Whispers on the Wind: Detecting Early Fraud Indicators

Posted August 14, 2018

Whispers on the Wind: Detecting Early Fraud Indicators

Most fraud prevention teams specialize in locating fraud-in-progress by mapping links to known fraud events. The methodology is based on sound logic: if we know that fraud has taken place, then it stands to reason that linked activity is also fraud, justifying active mitigation and preventing further fraud losses.

This approach pits the speed of identification and mitigation against the speed of fraudsters, and the automation of fraud attacks is a modern reality. Fraud teams already recognize that in many instances the speed of fraud has eclipsed the speed of mitigation, necessitating a new approach to fraud prevention that stems from the intersection of cyberattacks and tried-and-true fraud schemes.

In order to combat this complex and growing threat, it is critical to pair real-time fraud intelligence tools like ThreatMetrix, with enhanced information-sharing approaches between fraud teams and organizations to identify and mitigate threats as early as possible in the chain of events.

The Problem – Obsolete Fraud Prevention Methods are Ineffective

Just based on the numbers alone, fraud teams are failing to halt the growth of cyberfraud. This is not somehow an indictment of fraud teams, or a claim of a lack of effort by industry – it is a simple statement that despite growing investment in combatting cybercrime, fraud rates continue to grow, accelerated by increasingly sophisticated and automated attacks that are threatening profit margins everywhere.

To put it in perspective, according to the FBI’s Internet Crime Complaint Center (IC3), the cyberfraud five-year growth rate is double the return of the Dow Jones Industrial Index over the same period. Total reported cyberfraud losses have nearly doubled in five years, growing from $781 million dollars lost in 2013 to $1.4 billion dollars in 2017 , compared to 49% DJIA change within that period. Gauging actual losses can be even more difficult as losses frequently go unreported.

The silver lining to this changing playing field is that digital surfaces convey vastly more data per event than an analog surface ever has, leaving reliable traces of every stage of a fraud attack. Fraudsters are constantly developing new fraud techniques, and that development has naturally trended to the familiar development/testing/production paradigm of any other software development.

When combined with the billions of cyber events profiled by ThreatMetrix across scores of different industries, we can spot some of the earliest signs of fraudsters testing new techniques and proactively build innovative rule structures to frustrate attackers before they see any profits – and therefore preventing fraud losses rather than reacting to them.

A Different Approach – Match Human Against Human, Bot Against Bot

This approach to fraud identification and mitigation is to identify high velocity activity that shows signs of being a coordinated attack. These signs can include shared bulletproof hosting providers, similar methodology, or shared data suggesting a coordinated actor.

Fortunately, ThreatMetrix technology is built to make this behavior stand out, allowing fraud analysts such as myself to leverage highly automated processes to filter out noise in order to detect high velocity fraud events. I can then attempt to “find the human” by backtracking across events that show a similar methodology until I discover the original low-velocity human activity. This represents the pre-automation or pre-attack development cycle of the fraudster.

Despite some claims that the only solution to fraud is to fight bots, there is no such thing as a fully autonomous fraud robot. Behind every bot attack is a human who profits. Cross-referencing human events across organizations under the ThreatMetrix umbrella using tokenized data allows me to see the full picture, as many fraudsters take advantage of the industry’s unwillingness to share fraud data between other firms – or even between separate fraud teams within the same organization. For the fraudster, this approach serves to obscure their development and testing phases. This fraud advantage is entirely useless against coordinated big data analytics incorporating data from multiple monitored surfaces across a given industry. Sometimes this can be something as simple as spotting accounts entirely free of fraud, but with an odd pattern of swapping SIM cards or logging in from different bulletproof hosts. Other indicators can be fraudsters testing login credentials that they have obtained for a large-scale account takeover attack.

Target in Sight – Preemptive Strike

Once I have identified a particular type of testing or pre-attack activity, I build new and creative rules to harass their production cycle in order to frustrate the fraudster and arrest fraud before an attack can be successful. To understand this approach, I rely on Colonel John Boyd’s tried and true OODA loop model. Fraudsters, no matter their level of complexity, follow a predictable pattern:

  • They “Orient” themselves towards a particular type of target
  • They “Observe” the effect of different schemes on a small scale against many targets
  • They “Decide” on a plan of attack and target victim
  • They “Act” and stage their attack

Finally, they learn from that attack and orient themselves towards the next attack. Traditional fraud prevention approaches are no different, however, they are reactive as they only begin to move in response to fraudsters “acting.” As the speed of fraud increases, the fraudsters are able to “get inside” the OODA loop of the defenders, acting while the defense is still trying to build a response to the last attack. In combat, this causes chaos and defeat. In business, we see net fraud loss growth that can exceed revenue growth, producing a mounting drag on profits.

Lastly, I ensure my strategies target the weakness of fraudsters and leverage the strength of industry and law enforcement. Thieves steal by their very nature, and the most vulnerable victim of a criminal is always another criminal since they cannot go to the police. This produces a massive lack of trust, keeping valuable experience and information siloed across millions of potential criminals.

When fraudsters do attempt to combine their skills, assuming they don’t rob each other before the attack even takes place, they enter a “criminal conspiracy.” Fortunately, this means that they are now higher profile – and we can aggregate the data that shows the collusion. These groups are more valuable to law enforcement, and only motivated by profit.

In conclusion, getting ahead of the crooks to detect early indicators of fraud requires a mix of the following: global visibility into fraud indicators far beyond one organizations’ data; a detailed understanding of how fraudsters develop new schemes; and a creative approach to building out new rulesets that stop them in their tracks. This ultimately means that the fraudsters spend time and effort developing new methods with no payoff! We thereby can put a halt to the increasing rates of fraud- defending the profits of digital businesses and preventing online consumers from falling victim to fraud.

Maximilian Gebhardt

Maximilian Gebhardt

Fraud Data Analyst, ThreatMetrix

close btn