identity information, such as a social security number, birthdate, name, address etc.
payment information, such as credit/debit card info and check info
system knowledge, such as the policies and verification systems employed by companies like merchants, banks, service providers etc.
These items represent what I call the ‘3 pillars of a fraudster's operation’. Every transaction has these components – for example, an online retailer accepts payment for an order (payment information), takes the shipping information (identity information), and the order makes its way through the merchant's system (system knowledge).
This is where the economics of this system comes into play. Everything from products and merchandise to drugs, services, prepaid gift cards, stolen account information, and more is traded for someone else's trove of stolen information. Anonymity and dodging law enforcement are critical for both parties, so precautions are taken on both sides.
There is more to be said, but this paints a pretty clear picture of what goes on regarding the economics between fraudsters and cybercriminals.
Discovering vulnerabilities within a company, and how that leads to authoring new methods
A couple of years into my operation as a fraudster, I had accumulated countless pieces of payment and identity information, so running trial-and-error transactions was common practice when authoring new methods against businesses. Small purchases were put into the system with varying information in order to find out what worked.
These transactions would not be associated with any of my current addresses, nor with any of the real information that I was presently using. The orders would or wouldn't go through, but I would track packages to delivery or cancellation and make notes. This is referred to as pen testing and cardable sites list building; however, during my time as a fraudster, I called it ‘checklist building’.
The noted results of these transactions would vary greatly and could apply to many different transfers of value within a company:
in transactions, I discovered uses for generated credit card numbers accompanied by little or no verifiable identity information, as well as the need for complete and correct payment information, alongside months of profile building (needed to associate new information with the identity before requesting and receiving a new line of credit);
in customer service interactions, I learned that rerouting packages was possible, telephone orders could bypass website security features, and more;
in accounting, refunds could be issued to different names unrelated to the initial billing information.
The perpetual nature of fraud
Every company is exposed to fraud; that is a harsh reminder. Every company sits somewhere on an unwritten list, ranked by the difficulty a fraudster experiences when attempting to exploit its operations.
Organised fraud operations are flexible, resilient, and dynamic, while merchants have approval processes, compliance regulations etc. that hinder their ability to think on their feet and respond quickly in significant ways.
What merchants can do to identify systems weaknesses PRIOR to being attacked
Earlier, I used the term ‘transfer of value’. The idea behind it is that fraudsters are not limited to checkout forms for their attempts to exploit a system. What looks like a good transaction during checkout can adapt and evolve into something else entirely. The methods that I authored worked to exploit companies of all sizes by attacking different touchpoints along the way. That being said, it is important to understand the duality between a customer journey and an unintentional fraudster journey. With this in mind, I have developed a 4-step strategy development process that I employ with merchants and service providers across the space.
Fraud prevention strategy development process
Identify – Identify the TOVs (transfers of value) that your company participates in. This might be retail transactions (both in-store and online), payment for services, lines of credit, returns, refunds, stored payment information, and more. By identifying the various ways that your company engages with the public, you'll have a good understanding of what fraudsters might come for.
Establish data/monitor – By putting eyes on the data associated with each TOV throughout your operations, you can begin to see the effect that fraud/dishonest consumers are having on your bottom line. This will help you understand your losses/justify your budget for solving issues.
Automate – The fraud prevention service providers are doing an awesome job discerning the tactics that exist under the data. By working with merchant networks and aggregated data, they are able to put dynamic determination processes in place that will help to mitigate losses while removing the cost of manual transaction analysis.
Repeat – Your company intends to grow, right? As it does so, keep in mind the shifts in policies and procedures that go along with that growth and repeat the process. Strike and maintain the balance between merchant security and customer satisfaction.
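The monitoring in step 2 can be made concrete with simple checks over a merchant's own order and refund records, one per TOV. The following is an added example, not the author's tooling or any vendor's product; the record fields, thresholds and sample data are constructed assumptions. It flags the two patterns described earlier in the article: several small trial orders under varying identities on one payment instrument, and refunds paid to a name that does not match the original billing name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): one record per transfer of value.
# "card" is an assumed payment-instrument fingerprint, not a card number.
ORDERS = [
    {"id": "o1", "card": "fp-A", "name": "J. Doe", "ship_addr": "1 Elm St", "amount": 12.00, "ts": "2021-03-01T10:00"},
    {"id": "o2", "card": "fp-A", "name": "M. Roe", "ship_addr": "9 Oak Ave", "amount": 9.50, "ts": "2021-03-01T10:20"},
    {"id": "o3", "card": "fp-A", "name": "K. Poe", "ship_addr": "4 Ash Rd", "amount": 15.00, "ts": "2021-03-01T11:05"},
    {"id": "o4", "card": "fp-B", "name": "A. Lee", "ship_addr": "7 Fir Ln", "amount": 240.0, "ts": "2021-03-02T09:00"},
]
REFUNDS = [
    {"order_id": "o4", "payee": "A. Lee", "amount": 240.0},
    {"order_id": "o1", "payee": "Z. Other", "amount": 12.00},
]


def probing_cards(orders, window_hours=24, max_amount=20.0, min_identities=3):
    """Flag payment instruments used for several small orders under differing
    identities within a short window: the trial-and-error 'checklist building'
    pattern as it appears in the merchant's order data. Thresholds are assumptions."""
    by_card = defaultdict(list)
    for o in orders:
        if o["amount"] <= max_amount:
            by_card[o["card"]].append(o)
    flagged = {}
    for card, rows in by_card.items():
        rows.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rows):
            t0 = datetime.fromisoformat(first["ts"])
            span = [r for r in rows[i:]
                    if datetime.fromisoformat(r["ts"]) - t0 <= timedelta(hours=window_hours)]
            # A distinct (name, shipping address) pair counts as a distinct identity.
            identities = {(r["name"], r["ship_addr"]) for r in span}
            if len(identities) >= min_identities:
                flagged[card] = sorted(r["id"] for r in span)
                break
    return flagged


def mismatched_refunds(orders, refunds):
    """Flag refunds whose payee differs from the billing name on the original order
    (the accounting-side weakness described in the article)."""
    billing_names = {o["id"]: o["name"] for o in orders}
    return [r["order_id"] for r in refunds if r["payee"] != billing_names.get(r["order_id"])]


if __name__ == "__main__":
    print("probing instruments:", probing_cards(ORDERS))
    print("refund name mismatches:", mismatched_refunds(ORDERS, REFUNDS))
```

Both checks are review triggers, not automatic declines; the per-TOV counts they produce are the loss figures step 2 asks you to put eyes on.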
This article was originally published inside the Fraud Prevention in Ecommerce Report 2021/2022.
About Alexander Hall
Alexander has 14 years of experience relevant to fraud and fraud prevention. Since joining the fraud fighter community, his strategies and processes have been successfully applied to companies ranging from retail to financial industries. In 2020, Alexander founded Dispute Defense Consulting and has since accepted a position on the board of advisors for the customer experience programme at the University of Nevada, Las Vegas.
About Dispute Defense Consulting
Founded by Alexander Hall in March 2020, Dispute Defense Consulting provides fraud prevention strategy development consulting to merchants and works with merchant service providers to challenge, refine, and expand their offerings in the digital trust and safety space.