Online fraud - the game has changed

It is a widely used analogy that stopping fraud is a game of whack-a-mole - stop it in one place and it will pop up in another - and I believe that is still true, but the fundamentals of the game have recently undergone a significant change. The moles are now on steroids and as fraud fighters (no TM:) we have one hand tied behind our back!

So let’s have a look at some of the key factors changing the game, as always, this is a community and we are better together. So what do you think is changing the game? Here are my top 3:

1. Proliferation of tools and techniques available to fraudsters.

Once the purview of dark web lurkers only, with the explosion of messaging platforms and, unavoidable buzzword alert, Generative AI in the form of malicious LLMs, all the tools and techniques a fraudster needs are readily available and low cost. And with a kind of wannabe celebrity amongst these groups, fraudsters regularly boast and share about their ill-gotten riches and how they made them. This inevitably helps to recruit more people to similar nefarious activities.

Chat GPT soon got locked down - although there was an amusing interim stage where you only had to add “for research purposes” to the prompt to circumvent the moderation filters - but actually that just spurred the growth of dedicated platforms such as WormGPT, FraudGPT and EvilGPT.

Note, at the time of writing, I could access WormGPT on a standard web-browser and it is free to use! FraudGPT and EvilGPT still seem to be accessible only via dark web and are a paid subscription, but as we are alluding to already, these things change pretty quickly so I wouldn't be surprised to see these or new services be offered free.

And if I don't want to go to the extent of writing my own malicious code, I can just check out the forums and messaging apps. How-to guides, especially for eCommerce refunds, are readily available on Telegram, Tik Tok, Reddit and other forums, despite the platforms (sometimes limited) effort to identify and remove this malicious content. So often the perpetrators don’t think it is ‘real fraud’ and in the cost of living crisis are just exploiting loopholes - unaware that most online retailers are running on such thin margins, a spate of lost goods or fraudulent returns can put them out of business.

Of course, there is also the ever-increasing element of organised crime, with gangs recruiting unsuspecting individuals into scam farms and then forcing them to commit fraud with threats of violence. This approach continues to present two unique challenges. First, the target is the individual, not a technology so it is harder to identify and prevent. Secondly, alongside the enforced motivation, these scam farms have scale and time to carry out protracted attacks in which the scammer becomes trusted by the victim, often more than the fraud platform or bank trying to protect them.

Worryingly, the speed of iteration has never been faster. These widely available fraud-on-demand tools make it easy to test and learn. If the attack vector fails, tweak the process, the message or the channel. Attack a different part of the customer journey. Succeed and share it back to the community for your 'kudos'.

The most effective way we can combat the agility of the fraudster is to build the same agility into the solutions we deploy. For example, the ability to add additional monitoring points in the customer journey with minimal additional engineering lift - e.g. so a Remote Access Tool (RAT) can be detected at any new point in the journey, not just log in or payment or a new attack on password reset can quickly be protected by just adding the URL to your fraud tool.

That is one of our key product innovations at Darwinium, and why we leverage the CDN where possible - to remove the need for engineering lift and allow you to react as quickly as the fraudster.

2. What worked before for fraud prevention, doesn’t work anymore.

Just as the tools being used to commit fraud have changed, the tools used to combat fraud need to be updated too. Let's first think about how online behaviour and technology has changed and the impact that has.

(a) Device Proliferation: We all have multiple devices across various platforms and each device has its own unique identifier. When a device is updated or replaced it gets a new identifier, erasing any history about the good or bad nature of that device. Couple that with the fact that more and more browsers are not sharing device ID due to enhanced privacy concerns and it becomes very clear why it is challenging to maintain a cohesive and accurate user profile. Fraudsters know this and have become increasingly sophisticated in spoofing or manipulating device IDs. They can use software tools or techniques to change or mask the device ID, making it difficult to rely on this information alone for accurate identification.

(b) IP and Network: Hands up anyone who has watched sport or their favourite drama series whilst on holiday abroad? You probably had to get a VPN to do it. You then never uninstalled that VPN, it proliferated across your devices and now every connection is through a VPN. Browsers auto-update, private browsing is commonly used and mobile traffic frequently shares IP addresses. A lot of the traditional and easy sources of uniqueness have been obfuscated or marginalised.

We need to look deeper into the data that is still left behind - and we will in the next post.

But in the meantime, if a fraudster can easily spoof a device and the natural advancement of technology means we leave less ‘breadcrumbs’ about who we are, what is left that is much harder to spoof and is a reliable and persistent indicator of who we are? Our behaviour.

And that’s what we believe at Darwinium is the next frontier in online security and fraud prevention. Not in isolation of course, but when coupled with all of the more traditional fraud signals, it is our behaviour that gives a repeatable and reliable indicator of whether it is truly us or an imitator, whether we are behaving normally or under duress or coercion, and indeed if we are just not human at all...

Is there a mouse arc between those clicks, is it possible for a user to actually move that fast through the site or app. What are the swipes, keystrokes and navigation like? Is this how the user normally navigates and behaves on the application? How do I enter my username and password, what is my dwell time on the account page?

We are creatures of habit, but with inevitable variation. If the behaviour is repeated with zero deviation (think across accounts for multiple account creation) or repeated within a suspiciously close tolerance (think the same user logging in to multiple accounts) then these are not normal behaviours.

That intelligence, combined with more traditional data types will route out the most sophisticated of bots, and persistent click farms and also go a long way in helping you understand if your customer is being coerced and you need to step in.

3. Privacy and Security Regulations.

There's no disputing it, we need a strong regulatory landscape otherwise we could end up with even more chaos. While it’s good governance to give reasons for why we are capturing data, how we process it, where we send it and what we capture (all good intel for the fraudster by the way), our adversaries have no such obligation to the people and companies they are ripping off, impersonating or defrauding. Strict data localisation laws that we see springing up more and more frequently (is it intended to boost domestic technology spend?) make it harder to share security and fraud prevention data across borders when the fraudster is borderless. And of course, anyone can ask for their data to be deleted.

It is a difficult challenge, but there are highly advanced one-way modern encryption techniques and even the potential to anonymise all data before leaving the client’s environment (check out our content delivery network-based deployments) that could make cross border sharing of fraud prevention data highly secure. There is some good progress from the UK banks sharing data to mitigate against APP fraud and support the scam reimbursement regulation. The Nordics are strong with their Digital ID, but that tends to be supported only domestically currently. Green shoots for sure and I think this will be a massive area of future innovation. Sweden style chips under our skin and readers on all digital devices anyone?

Still, the greatest thing we can do is work together, share knowledge, trends, new technologies and approaches. Try things and let your colleagues know what has worked, failed or just outright interested you. Show more commitment to the community and progression that our counterparts on the ‘other side’ do and we will continue to keep up, if not start to win the battle.