.
Your company might not have the resources to code an entire anti-fraud solution from scratch, but there are ways to make yourself safer. One of the key things we do as a company at the top level is try to understand how fraudsters operate – half of the interviews on our Cat & Mouse podcast are with former or current fraudsters, and they’re a great source of information on how our opponents operate.
Listing every technique that they use would be impossible, but what you can do is learn to see your company as a fraudster sees it. This will allow you to find vulnerabilities and patch holes that you might not have known about otherwise.
Understand the two types of fraud
Very broadly, there are two types of fraud:
In the first type, a fraudster uses data sets and scripts to send hundreds or thousands of low-effort, low-level attacks – the easy-to-spot phishing scams you probably receive in your inbox and delete right away are one example. If your company has an eCommerce site, then a script could create dozens of fake accounts using publicly available or hacked data and exploit loopholes in your systems. SEON’s own automated, and significantly more intelligent, systems are extremely effective at combatting this type of fraud.
The second type requires a fraudster, or a whole team of fraudsters, to be actively engaged in trying to part you from your money. They could be in contact with you for months to ‘social engineer’ a desired outcome, even call you on the phone or meet you in person. They might even partner with your company or pose as investors. These types of fraud can only be countered by your own wits and a willingness to question everything, no matter how legitimate it appears.
One of the key takeaways from our conversations with fraudsters is that every company has something that they could want. You might think that their one and only goal would be to open up your bank account and transfer everything out, but you would be wrong. Even if you restrict yourself to only thinking about ‘value’ in monetary terms, there are dozens of easier ways to get money from a company – sending fake invoices, creating multiple accounts to abuse signup bonuses, claiming to have not received orders that they have paid for and getting a refund, and so on.
Information can often be as valuable as currency, as it can lead to further frauds or just be sold on dark web marketplaces. A list of every company that your company does business with, for example, could be used in fraud attempts in which fraudsters impersonate (either over the phone or through hacked/spoofed emails) a purchaser at a company and ask for goods to be delivered or payments to be made.
Identifying threat vectors
Once you have audited your company top to bottom for everything that could potentially be of value to fraudsters, you need to look at how everything on your list can be accessed and how likely it is that fraudsters will be able to use each form of access. Nobody is likely to hack the high-end security on your company’s bank account, for example, but they could easily find out the name and email of somebody in your accounting team along with the name of one of your suppliers, and send them an invoice that looks real and seemingly comes from a real email address, but directs money to another account. They could also compromise an account and ask for a password reset that would allow them to download the details of every customer you have ever done business with.
Finding each way for money, goods or information to move out of your company and who controls these access points is key. It is likely that rather than installing firewalls and tightening up processes, a lot of your anti-fraud work will be in educating the staff members who sit at key points (IT professionals, accountants, receptionists or anyone in a customer-facing role) about what information to give out and what questions to ask. If your IT manager gets an email ostensibly from the company’s CEO saying that they need a password reset, how can that be confirmed as legitimate? If your receptionist gets a call asking for the email for your head of accounting to send an invoice, how should they respond?
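The fake-invoice scenario above can also be backed by a simple control at the point where payments leave the company. The following is an added example, not SEON's code: it compares an incoming invoice with a supplier master record and returns reasons to hold the payment. The field names, supplier, domains and bank details are all constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str  # domain the supplier normally mails from
    iban: str          # bank details verified at onboarding

@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sender_email: str
    iban: str

# Constructed supplier master record (all values are made up).
SUPPLIERS = {
    "acme paper ltd": Supplier("Acme Paper Ltd", "acmepaper.example",
                               "GB00 TEST 0000 0000 0001"),
}

def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()

def review_invoice(invoice: Invoice, suppliers=SUPPLIERS) -> list[str]:
    """Return reasons to hold the payment; an empty list means no flag."""
    supplier = suppliers.get(invoice.supplier_name.strip().lower())
    if supplier is None:
        return ["unknown supplier: not in the supplier master record"]
    reasons = []
    domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if domain != supplier.email_domain:
        # A near-identical domain is a stronger signal than an unrelated one.
        ratio = SequenceMatcher(None, domain, supplier.email_domain).ratio()
        kind = "lookalike" if ratio >= 0.8 else "unexpected"
        reasons.append(f"{kind} sender domain: {domain}")
    # A spoofed From address passes the domain check, so the bank details
    # are compared with the record on file regardless of the sender.
    if normalise_iban(invoice.iban) != normalise_iban(supplier.iban):
        reasons.append("bank account differs from record: confirm by phone "
                       "using the number on file, not the one on the invoice")
    return reasons

if __name__ == "__main__":
    spoofed = Invoice("Acme Paper Ltd", "billing@acmepaper.example",
                      "GB00 TEST 9999 9999 9999")
    print(review_invoice(spoofed))
```

A held invoice still needs a person to make the callback; the check only decides which invoices get that scrutiny.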
Fraud is everybody’s problem
Fraudsters are not going to give your company a pass because it is a start-up – they did not when we started our crypto exchange. Fraud solutions today are incredibly powerful at reducing fraud in companies ranging from start-ups through to established multinational businesses, but even the very best cloud-based software is not going to prevent a junior employee giving out their line manager’s email address. Just as children need to learn not to talk to strangers, your growing start-up needs to know how to spot fraud attempts and to always have one eye on safety.