Synthetic Fraud, Data Breaches, and Other New and Evolving Scam Techniques
Many of us are aware that scams, fraud, and cyber threats are out there. We may even be aware of some specific scamming methods, such as catfishing, hacking your accounts or devices, or even pretending to be your bank. But scammers and fraudsters are always coming up with new ways to get your information, steal your money, and defraud you. In addition to classic techniques like encouraging fear and urgency, they also come up with new methods like synthetic fraud.
See Synthetic Fraud with Mike Cook for a complete transcript of the Easy Prey podcast episode.
Mike Cook currently works for a company called Socure, which is a venture capital-backed identity verification company. Secure has been around for a decade and has served over fifteen hundred customers. Mike can’t name names due to non-disclosure agreements, but if it’s a big bank, a card issuer, a FinTech (financial technology) company, or a company offering loans online, they probably work with Socure.
Mike has been working in fraud investigation and prevention for over thirty-five years. He started in a company called Chrysler Credit doing auto credit. That role piqued his interest in understanding fraud. From there, he took a job with American Express working on fraud and never looked back.
An Interest in Fraud
Mike first became interested in fraud when he got to speak with someone who defrauded his company. When he worked at Chrysler Credit, a woman stole five cars. Her name was Carol Jones, but she purchased the cars under similar names (like Carolyn Jones and Carolyn A. Jones) and used fake social security numbers. She had five different cars delivered to the Astrodome, a sports stadium in Houston, before the company caught on.
Chrysler Credit never did find the cars or get them back. But Mike did have the opportunity to talk to her. He found the whole conversation intriguing. She thought the car theft was funny. In her mind, the company were fools for delivering the cars to the Astrodome in the first place. It got Mike thinking. If it was so easy to commit fraud, why can’t people stop it? It sparked Mike’s interest in fraud of all kinds.
A Passion for Fraud
It’s one thing to have an interesting conversation with a fraudster thirty-five years ago. It’s another thing to have someone close to you defrauded. In the past six months, Mike’s daughter was the victim of a Zelle scam. Scammers called her pretending to be a government agency. They knew all her information and talked to her for two days. Eventually they convinced her that if she sent all the money she had – about $900 – the problem would go away.
She sent the money, and only later realized it was a scam. When she contacted her bank, they said because it was sent through a peer-to-peer (P2P) money transfer method, it didn’t fall under consumer fraud protection. That money was lost.
It fueled a new passion in Mike. Not just because the money was lost to her, but because she was fearful and upset. They had a bunch of private information about her, which convinced her that they must be from the government. She didn’t think she owed the money, but they kept talking about how it was going to be embarrassing. She was going to get fines and go to court and her parents would have to be brought in. At that point, she completely believed that she was in trouble. She was afraid and upset and agreed to send everything she had in her bank account to fix it.
Scammers are Finding New Methods
What happened to Mike’s daughter wasn’t a random call. The scammer wasn’t cold-calling and hoping to convince whatever person who picked up the phone that they owed the government money. It was targeted. They did their research and found information about her to make the story convincing.
If you’ve been working in fraud for as long as Mike has, you’d know how good the fraudsters have gotten. In the past, fraudsters weren’t paying that much attention to who they targeted. Now, they can buy information from a data breach and know a lot. They can get an email address and password and use credential stuffing to try to get into your bank accounts. Or they can get your social security number, birthday, email, and all sorts of other information to target people specifically with very convincing stories. With the information available from data breaches, they can do a better job convincing people they should pay to avoid getting in worse trouble.
Years ago, fraud was easier to stop. They weren’t as good … [but] now with all the data breaches that have happened, most everybody’s data is out there on the internet.Mike Cook
Scammers also adapt fast. Years ago, consumers would figure out what scammers were up to and they would have to change their methods every six to eight months. Then it started changing every month. Now we’re seeing intraday changes – scammers will adapt their methods in the middle of the day. Mike thinks they’re using advanced machine learning and data science to get ahead of tools protecting consumers. Fraud has never been smarter, quicker to change, and harder to stop.
The Danger of Data Breaches
For the vast majority of us, our information is out there and available online. Some data breaches have been massive, with more than two hundred million people’s personally identifiable information exposed. Personally identifiable information includes names, addresses, and social security numbers – the kind of thing that you don’t want to be public.
With all of these data breaches, the data doesn’t go away, so it’s fairly available.Mike Cook
Once that information is exposed in a breach, it’s put on the internet. From there, it’s sold and copied and sold and copied over and over again. It never goes away. If you think about it, most of our personal information doesn’t change. Our names, our birthdays, and our social security numbers don’t tend to change over the course of our lives. These days, email addresses and phone numbers tend to stay the same, as well.
It makes things easier for us, but it also makes it easier for scammers. If they want to get information to target you specifically, they just have to go to the dark web, find a marketplace, make a purchase, and download. Then they can use that information to scam you or commit synthetic fraud or other kinds of fraud.
How Scammers and Fraudsters Use Synthetic Fraud
Socure recently put out a report on synthetic fraud. Mike has been watching the evolution of synthetic fraud for over twenty years. Twenty years ago, fraudsters were about getting money fast. They would get that phone and ship it to Europe, or get that credit card number and run up the charges. Then they got smarter and started going something called “bust out,” which required them to be patient. They would run a card up and work the system so they eventually could steal twenty thousand dollars on a ten thousand dollar credit line.
Since the coronavirus pandemic, though, synthetic fraud patterns changed drastically. Stealing money is still important, but they’re also focused on moving that money around. These changes were so drastic that Socure did their three-year study on how synthetic fraud is changing, trying to figure out what exactly was going on. They looked across different industries and found fraudsters were using synthetic fraud in deposit accounts where they couldn’t make a lot of money. But what they could do was move money around fraudulently.
A money mule is an important part of any kind of fraud or scam. Money mules are people or entities who have money sent to them, then send the money somewhere else. Basically, it’s moving money around for fraudulent purposes. In the past, money mules used to be actual people. Either they would be scam victims who didn’t realize what they were doing, or they were being paid to move the money. But now scammers have figured out how to use synthetic fraud to make their own money mules.
How Synthetic Fraud Works
With synthetic fraud, the scammer creates a fake identity. They’re not stealing the full identity of a real person. They may take some information from one person and some from another to make a composite person, or they might make up most of the information. But they put together enough information to make a fake identity.
To turn that fake identity into a money mule, it creates a bank account. It’s a real bank account, but owned by this fake individual created through synthetic fraud. The scammer can then move money through this fake account and use it as a money mule. If you’re going to do something illegal that could get you in trouble, like money laundering or drug trafficking, you don’t want to do it under your own identity. And synthetic fraud is often easier than getting a real person to move your money for you. So creating a fake identity with synthetic fraud is scammers’ new favorite way to move money around.
Mike has done some research with Socure. They found that anywhere from 1% to 3% of open and active bank accounts in the United States are synthetic fraud accounts. That’s a frighteningly large number.
Think about that. In a group of a hundred people, you have three people working against you and they’re not telling you they’re doing that.Mike Cook
Synthetic Fraud and Banks
Synthetic fraud has become especially big since the coronavirus pandemic. It doesn’t impact consumers directly, because it’s not stealing their identity. But synthetic fraud is still moving money around for fraudsters and helping them get paid for defrauding people. And banks haven’t done a great job at stopping it.
The easiest place to stop synthetic fraud is at the very beginning, when the scammer is trying to open an account with a fake identity. But once a synthetic fraud account gets in, it can be hard to detect. You might think it would be easy to spot an account with a hundred small transactions going in and out each day. But 91% of businesses in the US are small businesses with less than three employees. Someone with a legitimate Etsy business doing moderately well might see that many transactions. A synthetic fraud account can look like a commercial account and be hard to spot. And banks don’t want to crack down too hard on accounts like that because they don’t want to risk angering legitimate account holders.
Regulations to Protect Consumers and Stop Synthetic Fraud
There are some regulatory changes coming, and some more that are needed, to protect consumers and stop synthetic fraud. Mike is particularly excited about a new Consumer Financial Protection Bureau initiative. They are pushing for banks to accept loss for P2P fraud. If you Zelle someone money for a dog you found on Craigslist and never get the dog because you’ve been scammed, right now you have to eat that loss. If this new regulation goes through, your bank will be responsible for that loss. Mike’s friends who work in banking don’t like this initiative, and Mike doesn’t blame them. But it’s good for consumers. It puts more stress on banks to keep synthetic fraud and scammers out.
If the government changes regulations to make the banks responsible, it’s worthwhile for banks to make the effort to identify synthetic fraud accounts and other money mules. In 2023 and 2024, we’re likely going to see banks working harder to stop P2P fraud on behalf of consumers. With the changing regulations, keeping consumers from getting scammed will help banks avoid financial loss.
Protecting Yourself from Scams and Fraud
There are many different ways to perpetrate fraud. The most dangerous scams, though, aren’t the high-tech ones. People think about fraud and think a scammer is going to hack into their accounts or hack their computer. But most of the time, a scammer uses social engineering to talk you into something. Romance scams, IRS scams, charity scams, and more rely on talking you into sending money.
There are some warning signs to watch out for. If it sounds too good to be true, it is. If they’re trying to pressure you by saying things like, “You need to pay immediately,” they’re trying to scare you and it’s probably a scam. If they claim they’re a government entity, it’s likely fraud. Don’t ever be afraid to hang up on something you think is fishy.
Even if you literally hang up on a real person who works for the IRS, you just hang up on them. Just keep hanging up on them.Mike Cook
Fraudsters try to push you to respond right there and then. But you don’t need to react immediately. If it’s a real issue, you can address it over time. If they’re genuine, they will be okay with you taking some time to verify their claims. A scammer, though, will push you to respond – and pay – right away.
Be Careful when Clicking – and When Checking Your Mail
By now, most of us have heard about phishing links in emails. We know that if we get a link in an email, we should be suspicious. But it’s not just emails. Links can be sent through other mediums, as well. You might get a text saying to click the link to win. Or the text might claim to be Bank of America and you should click the link to see an important fraud report. Mike has almost clicked on things because they look reasonable. Any time you get a link, be suspicious.
It can come to you through a social network. It can come through text. It can come through your phone on a phone call. There are so many different ways.Mike Cook
Scammers are even going old-school now and sending fraudulent mail. Mike got a piece of mail three days ago that looked legitimate. He called the number, and got a very frustrating process. He spent a long time navigating through an automated menu. At the end, it got to a new things that asked for his social security number to get him to an agent. That’s when he realized it was fraud. Mike has been working with fraud for over thirty years and still almost fell for a fraudulent piece of mail.
For consumers, it’s very difficult. Be hesitant to click on things and be hesitant to give out information. Never feel bad about hanging up the phone. If you don’t click on a link or return a phone call, the world won’t stop. And it might just keep you safer.
Learn more about Socure on their website, socure.com. Mike Cook is also on LinkedIn, and you can connect with him there.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses: Archives - WhatIsMyIPAddress
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
What Is Email Spoofing – And How Does It Work?
Cyber criminals and spammers use email spoofing to trick email recipients into believing that they have received…[Read More]
What Is XSS?
The threat of a cyber attack can strike terror in the hearts of anyone who spends time…[Read More]
Protecting Kids from Online Predators: A Mutli-Factor Approach
As the world does more and more online and our kids are ever more connected, protecting kids…[Read More]
What SQL Injection Is & How It Works
SQL injection is a mechanism that cyber attackers use to interfere with application queries to a database….[Read More]
What Is Wireless Application Protocol (WAP)?
Wireless Application Protocol (WAP) is a packet-switching protocol that was designed for micro-browsers. Most mobile wireless networks…[Read More]
Using Artificial Intelligence in Cybersecurity to Assess Risks
Artificial intelligence technology is growing and evolving rapidly. That presents challenges. With generative AI creating text and…[Read More]