Has there ever been an easier time to be a professional fraudster? In this episode, Simon is joined by Brittany Allen, Trust and Safety Architect at Sift to discuss the rise of the “fraud influencer” and “fraud-as-a-service”. They discuss fraud rings, task scams, and social engineering, then dive into Brittany’s undercover work on the deep and dark web.
Has there ever been an easier time to be a professional fraudster? In this episode, Simon is joined by Brittany Allen, Trust and Safety Architect at Sift to discuss the rise of the “fraud influencer” and “fraud-as-a-service”. They discuss fraud rings, task scams, and social engineering, then dive into Brittany’s undercover work on the deep and dark web and the impact of AI.
---------
“There's also the side of it that's fraud-as-a-service, where these same criminals have realized, yes, I could keep getting this information, I could keep using it for myself, but also I can build up a business if I'm just the middle man who repackages that information.”
“If they're able to then reach people who aren't comfortable joining fraud channels, who are worried about getting caught or the consequences of fraud…then, why not try to reach them where they are? And that brings us to the fraud influencers.”
---------
Time stamps:
01:19 Fraud rings and social engineering
02:40 Task scams and social engineering
07:13 “Pig butchering” scams
10:52 The rise of fraud influencers and fraud-as-a-service
20:37 Exploring the deep web and dark web
26:33 Recent changes in identity document fraud
34:9 The impact of AI and the increase of deep fakes
38:46 Final thoughts and predictions
---------
Brittany Allen on LinkedIn
Simon Horswell on LinkedIn
Onfido’s Identity Fraud Report
[Subscribe to the Podcast]
On Apple Podcasts
Simon Horswell: [00:00:00] Costing the global economy five trillion dollars every year, fraud is big business. In the digital age, fraudsters are constantly evolving and exploiting new vulnerabilities, and staying ahead and protecting your business can feel like an insurmountable challenge. That's why we founded the Fraud Lab, to deconstruct attacks, mimic behaviours, and share insights with our partners.
In this podcast, I'll be talking with business leaders and policy makers about their experience, the fraud landscape. And what's coming next. I'm your host, Simon Horswell. Welcome Inside the Fraud Lab.
Narrator: Inside the Fraud Lab is brought to you by Onfido. Onfido's real identity platform is trusted by thousands of businesses to stop fraud and know their customers.
Their AI powered identity verification means [00:01:00] businesses can securely and seamlessly onboard customers anytime, anywhere.
Simon Horswell: Welcome to Inside the Fraud Lab. I'm your host Simon Halswell and I'm joined today by trust and safety architect. Brittany Allen. I'm fascinated to talk to you today. So Brittany, if I could just sort of open things up.
I've read a number of articles that you've done. I, I, I'm a big fan of your work, but I was wondering if we could kick things off by talking about fraud rings. So you've done a lot of work about fraud rings and social engineering. So I was hoping you could tell us a bit about that.
Brittany Allen: Yes. So my role at SIFT, because, you know, trust and safety architect, you have to admit that's not a very common title, is one where I use all of my experience as a merchant.
So I worked in trust and safety teams and fraud prevention teams for over a decade at a lot of different e commerce marketplaces. And being able to see what's actually [00:02:00] happening behind the fraud we work to stop has been a really exciting part. of the work that I do now. So looking into your fraud chatter on Telegram and then on marketplaces and forums on the dark web sort of gives that whole picture.
So it's not just stopping, you know, one suspicious use of a credit card, but seeing overall how that activity supports the entire fraud economy. And I read an article recently that talked about a type of fraud that I was familiar with a little bit, but hadn't really worked in one on one as a merchant within my career.
And that was with social engineering scams that are task scams. So I don't know how familiar you are with task scams, but I'd love to dive into that one first. Yeah,
Simon Horswell: please. I've heard the phrase, but I could all, I'm always open to learn more. That's kind of the point of, uh, of this podcast.
Brittany Allen: So, actual, you know, task work has existed for a really long time [00:03:00] online.
I can remember doing some of those, like, MyPoints promotions over a decade ago where you'd click a link and then you'd get a tiny bit of money for as you watched a video or you viewed an ad, and it's similar to that, except, well, this is a scam. So this is somebody who is looking to, like, make a little bit more money online.
They find a listing, they have to either download the app. or set it up on their laptop or PC to then do those little tasks to make a small amount of money, but they're always asked to put some funds in an account first, which we all know is advanced fee fraud. If anybody asks you to pay some money to make some money, whether it's because you won a lottery you never entered.
Yep. Or some other type of scam. It's
Simon Horswell: not going to be the 419 scam from Nigeria with the whole, everyone knows the Nigerian Prince scenario, or you're the last surviving member of the family. Yeah.
Brittany Allen: And in those instances, it's millions of dollars, you know, it's a really big ticket [00:04:00] winning that gets people excited.
But in this case, for the task scams, it's like put in. Put in 20, put in 30, and that'll be enough to get your account activated. People are a little more willing to do it, even though they shouldn't be. So that's one part of the scam. And the article went on to talk about how some people, you know, fell into giving as much as, you know, 50, in a case, thinking they were unlocking more and more earnings they had made.
And that's horrible by itself, but it got me thinking, well, what else could be done? By the fraudsters perpetrating the scam with the information they've got with this victim that they now have kind of at their mercy. So my first thought is the stolen PII, any information that these victims provided in order to sign up for the tax scam.
We would see that when I worked at one of the marketplaces that I worked at in the past where people thought they were working as, [00:05:00] uh, basically as gift wrapping employees. They thought they were receiving items to wrap them and then send them on elsewhere. But what actually happened was all of the information they turned over to get a job was then being used to open new lines of credit in their name to create synthetic identities attached to their PII.
So that's my first thought of something else that can be happening with these scams. Second thought is part of their tasks were to make small purchases to quote unquote test checkout flows. Right. Wouldn't that be a really great way for a fraudster to do distributed card testing from known safe devices?
From maybe IP addresses that have only had safe, good, legitimate activity on it. And all of a sudden they get somebody to only test maybe five cards a day, ten cards a day. That is something that if you've got A lot of people working, quote unquote, under you with this task scam, that could actually be a pretty compelling way to make that card testing activity [00:06:00] look more
Simon Horswell: legitimate.
Spreading it out. Exactly. Spreading it out. Making it look genuine and unsuspecting people that have got no history. It's, it's, yeah.
Brittany Allen: A hundred percent. And then the last thought. is, well, if they're doing this via their phone, they have to download an app. If they're doing it on, like I said, a laptop or a PC, then they may or may not have to download something.
But if you could get them to click a link to otherwise introduce malware onto their device Yes, then you've got another device that you can add to your bot network. But yes, just one example of, you know, there's one part of the fraud, you do know the victim has lost money because they've fallen for that task scam, but you need to also be able to zoom out and take that high level view to see all of the other potential uses of that information and other ways that Your fraud will keep perpetuating, and those are just, you know, three or four examples piling up on that one task scam.
Wow,
Simon Horswell: fascinating. What are some [00:07:00] of the cases that you've seen recently, or one of the, you know, some of the bigger cases, if you can talk about them?
Brittany Allen: So another one that's been really compelling is one where it's, again, kind of following that line of social engineering. Reported on this in the past at SIFT, but the idea of pig butchering scams.
Simon Horswell: It's a wonderful phrase, I've come across it before as
Brittany Allen: well. Such a lovely phrase. Every time I say it, it's not lovely at all. Maybe if
Simon Horswell: you could just explain that as well.
Brittany Allen: Sure. So that is one where the victim is basically led to believe that they are making really great and successful investments. That can either be done because the person, the criminal they're communicating with, is pretending to be a potential love interest.
Trust is when people make money on a dating app, or they pretend to be a financial consultant that happened to get their information for what reason or the other. They establish that level of trust, get people to put money into the fake investing platform, it's usually cryptocurrency, but it can be [00:08:00] a fiat platform, and then show fake returns.
That encourage people to put more and more and more money in and that is sort of the, the way that the name pig birchering came along because you're fattening them up. Yeah. And so in those instances, it's for me, even though that's something that's been happening for years, it's It's still such a relevant topic to talk about right now because I think as fraud prevention professionals we need to be more focused on how the fraudsters are establishing such trust with their victims that they would be willing to hand over large amounts of money.
Uh, there was one recent case where a particular crypto exchange had to ask the victim to hold up a piece of paper that said, I've been warned that this is likely a scam and I'm unlikely to recover my funds if I proceed with this transaction because they wanted the victim to just understand that [00:09:00] there was no legitimacy to this.
And she still sent, I believe, around 90, 000. For a crypto investment and of course lost all of it, but it's because the victim was a older woman who I guess was a bit lonely and the fraudster was more than happy to talk on the phone for hours, listen to stories about her grandchildren, talk about ways she could spend the money and go on vacation and sort of fill that needed void in her life.
And that's really tough for, you know, a merchant or a bank or a crypto company to get into those conversations and establish an equal level of trust. When we haven't been having, you know, the chance to build up that rapport the same way that the fraudster has. So, those keep happening. I'm sure we'll hear about more of those in the news, but I really like working with companies where we can try to take a step back and see, How we can try to cut off that communication if possible, but also maybe how we can build up more trust and [00:10:00] rapport with our user community to try to make it, you know, just more possible to get through to people and let them know that they're victims of a scam.
Simon Horswell: Yeah, I mean, the thing is with a lot of the, certainly the romance scams, you do find that the victims, they just fail to, Believe, they, they won't believe that what they've experienced because of the feelings they have, they won't believe that it's untrue. They won't, you know, understand that it's a scam, even when you present them with evidence, but it's, it's, as you say, it's trying to get to them early to make sure that these things don't happen in the first place.
It's very, very difficult. One of the other things that I read from one of your articles, again, was this idea of the fraud influencer. Now, given all the interaction everyone has nowadays with social media, the weight that people put on it with influences, guiding them to buy different items here and there.
I thought this was a particularly good one to bring up. It's, [00:11:00] again, just the way you've described the whole kind of scenario, I think fraud as a service was Something else that you mentioned. Could you unpack that a little bit for us? Yeah.
Brittany Allen: So let's, let's define both of those up top. We'll start with, with fraud as a service.
So it has been, you know, sort of historically when you picture a fraudster online, the stereotype of they're stealing your credit card info and then they're going to use it to purchase something. Or they're breaking into your Facebook account or your other social media account. There's some, you know, sort of direct connection there.
And then they're going to use whatever they steal from you. To, you know, get financial gains. But! There's also the side of it that's fraud as a service where these same criminals have realized, yes, I could keep getting this information, I could keep using it for myself, but also I can build up a business if I'm just the middleman who repackages that information, maybe provides methods or provides guides on, you know, let's say platforms like Telegram within those fraud channels, and actually [00:12:00] then builds a business providing the service of committing fraud.
And that then opens up their customer base where if you think about the internet, you know, sort of from, from light to dark, let's say, or at least difficulty of accessing it, you've got surface web, deep web, and dark web. If they're able to then reach people who aren't comfortable Joining fraud channels, you are worried about getting caught or the consequences of fraud and certainly aren't comfortable figuring out how to download the TOR browser and find onion links and access dark web marketplaces and get a cryptocurrency wallet so they can put money on file, all of those things, then why not try to reach them where they are right.
And that brings us to the fraud influencers. So, coming out of mostly communicating on dark web forums, or even just being comfortable in secure messaging apps and, you know, encrypted chats like via WhatsApp and Discord and Telegram, moving into the surface web and [00:13:00] posting a TikTok. Yeah. We've seen not just, you know, the how to get something for free or even how to commit refund fraud, but we've seen fraudsters ranking the five best dark web marketplaces where you can buy stolen credit cards and why they think Brian's Club is better than BNOM and throwing out all of those names.
But then. You know, knowing that their audience maybe isn't as sophisticated to get to that, forwarding them along to this site where they sell their own services, where they can sell you credit cards they've already checked and provide a guarantee and show you all of the reviews they've gotten from their customers, or sell you an OTP bot.
So a one time password bot where you can effectively get people's, let's say, uh, SMS codes and log into bank accounts. You do everything. that you could do with that bot, but not have to build it yourself, not have to maintain it yourself. And so it's just really a way for them to open up to more customers.
[00:14:00] And of course, then they have to sort of play the game of, well, how do I make sure I don't get kicked off these platforms? What do I do? How can I stay just enough under the radar, but still be able to get attention?
Simon Horswell: Well I think that's the thing. They don't want to stay in one place. for too long so there is a lot of movement and I think that was one of the things that appealed to me is we've started to see the same well no no not in that respect but about these terms is we've been seeing the same kind of thing certainly I think one of the things that shocked me with Document fraud was the fact that you don't only have websites that are selling fake IDs as, you know, novelty items, or souvenirs, or works of art, or just for fun, but are clearly fake documents.
It's the fact that there are so many of them on the surface web, that you have websites now that are consumer reviews of who sells the best fake document. And they show you videos of Bending the document, trying it under different light [00:15:00] sources to show how effective it is. So the idea, I mean, we, we'd come across this as well, the, the selling of methodologies, which is, you know, the, the thing you're talking about, it's, it's definitely a scary prospect.
The fact that now people have realized, but it's not that far a leap. When you see, if you watch YouTube long enough, then sure enough you'll get an advert that comes up and says, why don't you monetize what you know? You could set up this training course. And unfortunately the wrong people have seen this and now we've got this fraud as a service where people are selling their methodologies.
Yeah,
Brittany Allen: but let's, let's talk about that, that path because you were talking about, you know, document fraud. So let's say we're not comfortable with that yet. We're just completely, you know, on the up and up and we are looking at social media and we see somebody talking about getting free food or heavily discounted food.
Or
Simon Horswell: free movies, that's another one. So the latest movie without having to subscribe to this channel or the other, there's loads of those
Brittany Allen: around. Yeah, we could absolutely get started on how [00:16:00] people don't see actually, you know, using a digital good. or service as the same sort of level of theft as a physical good.
So if we go back to that idea of food delivery or something like a movie, it's lower value, it doesn't cost too much, and you know, in the case of food, it can fulfill a basic need. And so then people are able to sort of unravel any guilt. around that fraud. Oh, it's only 20 bucks. Oh, I'm only hurting a very large corporation that doesn't need that 20 bucks anyway, and it's food.
My family needs food, so I can easily start to justify this. But once they're then invited in, they move, let's say, from a link on Instagram to a telegram channel, then they're going to be seeing so many other options and opportunities to learn more about fraud and to do more. And you might then get into the fake document side.
You might realize that it's possible to, you know, sign up for a car sharing [00:17:00] service. Without having to provide your real ID and maybe that REALI or that that ID you get isn't super high quality. Maybe you also need to pass a selfie test and they realize there's tools that allow you to do that with Deep fix.
There's tools that allow you to do that with people who are willing to do the verification for you because they look similar to the ID or that is actually their face on that fake id. Right. There's just so much more there and it seems like. I'm making a large leap but it's
Simon Horswell: step by step though it's increment by increment it's if you've gone this far why don't you just go a little bit further
Brittany Allen: and the information is so easy to access
Simon Horswell: and with someone selling a package like that as well and then I think this is one of the things you talked about in one of your articles this whole idea that I think this is the fraud influencer angle that they kind of promote the lifestyle they're able to lead.
As a result of the money they're making and how easy it is, and that can be really tempting as well. That's quite seductive. It
Brittany Allen: can. There's a lot of flash to [00:18:00] that. I've seen one where there was a minor, so someone in the U. S. under 15 can't even get a learner's permit to drive, bragging about getting a car sharing ride to school every day, but he was doing so with stolen credit cards.
So first of all, the minor doesn't need to be, you know, by himself. in an Uber or Lyft or whatever he was using, but he is, and he's doing it with stolen credit cards, and he already knows how to do that at that age. So that was just like one example. It's,
Simon Horswell: if you start at that at 15, if that's where your entrepreneurship kicks off.
There's, you know, there's a few places that's going to lead to it.
Brittany Allen: Right, but imagine how he could share that with his friends, he could share that with other people who would be excited and want something similar to that. He was also showing off the shoes that he got saying that these were legit. Can see it spiraling out from there.
We've also seen, uh, in some cases though, that does help us learn more about the fraudsters and [00:19:00] where they are. There's one particular one I'm thinking of that loves to show off his cars and do street racing, which gives us a view of the city that he lives in. Of course. So can learn a little bit more in some of those
Simon Horswell: cases.
Because, of course, otherwise the location is going to be blocked, so VPN, masking the IP address, but then those little bits of intel are quite valuable. We found the same thing when we've been looking at, um, biometric fraud, picking up little tidbits from the background, so you're trying to place what country a particular fraud ring is operating in, and then you just happen to catch a little sign out the window, or you see an advert that's just You know, sitting in the background and it gives you a bit more of an insight as to where they're likely to be based instead.
Brittany Allen: You're like those people that do the Google map activity where they're extremely zoomed in on one intersection and they end up realizing that they're in like, you know, they're in, they're in Belgrade or they're in [00:20:00] Boise, they're somewhere and they figure it out just from viewing
Simon Horswell: it. That's cool. Just by constantly sort of scanning around.
Yeah. I mean, we're not, we're not quite. That precise? I'm not going to say that we are, but certainly we can get a ballpark figure, right? We can get the, we can get the, the, the country at least. Oh, nice. So, part of what you do, you mentioned earlier that you go into the, the deep web and the dark web. What can you tell us about that?
Because I'd imagine most people haven't done that. They may not even know what the difference is between the two. And I'd be fascinated to hear what your experiences have been like on there.
Brittany Allen: So you're right that the terms deep web and dark web can be interchangeable in some instances, or people will use them interchangeably.
But when I say deep web, I mean something that requires a password or requires information to access and isn't able to be surfaced on a search engine like Google. So think about your own personal Gmail. Emails. You can't go into Google and pull those up because you need to be logged [00:21:00] in and you need to be in that specific view.
I mentioned the app Telegram the most because it's just one that's favored by fraudsters because it's very privacy focused. And we've had a lot of success tracking fraudsters there. But when you get to the dark web, that's where you need an actual tool or a piece of software to be able to view the sites there and Tor is the most heavily referenced.
So there is a divide between those two, but going on to those sites, besides just getting an insider look at fraud and seeing what's for sale and what's available, I also have been really appreciative of learning the lingo and just seeing, you know, how they talk about Certain things versus how we talk about it in an industry.
So they will say a hacked account, or they'll talk about selling logs, where we would say an account takeover, an ATO'd account, and we would talk about, you know, credentials. So username and password, but they call those logs. So just being able to [00:22:00] tie together all of those terms has also been really useful to sort of decode more of How they approach, you know, what they've got and what they're able to sell.
But it's also a, it's also a situation where you have to be careful. Because even though an app like Telegram is very privacy focused, they also, you know, say, we don't guarantee that every link Posted in these channels has been vetted. We certainly don't check them all for malware. So you have to be careful about what device you're using it on.
And as somebody who works for a fraud prevention company, I do not want to be the person who compromises the work computer. Yeah. Yeah. I don't need that happening to me. So
Simon Horswell: I, I think a lot of people may overlook that fact that fraudsters don't really care who they defraud. And if it's other fraudsters, so, you know, So much the better.
It doesn't really make any difference because there's no loyalty in this case amongst thieves.
Brittany Allen: Yeah, and they would call those fraudsters Rippers. So Rippers are fraudsters who [00:23:00] defraud fraudsters. Right. Which, whenever I see them complain, I kind of smirk a little bit too. Yes. That's just, you know, kind of fun to see a fraudster lose the money.
But regardless, now that I see how it feels, it's still something where they try to avoid that by building up that reputation, by getting reviews, by having vouchers. Now vouch channels are also really helpful for us to monitor because it's one thing to list some stolen credentials for sale, but think about it like a marketplace, like eBay, just because it's for sale at this price, doesn't mean that it's going to actually sell at that price.
Yeah. Be used by anybody or be useful and be as described. But when we see vouchers come through where people say, you know, thank you so much for sending me to this basketball game or this flight that you just purchased or the food that I just got, then we're able to start closing the loop and honing our focus on the fraudsters that actually do seem to be providing information and methods that are useful to their customers [00:24:00] instead of the ones that are just, you know, maybe taking screenshots and To actually have something for sale and committing merchant fraud against other fraudsters.
Simon Horswell: Yeah, so it's kind of like a trust a tradesman. Uh, like a trust a trader type thing, but just for foodsters. So it's not this, this, this guy's food is good. You can trust it. Right.
Brittany Allen: Although we don't put any funds into, you know, any of these sites, we don't pay for any information. That's just something that.
We don't want to continue, you know, building up the fraud economy, we don't want to draw particular interest to certain companies that we might be researching.
Simon Horswell: So effectively, I mean, it's, it's kind of a bit like you're, you're an undercover cop essentially, but on the internet.
Brittany Allen: Right, but not with any sort of ability to follow up or the actual enforcement side.
And so we do really enjoy opportunities to speak to law enforcement and to be able to pass along the information that we find. So within SIFT, my [00:25:00] role is really focused on helping any company that we're speaking to, one of our customers, et cetera, learn more about how their brand is being discussed and what the threats are and show them those tangible examples.
You know, having worked as a merchant, I've definitely had situations where management or, you know, sea level of a company. just didn't believe fraud was really a threat because they couldn't see it. It was so easy to say, yeah, your team stops X amount of orders a week, but how many of those are false positives?
How many of those are just you turning away good customers and what is actually fraud? And so being able to see that chatter and that activity helps make it real for those individuals. But we have to know that, again, in my role, I'm not the victim. I'm not the company being taken advantage of. I'm not the person, hopefully, whose credit card is being used.
But if we can pass that information along to agencies that [00:26:00] can actually investigate on behalf of the victims, then that's something that, you know, I always, I always try to do. Now, you said that you have, you know, done some research on the document side.
Simon Horswell: Well, on the identity
Brittany Allen: side. Identity side. I'm really curious when it comes to like a compelling fake ID or other document, have you seen any recent changes?
Simon Horswell: I think one of the biggest changes that we've seen over the last year, and we've documented this in our fraud report, is the fact that people have now really kind of made a bit more of a shift towards just the digital manipulation of documents. So we would see And I'd still say the bulk of what we see is people digitally manipulating an image of a document but then printing it out so they have what we would describe as a physical counterfeit.
So the minute they've made it physical, because it's come from completely remote, completely raw materials, we would call that a [00:27:00] counterfeit, a physical counterfeit. But the image that they've manipulated, we would describe, or at least at Onfido, we would describe this as a digital forgery. And we're now seeing more fraudsters kind of skipping the phase of going to physical counterfeit and just trying to submit the digitally manipulated image.
Now the reason why this is interesting is because previously, by getting people to adopt our SDK, our software development kit, you can stop uploaded images. But we've seen this kind of new accessibility to tooling, so that fraudsters are starting to inject those altered image files. And that, to me, is the interesting part that's changed over the last year.
So I think it's an accessibility to tools, and again, this idea of selling methodology. So someone's writing down in the methodology, and once you've done this to the image, then this is how you submit it. That's the interesting thing that's changed.
Brittany Allen: Yeah, and just How difficult our work is within [00:28:00] fraud prevention to know that just because a document is, let's say, manipulated, maybe it doesn't necessarily mean that this person is a fraudster, is committing fraud.
I remember at one of my past roles, we had people who had to submit their driver's license to verify their account, but simply didn't want us to see their address. To see information about them, and these are legitimate people, and they would photoshop and scribble out or otherwise alter parts of their ID.
Which then came across as looking manipulated or, you know, having had something done to it, but it was just a real person who didn't quite trust us enough yet, but needed to use our product and therefore was willing to give some, some level of their ID
Simon Horswell: over. Some level of censorship on their private details.
Brittany Allen: And you don't want to start labeling those as fraud because then you aren't learning. But they're
Simon Horswell: not, they're not malicious if they're obscuring or redacting data. But I actually, we do see this from time to time [00:29:00] eject those because the purpose of the document is to identify that person and give them some credentials to start with before you attach it to their biometrics.
But we've seen a couple of cases where people would redact their own photo. Which I, what I found particular, I couldn't make the logical leap because it's like, oh, so you don't want us to see the photo on your document, but then you're submitting the biometrics. Yeah,
Brittany Allen: no, I mean, yeah,
Simon Horswell: how does that work?
Brittany Allen: It's, it's that I can't answer. No,
Simon Horswell: I don't want them to know my face. It's like, okay, now turn your head to the side. Maybe it
Brittany Allen: was a really bad ID photo.
Simon Horswell: Maybe it was, maybe it was. I think I've, I've seen that happen before as well, where someone has submitted a document, but they, pasted a younger photo on top.
Oh my gosh. Okay. And you can, and again, you can tell cause in the biometrics. They look themselves as they are now, and in the photo that they've stuck on top of the document, it's a much nicer, younger photo of the same person.
Brittany Allen: The links that we'll, that we'll [00:30:00] go to for a little bit of vanity, you know, as a merchant or as a company, you're completely right.
We're all right. You can't label that as fraud. You can just, you know, move it towards sort of a customer service approach of speaking to that individual and trying to get them on the right path, but it can muddy and cloud signals. between what is the activity of a legitimate account holder and what is the activity of a fraudster maybe trying to take over an account or trying to create a new account with a fake id there's just so much of a grey area?
Simon Horswell: Yeah, it's, it's, it's a real spectrum. And you know, I speak to some people and they're like, well, if, if someone submits a copy of a document or uploads a photo of a document, then, you know, there's no harm in that. It's like, well, there kind of is. If the purpose is to identify that that person currently owns that document.
And then they submit a photo that was taken three years ago of that document because you look at the file string and it's like, that's not [00:31:00] when it was captured, then you can't accept it. So whether you consider it fraud or not, it's kind of irrelevant. The bottom line is you have to reject it. You can't take it for what it is because it doesn't have everything authenticated properly.
Brittany Allen: Yeah, and you have to stay under toes. There's one example I remember with a very high value purchase. From when I was a merchant where the person who was doing ID verification, the customer, submitted an expired driver's license. And you would say, okay, well, of course we're going to reject that. Maybe they picked this up from the DMV, somebody lost their wallet, who knows, but this is not a valid ID anymore.
And they then said, Oh, I'm so sorry. You're right. Oh, I had it replaced. It slipped my mind. And then they gave us. A current ID, as their second form of verification, had two different photos, looked different enough, you know, that there's a slightly different hairstyle, there could have been time that passed between both, and it ended up [00:32:00] being a fraudulent purchase.
Completely stolen credit card, we got full confirmation that all of that activity was fraudulent, but we think that, to go back to that first point, When we first started talking about social engineering, they thought maybe if I act like a normal customer who makes a simple mistake and then submits a second ID, because I had both of those, because the photos, you know, were both convincing but different enough, they'll think I am a real person.
I'm a legitimate customer. Please let me buy this 50, 000
Simon Horswell: Rolex watch. And it'll be a bit of a clumsy one at that.
Brittany Allen: Yeah, but you have to admit that could be a strategy that has worked for them and that's why they were, they were implementing it on me.
Simon Horswell: Entirely. Or it could have been, no, I mean, it's another thing that comes to my mind is this, um, we, we've seen fraudulently obtained documents.
So fraudulently obtained genuine. And that one's [00:33:00] much, much harder to spot.
Brittany Allen: Back to those task scams. Maybe in order to start doing that task work for the fraudulent employer, you have to submit your ID and they make you also submit a selfie. Because perhaps they have you check your face with the app to, you know, ensure that it's actually you doing the tasks and that's why they tell you they're doing it.
But they're just turning around and using that biometric information and that ID to sign up some more apps. To do some other fraud,
Simon Horswell: what are the things that you've seen change significantly over sort of the last year or so?
Brittany Allen: Well, I think the elephant in the room for us to point out is probably AI. Yeah, we've seen generative AI be discussed.
We've seen multiple tools. come out. There's sort of legitimate ones that you can use, like ChatGPT, where if you ask them to write malicious code to test email addresses and passwords against a website's login, they would say, absolutely not. That's fraud. I [00:34:00] can't do that. Good day, sir. Yeah. But then there are the versions that exist, like WormGPT, where you'll type in that exact same request and be given code.
That's real code. Whether or not it'll actually work, whether or not it's sophisticated enough to test those credentials, and you've got the other setup, is another question to ask. But you could at least get started and at least start working forward when you're looking to commit fraud by using those tools.
So it has helped people write more convincing phishing emails, you know, actually proving spelling and grammar. And it's helped Spinning up mass amounts of online profiles, like Write Me Dating profiles, 10 different versions, 20 different versions of this particular bio. This
Simon Horswell: is the main thing I've seen is the scaling that it allows people to do over such a short period of time.
That's the real scary part of it.
Brittany Allen: Yeah, and that is absolutely taken off. The only sort of hesitancy that I've seen fraudsters have are, is [00:35:00] when their current method works well enough that they're not yet looking to adapt the more advanced technology available via AI. So an example of that Could be deep fakes or faking a voice.
If you as a consumer are comfortable with your bank texting you or giving you an automated call, that's a robot voice that you would talk to. Mm, why bother making a deep fake voice that can speak your native language or you know, has the appropriate accent and try to trick you that way? When you're just perfectly fine getting the robo call, and so we've seen them communicate there and saying, yeah, I don't really need to deal with that.
I don't need those tools as much. What I'm doing right now works just fine. But of course, those tools that I mentioned are being used to go after higher value targets. Like, you know, be a business email compromise, going after the large funds that a corporation would have on file. That's a different
Simon Horswell: topic.
Yeah, well, I mean, we've, [00:36:00] we've seen a 3, 000 percent increase in the usage of deepfakes. So the number of attempts that involve deep in account setting up fake accounts. 3, 000 percent increase on last year. So yeah,
Brittany Allen: in that case, it could be pretty useful if all you needed to do was try to get through one selfie, but using it in those, you know, other contexts where a text still works, where it's not necessary to show your face, they haven't really moved in to meeting that as a requirement.
That's fascinating for a 3, 000% Increased.
Simon Horswell: Yeah, it was triple figures last year, like over the whole of last year, it was triple figures and already by October this year, we were seeing sort of tens of thousands. So it's, it's huge,
Brittany Allen: huge increase. I was really lucky to be able to talk to somebody a few weeks ago who actually is working on building tools to identify if text is AI generated or not.
And now
Simon Horswell: that's, that's the interesting one.
Brittany Allen: Yeah, and then be able to spin [00:37:00] it back. So, sure, you can use a deepfake to try to get through this identity verification, but if we can tell that it's a deepfake with certainty, no matter what you do, we're not going to prove it. And the same with that generative text.
This is a review on a website, and we can tell that it's AI generated, so whether it's five star or no stars, we're not going to let it up on the platform. Yeah. Although the person that I spoke to said that. One unfortunate side effect is he has found that students have been uploading essays to his platform to make changes to AI generated text until it gives the thumbs up that it's not AI generated, until the score goes down low enough.
So, you know, that's an unintended use of his
Simon Horswell: product. Well, I think that's the thing with, with any of these tools, there's always an unintended use. That's the whole the whole issue that we're talking about really, isn't it? And, you know, this whole idea of experimentation is if you're, if you're doing research, you need to have these kind [00:38:00] of tools and facilities available.
But unfortunately, other people will want to do research with different objectives. And that's really what we're seeing, I think. Before you go, I'm going to see if you, how far you put your neck out. Given what you've seen over the last years and the recent changes that we've seen, what do you think? Is going to be coming over the next year or so, or the next five years even.
Brittany Allen: So we'll obviously see a continuation of social engineering scams. They're not going away. I know that's been sort of the top topic that I've been talking about today. But it's just a constant issue and we'll also see A continued push into policy abuse, whether that's refund fraud or otherwise taking advantage of a company's policies and then, you know, being able to use those for financial gain.
And that kind of work isn't going to stop anytime soon, but also keep an eye on big events. [00:39:00] And, uh, I think one of the biggest ones for us to focus on next year here in the U. S. will be the election in 2024. So it's an election year. Are we going to see a huge increase in misinformation? Probably. But what will it look like?
How will it be delivered? How will it be generated? Will it be using all of these AI tools we've just been speaking about that have become more prevalent over the past year or more? And this would be that first election that will have More of these tools to unfortunately support that miss and disinformation.
That's another big focus to look at and to maybe circle back and regroup at the end of next year to see how that went through. But those are very top of mind for maybe some of those. TACs that will keep me up at night for 2024.
Simon Horswell: Wonderful. Brittany, thank you so much for your time today. It's been a great conversation.
Thank you so much. And I hope you will come back and join us again in the
Brittany Allen: future. [00:40:00] Absolutely. All right. Thank you, Simon.
Simon Horswell: Thank you for joining us on this journey inside the Fraud Lab. If you'd like more insights into ATT& CK patterns and trends as we see them at Onfido, head to onfido. com or click the link in the show notes to access our annual Identity Fraud Report.
It's full of proprietary research into how fraudsters are attacking identity verification and how the world of prevention is changing. It's full of insights. For example, financial services has seen a 23 percent increase in fraud versus last year and 46 percent of document fraud targets national ID cards.
If you'd like to learn more, get your free copy by clicking the link in the show notes. Goodbye for now and I hope you join us again next time.