Expert cybercriminal gaining illegal access to computer network in data center

AU10TIX report goes inside the mind of the professional fraudster

A look behind the numbers in AU10TIX’s Q2 2023 Global Identity Fraud Report gives clear insight into the mind of the professional fraudster. The report analyzed millions of global transactions from April through June 2023 to identify industry-specific patterns.

Organized ID fraud in North America surged by 44% in Q2, growing from 1.8% of all attacks in Q1 to 2.6% in Q2. AU10TIX speculates this is driven by economic recovery and inflationary pressures. But as we will see, only certain fraudsters focus on North America.

Asia-Pacific is a ripe target, with more than 4% of transactions flagged as an ID fraud attack. Some Asian countries employ good fraud defences, but others are notoriously poor. Attack rates in Europe and South America are 1.5% and 2%, respectively, thanks to their crosschecking of identification against government databases.

Crypto is extremely low-hanging fruit

Cryptocurrencies remain easy targets, with 47% of attacks happening in that sector. AU10TIX’s chief business development officer, Ofer Friedman, said that the high rate is due to many factors, including high-profit prospects and perceived anonymity. Add many new companies and exchanges with questionable defences, and you get many prime targets.

An ominous warning for payment service providers

Payments, at 32%, and commerce, at 12%, are the following two most popular sectors, with banking far behind at 2%. Like cryptocurrencies, payments have many young companies with varying abilities to invest in security. Banking invests more in security and has closer regulatory scrutiny than payments.

Ofer Friedman said the entire payment service provider industry is vulnerable to fraud.

“An undeniable indicator of the flourishing success within the realm of payment service providers (PSPs) is the heightened susceptibility to financial crimes,” the report states. “If left unaddressed, this susceptibility could jeopardize the very existence of PSPs. Regulatory scrutiny is inevitable as perceived vulnerabilities in the controls implemented by electronic payment platforms draw regulatory attention.

“Rather than passively awaiting new regulatory mandates, PSPs can take proactive steps by assimilating insights from the banking sector’s experiences and leveraging AU10TIX’s technological expertise.”

Friedman speculates that most payment service providers don’t know how to detect professional-level fraud.

“I think there is ignorance in the market,” he suggested. “I wouldn’t be much mistaken if I said the same about regulators about what technology can do.”

Permanent residency cards are the trendy choice for fraudsters. In Q2, 22% of all permanent residency cards submitted for verification were deemed counterfeit. They are easier to forge due to more straightforward security features than passports and other sophisticated IDs. Some verification systems are less familiar with permanent residency cards, meaning they could face less scrutiny.

The top 10 pieces of identification and their fraud rates are:

  • Permanent residency card 22%
  • Passport card 18%
  • Residence card 17%
  • Passport 15%
  • Visa 13%
  • Voter card 12.5%
  • Business card 12%
  • Drivers license 9.5%
  • Social Security card 9%
  • Id card 8%

Organized fraudsters rapidly embracing AI

While finance is working feverishly to incorporate AI, their zeal may be topped by fraudsters, who have quickly deployed it for excellent results. Malicious actors increasingly use automation, with AU10TIX’s Serial Fraud Monitor seeing telltale signs of organized criminal activity. Friedman said liveness detection is beginning to be compromised by deep fake technology.

Also read:

“It’s not because of the technology but its usability,” Friedman said. “Soon, there will be off-the-shelf tools that will allow you to do that.”

How large can organized crime act? AU10TIX stopped one attack involving 7,882 individual attempts by the same organization using the same credentials mixed and matched in every conceivable combination.

“Gartner has identified fraud and identity risks as one of the top emerging security risks within Generative AI,” the report states. “LLMs (Large Language Models) and chat interfaces have enhanced malicious actors’ ability to mimic genuine sources and complicate the task of differentiating between forgeries and the real thing. This underscores the necessity for solution alignment that focuses on detecting and defending against a surge in prompts and injection attacks on LLM and API interfaces.”

How organized fraudsters are different

Friedman said everyone catches amateur fraud. These cases can be identified individually by noticing cut and pasted photos, multiple fonts, poor spacing, and bad grammar.

Professional fraud is undetectable by those means, and AI makes it even harder, especially when combined with other technologies.

“You’re talking about professionals and measured technologies,” Friedman said. “They don’t repeat themselves and keep using AI to make it perfect.

“That nature, which has everything different, is still detectable. If you know how to find it, to see how forces behave, not what they manipulated, but how they behave, you now have a second layer of defence.”

How fraudsters pick their spots

While North America sees a high volume of attacks, it is a small share of the overall volume of transactions. Contrast that with Asia, where almost 7% of the activity is organized, professional attacks.

Why is the difference so stark? While the USA is more lucrative, it is also more protected. Companies deploy more defences, and regulators pay closer attention. If you want to succeed in the States, it takes more work.

“This reflects that those taking on America know the level of sophistication that’s waiting out there,” Friedman explained. “They are creating multiple iterations of non-recurring combinations of face, number, name, et cetera. As long as they have a very good image, they can play with it, and they have the tools to do that.”

Contrast that with parts of Asia, where identification documents could be better in quality, and KYC checks are minimal to non-existent.

“In other words, professional fraudsters are into the volume of it to attack,” Friedman said. “Not where it’s located, but where it’s vulnerable. Because it’s easy money. 

“One attack might be less lucrative than in America, but you will penetrate much more. You’ll do an easy job and still win a lot of money.”

  • Tony Zerucha

    Tony is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong. Email Tony here.