First Party Fraud: Vulnerabilities Across the Customer Journey

First Party Fraud: Vulnerabilities Across the Customer Journey

Brian: [00:00:00] Thank you everyone. Welcome fraud fighters and people sitting here who say, I'm not quite a fraud fighter. You are today. So today we're gonna shed some light on first party fraud and I'm honored to be your moderator. But before I introduce myself, love to bring our lovely experts to the stage.

Maria: Good afternoon. My name is Maria. I am a senior threat, threat intel manager at company called Bill. We are a business payments provider. We provide three main payment offering services, so issuing spend management, for business expenses, acquiring for merchants to be able to receive payments and not payable solutions for, for.

Businesses to be able to pay their vendors, and my team is mainly responsible for doing root cause analysis for any fraud attempts that we encounter on our platform and provide a deep, grounded understanding to our remaining risk, strategy and analytics and operations team in terms of how the [00:01:00] per is perpetrated and, all the kind of steps that the frauds go through to make that happen.

Yigit: All right. Hard to beat that., I lead, the fraud and risk products for Secure. secure is an item verification and fraud prevention, platform. We serve, a lot of great names here. I'm sure a lot of you are customers. And hopefully, the rest of you will be customers soon. But, my team is responsible for our, flagship Sigma scores, risk solutions for, Point a risk assessment for email, phone, and address.

Also, device intelligence, behavioral analytics, as well as the data and machine learning platforms for, our internal users. I'm a data scientist by heart and a technical person,

Brian: normally always the battle of data versus everyone else in engineering. I am Brian Davis, head of trust and safety. Your moderator today for Dodgeball Fraud Stack as a service.

So your single integration automation platform bringing together. Lovely vendors all in one place. So non-technical people, me can drag and drop everything. [00:02:00] Today we're gonna talk about a simple but complex topic. it's often overlooked until it's too late first party fraud, and there's nothing friendly about it.

So today there's many different scenarios we can walk through of examples of first party fraud. Today we're gonna talk about. Bust outs. So for the ones that are familiar with or not so familiar with bust outs is when an individual comes to your site, ultimately sets up an account, starts to use it in seemingly normal patterns, behaviors, and ultimately, one day these thought to be good users turn bad.

So Maria, what are you looking out for? In these types of scenarios.

Maria: So it is something that is really hard to discover in the beginning when these businesses would normally sign up. And we're in an [00:03:00] interesting position because we provide services to businesses. So we don't, we don't onboard consumers. every business that signs up has to be operated by an individual.

And so we often don't see, like, you know, this happening right up front in the beginning and it's not really easy to discover. So businesses will sign up. They will pass the K yb because the business does exist. It's real on paper, and it will also be operated by an individual that is associated with this business passes the kyc.

They can provide any requested information upon request because they do in fact, Exist and they do in fact have this information, registered in its field and then they start utilizing the account. And this, again, this scenario is most applicable to our issuing service. And so we would issue a credit line to that business and they would start utilizing it normally, normal business expenses over a period of time that fit with the industry that they're a part of.

And over time they will. Kind of, you know, make their significant footprint [00:04:00] on our platform. They'll, they'll have many, kind of entities that will create, and at some point in time they bust out, they default and they stop making payments. And we, kinda those points in time, that's when we kind do the discovery and we do the retrospective and we do the raw analysis and the.

We learn from these. yeah.

Brian: And Yigit. So is this a credit risk problem, a fraud risk problem? How do you really categorize this to ultimately educate the people you're working with?

Yigit: I think this is an amazing question and I think these things get coupled together quite often. It's easier to write it off as credit risk because there's some

yeah, exactly. And when you, when you do that and when you don't really understand, there is no intention to pay and this was never a question of, an ability to pay. It's an intention to pay. That changes the picture. So if you don't define the problem correctly, if you do not measure the problem correctly after that, you won't be able to mitigate the problem accurately either.

So I think [00:05:00] the first thing I tell, our prospects and customers whenever we are working with them, know what you're up against. Identify the problem correctly, let's measure it correctly, and let's work together to, fix the issue correctly.

Brian: So there's complexities of a user comes through. Your platform.

They, we talk a lot here already. Know your customer. Know your customer. Know your customer. We think we know our customer when they're coming to the door, they pass kyc, they pass kyb, they go through i d V. What are you looking at and how, like what are the challenges at that point of the user journey for you?

Maria: So a, again, it like at the point in time when they're just coming through the door, it's really hard to differentiate them from. What a good, good business is. Good, good prospect versus someone who has got malicious intentions. And in the instances that we've encountered and investigated, again, looking in retrospect, these are not like sole actors.

These [00:06:00] are organized groups working together and they have investments in the scheme that they're orchestrating. So they take time to stage this. They, they time to build it out. But essentially, What ends up bringing them to light is how they end up moving the money around. Right? So they, they, they make payments that.

Appear to be business related expenses, but these payments are going for to towards entities that they operate. So they're essentially moving funds around. And so what does help bring them to light is kind of being able to cluster where payments are being routed by a certain group of companies to a certain number of merchants that are kind of isolate.

No one else is transacting with these merchants. Except for this particular group.

Brian: So you're trying to cluster them in a sense and pull together different data points throughout the user journey to ultimately link them. What are some of those data points? What are you specifically looking [00:07:00] at when you go through a retro and you're going back through that user journey of how did this user one get on our platform?

What were the steps of that? And then how are they actually using our platform? Are they taking, are they. Immediately getting on the platform and spending transactions for a week, six months, two years. What type of patterns are you seeing for this type of life cycle?

Maria: There's definitely a range. And so, you know, going backwards when during their kind of root cause and how that transpired, we see a range from, you know, six months to a year or even more.

And so they come on sets by sets, they bring on companies together. The companies aren't necessarily connected in, in like any sense in terms of like devices or ips, so they're seemingly unrelated. But when they do start to transact, there is pattern forming in terms of. Multiple businesses are peeing to.

A similar merchant, and this merchant is not [00:08:00] receiving, you know, no, no one else is paying to this merchant. I think that's kind of one of the main things that kind of can really isolate them because as, as we mentioned, they're using real information. They're using, they exist on paper. And we're, we're in a digital space, right?

So we can't physically go to the business location and verify is there actual, like business, like if, for example, if it's trucking company, you know, like can, can we go to their garage and see like, do they have trucks? Do they have, you know, do they actually like, Executing are they actually functioning?

So we have to rely on a lot of the like, open source information and open source information. They know what they need to build out to make their profiles look like they're existing and they're real, and they're functional. To to, to make this kind of, to stage an orchestrate, this con,

Brian: it's long going and sometimes feels like it's never going away.

Yigit when you're working with some companies or even in your past life of digging through different data and, and identifying patterns, what are you using and looking at to help educate internal stakeholders or customers and clients?

Yigit: That's a great [00:09:00] question. I think, there are different approaches to looking at this problem and, more coordinated crime ranks are very prevalent and there are more sole actors sometimes that we also see acting out and there are different levels of sophistication.

And I always say, let's categorize the problem and let's collect the low hanging fruit first. So when you were to take a look at, even the email addresses some of these, frauds with create. They would be very open about it. Everything would match. But even you look at the email handle, you would see something like bust out tommy gmail.com and it's so in your face.

It's more like a day or to you that come and get me. Everything matches and my credit score is amazing, so open me an account. But, so all those types of. Things you can, you can do a great assessment for a person, but more sophisticated ranks, you need to take a look at lockstep behavior, as I would call it.

So you would see not direct connections between these individuals or businesses You would see if you were to build a graph and build these relationships between different entities, you would find weak [00:10:00] connections. You would see coinciding events happening. And when you look at different, times the application stage, when you look at a couple days happening, you would see weekly related things coming together and clusters around it.

And you would see transactions colluding together over time. Not the same entity, but it looks like in AML structuring type of a pattern, paying each other and you would see busting out behavior happening all at the same time. So looking at it, You hate the word I know. Holistically and really trying to understand, what's happening in your portfolio.

Not on an individual basis, but as a whole, trying to find those, clustering behavior and lockstep behavior, temporal patterns. That's, what is very important to take a look at.

Brian: Maria, you're an operator, so you're going through these investigations or your teams are going through these investigations.

You find these clusters, you find these patterns tactically. I feel like people wanna know, what do you do with that information? Like, alright, we think we found something's [00:11:00] busting out about to bust out, or similar types of patterns of money moving to these little bits of groups or clusters. What does, what do you and your team do?

Maria: So something that we start, once we have a thread to pull on is we, we would describe it as like kind of sweeps. We sweep our entire platform to see if there are any similar type of entities that are currently existing that we can identify through any of the traces that we found as a result of pulling a single string.

So like when someone started going bad, now we start pulling the thread in and we we start looking by. You know, clusters of companies that are sending up within a particular closed geographic region, because while these are kind of these organized groups, they are organized, they. The, the, the main ones that we've tackled are working closely together.

Like, like they actually know each other in person. They live nearby. And so we start looking at close geographic locations, similar industries. So once they, they kind of, they, they pick certain industries for the type of businesses that they kind of execute this con [00:12:00] with. And so we start looking for location industry.

Time range for signup and the types of transactions we've seen based on the merchants, do I see if we can kind of identify additional entities and utilize this information that we uncover to subsequently catch them as they continue trying or catch similar type of vectors. But again, the important point that you kind of important point you made earlier around kind of like identifying this and.

I isolating. This is like a fraud related activity because you need to look deeper. Some, it's very easy to miss if you are gonna write this off as a credit loss because then you may not look deeper to see what's the actual malicious criminal intent, which based on everything that we are able to combine together there, there is, there appears to be

Brian: when do you know the good users go bad?

When, how do you figure out that there is. Actual some type of malicious intent or that they never had intent to pay back.

Maria: That's not always gonna be blatantly, obviously in front. Like, oh, [00:13:00] okay, this one's gone bad. They stopped paying. They're bad, they're fraudster. Definitely not as, kind of black and white as you would like it to be.

But again, when you start looking deeper at an account that's defaulting and start looking at. Like what was their behavior like before? Who were they transacting with? You find connected entities based on the things that I just described. It forms a picture, and then you start doing a little bit of ENT research and you find that.

They went after American Express and they went after pnc, and PNC had sued them and as a public lawsuit against one of their associates. This may not have been available to you when they were onboarding because maybe that suit was still in process or maybe that associate never opened a business credit line with you.

But, you just, again, forms that picture that this is not, The chance of, I lost my job, my business closed. I can't pay

Brian: Yigit. Same goes for you. How do you start to understand when good users go bad? You come from a little bit of a different perspective today of seeing the breadth of your customers, so your perspective, similar to Maria's, [00:14:00] but kind of a different type of scope to it.

Yigit: Yeah. I think there are, again, two, two ways of looking at this, being proactive versus reactive, and finding, to your point, a, the first, threat of what's going on. Really what we see is these actors might be acting out in different. Different places. So we might be seeing these actors, running a malicious activities in one company, and they're doing that in another one at different times in coordinated times.

Really trying to triangulate those points and really try to see what else is going on, not just looking at one bad event. When we catch that, looking at it, okay, what more can it be running our investigations? And running our models around the holistic view of what's going on is the most important thing that we are trying to do.

Really having a consortium of seeing all this behavior going together is an amazing reactive measure. It doesn't always help being proactive, but [00:15:00] first part, the fraud problem is such a difficult problem, complex problem to solve in some very sophisticated cases. It's really. Hard to become proactive. So the best thing you can do is to react as soon as possible and cut the losses sometimes.

Brian: So this happens throughout the user journey, and there's different teams that work. Marketing, product engineering payments, you can kind of name almost everyone, but they care about different parts of the user journey. How do you work with them to ultimately, they're your stakeholders. You need their support, you need their influence, and that's one way that I do see of.

Helping try to transition a little bit more to proactive versus reactive. We can't do it alone. So do you have any examples of working with some of those other stakeholders internally to help kind of push that through to get a little bit more closer to the proactivity?

Maria: Yeah, so I think. That's an interesting challenge because what happens is we are trying to [00:16:00] balance our growth.

And again, these are seemingly legitimate clients coming in, looking up, you know, to sign up, bring us business, and so. One of the focuses is for education and awareness that this can happen, this, this, this can happen. And this does not always, this is not always gonna translate into a good, customer that's gonna gonna contribute to our growth instead of causes harm.

And so, ensuring that their teams are aware of this happening, educating of like, If you've got customers coming in and they're all coming from the same area, they're really pushing for higher credit limit. And, you know, you're, you're seeing this kind of back to back, definitely be weary, beyond the lookout, in, in the conversation.

Brian: So on the education side of things, that's one piece. Internally, externally, especially when it comes to first party fraud, it's almost set up that sometimes merchants are. Guilty until proven, and you really have your backs against the wall. So what can you do for the people who come to your platform?[00:17:00]

Either, let's start with you of like, how do you work with customers of helping them educate their end users that this ist a type of abuse, this is, and can be considered fraudulent and criminal, to prevent them either being used by these organized crimes or just the ignorance and naiveness that they're, they think circumvention is okay.

Yigit: We approach this from both a qualitative and quantitative perspective. Really there's, a way of really showing our customers how these events are happening, what the signals are, and how these signals are not really related to a, a enable to pay. Really, if we were to take a look at some of the indicators about ability to pay, there is nothing to do with it.

And, when you look at some of these things coming together, That story becomes very obvious, to, to people, okay, there's something funky going on. Not at first sight, but when we look at this from when we take a step back and take a look at this activity, there's something going on that's the [00:18:00] qualitative aspect and quantitative aspect of things, but really quantifying after defining, quantifying how big of an impact there might be.

This doesn't happen very often, especially very sophisticated ones. That's why this might be under the radar, but when it happens, it is, it is massive. When it's massive. When you think about how it can hurt your business and it can hurt it, in a very, very bad way, let me say, then you get your attention.

You need to, we try to arm our, customers with information so they can go and tell the story and really warn the business against what they're up against.

Brian: Definitely an easy way to find some budget. Internally when things like that happen, we are running up to the end of our time. I appreciate you all coming to our panel of fighting first party fraud and uncovering the vulnerabilities across the rest.

Thank you, Yigit. Thank you, Maria. I appreciate it.