In this episode of the “To Catch a Fraudster” podcast, Rich Stuppy, Chief Experience Officer at Kount, talks about fraud in the food service industry and how eCommerce fraud prevention is helping in the fight against human trafficking.
Bradley Chalupski: Hey everyone. This is Bradley, editor-in-chief of Merchant Fraud Journal. Thanks so much for checking out the podcast. This week, we’re going to be speaking with Rich from Kount. Kount is an AI-driven fraud protection platform that recently launched their identity trust global network that allows you to gain the insights across all of their users in order to protect your customer journey at every touchpoint from account creation through to payments disputes. The platform will help you reduce chargebacks, manual review, and false positive. So, you definitely want to check them out on the web at Kount.com. We’re going to be speaking with Rich. He is their customer experience specialist. And he told us some absolutely incredible stories about fraud and pizza, but also some really sobering but important anecdotes about how fighting eCommerce fraud can actually help fight some of the worst crimes currently being perpetrated in the real world, specifically, human trafficking. And how the work that the entire fraud prevention community does, is contributing to that fight and making the world a better place, in general. You definitely don’t want to miss this episode. Some really, really great stuff. Thanks so much for checking out the podcast. And as always, you can get the latest eCommerce fraud news and tips at MerchantFraudJournal.com.
Bradley Chalupski: Rich, welcome to the podcast. Thanks so much for joining us.
Rich Stuppy: Thank you, Bradley. Really appreciate you having us. And always love talking about the crazy things that fraudsters do to steal money from people. So, I’m really looking forward to the discussion today.
Bradley Chalupski: So, I think a great place to start is with pizza plugs. That was how you presented it to me in the communications leading up to this podcast. And I am a huge lover of pizza and I don’t quite understand what the term “pizza plug” means. So, please enlighten me. Let’s hear it.
Rich Stuppy: You bet. And I too am a huge lover of pizza. As a matter of fact, I just finished a piece of cold pizza for breakfast this morning. I know not everybody likes it, but I sure do. So, pizza plugs is a confluence of a bunch of things, not the least of which the way pizza companies are moving into being primarily digital businesses versus traditional order and phones sort of businesses. So, if we break down the term “pizza plug,” pizza is pizza, it stands for pizza, any sort of food that you can order online; plug comes from the drug culture. If your drug dealer hits you with a plug, that means that they hooked you up. So, the idea is, somebody is going to hook you up with some really awesome food, and they’re going to do it in a way that’s a lot illegal. And so the way that they do this is they’ll advertise a pizza plug, or a DoorDash plug, or pick your favorite recipe restaurant with an app. They’ll advertise on social media – like on dedicated Twitter accounts – and they’ll say, “Pizza plug is open. Shoot me your information and 10 bucks, and I will get you somewhere between 50 and 100 bucks worth of your favorite awesome food delivered to your door.” And the way that they do this is they use stolen credit cards or stolen credentials or some other brand of stolen identities, and they go to the online app, they fill it out, and they put in your information – the buyer’s information – and the stuff goes to them. Works like a champ, but it can be very, very expensive for businesses that employ this business model. We think it’s somewhere between 600 million and a billion dollars in losses a year just from this sort of behavior.
Bradley Chalupski: Can you explain to me – I’m always interested to hearing these types of things; the psychology and the data-driven areas, the technology-driven areas behind – why this scam is working? So, it sounds like this is kind of a type of identity stuff almost, where people are able to do this. Can you talk to me a little bit more about that?
Rich Stuppy: Sure. I think you hit the nail on the head. It’s a classic identity theft. It could be an account takeover attack, or it could be a stolen payment credential attack. But the way it works is if I’m dealing in stolen accounts, I’ll go out and maybe do a credential stuffing attack and get a list of known good accounts. And then when my [05:23 inaudible] person PMs me on social media and says, “I’m gonna shoot you some money via Venmo,” or very different ways of giving you the money. They take those stolen credentials, log into that account, and change the profile of the account so it gets delivered to the right place. Or they simply create a new account and put in a stolen credit card that they’ve gotten through a breach of some sort. Or they take an existing account and adjust the profile to include the new payment type, a new stolen credit card, and a new address. It’s a combination of multiple different types of what I would say traditional digital fraud, but they can use it especially well in the pizza delivery and QSR space Because many of these companies are just now doubling down on their digital customer journeys, and many have not put the controls in place that you need when you’re in a purely digital environment. And these are the controls that pure-play eCommerce players learned over the course of a couple of decades. These food restaurants are learning, literally, in weeks, the bad things that fraudsters do.
Bradley Chalupski: So, take me through some of that. That’s really interesting thought is that these establishments – unlike, let’s say, traditional eCommerce stores – are not really used to this kind of thing. Like you said, maybe even five years ago, this was not an issue for them at all. It was a very traditional model. What are you hearing from people when they get hit with this kind of fraud? They must be completely flabbergasted. I’m wondering if you have any stories of people coming to you and saying, “I can’t even believe this is happening.” And how the industry is trying to orient itself, and pick up all that knowledge, and implement it that everyone else has had for 20 years now building and put it all in a single shot within a very short timeframe.
Rich Stuppy: You bet. And flabbergasted is a great word. Because the people running the digital shows, so to speak, or the digital customer journey, and these entities – they’re the customer experience person, they’re the IT development department. And they work with their cybersecurity because – especially if you’re at a global or national chain – everybody’s got extremely competent cybersecurity people. What they don’t get is that on the left-hand side, let’s say, you’ve got the cybersecurity people and they’re worried about the prevention of data loss, primarily. So, they’re doing vulnerability scans, they’re doing pen tests, they’re doing secure coding challenges, they’re doing all this stuff. And on the other side, you’ve got customer experience, people that want amazing one-click experiences, hit the button once on your mobile app and you can get $100 worth of product delivered to you plus a $20 gift card, and they have dreams about how amazed their customers are going to be. And in the middle, you got a fraud and loss prevention people that are like, “Hold on, guys, neither of you have it right.” Because these two groups don’t have what I call the fraud mindset, they don’t know that fraudsters will take those amazing features and take the perfectly secure APIs and interfaces, and because they’ve got access to stolen identity data, they’ll use the company’s own pipes against them to commit millions of dollars in fraud, untold millions of dollars in brand damage. Because let me tell you when somebody uses your account and runs up 300 bucks on your credit card, you’re gonna be pissed and you’re gonna think it’s the pizza restaurant’s fault.
Bradley Chalupski: My mom once ended up calling our local pizzeria because my sister-in-law had ordered something – because we’re big consumers of pizza – and used the card that they had on file. It’s a local pizza joint that we know the guy personally, very close local relationship. And my mom actually called them and said, “Sal, what’s going on with my card? I see a charge for whatever.” And then he had to say, “Well, your sister-in-law.” “Oh, okay.” She was very quick on that, very quick, to call and ask what was going on?
Rich Stuppy: This is a global phenomenon now because I can be sitting in Ukraine or I can be sitting in literally any country on the planet and I can execute this scam, harvest the profits. And there’s a lot of places in the world where if you’re making 20 bucks a day, you’re a high roller.
A: So, in that context, this doesn’t even need to be so “spectacularly successful,” to be profitable, and way better than anything else that you would be doing.
Rich Stuppy: You bet. And if you think about that broad, diffused global attack, and then you go back to the people that are running the show in these companies, and you got the cyber people, the fraud people, and the customer experience people; they have a very, very daunting challenge, and they really need the help of people that have experience in these sort of controls, have access to a network of fraud data and like customers, and know-how to employ it in a way that doesn’t implode their business by making it too hard to actually do business, because I hear lots of stories about people that have massive losses and fraud. But I also hear lots of stories, which I think can be arguably worse, where they invested $5 million in a new digital initiative to employ 10 very specific digital customer experiences. And one after the other, they’re turning them off because they can’t take multi-tender online, they can’t offer loyalty points because of fraud, they can’t convert loyalty points into gift cards because of fraud, they can’t deliver in certain counties, and areas, etc because of fraud. And so you’re caught in the middle and you got to strike the right balance and you need expertise to do
Bradley Chalupski: So, the next story – you wrote gas fraud, including stealing of gas into bladder trucks. And this is another term. I know what each of these words mean separately, but I don’t know what they mean together. So, if you can let everyone know because this also sounds pretty crazy.
Rich Stuppy: It’s funny that you mentioned that because I find the fraud world fascinating. And one of the most fascinating parts is what I call the weird words in fraud. So, we just covered pizza plug, which is a couple of weird words. And now we’ll cover bladder truck, which is another really couple of weird words. So, breaking it down: bladders a bag that holds liquid; a truck is picture a pickup truck, some might call it a lorry, etc. You take your truck or your van, and you put a giant bladder or set of tanks inside it. And you drill a hole in the side of this vehicle where it looks like it might be the legit gas tank, except it flows into this bladder, this, let’s say, 200 gallons or 400-gallon bladder. And as you’re stealing the gas, you’re going to picture a giant gas station with 16 pumps, and you go from one pump to the next. And each pump has a limitation on how much you can pump per credit card or app interaction. In the US, it’s like 100 gallons are probably $100 or thereabouts, I forgot that number but you get the picture. So, you go to Pump 1, and you go to your app, and you use a stolen credit card, and you fill your $100 there. And then you go to Pump 2, use your stolen app, maybe even on a separate stolen phone, fill another $100 worth of gas there. Pump 3, Pump 4, Pump 5 – pretty soon, you’ve got this bladder truck very full of gas. And to give you an idea of this; petrol weighs about eight pounds a gallon, you got 400 gallons in there, do the math. That’s like a heavy, heavy pile of explosives. You then say, “The way I’m going to monetize this is I am going to go to a location, be it in a city or in a place where there is a fleet of folks that have to buy gas and it’s a cost of doing business for them.” And they have a pump rig set up, and they put a little sign up that says, “I will, on the down-low, sell us this petrol or this gas for 50 cents on the dollar – 50% discount.” They monetize it. They make a bunch of money on it. And they do it over and over.
Bradley Chalupski: So, this is a really interesting case because it’s an instance where you’re seeing really a combination of real-world and virtual world fraud. The pizza fraud is that a little bit but this is really where you’re selling things offline. And that’s a really interesting combination. I’m kind of surprised that fraudsters are so brazen. Who buys that? I mean, I’ve worked in fraud too long and I’m a cynical human being. If somebody comes up to me and says, “I’m going to sell you this for half of what you get it on the open market.” I would say, “I don’t know what this scam is but I know that they’re [17:12 inaudible].” So, I’m kind of surprised that this works on the offloading end as well. What are these fraudsters thinking that they’re so brazen at this?
Rich Stuppy: Yeah, I think they’re thinking “If I maintain a solid reputation with the people that I’m hooking up, they’re gonna continue to do business with me.” I will call it a fairly recent development, maybe it’s not that recent but it’s certainly more pronounced, people that you would look at, you would say, “They’re great people.” Your friends and family, people you know are willing to be to participate in fraudulent scams. I call it willful blindness to the fact that they are participating in this fraudulent scam. Everybody knows that $10 worth of food or $50 worth of food for 10 bucks and the pizza plug, everybody knows that that’s not legit. Everybody knows that 50% off gas being pumped from a van in an alley is not legit. But they’re willing to be blind to this fact and participate in a scam.
Bradley Chalupski: So, this is an interesting point too on the psychology of fraud and the psychology of fraudsters. And I’m guessing Kount finds this throughout all of the verticals that you work with, where when people aren’t actually the ones that are stealing the product. And by that, I mean, not in the broader sense, but the actual physical act of receiving the gas. They’re just getting it from some other person and they know that something is going on, but they feel like well, “I’m paying what this guy is offering or asking for.” This is a really interesting area of human psychology. I guess people don’t think it’s theft. Do you run into this often, I guess, across all the different verticals?
Rich Stuppy: Yeah. And not only do they not think it’s theft, there’s a pretty well-known psychological set of theories around the way people motivate themselves and take an opportunity, and then justify the stealing or the commission of crimes. It used to be when they talked about it inside organizations, they would talk about the Fraud Triangle. And now really, it’s more of a Fraud Diamond, that is a mental model that says, “If I’ve got an opportunity and I have some sort of pressure or stress, that makes me think that my conscience should take a vacation on this thing. And then I’ve got the technical skill to do it.” I’m murdering the Fraud Diamond right now. But it’s a mental model that, basically, what it leads to is, once you convince yourself to do it, you convince yourself it’s okay. And then once you’ve convinced yourself it’s okay, you convince yourself it’s cool to keep on truckin’ and you keep on doing it. And one of the things that people don’t get in the whole fraud environment – and we see this all the time as we’re battling specific attacks – is the people on the other end, the bad guys, the fraudsters, the thieves, they are thinking, feeling human beings. And we see this where they become frustrated because we are causing them to expand their list of stolen credit cards and stolen emails and stolen devices, and they’re not getting the profit.
Rich Stuppy: We had a legit example. And I am not lying about this. And this was literally a bladder truck situation where they were attacking us or attacking our customer and we were declining and blocking, etc. And they started changing their email addresses that they had to: whytryIcantwin@gmail.com, firstname.lastname@example.org, Igiveup@gmail.com. And there’s a Senzu sort of thing going on there where if you break the enemy spirit. You’ve won the battle without fighting. And you see that happen and then you connect the psychology of the Fraud Diamond. And then you realize, if you have the controls in place and you are a strong adversary, they will move on to where victory is easy.
Bradley Chalupski: That is a really incredible story. I’ve never really thought about that, the idea that if you were you were able to stop people enough. Because you’re right, you definitely do think of these people as just criminals, and you put them in that bucket in your head, and you don’t really think about the fact that they’re actual people with actual psychological thoughts. And to them, every time that you’re preventing fraud is wasted effort and frustration to them. But to telegraph it like that as well I mean, that’s really — It just also gets at the thought of “Why people would choose this lifestyle?” I guess, like you were saying, when you’re in Ukraine or you’re in some other place where you’re not able to make a lot of money for a living, you go after, I guess, where you feel like money is. You probably almost feel justified, like, “Well, this person can afford the $50. They live in North America where the average income is much higher.” And so you probably don’t even really feel guilty about it in some instances.
Rich Stuppy: And you’ve hit on something also that operates there in the psychology and the mindset of the fraudster is there is a substantial amount of anti-Western and anti-US sentiment in the world. And the idea that you’re getting one over on a big North American or, more specifically, US brand, and you’re bringing that money back to your hometown, that’s a powerful shot of dopamine or serotonin that only gets better as you spend the money.
Bradley Chalupski: So, you think that there is some, I don’t know if jealousy is the right word, but there is some thought to “Well, these people are so rich.” And it’s not purely about the money, but it’s also about some kind of pseudo revenge factor.
Rich Stuppy: For sure. And just as a shout out to the people that run fraud operations, we’re coming up the Independence Day holiday. And then at the end of the summer in the US, the Labor Day holiday. These three-day weekends or these long weekends are launching pads for fraud attacks. So, be vigilant because we tend to generate a lot of business in the month following long weekend because somebody gets stung really, really bad and figures out that they need to put some controls in place.
Bradley Chalupski: Wow! That’s crazy. So, we have two more really interesting stories here. Sad stories, I want to be clear. But I’m sure, extremely valuable and important for everyone in the community to hear. One is you wrote that pet food fraud and how it can be linked to human trafficking. And that is, I don’t even know what to say about that before I even hear what’s going on behind the scenes. But why don’t you fill me in on what this looks like?
Rich Stuppy: I’ll go quickly here. But basically, we have a number of clients that are in the pet supply, pet food, etc, vertical. And one, in particular, encountered a fraud ring that was stealing animal food, number one, but also a variety of things like the shock collars, wireless fences, restraints like collars, and things like that. And a particularly enterprising person figured out that they may, in fact, be being used in a human trafficking effort to control the victims. They actually opened a case with law enforcement. But this is an example of, to me, once you open the case in a crime like this, you don’t necessarily get to see what the outcome is. You’re dealing with international fraud. I call it, in this case, the law is a little bit of a T-Rex. It’s got a really big bite, but the arms are particularly short and they can’t reach out many times. The long arm of the law isn’t there to go get the folks that are perpetrating this stuff.
Bradley Chalupski: That sucks. I can’t even imagine. This really goes to, one, just how crazy the idea is that people would be so horrible as to do that. And certainly, the way that they try to hide it, I’m sure, because it’s through pet food. Most normal human beings would not even think to put those two things together because it just wouldn’t occur to you to use those types of things on a human being. I’m really interested on this specific story to talk about, as a fraud prevention specialist, your personal psychology, and dealing with people who are trying to scam, trying to thieve, doing these awful human trafficking things. As a fraud prevention professional, how do you protect your own mental health as you’re going through all these cases and you’re seeing the worst of what people are capable of here? I mean, this is intense stuff to be involved in human trafficking. This isn’t like stealing money, which is obviously already bad enough, but this is very serious stuff, very dark places that you’re going to when you’re looking at this.
Rich Stuppy: Yes. I do think even the stealing of the money concept, that’s the first put. The second put is funding a whole variety of other really nasty activities. And so you’re right that this “feeling this” concept looms over all fraud professionals. Like these people are my people. I’ve had thousands upon thousands of conversations with fraud analysts and fraud experts and fraud risk executives, and we all know, deep down, that we’re not just protecting our brands, we’re not just protecting from the theft of money. We know that there are downstream things that we are preventing, be it terrorism, be it human trafficking, being it drugs, weapons, you name it. Criminals have a supply chain, and they raise their funds, and they fund their activities however they have to do it. But the psychology for a fraud prevention person is the terrific feeling that you get when you block them. And like I said, these are like my people, I talked to a whole bunch. They tend to be really, really smart; really, really good at connecting dots; and have an energy and ambition to them. They want to win. Like this will to win against the invisible and anonymous enemy is a thread that runs through everybody that I talked to.
Bradley Chalupski: That’s a really important statement, I think, within the community, which is the idea that you’re not just protecting your company, that there’s awareness around where these activities exist in the human comings and goings on the planet, and that these are very often – not always, but often – tangentially related to some kind of organized crime syndicate. And being aware of that, and thinking about it, not just as an economic job for your employer, but for almost a greater cause in whatever small measure in the kind of global criminality picture that’s going on. That’s really important. Thanks for sharing that, Rich.
Rich Stuppy: I’m happy to. Hopefully, it’s a space where we can be doing well by doing good, which is where I think everybody likes to be.
Bradley Chalupski: So, before we go, I want to make sure that I give you a chance to talk about Kounts and tell us where to find you on the web.
Rich Stuppy: Kount is a Software-as-a-Service-based fraud control platform. Fundamentally, we help companies protect themselves from people that use stolen credit cards, stolen identities, stolen credentials, and the like to commit fraud. One of the things that we build our business on is what we call our identity trust global network. This is a collection of the data and connections that we’ve built over a decade-plus of fighting fraud. It’s a massive amount of intelligence and data. And we mined it and use it to help our customers protect themselves via AI and Machine Learning. And we give our customers all the tools that they need to protect themselves from the nasty stuff that we’ve talked about and will talk about. That’s what we do.
Bradley Chalupski: Thanks so much for joining us on the podcast, Rich. Can’t thank you enough for these insights. And keep fighting that good fight.
Rich Stuppy: You bet. Bradley very, very much appreciate you having us. I love talking about this. So, I would say anytime you want to swap fraud stories and talk about how to catch a fraudster, we are there.
Bradley Chalupski: All right. Sounds great, Rich. Thank you so much.
Rich Stuppy: You bet. Bye-bye.