Ted Datta from Moody’s explains how to identify a fraudster, starting with the question, ‘does this make sense?’
How do you spot a fraudster? It’s a question individuals and organisations are constantly wrestling with. If people are buying, selling, applying, and transacting, there will be people trying to cheat organisations and their clients out of money.
It’s harder than ever to identify and avoid scammers and fraudsters. They are well organised, well equipped, well informed, and used to changing tack at speed. New types of fraud can emerge incredibly quickly, presenting prevention teams with a hill to climb when it comes to keeping up.
Today, organisations of all types and sizes must view fraud as inevitable, but the risk and its cost can be minimised. Practical steps can help teams identify fraudsters and potentially save millions in losses.
What is fraud?
Starting with the fundamentals, fraud is any activity which seeks to criminally deceive individuals or organisations for personal or financial gain. One useful way fraud experts break it down is into first, second-, and third-party fraud:
- Third-party fraud, which is in some ways the most straightforward, involves the fraudster impersonating someone the target doesn’t know or who doesn’t exist at all.
- First-party fraud – or ‘friendly fraud’ – is slightly more complicated and tends to involve a malicious actor posing as someone the target individual or entity knows personally, perhaps a relative, colleague, or friend.
- Second-party fraud is somewhere between third-party and first-party fraud. Typically, the fraudster will pose as someone else and walk the victim through their plan to execute the fraudulent activity.
Third-party fraudsters are experts in confounding institutions’ efforts to stop them. They build up carefully organised databases of information before exploiting that to bypass security checks. Criminals carefully enrich their data before targeting victims. Some of this data may come from the dark web. Still, data aggregators and even an organisation’s own systems can supply fraudsters with seemingly harmless data, which, when collected, becomes a potent resource for committing an offence.
So great is the threat of fraudsters acquiring and enriching data that industry experts Greg Richardson and Kyle Caldwell fear criminals are almost “better at KYC than we are”. KYC stands for know your customer (KYC). As such, organisations are now in a constant race to shore up their defences. This means making sure they know their customers better to prevent criminals from being onboarded or entering a third-party network as a supplier.
Along with becoming more organised and professionalised, fraudsters have also grown more patient. It’s rare now to see a ‘smash and grab’ approach in high-level fraud – criminals accessing a digital account and withdrawing all they can get their hands on right away. More often, fraudsters wait for a big opportunity.
In his book The Lazarus Heist, Geoff White explores the story of the notorious North Korean ‘Lazarus’ hacking group who spent months hiding in the systems of Bangladesh Bank. The group was learning how the bank operated and how best to avoid rousing suspicion before stealing just over $100 million. Lazarus is a well- known hacking group, but Richardson and Caldwell stress they simply represent a scaled-up example of how many fraud enterprises operate today.
In addition to all this, there are actors crucial to the fraud industry who aren’t technically doing anything wrong. For example, individuals who create bots with what appear to be legitimate uses – and then sell these bots to fraudsters, knowingly or unknowingly. While not engaged directly in the fraud, these actors can be essential to its execution.
Actions and transactions make up an entire fraud ecosystem, consisting of legal, semi-legal, and outright criminal activities, which can seem overwhelming to dismantle.
What can be done to prevent fraud?
As experts are fond of saying, the only way to prevent 100% of fraud is to stop 100% of operations. The problem for organisations is how best to tackle and manage the risks of fraud to disrupt it.
For seasoned fraud experts, the most important thing is to have a solid basic approach to identifying and preventing fraud. Fundamentally, organisations should always ask: ‘Does this make sense?’ Does it make sense for this person, customer or client to request this much money? Is it realistic for them to be active on their account at this time of day? Any unusual behaviours, be they from individuals or commercial entities, are the first signs of a possible fraud.
Educating people is vital, too, and is the most effective means of preventing third- and second-party fraud. The public, customers, and other entities should be informed as soon as possible about the nature of a known scam and constantly reminded to look out for unusual communications or transaction requests. The more society asks, ‘does this make sense?’ the more resilient it will be to fraud, even cutting-edge fraud.
Committed criminals are masters at flexing and adapting strategies. So, as well as continuing to ask the question – ‘does this make sense?’ – those tasked with preventing fraud can go back to another of the basics with up-to-date KYC processes, data, and analytics. In short, it is important to keep a picture of who they are working with and the risks of working with them.
Entity identification and verification
Government agencies can be tasked with handling a large volume of cases each day. If employees manually check if every transaction makes sense, the department risks becoming bogged down in inefficiencies and mistakes. This fraud detection and investigation is less efficient than a prevention strategy enabled by proactive due diligence and KYC processes.
Some of the telltale signs of fraud can be hard for humans to spot – an IP address known to have been used for previous frauds, for example. Whereas a digital, AI-enabled screening system can find fraud risk alerts, while reducing false positives on name matching, which can, for instance, support departments dealing with benefits and loans.
The solution isn’t to replace humans but to allow them to direct attention where it is most likely to be effective without blocking genuine applications and transactions. Here, organisations can use a single solution to automate complex checks in a streamlined way, aggregating and curating data to support due diligence.
Perpetual KYC
Another approach is to practice ‘Perpetual KYC’ (pKYC). Where traditionally, an organisation might conduct periodic risk reviews to assess an individual or entity for fraud risk, a pKYC approach means profiles are reviewed and updated in near real-time. This may include negative news screening. If a case of fraud is associated with a profile held by the fraud prevention team, this can be flagged quickly, and action can be taken.
GenAI and intelligent screening
Embedding AI capabilities – such as chat interfaces – to interrogate data and understand who sits behind a business or an individual application can help highlight critical insights that could otherwise go undetected. Other AI and machine learning (ML) capabilities can also simplify the process of identifying the ultimate beneficial owner(s) of a business that is bidding to become a new supplier or that is applying for a loan.
These are just some approaches that can assist anti-fraud and anti-financial crime teams in making better, data- driven decisions and answering the crucial question: Have I spotted a fraudster?
Spotting fraud: Does that make sense?
As fraudsters become more organised, patient, and sophisticated, the task of identifying and preventing fraud has become increasingly challenging. However, by asking the simple question, ‘does this make sense?’ and implementing proactive due diligence, robust KYC processes, data analytics, and AI technologies, teams tasked with preventing fraud can keep pace with even the most cunning criminal.
By educating the public and businesses, practising perpetual KYC, and using intelligent screening tools, anti-financial crime teams can help minimise the risk of people falling victim to fraudulent activities and create a solid foundation for tackling evolving threats in the future.
Fraud prevention: Get in touch
Effective fraud prevention starts with knowing your customers and their risk profiles. If you need to know if someone is who they claim to be before approving a loan or grant or onboarding them as a supplier, please get in touch. The Moody’s team would be delighted to hear from you.
![‘Two Merchants Shaking Hands’ (c.1776), engraved by Thomas Bewick. [British Museum Prints & Drawings, no: 1882,0311.3998]](https://www.openaccessgovernment.org/wp-content/uploads/2024/08/handshake-image-100x70.jpg "Human history: A socio-cultural examination of handshaking")
