Get in Touch
My Account
Data | Identity | Payments Fraud

Episode 273 – The Hard Science of Fraud Investigations, with David Maimon, SentiLink

Yvette Bohanan

September 10, 2025

POF Podcast
Share On Linkedin
Share On X
Share Via Email

If you are a regular listener to our podcast, you know that David Maimon has been a guest this year as part of a series on payments fraud trends and tactics. David is the Head of Fraud Insights at SentiLink, where he and his team use a “data-driven” approach in their investigations to uncover schemes being conducted on the dark web – and sometimes in plain sight – that enable first and third-party fraud.

If you haven’t listened to our previous conversations with him, you can check them out here:
Episode 257
Episode 260

In this episode, we’re delighted to welcome David back for part three in this series to dive into how David and his team create these data-driven insights, and how they have applied their research to predict the fraudulent use of identity information.

 

 

Yvette Bohanan: Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for this episode of Payments on Fire. If you are a regular listener to our podcast, you know that David Maimon has been a guest this year for a series on payments fraud trends and tactics. David is the Head of Fraud Insights at SentiLink, where he and his team use a data-driven approach in their investigations to uncover schemes being conducted on the dark web, and sometimes in plain sight, that enable first and third-party fraud.

If you haven’t listened to our previous conversations with him, I encourage you to check them out. In this episode, I’m delighted to welcome David back for part three in this series to dive into how David and his team create these data-driven insights and how they’ve applied their research to predict the fraudulent use of identity information.

David, welcome back to Payments on Fire. Thanks so much for joining me for this series.

David Maimon: Thanks so much for having me again, Yvette.

Yvette Bohanan: I learn 5,000 new things every time we talk, so hopefully this will be a very informative conversation once again for our listeners. I wanted to start with a phrase that you talk about a lot and I want to kind of dig into it in this episode. You talk about a data-driven approach to finding out what’s going on with fraud and fraud schemes. I think people might be wondering exactly what you mean. You’re designing experiments, so you’re using the skills that have been developed in the hard sciences. But let’s just start with the very, very first question I have around this, which is, how do you come up with a research question?

David Maimon: So, sometimes Yvette, I’m going to get an email, from a podcasters out there who will give me a great idea for, an amazing, uh, research we want to launch. And, I’m referring to you of course, with one of the questions we got which I don’t have any answer to at the moment.

But I promise next time you invite me, we will have some, interesting answers.

Yvette Bohanan: Excellent.

David Maimon: And this essentially shows that, the research question essentially come from all over. But if you want to put more structure around that, as a scientist, or as a social scientist, we tend to, derive research questions from three different sources.

The first are theories that we have out there, areas which essentially help us explain the world. And so oftentimes what we’ll do is we’ll take the theory, we’ll try to sort of test whether it actually works or not in the physical environment, in online environment, try to find correlations between different variables, try to figure out whether the hypothesis we can come up with based on the theory are really correct or not. That’s just one way for us to come up with research questions. And that is the more sort of hardcore scientific approach, drawing on theories.

Then one of the other approaches for coming up with research questions are essentially talking to people, right? Like you and I talk a lot, right? And folks ask you as a scientist, as an expert, questions which sometimes you don’t know the answers for, right? And so if the question is interesting and it interests you as a scientist, then you definitely want to pursue it. So that’s another very important source which allow us to sort of develop research questions around specific topics.

And then people talk about all kind of topics in the news. You see things in the ecosystem you are part of. If you’re a curious person, you ask questions, you want to understand how the world works, you want to understand why you’re seeing what you’re seeing. And at the end of the day, that helps me come up with some interesting, I think, research questions, which will help push the envelope a little bit. I’m a curious person, I’m looking for answers, and research questions are best, in a sense, for me to try and come up with some answers to the questions we have.

Yvette Bohanan: And do you really try to formulate in terms of like an independent and dependent variable? Once you have that idea or that seed from someone, do you kind of pull at it a bunch of different ways to get to that relationship?

David Maimon: Yeah, 100%. But I would say it really depends on the type of research, right? When I’m thinking about testing a theory or when I’m thinking about testing the effectiveness of a policy or the effectiveness of a tool, then you gotta have a dependent variable, an independent variable in order to really answer the question in an efficient manner.

If, on the other hand, you’re just trying to understand a process, like for example, we had this really cool operation where we tried to figure out how one of the vendors out there, at the time they were selling some kind of a interesting commodity, how are they getting this type of commodity?

Then you don’t really form the question that way. You simply start engaging and you getting to the answer you think you will get. At the time, didn’t really have a hypothesis of how they were getting whatever they were selling, but most oftentimes, when we work with theories, when you’re trying to evaluate tools or policies, you have to design the research in such a way that you have a dependent variable. What is the program or the tool trying to accomplish? And then a list of independent variables, which will allow you to actually measure the effect.

Yvette Bohanan: Right. Okay. This is very interesting. My entire career, I’ve never chatted with anyone who’s using this type of approach. Maybe there are people out there, but this is really kind of intriguing to me. Because when you’re working at a company, a lot of people who are listening, particularly to these episodes in this series are going to be people who are in fraud operations or risk operations or chargeback operations or whatever, and when you’re in one specific company, you’re often tasked with figure out the MO. How are they doing this to us as a company?

You are taking that and you’re really looking at it in a very broad lens of how are they doing this as a professionalized industry or a group or a really sophisticated lone wolf or a set of lone wolves or whatever. And you’re really approaching this differently than following breadcrumbs through the customer journey to try to figure out where the vulnerability is, right, which is a whole different ball game in a sense.

David Maimon: I think it’s a great point that you bring. The approach I take is definitely broader, I would say, than the approach that fraud fighters out there who are trying to protect the house are taking, but I think folks should be open to adopting this approach in the context of their operation because if you think about that, it’s not only MO that we’re trying to figure out. I think many fraud fighters out there are in the market for new tools, new policies, right, in order to reduce fraud losses in the organization.

And, to me, the only way to test it is using the approach I’m talking about, like the evidence-based approach. So, you should try and figure out like what happened before, like quantify fraud losses or whatever you’re trying to sort of get some solutions to before you implement a policy or a tool and after. Right? That’s the only way in my mind to engage in effective fraud prevention. Without that, we’re just all over the place and the approach for fraud prevention and mitigation will be ineffective in my mind.

Yvette Bohanan: Yeah. I think what makes that challenging for a lot of people out there on day to day is, well, first of all, a lot of them don’t have the tools sometimes necessary or the team necessary to do that at that scope. The other thing I think that makes it challenging is when you’re trying to isolate, to understand one particular issue, you’re eliminating a lot of variables and sometimes people’s systems aren’t quite set up to eliminate variability, and so they’re not quite sure how it’s happening.

I’m not excusing, it’s like, they should try to use this. There’s also challenges to it that they have to understand to create that good design, right?

David Maimon: 100%. And I agree with you. It’s challenging and it requires resources. And to be frank, not a whole lot of resources, right? I think once you understand research design, once you understand how to quantify or operationalize specific things you’re trying to measure their impact on, like dependent variables, it’s fairly easy to do. In my mind, you just need to be aware of the fact that these tools exist. And to be frank, all you have to have is just an Excel sheet. And then in your mind, when you’re testing the effectiveness of a tool or a policy, measure or collect data, which will allow you to test the effectiveness of the tool and policy.

Now, that goes without saying that we’re talking about measuring effectiveness of tools and policies. It maybe will not be very relevant to understanding modus operandi of folks taking over your website or taking over your accounts, like how they’re doing this. But once you start doing things on scale, this approach will be relevant for that as well.

And to be frank, because we’re doing that at scale, we are doing that in the context of the online fraud ecosystem, it allows us to identify some really interesting trends and then potentially assess the effectiveness of different law enforcement sort of operations on these activities or the adoption of specific tools in sort of nudging the criminals away or pushing them towards specific types of fraud, right?

So I agree with you that it’s more complicated to do it on a larger scale and in the context of the online fraud ecosystem. But in the context of your own organization, trying to figure out what works and what doesn’t for you in preventing and mitigating fraud, I think that is definitely something folks should be aware of and try to implement in the context of their workflow.

Yvette Bohanan: Okay, so this is a challenge to our listeners if they’re not doing this, or to do better. And a lot of that is about data, right? So once you have a question formulated, you have a hypothesis or you’re making an observation maybe, or somebody asked you a question. Now you’re to the point where you have to look at the data to find out, right? This is data driven.

Where do you go for your data?

David Maimon: So this is where creativity is needed, I guess, right? So one of things I pride myself in is the fact that I’m trying to get as close as possible to my subjects, sometimes without them knowing that I’m actually collecting data. And of course, if you think about it in the context of university, there are a lot of ethic committees that you need to go through in order to make sure that you are allowed to do that. But when you conduct research in order to really try and understand MOs and you’re not going to publish the research, then you don’t really have to sort of engage in this process.

So, what I do is I’m trying to think about the end goal. Like what is it that I’m trying to understand? Am I trying to understand the reason for a dramatic increase in a trend that I’m seeing out there? Am I trying to understand how a specific policy, or a specific intervention, will nudge subjects, criminals, victims away from specific ecosystems? And then I use tools which will allow me to sort of collect the data and operationalize things.

So I can give you an example from one of my favorite studies out there. In one of my studies, I was really interested to figure out whether sending hackers a Facebook message telling them law enforcement is after them will reduce their probability to engage in website defacement. And website defacement is essentially them taking over websites, putting their content there, DDoSing that website, creating some damage to the organization.

So what we’ve done there, we had to figure out a way to measure the potential effectiveness of this message, right? You send someone a message, you want to see whether it actually resulted in reduction of the attacks that they generated. And so what we’ve done was, there was one of the websites that we were familiar with, it’s called Zone Age, and Zone Age is this website where the criminals are essentially talking about what they were defacing and they, they post-

Yvette Bohanan: Oh, so they’re like out there bragging about it.

David Maimon: Exactly. It’s a forum where they brag about their website defacement. And so what we’ve done, we went to that website. We took a sample of 120 hackers who were bragging about whatever they were doing. We downloaded their names, their aliases, and then we looked for those individuals on Facebook. Once we found them, we friended them and then we divided them to two groups. Control and treatment.

The treatment got a scary message saying, Hey, a law enforcement is behind us, you might want to lay low for a period of a week or so. The control, on the other hand, did not receive any message. And so once we sent that message, we continued to monitor the website and their activity, whether they talked and bragged about the website defacement.

And lo and behold, we realized that once you send them the message, they lay low like you tell them, which is really interesting, right? And then after a period of a month, you start to see them going back to website defacement. But to make long story short, it really depends on the type of activity you’re trying to measure, the type of intervention you’re trying to assess, and being creative and as close as possible to your subjects.

Yvette Bohanan: Yeah, and this is really interesting, so let’s just take that example. I want to make sure people really understand what we’re talking about because not everyone has done like scientific method, data design, all that. In that example, can you just call out what was your dependent variable, your independent variable, and then you mentioned how you developed your control group, which was really important.

David Maimon: So in that example, our dependent variable was the number of, web defacement attacks that they reported on the website before and after the intervention. And the independent variable was the intervention, whether we actually sent them the message or not.

Yvette Bohanan: Yeah. Okay. So, and then you split them. So you had a control group.

David Maimon: Exactly.

Yvette Bohanan: And the control group is really important because if you don’t have the control group, you’re measuring against a before and after, but you really don’t know for sure, right. Having that control is, a lot of times we talk about AB testing and things, but actually sometimes AB testing is, you’re changing, you’re taking the group, splitting it and changing differently on both.

So for example, in this situation, if you would have split the group and sent one a Facebook message that was really strong and the other Facebook message that was really weak about law enforcement, you wouldn’t have had a control group. You would’ve had just a sort of an AB test, but not a control group.

David Maimon: 100%. So that’s why control groups are so important. So control groups are those groups, those subjects who will not receive the treatment. They will be sort of the baseline. The assumption is that if you haven’t truly received the treatment, you will continue with your behavior the way it was.

This is one potential experimentalism, but there are other experimental designs like before and after, which does not necessarily mean, you will not necessarily need a control group, right? I love having control groups just to make sure that comparisons make sense, but sometimes we don’t have it. So for example, if you run a natural experiment, natural experiment is an experiment that happened without you having any control over it.

So one example for that will be, the implementation of 2FA by several banks out there, right? We have this really cool study we are about to publish. Essentially what we’ve done, we try to figure out the effectiveness of 2FA in reducing the volume of compromised bank accounts in the online ecosystem for banks who actually implemented it.

Yvette Bohanan: Okay, text message, or is it like authenticator, or just anything?

David Maimon: It’s really the process of text message and authenticator, whatever 2FA that the bank decided to implement in a specific time, specific date. We sit on many online platforms, that specific study was focused on the Canadian ecosystem, and what we’ve done, we downloaded systematically all those compromised bank accounts we’re able to find over a period of a year for all Canadian banks. And then we took the dates in which all the Canadian banks implemented their 2FAs. And then we tried to figure out what happened before and after.

And it was really interesting to see what happened before and after, right, for some of the banks. Two of the banks which implemented the 2FA, we didn’t really see any change, but one of the banks, we were able to observe a significant reduction in the volume of compromised bank accounts. Again, no comparison group, it was just we looking at the ecosystem, so to speak. And that was really interesting, right? We started to think, why is that we are seeing those dramatic differences between these two banks, which were major banks, still major banks in Canada, and other bank, which is another major bank. And then we started diving in and sort of trying to understand what was going on there. And then we realized the major difference between the banks, if you want to try and get it.

Yvette Bohanan: A major difference. Okay.

David Maimon: Let me just spill the beans. The two banks which did not experience this dramatic decrease in the volume of compromised bank accounts we’re able to find out there, were banks which did not obligate, did not force their clients to implement the 2FA. The bank that did experience this dramatic decrease is the bank that required all their clients to implement the 2FA process. So it’s really interesting, just to think about it and those differences, right? And in this example, we didn’t really have a comparison, like a control group.

Yvette Bohanan: Right. You’re just looking at a before after, which is a valid way of studying the situation. And a lot of times it’s what happens when you start, you’re just looking at before and after and then you start to develop hypotheses and then you kind of go into a more formal testing and control and sort of solutioning almost.

David Maimon: 100%. And I think it helps dramatically to the organization to actually assess the effectiveness of a policy. These two banks were spending a lot of money on 2FA, but they didn’t really see any benefit from it simply because they did not require their customers to deploy the 2FA.

Yvette Bohanan: So they were probably afraid, I’m going to guess, that it would be off-putting to customers to ask for this.

David Maimon: Maybe, maybe.

Yvette Bohanan: Good investigation. You always come up with more questions at the end, after you see a result. Yeah. That’s the process. You just keep going.

So when you found these results, did you analyze the compromises in those banks where they didn’t require it to sort of look at individual accounts and activity and what was happening and usage, like did the people who implemented it voluntarily differ in terms of their usage or number of customers who left the bank versus the people who were mandated to use it? Like did they see a drop off in their customers? The two banks that didn’t mandate it, was their fear about losing customers justified or not?

David Maimon: So these are all amazing research question, Yvette. So think about it from where I sit. I did not work with these banks. The data I got came from the platforms I spend a lot of time in, Darknet, Telegram, Signal, WhatsApp. The compromised bank accounts at the time, and this was I think a 2022, 2023 research, we were seeing a lot of those. We simply downloaded all the information to our computers. And of course we didn’t have access to the customers. We didn’t have access to the banks and their processes. All we had was public PRs with respect to when the banks implemented the 2FA process.

I can tell you that if I was an employee in the bank, the question we just traced were questions that I probably would’ve asked as well, try to figure out answers to them. And you can do it fairly quickly with the type of data that banks collect nowadays and the data scientists that many banks are now hiring. But these are definitely the questions that I think more and more institutions, financial institution, the government, credit unions should be asking themselves when they try to understand the effectiveness of the tools they’re working with.

Yvette Bohanan: Right. Absolutely. Okay. Very fascinating. Great examples. I’m going to sort of fast forward because you just came out with some new research on predicting something I find really interesting. You were predicting the probability of loss across different data breach vectors. And this is another thing that, people like to conjecture about this a lot, right?

But hard evidence or a statistically significant type of analysis that’s structured is absent in the general community. Maybe somebody did it in a proprietary way and didn’t publish it, but here you are, you’ve published this. So, this does feel like a question that is important and also super challenging to answer.

And now that we kind of understand the different methodologies you’ve been using, first of all, how did you land on this particular topic? What intrigued you about this or did someone write and ask you? Were you at a conference? Did someone raise their hand? Or did you just look at this data and say, This is just important for us to understand.

David Maimon: Yvette, I really love talking to you every time we meet because you have the same skepticism I have with respect to a lot of the data we have out there, a lot of the estimates we have out there in the context of fraud sometimes. And again, you and I talk constantly about this, I don’t understand how folks are coming up with those estimates, right.

In this specific research, I wanted to know, right? I wanted to understand the fear factor, right? People are telling us that all our identities are out there in Darknet, in Telegram, on the Clearnet. A lot of companies telling us that all our identities are being used or being stolen to facilitate fraudulent operations. And I’m very skeptic, right, about this. I simply wanted to test whether this is something that I’m seeing with my own eyes and can talk about it or not.

But as a scientist, it’s very difficult. If you’re just a professor, if you’re just a scientist and you conduct the research using upstream data like some of the data breaches that you have out there, it’s very difficult to answer questions, which will result in understanding the probability of a loss, understanding the probability of your identity to be taken by a fraudster, simply because you don’t have that information.

Maybe you’ll have access to the data. You’ll have access to the stolen ID. But you will never know how many people are actually using it. It’ll be very difficult to flag the first time it happened, unless you’re working with a company.

Yvette Bohanan: Right.

David Maimon: Unless you’re working with a company which does identity verification and which essentially sees all those identities on their doors, right, on a daily basis.

When I joined SentiLink, it was an amazing opportunity for me because it allowed me to take some of the upstream data that I’m seeing out there on Darknet, on Telegram, on the Clearnet, and try to figure out whether I’m seeing evidence of people using those identities in the context of identity theft attempt.

And that’s essentially how the idea came up with, I was, a lot of people talking to me about the risk of identity theft, if your identity is out there, but what is that probability? Like, what is the risk of having your identity out there? And that essentially what drove this research.

Yvette Bohanan: I’m so glad you did this, this one. When you designed this, in the beginning of the report, there’s three questions. Can you talk about the three questions that you set out to answer as this research unfolded, as you sort of actually took this bigger question and formulated into something that you could contest?

David Maimon: Again, when you ask a question, and we talked about the beginning of this podcast, right, you need to have some structure around, whatever you want to ask, and you need to think about how you’re going to measure what you’re going to measure. Now, our identities are being offered for free, for sale, on many, many platforms out there.

And so it was very difficult for me to cover all those platforms. I decided to focus on some of the platforms I’m very much familiar with and that I know that identities are being offered for free, take a sample from each of those platforms and then go back home to the company and try to figure out how many applications which scored high on identity theft I’m able to find for each of those identities. And so I took identities from Darknet, those identities, and this is a really important point to make at this point, those identities are identities which are being offered for free.

Yvette Bohanan: You said this now for three times, I’m just going to stop you. We always say fraudsters, professionalization, they’re out to make money, and now you’re telling me that the stolen information is offered for free. Why are they offering it for free?

David Maimon: They wanted to test that. At the end of the day, it’s all about building trust with customers.

Yvette Bohanan: Okay.

David Maimon: So if I want you as a potential customer, I would give you something, some proof that the identities will actually work. Whatever I’m going to sell you at the end of the day will actually work. And to do that, what I’ll do is I’ll put a set of identities out there for folks to experiment with.

Yvette Bohanan: So these are free samples.

David Maimon: These are free samples, free samples of identities. It’s kind of crazy if you think about it, right?

Yvette Bohanan: All right. So taste this, you’re going to love the dip. This is a great ravioli. Go buy a 600 pack. Okay.

David Maimon: Or thousands, right, of those identities. They put thousands of identities out there for free. And in this specific study, what we’ve done, we worked with a little over 1400 identities we’re able to find coming from data breaches. We also wanted to see whether the identities and coming from stolen checks will be used by the fraudsters as well.

Check fraud, as you know, has been an issue in this country for the last five years. One of the issues I talked a lot about is the issue of identity theft. You have your check stolen, potentially the fraudsters will steal funds from your account, but at the end of the day, if you alert the bank on a timely manner, the bank will reimburse you for those funds.

But, what’s more interesting is the identity piece on the check. And I was really interested in understanding whether the identities are being lifted from the checks and are being used by the fraudsters as well to engage in fraud. So what I’ve done was, I went to Telegram, downloaded a sample of a little over a thousand checks which were posted on Telegram in 2021 with the identities, with the balances on them.

And then I went to the Clearnet and looked at the voters list. The voters list have our names, our addresses out there. Sometimes they will actually have our political affiliation as well. So what I’ve done was I simply downloaded close to a thousand, names, and then I ran those identities in our systems in order to try and figure out how many identity theft attempts I’m seeing for each of those samples.

That is essentially what the research design was all about.

Yvette Bohanan: Okay. And what did you learn?

David Maimon: It was fascinating, right? The whole process to me was fascinating. Because again, finally I was able to get those numbers I was looking for, the probability of someone using your identity, if it was on a stolen check, if it was part of a free sample of a data breach, or if it was random, randomly disclosed on a voter’s list on the internet.

And so what we found was really interesting. If your identity was part of a voter’s list, the probability of someone stealing your identity is very low. We’re talking about 2%, which is, you know, the baseline. This is if you want your comparison group, Yvette. And

Yvette Bohanan: Okay.

David Maimon: this is the comparison group that we have in this experiment.

If you look at the identities stolen from checks, on the other hand, and you look at the probabilities of those identities to be stolen, we are talking about 9% probability. So significantly higher probability than the probability we find on the voters list.

Yvette Bohanan: Yeah, that is significant.

David Maimon: But then, what was more interesting was the probability of identities which were disclosed as part of a free database coming from a data breach.

The probability there shocked us because it was 96%.

Yvette Bohanan: 96%.

David Maimon: 96%.

Yvette Bohanan: If it’s being A sampled out or B part of the data set that someone goes back and buys, you almost have a guarantee of it being used in a compromised manner.

David Maimon: If your identity is part of these free samples coming from data breaches, from the Darknet, then there’s 96% probability, almost guaranteed, that someone will be using your identity, in the context of identity theft.

Yvette Bohanan: Wow. So if that’s the case with the sample data, your conclusion, you’re saying, and therefore that’s the case with any data, they’d go back and buy from that.

David Maimon: So that’s a great question, which we continue to investigate right now. The free samples, right, are exposed to everyone. Everyone can just download those free samples and use it. If you’re one of the, I would say the least lucky folks, and you are part of those freely available lists, then your identity will be stolen.

I mean, there’s 96% probability someone will be using your identity to engage in identity theft. Very complicated because we don’t want to buy, right, to assign this probability to databases, which are protected by paywall, So we just want to make sure that we convey this to your listeners as well.

Yvette Bohanan: That’s the caveat, but that’s still striking. Even if it’s half or whatever, right, of that 96%, that’s still significantly higher than anything else you tested.

David Maimon: It’s very significant. And what surprised us even more was the intensity of these identities being used. When we talk about intensity, and again, this is where I come from, sort of criminological theories, trying to figure out the progression of an event and how severe the criminal event will be. I’m very much interested in understanding the frequency of use and how long the identity has been used over the years.

Yvette Bohanan: Yeah. And some of this data you were pulling is aged. It’s several years old, right.

David Maimon: Right.

Yvette Bohanan: Sort of a longitudinal aspect here.

David Maimon: 100%. To be consistent, and this is something I forgot to mention, the data coming from data breaches is data that was available in 2021 as well. So we were moving forward with the identities. And again, another very interesting piece of evidence here, when you look at both the probability of identities, stolen identities coming from checks and data breaches to be stolen before and after the breach, you will see those dramatic differences, right? So if your identity was on a stolen check in 2021, moving forward, the probability was 9%, the probability of identity to be stolen. But if you look backwards, you will see the probability is very similar to our comparison group. It’s 2% only.

Yvette Bohanan: So these events matter.

David Maimon: And same goes for the data breaches data.

Yvette Bohanan: Right.

David Maimon: Which is, again, mind boggling because the percentages are so dramatically lower until someone is exposing the identities out there. But in terms of intensity, once the identity’s out there, there are different ways to use them. I was really interested in understanding how many phone numbers will be used in the context of identity theft. The duration, like how long will the identity be used?

And to make long story short, we find that if your identity was on a voter’s list or on a stolen check, then the number of people, the number of phones, which will be involved in attacking your identity will be two. But if your identity was part of a data breach, we’re looking at eight, between eight and ten different phone numbers which will be targeting your identity, potentially fraud rings, potentially different people. Everybody’s sort of trying to get a piece out of your identity.

And then the other really interesting piece is the duration. How long will your identity be used by these criminals? Over there, there were really interesting and dramatic differences. I’m going to read directly from the report. If your identity was lifted from a voter’s list, then essentially what we find is that the identity will be used around 48 days. That is the max, right from the time we found it til the last application we’re able to find. If it was a part of a stolen check, we’re looking at a duration of 109 days.

Yvette Bohanan: So like roughly a few months.

David Maimon: Few months. But if we’re looking at an identity that comes from freely available lists, which are available on the Darknet, we’re looking at 793 days.

Years of folks simply targeting your identities. Which, again, is mind boggling if you think about it in the context of victimization, the duration of victimization.

Yvette Bohanan: Yeah. And, if you’ve received multiple notices in the mail of data breaches where your identity and your information was stolen or whatever, then you’re looking at a compounding effect here. You have sort of like rolling overlapping years and waves of circulation and misuse.

David Maimon: And I can tell you, Yvette, I released a Forbes article, and I think I shared with you as well. My own experience with it essentially speaks directly to this finding, right? My identity has been exposed on one of the platforms out there. A lot of people were targeting it. That started in 2022. I can tell you that as of June of 2025, I was still getting letters in the mail saying someone has used my identity to apply for benefits, right? Or to apply for some governmental programs out there. My own experience speaks directly to the findings I’m reporting here.

Yvette Bohanan: It’s mind blowing when you start to talk. There was some recent research by the, I want to say it was the Pew Charitable Trust, on scams and slightly different, but 78, 73%, somewhere in that neighborhood of people have reported being the victim of a scam.

And a lot of those scams are getting identity information out of people. Some get money, but a lot of them just get identity information and then they take it and sell it and use it and whatever. So I think a lot of people can relate and maybe one degree removed from someone who’s had this happen at this point, at the most.

Did you debunk any myths here with this research or learn something that you, I mean, these are all pretty interesting findings because they’re quantified and you’re measuring time, you’re measuring probability, you’re putting hard numbers against something that people have suspected or conjectured. But did anything really, did you just sit back one day and look at something and go, what?

David Maimon: I think, again, the duration is something that I was very, very surprised about. One of the other things that we’ve done in the report, in the study was we actually try to figure out the industry that folks will be using the identities with, and one of the recommendations we give folks who their identity has been stolen is essentially freeze their credit score, right?

Because we believe that the first thing criminals will do once they have the stolen identity is they will try to take a loan under your name, right? And when we looked at these samples, we’ve seen that the first couple of things folks will try to do with identities coming from data breaches and the stolen checks is go and open a new bank account or a telephone account. These are the first things folks will be doing with those identities. And that was surprising to me.

Yvette Bohanan: Yeah, get the tools to do the other stuff.

David Maimon: And so it’s really interesting to see how they sort of set the ground. The first couple of things they will do is they’ll go to those sort of the FIs, open a bank account, try to get a telephone associated with the identity, and then potentially hit the lending institutions.

That was something that, again, I was able to see for the first time with my own eyes. This was giant squid. I keep using the giant squid story. The first time I was able to see this in my own eyes and it made perfect sense. But, when I thought about the use of an identity in the past, it was always folks trying to take a loan under your name. But it’s more complicated than that it looks like.

Yvette Bohanan: It’s more systematic.

David Maimon: Yeah.

Yvette Bohanan: So based on what you learned here and kind of what you know in general, we have people listening who are in financial institutions. What do you have for them? Like what advice, knowing what you know, sitting here today, what would you say to them or to a business or to a regulator or a government agency?

Do you have any thoughts of like what they should be considering?

David Maimon: Yeah, it’s a great question. And, given what we know at this point, I will definitely still encourage folks to make sure that, their credit scores are frozen, right. But maybe before that, when you think about sort of advice to the industry, those identities which are out there will be used, right? We know now we have evidence suggesting folks are actually using the identities.

There are different probabilities of using those identities, depending of the vertical or the exposure vectors, but the identities will be used. And so folks definitely need to have a strategy with respect to how to detect stolen, identities or synthetic identities, otherwise accounts will be open, under victim’s, names, right? So, for the banks, they need to be aware of that. They need to be aware of the fact that there’s a process. The folks are essentially following processes we just talked, right?

Folks will go, they will take the identity, they will try to get a telephone number to it. They will go to the banks, then they will go to the credit union, then they will go and try to get a loan. Then they will maybe put together a business around the identity and then file for tax refund. But, we definitely see the first couple of steps that these guys take with the identities in getting a phone and a bank account, right? So in that sense, it’s really important for folks to understand, I think, for, businesses as well as for individual. It’s really important to check how many bank accounts you have under your name, right? I Again, this research is a very important evidence for the fact that even if your identity, or your credit score is frozen, folks can still use the identity in order to open a bank account. So I strongly recommend folks ChexSystems or any other reporting agency, which has the list of bank accounts you have under your name. Order the annual report just to make sure that you are familiar with all the accounts under your name. If you’re not, then you should definitely flag it to the relevant institution.

And then I think identity theft protection plans are also important. Very difficult for me to sort of talk about the effectiveness of those plans in respect to flagging the fact that your identity is being used. Some of them are better than others, but many of them come up with some kind of an insurance that helps you recover some of the funds if funds are being lost with your name. So, this research essentially helps me sort of validate some of the things I’ve already, known in respect to how we should protect our identities and, with respect to the industry, put those numbers out there and allow us all to understand that this is not a myth, sort of speaking. It’s not a myth. The identities are being used and these are the probabilities that we find to them.

Yvette Bohanan: Great. So where can our listeners locate this in publication and other publications that your teams are putting out?

David Maimon: This publication, this report is available on SentiLink website, so I strongly recommend folks to just go on the website and download the report. It’s free. I think it’s an interesting read and strongly recommend fraud fighters to just go through it.

Yvette Bohanan: Yeah, there’s a lot of great reporting out there on that website. David, it’s a special time, unfortunately, when we have to wrap this up, so I want to thank you for taking time with us on this episode, and thank you and your team for all the work that you are doing. You are putting a lot of effort into grounding us all in this industry on what is, what isn’t and what could be so that we can get better at helping each other and helping our customers and everybody else stay safe out there.

So thanks for helping us sort of reshape what fraud fighting and risk management is all about.

David Maimon: Thank you so much for having me, Yvette. It’s always a pleasure.

Yvette Bohanan: And to all of you listening, thanks for joining us. I hope this gave you some food for thought today. And until next time, keep up the good work. Bye for now.

Take us with you

Payments on Fire is available on iTunes, Spotify, Google, Stitcher, Pocket Casts, and other podcast apps and services. Or just say “Alexa, play Payments on Fire podcast.”

Goodpods Top 100 Payments Podcasts

Listen now to Payments on Fire™ podcast

Payments News

Stay on top of the rapidly evolving payments world with Glenbrook’s free curated news feed, delivered daily to your inbox.

Learn More

Payments Views

Read our commentary and opinion blog written by members of the Glenbrook team on payments industry topics, large and small.

Learn More

Payments Boot CampTM

Glenbrook’s live and on-demand workshops help you understand and apply the innovations shaping the payments industry. Register today or schedule a custom workshop for your team.

Learn More

Stay up to date on payments

Join Glenbrook’s mailing list to get access to valuable information about payments and discover how you can expand your knowledge.

Sign me up!
$

Trending Episodes

Catch up on popular conversations

Episode 253 – Glenbrook Partners: 2024 Payments Industry Trends Wrap Up

Episode 261 – Fanning the Flames: Global Payments Acquisition of Worldpay

Episode 249 – Two Decades of 3-D Secure: Can Strong Customer Authentication Succeed in the US and Unregulated Markets? Dewald Nolte, Entersekt and Amandeep Batra, Stripe

Episode 214 – We Just Can’t Stop Talking About Tokenization

Episode 238 – Will Pay by Bank Really Compete with Cards? Trevor Nies, Adyen

Episode 241 – How Open Banking is Reshaping the Financial Playing Field – John Pitts, Plaid

Episode 164 – 5th Annual RTP Network Update – Steve Ledford, The Clearing House

Episode 162 – Stablecoins, Cross-border Payments & Interoperability – Ran Goldi, First Digital Assets Group

Episode 263 – Driving Digital Financial Inclusion: The Journey We’re On and the Road Ahead – Michael Wiegand, Gates Foundation

Episode 248 – The Ins and Outs of Payouts – Manish Vrishaketu, Tipalti

Launch, improve & grow your payments business

Talk to the Payments Experts