Episode 245 – Shining a Light on the Dark Web with Dr. David Maimon, SentiLink

Yvette Bohanan

August 14, 2024

POF Podcast

Sometimes an episode sticks with me. It just keeps coming back in different ways. Reading an article, having a conversation, even watching TV can make me stop and reflect on a recording. This is exactly what has been happening since we sat down with Dr. David Maimon, Head of Fraud Insights at SentiLink, to talk about fraud.

As always, we covered a lot of ground in this episode. As you might expect, we talked fraud trends. What you might not expect is a conversation, most enlightening, on the psychology of fraud and those who perpetrate it.

Many thanks to David for sharing his insights on the dark web, on this podcast and regularly on LinkedIn. If you are not following him there, you should be.

Last but not least, a shout out to Georgia State University and the work they are doing in their Evidence-based Cybersecurity Research Group. Good stuff.

Yvette Bohanan:

Welcome to Payments On Fire, a podcast from Glenbrook Partners about the payments industry, how it works, and trends in its evolution. Hello, I’m Yvette Bohanan, a partner at Glenbrook, and your host for this episode of Payments on Fire. Before we begin this episode, I want to send a huge congratulations out to the folks who completed our prep course for the MRC Payments and Fraud Prevention Professional Certification Program, and who passed the exam. Well done. We are so delighted for you. And by the way, we’re gearing up for our next prep course that begins in September and runs for 10 weeks. It’s easy to attend, scheduled for two hours each week and is recorded, so if you miss a session, you can watch a recording and catch up. If you’re interested, check out the details on our website at glenbrook.com.

In keeping with the theme of fraud prevention, let’s get into our episode. Fraudsters go by many names: schemers, convincers, con artists, insiders, bit players, little blind mice, peanut grifters, state-run agencies, and organized crime rings, just to name a few. What do these have to do with payments? If you’re asking yourself that question, you haven’t been paying attention. After all, stories about identity theft and scams are making headlines every day. Many of you listening have been notified that your account credentials or personal information has been compromised at least once, if not multiple times. And we all get those phone calls that seem to have no one on the other end of the line. Beware, they may be trying to get enough of your voice for a deepfake. And those text messages. “How’s the weather in Connecticut today?” Maybe you should text someone who lives there. Also in the headlines, now and again, are stories about the billions of dollars spent on cybersecurity and fraud prevention.

Billions and billions of dollars globally. The cat and mouse game that has been going on for decades, actually centuries, is now more extensive, better funded, and more sophisticated than ever on both sides. The more that has been invested to stop criminal activity, the faster it has accelerated. So what exactly is happening on the Dark Web or in plain sight that we can’t seem to stop? And what should we be doing differently to get our arms around the situation? Joining me with his trusty flashlight to peek into the dark web is Glenbrook partner, Bryan Derman. Bryan, I hope you have extra batteries for this conversation.

Bryan Derman:

Great to be with you on the pod event. I am ready.

Yvette Bohanan:

Ready and able. Okay. If you follow David Maimon on LinkedIn, you know that he is a wealth of information on this topic. As a faculty member at Georgia State University’s Evidence-based Cybersecurity Research Group, he educates on and advocates for scientific methods to back the techniques used to curb criminal activity, and he recently joined SentiLink as their Head of Fraud Insights. David, welcome to Payments on Fire. We are absolutely delighted that you’re joining us for this episode.

David Maimon:

Thank you so much for having me. I’m really excited about this.

Yvette Bohanan:

You are one of the gutsiest, most knowledgeable and informative people in this space. Hands down. I’m very curious, what got you started on this path and what keeps you going? And what do you get up and do every day? I’m very curious about what a typical day looks like for you.

David Maimon:

So first of all, thank you so much for the compliment. I’ve always been fascinated with crime, and this is one of the reasons why I decided to pursue a PhD in sociology and focus my dissertation and my work, at the time, on traditional types of crimes. At the time, I was working a lot on trying to understand violent behaviors and some of the factors which contribute to individual engagement in violent behaviors, and specifically how the neighborhoods they live in contribute to that. But fairly early to my academic career, while I was doing that type of research, I started to get really bored, simply because I was sitting next to a computer, and I ran a lot of really cool analysis with data sets that other people collected. Most oftentimes the data folks collected was collected in the form of surveys, or oftentimes it was the FBI, the UCR databases.

And in that sense it was extremely challenging because it got me into a really awkward position in my academic career when I told my wife, “Listen, I don’t want to do it anymore. I still love science. So instead of sitting next to a computer and running analysis all day, I want to pursue another PhD in marine biology. I want to go to Australia and I want to understand the giant squid.” And the reason why I wanted to do that was that I simply wanted to be in a submarine in the deep with a flashlight and simply expose everything that takes place over there. We do know more about the moon unfortunately than we know about the deep.

Yvette Bohanan:

That’s true.

David Maimon:

And so I got to this really awkward position. But then I had some conversation with other academics, other criminologists where I was, and one of them suggested the issue of cyber crime, and the fact that not too many people at the time were working on that. That in a way allowed me to open a new door to a new world, so to speak, and replace my desire to be in the deep with the giant squid to be exploring different types of crimes that, at the time, folks really didn’t spend a whole lot of time in understanding.

And so yeah, that essentially what got me there, the fact that when I started it was a whole new world, it allowed me to deploy really cool technologies in order to collect data that I wanted to collect and answer questions that I was able to come up with and find answer to on my own. It was simply fun. And that is essentially what keeps me going. The fact that every day is a new day. Every day you find a new type of fraud that folks are working on and that we are not familiar with. And so someone needs to be there, out there in the deep and with a flashlight, tell everyone about that. So maybe it’s this curiosity of a little kid.

Yvette Bohanan:

Yeah.

David Maimon:

That what makes me going. My days are exciting. I love waking up every morning because, as I mentioned, every day is a new day. I start my day out there in the online fraud ecosystem with my buddies, sort of speaking, listen to their conversations, looking at the images and the videos that they put out there, trying to understand what they’re working on, trying to understand why they’re working on what they’re working on, how they’re thinking about different types of illicit activities that they would like to engage in. And then I take all this information, which I term as an upstream information, a lot of stuff that the criminals are working on, and I try to merge this information, some of the information that we in the company have, to really try and come up with more sophisticated solution to detect and prevent fraud in our society.

So it’s really fun to take the upstream signal and merge them with a downstream signal, because at the end of the day, it allows us to create a more comprehensive understanding, the modus operandi, and how folks are engaging in different types of operation. But at the end of the day, once you work with a company, and specifically with SentiLink, it allows you to create tools which are designed to prevent and mitigate those types of fraud. So every day is an exciting day, fortunately.

Yvette Bohanan:

Yeah. Fortunately and unfortunately all at the same time. Right? That’s fascinating. And we’re very fortunate that you’re not in the deep looking at the giant squid-

David Maimon:

Thank you.

Yvette Bohanan:

… that you’re here with us. So we were prepping for this, and I was mentioning that being in the for a while, and some of the numbers I’m hearing around the exploitation and the crime and the proceeds of all of this. I’m a little bit gobsmacked at the numbers. I hear numbers being thrown around of 600 billion a year in pig butchering schemes, or we only know and can count about 2% of all of the money laundering and catch that that’s going on out there.

These numbers can be conflated and conflicting in payments in general, but particularly in this space, because we don’t know what we don’t know, and we only know what we do know. We’re trying to figure this all out, and it’s trying to be hidden from us when we’re trying to figure it out. When you’re looking at all of this and you see it, what is your perspective on the numbers that are out there in the industry right now, around fraud and losses and crime?

David Maimon:

I think you hit the nail on the head when you say we don’t know what we don’t know. And in the context of fraud, there are a lot of unknowns. So every time I read a report talking about specific numbers or disclosing specific numbers, volume of losses, the first thing I’m trying to think is how does the author know what they know? How does the author know what he knows? He or she. And oftentimes I find myself having issues with the way the authors or speakers operationalize the numbers. Because once you start drilling in the rationale, the use, in order to come up with those numbers, you realize that it’s problematic.

You start asking them, “How do you know that these are the numbers out there? How did you measure it? What exactly did you look at? Did you talk to the criminal? Did you talk to the victim? What’s your estimate in respect to how much of it goes under reported?” So at least for me as a scientist, I feel like I’ll be doing a disservice to the discipline and to the industry if I start talking about numbers or estimating numbers, which I have no confidence in. In order for me to be able to talk about a number, I need to be confident that I know what I’m talking about, and I know how to explain and defend the position. We know that there are a lot of signals out there, which allows us to surmise that, yeah, we are seeing an increase in fraud cases here in the United States and around the globe.

We see that with more victims reports. We see that with more reports of financial losses. We see that with more of the fraud rings, taking some of the money that they’re able to make, their fraud proceeds, and funneling it back to the streets in the form of drugs and guns. We see that in the form of criminals and fraud rings across the nations being explicit about that on social media, flashing a lot of money. But at the end of the day, these are all signals which are very fun to observe and make sense out of, but they do not allow me to really come up with a number with respect to how big this problem is. So hopefully that makes sense.

Yvette Bohanan:

It makes perfect sense, and I think it’s a very honest answer.

David Maimon:

As a scientist, first and foremost I’m a scientist, I need to stay true to scientific discipline. I can talk about what I see, I cannot talk about things that I cannot.

Bryan Derman:

We don’t know quite how big it is, but we can say confidently it’s bigger than it was yesterday. It’s clearly a growth industry, if you will, if I can call it that.

David Maimon:

Right. So if you take into consideration the FTC reports, the IC3 reports, governmental agencies, which at the end of the day, have no inherent bias to over report or exaggerate numbers. We are seeing an increase in the volume of reports there. Having said that, I’m not sure that fraud victims are aware of those organizations, like all fraud victims are aware of those organizations, so maybe we are talking about some under reporting. I have a feeling that not all fraud that we’re seeing out there is being reported. There are many types of fraud that people are not aware of because nobody talks about them. A lot of fraud victims who are ashamed of their victimization, and so we don’t see this fraud in the report. So a lot of that goes under disclosed. In general, fraud is this really huge concept which allow us to… This concept encompasses so many different types of illegitimate activities. And so, very difficult to put a number around specific types of illicit activities, at least in my book. So I don’t feel comfortable talking about numbers simply because I don’t know.

Yvette Bohanan:

Right. So if we could say it’s… I love this, Bryan, a growth industry, and we figure out, “Okay, what does this mean?” There is an industry underneath here that you’re out there exploring in this dark web area. And if we think about it at a macro level, there’s a lot of money being exchanged within this underground community and economy to fuel what we’re seeing and what is exposed. We know where they’re getting the money, they’re stealing it somehow from a scheme. But it begs the question of where are the fraud rings getting their talent to do this? Right? We have a hard time recruiting people as it is. They have everything from mules to Gen AI developers, data people, website developers. How are they recruiting? Who are they recruiting? How are they doing this?

David Maimon:

It’s a really important and interesting point, in my opinion. You mentioned that it’s very difficult for us to recruit, and on the other side, they have their own difficulties to recruit as well, but they have something that is very attractive to folks, and that is a lot of money. Unfortunately I would say fraud fighters and individuals we engage in fraud prevention do not make, or they do not make what you could make as a mule or as an insider who can make a lot of money, simply by allowing the fraud rings to facilitate their operation. On the other hand, on the fraud ring sides, they do bring in the issue of breaking the law, the small issue of breaking the law.

Yvette Bohanan:

Just a minor technicality.

David Maimon:

But some people are willing to take the risk. Now in terms of who they’re recruiting, I can tell you that, from my conversation and from my observations in the online fraud ecosystem, I can tell you that we see everybody. Folks are recruiting individual who can help them fetch identities, for example. Those individual could be technical or less technical. You can either design a malicious software that allows you to then phish individuals and then get all their PII’s, or you just need someone who knows where to look for in the Darknet for some of the identities for you to use. So they recruit these kind of individuals. They recruit individual who can help them work with some of the software and hardware which will allow them to produce fake documents. Fake documents, create fake videos. Those individuals are definitely part of what the fraud rings are looking for.

These guys are looking for distributors, individuals who, at the end of the day, will be able to take the identities, take the commodities that they have in their hands and then sell them. We were talking about individuals who can sell them in the street, and we have a lot of examples for that coming from New York where the New York Post had a recent article where they exposed a string of individuals who simply stood up in the street next to a store and sold identities along with fake documents. But of course, you can have those distributors working on online environments in Telegram or Darknet or even Instagram nowadays. We see a lot of it happening on Instagram. So all these folks are individuals that the crime rings are looking to work with. Another very important actor, or actors, are the insiders, insiders in financial institutions, insiders in credit bureaus, insiders in all those organizations, which, at the end of the day, have access to PII and sensitive information.

Those insiders are usually not getting paid a whole lot by their employers and, in a way, the criminals are offering them more income, and that’s attractive enough. It’s fairly easy for you to be on a tool that you’re using for work to simply provide some service to a criminal ring as well. And if you get 100 bucks or 150 bucks per search, it’s good money if you make 60, $70,000 a year. So a lot of the insiders also help the crime rings open doors to sensitive information and PIIs. We are seeing the recruiter speaking, looking for those insiders. And then of course we have the mules, the unwitting mules. And again, in the context of the mules, they really come from all walks of lives.

We see people with families, we see adolescents and youth who are eagerly jumping in this ship and want to be part of those criminal activities. We’re seeing senior people being recruited to this operation. We’re seeing people who are unemployed being recruited to be mules, drug addicts, that goes without saying. Anyone with an identity who can get into a bank or retail shop and help the criminal organization to facilitate their operation is game, in that sense. So really, recruitment efforts are all over the place. They take place in the street, they take place on social media. And they’re very explicit. Folks are saying, “I need a mule with a bank account to engage in first party.” Very explicit.

Bryan Derman:

David, as a sociologist, a little off the script here, but do you feel like in the current environment people are more willing to take on those unlawful activities, I’m talking about the mules or in the payment systems, we’re seeing a big increase in reports of first party fraud, people who otherwise appear to be honest, but know the rules of the payment system and how to take advantage of it, and maybe under a kind of ethical fading that says, “I’m just… A little money off the top from these big banks or wealthy tech companies. It’s not really that wrong.”

David Maimon:

It’s a great question. And my gut feeling, and I’m talking about the gut feeling, again, I don’t have numbers to support, and my gut feeling tells me that, yeah, we are seeing, I would say, an erosion, morals, I’m speaking, in our society in that sense. So more and more people willing to take advantage of loopholes in order to support their lifestyle, sort of speaking. I think social media definitely plays a role in it. I think that-

Bryan Derman:

Everyone’s doing it logic.

David Maimon:

Yeah. So I definitely see that. But unfortunately, my gut feeling tells me that there’s a reason why we’re seeing more of it. And as a sociologist, I have to get us back to one of the classical theories out there, anomie theory, which at the end of the day suggests that in some countries, some societies, people are valued based on their monetary success. In some societies when there’s really no emphasis on the way you were able to make it big, people will feel more comfortable to engage in illicit activities in order to make it big. And unfortunately, when we talk about this anomie theory and the more recent version of the theory, the United States is being mentioned as the number one country where we believe that our society does not really consider how you are able to make it as long as you make it. And that in a way create a lot of pressure of individual to deviate and engage in crime. So hopefully that answered the question.

Bryan Derman:

Yeah. Very interesting.

Yvette Bohanan:

Very interesting. Yeah, there’s all sorts of infrastructure out there that enables the justification or rationalization of this. Everything from that to countries where it’s a well-known fact that the government’s involved in it. Just a lot of enabling structures that allow people to get into the game, if you will, and not feel so bad, not feel so bad. I think that’s the real crux of what we’re talking about here. They don’t have the internal DNA to restrain themselves from doing it, so they’re justifying it.

David Maimon:

So there are all kinds of criminological theories which explain this. I can tell you that one of the theories out there suggests that opportunities are ubiquitous, opportunities are all over the place to engage in crime. And in a way, there are different explanations with respect to why people do not take advantage of these opportunities. Some of the explanations, the criminological explanations, focus on humans and their ability to restrain their thoughts, their behavior. And that is essentially what prevents them from taking advantage of those ubiquitous opportunities to engage in crime. Other explanations put emphasis on the society, and society’s efforts to restrain individuals and put some kind of a control on individuals’ likelihood and willingness to engage in these kinds of behaviors. So there are different explanations there.

Bryan Derman:

The likelihood of being caught obviously plays into it, right?

David Maimon:

So rational choice is definitely one of those theories folks like to mention in that context. So rational choice is essentially you constantly weighing the cost and benefits in your behavior in the context of engagement in crime. You, again, weigh the cost and benefits in your behavior, and if you believe that the punishment you will receive for your criminal behavior will be severe enough and folks will detect you, you’ll refrain from getting involved in criminal behavior. And I think that in the context of fraud, Bryan, you are 100% correct because the probability of detection we know is relatively low. And folks have learned about this and folks learn more about this on social media because everybody is talking about this.

And so more and more people start forming thoughts around the probability of detection. And once they think the probability of detection is, I don’t know, one to 3%, they make conscious decision of saying, “I’ll take the risk because it’s only one to 3%. If it’s such a low probability, I will get involved in deviance and crime and I’ll engage in fraud and I’ll deal with the consequences if they come.” So you are 100% correct there. There’s some explanation that speaks to deterrence and detection and the probability of detection in folks’ decision process.

Yvette Bohanan:

I want to get into techniques in a minute, but you’re making me go off on a tangent a little bit. So I’m going to touch on this because there’s another side to the psychology of this. And there’s another side to the “recruitment,” which is people being trafficked, human trafficking and kidnapping, for lack of a better word, into compounds that are very organized structures of people being forced into the psychological side of the fraud schemes. Getting people to willingly give up money, romance scams, pig butchering, whatever it is. Right? There’s all really, really some very dire things going on out there and some real victims of this that are suffering. And it’s global. But the scams that they’re using and the techniques that they’re using, from a psychological perspective, to get people to give up their money are interesting as well.

So there’s the psychological aspect of people weighing things out or having a propensity to get involved in the first place, and then they’re turning around and using some very sophisticated techniques to win people over and convince them to give up their money. So it’s not even… It’s stealing, but you don’t even need a mule… It’s a complicit act because people believe they’re being fooled, they’re being tricked, the trickery side of it. How gullible are we as individuals to this stuff? Because we all hear about it, but it seems to be on the rise.

David Maimon:

Yeah, it’s a great question. So in a way, you bring in the psychology of the offender as well as the psychology of the victim. And we’re talking about two different processes in that sense, right? In the context of the offender, it really depends who the offender is. Are we talking about someone who’s forced to do that, or are we talking about someone who is just doing it because they believe that’s the only way they can make money? So it’s again, decision-making process on their end. On the victim side, we know that many of the criminals are essentially latching on biases and decision-making processes that we all have, heuristics and decision-making processes. We know, for example, that many of the online romance fraud, fraudsters build relationship and rapport with their victims. And then in a way they build on the altruistic nature of their victim once they put forward a request to send money because “I, your lover, I’m at the hospital and I can’t afford paying my bills.” It latched into heuristics and decision-making which relates to urgency.

So they put a lot of pressure on you to make decision right away and send the money right away because we know that we human don’t make good decision under pressure. They use many different biases that we have as human. We know and we want to think that we are 100% rational, but unfortunately we’re not. There’s bounded rationality, and I just talked about it, we don’t know what we don’t know, and we make decisions sometimes without knowing what we don’t know. So we have that issue. And also you have the major issue of none of us is 100% rational because we all suffer biases in our decision-making processes.

Our gender plays a role, our upbringing plays a role in our decision-making process, religion, everything plays a role. And what the criminals do is they do a very good and thorough job understanding who we are as human, especially in Western societies, where we know that individualism is a value. And unfortunately a lot of people are lonely at this point, and they seem to latch into those specific issues and take advantage of faulty decision-making that we all make. So yeah, this is extremely interesting and something that, at the end of the day, we all need to be aware of, but sometimes even if you’re aware of those issues, you will still make the wrong decision. Right?

Yvette Bohanan:

Exactly.

David Maimon:

That’s the brilliancy I think of those fraudsters, unfortunately.

Yvette Bohanan:

Yeah, no, we always say there’s no one on the planet that’s above a psychological hijacking.

Bryan Derman:

It’s interesting to me how labor-intensive a crime that is, right? Yvette, you and I are accustomed to thinking about scalability, including criminal activity. “Where can I go to steal a hundred thousand credit cards?” Compared to pick pocketing three of them from your wallet. And here they seem very content to go one by one, spend some time cultivating targets. And I guess the prize can be fairly big with –

Yvette Bohanan:

And I don’t know if they’re really going one by one. I think they have multiple relationships or whatever’s going on at the same time. There’s phone banks dialing for dollars and sending text messages out now. So I think it’s very interesting because there’s a human element to it and there’s an automation element to it that they’re combining, right?

Bryan Derman:

Yeah. Does this business run well on a 2% response rate sort of thing?

Yvette Bohanan:

Yeah.

Bryan Derman:

Send out a hundred texts, I get two victims.

Yvette Bohanan:

Yeah.

Bryan Derman:

They take of them for $5,000. Maybe that’s a good return. I don’t know.

Yvette Bohanan:

Could be a brilliant return for some folks. There’s lone wolves out there acting, and there’s organized rings, and for a lone wolf that’s an incredible return, and maybe they’re not as interested in scale as they are at a hit rate, if you will. So yeah.

David Maimon:

There’s so many different types of fraudsters out there and so many different types of fraud out there. In the context of online romance fraud, we know that you do have folks who are lone wolves, so to speak, who will engage in online romance fraud, but not necessarily in the same sense of the type of crime we hear a lot about in the news. So the Yahoo Boys or the Ghanaian Boys who will reach out to you online and try to form a relationship with you and then steal all your money. We know… We all know of some people who stayed with us in the past simply because they have interest in us. Maybe it wasn’t as explicit as the Yahoo Boys operations are, but we’re still talking about romance fraud. If someone is with you, even in person, and the only thing that person sees in you is a wallet, that’s an issue, right?

Now, these are the lone wolf, but then you were asking about… And the lone wolf’s motivation and justification for their behaviors, I think very different than the justification of the Yahoo Boys for their operation. If we’re talking about someone here in the United States who latched to you and want to be your partners in order to steal your money, that’s one way to go. But the Yahoo Boys essentially have a group of individuals who work out a criminal operation. It’s a gang usually, and they work together on this type of fraud, and it’s very profitable for these guys. Not every conversation with the victim will result in a big payday, but in some cases those conversations will result in very high fraud proceedings that they were able to get. So we need to keep that in mind. Fraud is very diverse, and again, this is one of the reasons why I really love studying it. You have so many motivations, so many people, so many plays on even the same type of fraud that we have in mind, and so we just need to be aware of it.

Yvette Bohanan:

Absolutely. So I want to take a moment to turn our attention into the investigation work you’re doing because it is really fascinating, and there’s a lot to unpack here around different dimensions. And when it comes to the state of fraud and all of its forms and functions and facets, the first thing I wanted to probe on with you is identity. And you alluded earlier when you talked about the industry and the different skill sets and fake documentation, and people who are really good at developing that. And you’ve posted some really interesting things online in your LinkedIn feed about this too. Driver’s license, passports that are linked to actual identities is one area. Another area is taking a driver’s license and passport and linking it to a fake identity. Can you walk us through what’s going on here, maybe the categories of fake documentation and what you’re seeing here, and how that relates to things like synthetic identity and how this is playing out?

David Maimon:

Yeah. Again, in the context of the documents, we know that there are many actors out there who, at the end of the day, have access to software as well as hardware, which allows them to produce a very high quality of those fake documents. And we are talking very high quality. Forget about the fake driver licenses we all use in order to get into a bar when we were 16 and get some beer or wine. We’re talking about driver licenses which could bypass inspection of police officers, with the UV controls on them, driver licenses which could be scanned and bring all the individual information on the computer screen. This is what we’re talking about right now. And the reason why many of the vendors out there can offer this service is that the supply chain, the illicit supply chain of stolen identities, simply has access to the hardware and the software.

In terms of software, we can all simply go online and download some of the software these guys are using in order to create those documents, in order to get the holograms, in order to get some of the hardware, like the pieces of papers that you need in order to print the documents on. Folks have a lot of intelligence which allow them to bring that as well from legitimate sources, not necessarily from the online fraud ecosystem, but from Amazon. You can buy a lot of the hardware on Amazon. And that definitely supports the production of these fake documents. Now in the context of hardware, we should also mention printers. The printers that many of the organizations we work for and help produce those documents are being used by individuals as well, or being offered for sale to individuals out there as well.

I can tell you that I’m familiar with one case, one of the DMV commissioners out there, who was out there trying to figure out the best printer to use, which his agency will be the only agency, the vendor will sell the printer to, to make sure that no one else will have the same driver license and no one else can produce the same driver licenses. And he got a promise that the printer will be sold to his agency only. And unfortunately a couple of months after, he was able to find similar documents which were manufactured by another source, so to speaking. So this is essentially what we’re talking about in the context of manufacturing those fake driver licenses, fake password and so on. Now, in addition to that, and specifically in the context of synthetic identities and stolen identities, we are seeing people using those identities, and actually go to the DMV or State Department with those identities and producing real documentations to those identities.

We are seeing that as well. One of the posts I had a couple of years ago on my LinkedIn page was of a fraudster who essentially used a synthetic identity to go and take the driver test in Chicago. And he was bragging about the real driver license he got on the platform. I think it was Instagram or Telegram, I can’t remember. But we’re seeing a lot of people doing that as well. And in that sense, the insiders play a very important role. So if you have an insider in one of those key agencies, which allows you to manufacture those documents, those legit documents, while using or while assuming another person identities, it’s a lost battle.

Yvette Bohanan:

Right. So it’s a pretty widespread in terms of access to the tools to do this. And what I hear you saying is it’s not just a handful of sophisticated rings anymore. It’s rather prolific in terms of people if they’re determined to create fake documentation and deep fakes.

David Maimon:

It’s all over the place. And with social media and with the internet, we know that we can buy very high quality of US driver licenses in China. And the quality is impeccable. So that brings another very important aspect to the table that we need to discuss. So it’s not only local groups. We are talking about international groups who have access to all this information, and which at the end of the day can work on things on their end. Now the fact that this happens all over the globe, and the fact that you have the internet bringing everyone together and creating this market, so to speaking, allows anyone to simply place an order for a fake driver license in a very high quality with a Chinese vendor, or with a Korean vendor, or Romanian vendor, simply because everything is online and everyone is accessible to that medium. So that definitely fuels and exacerbate the issue of fake driver licenses and password we’re seeing out there.

Yvette Bohanan:

So moving from identity to authentication and authorization, we see a lot of work going into in the past is particularly everyone getting OTPs through their SMS text messages. We see 3D secure in a lot of countries mandating 3DS technologies in that, but they’re not as effective as they once were. They are getting circumvented more and more. Can you take us through how that’s happening? As if the identity news isn’t bad enough, let’s talk some more about authentication and authorization.

David Maimon:

The OTPs is a really interesting topic. Wearing my professor hat, we had some research around that topic in the past, trying to figure out the effectiveness of adopting 2FA in reducing the volume of compromised bank accounts in the Canadian ecosystem, of all places. So essentially what we’re trying to do, and that was like three years ago, we were trying to figure out whether financial institution adoption of 2FA will reduce the volume of compromised bank accounts we are seeing out there of the customers. And we had some really interesting findings there. The key findings were that A, if a bank is obligating their customers to adopt 2FA, then we’ll definitely see a sharp decrease in the volume of compromised bank accounts we’re seeing for them. And if the adoption of 2FA is not mandatory, then at the end of the day we’ll not see any difference in the volume of compromised bank accounts in the ecosystem.

Yvette Bohanan:

So if you leave it up to someone as an option, you’re not going to see the result. It has to be a mandated requirement.

David Maimon:

Exactly. Yeah.

Yvette Bohanan:

Interesting.

David Maimon:

But that was 2022 that we concluded the research. And since then we’ve been following things, and some of the banks which were successful with the adoption of OTP, so a year after we started to see more and more of their compromised bank accounts again on the ecosystem, a sharp increase. And again, that speaks volume to the level of innovation of criminals out there, because we believe, we have evidence suggesting that folks were able to find ways to bypass OTPs. We are familiar with several vulnerabilities in Telegram, which allow people to simply hijack the OTP or the 2FA password. Know there are a couple of research articles talking about that, more technical, but we also are seeing a lot of videos criminals are putting out there showing how they steal the OTP simply by calling the victim, pretending to be from their banks, calling the banks at the same time and simply luring the victims to provide with the OTP they just got from the financial institution to give it to them.

A couple of videos are posted out there on LinkedIn, which demonstrate this process quite clearly. We’re talking about a very sophisticated call center which are located in China, which are located in Russia, which are located in other places around the globe, which automated the process completely. And not only automated the process of feeding in your OTP, but also allowing folks to spoof the call ID. So once you get the call, you will think that your bank is calling you because you will see Wells Fargo or other brand names on your computer screen or your smartphone screen. This is how sophisticated things are right now, and unfortunately, OTP is not as safe as it used to be in the past.

Bryan Derman:

David, we are, I feel like seeing some progress on the use of pass codes.

Yvette Bohanan:

Passkey, FIDO. Yeah.

Bryan Derman:

Generally with the biometric component to them. Do you feel optimistic about that path?

David Maimon:

I was talking about the study we conducted with respect to the OTP before I disclose the evidence that we currently see out there. Yeah, I’m very optimistic about some of the solutions, but based on my experience and based on my understanding of fraudsters’ operation, they are constantly trying to bypass those security solutions. So if the solution is effective or not, that is for us to investigate and test, but also I think time plays a very important role in determining whether this solution is effective over time or is it just a short-lived solution which we’ll need to rethink in the future.

Yvette Bohanan:

Most likely the latter, unfortunately. But it buys us time a little bit. It’s a complete cat and mouse game, as we always say, and it’s getting more sophisticated, for sure. You were talking about bypassing, the other thing that comes to mind is this notion of what read and heard is adversarial AI. A lot of the recommendations that have been out there in the past few years in particular have been around creating an environment of layered controls, especially for online fraud detection and transaction screening. You have different things triggering and you have step-up authentication if you go down a certain pathway and you have the behavioral analytics that’ll trigger another control or screening.

And it sounds like the fraudsters are turning the table a little bit on this technique and using AI to figure out, based on latency of page loads, what pages, what actions are actually triggering screening, and they use that information to figure out how to circumvent the controls. That’s pretty frustrating for a lot of people that have invested in these layered controls, and even orchestration layers of controls and vendors that they’re paying. How far behind are businesses in being aware of adversarial AI? How far ahead are the fraud rings? What are you seeing out there in terms of evidence around this? And are there any countermeasures for businesses right now too?

David Maimon:

It is a great question. And I think my best answer for it is very difficult to tell, but the way I’m thinking about it is you have a lot of businesses out there, a lot of FIs out there, which at the end of the day can address this issue by spending a lot of money on it. On the other hand, most of the organization out there, most of the FIs out there simply do not have the same resources. And so in terms of how far folks behind, again, I don’t know. I assume though, given what we see, is that some of the actors, some of the organization maybe are more able to address this issue than others. Now, I agree with you 100%. We are seeing fraudsters using Gen AI in the context of different types of operations. It’s really important though to make sure that we explain or we’re specific with the type of frauds that we see them using this type of technology and the uses of it.

So for example, in the context of creating synthetic identities, we, in SentiLink, do not believe that Gen AI is playing a very important role there because at the end of the day, it doesn’t really require a sophisticated tool to create a fictitious identity. Having said that, Gen AI will be very important maybe in bypassing the liveliness test that we’re seeing out there, maybe helping folks with cloning voices and things of that nature. We are seeing people, and by people I mean fraudsters, we are seeing fraudsters using these technologies in order to try and bypass the later verification checks that we have there.

We also see many fraudsters using a lot of the Gen AI tools, I’m sorry, out there quite openly. I can share that in July 2023, it was a very important month, because we were able to see evidence of criminals selling access to FraudGPT on Telegram and the Darknet. For 500 bucks, you were able to get access to the tool, which allowed you to put together very, very sophisticated smishing text or phishing emails, allowed you to come up with very legitimate looking scam pages, allowed you to write malicious software, allowed you to use remote desktop protocols in a more efficient manner. And so we know that folks started using these tools because we’ve seen people purchasing and working with it and putting their commodities out there.

Yvette Bohanan:

And that’s what it’s called, FraudGPT.

David Maimon:

Yeah, FraudGPT. You have several Gen AI tools out there, FraudGPT is one of them. And yeah, folks are using it. For 500 bucks, you can get access to it. 500 bucks a month, you get a membership for it and you can start using it to create all these amazing tools. The other tools, other Gen AI tools, which allows you to create malicious software easily. And we are seeing the criminal using those tools.

Bryan Derman:

That’s an industry.

David Maimon:

That’s an industry. Definitely… We are talking about an industry-

Bryan Derman:

That’s a component of the software industry. It’s only a matter of time before they introduce a loyalty program, I think.

David Maimon:

Yeah. And to me, what’s interesting is this is only the things we see. There’s so much… There’s so many things which we do not see. And the level of sophistication there I would assume is way higher than what we see on the surface level. So I can definitely tell you that Gen AI is being used by the criminals for specific types of operations. Again, we don’t see a whole lot of it happening in the context of the creation of synthetic identities. We don’t think that it has a lot of use in that sense, but maybe there’s some use for it in the context of creating fake images, bringing images to lives, bypassing liveliness tests, voice cloning. In that sense, Gen AI may play a role.

Yvette Bohanan:

Probably play a big role. And one of the things around identity and this sort of fabrication and the tools, you did some research recently that you shared about looking at a hundred random identities between 2022 and 2024. And you noticed that when you hit that against your consortium data at SentiLink, that on average exploited identities weren’t actually showing up in other channels for sale or use, I’m assuming, for 10 months. When you say, “We know what’s happening, but we don’t know what’s happening, we see what we see, but we don’t know what we don’t see,” does this point that finding point to that a little bit?

David Maimon:

Definitely. It’s definitely an indication that there’s a lot happening under the ground and we’re not seeing this until we’re seeing it. And so this really interesting exercise we ran with SentiLink is an evidence for that. What we’ve done there was we took 100 random identities, which the criminals posted out there on Telegram, and we simply looked at our database to try and figure out what can we see, what can we learn about them. And one of the interesting things that we’re able to find about those identities is that before they are leaked, the criminals are using them quite a lot. They use them for a fairly long period of time. We’re talking about 10 months usually. They’re using it to submit applications to many, many different types of companies, which is really interesting. And it seems like only once they exhaust operation respect to the utility of the identity, they leak it to the ecosystem.

And that is a really interesting finding. And the other interesting finding, which we haven’t really discussed yet, and I’m happy to share here, is that oftentimes when folks’ identities are being stolen, they’re not even aware that is happening. One of the interesting findings we have there is we took the identities I just talked about, and we tried to figure out whether those identities have some kind of a fraud victim marks on there, whether folks have a designation of a fraud victim or whether they have some kind of a credit freeze on the identity. And we realized, unfortunately, that 38% of the identities we work with had no idea that someone is using their identity to try and open a new bank account or take a loan on their behalf, 38%. The number is actually a little higher.

It’s around 40 something percent. But one of the interesting things that we were able to find was that after the identity was leaked, a month after, around 5% of the individuals were able to figure out the fact that the identity has been stolen and then they placed a freeze on their [inaudible 00:52:36] But in reality, we still have large number of individuals whom their identity has been stolen and they’re not even aware of it. That is extremely interesting, and that speaks volume to the fact that a lot is going on underground. And we as a big company who actually specialize in verifying identity and offering risk solution, can spot some of it, but the layperson unfortunately will not be able to tell that they became a victim of crime.

Yvette Bohanan:

Right. Unless they were phished and then realized it, or unless it was a direct, direct hit, you just don’t know. And I think that begs the question around… We may have freaked some people out on this podcast a little bit more than maybe they already were. Any advice for our resources to be aware of for individuals who may suspect that they’ve been a victim of a scam or identity theft, what do you recommend people do? And then I’m going to flip it around and ask you, for decision makers out there in business trying to figure out how to protect their business and their customers or their clients, how should they be thinking about this? Because no one has enough money in their budget, as a leader anywhere these days, to protect against everything. And we’ve pretty much covered off that any form of payment and any person is vulnerable. So how do you decide what controls to invest in if you’re a business leader? So you could take the first one. I don’t know which one’s the easier, you can take whichever one you think is the easier guidance to give first.

David Maimon:

So listen, the last thing I would want that will come from this interview is that things are gloomy and that we’re all going to doom and anything and things of that nature. I can tell you that because of the many signals for the increase in fraud that we’re seeing out there, a lot of good people and a lot of amazing companies getting into this ecosystem, they’re getting into this field and trying to produce effective solutions. So that is something that is very important to remember. So in the case of SentiLink, one of the companies who are doing the work. We’re the leading provider of identity verification and risk solutions, and at the end of the day, our mission is truly try and increase trust and confidence in order to allow our financial institutional partners to verify identities in a more efficient way. So it’s important to understand that that is happening as well.

Now with respect to decision-making process, with respect to the adoption or tool of policy, I strongly recommend folks to follow, what I call, an evidence-based approach. We actually wrote a book called Evidence-Based Cybersecurity with a focus on cybersecurity. And the whole point of the book was to explain what evidence-based cybersecurity is, and make sure folks in the industry adopt the approach when making decisions with respect to adoption of a tool or a policy in the context of their organization. At the end of the day, as you mentioned, most organizations do not have all the money in the world. They can’t just spend money on the problem, and they need to be very strategic with respect to the way they are purchasing a tool or applying a policy. And to me, the best way to do that is by relying heavily on evidence produced by scientific research, or by research that is impartial, unbiased, that you can trust.

I think… We wrote the book in 2021, focusing on cybersecurity. I think that we need to do another one, to write another one, focusing on evidence-based fraud prevention. Because at the end of the day, we are seeing a lot of tools, a lot of policies out there, but at the end of the day, we’re not really familiar with the effectiveness of the tools. And at the end of the day, the consumers, any organization out there, any decision-making out there, want to know what they’re buying, want to know what they’re getting for the tool they’re purchasing, or what they’re getting if they embrace a specific policy, which in their mind will help prevent and mitigate the consequences of fraud.

So relying heavily on scientific research, which tells us what works and what doesn’t, to me is the answer. Testing those tools in the wild is extremely important, because things looks very different on the lab versus on the wild, and keeping an eye on the ecosystem, I think it’s important as well in the context of the evidence-based cybersecurity approach, evidence-based approach in general, because many tools or many policies will help you solve an anecdotal issue, but they will open a slew of other problems. So folks need to be aware of that, and evidence-based research should guide them in their decision-making process.

Yvette Bohanan:

And is this what you’re teaching and working on through? Is this what the Georgia State University… I mean it’s in the name, right? Evidence-based Cybersecurity Research Group. Is there an offshoot at all around…

David Maimon:

So wearing my professor hat, yeah, that’s definitely one of the things that we’re teaching, is simply to take the approach, implement it in the context of cybersecurity, is also in the context of online fraud prevention.

Yvette Bohanan:

Yeah. I think it’s interesting because I’ve talked with a lot of people who are in decision-making roles, I’ve been in a decision-making role around investments like this, and the skepticism… Because you’re talking about healthy skepticism, and the skepticism you often hear in the room in these conversations is either skepticism around the fraud team or the CISO. “Is it really that bad? Are you sure we’re having this problem? Are you sure that this is something we have to invest in? We really don’t want to defer our marketing dollars to this.” That kind of skepticism. And what you’re saying is accept that there’s an issue, be clear about what the issue is and get clarity, but be skeptical about the solution that you apply to it. I think what actually happens is the reverse, people are skeptical of their own folks saying there’s a problem or the evidence that they’re seeing around that, and they’re not skeptical enough. They jump to the first solution they can find and not really dig in and say, “Is this the right solution?”

David Maimon:

But I think it’s on both sides. I think based on my understanding of a lot of conversation I’m having with CISOs as well as fraud prevention officers out there, the major challenge is first to convey to the C-suite the issue we’re experiencing. Because as you said, they’re very skeptic about that. How do you know what you know? And so I think first thing folks need to do in that sense is to be able to convey to the C-suite the issue using visuals. I think one of the reasons folks like lurking on my LinkedIn page, we simply put a lot of visuals out there which help demonstrate people the issue. How things look like. At the end of the day it’s not just numbers, it’s how the criminals are doing what they’re doing. So that helps a lot. Convince the C-Suite to come up with a decision that “Yes, this is an issue and we want to invest in it.”

Now on the other hand, once you have the money, again, you don’t have all the money in the world, you need to make conscious decision in respect to, “Okay, which solution will be most effective, most relevant to what I’m experiencing as a company?” And I think in that sense, finding evidence for the effectiveness of the solution is what, at the end of the day, you should drive your decision-making process with respect to adoption. And then of course, you adopt the tool, you test it, run it for a while, you figure out whether it works for you or doesn’t. Hopefully it will, and then you continue with it. But I think evidence-based is extremely important to make decision in the context of fraud prevention.

Yvette Bohanan:

Makes a lot of sense. We apply it in a lot of other things in life. Works here too.

David Maimon:

Yeah.

Yvette Bohanan:

Well, David, I hate to say this, but it’s that special time when we have to wrap things up, and this has been a really illuminating conversation and I hope… Well, I hope you’ve enjoyed it as much as we have. It’s been very interesting.

David Maimon:

It was really great, and I really appreciate you having me on your show.

Bryan Derman:

Very educational and a little scary.

Yvette Bohanan:

Yeah. Yes.

David Maimon:

Oh good. We have good people working on the issue.

Yvette Bohanan:

That’s right. That’s right. We have to… A big shout-out to all of the fraud fighters and data scientists and developers and software engineers, everybody out there who’s working to prevent this. And to the decision makers who are listening and the VCs who are investing and all of that, we need everybody’s help, the regulators, everybody, needs to be in on this game. So thanks. And to all of you who have joined us for this episode, until next time, please keep up the good work. Bye for now.

If you enjoy Payments on Fire, someone else might too. So please feel free to share this podcast on your favorite social media outlet. Payments on Fire is a production of Glenbrook Partners. Glenbrook is a leading global consulting and education firm to the payments industry. Learn more and connect with us by visiting our website at glenbrook.com. All opinions expressed on our podcast are those of our hosts and guests. While companies featured or mentioned on our show may be clients of Glenbrook, Glenbrook receives no compensation for podcasts. No mention of any company or specific offering should be construed as an endorsement of that company’s products or services.

 

 

 
