So if you're in the room earlier, you've already heard several really good discussions about fraud. I think it's a, a very interesting topic. It's one of course we would rather not deal with. It's a cost to business, it's a hassle and it can be far worse than that even, but it's an unfortunate thing we have to deal with. So I'll just launch right in. Talk about what the fraud landscape is.
You know, it just rapidly evolves. It's actually quite surprising how quickly the techniques and targets move around in this field. So everybody likes statistics. I won't read through all of these, but I think some of the most important things here are the, the, the sheer numbers in terms of losses, the number of attacks and, and where things have shifted in the last, even just the last year. Investment scams, cryptocurrency investment scams in particular, are, are taking a huge chunk out of the economy, over $10 billion.
And this number is rising.
And this is, this is a development, you know, just within the last couple of years that there's been such an emphasis by fraudsters on trying to get people to invest in cryptocurrency. And, you know, it sounds like, well, surely I wouldn't fall for a thing like that.
But these, these fraudsters go to such great lengths to try to make things look real. You know, they will contact victims initially over social media or, or over SMS or even call and, and their goal is to sort of develop a friendship with you and then get to the point where they say, you know, by the way, I've got this, this thing I've been making some money on. And then the person goes to this site and they look at it and they go, wow, this is, this site looks more sophisticated and better than my bank.
You know, and they'll do things like require the use of multifactor authentication. So, I mean, it looks really legitimate 'cause it's more secure in some ways than a lot of financial institutions. But in the end it's not.
It's, it's, it's a big scam and people have lost a lot of money on that.
And again, just another view of statistics, you know, it's like those graphs you see on social media, the things are bubbling up and changing positions.
Well, right now, these investment scams are kind of at the top. But you know, you can also see things like business email compromise, tech support, confidence, romance scams. These things are, are overall increasing in volume and in the numbers of lost money, you know, and in Europe, I think we have been quite happy with PSD2 in the last few years because, you know, that has required strong customer authentication. So that means using, you know, risk adaptive authentication, two-factor, multifactor authentication.
And this really has helped with sort of taking away some of the higher level account takeover types of fraud. But you know, what happens when the fraudsters go after the credentials themselves?
So, you know, strong authentication is great, but if somebody can get those credentials away from you, then it looks like you are authenticating to your bank and trying to transfer money. That's why it's really important to have, you know, non-phishable credentials. But you know, on the whole, I think PSD2 has made a, a positive impact.
So let's talk a little bit about the major types of fraud. You'll see that there's lots and lots of different types and we've heard a bit about AI, you know, over the last year, who hasn't.
But, you know, one of the things that we have heard repeatedly that it helps fraudsters develop better phishing text, which is true. You know, you used to be able to a little bit more easily detect that an email was not quite legitimate because maybe it didn't have the best grammar, the best spelling.
But, you know, thanks to some of the LLMs that are out there, it's gotten a lot easier to write, or for the fraudsters to write, phishing, spear phishing texts especially. We have seen, you know, within the last couple of hours some demonstrations of what it's like to use face swapping technology. So image generation for synthetic ID fraud, much easier now than it used to be. There are other ways you can use LLMs to sort of make inferences about other parts of data.
Let's say you get somebody's name and address, but you want to use that to create an account on their behalf where you can use LLMs to kind of help you fill in the blanks to be able to fill in other forms to get accounts in the names of, you know, an intended fraud target.
And, you know, some account opening accounts. Sometimes it requires creating a utility or having a utility bill or something that demonstrates you've lived in an address. Guess what, LLMs can help you generate utility bills or fake bank statements or things like that.
So there's, there's lots of different avenues that AI is being used to help fraudsters today, unfortunately. So three of the biggest account fraud types we've seen mentioned account taker, account takeover already. That's trying to get at least temporary access to, you know, a legitimate account. Why do they do that?
Well, of course, to get money out of it and, you know, any kind of account that can be convertible into some kind of currency is something that they're gonna be going after. You know, it used to be, well, finance of course makes sense 'cause that's where the money is. But retail, e-commerce, travel and hospitality has been hit quite hard.
You know, because frequent flyer miles or other kinds of reward points, anything that you can convert into money or, or something of value. So it has definitely moved way beyond finance.
And the interesting thing is, is now trends are according to those who follow that the bad guys will take over accounts and maybe wait months to do something with that account. So there, there may be this period where let's say they've gotten in, gotten information from the dark web, you know, username, password combinations, they'll go in and reset passwords on accounts and just let them sit for a while until they decide to use them.
So there's this period where, you know, you may have a signal if you are, let's say running a consumer facing business, you may see a signal that indicates a potential account takeover. What, what should your responsibility or our responsibility as practitioners in the industry be, you know, in that interim time with regard to, you know, how do we safeguard that account? I think that's something that we need to start thinking about. There's account opening fraud, kind of mentioned a bit of that already. That's trying to create fake accounts based on real people's data.
And I'll tell you a bit more about where that comes from in a minute. But this is, you know, really about going after financial fraud, money laundering, creating mule accounts to move large sums of money around. And then there's synthetic fraud. This is the one that's kind of in the middle.
You know, the goal is to make fake accounts that kind of look real. And you can see these pictures I got by using the, this person does not exist or whatever. So they look very real, but yet they're not. And this is also used for financial fraud. And something I've recently learned is that, you know, they will start small. So they might do something like get a credit card for, you know, a small business, maybe the hardware store or something like that. And it might have a pretty low credit limit, but they, they farm these accounts.
So they'll start, maybe they'll get a 250 euro limit and they will use that and pay it back until, you know, over the course of time you get a much higher limit then it's certainly worth more. They may trade those accounts to others, but they've farmed these accounts now to where they have higher credit limits and therefore more valuable.
And again, just like account takeover fraud, any industry that's offering credit really can be targeted.
So how do they do these? So ATO, account takeover: phishing, probably the biggest one.
Again, like I said, it's good to have non-phishable credentials, but they're still using brute force password guessing, compromised credentials from dark or data breaches, running credential stuffing attacks, that's often generated by bots. That's one reason we like to do bot detection. And then anything that, you know, might put malware on a device that would, you know, allow full access, you know, a key logger, that way you can capture username, passwords and things like that. Account opening.
You'll notice there are lots of cases in the news where you might wonder, well, why would a hacker go after something like school records or employment records? Well, it's to get that data to, you know, take over somebody's account or help build an account, you know, that looks like a real person.
So they'll use government records, school records, healthcare records, insurance records, anything that, you know, gives them sufficient data to create an account. And we saw a good example of this earlier too, with synthetic synthetic fraud information sources.
There are AI image generators out there. They can use generative AI.
As I said, there's app cls, the face swap tool, mobile farms, virtual phone emulators, there's all sorts of tech that can help them with synthetic information. Credit card fraud, an oldie, but a goodie, I guess, if you're a fraudster. Card not present, those are still quite commonly seen in industry, card not received, counterfeit cards and stolen cards. So credit card fraud is still a problem, certainly hasn't gone away.
I wanted to drill down just a little bit here on phishing, smishing and vishing, and heard of a new one.
You know, phishing, you know, using QR codes, you, you've seen QR codes in public a lot. You know, sometimes they can be links to malware now. So you have to be very cautious about what you scan in terms of QR codes. But you know, beyond the fake investment opportunities, you know, you'll see a long list of fake this and fake that. Anything to try to get the attention of someone such that you can get malware on their device, take over their device or get their credentials. So all of these different kinds of methods have been used and are, are still in use as well.
E-commerce fraud.
So a lot of this has had kind of a financial angle and you'll see that there are a whole different set of attacks on e-commerce or retail sites, you know, and a lot of these are bot perpetrated. You can see things like inventory hoarding, we call 'em Grinch bots, API inventory checking bots, you know, and you can't just blanket say no bot traffic can come to our site because, well, API calls are, you know, the bulk of what we see on the web today. So that's how business is being done.
So you, you can't just deny all bots because some bots are actually legitimate and then some kind of fall into a gray area where, well, you know, it may not be bad, but I don't want it to interfere with normal business operations in my site. So you can see there's lots of different schemes here that can certainly impact e-commerce. Fake reviews, fake comments. I think we all wonder about those from time to time when we're acting as consumers ourselves. Is this comment real? Is this review real?
You know, and it's a, a bit of a cottage industry to try to determine which ones are and aren't and keep that environment clean. Fake job postings, you know, fake downloading bots ticket purchase. So there's just a wide range of e-commerce sites and, and the, the kinds of threats that they face.
So to wrap up here, I wanted to talk about the six major detection and mitigation techniques.
This, I do a lot of research on fraud as part of my job here at KuppingerCole. It's one of my coverage areas. And these are the six major categories that I look for in what we call fraud reduction intelligence platforms. First is identity proofing or identity verification. We've heard a bit about that today in this week, and I'm sure we'll hear some more. I think this is becoming much more popular because it is absolutely necessary to help prevent some of this account opening fraud that we've been talking about. There's credential intelligence.
This is, you know, has this account been, somebody's tried to break into it recently. You know, these fraud reduction intel platform vendors will use information about what's going on within their entire customer base. But we don't, what we don't see a lot of right now is sharing of information between these vendors.
So, you know, if, if an account is used over here and we know that it's fraudulent or suspicious, and then, you know, some other company experiences a hit from that, that same credential, it would be nice if there was some near real time signal sharing between those domains. But in most cases, that's not there yet. Device intel, this is looking at features and factors about our devices, computers as well as mobiles. User behavioral analysis. This is looking at, you know, say login location transaction information.
If you're in an e-commerce setting, does this look like something that I would buy based on my transaction history? Behavioral biometrics, this is how we interact with our devices. This is, you know, touchscreen pressure, keystroke, mouse. You can use that to build a, a, a personal profile. And when deviations from that come in, then you can say, well, it's time to raise the risk level and make a decision. And then I've talked a bit about bot detection and management and why those things are important. So I see I'm out of time here, but that's kind of an intro to where we are in the fraud space.
I'll open it up for one question in a minute, but how many are concerned about fraud from your own business perspective? I mean, are you running a consumer facing site or are you, do you, do you see fraud as a, an ever present danger? You've gotta deal with, just raise your hand if you do.
Okay. Okay. Any questions, anything online?
I, I'd really just like to make a statement in support of what John has been talking about. I suggest that anyone that's interested in this go and Google the BBC report on how a Bulgarian gang managed to defraud the UK benefits agency of 50 million pounds by scamming identities, all the kinds of documents to prove these identities and so on and so forth. So not only is it important to understand the techniques, but it's also important to actually protect yourself.
Agreed. Well thanks Mike.