This is a guest post from Zack Pumerantz, fraud prevention manager at FanDuel. At FanDuel, Zack is responsible for proactive investigation, chargebacks, reporting and training his quickly growing team of cyber crime specialists. Zack’s team brings to the table a ruthless drive to catch criminals, a focused approach and team chemistry reminiscent of the ’96 Bulls. Connect with Zack on Twitter @zpumerantz.
Everyone’s favorite cousin Vinny once noted that when you “look at the bricks from the right angle, they’re as thin as this playing card.” While he was specifically referring to the bogus case the prosecutor had put together against Billy Gambini, he was most importantly highlighting illusion – and illusion is the very essence of cyber crime.
It’s been my experience that conversations with potential cybercriminals start off calmly, with both parties speaking professionally, and everything seems smooth. But as soon as you poke a bit and some open-ended questions, essentially looking at the bricks from different angles, you soon realize that there’s nothing there. This is not uncommon with today’s infamous cybercriminal.
With the rapid popularization and development of the Internet, a cesspool of online possibility has opened for nefarious individuals with an eye for rampant security gaps. They seek out both consumer and merchant vulnerabilities, featuring but not limited to basic computer infections, software designed to encrypt an individual’s data until a ransom is paid, brute-force denial of service attacks that cripple websites, and Trojans – programs appearing benign yet masquerading as viruses.
It’s becoming increasingly clear that even the most sensitive data and darkest global secrets can never be truly safe. Because of all this information availability and sharing, cybercrime is a blossoming industry; one that is clearly lucrative and superficially repercussion-free, given most merchants’ lack of understanding, manpower, and data, along with somewhat arbitrary jurisdictional restrictions.
On the victim side, the “online” universe has helped mold an “instant gratification” mindset geared toward quickly obtained, albeit not always accurate, information. This mindset can lead to innocent clicks of bad links (phishing) or taking the bait in scam swamps. Even extortion using online tactics is an attractive possibility for criminals who face little resistance or potential repercussions.
But to catch a criminal, one must think like a criminal. This has never been more true, especially when it comes to understanding how emerging technology affects human behavior and the decreasing need for quality interactions. Now that fraudsters have settled into the comfort of crime over the Internet, they’ve lost some of the human wit needed to deal with actual human interaction when faced with adversity. That’s where merchants and their fraud prevention experts can gain an edge: Communication and interrogation.
To protect the e-commerce world, forensic psychology, or the application of psychology to the law, is still very much in play when handling potential fraudsters and understanding criminal behavior.
Knowing the Flags and Catching the Criminal:
We’ve reviewed the flags in our previous post, “Lock It Down and Smarten Up – Best Practices for Online Security,” but now we put them to use. It’s time to wrap our net around potentially bad actors by first partaking in off-site due diligence to get a sense of who the individual is versus what he or she says.
Once you’ve deemed an individual or transaction to be potentially fraudulent, you take the next step in shutting the user out until you can come to a truer conclusion. However, what if there’s no trace on this individual away from your site and you can’t pull any information on said individual?
This is the point where we contact the individual and any potential partners in crime and ask professional and straightforward questions to request verification and clarification. We use questions and make statements such as “Please clarify this for us,” “Can you confirm these actions for us?” and “Who does No. 2 work for?”
Now it’s time to pull on the strings of our inner psychologists and start digging for more. But not only do we dig, we start asking the individual to fill in the blanks and complete the same story for us in various ways. To best assist with this conversation, here are several useful tips:
- Be sure the information and previous correspondences with the user are documented appropriately – It’s important to provide accurate information and be sure you have the whole story (i.e. linked individuals, payment(s) used, emails used) – if unsure of the risk involved, do not provide details that the user hasn’t first mentioned or confirmed.
- Do thorough research – I want to call this one ‘conviction’ since it’s essentially confidence in what you’ve found. Not to be confused with stubbornness, thorough research helps confirm beliefs that you have about this individual from their behavior. When engaging in discussion/questioning of a potential fraudster, you need to make sure you have the facts to back up what you say. (Note: this also helps when dealing with false positives because if the individual turns out to be “good,” they still understand what was perceived on the merchant end and understand the action taken was to protect, not inconvenience).
- Be patient – Once you start steering the discussion and asking for more relevant detail or clarification, you’ll soon see bits of strangely exaggerated frustration. This is not to be confused with normal customer frustration, but instead an almost threatening tone of impatience. Don’t be accusatory or arrogant; be patient.
When confronted with honest information, thorough research, and a line of questions they may not have expected, fraudsters will show their true colors. They are always in a rush trying to improve their return on investment and maximize their time, so once they’ve exhausted their first level of explanations, they’ll likely be running on fumes and be out of energy/substance. Here’s where their frustration and belligerence sets in – seen through responses with random capital letters, run-on sentences, misspellings, and aggressive punctuation (often exclamation points!).
So be like the Marcus Allen-led Los Angeles Raiders in 1991 and slow the pace down. Patience is the road to understanding, and understanding the mind of your fraudsters is one of the best ways to make them hit the road.