Understanding the fraudster`s modus operandi
Transcription
Understanding the fraudster`s modus operandi
Understanding the fraudster’s modus operandi An Experian white paper Table of contents Executive Summary.....................................................................................................................................2 Four stages of understanding the fraudster’s modus operandi...........................................................3 Identity theft and manipulation.................................................................................................................4 Perpetration.................................................................................................................................................13 Delivery.........................................................................................................................................................18 Distribution..................................................................................................................................................20 Conclusions about the fraudster’s modus operandi............................................................................23 Law enforcement........................................................................................................................................24 Evolution of the industry............................................................................................................................26 About Experian’s Decision Analytics......................................................................................................27 An Experian white paper | Page 1 Executive Summary Understanding the behaviour of fraudsters is essential in order for us to enable our clients to manage and optimise risk prevention and to detect and reduce fraud throughout the customer life cycle. Through interviews with both convicted and unconvicted fraudsters we’ve built firsthand insight into ‘Understanding the fraudster’s modus operandi’. This research has been conducted through face-to-face and telephone interviews with both convicted and unconvicted fraudsters and fraud industry stakeholders, such as law enforcement officials, ecommerce professionals and fraud managers. The research was carried out over a four year period involving over one hundred participants. The perpetrator research was conducted within the framework of the ethical guidelines of the British Society of Criminology. Care was taken to ensure that the data generated was anonymised to protect the confidentiality and integrity of research participants or the company for which they are employed. All fraudster names are therefore fictitious. Fraudsters were identified and contacted via a ‘snowballing method’ with research participants encouraged to contact other potential subjects from within their fraud networks. As a result, findings were based on a non-random sample of convenience. Therefore they give a snapshot of fraudulent behaviour - but without any geographical context or regional variances in trends. The research behind this document has been distilled into four stages which break down the fraudster’s modus operandi (MO). This is partly as a result of the wealth of insight that fraudsters were happy to divulge about how they initially stole the victim’s identity. Also as identity theft is often only the first stage in the fraud life cycle there is the prospect for more of the fraudster’s behaviour to be understood and acted on, thus providing further opportunities to detect fraudsters as they ply their trade. The four stages of the fraud life cycle we focus on in this document are categorised as identity theft, perpetration, delivery and distribution. Page 2 | Understanding the fraudster’s modus operandi Four stages of understanding the fraudster’s modus operandi The four stages of this white paper and the resulting insight into understanding the fraudster’s modus operandi can be recognised as follows: 1, Identity theft and manipulation How do fraudsters get hold of identities with which they commit fraud? • Who aids fraudsters in obtaining identity information? • Where can credit card numbers and Card Verification Value (CVV) codes be acquired? • How do fraudsters consolidate stolen identities? • How is circular identity theft achieved? 2, Perpetration Once the fraudster has stolen the requisite identity information, how do they commit fraud? • What types of fraud are perpetrated? • Do fraudsters target particular kinds of companies? • How can you tell the fraudster from the real customer? 3, Delivery How do fraudsters take delivery of the goods, services or money that they have fraudulently obtained? • Where are the goods sent to? • Do fraudsters have accomplices or colleagues in the delivery process? 4, Distribution How do fraudsters profit from goods that they obtain through fraud? • What happens to the spoils of fraud? • Are goods obtained by deception still sold in the back of pubs? • Has technology opened up new markets to the fraudsters? There are inevitably aspects to the fraudster’s MO that we have not covered in this research exercise. Instead we have only included content where we have a direct insight into how and when the fraud was perpetrated and who was involved. This way we can ensure an undiluted first hand account of the fraudster’s modus operandi. An Experian white paper | Page 3 Identity theft and manipulation In this section we examine how the fraudster obtains the personal characteristics needed to perpetrate fraud. Namely how does the identity theft take place so the fraudster can then use that stolen identity in a fraudulent transaction? We’re not going to focus on some of the more publicised methods of identity theft such as bin-diving. Instead let’s look at some of the less well known aspects of how fraudsters go about their daily business. Fraudsters go to a fraud shop! It will come as no surprise that if Fraud Managers have their own online fraud forum to share information and fraud alerts and to work together to beat the fraudster, then fraudsters have their own forums too. Multiple fraudster chat rooms exist on the web, of which this screen grab from a common “carding” site is just one. We have chosen not to reveal the site’s URL as we feel that this would only serve as a signpost for trainee and aspiring fraudsters A quick visit to these kinds of sites reveals the language and the habits and practices that go on in “the carding scene”. In essence, fraudsters log in and buy sets of card numbers, names, addresses and other information which any web-literate person can then purchase and start running CNP (Card Not Present) frauds. Lists of stolen identities are transferred via hard to track and detect web data transfer tools such as IRC (Internet Relay Chat) and ICQ, an acronym for “I Seek You”. So when fraudsters sell these databases of names and credit card numbers online, where are they coming from? The answers to this question could form a whole separate report. There have been plenty of high profile examples of organisations losing data which leaves their customer Screen showing a post from an illegal forum details exposed, many of these cases specialising in sharing stolen card details. have been attributed to human error or in some instances poor security processes. In reality though, the majority of the identity data that is available online is provided by hackers that have illegally gained access to databases, usually from attacks on the servers of poorly defended companies, and then sold on to the fraud market via sites such as this. Page 4 | Understanding the fraudster’s modus operandi “It makes burglary easier and more worthwhile ‘cos before it was a gamble that people had anything worth having, you had to get it out without looking suspicious and then you had to find somewhere to flog it. Its easy now cos everyone’s got cards and it fits in my pocket and I get a good price for it.” Julie, Fraudster #E19, convicted “The going rate for a freshly stolen credit card was about £250 with the price rising beyond £500 if it was accompanied by a PIN number or if the victim was at work for the day or, better still, on holiday ” Ian, Fraudster #E17, unconvicted Fraudsters have people on the inside “They work in bars where the pay’s crap and they get treated like crap by the boss and the customers so it’s like Christmas for them when I come along and offer them a way to make shed loads without any risk. “ George, Fraudster #B14, unconvicted “The workers at our call centres are stopped every day on their way out of work by the fraudsters bribing them to buy customer identities from inbound calls. They just brazenly hang around outside the office complex gates” Security & Risk Manager at leading online computer retailer An Experian white paper | Page 5 The fraudster is direct in their approach to identity theft and is not afraid to approach those working in jobs where there is easy access to customers’ personal and/or financial details. These jobs are often poorly paid so the financial incentive that the fraudster offers is generally very attractive and frequently overcomes any concerns that the employee has about collusion with the fraudster. Fraudsters who use this approach report a high level of cooperation and note that more employees have qualms about getting into trouble with their employer than they do about the legality or morality of their conduct. Fraud begins at work! “I decided to enter the world of work and got a job at a call centre. In a grimy, freezing room, a few dozen miserable people sat in front of computers with headsets on, muttering into mouthpieces with their eyes stuck on their screens. Every day dozens of people were using their cards through me to pay. There had to be a way for me to take this information and make use of the cards myself.” Elliot Castro, prolific fraudster & author of “Other People’s Money” “I have their address and credit card details from the booking so all I need is the number from the back. When they turn up, I say I’ve got to check their card against the list in the office so I go and get the list and look at it so the card isn’t ever away from them. I take the form straight back into the office so that I can write the number down before I forget it and they’re none the wiser.” Chris, Fraudster #E6, convicted Page 6 | Understanding the fraudster’s modus operandi Fraudsters play dead “I might sound a bit cruel but I read the obits in the local paper. If it says ‘sadly missed by her husband’ or ‘survived by his wife’ then its odds on that the house won’t be empty. But if it is all children and grandkids, you’ve got a good chance that they lived on their own so you see if you can find the address to scoot round and have a look… Lots of these oldies, they’ve got great credit ratings because they’ve spent a lifetime saving and paying their bills on the dot… Credit is easy to get and you’ve got long-standing residency on the electoral register too … The bonus is that you know that nobody is going to have to foot the bill because grandma’s dead so it’s not like anyone’s getting hurt.” Douglas, Fraudster #C5 Fraudsters get up close: Mail interception “So I pose as a small-time property developer and ask for lists of executor sales. Some estate agents will let you take keys and go and look yourself but most take you round. If I’ve got the keys, I take a copy but if I’m just looking round I can slip a window latch open sometimes or just work out whether or not there’s an easy way to break in – looking at whether the back garden is accessible and not overlooked, that sort of thing. Once I’m sure I can get in, I can get the applications in for credit cards… [and] wait for them to come rolling in.” Ben, Fraudster #C16, unconvicted “Outside letter boxes are great too. You’d be surprised how many people have them … You have to watch a bit to see if they leave for work before postie arrives. All that sitting around is a bit tedious but worth it when it pays off.” Catherine, Fraudster #D11, convicted An Experian white paper | Page 7 Fraudsters have a variety of strategies for accessing post once it is delivered, whether this is by targeting properties that have mail that is easier to access, such as external letter boxes or flats with multiple mail boxes in a secure area, or by gaining access to the house itself. More sophisticated fraudsters will have a range of safe addresses to use and will arrange for particular items of mail to be redirected, e.g. by advising the bank of a change of address and then ordering a duplicate card. “Provided you sound official, people will tell you anything.” Michael, Fraudster #E5, unconvicted “A little bit of knowledge goes a long way. Knowing who [the victim] works for or banks with is all that it takes. You’d be surprised but ‘I’m calling from Lloyds, there’s a problem with your account’ still works despite the publicity telling people not to believe it. But the thing is that banks, insurance companies, Sky all still do it anyway. They phone up and ask customers to identify themselves so there’s no point in telling people not to fall for it until the companies stop doing it.” Rob, Fraudster #E2, unconvicted “Email’s the best way. Quick. Can’t be traced. Once it’s mocked up to look like eBay or whatever, it can go out to hundreds of people a day.” Sam, Fraudster #A8, convicted Page 8 | Understanding the fraudster’s modus operandi “It isn’t hard to copy – look at the real Amazon and copy it. If it looks like Amazon, people accept that it is Amazon. They log in as a returning customer so we’ve got their password too and plenty of people use the same password for everything so that can be handy. Then they get a screen that says they need to put their details in again for security purposes, they press ‘click’ and that’s their name, address, bank details and everything else that we needed sent straight to us.” Sam, Fraudster #A8, convicted “I use dating chat rooms as people are keener to talk about personal stuff. I never ask anything outright. After a bit, I say ‘you know, I can’t believe how easy you are to talk to – I bet you’re a Cancer’ and that always gets a response, like, ‘oh no, I’m Pisces’. So then I say ‘oh wow, 6 what are you? what a coincidence – so am I. I’m the 10th, They give you the date of their birthday and you can work out the month from the star sign. I’ve got all sorts of things that I can do.” Michael, Fraudster #E5, unconvicted “[Chat rooms] give me a way to spot potential victims. It takes a while to build up trust but that’s ok, its worth the effort in the end. As time goes on, people give out more and more stuff …I mean, to start with, I can be a man or woman online. I use sex-free user-names like ‘Filmlover34’ so I can be whatever sex I need to be.“ Michael, Fraudster #E5, unconvicted An Experian white paper | Page 9 In a widely publicised scam a group of fraudsters set up a bogus website claiming to sell a variety of electrical goods at reasonable prices and which stated that it had stock of the ‘must have’ Christmas gift: a Sony PSP. Over two thousand orders were placed, all providing personal identity information and bank details. Once the details were obtained, prospective purchasers were sent an email advising them that their order could not be processed due to lack of stock. As no money was lost, there seemed to be nothing amiss to alert the victims to the theft of their identity details particularly as the fraudsters waited several months to undertake fraudulent transactions in order to minimise the risk that the victims would make the link with the website. Site cloning involves the replication of the look and style of a genuine and trusted website that leads victims to input their personal or financial details in the belief that this is part of a genuine transaction. Sham sales websites are a similar way of harvesting information from the unwary consumer as they purport to offer items for sale, often ‘must have’ items at a very competitive price, in order to obtain personal and bank details of the victim. Fraudsters are hi-tech and run card cloning scams Identity theft often takes place by cloning a credit card rather than stealing or intercepting one. This is most often done by fraudsters installing a false front to cash point machines that contains some clever kit that can clone all the relevant card details necessary to then go and use that card as if it were the original. Their typical cashpoint cloning kit consists of: • A scanner which reads the magnetic strip on the reverse of the card to capture the card data. This equates to the 16 digit card number, the card start and expiration dates, the cardholder’s name and the three digit CVV code on the rear of the card. • A small digital camera which is configured to capture the card owner entering the PIN number as an mpeg file • And a memory stick which records all this information for fraudsters to recover and use at their leisure Of course, this method of capture means that fraudsters have to return to the cashpoint to recover their data to complete the identity theft. As a result they are often caught red-handed thanks to the good work undertaken by the economic crime departments of local police forces, in particular the City of London Police and the Metropolitan Police Forces. Specialist organisations such as the Dedicated Card & Plastic Crime Unit (www.dcpcu.org.uk) sponsored by the UK banking industry are also at the heart of fighting this hi-tech means of Identity Theft. Worryingly, the latest trick that the fraudsters employ is to add the latest generation mobile phones to their box of tricks. The result? The cloned card data is packaged up and messaged to the fraudster’s HQ leaving less opportunity for law enforcement to run intervention operations. Page 10 | Understanding the fraudster’s modus operandi One of the most effective methods used by the fraudster to obtain personal information from victims is by conversation. This may be in person, by telephone or even online. Fraudsters are often adept at creating an appropriate persona to induce disclosure whether this is impersonating a bank employee to obtain account details or creating an aura of easy intimacy in an internet chat room and eliciting personal details from the victim. Fraudsters work with counterfeiters “Once I’ve got someone’s details, I want some sort of photo ID to support it. A driving licence is great. I used to take a driving test to get one but it takes too long to do and I used to fail sometimes too which was a real nuisance so now I used one of these websites where you upload a photo and they make it into a driving licence for £25 … I’ve compared it with mine and I can’t see the difference.” John, Fraudster #D8, convicted “We’ve got all the gadgets and can do most documents to a passable standard.” Brian, Fraudster #B16, unconvicted Technological advances make the replication of genuine documents a relatively straightforward matter. The quality of these varies but many would stand up to close scrutiny although not, of course, referencing with official records. For example, a counterfeit driving licence could be used to authenticate identity and address for the purposes of store credit but would not be supported by details on the DVLA computer if it were produced to the police following a traffic offence. However, whilst the DVLA database would be a great verification tool, it’s not available to fraud prevention Screen showing numerous fake identity professionals as a verification resource. documents that are available online. Sites such as the one in the example shown are commonplace on the internet where counterfeiters serve ID thieves as a preparatory stage to fraud or other crime. Again, we’ve chosen not to publicise the precise URL of this site, but if you want to find out more about this site and others, please contact us. An Experian white paper | Page 11 Fraudsters work the circle of identity theft “So I get bank info from purchasers and sort out duplicate cards, either me or the wife goes out and uses the cards to buy anything we want or that we’ve got orders for and then we just buy stuff that sells well on [auction websites]. You learn what goes well by trial and error. My missus does the selling. Then she’ll tell the buyer that she needs payment by cheque because of bank problems and offer them a discount for the inconvenience of not using PayPal. The cheque comes and gives us bank details and the name and address of the buyer so its easy to use that to get duplicate cards and so it starts again… It was a bit of a sideline at first but its so lucrative that we do it full-time now.” Peter, Fraudster #B2, unconvicted It is often the case that goods are actually supplied to avoid drawing attention to the transaction. Some fraudsters sell items on genuine auction websites in a cyclic enterprise to dispose of property obtained by fraud and to obtain identity information of fresh victims in a single transaction. Fraudsters play the substitute card “We’ve got it down to a fine art over the years. Stolen cards get picked up by banks looking for unusual account activity or by people checking their statements online which they can do now so its far more risky than it used to be so we get fresh cards that the account holder doesn’t know about … How? Well, like I say, I don’t want to give all our secrets away … [the] best way is to apply for an additional card for a husband or boyfriend or whatever … Yeah, you’ve got to sort the change of address first but its no problem if you know what you’re doing.” Ian, Fraudster #E17, unconvicted Page 12 | Understanding the fraudster’s modus operandi Many fraudsters shy away from the actual theft of cards and they prefer to obtain cards themselves but without stealing them. One means of achieving this is known as account takeover. Here, the fraudster obtains sufficient information about the victim to impersonate them in dealings with the bank, either personal, by telephone or in written form. The fraudster changes the address associated with the account so that all mail is delivered to an address of his choosing and then obtains a fresh card on the account; this may be done by reporting the existing card lost or stolen or simply by requesting an additional card on the account as if for a partner. Once the card arrives, the fraudster is able to use it without fear of detection as its loss is not detected by the victim, nor can transactions be noted on a statement as these are delivered to the fraudster (although there is some prospect of detection if the victim uses internet banking). A further advantage of this strategy for the fraudster is that any PIN number associated with the card will also be delivered to him thus giving him all that he needs to make purchases on the substitute card. Perpetration In this section we examine how the fraudster commits the act of CNP fraud once they have committed the initial identity theft. What have we learnt as an industry that we can share to make for a more effective defence against the fraudster? Fraudsters select their targets carefully by looking for the point of least defence Once fraudsters have obtained identities that they can use to perpetrate fraud, they need to be confident that their false identities will beat the merchant or the financial institution that they are trying to defraud. As such, it pays for fraudsters to know what defences the merchants and financial institutions have (or haven’t) got in place, and fraudsters Screens showing members exchanging information in an illegal card sharing forum. happily share this information with each other, partly for bragging rights, and partly to become a vouched-for member of the fraud community. Of course, recognised members of the carding scene are more likely to be trusted as a vendor or a buyer of stolen identities with which to perpetrate further fraud. The fraudster strikes late at night In a recent industry survey, the UK’s leading ecommerce operators revealed that their peak fraud period was 9pm to 12 midnight. In fact 28 percent of the companies surveyed cited this period in which most fraudulent orders were put through their site. Worryingly, one Fraud Manager survey respondent revealed that fraudsters had recently begun to cram their orders into the period of 4pm to 6pm Friday. This is when he and his team had the occasional practice of finishing work early on Friday to go to the pub! Needless to say, their local barman stopped enjoying their company on Friday afternoons before long. An Experian white paper | Page 13 Screen showing a member of an illegal card sharing forum requesting assistance to test card details. Fraudsters are aware that it’s a numbers game “You don’t always get lucky first, second or third time. As long as there’s a good supply of card details and rubbish websites, sooner or later you’re going to get a result. That makes the waiting more than worth it.” Gavin, Fraudster #B17, convicted With thousands of sites to defraud and thousands of institutions offering credit, it’s no great loss to fraudsters when they do get beaten by the fraudster defences that companies put in place. Fraudsters simply move onto the next site in the list. All they’ve lost is a little bit of time and the sad truth of the matter is that they are highly unlikely to be prosecuted for fraud. Industry estimates from Fraud Managers at internet retail operations suggest that around 70 percent of retailers don’t report fraud to the police. If some of the identities that fraudsters use are compromised or are recognised as being fraudulent by more prudent online merchants who subscribe to fraud alert systems, then they just open their next identity with the name, address and credit card number that they have all ready to go. Fraudsters test the water before they go in for the kill “I carded $800 per order, but I try a first order of $100 or $150” Gavin, Fraudster #B17, convicted Before fraudsters place an order for a laptop, or for the latest designer couture, they want to be sure that their order isn’t going to be detected as fraud. Since the growth of CNP fraud following the introduction of Chip and Pin, companies have been forced to improve their fraud defences. Tools such as identity checking, shared fraud alert databases and IP address validation are now commonly implemented in retail ecommerce websites. As a result, fraudsters have recently begun to use charity or porn websites to test the water before they go for it and place the fraudulent order for the goods or services that they really want to obtain. Page 14 | Understanding the fraudster’s modus operandi Fraudsters call the call centre with claims of “Oops I pressed the order button twice” Retailers need to watch out for this trick from the fraudster’s playbook. Typically fraudsters will deliberately press the submit button twice in the web transaction process. They then ring into the call centre with a plea not to charge their card twice. With this air of legitimacy inferred by their wish not to be overcharged for their mistake, their next request is to change the delivery address and call centre staff unwittingly comply believing that they must be on the phone to the real customer. Fraudsters fly under the radar Fraudsters tend to go for the mid-range fraud that doesn’t arouse suspicion or merit careful scrutiny by the company’s fraud team or by the card owner’s card scheme or bank. Evidence from fraud managers suggests that around 43 percent of attempted fraudulent transactions were in the £250 to £500 range and that 29 percent were in the £500+ range. This supports the view that fraudsters work a stolen credit card across a range of ecommerce operators and retailers to elicit maximum value from the card. Of course, this throws an interesting light on the view that law enforcement should only intervene in large scale frauds. It’s a fair conclusion that investigating a £500 fraud against an ecommerce operator selling laptops would be highly likely to also lead to similar sized frauds against a range of other mail order, travel, or audio and TV retailers. Fraudsters are virtually in your office It’s not just consumers that need to guard against fraudsters gaining access to their wireless network. Fraudsters have in the past been able to steal a retailer’s database by driving into the car park of one of the stores and connecting to that store’s wireless network. The identity thieves then simply browsed that store’s servers and downloaded their customer database, complete with credit card numbers. Similarly fraudsters with access to a retailer’s wireless network have been known to place orders within the order processing system, change the delivery address and approve the order. All whilst sitting in the car park of a store whose wireless network was poorly protected. An Experian white paper | Page 15 Fraudsters hit the window of opportunity “I hit the shops fast and hard. There’s a window of opportunity to really hammer the card but it isn’t big and the longer I use it the greater the risk there is that the card’ll come on top.” Gavin, Fraudster #B17, convicted “I only ever take cards that won’t be noticed missing for a while so there’s usually at least a couple of days of life in it.” Ian, Fraudster #E17, unconvicted Stolen or cloned credit cards will only last until the unlucky owner reports them as lost or reports transactions against their account as not being their own. At this point the fraudster simply moves onto the next identity/set of card details that he has in his armoury. Fraudsters take the card into a physical fraud environment “I do the sort of shopping that I’d do if it was my own money. Clothes and stuff, you know? And some short supermarket visits too so that I can get cash-back. I’ll do, say, four supermarkets for about £25’s worth of stuff that I can grab quickly and then get max cash-back at each … It’s the best way to get cash out of the card.” Gavin, Fraudster #B17, convicted Fraudsters will maximise the value of each set of card details, particularly if they have the card in their possession. Of course, there is a higher level of risk in perpetrating face-to-face fraud with a stolen or a cloned card and it’s likely that this is more the MO of casual fraudsters rather than focused CNP fraud rings. Page 16 | Understanding the fraudster’s modus operandi “You’ve got to have balls to do it but you take your stolen card, stand there in the shop with your flat screen TV and let them offer you store credit. They get a cut on it so they always will. A quick form with questions where you know the answers because you’ve done your homework and you’ve got your TV and poor blokey’s got the bill.” David, Fraudster #A7, unconvicted Sometimes, fraudsters who are maximising the value of each card will only use the possession of a physical card as an entry point to be offered further credit when in-store. Keen salespeople, who often automatically earn higher commission on goods sold on credit, will often try to persuade a customer about to spend on their credit card to take advantage of the store’s own credit facility. Fraudsters play the long game Some fraudsters expend a great deal of effort in establishing an effective strategy for maximising the financial return from their fraudulent activities. This may involve a series of fraudulent transactions that are all directed towards the longterm objective of draining the victim’s creditworthiness, even though this very creditworthiness may have been established by the fraudster in the first place. For example, highly organised fraudsters own or rent a series of properties that can be used as residences for the victim in whose name bank accounts are opened, using a range of supporting documentation. There then follows a period of seemingly exemplary account activity that involves regular income and the regular repayment of small loans and credit card bills designed to build up the victim’s credit with a view to making an application for a large loan which, once obtained, will be withdrawn and no repayments made. In the period after the loan has been obtained but before the lack of repayment is noted by the lender, the fraudster will take out as much other credit in the victim’s name as possible in order to maximise the gain. An Experian white paper | Page 17 Delivery How do fraudsters take delivery of the goods, services or money that they have fraudulently obtained? In this section, we look at how the fraudster operates once they have stolen the identity and placed an order with someone else’s credit card. How do they get the goods? Where do they have them delivered? Fraudsters pretend to be the friendly neighbour “I park my car outside the house next door and either tinker with the engine or give it a wash. When the van turns up and the courier knocks at the door, I shout over ‘they’re out mate’ and tell him that they work all day then I offer to take the parcel. It’s never failed yet. It means quite a bit of waiting round sometimes plus you have to move about it bit so that couriers don’t recognise you but that’s a small price to pay.” Jonathan, Fraudster #C5, unconvicted Fraudsters use a range of methods to secure delivery of fraudulently obtained goods at an address that cannot be traced to them. For example, homes with external mail boxes may be used as a delivery address for credit cards or smaller items. Any address that is habitually empty during working hours may be used as a delivery address, as fraudsters wait nearby pretending to be a neighbour to offer assistance to a courier whose primary interest is to find someone to take delivery of the parcel to save taking it back to the depot. Fraudsters use empty houses “All you need is an address where you’re going to be left to your own devices and you’re laughing.” Fraudster #C16, unconvicted Empty houses offer a potential delivery address to the fraudster. This may involve gaining access to the house, either by breaking in, by posing as a purchaser to an estate agent or by collaboration with an estate agent. Alternative measures include adding an external mail box to an empty property or leaving a sign on the door advising that all deliveries should be left behind a wall or in the shed (as appropriate). Some fraudsters trawl the obituary column of local newspapers in search of properties that are left vacant as a result of the demise of the sole occupant with a view to assuming both the identity of the deceased and using their house for the delivery of goods. Page 18 | Understanding the fraudster’s modus operandi Fraudsters have multiple addresses Some fraudsters rent several properties simultaneously to deal with the scale of their operation with many paying for the full rental period in advance on the basis that the owner or letting agent may be less concerned about what is happening at the property provided that they know that they will be paid. Fraudsters use and abuse their own address and then move on “I’m as sure that I can be that whoever moved into the flat after me was responsible for the debt. All the companies that I’ve talked to say that my old address was where the stuff got delivered so it must’ve been whoever moved in but the police said that this wasn’t enough proof and didn’t do anything so they got away with it.” Jane, Victim #C12 “I never stayed more than six months. Long enough to use and abuse the address and the credit of whoever lived there before me.” John, Fraudster #D8, convicted Many fraudsters use rented accommodation as a delivery address. Some favour renting a room in a shared property to minimise the cost involved whilst others rent flats or houses for periods of six months; just enough time to build and destroy a credit rating. Fraudsters using this approach tend to move every six months and then commit fraud in the name of the previous tenant in each new property. Fraudsters set themselves up for business For ambitious large-scale fraudsters, the purchase of property is part and parcel of the fraudulent enterprise. Properties may be purchased in the fraudster’s own name and put back on the market immediately, being used for delivery purposes in the interim period. One fraudster who deploys this method explained that he purchases houses and rents them out for a six month period during which the tenants are advised that mail and parcels might arrive for the ‘previous occupants’ which they are asked to pass to the owner of the property for redirection. The house is then used for fraudulent purposes whilst generating income from the rental and, ultimately, appreciating in value ready to be sold on once it has become associated with fraud. Other fraudsters use fraudulently obtained mortgages to purchase property which they then convert into multiple occupancy accommodation, giving each room a separate number and registering these as flats for the purposes of council tax. Each room can then be used as a separate address for the purposes of fraudulent transactions. The fraudster may either pay the mortgage or default, safe in the knowledge that the time taken to effect repossession proceedings provides an ample opportunity to benefit from the property. An Experian white paper | Page 19 Distribution How do fraudsters profit from goods that they obtain through fraud? In this section, we look at how the fraudster operates once they have stolen the identity and placed an order with someone else’s credit card. How do they get the goods? Where do they have them delivered? Fraudsters sell on the web “I buy stuff online and flog it online on [auction websites] so it isn’t traceable back to me. When people pay, I’ve got a head start on their details so I usually don’t have a problem in getting enough info to get a card in their name. I do that online too so there’s no comeback.” Ian, Fraudster #E17, unconvicted “My missus does the selling. She’s got four or five [auction website] accounts and lists stuff as if it’s a private sale – not a commercial seller, people don’t like that as much – and that way she can bid the prices up from her other accounts so we get the best price.” Peter, Fraudster #B2, unconvicted “[Online auction sites] are the way forward. Before, I was selling stuff in pubs and that’s well risky in case someone reports it and you never know who’s watching.” Jason, Fraudster #B17, convicted “[Online auction sites] mean that the whole world is my customer”. Ian, Fraudster #E17, unconvicted Page 20 | Understanding the fraudster’s modus operandi Many fraudsters make use of online auction websites to distribute property to unwary purchasers whilst others establish web-based businesses to facilitate distribution. The relative anonymity offered by the internet is seen as a major advantage when it comes to disposing of goods. Online distribution has to a great extent taken over from the traditional means used by fraudsters in the past: markets, car boot sales, advertisements in local newspapers and second-hand shops have dwindled in popularity as a means of disposing of goods obtained by fraud. Fraudsters fraud to fund their material needs “We live off it. Me and the missus. We do all of it ourselves and nobody else knows or is involved so there’s no risk. We live like kings really but cash can be short because we don’t sell the stuff on. It’s too risky.” Ken, Fraudster #E16, unconvicted For many small-scale fraudsters, there is no need for distribution as the goods are purchased for personal use and benefit. This tends to be the case in relation to individuals acting alone or with a few others. For example, one couple adopted their fraudulent activities involving the acquisition and use of stolen credit cards in order to generate income as a family. They purchase clothing, food and household items for personal use only. They travel a great deal to avoid being recognised and report that their friends and family think that they both work in sales. Fraudsters fraud to order “People tell me what they want and I get it kiting the card. I charge between half and a third of the cost price.” Mary, Fraudster #D1, unconvicted “So I usually buy anything that I need or stuff that people have ordered but then I just get stuff to sell on. I’ve got a couple of different people that I use for that and I usually check with them to see if there’s anything in particular that they want” Simon, Fraudster #D17, unconvicted An Experian white paper | Page 21 This also tends to apply to smaller scale fraudulent enterprises. In addition to the purchase of goods for personal benefit, the fraudsters ‘buy to order’ for friends, customarily charging between half and one-third of the retail value of goods. In this way, the fraudster transfers the goods into cash. This appears to be a relatively high-risk means of distribution as several fraudsters adopting this strategy reported that disclosure by ‘customers’ often led to detection. Fraudsters put their feet up and get their fence to finish the job “The woman where I get the cards sells stuff on for me too but she takes a pretty big cut so I tend to use the others if I can.” Ben, Fraudster #C16, unconvicted Despite the obvious possibilities offered by the online retail environment, many fraudsters still prefer to use a fence to distribute property, often citing the convenience of a speedy cash sale to a trusted source as the primary attraction of this approach. This is a particularly popular approach with fraudsters working within a cooperative network. Page 22 | Understanding the fraudster’s modus operandi Conclusions about the fraudster’s modus operandi Here’s our conclusion on what we do know about the fraudster... Whilst this is only a partial insight into the fraudster’s modus operandi we hope that it helps you understand how fraudsters operate. Here is our summary of the tools and the tricks of the trade commonly used by the fraudster. The fraudster is opportunistic If we leave the window open they will come through it. Lock down your business and make your defence against the fraudster. The fraudster is well equipped They have credit cards, CVV codes, full identities and the tools to back-up these identities. There are a number of ways to mitigate against fraudsters that have obtained genuine customer details, these include the use of trusted data sources to identify intelligent questions that only the legitimate owner of the identity will know. As we have seen throughout this report, the fraudster is well prepared and is likely to know the common security questions that are used, therefore variation of questions can help identify potential fraud. The fraudsters can be based in the road outside or on another continent Businesses that have products and services available online should be using an IP address validation tool to work out whether customers are where they say they are. The ease at which credit card information can be distributed means that the threat of being hit by the online fraudster is truly global. Simple checks such as geographical distance between billing and shipping addresses, geographical distance between IP address web connection and billing addresses, or the geographical relation of the card’s country of origin to the delivery address and IP address can quickly and easily identify suspect activity. The fraudster evolves and learns their way around the defences that organisations put in their way Employ a series of identity technologies, much like a set of hurdles to trip up the fraudsters. Use as many or as few hurdles depending on the value or the risk in the transaction. Tools that automate monitoring for suspicious behaviour can also help quickly identify patterns of behaviour, ensuring that you can limit any potential exposure to the fraudster. The fraudsters share information as they ply their trade Join a fraud forum and learn from your fellow fraud prevention professionals. Share fraud alert data so that fraudsters cannot use the same email, credit card, address and IP addresses to commit fraud at multiple retailers. The more information that is shared the more powerful your defences against the fraudster are. An Experian white paper | Page 23 Law enforcement What are law enforcement agencies doing to prevent fraud on a global scale? In this section, we look at how law enforcement agencies from around the world are working to combat fraud. In April 2012 a worldwide operation involving police and intelligence agencies from seven different countries resulted in the closure of 36 website domains. These websites had been identified as specialising in selling stolen debit and credit card information, as well as identity information and online bank account details. The websites used e-commerce type platforms known as Automated Vending Carts (AVCs) allowing criminals to sell large quantities of stolen data quickly and easily. Visitors trying to access these sites are now directed to a screen indicating that the web domain has been impounded by law enforcement. The joint operation involved security services including the Australian Federal Police, the BKA in Germany, the Korps Landelijke Politiediensten (KLPD) in the Netherlands, the Macedonian Ministry of Interior Cyber Crime Unit, the Ukraine Ministry of Internal Affairs, the Romanian National Police, the UK’s Serious Organised Crime Agency (SOCA) and the United States’ Federal Bureau of Investigation (FBI). Security services have been tracking the development of AVCs and monitoring their use by cyber criminals, who support payment card and online banking fraud on a global scale. Working together these agencies have recovered over 2.5 million items of compromised personal and financial information over the past two years. Ongoing threat of fraud Whilst law enforcement agencies are working hard to dismantle these high-tech illegal operations, the scale of problems they face is alarming. Closing down websites that offer illegal information can be a long process that involves chasing huge paper trails and digital footprints that often lead nowhere. As many copyright owners have found in the past, particularly from the entertainment industries, domain names and server technology has advanced to the point by which it can be almost impossible to tell which servers are supporting a site and where they are physically located. Technology The recent advances in technology have allowed both individual fraudsters and organised criminal gangs to sell and obtain huge volumes of personal data. Usually the vast majority of the data that has been harvested has done so without the knowledge of customers, which means that both businesses and consumers need to be vigilant, monitor transactions and guard against unauthorised access. Yet with the rapid rise of smartphones, consumers in particular, are often exposing themselves to unsecure communication channels and giving application manufacturers access to data. This is obviously a situation that fraudsters will look to take advantage of and as mobile security takes time to catch up with other computer technologies it represents a vast window of opportunity for fraud. Page 24 | Understanding the fraudster’s modus operandi Jurisdiction Added to the issues of fraudsters hiding behind technology is the challenge of jurisdiction, with many legal systems still struggling to adapt their existing legislation to combat the challenges of frauds that are orchestrated on a global scale. Conflicting legislation exists which means that for some systems the crime is committed in the country where the fraud takes places, others where the card holder or card issuer are based, all of which leads to inter-agency negotiations which takes time and resources to resolve. Distribution The huge volumes of financial and identity data that are available to fraudsters can also be used in a wide range of ways to generate funds. As we have seen throughout this paper, auction sites, fences, buy to order schemes and other routes all offer potential sources for fraudsters to turn transactions into cash. Given the scale of commerce just for auction sites the challenges law enforcement face in determining the fraudulent activity against the genuine transactions is vast. Geography The diverse geographies involved and the relative anonymity of the internet mean that the market for personal data and financial information is strong and therefore the threat to both consumers and businesses that do not take sufficient steps to combat fraudulent activity is great. As technology has brought about a global marketplace where a single card can be used almost anywhere, the challenge for law enforcement is mammoth. For example, a stolen card could be used in one location whilst the details of that card are simultaneously used on the other side of the world to purchase goods online. An Experian white paper | Page 25 Evolution of the industry As fraud continues to rise, it is clear that businesses which take effective steps to tackle it are also directly taking steps to safeguard their cash flow and protect their profitability. At the same time protecting customers from the threat of fraud will not only ensure regulatory compliance, but will also help underpin your reputation. While the fraudster is continuing to indiscriminately use traditional routes to attack financial institutions and organisations, the fraudster also continues to be fast, flexible, inventive and willing to quickly adapt to new technology and opportunities. Threats are also continuing to evolve and develop in line with the proliferation of mobile channels, interfaces and platforms that consumers can choose to use. As technology advances we are racing towards a tipping point en-route to full mobile interaction and transaction, which will see traditional payment habits change forever. It’s a trend that will affect every sector of society – from personal banking, to retail, telecoms, insurance, to the way we directly interact with government departments. It is clear that hand-held devices will become more and more important to transactions in the future. Their success also hinges on ensuring fast and secure access to personal data, which is the key to keeping customers safe and engaged. The penetration, relative ease and convenience of mobiles and other hand-held devices means they will soon play a fundamental role as our new virtual identity cards, available for use at anytime, anywhere and by default creating a virtual wallet that replaces consumers’ current stack of plastic credits, debit, loyalty and membership cards. During most transactions we’re actually only obliged to prove that we’re entitled to complete it – rather than disclosing the complete picture of who we are. As a result, our identity will instead be encapsulated within our mobile wallets and hand-helds, proving our authority at any point of purchase that we are entitled to complete transactions. But as the volume of transactions completed via virtual wallets rises, safeguarding our identity, personal privacy and data will become more critical than ever in validating payments and tackling fraud. As a result, they will become our personal firewalls. Fortunately advances in real-time data-sharing technology mean virtual identities can be protected without disclosing critical and sensitive information every time an electronic transaction takes place. Mobile platforms and hand-held devices offer huge opportunities given their enormous convenience, constant evolution and exponential development that has continually improved every stage of the consumer’s journey – from acquisition, with quick and easy sign-up procedures, to secure validation, maintenance of regulatory compliance and reduced exposure to fraud for both users and businesses. Page 26 | Understanding the fraudster’s modus operandi Fraud consultancy services Experian Decision Analytics has a deep understanding of the dynamics of fraud prevention and has developed a proven methodology for controlling risk by reducing our clients exposure to fraud. Our history of partnering with some of the world’s largest institutions, in a variety of industries, enables us to leverage global best practices to solve a diverse range of business challenges. Our team of consultants engage closely with clients to advise on a range of fraud prevention and identity verification issues. These can cover aspects such as organisational and process design, investigations training, fraud typologies, and effective fraud management strategies, as well as assessing different analytical techniques. Through gaining a detailed understanding of our clients’ business challenges, processes, data and systems architecture we work in partnership to ensure that we recognise the latest industry trends. This understanding enables us to optimise our products and services so that our clients can overcome new obstacles and protect themselves against emerging threats, such as organised fraud rings. For more information about our fraud consultancy services contact us. About Experian’s Decision Analytics Experian Decision Analytics enables our clients to make analytics-based customer decisions that support their strategic goals, so they can achieve and sustain significant growth and profitability. Through our unique combination of consumer and business information, analytics, decisions, and execution, we help clients to maximise and actively manage customer value. Meaningful information is key to effective decision-making, and Experian is expert in connecting, managing, interpreting and applying data, transforming it into information and analytics to address real-world challenges. We collaborate closely with clients to identify what matters most about their business and customers, then create and implement analytics-based decisions to manage their strategies over time. In today’s fast-paced environment where developing, implementing, and sustaining an effective strategy is imperative, Experian Decision Analytics helps organisations unlock a wealth of benefits immediately—and set the stage for long-term success. Increased revenue: Our products and services enable clients to increase revenue by providing the insight and agility they need to find and engage the right customers, target products more effectively, and grow market share. Controlled risk: A broad range of risk-management products and services help our clients to verify identity and manage and detect fraud, optimise collection and recovery, and balance risk and reward. Operational efficiency: Experian Decision Analytics helps our clients to quickly integrate various information and processes to enhance operational efficiency and boost agility. Our flexible, collaborative approach helps organisations increase speed to market, enhance business agility and improve the quality of customers’ experiences. Compliance as differentiation: Proven expertise lets clients use compliance as source of competitive advantage. Experian Decision Analytics helps ensure compliance with essential regulations, while helping organisations better understand customers. An Experian white paper | Page 27 www.experian.com © Experian 07/2012. The word ‘EXPERIAN’ and the graphical device are trade marks of Experian and/or its associated companies and may be registered in the EU, USA and other countries. The graphical device is a registered Community design in the EU. All rights reserved.