Understanding the fraudster`s modus operandi

Transcription

Understanding the fraudster`s modus operandi
Understanding the
fraudster’s modus
operandi
An Experian white paper
Table of contents
Executive Summary.....................................................................................................................................2
Four stages of understanding the fraudster’s modus operandi...........................................................3
Identity theft and manipulation.................................................................................................................4
Perpetration.................................................................................................................................................13
Delivery.........................................................................................................................................................18
Distribution..................................................................................................................................................20
Conclusions about the fraudster’s modus operandi............................................................................23
Law enforcement........................................................................................................................................24
Evolution of the industry............................................................................................................................26
About Experian’s Decision Analytics......................................................................................................27
An Experian white paper | Page 1
Executive Summary
Understanding the behaviour of fraudsters is essential in order for us to enable
our clients to manage and optimise risk prevention and to detect and reduce fraud
throughout the customer life cycle.
Through interviews with both convicted and unconvicted fraudsters we’ve built firsthand insight into ‘Understanding the fraudster’s modus operandi’.
This research has been conducted through face-to-face and telephone interviews
with both convicted and unconvicted fraudsters and fraud industry stakeholders,
such as law enforcement officials, ecommerce professionals and fraud managers.
The research was carried out over a four year period involving over one hundred
participants.
The perpetrator research was conducted within the framework of the ethical
guidelines of the British Society of Criminology. Care was taken to ensure that
the data generated was anonymised to protect the confidentiality and integrity of
research participants or the company for which they are employed. All fraudster
names are therefore fictitious.
Fraudsters were identified and contacted via a ‘snowballing method’ with research
participants encouraged to contact other potential subjects from within their
fraud networks. As a result, findings were based on a non-random sample of
convenience. Therefore they give a snapshot of fraudulent behaviour - but without
any geographical context or regional variances in trends.
The research behind this document has been distilled into four stages which break
down the fraudster’s modus operandi (MO). This is partly as a result of the wealth
of insight that fraudsters were happy to divulge about how they initially stole the
victim’s identity. Also as identity theft is often only the first stage in the fraud life
cycle there is the prospect for more of the fraudster’s behaviour to be understood
and acted on, thus providing further opportunities to detect fraudsters as they ply
their trade.
The four stages of the fraud life cycle we focus on in this document are categorised
as identity theft, perpetration, delivery and distribution.
Page 2 | Understanding the fraudster’s modus operandi
Four stages of understanding the fraudster’s modus operandi
The four stages of this white paper and the resulting insight into understanding the
fraudster’s modus operandi can be recognised as follows:
1, Identity theft and manipulation
How do fraudsters get hold of identities with which they commit fraud?
• Who aids fraudsters in obtaining identity information?
• Where can credit card numbers and Card Verification Value (CVV) codes be
acquired?
• How do fraudsters consolidate stolen identities?
• How is circular identity theft achieved?
2, Perpetration
Once the fraudster has stolen the requisite identity information, how do they commit
fraud?
• What types of fraud are perpetrated?
• Do fraudsters target particular kinds of companies?
• How can you tell the fraudster from the real customer?
3, Delivery
How do fraudsters take delivery of the goods, services or money that they have
fraudulently obtained?
• Where are the goods sent to?
• Do fraudsters have accomplices or colleagues in the delivery process?
4, Distribution
How do fraudsters profit from goods that they obtain through fraud?
• What happens to the spoils of fraud?
• Are goods obtained by deception still sold in the back of pubs?
• Has technology opened up new markets to the fraudsters?
There are inevitably aspects to the fraudster’s MO that we have not covered in
this research exercise. Instead we have only included content where we have a
direct insight into how and when the fraud was perpetrated and who was involved.
This way we can ensure an undiluted first hand account of the fraudster’s modus
operandi.
An Experian white paper | Page 3
Identity theft and manipulation
In this section we examine how the fraudster obtains the personal characteristics
needed to perpetrate fraud. Namely how does the identity theft take place so the
fraudster can then use that stolen identity in a fraudulent transaction?
We’re not going to focus on some of the more publicised methods of identity theft
such as bin-diving. Instead let’s look at some of the less well known aspects of how
fraudsters go about their daily business.
Fraudsters go to a fraud shop!
It will come as no surprise that if Fraud Managers have their own online fraud
forum to share information and fraud alerts and to work together to beat the
fraudster, then fraudsters have their own forums too. Multiple fraudster chat rooms
exist on the web, of which this screen grab from a common “carding” site is just
one. We have chosen not to reveal the site’s URL as we feel that this would only
serve as a signpost for trainee and aspiring fraudsters
A quick visit to these kinds of sites
reveals the language and the habits
and practices that go on in “the carding
scene”. In essence, fraudsters log in
and buy sets of card numbers, names,
addresses and other information which
any web-literate person can then
purchase and start running CNP (Card
Not Present) frauds. Lists of stolen
identities are transferred via hard to
track and detect web data transfer
tools such as IRC (Internet Relay Chat)
and ICQ, an acronym for “I Seek You”.
So when fraudsters sell these
databases of names and credit card
numbers online, where are they
coming from?
The answers to this question could
form a whole separate report. There
have been plenty of high profile
examples of organisations losing
data which leaves their customer
Screen showing a post from an illegal forum
details exposed, many of these cases
specialising in sharing stolen card details.
have been attributed to human error
or in some instances poor security
processes. In reality though, the majority of the identity data that is available online
is provided by hackers that have illegally gained access to databases, usually from
attacks on the servers of poorly defended companies, and then sold on to the fraud
market via sites such as this.
Page 4 | Understanding the fraudster’s modus operandi
“It makes burglary easier and more worthwhile ‘cos
before it was a gamble that people had anything worth
having, you had to get it out without looking suspicious
and then you had to find somewhere to flog it. Its easy
now cos everyone’s got cards and it fits in my pocket and
I get a good price for it.”
Julie, Fraudster #E19, convicted
“The going rate for a freshly stolen credit card was
about £250 with the price rising beyond £500 if it was
accompanied by a PIN number or if the victim was at
work for the day or, better still, on holiday ”
Ian, Fraudster #E17, unconvicted
Fraudsters have people on the inside
“They work in bars where the pay’s crap and they get
treated like crap by the boss and the customers so it’s
like Christmas for them when I come along and offer
them a way to make shed loads without any risk. “
George, Fraudster #B14, unconvicted
“The workers at our call centres are stopped every day
on their way out of work by the fraudsters bribing them
to buy customer identities from inbound calls. They just
brazenly hang around outside the office complex gates”
Security & Risk Manager at leading online computer
retailer
An Experian white paper | Page 5
The fraudster is direct in their approach to identity theft and is not afraid to
approach those working in jobs where there is easy access to customers’ personal
and/or financial details. These jobs are often poorly paid so the financial incentive
that the fraudster offers is generally very attractive and frequently overcomes any
concerns that the employee has about collusion with the fraudster. Fraudsters who
use this approach report a high level of cooperation and note that more employees
have qualms about getting into trouble with their employer than they do about the
legality or morality of their conduct.
Fraud begins at work!
“I decided to enter the world of work and got a job at
a call centre. In a grimy, freezing room, a few dozen
miserable people sat in front of computers with headsets
on, muttering into mouthpieces with their eyes stuck on
their screens. Every day dozens of people were using
their cards through me to pay. There had to be a way for
me to take this information and make use of the cards
myself.”
Elliot Castro, prolific fraudster & author of “Other
People’s Money”
“I have their address and credit card details from the
booking so all I need is the number from the back.
When they turn up, I say I’ve got to check their card
against the list in the office so I go and get the list and
look at it so the card isn’t ever away from them. I take
the form straight back into the office so that I can write
the number down before I forget it and they’re none the
wiser.”
Chris, Fraudster #E6, convicted
Page 6 | Understanding the fraudster’s modus operandi
Fraudsters play dead
“I might sound a bit cruel but I read the obits in the
local paper. If it says ‘sadly missed by her husband’ or
‘survived by his wife’ then its odds on that the house
won’t be empty. But if it is all children and grandkids,
you’ve got a good chance that they lived on their own
so you see if you can find the address to scoot round
and have a look… Lots of these oldies, they’ve got great
credit ratings because they’ve spent a lifetime saving
and paying their bills on the dot… Credit is easy to get
and you’ve got long-standing residency on the electoral
register too … The bonus is that you know that nobody is
going to have to foot the bill because grandma’s dead so
it’s not like anyone’s getting hurt.”
Douglas, Fraudster #C5
Fraudsters get up close: Mail interception
“So I pose as a small-time property developer and ask
for lists of executor sales. Some estate agents will let
you take keys and go and look yourself but most take
you round. If I’ve got the keys, I take a copy but if I’m just
looking round I can slip a window latch open sometimes
or just work out whether or not there’s an easy way
to break in – looking at whether the back garden is
accessible and not overlooked, that sort of thing. Once
I’m sure I can get in, I can get the applications in for
credit cards… [and] wait for them to come rolling in.”
Ben, Fraudster #C16, unconvicted
“Outside letter boxes are great too. You’d be surprised
how many people have them … You have to watch a bit
to see if they leave for work before postie arrives. All that
sitting around is a bit tedious but worth it when it pays
off.”
Catherine, Fraudster #D11, convicted
An Experian white paper | Page 7
Fraudsters have a variety of strategies for accessing post once it is delivered,
whether this is by targeting properties that have mail that is easier to access,
such as external letter boxes or flats with multiple mail boxes in a secure area, or
by gaining access to the house itself. More sophisticated fraudsters will have a
range of safe addresses to use and will arrange for particular items of mail to be
redirected, e.g. by advising the bank of a change of address and then ordering a
duplicate card.
“Provided you sound official, people will tell you
anything.”
Michael, Fraudster #E5, unconvicted
“A little bit of knowledge goes a long way. Knowing who
[the victim] works for or banks with is all that it takes.
You’d be surprised but ‘I’m calling from Lloyds, there’s
a problem with your account’ still works despite the
publicity telling people not to believe it. But the thing
is that banks, insurance companies, Sky all still do it
anyway. They phone up and ask customers to identify
themselves so there’s no point in telling people not to fall
for it until the companies stop doing it.”
Rob, Fraudster #E2, unconvicted
“Email’s the best way. Quick. Can’t be traced. Once it’s
mocked up to look like eBay or whatever, it can go out to
hundreds of people a day.”
Sam, Fraudster #A8, convicted
Page 8 | Understanding the fraudster’s modus operandi
“It isn’t hard to copy – look at the real Amazon and
copy it. If it looks like Amazon, people accept that it is
Amazon. They log in as a returning customer so we’ve
got their password too and plenty of people use the same
password for everything so that can be handy. Then they
get a screen that says they need to put their details in
again for security purposes, they press ‘click’ and that’s
their name, address, bank details and everything else that
we needed sent straight to us.”
Sam, Fraudster #A8, convicted
“I use dating chat rooms as people are keener to talk
about personal stuff. I never ask anything outright. After
a bit, I say ‘you know, I can’t believe how easy you are
to talk to – I bet you’re a Cancer’ and that always gets a
response, like, ‘oh no, I’m Pisces’. So then I say ‘oh wow,
6 what are you?
what a coincidence – so am I. I’m the 10th,
They give you the date of their birthday and you can work
out the month from the star sign. I’ve got all sorts of
things that I can do.”
Michael, Fraudster #E5, unconvicted
“[Chat rooms] give me a way to spot potential victims. It
takes a while to build up trust but that’s ok, its worth the
effort in the end. As time goes on, people give out more
and more stuff …I mean, to start with, I can be a man or
woman online. I use sex-free user-names like ‘Filmlover34’
so I can be whatever sex I need to be.“
Michael, Fraudster #E5, unconvicted
An Experian white paper | Page 9
In a widely publicised scam a group of fraudsters set up a bogus website claiming
to sell a variety of electrical goods at reasonable prices and which stated that it
had stock of the ‘must have’ Christmas gift: a Sony PSP. Over two thousand orders
were placed, all providing personal identity information and bank details. Once the
details were obtained, prospective purchasers were sent an email advising them
that their order could not be processed due to lack of stock. As no money was lost,
there seemed to be nothing amiss to alert the victims to the theft of their identity
details particularly as the fraudsters waited several months to undertake fraudulent
transactions in order to minimise the risk that the victims would make the link with
the website.
Site cloning involves the replication of the look and style of a genuine and trusted
website that leads victims to input their personal or financial details in the belief
that this is part of a genuine transaction. Sham sales websites are a similar way of
harvesting information from the unwary consumer as they purport to offer items for
sale, often ‘must have’ items at a very competitive price, in order to obtain personal
and bank details of the victim.
Fraudsters are hi-tech and run card cloning scams
Identity theft often takes place by cloning a credit card rather than stealing or
intercepting one. This is most often done by fraudsters installing a false front to
cash point machines that contains some clever kit that can clone all the relevant
card details necessary to then go and use that card as if it were the original.
Their typical cashpoint cloning kit consists of:
• A scanner which reads the magnetic strip on the reverse of the card to capture
the card data. This equates to the 16 digit card number, the card start and
expiration dates, the cardholder’s name and the three digit CVV code on the rear
of the card.
• A small digital camera which is configured to capture the card owner entering
the PIN number as an mpeg file
• And a memory stick which records all this information for fraudsters to recover
and use at their leisure
Of course, this method of capture means that fraudsters have to return to the
cashpoint to recover their data to complete the identity theft. As a result they are
often caught red-handed thanks to the good work undertaken by the economic
crime departments of local police forces, in particular the City of London Police
and the Metropolitan Police Forces. Specialist organisations such as the
Dedicated Card & Plastic Crime Unit (www.dcpcu.org.uk) sponsored by the UK
banking industry are also at the heart of fighting this hi-tech means of Identity
Theft.
Worryingly, the latest trick that the fraudsters employ is to add the latest
generation mobile phones to their box of tricks. The result? The cloned card data
is packaged up and messaged to the fraudster’s HQ leaving less opportunity for
law enforcement to run intervention operations.
Page 10 | Understanding the fraudster’s modus operandi
One of the most effective methods used by the fraudster to obtain personal
information from victims is by conversation. This may be in person, by telephone
or even online. Fraudsters are often adept at creating an appropriate persona
to induce disclosure whether this is impersonating a bank employee to obtain
account details or creating an aura of easy intimacy in an internet chat room and
eliciting personal details from the victim.
Fraudsters work with counterfeiters
“Once I’ve got someone’s details, I want some sort of
photo ID to support it. A driving licence is great. I used
to take a driving test to get one but it takes too long to
do and I used to fail sometimes too which was a real
nuisance so now I used one of these websites where you
upload a photo and they make it into a driving licence
for £25 … I’ve compared it with mine and I can’t see the
difference.”
John, Fraudster #D8, convicted
“We’ve got all the gadgets and can do most documents to
a passable standard.”
Brian, Fraudster #B16, unconvicted
Technological advances make the replication
of genuine documents a relatively
straightforward matter. The quality of
these varies but many would stand up to
close scrutiny although not, of course,
referencing with official records. For example,
a counterfeit driving licence could be used
to authenticate identity and address for the
purposes of store credit but would not be
supported by details on the DVLA computer
if it were produced to the police following
a traffic offence. However, whilst the DVLA
database would be a great verification
tool, it’s not available to fraud prevention
Screen showing numerous fake identity
professionals as a verification resource.
documents that are available online.
Sites such as the one in the example shown
are commonplace on the internet where
counterfeiters serve ID thieves as a preparatory stage to fraud or other crime.
Again, we’ve chosen not to publicise the precise URL of this site, but if you want to
find out more about this site and others, please contact us.
An Experian white paper | Page 11
Fraudsters work the circle of identity theft
“So I get bank info from purchasers and sort out
duplicate cards, either me or the wife goes out and uses
the cards to buy anything we want or that we’ve got
orders for and then we just buy stuff that sells well on
[auction websites]. You learn what goes well by trial and
error. My missus does the selling. Then she’ll tell the
buyer that she needs payment by cheque because of bank
problems and offer them a discount for the inconvenience
of not using PayPal. The cheque comes and gives us
bank details and the name and address of the buyer
so its easy to use that to get duplicate cards and so it
starts again… It was a bit of a sideline at first but its so
lucrative that we do it full-time now.”
Peter, Fraudster #B2, unconvicted
It is often the case that goods are actually supplied to avoid drawing attention
to the transaction. Some fraudsters sell items on genuine auction websites in a
cyclic enterprise to dispose of property obtained by fraud and to obtain identity
information of fresh victims in a single transaction.
Fraudsters play the substitute card
“We’ve got it down to a fine art over the years. Stolen
cards get picked up by banks looking for unusual
account activity or by people checking their statements
online which they can do now so its far more risky than
it used to be so we get fresh cards that the account
holder doesn’t know about … How? Well, like I say,
I don’t want to give all our secrets away … [the] best
way is to apply for an additional card for a husband or
boyfriend or whatever … Yeah, you’ve got to sort the
change of address first but its no problem if you know
what you’re doing.”
Ian, Fraudster #E17, unconvicted
Page 12 | Understanding the fraudster’s modus operandi
Many fraudsters shy away from the actual theft of cards and they prefer to obtain
cards themselves but without stealing them. One means of achieving this is known
as account takeover. Here, the fraudster obtains sufficient information about the
victim to impersonate them in dealings with the bank, either personal, by telephone
or in written form. The fraudster changes the address associated with the account
so that all mail is delivered to an address of his choosing and then obtains a fresh
card on the account; this may be done by reporting the existing card lost or stolen
or simply by requesting an additional card on the account as if for a partner.
Once the card arrives, the fraudster is able to use it without fear of detection as its
loss is not detected by the victim, nor can transactions be noted on a statement as
these are delivered to the fraudster (although there is some prospect of detection
if the victim uses internet banking). A further advantage of this strategy for the
fraudster is that any PIN number associated
with the card will also be delivered to him
thus giving him all that he needs to make
purchases on the substitute card.
Perpetration
In this section we examine how the fraudster
commits the act of CNP fraud once they
have committed the initial identity theft.
What have we learnt as an industry that
we can share to make for a more effective
defence against the fraudster?
Fraudsters select their targets carefully by
looking for the point of least defence
Once fraudsters have obtained identities that
they can use to perpetrate fraud, they need
to be confident that their false identities will
beat the merchant or the financial institution
that they are trying to defraud. As such, it
pays for fraudsters to know what defences
the merchants and financial institutions
have (or haven’t) got in place, and fraudsters
Screens showing members exchanging
information in an illegal card sharing forum.
happily share this information with each
other, partly for bragging rights, and partly
to become a vouched-for member of the fraud community. Of course, recognised
members of the carding scene are more likely to be trusted as a vendor or a buyer
of stolen identities with which to perpetrate further fraud.
The fraudster strikes late at night
In a recent industry survey, the UK’s leading ecommerce operators revealed that
their peak fraud period was 9pm to 12 midnight. In fact 28 percent of the companies
surveyed cited this period in which most fraudulent orders were put through their
site.
Worryingly, one Fraud Manager survey respondent revealed that fraudsters had
recently begun to cram their orders into the period of 4pm to 6pm Friday. This
is when he and his team had the occasional practice of finishing work early on
Friday to go to the pub! Needless to say, their local barman stopped enjoying their
company on Friday afternoons before long.
An Experian white paper | Page 13
Screen showing a member of an illegal card sharing
forum requesting assistance to test card details.
Fraudsters are aware that it’s a numbers game
“You don’t always get lucky first, second or third time. As
long as there’s a good supply of card details and rubbish
websites, sooner or later you’re going to get a result. That
makes the waiting more than worth it.”
Gavin, Fraudster #B17, convicted
With thousands of sites to defraud and thousands of institutions offering credit,
it’s no great loss to fraudsters when they do get beaten by the fraudster defences
that companies put in place. Fraudsters simply move onto the next site in the list.
All they’ve lost is a little bit of time and the sad truth of the matter is that they are
highly unlikely to be prosecuted for fraud. Industry estimates from Fraud Managers
at internet retail operations suggest that around 70 percent of retailers don’t report
fraud to the police. If some of the identities that fraudsters use are compromised
or are recognised as being fraudulent by more prudent online merchants who
subscribe to fraud alert systems, then they just open their next identity with the
name, address and credit card number that they have all ready to go.
Fraudsters test the water before they go in for the kill
“I carded $800 per order, but I try a first order of $100 or
$150”
Gavin, Fraudster #B17, convicted
Before fraudsters place an order for a laptop, or for the latest designer couture, they
want to be sure that their order isn’t going to be detected as fraud.
Since the growth of CNP fraud following the introduction of Chip and Pin,
companies have been forced to improve their fraud defences. Tools such as
identity checking, shared fraud alert databases and IP address validation are now
commonly implemented in retail ecommerce websites. As a result, fraudsters have
recently begun to use charity or porn websites to test the water before they go for
it and place the fraudulent order for the goods or services that they really want to
obtain.
Page 14 | Understanding the fraudster’s modus operandi
Fraudsters call the call centre with claims of “Oops I pressed the order button
twice”
Retailers need to watch out for this trick from the fraudster’s playbook. Typically
fraudsters will deliberately press the submit button twice in the web transaction
process. They then ring into the call centre with a plea not to charge their card
twice. With this air of legitimacy inferred by their wish not to be overcharged for
their mistake, their next request is to change the delivery address and call centre
staff unwittingly comply believing that they must be on the phone to the real
customer.
Fraudsters fly under the radar
Fraudsters tend to go for the mid-range fraud that doesn’t arouse suspicion or
merit careful scrutiny by the company’s fraud team or by the card owner’s card
scheme or bank. Evidence from fraud managers suggests that around 43 percent
of attempted fraudulent transactions were in the £250 to £500 range and that 29
percent were in the £500+ range.
This supports the view that fraudsters work a stolen credit card across a range
of ecommerce operators and retailers to elicit maximum value from the card. Of
course, this throws an interesting light on the view that law enforcement should
only intervene in large scale frauds.
It’s a fair conclusion that investigating a £500 fraud against an ecommerce operator
selling laptops would be highly likely to also lead to similar sized frauds against a
range of other mail order, travel, or audio and TV retailers.
Fraudsters are virtually in your office
It’s not just consumers that need to guard against fraudsters gaining access to
their wireless network. Fraudsters have in the past been able to steal a retailer’s
database by driving into the car park of one of the stores and connecting to that
store’s wireless network. The identity thieves then simply browsed that store’s
servers and downloaded their customer database, complete with credit card
numbers.
Similarly fraudsters with access to a retailer’s wireless network have been known
to place orders within the order processing system, change the delivery address
and approve the order. All whilst sitting in the car park of a store whose wireless
network was poorly protected.
An Experian white paper | Page 15
Fraudsters hit the window of opportunity
“I hit the shops fast and hard. There’s a window of
opportunity to really hammer the card but it isn’t big and
the longer I use it the greater the risk there is that the
card’ll come on top.”
Gavin, Fraudster #B17, convicted
“I only ever take cards that won’t be noticed missing for a
while so there’s usually at least a couple of days of life in
it.”
Ian, Fraudster #E17, unconvicted
Stolen or cloned credit cards will only last until the unlucky owner reports them
as lost or reports transactions against their account as not being their own. At this
point the fraudster simply moves onto the next identity/set of card details that he
has in his armoury.
Fraudsters take the card into a physical fraud environment
“I do the sort of shopping that I’d do if it was my own
money. Clothes and stuff, you know? And some short
supermarket visits too so that I can get
cash-back. I’ll do, say, four supermarkets for about £25’s
worth of stuff that I can grab quickly and then get max
cash-back at each … It’s the best way to get cash out of
the card.”
Gavin, Fraudster #B17, convicted
Fraudsters will maximise the value of each set of card details, particularly if they
have the card in their possession. Of course, there is a higher level of risk in
perpetrating face-to-face fraud with a stolen or a cloned card and it’s likely that this
is more the MO of casual fraudsters rather than focused CNP fraud rings.
Page 16 | Understanding the fraudster’s modus operandi
“You’ve got to have balls to do it but you take your stolen
card, stand there in the shop with your flat screen TV and
let them offer you store credit. They get a cut on it so they
always will. A quick form with questions where you know
the answers because you’ve done your homework and
you’ve got your TV and poor blokey’s got the bill.”
David, Fraudster #A7, unconvicted
Sometimes, fraudsters who are maximising the value of each card will only use the
possession of a physical card as an entry point to be offered further credit when
in-store. Keen salespeople, who often automatically earn higher commission on
goods sold on credit, will often try to persuade a customer about to spend on their
credit card to take advantage of the store’s own credit facility.
Fraudsters play the long game
Some fraudsters expend a great deal of effort in establishing an effective strategy
for maximising the financial return from their fraudulent activities. This may
involve a series of fraudulent transactions that are all directed towards the longterm objective of draining the victim’s creditworthiness, even though this very
creditworthiness may have been established by the fraudster in the first place.
For example, highly organised fraudsters own or rent a series of properties that
can be used as residences for the victim in whose name bank accounts are
opened, using a range of supporting documentation. There then follows a period of
seemingly exemplary account activity that involves regular income and the regular
repayment of small loans and credit card bills designed to build up the victim’s
credit with a view to making an application for a large loan which, once obtained,
will be withdrawn and no repayments made. In the period after the loan has been
obtained but before the lack of repayment is noted by the lender, the fraudster will
take out as much other credit in the victim’s name as possible in order to maximise
the gain.
An Experian white paper | Page 17
Delivery
How do fraudsters take delivery of the goods, services or money that they
have fraudulently obtained?
In this section, we look at how the fraudster operates once they have stolen the
identity and placed an order with someone else’s credit card. How do they get the
goods? Where do they have them delivered?
Fraudsters pretend to be the friendly neighbour
“I park my car outside the house next door and either
tinker with the engine or give it a wash. When the van
turns up and the courier knocks at the door, I shout over
‘they’re out mate’ and tell him that they work all day then
I offer to take the parcel. It’s never failed yet. It means
quite a bit of waiting round sometimes plus you have to
move about it bit so that couriers don’t recognise you but
that’s a small price to pay.”
Jonathan, Fraudster #C5, unconvicted
Fraudsters use a range of methods to secure delivery of fraudulently obtained
goods at an address that cannot be traced to them. For example, homes with
external mail boxes may be used as a delivery address for credit cards or smaller
items. Any address that is habitually empty during working hours may be used as
a delivery address, as fraudsters wait nearby pretending to be a neighbour to offer
assistance to a courier whose primary interest is to find someone to take delivery of
the parcel to save taking it back to the depot.
Fraudsters use empty houses
“All you need is an address where you’re going to be left
to your own devices and you’re laughing.”
Fraudster #C16, unconvicted
Empty houses offer a potential delivery address to the fraudster. This may involve
gaining access to the house, either by breaking in, by posing as a purchaser to
an estate agent or by collaboration with an estate agent. Alternative measures
include adding an external mail box to an empty property or leaving a sign on
the door advising that all deliveries should be left behind a wall or in the shed
(as appropriate). Some fraudsters trawl the obituary column of local newspapers
in search of properties that are left vacant as a result of the demise of the sole
occupant with a view to assuming both the identity of the deceased and using their
house for the delivery of goods.
Page 18 | Understanding the fraudster’s modus operandi
Fraudsters have multiple addresses
Some fraudsters rent several properties simultaneously to deal with the scale of
their operation with many paying for the full rental period in advance on the basis
that the owner or letting agent may be less concerned about what is happening at
the property provided that they know that they will be paid.
Fraudsters use and abuse their own address and then move on
“I’m as sure that I can be that whoever moved into the flat
after me was responsible for the debt. All the companies
that I’ve talked to say that my old address was where the
stuff got delivered so it must’ve been whoever moved
in but the police said that this wasn’t enough proof and
didn’t do anything so they got away with it.”
Jane, Victim #C12
“I never stayed more than six months. Long enough to
use and abuse the address and the credit of whoever lived
there before me.”
John, Fraudster #D8, convicted
Many fraudsters use rented accommodation as a delivery address. Some favour
renting a room in a shared property to minimise the cost involved whilst others rent
flats or houses for periods of six months; just enough time to build and destroy a
credit rating. Fraudsters using this approach tend to move every six months and
then commit fraud in the name of the previous tenant in each new property.
Fraudsters set themselves up for business
For ambitious large-scale fraudsters, the purchase of property is part and parcel
of the fraudulent enterprise. Properties may be purchased in the fraudster’s own
name and put back on the market immediately, being used for delivery purposes
in the interim period. One fraudster who deploys this method explained that he
purchases houses and rents them out for a six month period during which the
tenants are advised that mail and parcels might arrive for the ‘previous occupants’
which they are asked to pass to the owner of the property for redirection.
The house is then used for fraudulent purposes whilst generating income from
the rental and, ultimately, appreciating in value ready to be sold on once it has
become associated with fraud. Other fraudsters use fraudulently obtained
mortgages to purchase property which they then convert into multiple occupancy
accommodation, giving each room a separate number and registering these as
flats for the purposes of council tax. Each room can then be used as a separate
address for the purposes of fraudulent transactions. The fraudster may either
pay the mortgage or default, safe in the knowledge that the time taken to effect
repossession proceedings provides an ample opportunity to benefit from the
property.
An Experian white paper | Page 19
Distribution
How do fraudsters profit from goods that they obtain through fraud?
In this section, we look at how the fraudster operates once they have stolen the
identity and placed an order with someone else’s credit card. How do they get the
goods? Where do they have them delivered?
Fraudsters sell on the web
“I buy stuff online and flog it online on [auction websites]
so it isn’t traceable back to me. When people pay, I’ve
got a head start on their details so I usually don’t have
a problem in getting enough info to get a card in their
name. I do that online too so there’s no comeback.”
Ian, Fraudster #E17, unconvicted
“My missus does the selling. She’s got four or five
[auction website] accounts and lists stuff as if it’s a
private sale – not a commercial seller, people don’t like
that as much – and that way she can bid the prices up
from her other accounts so we get the best price.”
Peter, Fraudster #B2, unconvicted
“[Online auction sites] are the way forward. Before, I was
selling stuff in pubs and that’s well risky in case someone
reports it and you never know who’s watching.”
Jason, Fraudster #B17, convicted
“[Online auction sites] mean that the whole world is my
customer”.
Ian, Fraudster #E17, unconvicted
Page 20 | Understanding the fraudster’s modus operandi
Many fraudsters make use of online auction websites to distribute property to
unwary purchasers whilst others establish web-based businesses to facilitate
distribution. The relative anonymity offered by the internet is seen as a major
advantage when it comes to disposing of goods. Online distribution has to a
great extent taken over from the traditional means used by fraudsters in the past:
markets, car boot sales, advertisements in local newspapers and second-hand
shops have dwindled in popularity as a means of disposing of goods obtained by
fraud.
Fraudsters fraud to fund their material needs
“We live off it. Me and the missus. We do all of it
ourselves and nobody else knows or is involved so there’s
no risk. We live like kings really but cash can be short
because we don’t sell the stuff on. It’s too risky.”
Ken, Fraudster #E16, unconvicted
For many small-scale fraudsters, there is no need for distribution as the goods are
purchased for personal use and benefit. This tends to be the case in relation to
individuals acting alone or with a few others. For example, one couple adopted their
fraudulent activities involving the acquisition and use of stolen credit cards in order
to generate income as a family. They purchase clothing, food and household items
for personal use only. They travel a great deal to avoid being recognised and report
that their friends and family think that they both work in sales.
Fraudsters fraud to order
“People tell me what they want and I get it kiting the
card. I charge between half and a third of the cost price.”
Mary, Fraudster #D1, unconvicted
“So I usually buy anything that I need or stuff that people
have ordered but then I just get stuff to sell on. I’ve got a
couple of different people that I use for that and I usually
check with them to see if there’s anything in particular
that they want”
Simon, Fraudster #D17, unconvicted
An Experian white paper | Page 21
This also tends to apply to smaller scale fraudulent enterprises. In addition to the
purchase of goods for personal benefit, the fraudsters ‘buy to order’ for friends,
customarily charging between half and one-third of the retail value of goods. In
this way, the fraudster transfers the goods into cash. This appears to be a relatively
high-risk means of distribution as several fraudsters adopting this strategy reported
that disclosure by ‘customers’ often led to detection.
Fraudsters put their feet up and get their fence to finish the job
“The woman where I get the cards sells stuff on for me
too but she takes a pretty big cut so I tend to use the
others if I can.”
Ben, Fraudster #C16, unconvicted
Despite the obvious possibilities offered by the online retail environment,
many fraudsters still prefer to use a fence to distribute property, often citing the
convenience of a speedy cash sale to a trusted source as the primary attraction
of this approach. This is a particularly popular approach with fraudsters working
within a cooperative network.
Page 22 | Understanding the fraudster’s modus operandi
Conclusions about the fraudster’s modus operandi
Here’s our conclusion on what we do know about the fraudster...
Whilst this is only a partial insight into the fraudster’s modus operandi we hope
that it helps you understand how fraudsters operate. Here is our summary of the
tools and the tricks of the trade commonly used by the fraudster.
The fraudster is opportunistic
If we leave the window open they will come through it. Lock down your business
and make your defence against the fraudster.
The fraudster is well equipped
They have credit cards, CVV codes, full identities and the tools to back-up these
identities. There are a number of ways to mitigate against fraudsters that have
obtained genuine customer details, these include the use of trusted data sources
to identify intelligent questions that only the legitimate owner of the identity will
know. As we have seen throughout this report, the fraudster is well prepared and is
likely to know the common security questions that are used, therefore variation of
questions can help identify potential fraud.
The fraudsters can be based in the road outside or on another continent
Businesses that have products and services available online should be using an
IP address validation tool to work out whether customers are where they say they
are. The ease at which credit card information can be distributed means that the
threat of being hit by the online fraudster is truly global. Simple checks such as
geographical distance between billing and shipping addresses, geographical
distance between IP address web connection and billing addresses, or the
geographical relation of the card’s country of origin to the delivery address and IP
address can quickly and easily identify suspect activity.
The fraudster evolves and learns their way around the defences that organisations
put in their way
Employ a series of identity technologies, much like a set of hurdles to trip up the
fraudsters. Use as many or as few hurdles depending on the value or the risk in the
transaction.
Tools that automate monitoring for suspicious behaviour can also help quickly
identify patterns of behaviour, ensuring that you can limit any potential exposure to
the fraudster.
The fraudsters share information as they ply their trade
Join a fraud forum and learn from your fellow fraud prevention professionals. Share
fraud alert data so that fraudsters cannot use the same email, credit card, address
and IP addresses to commit fraud at multiple retailers. The more information that is
shared the more powerful your defences against the fraudster are.
An Experian white paper | Page 23
Law enforcement
What are law enforcement agencies doing to prevent fraud on a global scale?
In this section, we look at how law enforcement agencies from around the world
are working to combat fraud.
In April 2012 a worldwide operation involving police and intelligence agencies from
seven different countries resulted in the closure of 36 website domains. These
websites had been identified as specialising in selling stolen debit and credit card
information, as well as identity information and online bank account details.
The websites used e-commerce type platforms known as Automated Vending Carts
(AVCs) allowing criminals to sell large quantities of stolen data quickly and easily.
Visitors trying to access these sites are now directed to a screen indicating that the
web domain has been impounded by law enforcement.
The joint operation involved security services including the Australian Federal
Police, the BKA in Germany, the Korps Landelijke Politiediensten (KLPD) in the
Netherlands, the Macedonian Ministry of Interior Cyber Crime Unit, the Ukraine
Ministry of Internal Affairs, the Romanian National Police, the UK’s Serious
Organised Crime Agency (SOCA) and the United States’ Federal Bureau of
Investigation (FBI).
Security services have been tracking the development of AVCs and monitoring
their use by cyber criminals, who support payment card and online banking fraud
on a global scale. Working together these agencies have recovered over 2.5 million
items of compromised personal and financial information over the past two years.
Ongoing threat of fraud
Whilst law enforcement agencies are working hard to dismantle these high-tech
illegal operations, the scale of problems they face is alarming. Closing down
websites that offer illegal information can be a long process that involves chasing
huge paper trails and digital footprints that often lead nowhere. As many copyright
owners have found in the past, particularly from the entertainment industries,
domain names and server technology has advanced to the point by which it can
be almost impossible to tell which servers are supporting a site and where they are
physically located.
Technology
The recent advances in technology have allowed both individual fraudsters and
organised criminal gangs to sell and obtain huge volumes of personal data.
Usually the vast majority of the data that has been harvested has done so without
the knowledge of customers, which means that both businesses and consumers
need to be vigilant, monitor transactions and guard against unauthorised
access. Yet with the rapid rise of smartphones, consumers in particular, are often
exposing themselves to unsecure communication channels and giving application
manufacturers access to data. This is obviously a situation that fraudsters will
look to take advantage of and as mobile security takes time to catch up with other
computer technologies it represents a vast window of opportunity for fraud.
Page 24 | Understanding the fraudster’s modus operandi
Jurisdiction
Added to the issues of fraudsters hiding behind technology is the challenge
of jurisdiction, with many legal systems still struggling to adapt their existing
legislation to combat the challenges of frauds that are orchestrated on a global
scale. Conflicting legislation exists which means that for some systems the crime
is committed in the country where the fraud takes places, others where the card
holder or card issuer are based, all of which leads to inter-agency negotiations
which takes time and resources to resolve.
Distribution
The huge volumes of financial and identity data that are available to fraudsters
can also be used in a wide range of ways to generate funds. As we have seen
throughout this paper, auction sites, fences, buy to order schemes and other routes
all offer potential sources for fraudsters to turn transactions into cash. Given the
scale of commerce just for auction sites the challenges law enforcement face in
determining the fraudulent activity against the genuine transactions is vast.
Geography
The diverse geographies involved and the relative anonymity of the internet mean
that the market for personal data and financial information is strong and therefore
the threat to both consumers and businesses that do not take sufficient steps
to combat fraudulent activity is great. As technology has brought about a global
marketplace where a single card can be used almost anywhere, the challenge for
law enforcement is mammoth. For example, a stolen card could be used in one
location whilst the details of that card are simultaneously used on the other side of
the world to purchase goods online.
An Experian white paper | Page 25
Evolution of the industry
As fraud continues to rise, it is clear that businesses which take effective steps to
tackle it are also directly taking steps to safeguard their cash flow and protect their
profitability. At the same time protecting customers from the threat of fraud will not
only ensure regulatory compliance, but will also help underpin your reputation.
While the fraudster is continuing to indiscriminately use traditional routes to attack
financial institutions and organisations, the fraudster also continues to be fast,
flexible, inventive and willing to quickly adapt to new technology and opportunities.
Threats are also continuing to evolve and develop in line with the proliferation of
mobile channels, interfaces and platforms that consumers can choose to use.
As technology advances we are racing towards a tipping point en-route to full
mobile interaction and transaction, which will see traditional payment habits
change forever.
It’s a trend that will affect every sector of society – from personal banking, to retail,
telecoms, insurance, to the way we directly interact with government departments.
It is clear that hand-held devices will become more and more important to
transactions in the future. Their success also hinges on ensuring fast and secure
access to personal data, which is the key to keeping customers safe and engaged.
The penetration, relative ease and convenience of mobiles and other hand-held
devices means they will soon play a fundamental role as our new virtual identity
cards, available for use at anytime, anywhere and by default creating a virtual
wallet that replaces consumers’ current stack of plastic credits, debit, loyalty and
membership cards.
During most transactions we’re actually only obliged to prove that we’re entitled to
complete it – rather than disclosing the complete picture of who we are. As a result,
our identity will instead be encapsulated within our mobile wallets and hand-helds,
proving our authority at any point of purchase that we are entitled to complete
transactions.
But as the volume of transactions completed via virtual wallets rises, safeguarding
our identity, personal privacy and data will become more critical than ever in
validating payments and tackling fraud. As a result, they will become our personal
firewalls.
Fortunately advances in real-time data-sharing technology mean virtual identities
can be protected without disclosing critical and sensitive information every time an
electronic transaction takes place.
Mobile platforms and hand-held devices offer huge opportunities given their
enormous convenience, constant evolution and exponential development that has
continually improved every stage of the consumer’s journey – from acquisition,
with quick and easy sign-up procedures, to secure validation, maintenance
of regulatory compliance and reduced exposure to fraud for both users and
businesses.
Page 26 | Understanding the fraudster’s modus operandi
Fraud consultancy services
Experian Decision Analytics has a deep understanding of the dynamics of fraud
prevention and has developed a proven methodology for controlling risk by reducing
our clients exposure to fraud. Our history of partnering with some of the world’s
largest institutions, in a variety of industries, enables us to leverage global best
practices to solve a diverse range of business challenges. Our team of consultants
engage closely with clients to advise on a range of fraud prevention and identity
verification issues. These can cover aspects such as organisational and process
design, investigations training, fraud typologies, and effective fraud management
strategies, as well as assessing different analytical techniques.
Through gaining a detailed understanding of our clients’ business challenges,
processes, data and systems architecture we work in partnership to ensure that we
recognise the latest industry trends. This understanding enables us to optimise our
products and services so that our clients can overcome new obstacles and protect
themselves against emerging threats, such as organised fraud rings. For more
information about our fraud consultancy services contact us.
About Experian’s Decision Analytics
Experian Decision Analytics enables our clients to make analytics-based customer
decisions that support their strategic goals, so they can achieve and sustain
significant growth and profitability. Through our unique combination of consumer and
business information, analytics, decisions, and execution, we help clients to maximise
and actively manage customer value.
Meaningful information is key to effective decision-making, and Experian is expert
in connecting, managing, interpreting and applying data, transforming it into
information and analytics to address real-world challenges. We collaborate closely
with clients to identify what matters most about their business and customers, then
create and implement analytics-based decisions to manage their strategies over time.
In today’s fast-paced environment where developing, implementing, and sustaining
an effective strategy is imperative, Experian Decision Analytics helps organisations
unlock a wealth of benefits immediately—and set the stage for long-term success.
Increased revenue: Our products and services enable clients to increase revenue
by providing the insight and agility they need to find and engage the right customers,
target products more effectively, and grow market share.
Controlled risk: A broad range of risk-management products and services help
our clients to verify identity and manage and detect fraud, optimise collection and
recovery, and balance risk and reward.
Operational efficiency: Experian Decision Analytics helps our clients to quickly
integrate various information and processes to enhance operational efficiency
and boost agility. Our flexible, collaborative approach helps organisations increase
speed to market, enhance business agility and improve the quality of customers’
experiences.
Compliance as differentiation: Proven expertise lets clients use compliance
as source of competitive advantage. Experian Decision Analytics helps ensure
compliance with essential regulations, while helping organisations better understand
customers.
An Experian white paper | Page 27
www.experian.com
© Experian 07/2012. The word ‘EXPERIAN’ and the
graphical device are trade marks of Experian and/or
its associated companies and may be registered
in the EU, USA and other countries. The graphical
device is a registered Community design in the EU.
All rights reserved.