How can one man, armed with just a telephone, commit $9,000,000 worth of account takeover fraud? In this episode, Head of GIACT Systems Melissa Solis, and GIACT Executive Vice President of Sales Brett Petersen share the details of this incredible story.
Merchant Fraud Journal’s ‘To Catch a Fraudster’ Podcast is supported by Sift, the leader in Digital Trust & Safety. Sift empowers companies to stop fraud and grow without risk. Sift’s Trust and Safety Architects — industry experts who have decades of fraud-fighting experience at companies like Facebook, Square, and Google — can help you create a custom plan for your business with an emphasis on technology, organizational structure, and process.
Bradley Chalupski: Hey everyone. This is Bradley Chalupski, co-founder and editor-in-chief at MerchantFraudJournal.com. And this week on the podcast, we have Melissa Solis, Head of GIACT Systems, and Brett Petersen Executive Vice President of Sales Client Relations at GIACT. They’re going to be talking to us about a new report GIACT released on the subject of account takeover fraud. This is an extremely important topic for merchants to be informed about. It’s one of the most important vectors that fraudsters are using today to attack merchants. And GIACT released a wonderful report taking a deep dive into this topic, and we were very excited to have Melissa and Brett on the podcast to discuss it. So, thank you, Melissa. Thank you, Brett. Hope you guys all enjoy the episode. And as always, you can get the latest merchant fraud tips and tricks at MerchantFraudJournal.com.
Bradley Chalupski: Hey everyone. Thanks for joining. How are you guys?
Brett Petersen: Great. How are you doing?
Melissa Solis: We’re doing good. Thank you for having us today.
Bradley Chalupski: Of course, my pleasure. So, I’ll get all the good stuff out of the way. I’ll let you guys introduce yourself; who you are from, who you represent, what you’re here for. And then we’ll get into it.
Melissa Solis: I am Melissa Solis. I am the Head of GIACT Systems, which is owned by the London Stock Exchange.
Brett Petersen: I’m Brett Petersen. I’m the EVP of Sales and Client Relations at GIACT.
Bradley Chalupski: So, you guys are here because we at Merchant Fraud read an amazing report that you put out on account takeover fraud, which is a huge topic right now in the community, lots of people getting hit with this. It’s an extremely lucrative business right now for fraudsters. And we’re seeing huge upticks in these types of attacks and the damage that they’re doing to people. So, I want to start off by getting a quick overview of what you guys found in that report that you can tell merchants right off the bat that they will find useful in honing their own fraud prevention techniques. And then we’ll jump into some more stories.
Melissa Solis: Well, I think there were several things that really stood out to me personally. And I think Brett can jump in here and add some too. But when you look at the report and see that 47% of US consumers experienced financial identity theft, where someone actually had an application fraud in their name or account takeover in the past two years. That is crazy. I mean, that’s nearly half of consumers in the US. And then also, when you look at 38% of the US consumers experienced account takeover in the past two years. I mean, those are staggering percentages.
Brett Petersen: So, let’s face it, I mean, the fraudsters had a banner year last year with COVID. The stimulus speed to deliver uncertainty with that, there was an accelerated move to a complete digital buying and payment experiences. And then the fraudsters were able to exploit the vulnerabilities of existing fraud protection tools. And it’s all being driven – everyone wants things faster digitally, and so forth. And the fraudsters have just evolved. They’ve gotten way, way better at detecting and finding holes in an onboarding process or in a payment process.
Bradley Chalupski: It’s definitely a huge problem that we’ve heard about. So, I want to get into a couple of the angles here with what you talked about. One of the things that I’ve always wanted to ask people who deal with this type of fraud every day is how the psychological impact affects merchants. This is something that I’m super interested in learning about and hearing how you guys coach up or help people that are suffering this type of fraud because we talk a lot about how chargebacks are [04:38 inaudible], they’re particularly painful, that’s why there’s a lot more focus on them than there is on friendly fraud. Even though dollar-for-dollar friendly fraud is usually an actual larger revenue killer. Here you’re getting into entirely new realms of invading people’s privacy, and taking over account, and full-on representing people falsely. And I have to believe that when merchants get this kind of information, it can be really jarring to them to think that some of the customers that they think that they’re servicing are actually people that are out to harm their business, as well as the people that are coming to their businesses – honest consumers. And knowing how important those relationships are to small business owners especially, but medium and enterprise-level customers as well. I’m curious what kind of stories you guys have about dealing with this type of fraud on an emotional and personal level with the people that actually experience it.
Melissa Solis: Well, first of all, I think reputational risk is huge. And I think that that’s one thing that companies are realizing, it’s not just about the financial loss, it’s about how people think about you, because consumers are now becoming more and more educated, and they’re understanding that you have a responsibility to keep their information safe. But also, you have a responsibility to make sure you’re dealing with the right person. And when you think about the fact – in this report that we did, the study – that 30% of consumers reported it took them over 100 hours to recover from this identity theft incident. And the fact that 12% to 30% of consumers are unlikely to do future business with a financial institution or company when they’ve allowed fraud. And there are some other percentages, I think, that are interesting. But consumers now expect companies to take the necessary steps to make sure they’re dealing with the right person. And I’ll tell you a personal experience.
Melissa Solis: So, I was sitting in my office a few years back, and I received a phone call and it was from a department store. And they said, “Hi, this is Mary from this department store, and who am I speaking with?” And I gave her my name, and she said, “Well, I wanted to verify that you just tried to open an account.” And I was like, “No, where are you at?” And she was sitting in Atlanta, Georgia. And so I said, “No, I’m sitting in Dallas, Texas.” Well, what was crazy is the fraud and risk tools that they had in place were not what stopped the fraud, it was a clerk who had a weird feeling because they opened a card with my information, passed all the fraud and risk checks and balances. But the person who was fraudulently opening was basically maxing out the approved amount. And so the lady said, “Man, something’s not right.” She stepped away and took the extra step to get my information to call me, or else someone would have literally purchased thousands of dollars with the merchandise and walked out of the store. I will tell you that it took me almost six months to get that off my credit. It took multiple times reaching out to the credit bureaus. It took multiple times talking to that department store to get that done. And I’m educated, I know how the systems work. But imagine a consumer that doesn’t know what to do. So, what’s happening is faster payments equals faster fraud. I know that it’s easy just to look at COVID and say, “Well, COVID is driving the fraud.” And don’t get me wrong, it has increased since COVID. But really what’s happened is, like Brett said earlier, what’s driven is that more people are doing business mobily through the internet on a mobile device or through a computer since you don’t have that face-to-face interaction with COVID. And then also real-time payments has really pushed people to make decisions in seconds. The problem is, the fraud solutions in the marketplace have not moved at the same rapid speed of payments going faster. So, we see an increase of fraud, and people’s solutions have not kept up with that.
Brett Petersen: If you think about it from a company standpoint, how they’re viewing this is there’s a lot of frustration, I think, in this field, simply because this industry is very fragmented in terms of solutions that they can buy. And what that means is that there is no central source of truth for consumer identity that exists anywhere. So, you have a lot of different companies that use a lot of different sources, mainly relying on, say, credit bureau data and different flavors of that credit bureau data. And the challenge with that is it has created an even greater problem with synthetic identities. So, they can scheme the credit bureau data.
Bradley Chalupski: Can you explain what synthetic identity is for people who might not know that are listening?
Brett Petersen: Sure. Synthetic is when a fraudster will use some real information, combine it with some fake information, and create a brand new profile. So, they may steal a Social Security Number, they may have other points of data. And what we find, typically, in this space is a fraudster wants to manipulate two pieces mainly, and that’s the Social Security Number and the email address. Because once they can do that, and they can successfully fill out an application and get approved, that’s when they can now control the account and make changes to the account and so forth. And the problem with synthetic identities is that they’re very hard to detect. So, a lot of companies don’t even know they have a synthetic identity problem; they write it off as a credit loss. But these are actually synthetics that have gotten through their onboarding system. So, getting back to your earlier question; how are they feeling about this psychologically? They’re very frustrated. Because you could have an onboarding platform, you could have a transaction monitoring system, you could be using predictive analytics, AI, you could be using all this. But if the data that’s being fed into your system is bad, you’re going to just have bad information throughout.
Bradley Chalupski: And I think the most shocking thing from that story is that at the end of the day, it’s – as I put to one of our previous guests – the old-fashioned MacGyver stuff that’s finding these people. It’s a clerk sitting at a store desk going “This just doesn’t feel right, I’m gonna escalate this.” And that, to me, continues to be one of the most incredible stories that threads through everything that we see right now with fraud prevention is that there’s so much great investment in technology. And at the same time, there is still a lot of room for fraudsters to operate in the blind spots. And we see it time and time again. And the way that it was explained to me on this podcast was that there are actually almost two separate realms of fraud prevention. We interviewed an ex-fraudster, and he was saying that there are still things that you have to check that can’t necessarily be automated; things like checking that licenses have the proper state seals on them that they’re valid licenses, or here where somebody comes and they – I love the word they use – maxed out the proof, and a human is sitting there going, “Yeah, people don’t usually do that.” A computer would probably think that’s great. It’s checking 15 boxes when they only need three. Whereas the human goes, “Yeah, nobody really takes the time to do that unless there’s really something going on behind the scenes.” And I just find that so fascinating. I’m wondering if you find that that adds to the sense of frustration when you come to people and they say, “Well, I just spent X dollars on this fraud prevention solution – or multiple fraud prevention solutions – and you’re telling me that it was a clerk that spotted this.” So, what am I paying for at the end of the day?
Melissa Solis: I’m going to let Brett jump in here in a minute, but I think it’s a couple of things. One is, fraud has moved as fast – if not faster – than the movement that we’ve had in going mobile or faster payments, and taking things where it happens in real-time. The problem is that a lot of solutions out there – first of all, they’re built on foundations that don’t allow them to change with the speed of fraud. The fraud rings now it’s no longer where Jim Bob and his friends are in the basement, hanging out committing fraud. These are well-funded fraudsters. They’re smart. Because of all the breaches, they have all the data in the world they need to commit fraud to create synthetic identities. You have bureaus that are promoting this synthetic identity because they’re actually creating identities that are then fed into the system based on inquiries. You have companies that are providing data without verifying it, reporting it back into the bureau. So, you’ve got all these things that are happening, that basically unless your fraud solution is really a solution that follows you from the time you come into the space through the complete lifecycle. And catching fraud does not start at the payment, it starts from the moment that you walk into that space and start doing business and having communication with a company. And that’s where companies screw up; they wait until the transaction happens, and then they want to start the fraud and risk tools. It doesn’t work. The bottom line is the way you look at fraud and risk, the tools that you have, I think, are super important. So, Brett, why don’t you add a little bit to that?
Brett Petersen: I think, Bradley, you mentioned blind spots. To me, that really resonates because you talked to companies who have been using very large, well-known, ID-proofing companies, and they’re still getting hit with fraud. I’ll give an example of that. So, we did a proof of concept or test. And we had a well-known company that had a fraud problem. And they wanted to run their data through our system just to see what we would have found on these known fraudsters, so they gave us 22 subjects. We found over 52 different flags. And it wasn’t because necessarily that the company they were using on the front-end was bad, it shouldn’t have different data types. So we always talk in terms of traditional and nontraditional data. So, traditional data would be a credit bureau, it would be utility files, it’s everything that we call aggregated data that everybody is searching. We have the advantage that we have some nontraditional data and it’s privileged access; things like bank account information, different things that we can add to the mix. And so when we did that, we found 52 different potential flags. And they would not have onboarded those particular people, had they seen some of those things. It also goes back to the risk tolerance of the organization too; what you’re willing to accept and not accept. But I think there’s this feeling that people have relaxed a little bit. And if they get a score of an X percentage from an identity vendor, they don’t worry about it and they just keep going. And I think the numbers will back it up. We have an epidemic of synthetic identity fraud right now. The numbers are not just trending up, they’re out of control. And I don’t think companies really pressure test their systems enough on a yearly basis or quarterly basis to find potential fraud.
Bradley Chalupski: So, can you give me an example of some of the things that you’re talking about when you say 52 data points that other people might not, or other solutions might not have been looking at? Can you give me an idea of what you’re looking at that’s not being looked at otherwise?
Brett Petersen: It could be as simple as a bank account, that maybe there’s a bank account open and valid but there’s no way to prove that they’re an owner of that bank account. Sometimes we can see it’s a prepaid card, it’s not an actual bank account. We can see addresses associated that maybe are a campground and aren’t actual physical addresses. There are all sorts of different consumer alerts that come up on our identity data that really speak to the truth. So, again, at GIACT, we don’t score data, we do it internally, but we provide a fact pattern. So, rather than saying, “78% sure that you are who you say you are,” we’re going to say, “Alright, we need to see different points of data, align and collaborate the result here.” And we’re going to give you the fact result of that. So we’re gonna tell you what it is that we found that matched, what didn’t match. Then you can take that data, load it into your analytics platform, and make decisioning based on an actual fact.
Melissa Solis: In fact, there are so many of these, I can spend the rest of the day talking about them. But there was a Florida man that was sentenced to 37 months in prison for laundering more than $9 million on an account takeover scheme. And basically, what he was doing is he was calling the company, impersonating a representative of one of the victim companies. So, he would call up and say, “Listen, I need to change my bank account information.” And so they would verify some basic information and let him change the account. And then they would pay those invoices to the fraudulent account. Whereas, if they were using our platform, one is they could have known that that particular account did not belong to that company, that the name did not match. So they would have never sent the updated information and they would have not sent out $9 million to a fraudulent account. And as soon as the funds were actually received, then they were obviously wired out to Russia, Turkey, and Ukraine. You look at that just came out for the SBA, I mean, when you look at that 1 million referrals for loan fraud, for the PPP. And then you look at a fraudster siphoned over $100 million in COVID relief through online investment platforms again. When you have a comprehensive solution that truly follows through the complete lifecycle and you can see the different picture, you might get around one of the mousetraps but you’re not getting around all of them. And so by having a solution that really evolves with the speed of fraud, that’s how you win in these situations, trying to piecemeal single-point solutions or companies that are not updating their solution to meet the times of fraud and how it’s moving right now, you’re going to lose. And people will say, “Well, how do I know if it’s true?” Read the news. I mean, my God, every day, it’s story after story of how fraud is happening in our country. And there are solutions out there that are keeping up with what’s happening, that better arms you to fight against those. But status quo doesn’t work anymore.
Bradley Chalupski: So, I want to dive into two aspects of what you just said. The first one is “I want the audience to be clear.” If you could state the difference between account takeovers of a consumer account and an account takeover of a corporate account, which is what you were just talking about. But we haven’t made that distinction totally clear on this podcast, so I just want to make sure for anyone listening who’s a little lost in the woods here, the difference between those two types of fraud.
Melissa Solis: So, it really works quite simply the same. With a corporate account, let’s say, if it’s vendor management and I call up and I say that I’m with so and so company and you need to pay your invoice to my new bank account. So, that company then changes, it sends the money to the fraudulent bank account. And now a company, basically, is out that money if they’re not able to recuperate it. And now fraud has been committed against them. The same holds true with an individual. A lot of times with account takeover, they’ll go in and change an account with an investment company or something where you have funds – a real-time payment platform, a wallet, whatever it may be – go in, they’ll change where the money is being forwarded. So they will go in, take over your account, a lot of times it’s done through email – that’s how it starts – and they’ll take over and send funds out before you realize that someone has taken over your account and send funds.
Bradley Chalupski: I think that’s the really big difference here is you’re talking about corporate accounts, this money can get siphoned off totally silently. And that’s something that I don’t think is understood enough, a consumer-facing fraud attack, in general, the business hears about it, if one of their consumers or somebody got defrauded because somebody faked their identity, you’re going to hear from either that consumer whose account was taken over within your system or somebody else who was fraudulently represented or had been fraudulently represented to your business. Those types of things eventually, more times than not, will end out in the open. Ironically, I don’t know if it’s more damaging because the accumulative problems of having too many customers have poor experiences with your sites, as you mentioned, is extremely potent. But in terms of the absolute dollar value of any individual attack, when you’re talking about a corporate takeover, you could literally lose tens of thousands, hundreds of thousands of dollars before you even realize that anything is wrong. And that’s what’s really scary.
Melissa Solis: Yeah, it could be millions. I mean, we’ve heard cases of millions of dollars. In fact, Brett, why don’t you share?
Brett Petersen: You really touched on it that what’s not being seen or publicized as much as some of this vendor payment supplier fraud. It’s all account takeover. It’s all the same. We had a customer, they’re in the investment community. And they found out that they were paying a nonexistent vendor. They were sending money to a bank account. It took them before about $2 million, somebody figured out. There’s a lot of examples. And what we found last year, especially, is we had Fortune 500, Fortune 50 companies coming to us because they had a fraud incident. And what I found interesting from a sales perspective is that generally when you do business with a very large company, their procurement process is extremely slow, it takes a long time to get through. When they actually had a fraud incident, it happens overnight. We had some very large companies that signed up for us. It took less than a week. And I was shocked by that. But it just goes to show that when you have a problem like that, and who knows? In those particular examples, they wouldn’t disclose how much money they sent to a fraudster, but I suspect it was quite a bit. When I first started at this company, it was the University of Connecticut had their vendor management system hacked and someone was able to reroute checks that were intended for Dell Computer to her personal bank account. And again, that would have been an easy solve for us.
Bradley Chalupski: It’s unbelievable when you hear stories like that. I’m curious when you’re dealing with these types of situations, and you’re dealing with professionals who are coming to you, and you’re in big Fortune 50 companies, what is the conversation like? This is kind of bringing my initial point full circle in that, do these people feel angry? I can’t imagine that they feel indifferent because even if you’re working at a Fortune 50 company and you’re as corporate as corporate can get, and people are very professional, and they’re in some ways detached. It’s not a small mom and pop business that this is their livelihood. These are professionals getting paid to do a job. It still has to be really, really shocking, disconcerting, and upsetting to people.
Bradley Chalupski: That’s part one of our conversation with Melissa and Brett on account takeover fraud. Huge thank you to them for taking the time to come out and talk. We’ll be releasing part two of the episode in the coming weeks. Make sure to catch that. You don’t want to miss out on more of those great insights on an extremely relevant topic. Until then, take care, everyone.