Are we better off thinking of financial fraudsters as entrepreneurial start-ups?
“There is no greater danger than underestimating your opponent” ― Lao Tzu
If we imagine a “typical” financial fraudster, it is tempting to think of an opportunistic criminal, an individual who has perhaps progressed from pirating DVDs and shoplifting to skimming bank cards and faking IDs. It is precisely this image that leads us to underestimate the sophistication of their methods, leaving us vulnerable to their attack.
In reality, a more accurate stereotype would be that of an internet start-up; a small group of intelligent, creative and driven individuals, constantly looking for new methods to increase their profitability and break into new markets.
So how does such a newly formed “fraud start-up” operate and grow?
It maximises profits: Once a loophole has been successfully discovered in a financial organisation’s processes, the start-up will look to maximise the return on its investment. We can think of this as scaling up production. The start-up will look to produce its frauds in bulk (via a large shared ledger of falsified and stolen identities), to maximise profit per fraud by testing for hard-coded maximum thresholds in detection systems, and to automate as much of the end-to-end process as possible.
It innovates: Any existing loophole or exploit runs the daily risk of being discovered and closed down, cutting off a revenue stream to the start-up. This is consequently just an expected part of the fraudsters’ business, akin to their competition. They do not therefore wait for this to happen; like any other start-up they are looking for the next big thing in order to maintain their growth. Any changes in processes, such as new payment systems or on-boarding procedures, will have their fences tested by the fraudsters looking for new growth areas.
It diversifies: In addition to innovating within a single fraud “industry”, the start-up may choose to diversify to further expand its income and spread its risk. Strategies include exploiting multiple different organisations in the same industry, or using the same identities in different fraud types (such as banking, insurance, healthcare and tax), all at the same time.
So how should a financial organisation compete?
Firstly, we recognise that fraudsters are taking advantage of their main strength as a start-up: they are agile. They are fast to react to any moves made against them, and can typically outmanoeuvre the large organisations trying to stop them. To this end, we should stop thinking of fraud systems as static pieces of software that we choose to upgrade every few years; such systems rapidly become ineffective against anything beyond simple opportunistic fraud. An organisation will need to continually assess the impact of internal and external developments on its fraud detection system. Doing so has the added benefit of a strong deterrence effect, leading fraudsters to go after organisations with weaker defences.
Secondly, a sophisticated attacker can only be stopped with a similarly sophisticated system. Systems with hard-coded thresholds have long since been rendered ineffective, as they are too easy to reverse engineer with a few expendable false identities. However, techniques such as machine learning, entity resolution and outlier detection can all be combined to give our fraud start-ups a particularly difficult “research problem”.
Lastly, we can use the structure of the fraud start-up against them. Despite their agility, their business rests on a fundamental pattern. To be profitable, they typically need to have a steady stream of identities moving through the on-boarding, establishment and extraction phases. Avoiding accidentally reusing the same identities, contact details and IP addresses becomes an increasingly complex management problem at scale, and largely only works due to the siloed nature of data in organisations today. As a minimum, fraud systems should use all available data within an organisation to look for discrepancies, shutting down blocks of suspicious identities at a time. Better is to make use of other industry data under the same parent company, as a fraudulent insurance claim could represent a fraudulent mortgage loan waiting to happen. Better still is industry collaboration, where sharing of known fraud data aims to make the fraudster’s identities single use only.
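The cross-silo check described above can be sketched as a small entity-resolution pass. This is an added example, not code from the article: the silo names, field names, thresholds and records are all constructed assumptions, and it links identities that share a phone number, e-mail address or IP address, then reports blocks that span more than one silo.

```python
from collections import defaultdict

# Constructed sample records from three internal silos (all values are made up).
RECORDS = [
    {"id": "bank-001", "silo": "banking",   "phone": "0700-000-001", "email": "a@example.test", "ip": "192.0.2.10"},
    {"id": "bank-002", "silo": "banking",   "phone": "0700-000-002", "email": "b@example.test", "ip": "192.0.2.10"},
    {"id": "ins-101",  "silo": "insurance", "phone": "0700 000 002", "email": "c@example.test", "ip": "198.51.100.7"},
    {"id": "mort-201", "silo": "mortgage",  "phone": "0700-000-003", "email": "C@Example.test", "ip": "198.51.100.8"},
    {"id": "bank-003", "silo": "banking",   "phone": "0700-000-009", "email": "z@example.test", "ip": "203.0.113.5"},
    {"id": "ins-102",  "silo": "insurance", "phone": "0700-000-010", "email": "y@example.test", "ip": "203.0.113.6"},
]
LINK_FIELDS = ("phone", "email", "ip")  # assumed linking attributes

def normalise(field, value):
    """Canonicalise a value so formatting differences do not hide reuse."""
    value = value.strip().lower()
    if field == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value

def cluster_identities(records, link_fields=LINK_FIELDS):
    """Union-find: identities sharing any link field end up in one cluster."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first identity that used it
    for r in records:
        for field in link_fields:
            key = (field, normalise(field, r[field]))
            if key in first_seen:
                parent[find(r["id"])] = find(first_seen[key])
            else:
                first_seen[key] = r["id"]
    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["id"])].append(r)
    return list(clusters.values())

def suspicious_blocks(records, min_size=3, min_silos=2):
    """Return sorted id lists for clusters that are large and cross silos."""
    blocks = []
    for members in cluster_identities(records):
        silos = {m["silo"] for m in members}
        if len(members) >= min_size and len(silos) >= min_silos:
            blocks.append(sorted(m["id"] for m in members))
    return blocks
```

Shared IP addresses also occur legitimately (households, offices, carrier NAT), so in practice a block like this is a candidate for review, and the size and silo thresholds need tuning against known-good customers.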
About the Author
Robert Keevil is a fraud expert, Solution Architect and developer for Big Data applications, with extensive experience in financial services domains.
Robert has 9 years' experience in Insurance, Banking (Investment and Retail), Tax and Secure Government, in architecture, team lead, development and infrastructure roles.
Rob is available to advise firms as a contractor on their current and future counter-fraud and Big Data strategies.