What happens when the post office is in on the con? In part one of our conversation with Bruno Ferinalli from ClearSale, he shares incredible stories of inside fraud jobs at the post office, explains how companies can protect their sensitive data against attack and prevent account takeovers, and more.
Bradley Chalupski: Hey everyone. This is Bradley Chalupski, co-founder and editor-in-chief at MerchantFraudJournal.com. And this week, we have part one of a conversation that I had with Bruno Farinelli. He’s the head of fraud analysis and data science teams at ClearSale. And he’s going to be talking to us about some incredible stories including inside jobs at the post office, how companies can protect their internal data from fraudsters, and a whole lot more. I really appreciated, Bruno, coming out and talking to us on the podcast. I hope everyone else enjoys it as well. And remember, you can get all the latest merchant fraud tips and tricks at MerchantFraudJournal.com. Enjoy everyone.
Bradley Chalupski: Bruno, thanks for being on the podcast.
Bruno Farinelli: Thanks for the invitation, Bradley. I love having the chance of discussing fraud with listeners. And I think this is a subject we could spend days talking about. But I’ll let it settle for some minutes.
Bradley Chalupski: So, let’s get all the good stuff out of the way. Tell everyone who you are, who you represent. And then we’ll dive right in.
Bruno Farinelli: My name is Bruno Farinelli. I am a Brazilian. I lived in the United States for five years. I’ve been working with ClearSale for almost 10 years already. And right now my position is that I am leading the fraud analysis and the data science teams – so, all the things that are handling fraud at ClearSale, which is an amazing challenge. The beginning of my career was in Brazil. And I have to say that our fraudsters are pretty impressive even though we were always fighting those guys. And after five years, I had a chance to lead the international fraud teams for ClearSale, which has also been a huge challenge.
Bradley Chalupski: So, we’re definitely going to get into Brazil, without a doubt, by the end of the podcast. But let’s jump right in and tell me what your craziest instances of fraud are.
Bruno Farinelli: Well, I think one of the craziest that I recently heard is actually a client of ours. Imagine the following situation: You have a fraudster and the fraudster has access to your credit card. But besides that, he’s also going to make a purchase online using your name, your billing address, your shipping address, the phone number is going to be your phone number, the email is going to be your email. So, he’s going to basically use everything that you have to, let’s assumed, buy a television. And then he goes there and buys television. And what’s gonna happen? In the past, some fraudsters were able to connect with someone that was compromised at a career, and they would be able to redirect the shipping. But in this case, I think the guy was bolder if I can say that. The move he made is very simple. Let’s assume he used your credit card, Bradley. In the end, with this behavior, the television would be arriving to your house, and you would be there without knowing what to do. The next move from the fraudster would be to go to your house using a code from this client, from this e-commerce. And he would say, “Hey, Mr. Bradley, did we deliver a television here by any chance? I think you received something that was not for you.” And then what he would do in that moment is that he would simply be delivering something that was purchased with your credit card to the fraudster that made the purchase.
Bradley Chalupski: I have two questions about this. This is definitely a new one. Definitely super interesting. We’ve had fraudsters at the door before, not in this specific context. But I always have two questions about this: One is if you ever heard about there being a confrontation, if there was ever somebody who realized that something wasn’t quite right and tried to confront anyone about it and if there was a physical altercation; and then the other one that I’m always really curious about is what is the group that is doing this? Because this is obviously a more highly sophisticated operation. And what that looks like on the back end when you really dig in and try to figure out how to prevent this, what you’re finding as you go down the rabbit hole.
Bruno Farinelli: Actually, Brad, the second time we heard of this case happening, it was from a customer that refused to deliver the product, and he did say that he would be calling for the police. And in the end, the fraudster simply went away and there was an altercation.
Bradley Chalupski: How did that person know?
Bruno Farinelli: It’s very simple. Nowadays we have alerts to our phones. He received an SMS saying that a purchase happened that he wasn’t aware. And then on the day later, a television arrives on his house. So, he knew what’s happening there.
Bradley Chalupski: And the fraudster just walked away.
Bruno Farinelli: Exactly. They know that anything worse — It’s one thing to commit cyber fraud, it’s another thing to try and trespass and evade or even go into violence. The crimes are different. And in regards to who’s doing that, there could be some fraud rings, I bet. But in reality, it isn’t hard for you to find clothing for a famous brand if you search well on the internet. So, for you to pretend to be an employee of a huge chain or even of a courier, it’s not that hard.
Bradley Chalupski: Are you seeing these types of cases come about organically or is this more of an outlier? I’m wondering because as the industry gets better at catching some of this type of fraud if you’re seeing an uptick in the number of fraudsters that are creating or going for this kind of hybrid model that’s both online and in real life, or if this is still remaining something that you see in kind of a rare instance.
Bruno Farinelli: We saw two instances. And in both of those instances, it was obviously the action of a fraud ring because we saw several cases in the same region. This was one of the things that allowed us to detect and prevent. And that’s how it works. Once you are able to successfully decline the right orders. The fraudsters are going to try somewhere else.
Bradley Chalupski: So, what kind of advice would you have for the companies? Because this is their brand name that’s on the line. And we’ve discussed this a lot in the industry. The reality is when your brand is co-opted by a fraudster and you end up in a situation like this where you have somebody show up at your door, that does make an impression on people – not everybody perhaps – but it is definitely a liability that brands have to contend with. And I’m wondering if you counsel merchants that you work with about how to prepare customers for this type of fraud if that’s done. It might not be, I could see it not be because we know brands don’t really like to talk about it. But if you’ve had any brands specifically ask you how they can go about prepping customers for this so that it’s not such a shock when it happens. Or if they don’t, why they should and how you would counsel them to go about doing that?
Bruno Farinelli: think the first, in this case, one of the advice we gave to this company, but it was specifically to always advise their customers that any interaction like this one wouldn’t be handled on a person-to-person basis. So, what basically would happen is that they would be calling the client, they would be sending an email to the client, anything that could be recorded and that could be saved if the customer ever needs it. In the end, explaining the customer how an interaction would happen, and it wouldn’t be like it was on this case. But I have to say that it’s a very tough case. On the other hand, you want to make sure that there isn’t a scenario in which a fraudster is going to have access to anything that’s going to be able to make him pretend to be from your company, like closing documents and so it goes on. So, there are also security policies that should be in place in regards to those.
Bradley Chalupski: So, the other question coming full circle, we were talking about the types of organizations. You said some fraud rings, but mostly individuals for this type of fraud that you’re seeing.
Bruno Farinelli: No, we actually saw more than one.
Bradley Chalupski: So, you’re seeing a trend that when this does happen, it’s more sophisticated groups of people that are running these kinds of frauds.
Bruno Farinelli: Exactly. When it happens, it was more than one case and probably more than one fraudster as well. But in both instances, we saw this, it was exactly the same behavior. They started trying a lot, once they’re prevented, they seem to disappear because they’re likely trying the same memo somewhere else.
Bradley Chalupski: Are you finding from the backend data perspective that the people that are running these types of scams, if you do catch them, that you can use that information to prevent fraud elsewhere that they might have been perpetuating? Or is the nature of the crime such that it is isolated and that you can’t really use it to stop them in other ways?
Bruno Farinelli: Yeah, because all of the data points he’s using, usually, belongs to the cardholder. This is going to make it a little bit harder. Obviously, we would still have a device identification that a lot of merchants have – that’s very reliable information that might assist in cases like this. Once you know that that device is compromised it, you know that you have to take care with anything that is coming from that device. Other than this, what caused this is that we have several algorithms that are going to be looking for deviations. So, from one day to the other, the volume of orders in a specific region was much higher than it was in a normal day. And this is, in the end, how we were actually able to identify those cases and to properly address them, because you cannot simply be second-guessing every order that has all the data of matches that you need.
Bradley Chalupski: So, you’re looking for larger trends in a broader area. So, you said you had a list and I want to make sure we get through at least a couple. So, let’s go on to the next one.
Bruno Farinelli: I’m going to give you one from Brazil now because this was one of my first. It’s always one that I like to discuss. This is actually a former employee of an e-ommerce in Brazil. He left the company and he decided to [12:00 inaudible]. This company wasn’t e-commerce and he had access to a huge batch of credit card numbers from that [12:14 inaudible] that company also had a private label credit card, and he had access to all that list. So, after this happened, we had two or three months of action, because he was trying every day and changing patterns because he knew one thing or two about how anti-frauds were operating. So, this was back in 2013. So, back then, what he was doing is that he was changing all the addresses using symbols, spaces, changing the orders of the fields but in a way that a postman would still be able to understand what’s happening there. So, for example, he would put the street in the name of the city and the city in the name of the street, but for the postman, it would still make some sense because that website back then didn’t have addresses standardization – so, this was an issue. And it was, in reality, a huge game of [13:15 inaudible] because he was always changing patterns. Obviously, after a while, we were able to encapsulate all of the patterns and successfully prevent them. And then he discovered something that is only internal to both offices in Brazil, which is that he discovered a code that it wouldn’t matter what the address that the he was utilizing to ship an order; if this code wasn’t there, the postman would not try to deliver and he would hold the order in the post office. And when he was doing this, then he would go directly to the post office to retrieve the product. This was an internal code, it’s not something that even people from the outside should be using.
Bradley Chalupski: Internal to the post-service.
Bruno Farinelli: Exactly.
Bradley Chalupski: How did he get that?
Bruno Farinelli: Impossible to know. Obviously, it’s likely someone from the post office was the one that told him and he was able to do this. We only caught him, though, when we were able to see he was doing that. We collaborated with this client of ours, because obviously, he was going to the post office to pick up something. So, it was extremely easy to catch him. When we were in the middle of this collaboration, believe it or not, the fraudster – the former employee – had the audacity of calling our client’s customer service to ask about the order because it was delayed. And then the customer service rep screw up a little bit, and he said, “Look, we’re going to catch you. You are ours. We’re going to catch you. You can do what you can do but your time arrived.” And then obviously, he didn’t go there to pick up the product. So, it was an extra couple of months since our client was successfully able to catch this guy.
Bradley Chalupski: How much was the loss?
Bruno Farinelli: Not a lot. In attempts, a lot. We’re talking about million dollars in attempts from a single person. But in losses, actually, there wasn’t a lot. But they had a lot of complaints because of the credit card problem as you can imagine.
Bradley Chalupski: You were going to say what was crazy to you?
Bruno Farinelli: The crazier thing for me is that he was actually arrested at some point. He just kept in jail for nine months. As you can imagine, nine months later, we were back into having to deal with this guy.
Bradley Chalupski: Yeah, I mean, what’s nine months in a Brazilian prison? I would do that. No problem. I don’t think I would last nine seconds in a Brazilian prison, much less nine months. But I have two questions to ask after this. One is this is a really good point that you bring up on something that is not discussed enough, and so in all seriousness, can you talk to me about preventing inside jobs? And this is something that, I think, companies obviously take seriously when they’re talking about sensitive corporate information. But some of this information, employees have to have access to, they have to see what’s going on in the backend or their processing transactions or whatever they’re doing.
Bruno Farinelli: I actually help with in some investigations like this. It’s definitely something that happens.
Bradley Chalupski: Why is this happening is my first question. Why aren’t there more controls on employees? And then my second question would be what people can do to try and strike that balance between preventing it but still allowing people to do their jobs?
Bruno Farinelli: Well, the first thing is that you got to have very strict policies when it comes to security, and even more if you’re dealing. Because one thing is someone that understands an anti-fraud system and knows how to do fraud. Another thing is if that person has access to sensitive information. If that’s the case, you got to have some very strict security policies on your end to prevent this person from distributing that information somewhere else. While at ClearSale, we have a culture that values freedom a lot. When it comes to security, we’re very strict; employees cannot send emails. Our analysts, for example, the ones analyzing orders, they cannot send emails to anything outside of ClearSale, because you have to be very strict. While the data is stored at ClearSale, the data belongs to the customers, so we need to be very respectful with that. Something else that I found, Brad, is that investigating cases like this, in most of those cases, the employee enter in the company already with the idea of doing something bad. He knew where he was entering. So, being careful with the recruitment process is also something that is very important here. Obviously, in some cases, the opportunity for the employee is going to appear during his time at the company. But in some cases, he’s going to enter in the company already with this intention.
Bradley Chalupski: Do you have any advice for how you can find those people? Or is it just a case-by-case basis? Or do you see a common link between the people that end up doing that, that you can identify during the interview process?
Bruno Farinelli: What I saw is in the cases, those guys who were able to enter the recruitment processes with almost very little restriction when it comes to making the play, understand the risks, and the penalties that he could receive if he did something wrong. And even in the selection itself, the filters were not allowed. There weren’t a lot of filters. Because what you’re talking about is something that is very sensitive, so you need to have a lot of filters when it comes to hiring someone, running the proper background checks, for example. In some cases, we found even background checks would be able to prevent that.
Bradley Chalupski: Hey everyone, thanks for checking out part one of my conversation with Bruno Farinelli at ClearSale. Next week, we’re going to continue with more incredible stories of fraud. I hope you enjoyed. And as always, you can get all the latest merchant tips and tricks at MerchantFraudJournal.com.