Digital Tells A BioCatch Podcast

BioCatch
  • 5.0 (4)
  • TECHNOLOGY
  • UPDATED MONTHLY

BioCatch presents a podcast on cybercrime and financial fraud, and how Behavioral Biometrics identifies the tells that tip the hands of cybercriminals – and flip the tables on fraudsters. We explore the origins of behavioral biometrics, and applying innovative tech to account take overs, new-account fraud, and scams and mule activity.

Episodes

  1. 08/31/2022

    New Account Fraud with Javelin’s Suzanne Sando

    In Episode 8 of Digital Tells we speak with Suzanne Sando, Senior Fraud and Cybersecurity Analyst at Javelin Strategy and Research. BioCatch recently published a report written on our behalf by analysts at Javelin Strategy and Research titled New Account Fraud A Threat Down Every Avenue. In this discussion, Suzanne discusses many aspects of new account fraud, including identity theft and synthetic identities, stimulus fraud, the rise of Buy-Now-Pay-Later (BNPL), money laundering and anti-money laundering compliance, and opportunities for financial institutions to address these increasingly hot challenges. Peter Beardmore BioCatch recently published a report written on our behalf by analysts at Javelin Strategy and Research. It's titled New Account Fraud A Threat Down Every Avenue. There's a link to the report in the show notes. And in the run up to the report's publication, I had an opportunity to talk with its principal author, Javelins Suzanne Sando. We talked about a range of topics from scams to mule accounts to buy now, pay later, and identity theft, all relating to the challenges institutions face when it comes to new account fraud and strategies for dealing with these challenges. If you're a regular listener to the podcast, you know that normally I script a narrative infused with clips from conversations I've had in preparation for each episode. But for this episode, we've decided to switch it up a little, mostly because I don't think there's really anything to improve upon Suzanne's commentary on all the topics we discussed. So here it is, my complete discussion with javelins. Suzanne Sandow, thanks for taking the time to talk with us today. Suzanne Sando Absolutely. Peter Beardmore So, Suzanne, let's get started with just some introductions. Can you tell us what you do and what your origin story is, how you got to where you are? Suzanne Sando Sure. I wish it was interesting in some of these Marvel movies I've been watching, but. So my name is Suzanne Sando. I am a senior fraud and cyber security analyst at Javelin Strategy and Research. And I've been there about two years prior to getting into the analyst role. I was actually doing a lot of behind the scenes coding work. So I worked for a major financial institution in the U.S. and I did a lot of payment systems, back end coding, worked a lot of personal information, a lot of private data. So I kind of have that technology background that I bring to this new analyst role. Peter Beardmore So you've been working on a number of reports. Javelin just released, a fairly large identity related study, and you're also soon to release. Probably by the time this podcast comes out, we will have released a paper that you've done that's been sponsored specifically by BioCatch can you tell us a little bit about both pieces of research? Suzanne Sando Sure. So the main identity fraud report, the larger report that you referenced, that's something that's in its 19th year and that we've been putting out. And, you know, we kind of take a look at all aspects of identity fraud, both traditional identity fraud and identity fraud scams. And we kind of look at the losses to financial institutions, the consumer impact. Where are the pitfalls? What are the things that some of these industry verticals can be doing better? What can consumers do better to try and mitigate some of this loss that's happening in tandem with what's going on in the world? You know, because obviously we've had a lot going on with the pandemic. I mean, that has just changed every single facet of life. And the report that you mentioned, that's kind of an offshoot of that larger report that I wrote for you guys for BioCatch that's more specifically targeted to new account fraud and how that has sort of taken off between 2020 and 2021. Peter Beardmore Okay. So let's jump right into new account fraud, which is going to be the focus of our conversation today. What are the overall trends related to new account fraud? What are the highlights? Suzanne Sando So 2021 was unfortunately just another year of record losses across the board. Overall, consumers lost 52 billion between identity fraud scams and traditional identity fraud, like, you know, account takeover, existing card fraud, and then, of course, new account fraud that we're going to talk about. And of that, 52 billion, 7 billion is attributed to new account fraud. So if you compare that with last year's losses of 3.2 billion, that's like a 109% increase in new account fraud losses for consumers. You know, I think new account fraud is so attractive to criminals because just the nature of our world and e-commerce and, you know, digital banking activities, it's not going to go away. We continue to get more and more digital centric as that technology advances. So that means that that, you know, attack surface for new account fraud just keeps growing, especially as our daily activities evolve from both, you know, like a necessity and a convenience standpoint. So once you give consumers that convenience, like opening accounts online, applying for loans online, it's so hard to take that convenience away without impairing the customer experience. Peter Beardmore Or impairing your revenue. Suzanne Sando Exactly. Exactly. Peter Beardmore As a as a lender or as a credit card issuer or what have you, for sure. Suzanne Sando You know, we've also noticed that, like, it's not just checking and savings accounts and, you know, credit accounts that are driving this growth. Criminals are going to be motivated by any single thing that puts more money in their pocket. So payday loans, mortgages, even car loans are appealing to criminals. They don't need to know every single piece of a legitimate account holders information. It's just enough to get that application approved and get that fast cash. And of course, like, you know, I mentioned the pandemic, and that's a part of, you know, what we do for these reports. We look at what's going on in the world. The government is not immune to these problems. You have government assistance programs like the Unemployment Assistance Paycheck Protection Program. They're all facing huge issues with fraud. I read recently, I think that it. The Department of Labor reported 163 billion had been, quote, improperly dispersed, which could mean many things. But one thing it for sure means is fraud. It means that a lot of these funds went to fraudulent sources and there's a high chance that this money isn't going to be recovered. So I think the thing to take away from this is that criminals are so crafty in their exploitation and the techniques and the lengths that they're going to go to commit fraud. Peter Beardmore Out of curiosity, you mentioned the Paycheck Protection Program and the unemployment assistance. I just saw a headline recently that talked about the DOJ was had been appropriated some X hundreds of millions of dollars for an investigation related to, I believe, unemployment fraud. Is that good money chasing, bad? I mean, is there anything that's going to come of that, given that those programs are effectively over at this point? What's to be gained by even chasing that do you know? Suzanne Sando You know, part of me thinks that it's sort of a goodwill type of situation where we're trying to make good on these funds that were supposed to go to consumers who were really in need, small businesses who really needed that aid. But the fact of the matter is, if you you know, there's that 163 billion I mentioned, there's a full report from the testimony from the Department of Labor about that, you know, those missing funds. And I believe they mentioned that 4 billion at this point had been recovered, but 4 billion out of 163 not great. So, you know, like I said, I think it's it's a goodwill we're trying, but it's probably going to come to a very not great ending. Peter Beardmore Just for clarity, you didn't mention those numbers, 52 billion and 7 billion in new account fraud? Are those global numbers or those? Suzanne Sando Those are good. Thanks for for asking that. Those are United States. Those are U.S. numbers. Peter Beardmore Okay, good. I just want to be sure. Suzanne Sando Sure. Peter Beardmore And so with the new account fraud, the identity specific new account fraud, do you have any sense for are these legitimate ID legit, these stolen IDs? Are these synthetic IDs? You know, what what are the what are the sources? Suzanne Sando Criminals are using all types of identities between actual stolen identities and synthetic identities to carry out this new account fraud. Some are legitimate consumers. They, you know, have had their information exposed in the data breach. And then it's sold on the dark web for extremely high prices. And then other identities are pieced together using some real consumer PII. And then fake information is kind of thrown in the mix to create that synthetic identity, which then ideally, ideally for the criminal (chuckles) ideally is untraceable back to a real person. So, you know, when it comes to. What… What it is that they're using? I think it always goes back to what's available. You know. Peter Beardmore Let's shift focus here a little bit. One of the big trends we hear a lot about in the news lately and there were mentions in in your reports was related to buy now pay later and also I guess there's some other related fintech type offerings that are out there with respect to making credit more available to consumers in different forms. Can you talk a little bit about what buy now, pay later is and why it it is so attractive to fraudsters? Suzanne Sando That's a great question because I think that there's a lot of gray area around bnpl for consumers. So the main difference between Bnpl and, you know, a traditional credit card like a store credit card is that, you know, your site, you're getting these products by signing up for installments, but there's typically no interes

    30 min

  2. 08/26/2022

    Vulnerable Customers and the Evolving Responsibilities of Financial Institutions

    In Episode 7 of Digital Tells we speak with Iain Swaine, Director of Global Advisory for BioCatch in the EMEA region. Iain reviews four different drivers of vulnerability as defined by the Financial Conduct Authority in the UK, how different regions’ authorities are approaching financial institutions’ responsibilities when it comes to vulnerable customers, the challenges that faster payments present, particularly when dealing with scams perpetrated on vulnerable customers, and how institutions can help identify and protect vulnerable customers by leveraging behavioral biometrics. Peter Beardmore When I was first married in the mid-nineties, my wife at the time was a part time bank teller while she was finishing college. She'd often come home with stories, often heartwarming stories about interactions with all sorts of people elderly clientele. There was a regular in her branch who was cognitively impaired, who worked at a grocery store across the street. He'd come in every week to deposit his paycheck. There was another regular who was visually impaired, and it was evident from her descriptions that she really liked and cared about these people. In all the tellers there, looked out for them, took extra time with them, and cared about their well-being. According to the Financial Conduct Authority definition, a vulnerable customer is someone who, due to their personal circumstance, is especially susceptible to detriment, particularly when a firm is not acting with appropriate levels of care. In the era of digital banking, identifying and caring for vulnerable customers isn't as straightforward as it once was. And arguably, in an age of increasing scams and other financial crimes, these populations are increasingly at risk. The topic of vulnerable customers has continued to gain in frequency and momentum over the past several years. The aforementioned Financial Conduct Authority in the UK, the Consumer Financial Protection Board in the US, the Monetary Authority of Singapore, the Royal Banking Commission in Australia and many other regulatory and standards organizations around the world have been looking at what classifies a banking customer as vulnerable and what sorts of obligations do banking institutions hold with respect to safeguarding vulnerable cohorts within their customer base and the population at large? I recently had a conversation with Ian Swain, who has served as director of Global Advisory for BioCatch in the European Theater for about six years. All the while, the narrative of what makes up a vulnerable customer and how to take care of them has evolved. Here's Iain. Iain Swain The Financial Conduct Authority, which guides the UK bank to put out an advisory last year about vulnerable customers. And it wasn't explicitly looking at fraud. That was one of the things they was looking at, treating them fairly, making sure that they were not left out in this digitized world. And it looked at everything from potential disability. So hearing vision, cognitive impairments, people where English wasn't the native language. It looked to age on their very young teenagers then into the twenties where they might not have the knowledge about the financial world. But of course, the one which is, I think, showing more traction with promoted statutes that the older generation, the non digital natives, you know, the 65 plus where particularly with COVID, they were being forced into a digital world which maybe they were ill prepared for. Peter Beardmore So I learned from speaking with Ian that the FCA had actually gone into some greater detail defining vulnerable customers by various drivers health, life events, resiliency, and capability. So I asked Ian to offer some insight into each of these areas, starting with health. And he started by making the point that vulnerability is not a binary concern. The degree to which someone is vulnerable may evolve over time. Iain Swain I think vulnerability we need to say, is not just a binary vulnerable or not vulnerable could be a trendy thing on health. You could have, say, a chronic condition which might be going to end to life that might actually make you more vulnerable due to that. Or you could be a temporary vulnerability with a health where it could be a short term illness rather than a terminal one. They may not be able to make the same level of choices. And again, that that could be everything from someone who needs a carer to look after them and do that, or someone who's actually who previously been in good health and then have an accident where they're no longer capable of making decisions or the decisions they make can be quite full. Peter Beardmore Okay, so there's health. Let's talk about life events. Iain Swain Okay. Well, life events can be something that happens. It could be similarly, you know, a longer term or shorter term thing. So one life event could be that you and I retired, annihilated another life event could be bereavement. So you have a bereavement and you've just lost a mother, father, child, partner. Where does that leave you? In an emotional state on there. And it covers really things which might cause you not to be capable of dealing with stuff that otherwise it would be in your stride. And I think that that's more of the transient species thing where it's a temporary period of vulnerability. Peter Beardmore So tell me about the resilience category. Iain Swain The resilience. Most of it is around financial resilience. So have you got the fact that you're in debt, you can't actually cope with any financial shocks? Have you got low savings? Have you got your outgoings exceeding your income? Is it erratic? I think resilience is one of the things you have vulnerability, which is going to rear its ugly head globally by Q3, Q4 of this year unfortunately. In Europe we've seen the awful spike in gas and electricity prices because of events. Peter Beardmore Ian touched on a topic that I think will be fodder for a lot of future conversation. If you believe global markets are heading into recession as a result of world banks trying to head off inflation, large segments of the population may soon become less financially resilient than they may have been in recent years. What does that mean in terms of their susceptibility for financial fraud and scams? Finally, I asked Iain about capability as a category of vulnerability. Iain Swain Capability really looking at how well people can actually look after the financial side of their life, both digitally and just in the real world. So do they actually have the knowledge to manage their finances? Have they actually got the numeracy skills to even go back and look at the money flow and looking and understanding where money is going in and out? We've got people who don't have English language skills, but we've considered things like the Ukrainians coming in as a refugee there. They don't know the English. How are they going to cope with some of this? What does the bank need to do to make sure that they are looked after and they can deal with it? Peter Beardmore And so clearly, when you look at health, life, events, capability, resiliency, there can be some overlapping circumstances. And it may lead one to ask, well, how could a financial institution even tell when a customer may be vulnerable and what's their obligation to do anything about it? We'll get to the how in a few minutes. But the what is just as important? What are the obligations? I asked Ian about how governments and standards organizations are looking at this, and not surprisingly, this is an area that seems to be evolving and there are similarities and differences in different countries and regions. Iain Swain Okay. So I think it depends where in the world you are. As I was saying earlier, the UK has taken the lead, the Financial Conduct Authority put out the guidance for its in that to quote, they’re were obliged to treat vulnerable customers fairly with a level of care that is appropriate given for the characteristics of the customers themselves. The Australian Commission put something out there which is more around the mis selling of it, but I think what I've seen, it's not become a regulation yet. They're actually guidances and they're trying to say to the banks, get your hands is in order. If you don't, you're going to get regulation. Peter Beardmore Iain went on to explain that other regions have come at it differently. In Australia, for example, the financial industry has been more proactive, recognizing the effects of hyper digitization and the dangers of faster payments on vulnerable populations. In the U.S., the Consumer Financial Protection Bureau has been slower to act, partially due to political hurdles, but also because the dangers of faster payments and peer to peer payment apps are just coming to the forefront of public awareness. I asked Ian about faster payments. In the U.S. systems like Zelle in Cash App and Venmo come to mind. But while this is a fairly new phenomenon in the U.S., it's been an ongoing issue in Europe and Asia for some time. Iain Swain I think when we look at faster payments, it's literally that instantaneous, real time payments. So that money comes out of your accounts. You press the confirm button and there's a certainty of fate within less than 60 seconds in most of the faster payment systems around the world. And that certainty of fate means that that money is debited from your account real time. It'll go across from a bank to bank network, or in the more advanced ones it will be a hub and spoke mechanism on there, which then routes it through and then it's at the other end they to the other person to actually get access. When we look at that compared to other things, we've got the traditional clearing day cycle, clearing cycle. It was three days, it was more batch driven. I think one of the things about faster payments is that it closes what would have been a gap for people to rea

    17 min

  3. 11/08/2021

    Market Opportunities for Behavioral Biometrics

    The sixth episode of Digital Tells: A BioCatch Podcast examines the market for behavioral biometrics. What are the top challenges in preventing fraud in digital channels, and what technologies are on the radars of fraud practitioners? How do organizations like BioCatch partner and innovate with financial institutions to identify and isolate the Digital Tells that can help detect fraud? And how may behavioral biometrics evolve in the metaverse? Digital Tells’ host Peter Beardmore opens with an account of his recent conversation with Billy Beane from The Oakland A’s baseball organization. His discussion draws parallels between the evolution of baseball in the 21st Century with the game-changing digital analytics that have changed nearly every industry. Tom Field, SVP of Information Security Media Group, discusses the 2021 Fraud Transformation Survey: Detecting and Preventing Emerging Schemes. BioCatch Chairman, Howard Edelstein and BioCatch Co-founder, Uri Rivner share stories of innovating with customer development partners. And Peter Beardmore reflects on future opportunities for gleaning emotional insights in impassive online transactions. Transcript: Peter Beardmore When first introducing the concept of Behavioral Biometrics back in episode 1 of this podcast, we drew a parallel to the story of Billy Beane - the Oakland Athetics baseball team general manager whose adherence to Sabermetrics, a statistical and analytical approach to the game, revolutionized the sport. A few weeks ago, shortly after recording episode 1, I actually had the opportunity to speak with Beane in an event BioCatch hosted. I blogged about it shortly thereafter, there’s a link in the shownotes.  Anyway, I took the opportunity to challenge Beane a bit. Because while he became famous following multiple division championships, a best-selling book and a hit movie (starring Brad Pitt) ~ there’s been a lot of criticism about Sabermetrics kind of - well ruining the game of baseball. There’s this pace of play problem, games are running longer, attendance is down, the fan base is older than those of other sports. And Beane was - unapologetic. He said look - data analytics is revolutionizing everything. It’s not just baseball. It’s every industry. And the game is different. Everyone has access to the same data he has. So a part of the game is now the analysis of every minute decision he and his in-game managers make / on the internet, on sports talk radio. And while Beane didn’t mention them - there’s also fantasy sports and sports betting. In fact in 2019, the last full season before the pandemic, Major League Baseball earned record revenues ~ despite the complaints of purists that attendance is down 14% from its highs.  The game of baseball didn’t end in the early 2000’s and start anew. It evolved, and continues to. And so too does human engagement with the digital world continue to evolve. In this, the final episode in Season 1 of Digital Tells - we’re taking a look at how the market that BioCatch serves - the business of preventing fraud - is evolving. What are their greatest needs? How are their needs changing? And how is BioCatch innovating to meet some of those evolving needs? And finally, how might behavioral biometrics be applied to future opportunities and requirements that stem from the metaverse. That’s a lot to do, so let’s jump right in with a recent discussion I had with Tom Field. Tom is head of editorial operations with Information Security Media Group. Since launching their original property, Bank Info Security about 15 years ago ~ ISMG has expanded to 34 media properties and an audience of 950 thousand security leaders. ISMG recently published a study that BioCatch sponsored, there’s a link in the show notes, about the latest fraud trends, and the top priorities and challenges for fraud practitioners. I asked Tom about the challenges fraud practitioners are dealing with ~ particularly around choosing and implementing technology that prevents fraud ~ while ensuring that that same technology isn’t also preventing business.  Tom Field Well, great question, because we asked, what are your top challenges in preventing fraud attacks, particularly in the digital channels and tied for number one, were the lack of resources or budget to be able to adopt new fraud prevention tools? And that's no surprise. Nobody ever has enough financial resources and there are more tools out there now than anyone could can hope to account for. So lack of resources, number one. Tied with that limited visibility into the risks introduced by new digital technology, for instance, faster payments platforms. And again, so much of this comes back to the digital transformation where your employees and your customers alike are more remote, more digital than ever before, and you're just challenged to be able to understand which users, which devices, which applications you're dealing with. So no surprise with visibility that's consistent. But coming right behind that, a percentage point behind that was increased customer friction due to multifactor authentication or other controls. And it tells the story that our respondents are challenged because they do want to add extra controls, but they're extremely concerned about putting off their users to the point where they abandon a transaction or abandon the company altogether. So it's a top three challenge. Peter Beardmore So that friction issue is a recurring one, right? We seem to be at this point in the evolution of our digital lives where it’s easy to apply technology to stop the bad stuff, but if you can’t apply it with some degree of surgical precision, you can easily kill the patient / or perhaps to be less dramatic / ruin the relationship. Tom Field You know what doesn't come out in the survey, but we understand is that the landscape has changed considerably. Customer expectations now are whether I'm dealing with my bank, whether I'm dealing with my grocery store, whether I'm dealing with my favorite Chinese restaurant. I expect the same digital experience I get from Netflix, Hulu and Amazon. Peter Beardmore So are these problems insurmountable? Are financial institutions confronting the challenge? Tom Field You know, I think there's a couple of things you can be encouraged about. One is that of all the respondents we had, only three percent reported that they would see a decrease in funding for anti-fraud in 2022. So 97 percent of respondents are expecting at least level funding, if not significant increases. So I celebrate that, first of all. Next, when you look to what they want to add in the next 18 months, transaction analysis and monitoring tools, behavioral biometrics and analytics, device ID and intelligence, cross-channel fraud detection, physical biometrics, voice, facial fingerprint. And so that tells me that there's a much smarter approach to anti-fraud controls, looking less at what somebody knows and more who somebody is.  Peter Beardmore Financial institutions are moving forward. They are confronting challenges. They’re looking beyond the limitations of historically binary account data and credentials (what somebody knows - inherently stealable information) - and bridging that data with ‘who somebody is’ - for purposes of preventing fraud - yes - but there’s much more opportunity that comes with understanding your customer. Speaking of customers ~  How do organizations like BioCatch evolve to meet customer needs? How can behavioral biometrics evolve to identify new opportunities and solve new problems for financial institutions and digital channels. You may recall meeting Uri Rivner in our first few episodes. Uri is one of BioCatch’s founders. When I interviewed Uri he told me a story that illustrates how BioCatch and our customers collaborate, share relevant data, and use that information to zero-in on the Digital Tells that indicate out-of-the-ordinary behavior. In this case, BioCatch was working with a new customer, a big online payments provider, It was the early stages of implementation, and we were fine-tuning behavioral biometrics on an ecommerce platform servicing small business websites. One of those businesses was a manufacturer of paper straws. Here’s Uri. Uri Rivner This was an e-commerce company in San Diego selling paper straws. And of course, in California, you have to use paper straws rather than plastic straws. Right? Normally you buy a pack. You know, if you're a restaurant, you can buy a crate. Full crates, OK? Ten thousand straws. There was a huge order that was made using that platform. I'm talking about twenty five thousand dollars worth of straws, all sorts of straws. Sixty two crates. And all of these crates had to be shipped very urgently with a huge shipping bill. Ten thousand dollars of shipping to the island of Tuvalu. Where is Tuvalu? It's an island in the Pacific Ocean. It is eleven thousand people. They don't need that many straws. Peter Beardmore Ok, so once you know where and what Tuvalu is, any human being can deduce that there may be fraud afoot, right? But for non-intelligent IT and ecommerce systems, not so much. And, well, I should cut to the chase, this wasn’t a success story, initially anyway. The transaction went through. Uri Rivner They allowed the money to move and then they actually were curious about that specific case. So they called the merchant and asked the merchant, this paper company can tell us about this interesting order to Tuvalu said, yeah, the guy told us that they have like a resort in this Pacific Ocean Island and they need a lot of straws. And, you know, the shipping bill was like crazy, like ten thousand dollars. But they give us a corporate credit card and it went through. So once the money was inside their accounts, our account, the merchant account, we got a phone call from from that person. And they were saying that they made a mistake, a terrible mista

    21 min

  4. 10/26/2021

    Are You a Mule?

    The Fourth episode of Digital Tells: A BioCatch Podcast dives into the phenomenon of online money mules. What is a mule? How does one become a mule? Why do or why should financial institutions care about mule activity? And what can be done to detect mules? We open with commentary from Julie Conroy, Head of Risk Insights and Advisory at Aite-Novarica Group. Julie discusses the role of money mules inside criminal organizations and introduces some different mule back-stories. Digital Tells’ host Peter Beardmore digs deeper into 5 mule personas. BioCatch’s Raj Dasgupta explains the regulatory and reputational risks that mules represent to financial institutions. And John Paul Blaho, Senior Director of Product Marketing, shares a look at how behavioral biometrics can enhance mule account detection. Transcript Peter Beardmore Are you a mule?  So, the title of this episode is admittedly a bit preposterous. If you’re listening to this podcast, it’s doubtful you're a money mule (or a drug mule, or an actual mule for that matter). But the point I’m attempting to make with this title is that there are different kinds of mules out there ~ ranging from the completely complicit (let’s just call them criminals) to the vulnerable / gullible victims of scam activities that we’ve discussed in previous episodes.  The FBI defines a money mule as > Ok, that makes sense, right… I mean if you’re going to make money scamming people, stealing, selling drugs, human trafficking ~ that money’s got to get someplace where you can eventually retrieve it, right? ~ ideally below the radar of authorities ~ or even better ~ laundered sufficiently so the proceeds can be spent or invested without drawing the attention of law enforcement.  In episode 2 Tom O’Malley walked us through all the specialized functions in a cyber criminal syndicate that the U.S. government prosecuted a few years back. Remember there were malware developers, crypters, spammers, bulletproof hosters, account take over specialists - and then there were these cash-out specialists. These were the people who ran the money mules - they had these networks of accounts where money could be moved quite quickly - beyond the reach of the direct victims, their financial institutions, investigators, and authorities.  On this episode of Digital Tells - A BioCatch Podcast - we’re taking a look at the mules themselves. What is a mule? How does one become a mule? Why do or why should financial institutions care about mule activity? And what can be done to detect mules? Act 1 Julie Conroy is the head of risk insights and advisory for Aite-Novarica Group. She advises financial institutions, vendors, and merchants about risks relating to fraud and financial crime ~ strategies and tactics to mitigate those risks ~ and what that all means for customer experiences. I spoke with Julie recently about how financial institutions are struggling with mule accounts, and I asked her specifically about the spectrum of mule personas that I mentioned earlier. Julie Conroy You have this organization of functions in financial crime, just as we do on the side of the good. And so you do have some people that are specifically leveraging stolen identities, synthetic identities to open up your accounts with the express purpose of exiting these funds. You also have folks that have been brought over on visas, and they're using their identities for a period of time to open up accounts. And then after those accounts have been used to serve their muling purpose for a while, they go back to their country and there's no consequences, really. Somewhere in the middle, you have people that respond to the make money in your sleep signs. They know ultimately that this isn't quite right, but they are still using their own identities in order to help facilitate the mewling. And then at the other end of things, you have people that truly have been duped by romance scams or other things into opening up these accounts, facilitating the sending of funds and truly don't know that what they're doing is facilitating financial crime. Peter Beardmore At BioCatch, we’ve actually developed personas to help us bring some clarity to the spectrum of mules – from the more complicit to less complicit – we’ll share a link in the shownotes. OK, so let’s briefly discuss these personas: There’s The Deceiver – who opens an account specifically to perpetrate fraud – The deceiver is obviously the most complicit on the spectrum. Then there’s The Peddler – who sells their genuine bank account to a criminal There’s The Accomplice – a willing participant who’s chasing an “easy money” opportunity. There’s The Chump – who executed a transaction believing the money is clean – this is your prototypical scam victim. And then finally there’s The Victim – a victim of credential theft, unaware that there’s even been a break-in – The Victim obviously the less complicit persona. As I started to research these personas, a couple things struck me. First – with the exception of The Deceiver – the most complicit, and The Victim – the least complicit –  the others – The Peddler, The Accomplice, The Chump,  – they’re all kind of Sad, right? I mean, these aren’t societies winners… people basking in their own success? ‘living the dream’ so to speak? More likely – they’re desperate – They’ve fallen for easy money or get rich quick schemes – or romance schemes – and they’re either desperate enough to knowingly sell their own identity and accounts – or desperate enough to live with the ambiguity that they may have involved themselves in a criminal enterprise – or their just gullible – I mean, if you’re gullible enough to execute a transaction for a stranger on the internet - believing nothing is wrong – could that possibly be the only time someone has taken advantage or exploited you?  I’m reminded of that Clint Eastwood character in his movie The Mule that came out a few years ago. This very old man, clearly he’d made a slew of bad decisions in his life, and realizing in his final years that he was destitute – his home was foreclosed - and he’s alone / his family had lost faith in him and his x-wife (with plenty of justification) was rubbing his nose in his failures – but with just a glimmer of hope for redemption with his family and friends - he made a naïve decision to earn some money – and then around the time he realizes what he’s doing and who he’s involved with – the draw of all that money takes over – and the bad decisions just spiral.  And then the second thing that struck me, when I thought about the actual online behavior of money mules. Well, there are elements of the account take over problem we discussed in episode 2 – there’s some of the Account Origination and identity theft issues we discussed in episode 3 – and the scams we explored in episode 4 are pretty thick here too. So as complex as the mules themselves are, so too will be connecting the dots through a continuum of online activity.  What are the digital Tells of mules? Well, before we get to that, there’s another important question we need to ask.  Act 2 You may recall meeting Raj Dasgupta in an earlier episode. He’s director of fraud strategy at BioCatch. I asked Raj – Do Banks even care about mule accounts? And if so, why? Raj Dasgupta The banks do care and they're required to care because of regulation. So if there is money laundering activity going on within their account base, they're responsible for it because by law, they're required to look into suspicious activity and report that activity and take action. If they're not there, then inadvertently playing a role in money laundering and money laundering can be used to fund a variety of fraudulent activity, criminal activity, including terrorism. So there is a very strong responsibility on the part of the banks to make sure that money laundering is not happening within their account base. It's against the law. And if they are not following the law, there can be heavy penalties and fines levied on them. And then, of course, there's a reputational issue. If you are known to not pay attention to mule activity going on and it's all bringing you a lot of negative press, you wouldn't want that. But that's on the softer side and the hard side. If you've not followed the law, there will be real dollar value impact in terms of fines and fees. Peter Beardmore So there’s regulation and reputation. And those are good reasons – reasons that have been around for a while. But as Julie Conroy explains – there are market dynamics at play that have accelerated the urgency for financial institutions to focus on mules. Here’s Julie: Julie Conroy It was something that we at Aite group had been seeing building even prior to 2020, as you have faster payments spreading across countries across the globe. And so, as we've seen faster payments hitting large markets like the US and Canada, even in 2019, we were seeing a greater emphasis on desire to invest in mule detection technology in those countries. Then you bring 2020 and add a massive global pandemic and the hundreds of billions worth of stimulus that were pumped into ecosystems around the world and the fraudsters quickly responded. And what we saw was as you were stealing hundreds of billions of dollars from things like unemployment claims from small business loan programs, you need a very robust new network to exit those funds from the system. And so we have a couple of bodies of research that just showed market increases in mule activity during the pandemic and carrying into 2021. And with that, you know, that only further emphasized the importance from a financial institution perspective to start building. More robust controls to detect this activity, both because many believe that there is a moral obligation to be stopp

    19 min

  5. 10/19/2021

    Falling Victim to Scams

    The fourth episode of Digital Tells: A BioCatch Podcast focuses on scams and social engineering. Why is there so much scam activity these days? Why are these scams so successful? And what, if anything, can financial institutions do to help protect themselves and their customer? We open with a first-hand story of a brilliant social engineering, told by Coby Montoya. Tim Dalgleish discusses some of the Digital Tells that may indicate scam activity. And Ayelet Biger-Levin explains the layers of machine learning and analytics that converge to detect scams.   Transcript Coby Montoya  Sometime in fall in 2019, I was working from home. Middle of the workday, I received this text message from it says it's from Capital One. It says, Hey, there's been a charge on your card at this Wal-Mart in California. Is that you? Yes or no? I said no. I responded back. And I immediately took out my Capital One card and looked at the back, called the phone number in the back to report this, you know, hey, this definitely was not me. Peter Beardmore  The voice you were just hearing if from a gentleman I met recently. He’s a professional, in his late 30’s, lives in Arizona.. and the scenario he’s discussing not uncommon. It’s happened to me. It’s likely happened to you… but this story gets interesting…. Coby Montoya  So as I'm on hold, I receive additional texts. Says, OK, this wasn't you type one if you would like someone to call you instead of having to call and sit on hold. So again, middle of my workday, you know, this is much easier for me than having this on hold. So I said, Sure, have someone call me back a few minutes later, actually, probably less than a minute. I receive a call back and the phone number was, you know, same phone number for my Capital One card. And so I let them know, Hey, this was not me. You know, I identified myself. I authenticate myself, providing some basic information, and they say, OK, well, we can send you a replacement card. We'll deactivate this one. It's going to take about three to five business days to receive this card. It's actually a card I use very frequently. So I ask them, Hey, is there any way you could send this out sooner? They said, Well, we can. There's a fee that comes with that, but you know, you just experienced fraud. So we're going to go out and waive that fee for you, right? All right. Great. Good experience. And I appreciate it. And so they said before we send this replacement card out, however, when to need you to verify the address we're going to send it to. We're also going to send you a one time passcode just to ensure that it's really you were speaking with. And so I said, OK, you know, waited for the code. Thirty seconds later, I receive a one time passcode to my phone number. I read it back to them. They said, Great, thanks. We're going to go ahead and send this card out to you. And that was that. So I thought, All right. Minor annoyance. You know, no one likes fraud on their card, but it took me about 10 minutes, three songs. So I thought, All right, I'm good to go. Later that evening at home watching TV with my girlfriend and all of a sudden I received a notification from my Capital One mobile app that says there's been a charge at a Wal-Mart in California. So I'm based in Arizona, right? So this is definitely not me. It's kind of annoying that, you know, I was like, Hey, we just talked about this. I just resolved this with Capital One. Why are they approving charges on a card that has been reported as compromise? So I called CapitalOne ready to be, you know, just explain to me, Hey, guys, you shouldn't be approving these these charges. I reported this as a as. And as I speak to someone, they say we don't show any sort of interaction, so we contacted you at all today. I go, Are you sure about that? Yeah. Let me check a different system. They check a different system. No, no interactions. And so I'm a little skeptical. I just talked to someone hours ago. This, you know this. This can't be the case. I know I spoke to you guys. So I ask, Okay, I know you're doing the best you can do, but can I please talk to a supervisor? Maybe they have access to a different screen that you don't have access to, you know, respectfully. And so I'm, you know, hold for another 15 20 minutes, but not speak to a supervisor. Same situation. So I go, OK, is there someone in like a security risk fraud department? OK, yep, I'm transferred there. Same thing. So I learned that they actually didn't contact me. So I'm really puzzled by this, and I realized sort of in real time that actually a fraudster, you know, a bad actor or criminal actually contact me to essentially social engineer me. Peter Beardmore So, obviously, this was a pretty good scam. And, I mean, stuff like this happens every day right? But here’s the really interesting part… That voice you were just hearing is Coby Montoya and well, let me let him introduce himself… Coby Montoya My name is Koby Montoya. I work in fraud and security, and so I've been doing so forabout 15 years now, and I've worked on the merchant side. The card issuer, side,payment network side and the front vendor side. So I have a fairly broad lens when itcomes to fraud risk management. Peter Beardmore Coby’s actually being modest. He’s a fraud expert, who’s worked for some of the biggest financial services companies in the world, helping them to manage risk and fight fraud.  So the next time it happens to you – or when your elderly mother tells you she got scammed again – go easy on her. It happens to even the best. In fact social engineering scams are on the rise globally. According to the U.S. federal trade commission, imposter scams were the #1 type of fraud reported by consumers last year. And most of these scams were carried out over the phone – with losses reported around $30 Billion. A few weeks ago I registered some domain names in preparation for launching this podcast, and for some reason I didn’t get the privacy settings right. About a week later my phone started ringing off the hook – at least a dozen calls every day – about half from would-be web developers looking for work – the other half, dire warnings about my fraudulent payments made from my accounts, messages of accounts past due, a lottery win, and a few were for what would apparently be life changing opportunities. Why is this all happening? In some cases it’s pandemic related. But mostly, it’s just because it works. And as evidenced by Coby’s story – scammers are convincing and very clever. And they prey on human nature and emotions. And for financial institutions this is a major problem. Because in some cases they’re liable to refund losses to consumers – in other cases they’re not, but might still make refunds anyway… just to protect their brand and their relationship with the customer – and in some cases the guidance from regulators is changing. In this episode of Digital Tells we’re focusing on scams and social engineering. Why are they so successful? And what, if anything, financial institutions can do to help protect themselves and their customers. In previous episodes you met Tim Dagleish from BioCatch – he’s been working with financial institutions throughout his career, and has a deep understanding for what’s crucial for banks when dealing with reported scams.  Tim Dalgleish So, yeah, there's a whole remediation process with a financial impact operation impact and customer experience impact because its customer life cycle. When you're a victim of fraud, it can go one of two ways. As a banking customer, as a bank, if you do a great job in looking after that victim and getting them back to to normal or protecting it, then that's the storey they tell at every barbecue for the next six months and tell their friends. If you do a bad job of it, that's a bad story that they're going to tell to their friends and they might even change banks. So it's a really, you know, life cycle with a relationship with a customer. If you get from right or wrong, you can typically go one or two ways. So it's really a critical, critical point in the relationship. Peter Beardmore So I want to stipulate for a moment here, particularly with respect to scams and social engineering that there are hundreds, if not thousands of angles that scammers can take. And they’re constantly iterating and improving. Some are better than others, you just heard one – we could share dozens of others, but this is supposed to be a twenty minute podcast – but what I’m getting to here is there’s a myriad of cash-out schemes from scam to scam. In some cases the scammer may literally lead their mark to transferring money, maybe even coach them how to do it – without ever getting a credential or gaining direct access to an account. In other cases – those credentials or account numbers are exactly what the scammers are seeking – and then that leads to the Account Take Over Fraud and Account Origination fraud issues we discussed in previous episodes. And in still other cases… the scammer convinces the victim to give them control over their account, in the middle of the session, after they’ve already legitimately logged in. Maybe get them to download a Remote Access Tool or malware – giving control of their phone or computer to the scammer ~ essentially giving them free reign ~ but following a perfectly legitimate log-in, from a known device, and probably from a known IP address.  With all these potential combinations of interactions and outcomes, you it might be hard to believe that there’s some magical algorithm to throw the brakes on any of it. And you’d be right. But let’s think a little more deeply about this. About what the victim actually experiences. Let’s say you’re on the receiving end of a scam? Maybe someone’s contacted you, they say they’re from your bank, it’s about some suspicious payment activi

    19 min

  6. 10/12/2021

    Detecting Account Opening Fraud

    The third episode of Digital Tells: A BioCatch Podcast tackles the global epidemic of identity theft, and the resulting fraudulent accounts that ruin personal credit ratings, perpetuate mule activity and money laundering, and drain institutions of $Billions annually. Tom O’Malley joins us again to discuss why most account opening fraud occurs online. Raj Dasgupta from BioCatch, discusses the peculiar online behaviors exhibited by cybercriminals, versus those of genuine account applicants; The Digital Tells that help Behavioral Biometrics distinguish between criminal and genuine activity. Ayelet Biger-Levin discusses BioCatch’s newly-announced Age Analysis Capability. And Howard Edelstein shares a story of account opening fraud detection that has become BioCatch lore.  Tom O’Malley, a retired U.S. Department of Justice financial crimes prosecutor, founded a website, FrozenPII.org, which helps consumers protect their identity. Check it out! Transcript Have you ever been the victim of identity theft? Ever applied for a loan or a credit card, only to find out someone else has masqueraded as you and negatively effected your credit standing? Identity theft and new account fraud is a global problem. If you live in the United States, chances are you’ve been a victim – and if not ~ it’s likely someone close to you has been. I was chatting with Tom O’Malley, the former federal financial crimes prosecutor you met in Episode 2, and we were discussing identity theft. The U.S. federal trade commission reported recently that $3.3B was lost in 2020 due to identity theft – that’s nearly double the $1.8B lost in 2019.  And where are those stolen identities put to work? well, online of course – in the form of new accounts – credit card accounts, lines of credit, deposit accounts, you name it. Here’s Tom O’Malley Tom O'Malley Most often they're being opened remotely because it presents a little risk to the person who's opening an account. I mean, if you show a physically token something besides whatever documents you present, which are going to be fake driver's license, et cetera, you put yourself as a criminal at risk because there surveillance cameras. Nowadays, there's the ability to match surveillance footage with driver's license, facial recognition, driver's license. So typically criminals are not going to do this physically in a branch bank. They're going to do it remotely and they can do it remotely from anywhere in the world and depending on a bank's processes and fraud methods to detect fraud, it can be done from anywhere in the world, even though they're supposed to be a customer in the United States, opening up a bank account. This is interesting, unlike the scams and account take over stories that we discussed in earlier episodes – crimes that disproportionately target older folks – Identity Fraud victims are more likely to be young… like under 40. In fact, in 2019 of the 1.6 million identity fraud reports in the U.S. – 44% were from people between the ages of 20 and 29. According to Equifax Canada, nearly half of all suspected fraud applications are for those between 18 and 24.  Ok – so – somebody gets ahold your personal information, enough to open a credit card account in your name. Maybe they obtained your personal info on the dark web – maybe it was originally stolen in some big corporate data breach. And then that info, your data, is applied to an online form to open an account. Oh, by the way – it might not be a credit account – it could be just a bank account, so instead of obtaining false credit in your name – is used for shuffling money between accounts – for scams – or mule activities – both issues we’ll be taking a closer look at in later episodes.  For this episode of digital tells, we’re taking a close look at the act of opening fraudulent accounts. Which, for those of us who have been victims, happens silently in the background… Before that heart-in-your-throat moment when you realize your credit rating has been ruined… or perhaps even worse, you’re contacted by law enforcement about scams or mule activities perpetrated in your name. Also – very important note here – your credit rating – or mine for that matter – isn’t the only fall-out of identity theft. Financial institutions, credit issuers, they’re the ones usually taking the hard financial losses. A study released earlier this year by Javelin Strategy & Research, reported that combined fraud losses climbed to $56 billion in 2020 globally. Of that, traditional identity fraud losses totaled $13 billion.  Well, back to that initial account opening, in episode 2 we got a glimpse into the sophistication and scale of cybercrime syndicates…. Scale meaning LOTS of accounts and lots of victims. It’s sendom just one account, rather it’s usually hundreds or even thousands of accounts opened in each campaign.  And therein lays an opportunity for institutions to differentiate between legitimate and fraudulent applications. The Digital Tells of fraudulent applications – if you will. Act 2 My colleague Raj Dasgupta and I were recently talking about what typically happens during the act of applying for fraudulent accounts. Raj is the Director of Fraud strategy at BioCatch, and has two decades of experience in the trenches – dealing with identity fraud issues at organizations like TransUnion, HSBC, and Symantec, among others.   OK, so before I go to Raj – for just a moment – think about what you do when you open an online account… maybe your taking advantage of a great credit card deal with lots of hotel rewards points. Then put yourself in the seat of one of these highly specialized cybercriminals we discussed in episode 2 – how would you go about your job of applying for multiple fraudulent accounts – hour after hour – all day long? OK – here’s Raj -   Raj Dasgupta Yeah, sure, I think copy pasting in online interaction can be on two different scenarios. One is account opening where you are copy pasting stolen information or made up information onto a form which is used for a new account opening. And it can be copy pasting the name, address or certain parts of the PII, quite likely from an application like an Excel sheet where you have all the stolen data. And within that copy pasting behavior. One is it's unusual for somebody applying for a new account to be copy pasting their own data. And the other is there can be copy paste and then erasing the pasted data, putting it in another form. As I was saying, it could be that the first name, last name are together in the Excel sheet. It's copied over to the first name field and then you cut the last name and place it in the last name for you. Very, very unusual scenarios or online behavior.  Peter Beardmore Let's transition to somebody actually reading this information. Right. So it's like long term memory versus short term memory. Can you can you talk about that a little bit? Raj Dasgupta So again, imagine in the context of account opening, you're typing in your name and address, Social Security number. You've been doing it for many, many years. It comes very fluently. You can type all the nine digits in at a steady cadence without stopping or without having to delete any digit and retype it in because you're essentially pulling it out of your long term memory and typing in the fraudster has stolen that information from somewhere else. That information does not belong to them. And they're either copy pasting the Social Security number or the name or address or typing it in. But because they're not familiar with that data, they'll make mistakes and they'll correct those mistakes. And then there type it again.  Peter Beardmore So that behavior – cutting and pasting – the pace and pauses exhibited when entering personal information – those are just some of the Digital Tells that are the underlying indicators for behavioral biometrics to distinguish between genuine and fraudulent online account opening. In episode 2 we met Ayelet Biger-Levin, VP of Market Strategy at BioCatch. Later in the conversation we featured in episode 2, she went a little deeper into some of these indicators, and how BioCatch technology can make those distinctions. Ayelet Biger-Levin Some classic examples of the way that with this type of technology, we can distinguish between cyber criminal activity and genuine activity is by looking, by profiling the population and detecting differences between activities that correlate with fraud or correlate with genuine activity. So, for example, one thing that we observe when we track account opening activities is that there is a big difference between a cyber criminal and a legitimate actor and their familiarity with the process. A cyber criminal will be very, very familiar with the account opening process because they open many, many accounts every day. So they'll be very familiar with what are the mandatory fields. When you have a dropdown, they don't stop to select fields. They just go really quickly. They don't read the Ts and Cs, they won't select a credit card design. They'll just go very, very quickly and fill out the form, whereas the legitimate user will read the terms and conditions, will select their favorite credit card design, will think about their annual income, will select their interest rates and make decisions and selections. The process will be much longer. So that's one example.  A second example is familiarity with data. A legitimate actor will be very, very familiar with their personal data. And when someone uses the data that they're familiar with, they will display use of their long term memory. So when they type, they will type continuously without pauses and they will, of course, know the data they might have Autofill, which is legitimate, and they'll enter the data fairly quickly. However, cyber criminals, when they need to enter personal

    23 min

  7. 10/04/2021

    Facing Account Take Over Fraud

    The second episode of Digital Tells: A BioCatch Podcast looks at how sophisticated cybercrime networks perpetrate mass account take over fraud. Former U.S. federal prosecutor and consumer identity expert Tom O’Malley shares an overview of the GozNym cybercrime network, from which three members were prosecuted in 2019. We also talk with Jonathan Barnes, a retired attorney who discovered while on vacation that his personal bank account was being drained by cybercriminals. Finally we speak with Tim Dalgleish and Ayelet Biger-Levin, both of BioCatch, to discuss both the tactics of cybercriminals and the ‘Digital Tells’ that may help to identify account take over fraud.  Tom O’Malley founded a website, FrozenPII.org, which helps consumers protect their identity. Check it out!

    20 min

  8. 10/04/2021

    Discovering Behavioral Biometrics

    The inaugural episode of Digital Tells: A BioCatch Podcast explores the origins of behavioral biometrics with BioCatch founder Uri Rivner and Chairman and CEO Howard Edelstein. The episode begins with host Peter Beardmore’s visits with his elderly mother and aunt, both having recently been targeted by scammers. Their stories illustrate the prevalence of cybercrime and scams throughout society, and the need for innovative solutions to help protect consumers and financial institutions alike.  The concept of technology that can use the ‘Digital Tells’ of online behavior (mouse movements, typing habits, etc.) to validate users or determine fraudulent intent may seem like the stuff of science fiction. In fact, it initially did to some of the leaders of BioCatch. But today, it’s real, preventing over 6 million fraud incidents per year and protecting hundreds of millions of people.

    21 min
  • 8 Episodes

Ratings & Reviews

5
out of 5
4 Ratings

About

BioCatch presents a podcast on cybercrime and financial fraud, and how Behavioral Biometrics identifies the tells that tip the hands of cybercriminals – and flip the tables on fraudsters. We explore the origins of behavioral biometrics, and applying innovative tech to account take overs, new-account fraud, and scams and mule activity.

Information

  • Creator
    BioCatch
  • Years Active
    2021 - 2022
  • Episodes
    8
  • Rating
    Clean
  • Copyright
    © Copyright 2026 Digital Tells A BioCatch Podcast
  • Show Website
    Digital Tells A BioCatch Podcast