How to Identify Fraudulent Activities

Summary

Understanding how to identify fraudulent activities is vital for protecting individuals and organizations from financial loss and security breaches. Fraud occurs when someone uses deceptive behavior to attain unauthorized benefits, often through methods like impersonation, fake identities, or exploiting broken security protocols.

  • Verify all unusual requests: Always confirm suspicious transactions or requests through independent channels, such as directly calling the person or organization involved using verified contact details.
  • Implement multi-layered security measures: Use dual control for financial approvals, real-time monitoring tools, and behavioral analytics to identify and mitigate fraud patterns effectively.
  • Provide regular team training: Educate employees on emerging fraud tactics, including identifying phishing, AI-generated deepfakes, and social engineering scams to build a strong first line of defense.
Summarized by AI based on LinkedIn member posts
  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,737 followers

    It is becoming difficult to identify and prevent wire transfer fraud (WTF). Recently, a threat actor was able to steal $25M by using Deep Fake AI to impersonate a CEO and other management on a video call. See https://lnkd.in/ermje-5j. In an even more challenging example, a small bank's ACTUAL long-time CEO was duped, and caused his employees to make ten wire transfers equaling more than $47M. See https://lnkd.in/eh-Xqagv. If we can't trust a real looking/sounding fake CEO and we can't trust an ACTUAL CEO, how can we ever prevent WTF? Here are some tips:

    1. INDEPENDENT RESEARCH: At least one employee involved in an "unusual" wire transfer (i.e., unusual considering size, payee, payment method, situation, need for speed, new wire information, etc.) should independently research the transaction to confirm its validity. This employee should fill out pre-prepared worksheets to document that all of the steps below were taken. Such investigation might include:
       • Speaking directly with the person requesting the wire or the change in the wire to understand: (a) the purpose of the wire; (b) the origin of the request; and (c) how the request was made (e.g., by email). Always call that person directly using his or her known contact information. Also, consider speaking directly with the originator of the request, if that is someone different than the requestor.
       • Independently looking up the payee (perhaps on a personal device, in case the network is infected) to understand what the payee does, whether the payment makes sense, and whether there are any reputational issues with the payee (e.g., check the BBB website, State AGs, or other sites.)
       • Independently finding the true phone number of the payee, and calling the payee to verify the wire transfer information is accurate.
       • Speaking directly with someone more senior than the requestor to confirm the transaction is legitimate. If the requestor is the CEO, and the transaction is significant enough, speak with someone on the board or outside counsel. In advance, create a contact list with the relevant approvers.
    2. DUAL CONTROL: At least two employees should approve every significant transfer. Ideally, there are technical controls (e.g., two separate MFA approvals) to ensure both employees have approved.
    3. WRITTEN PROCEDURE: Your procedure should be documented and updated annually. Written validation logs should also be retained.
    4. TRAINING: Everyone involved should be trained on the procedure upon onboarding and at least annually.
    5. TABLETOP EXERCISES: This is another big one. Consider conducting "WTF tabletop exercises" at least annually. Test your procedure with challenging situations, such as a deep fake CEO or a real CEO who has been duped.
    6. ESCROW OPTIONS: For significant transactions, consider whether there are options to transfer the funds into an escrow or other safe account until you can fully validate the payee or the transaction.

  • Tamas Kadar

    Co-Founder and CEO at SEON | Democratizing Fraud Prevention for Businesses Globally

    11,275 followers

    Being in the fraud prevention industry gives me an insider’s view of how fraud attacks work - including seeing new patterns emerge. Here are recent insights on how fraudsters are increasingly targeting people to take control of their bank accounts and initiate unauthorized wire transfers.

    📞 The Phone Call Scam: Scammers exploit the vulnerability in PSTN to spoof caller IDs, making it seem like the call is coming from a trusted bank. A number of well-known VoIP providers make this possible.

    🔓 Remote Access: Once they establish contact, scammers mention there is some suspicious activity or other important reason behind their call. They then persuade victims to install remote desktop applications like AnyDesk, or to turn on WhatsApp or Skype's screen sharing. This allows them to access banking apps and initiate transfers. This helps them to intercept login data and one-time passcodes. Banks also don't insure against such scams, leaving victims exposed.

    🤖 AI in Voice Scams: Imagine combining voice recognition with GPT-based text-to-speech technology. Scammers scale their operations massively, this is a future risk we must prepare for now.

    So what proactive measures can banks and digital wallets take?
    1. Customer Education: Many banks already do this; keeping their customers informed about official communication channels and the importance of calling back through their verified numbers.
    2. One-Time Passcodes for Payments: OTPs aren’t just for logins but also useful for transactions, with detailed payment information included.
    3. Being On a Call During Transactions: The top FinTechs are already looking into, or developing technology to detect if a customer is on a call (phone, WhatsApp, Skype) during banking activities.
    4. Detect Remote Access: Implement detection mechanisms for any remote access protocol usage during banking sessions.
    5. Behavior and Velocity-Based Rules: Sophisticated monitoring should be used to flag activities in real-time based on unusual behaviour and transaction speed.
    6. Device, Browser, and Proxy Monitoring: This is a quick win, as there are many technologies available to flag unusual devices, browsers, and proxy usage that deviates from the customer's norm.
    7. Multiple Users on Same Device/IP: Ability to identify and flag multiple customers who are using the same device or IP address is one way to detect bots.
    8. Monitoring Bank Drops and Crypto Exchanges: Pay special attention to transactions involving neobanks, crypto exchanges, or other out-of-norm receiving parties, to identify potential fraud. Some of them might not ask for ID and even if they do, it can be easily faked with photoshopped templates.

    Hope you find that useful, and in the meantime, I’d love to hear what other emerging threats you’ve seen or heard of. Fostering these open conversations is what enables us all to unite together against combating fraud 👊

    #FraudPrevention #CyberSecurity #DigitalBanking #ScamAwareness #AIinFraudDetection

  • Soups Ranjan

    Co-founder, CEO @ Sardine | Payments, Fraud, Compliance

    35,946 followers

    How a fraudster stole $2.5m from DoorDash with a simple 5-minute attack loop:

    The USAO just revealed how a fraudster stole $2.5m from DoorDash by posing as a delivery driver.

    Here's how they did it:
    1. Create fake customer orders (high-value items)
    2. Use stolen employee credentials to access backend systems
    3. Assign orders to fraudulent driver accounts they controlled
    4. Mark orders as "delivered" (triggering payment)
    5. Reset orders to "in process" and repeat hundreds of times

    Stolen credentials are a weakness we keep seeing appear. It took only 5 minutes per cycle. They ran this loop over and over, eventually stealing $2.5 million before being caught.

    What keeps me up at night as a fraud prevention leader:
    - The attack was entirely "mechanical" - no sophisticated hacking
    - The fraudsters could scale rapidly by repeating a simple process
    - It exploited a fundamental business logic flaw, not a security weakness

    This is why rule-based fraud detection often fails against determined fraudsters who understand your system's weaknesses. The most dangerous attacks often don't look like "attacks" at all - they mimic normal business operations.

    Three critical lessons for protecting your platform:
    - Monitor anomalies across your entire estate, not just individual transactions
    - Seeing the same device (or devices) making a high volume of orders should trigger alerts
    - Seeing the same order recycled multiple times should trigger alerts

    Look for unusual patterns in HOW your system is being used, not just WHAT is being processed.

    One of the reasons we built our anomaly-to-rule feature was to close the loop as fast as possible on new attacks and catch them early.

    What's the most concerning fraud pattern you've seen in your industry? I'd love to hear how you're approaching these challenges.
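
Added example (not part of the post above, and not DoorDash's or Sardine's code): a minimal detector for the two alerts the post names, the same order being recycled and the same device producing a high volume of orders. The event layout, status names, window and thresholds are assumptions, and the log is constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed forward-only order lifecycle; the status names are hypothetical.
STATUS_RANK = {"created": 0, "assigned": 1, "in_process": 2, "delivered": 3}

# Constructed audit log: (ISO timestamp, order_id, actor, device_id, new_status)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "o-100", "cust-1", "dev-A", "created"),
    ("2024-01-01T10:01:00", "o-100", "emp-7", "dev-Z", "assigned"),
    ("2024-01-01T10:02:00", "o-100", "emp-7", "dev-Z", "in_process"),
    ("2024-01-01T10:03:00", "o-100", "emp-7", "dev-Z", "delivered"),
    ("2024-01-01T10:04:00", "o-100", "emp-7", "dev-Z", "in_process"),  # reset
    ("2024-01-01T10:05:00", "o-101", "cust-1", "dev-A", "created"),
    ("2024-01-01T10:08:00", "o-100", "emp-7", "dev-Z", "delivered"),
    ("2024-01-01T10:09:00", "o-100", "emp-7", "dev-Z", "in_process"),  # reset
    ("2024-01-01T10:10:00", "o-102", "cust-1", "dev-A", "created"),
    ("2024-01-01T10:13:00", "o-100", "emp-7", "dev-Z", "delivered"),
    ("2024-01-01T11:00:00", "o-200", "cust-2", "dev-B", "created"),
    ("2024-01-01T11:05:00", "o-200", "emp-3", "dev-Y", "assigned"),
    ("2024-01-01T11:20:00", "o-200", "emp-3", "dev-Y", "in_process"),
    ("2024-01-01T11:45:00", "o-200", "emp-3", "dev-Y", "delivered"),
]


def find_recycled_orders(events, max_deliveries=1):
    """Return orders that were marked delivered more than max_deliveries
    times, or whose status moved backwards in the lifecycle (a reset)."""
    last_status = {}
    stats = defaultdict(lambda: {"deliveries": 0, "resets": 0, "actors": set()})
    # ISO-8601 timestamps sort chronologically as plain strings.
    for _ts, order_id, actor, _device, status in sorted(events):
        prev = last_status.get(order_id)
        if status == "delivered":
            stats[order_id]["deliveries"] += 1
        if prev is not None and STATUS_RANK[status] < STATUS_RANK[prev]:
            stats[order_id]["resets"] += 1
            stats[order_id]["actors"].add(actor)  # who performed the reset
        last_status[order_id] = status
    return {
        order_id: s for order_id, s in stats.items()
        if s["deliveries"] > max_deliveries or s["resets"] > 0
    }


def device_velocity(events, status, window=timedelta(minutes=15), threshold=3):
    """Return {device_id: peak_count} for devices that emitted at least
    `threshold` events of `status` inside any sliding `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _order_id, _actor, device, event_status in sorted(events):
        if event_status != status:
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[device]
        queue.append(now)
        while now - queue[0] > window:  # drop events older than the window
            queue.popleft()
        if len(queue) >= threshold:
            flagged[device] = max(flagged.get(device, 0), len(queue))
    return flagged


if __name__ == "__main__":
    print(find_recycled_orders(SAMPLE_EVENTS))
    print(device_velocity(SAMPLE_EVENTS, "created"))
    print(device_velocity(SAMPLE_EVENTS, "delivered"))
```

Both checks look at how the order lifecycle is being driven rather than at any single transaction, so they also fire when every individual event was made with valid credentials.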

  • Brian D.

    safeguard | tracking AI’s impact on payments, identity, & risk | author & advisor | may 3-6, CO

    17,642 followers

    "We need more data to catch fraud" is usually wrong. You need better questions.

    I once inherited a fraud team drowning in data:
    • 100+ insights per transaction
    • 6 different risk tools
    • Terabytes of historical data

    Their chargeback rate was 1.5%+

    Six months later, with the same data but different questions, we hit 0.6%.

    Instead of asking "Is this transaction fraudulent?" We asked "Why would a fraudster choose us?"

    That revealed a lot....
    • We had instant payouts (fraudster candy)
    • Our refund process was automated (easy to exploit)
    • New account benefits were stackable (hello, farming)

    The framework that cut fraud 75%:
    1. Map your honeypots
       What makes your business attractive to fraud?
       List your top 10 fraudster benefits.
    2. Price the exploit
       Calculate the ROI for each attack vector.
       Fraudsters are ROI-driven. Make their math not work.
    3. Break the economics
       Don't block the fraud. Make it unprofitable.
       Add delays. Require deposits. Limit stacking.

    Example: We had fraudsters creating 50+ accounts for new user promos. Instead of better detection, we made promo codes single-use per payment method. Simple. But effective. Fraud farms started to disappear.

    You already have the data. You're just asking it the wrong questions.

    BD²¹

  • Hilton McCall

    I show technology leaders how to make fraud prevention fast, effective, and frictionless for their digital platforms.🚀 😊

    7,282 followers

    Is KYC Broken? Here’s the latest...(you need to know)

    Most companies think KYC is a bulletproof line of defense. The reality, it can be a giant blind spot. Fraudsters have figured out how to bypass identity verification at scale. AI-generated deepfakes, emulators, and app cloners make it easy to create synthetic identities that can pass KYC checks. KYC systems aren’t failing because they are weak, they're failing because they were never built to catch fraud in an AI world.

    Here’s the exploit:
    ▪️ Deepfake Technology: AI-generated videos that bypass facial verification. The KYC platform sees a “real” face but it's not!
    ▪️ Device Spoofing: Emulators and cloners create multiple fake devices, masking fraudulent activity and enabling scaled attacks.
    ▪️ Hooking & Tampering: Fraudsters manipulate verification apps to inject fake data directly into the process.

    The result? Fraudsters can pass KYC undetected. Fake accounts skyrocket - Payment fraud and chargebacks escalate. Most companies don’t have a good grip on this yet.

    So what’s the fix? You have to start analyzing devices and behaviors in real time.
    ✅ Device intelligence: Identify syndicates tied to the same device, accurately.
    ✅ Behavioral analysis: Detect session anomalies in real-time before fraudsters can cash out.
    ✅ Continuous monitoring: Fraud doesn’t stop at onboarding or only happen at payment - think "anytime fraud" and monitor accordingly.

    Fraudsters know KYC is just a checkpoint. They know what you are checking for and how to fool the process. What do you think #fraudfighters?

  • Yohan Kim

    CEO at RFA

    2,349 followers

    This article highlights that a St. Louis federal court indicted 14 North Korean nationals for allegedly using false identities to secure remote IT jobs at U.S. companies and nonprofits. Working through DPRK-controlled firms in China and Russia, the suspects are accused of violating U.S. sanctions and committing crimes such as wire fraud, money laundering, and identity theft. Their actions involved masking their true nationalities and locations to gain unauthorized access and financial benefits.

    To prevent similar schemes from affecting your businesses, we recommend a multi-layered approach to security, recruitment, and compliance practices. Below are key measures:

    1. Enhanced Recruitment and Background Verification
       - Identity Verification: Implement strict verification procedures, including checking legal identification and performing background and reference checks.
       - Geolocation Monitoring: Use tools to verify candidates’ actual geographic locations. Require in-person interviews for critical roles.
       - Portfolio Validation: Request verifiable references and cross-check submitted credentials or work samples with previous employers.
       - Deepfake Detection Tools: Analyze video interviews for signs of deepfake manipulation, such as unnatural facial movements, mismatched audio-visual syncing, or artifacts in the video.
       - Vendor Assessments: Conduct due diligence on contractors, especially in IT services, to ensure they comply with sanctions and security requirements.
    2. Cybersecurity and Fraud Prevention
       - Access Control: Limit access to sensitive data and systems based on job roles and implement zero-trust security principles.
       - Network Monitoring: Monitor for suspicious activity, such as access from IPs associated with VPNs or high-risk countries.
       - Two-Factor Authentication (2FA): Enforce 2FA for all employee accounts to secure logins and prevent unauthorized access.
       - Device Management: Require company-issued devices with endpoint protection for remote work to prevent external control.
       - AI and Behavioral Analytics: Monitor employee behavior for anomalies such as unusual working hours, repeated access to restricted data, or large data downloads.
    3. Employee Training and Incident Response
       - Cybersecurity Awareness: Regularly train employees on recognizing phishing, social engineering, and fraud attempts, using simulations to enhance awareness of emerging threats like deepfakes.
       - Incident Management and Reporting: Develop a clear plan to handle cybersecurity or fraud incidents, including internal investigations and containment protocols.
       - Cross-Functional Drills and Communication: Conduct company-wide simulations to test response plans and promote a culture of security through leadership-driven initiatives.

    #Cybersecurity #HumanResources #Deepfake #Recruiting #InsiderThreats

  • Fraud grows unchecked without anyone noticing? That's exactly what happened to one of my clients. Because his business's basic internal controls were non-existent, allowing a single employee to process payments, reconcile accounts, and destroy evidence without oversight.

    Then we helped him, here’s how:
    1️⃣ Segregation of Duties – Strategically divide financial responsibilities so no single person controls multiple critical functions, creating natural checks and balances that make fraud exponentially more difficult.
    2️⃣ Authorization Hierarchy – Establish clear approval thresholds and verification protocols for transactions, ensuring appropriate scrutiny based on risk and materiality.
    3️⃣ Documentation Standards – Implement rigorous record-keeping requirements that create audit trails for every significant transaction, eliminating gaps where impropriety can hide.
    4️⃣ Independent Reconciliation – Deploy regular account reconciliations performed by someone other than the transaction processor, catching discrepancies before they become systemic problems.
    5️⃣ Periodic Internal Audits – Conduct surprise reviews of financial processes and transactions, creating accountability and deterrence through unpredictable oversight.

    The results?
    ✅ Fraud risk reduced by 94%
    ✅ Operational errors decreased by 76%
    ✅ Stakeholder confidence strengthened

    Later, the business owner confessed: "I trusted completely and verified never. I didn't realize that internal controls aren't about suspicion, they're about creating systems that protect everyone, including honest employees."

    Strong internal controls make fraud difficult and detection inevitable. Weak controls create temptation and opportunity. I help businesses implement effective internal controls without bureaucratic complexity. DM "Controls" to safeguard your financial future.

    #internalcontrols #finance #accounting

  • I saw some troubling behavior on a customer call recently - fraudsters used legitimate salon business practices to rack up $1,000+ in stolen fees from customer credit cards. It's scary how easy it was 👎

    The process is simple.
    1 - Salon takes a customer for an appointment 📅
    2 - They store the customer's credit card in their system 💳
    3 - After a few weeks, they make a fake appointment for the customer, cancel it, and then charge the card a "cancellation fee" ❌
    4 - They do this dozens of times, and collect thousands in no-show fees 👎
    5 - The software platform facilitating all of this is left holding the bag 😬

    Fraud detection is messy! Customers can legitimately create appointments, and legitimately cancel them all the time. This is a seemingly normal business, using normal practices, still scamming platforms 😣

    A few signals I would use to try to detect this early: 🤖
    - Unusual spike in no-show fee velocity 🔎
    - High ratio of no-shows to actual appointments 👀
    - No-show charges from manually created (vs customer-created) appointments 📉
    (All possible to detect through Coris BTW 😎)

    Fraudsters rarely do this for an extra $20 a month - they get greedy, and want more. Those spikes are where I'd look first to start to combat this special fraud. And remember, anywhere a merchant can collect payment, there's a possibility for risk 🧠
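
Added example (not part of the post above, and not Coris's implementation): the three signals listed in the post computed per merchant from appointment records, with a merchant flagged only when at least two of them trip. The record layout, thresholds and merchant names are assumptions, and the records are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

# Assumed alert thresholds; tune against your own merchant population.
THRESHOLDS = {"no_show_ratio": 0.5, "manual_share": 0.8, "fee_spike": 3.0}


def _rows(merchant, week, created_by, outcome, fee, n):
    """Build n identical constructed records."""
    return [(merchant, week, created_by, outcome, fee)] * n


# Constructed records: (merchant_id, week, created_by, outcome, fee_usd)
SAMPLE = (
    # salon-1: steady business with occasional genuine no-shows
    _rows("salon-1", 1, "customer", "completed", 0, 18)
    + _rows("salon-1", 1, "customer", "no_show", 20, 2)
    + _rows("salon-1", 2, "customer", "completed", 0, 19)
    + _rows("salon-1", 2, "customer", "no_show", 20, 1)
    + _rows("salon-1", 3, "customer", "completed", 0, 18)
    + _rows("salon-1", 3, "merchant", "no_show", 20, 2)
    # salon-2: few real appointments, then a burst of merchant-created no-shows
    + _rows("salon-2", 1, "customer", "completed", 0, 5)
    + _rows("salon-2", 1, "customer", "no_show", 20, 1)
    + _rows("salon-2", 2, "customer", "completed", 0, 4)
    + _rows("salon-2", 2, "merchant", "no_show", 20, 1)
    + _rows("salon-2", 3, "customer", "completed", 0, 3)
    + _rows("salon-2", 3, "merchant", "no_show", 20, 24)
)


def merchant_signals(records):
    """Compute the three signals for every merchant in `records`."""
    per = defaultdict(lambda: {"completed": 0, "no_show": 0,
                               "manual_no_show": 0,
                               "weekly_fees": defaultdict(float)})
    for merchant, week, created_by, outcome, fee in records:
        m = per[merchant]
        if outcome == "completed":
            m["completed"] += 1
        elif outcome == "no_show":
            m["no_show"] += 1
            m["weekly_fees"][week] += fee
            if created_by == "merchant":
                m["manual_no_show"] += 1
    signals = {}
    for merchant, m in per.items():
        weeks = sorted(m["weekly_fees"])  # only weeks that had a no-show fee
        latest = m["weekly_fees"][weeks[-1]] if weeks else 0.0
        prior = [m["weekly_fees"][w] for w in weeks[:-1]]
        baseline = mean(prior) if prior else 0.0
        signals[merchant] = {
            # max(..., 1) avoids dividing by zero for merchants with no history
            "no_show_ratio": m["no_show"] / max(m["completed"], 1),
            "manual_share": m["manual_no_show"] / max(m["no_show"], 1),
            # no baseline means no spike signal; the other two must carry it
            "fee_spike": latest / baseline if baseline else 0.0,
        }
    return signals


def flag_merchants(records, min_signals=2):
    """Return {merchant_id: [tripped signal names]} for flagged merchants."""
    flagged = {}
    for merchant, sig in merchant_signals(records).items():
        tripped = sorted(k for k, limit in THRESHOLDS.items() if sig[k] > limit)
        if len(tripped) >= min_signals:
            flagged[merchant] = tripped
    return flagged


if __name__ == "__main__":
    print(flag_merchants(SAMPLE))
```

Requiring two signals keeps a merchant with a single bad week of genuine no-shows out of the review queue.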

  • Rob Schenk

    Helping Companies Not Get Hacked | Cyber/AI Guy Who Speaks Human | Protecting 500+ clients since 1996.

    7,144 followers

    In July, a North Korean hacker posed as an IT worker and duped a cybersecurity company into hiring him. Now they’re using extortion as a follow-up attack.

    Hiring fraud just reached a new level. North Korean hackers are no longer satisfied with just infiltrating your company—they’re holding your data hostage and demanding ransoms to keep it from being leaked. It’s a sophisticated evolution in cybercrime, and Western companies are the primary target.

    Here’s how it works: Hackers pose as highly qualified IT professionals, using fake resumes, AI-generated identities, and stolen credentials. They go through the hiring process unnoticed, secure a job, and gain access to sensitive company data. But instead of just stealing it, they’re now threatening to expose it—unless you pay up.

    So, what can you do to prevent this?
    1. Tighten Your Hiring Process: Use multi-layered identity verification tools and require video interviews with real-time identity checks. Look for red flags like unverified recruiters or unusual interview behaviors (e.g., candidates refusing to turn on their camera).
    2. Screen Job Offers Carefully: Whether you’re a hiring manager or candidate, scrutinize job application invites and offers, especially those from email or messaging services like WhatsApp. Verify the recruiter’s identity and check if the company they represent is legitimate.
    3. Monitor New Hires’ Behavior: Even after onboarding, monitor new employees for suspicious activity, such as unexpected access requests or attempts to install unauthorized software. Keep access levels restricted for new hires until they’ve been fully vetted.
    4. Utilize Suspicious Email Analysis Tools: Before clicking on links or opening attachments in unsolicited job offers or other suspicious emails, make use of tools like Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they’re benign.

    The rise in this type of extortion shows just how advanced cybercriminals are becoming. Protecting your business goes beyond cybersecurity—it’s about reinforcing every layer, including your hiring process.

    Takeaway: The next IT hire you make could be an undercover cybercriminal, but you can minimize the risk by staying vigilant, verifying identities, and implementing strict access controls.

    Intelligent Technical Solutions Mike Rhea

    #Cybersecurity #HiringFraud #DataExtortion #HRSecurity #RiskManagement #BusinessProtection #EndpointSecurity #ITSecurity #RemoteWork #Leadership #CyberRisk #RiskMitigation #BusinessLeaders #HR

  • Prafful Agarwal

    Software Engineer at Google

    32,850 followers

    Here's how Stripe detects frauds with a 99.9% accuracy in 100 milliseconds (that too by checking over 1000 parameters for one transaction)

    Fraud detection in online payments isn’t just about stopping bad transactions, it’s about doing it fast, at scale, and without blocking legitimate users. Stripe’s fraud prevention system, Radar, evaluates 1,000+ signals within 100 milliseconds to make decisions. Here’s how it works and why it’s so effective:

    1. ML Models That Learn and Scale
       Stripe started with simple ML models (logistic regression) but quickly scaled to hybrid architectures combining:
       - XGBoost for memorization (catching known patterns).
       - Deep Neural Networks (DNNs) for generalization (handling unseen patterns).
       - Key Problem: XGBoost couldn’t scale or integrate modern ML techniques like transfer learning and embeddings.
       - The Solution: Stripe moved to a multi-branch DNN-only architecture inspired by ResNeXt. This setup allowed it to memorize patterns while staying scalable. It reduced training times by 85%, enabling multiple experiments in a single day instead of overnight runs.
    2. Learning From Real Fraud Patterns
       Radar doesn’t just rely on static rules, it learns from data across Stripe’s network.
       - Engineers analyze fraud attacks in detail, e.g., patterns of disposable emails or repeated card testing.
       - Features like IP clustering and velocity checks were added to detect suspicious activity.
       - Fraud insights are shared across the network, so lessons learned from one business protect others automatically.
       Example: Analyzing IP patterns helped detect high-volume attacks where fraudsters used multiple stolen cards from the same source.
    3. Scaling With More Data, Not Just Smarter Models
       Stripe realized that more training data could unlock better performance, similar to modern LLMs like GPT models. It tested scaling datasets by 10x and 100x. Result? Performance kept improving, confirming that larger datasets and faster training cycles work better than complex rules alone.
       Key Insight: Bigger datasets help uncover rare fraud cases, even if they occur in only 0.1% of transactions.
    4. Explaining Fraud Decisions Clearly
       Fraud systems often act like black boxes, leaving businesses guessing why a payment failed. Stripe built Risk Insights to provide clear explanations:
       - Shows features contributing to fraud scores like mismatched billing and shipping addresses.
       - Displays maps and transaction histories for visual context.
       - Enables custom rules to fine-tune fraud checks for specific business needs.
       Result: Businesses trust Radar’s decisions because they can see why a payment was flagged.
    5. Constant Adaptation to Stay Ahead
       Fraud patterns evolve, so Stripe built Radar to adapt in real time:
       - Uses transfer learning and multi-task learning to generalize better.
       - Incorporates insights from the dark web and emerging fraud tactics.
       - Continuously retrains models without disrupting performance.
