Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Play next
Demystifying Scam Fog: You Can’t Fix What You Don’t Measure, A Conversation with Peter Tapling, Managing Director PTap Advisory image

Demystifying Scam Fog: You Can’t Fix What You Don’t Measure, A Conversation with Peter Tapling, Managing Director PTap Advisory

S1 E38 · Scam Rangers
Avatar
0 Plays2 seconds ago

🎙️ Episode Title: Demystifying Scam Fog: You Can’t Fix What You Don’t Measure
👤 Guest: Peter Tapling, Managing Director at PTap Advisory
🎧 Host: Ayelet Biger-Levin, ScamRangers

🔍 Episode Overview:
How can you solve a problem you’re not measuring?

In this episode, we tackle one of the biggest blind spots in scam prevention: data classification. Peter Tapling — identity and fraud prevention pioneer — joins Ayelet to unpack why “just calling it a loss” won’t cut it anymore. From romance scams to investment cons, if we’re not labeling the type of scam, we’re missing the patterns that could help us prevent them.

We also explore:

  • The difference between authorized and unauthorized fraud — and why it matters
  • Why financial institutions must own their phone numbers like intellectual property
  • How social engineering beats traditional education
  • The power of slowing down payments — and the psychology behind it
  • Detecting mule accounts, synthetic identities, and spotting patterns
  • The role of scam classifiers and information sharing models

📌 Resources Mentioned:

  • [Scam Classifier Model – Federal Reserve Bank of Boston] https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/scams/scamclassifier-model/
  • [Scams Information Sharing Work Group – Fed Boston] https://fedpaymentsimprovement.org/news/blog/sharing-information-on-scams-to-improve-fraud-mitigation/
  • [Biocatch blog: 9 Types of Mule Accounts] https://www.biocatch.com/blog/the-mules-among-us
  • [Aspen Institute Financial Security Program] https://fraudtaskforce.aspeninstitute.org/

🔗 Connect with Peter Tapling: https://www.linkedin.com/in/ptap/


🎙️ More from RangersAI: https://www.linkedin.com/company/rangersai/
🌐 Learn More: https://www.rangersai.com/

This podcast is hosted by Ayelet Biger-Levin, who has spent the last 15 years building technology to help financial institutions authenticate their customers and identify fraud. She believes that when it comes to scams, the story starts well before the transaction. Ayelet created this podcast to talk about the human side of scams and to learn from those dedicated to advocating for scam victims and taking action against fraud. 

Be sure to follow Ayelet on LinkedIn: https://www.linkedin.com/in/ayelet-biger-levin/ 

Learn more about her work at RangersAI: https://www.rangersai.com/

Recommended
How Australia Slashed Scam Losses by 30% & What’s Missing in the U.S., A Conversation with Ken Palla, Former Director, MUFG Union Bank image
How Australia Slashed Scam Losses by 30% & What’s Missing in the U.S., A Conversation with Ken Palla, Former Director, MUFG Union Bank
S1 E37 · Scam Rangers
00:49:44·1 month ago
Deceptive Practices: A Deep Dive into Online Scammers’ Behavior, A conversation with David Maimon, Professor at Georgia State University image
Deceptive Practices: A Deep Dive into Online Scammers’ Behavior, A conversation with David Maimon, Professor at Georgia State University
S2 E36 · Scam Rangers
00:48:32·4 months ago
The Australian Formula for Tackling Scams: A Shared Responsibility Approach, A conversation with Toby Evans, Head of Economic Crime, Australian Payments Network image
The Australian Formula for Tackling Scams: A Shared Responsibility Approach, A conversation with Toby Evans, Head of Economic Crime, Australian Payments Network
S1 E35 · Scam Rangers
00:45:12·6 months ago
Empowering Customers Against Scams: The Power of Storytelling, A conversation with Kathelijne Swaak and Niels Vink, Fraud prevention leaders at ABN AMRO Bank image
Empowering Customers Against Scams: The Power of Storytelling, A conversation with Kathelijne Swaak and Niels Vink, Fraud prevention leaders at ABN AMRO Bank
S1 E34 · Scam Rangers
00:46:14·7 months ago
Sextortion: The Evil Scam Targeting our Teens in Their Bedrooms, A Conversation with Paul Raffile, Senior Intelligence Analyst image
Sextortion: The Evil Scam Targeting our Teens in Their Bedrooms, A Conversation with Paul Raffile, Senior Intelligence Analyst
S1 E33 · Scam Rangers
00:42:09·10 months ago
Getting in Front of the Scam: How to Build Trust With Your Customers, A conversation with Hailey Windham, a Credit Union Fraud Fighter image
Getting in Front of the Scam: How to Build Trust With Your Customers, A conversation with Hailey Windham, a Credit Union Fraud Fighter
Scam Rangers
00:43:54·11 months ago
Coordinated Action: The Key to a National Strategy Against Scams, A conversation with Ken Westbrook, CEO and Founder of Stop Scams Alliance image
Coordinated Action: The Key to a National Strategy Against Scams, A conversation with Ken Westbrook, CEO and Founder of Stop Scams Alliance
S1 E31 · Scam Rangers
00:40:20·1 year ago
Is Fraud Prevention the New Customer Service? A Conversation with Karen Boyer, SVP Financial Crimes and Fraud Intelligence, M&T Bank image
Is Fraud Prevention the New Customer Service? A Conversation with Karen Boyer, SVP Financial Crimes and Fraud Intelligence, M&T Bank
S1 E30 · Scam Rangers
00:41:58·1 year ago
Will Regulation Drive Action? Reimbursement and Liability in Online Scams, A Conversation with Ken Palla, Retired Director, MUFG Union Bank image
Will Regulation Drive Action? Reimbursement and Liability in Online Scams, A Conversation with Ken Palla, Retired Director, MUFG Union Bank
S1 E29 · Scam Rangers
00:53:42·1 year ago
Online Scam Awareness That Sticks: How to Get Marketing on Board, With Gabriel Friedlander, CEO of Wizer - Free Security Awareness Training image
Online Scam Awareness That Sticks: How to Get Marketing on Board, With Gabriel Friedlander, CEO of Wizer - Free Security Awareness Training
S1 E28 · Scam Rangers
00:41:54·1 year ago
Crypto Investment Scams: How it started. How it's going, with Cezary Podkul ,Reporter at ProPublica image
Crypto Investment Scams: How it started. How it's going, with Cezary Podkul ,Reporter at ProPublica
S1 E27 · Scam Rangers
00:35:31·1 year ago
Identity Theft Forever - The Real People Behind Fake Profile Pics, with Bryan Denny, Co-Founder, Advocating Against Romance Scammers image
Identity Theft Forever - The Real People Behind Fake Profile Pics, with Bryan Denny, Co-Founder, Advocating Against Romance Scammers
S1 E26 · Scam Rangers
00:42:48·1 year ago
Standing Boldly Against Romance Scams: Empowering Victims on the Path to Recovery, with Cecilie Fjellhøy and Anne Rowe, Co-Founder of LoveSaid image
Standing Boldly Against Romance Scams: Empowering Victims on the Path to Recovery, with Cecilie Fjellhøy and Anne Rowe, Co-Founder of LoveSaid
S1 E25 · Scam Rangers
00:47:01·1 year ago
Hearts Exposed: Navigating the Boundaries of Free Speech and Scam Crimes, with Kathy Waters, Executive Director and Co-Founder, Advocating Against Romance Scammers image
Hearts Exposed: Navigating the Boundaries of Free Speech and Scam Crimes, with Kathy Waters, Executive Director and Co-Founder, Advocating Against Romance Scammers
S1 E24 · Scam Rangers
00:30:25·1 year ago
Mind Games: The Psychology Behind Scams, A conversation with Alan Castel, Professor at UCLA Psychology, Expert in Memory, Cognition and Aging image
Mind Games: The Psychology Behind Scams, A conversation with Alan Castel, Professor at UCLA Psychology, Expert in Memory, Cognition and Aging
S1 E23 · Scam Rangers
00:39:21·1 year ago
Defying Romance Scams: Cracking the Seductive Script, A conversation with Ruth Grover, Founder of Scam Haters United image
Defying Romance Scams: Cracking the Seductive Script, A conversation with Ruth Grover, Founder of Scam Haters United
S1 E22 · Scam Rangers
00:42:04·1 year ago
Unveiling Deception: Business Email Compromise Crusaders Unite., a conversation with Ronnie Tokazowski , founder of the BEC Working Group image
Unveiling Deception: Business Email Compromise Crusaders Unite., a conversation with Ronnie Tokazowski , founder of the BEC Working Group
S1 E21 · Scam Rangers
00:43:48·1 year ago
Scam-Proofing Social Media: The Good, The Bad, and The Reality , A conversation with Assaf Kipnis, ex-Facebook Integrity Team lead image
Scam-Proofing Social Media: The Good, The Bad, and The Reality , A conversation with Assaf Kipnis, ex-Facebook Integrity Team lead
S1 E20 · Scam Rangers
00:48:46·1 year ago
The eLegal Challenge of Online Scams - Fighting New Crimes with Old Laws - A conversation with Erin West and Alona Katz, District Attorneys and scam fighters image
The eLegal Challenge of Online Scams - Fighting New Crimes with Old Laws - A conversation with Erin West and Alona Katz, District Attorneys and scam fighters
S1 E19 · Scam Rangers
00:47:49·1 year ago
Hang Up on Fraud: Tackling Robocalls and Scam Calls, A conversation with Alex Quilici, CEO of YouMail image
Hang Up on Fraud: Tackling Robocalls and Scam Calls, A conversation with Alex Quilici, CEO of YouMail
S1 E18 · Scam Rangers
00:37:39·1 year ago
Transcript

Introduction to Scam Classifier Model

00:00:00
Speaker
The scam classifier model is really important because we manage what we measure. If the only thing we can tell about an event is that it was a loss, how do we know what kind of loss is it? If a board member comes to you and says, how much money are we losing to romance scams?
00:00:18
Speaker
Can you answer that question? And if you can't answer that question, then you're not measuring the things you need to be able to measure.

Welcome to Scam Rangers Podcast

00:00:30
Speaker
Scam Rangers, ah podcast about the human side of fraud and the people who are on a mission to protect us. I'm your host, Ayedit Bigger-Levin, and I'm passionate about driving awareness and solving this problem.
00:00:46
Speaker
Today's Scam Ranger has many years of experience in identity protection and fraud prevention, and I'm really excited to have him join us today.

Peter Tapling on Fraud Prevention

00:00:55
Speaker
Peter Tapling from P-TAP Advisory I wanted to, first of all, welcome you to the Scam Rangers podcast, Peter.
00:01:03
Speaker
Well, thank you for having me, Ailet. And I, too, am really excited.
00:01:10
Speaker
Well, we had a call a few days ago, and i think I was really, although know your background, or I read your background, hearing it from you really gave me a lot of insights infusing the conversation.
00:01:25
Speaker
So I wanted to start with maybe you sharing your background um in the identity and the fraud detection space, in cybersecurity in general, and then from there, we'll go to scams.
00:01:38
Speaker
Yeah, I won't do the entire background because that's a little bit too long, but I mean, suffice it to say, i was doing information security back when we called it data security 40 plus years ago.

Challenges in Identity Protection

00:01:51
Speaker
um That kind of, as I was in application development and moved into building applications for banks and payment service providers that kind of turned into um fraud management i don't know if you remember but it used to be that the fraud guys lived under somebody whose title was data security um and so i've been doing it for a very long time i yeah spent four or five years in the space that is that we call pki the public key cryptography space so
00:02:23
Speaker
Back in the late 90s, early 2000s, we thought the problem of identity would be solved by issuing digital certificates um to all the citizens of the United States, as an example.
00:02:34
Speaker
Clearly, that's not how it's going to work, but it gave me a great introduction into the complexities of managing identities and vetting identities for um remote access type situations. um Eventually, founded a company called Authentify.
00:02:49
Speaker
We're the guys that invented out-of-band authentication as you know it, so you can personify your hatred for those six-digit pins that you get by SMS to support a login. Sold that company to Early Warning um and was the chief revenue officer for Early Warning during the launch Zelle.

Understanding Unauthorized Payment Scams

00:03:07
Speaker
and have been doing independent consultancy as PTAB advisory since 2018, helping financial institutions as they go to buy technology in and around payments, fraud, identity, risk management, and helping providers as they try and sell those solutions to the financial institutions.
00:03:27
Speaker
Great. Thank you. So for four years, you've been thinking about how to solve the identity problem or how to answer the question, are you who you claim to be?
00:03:39
Speaker
Which is a big problem when it comes to fraud, account takeover fraud. How do we ensure that the legitimate user is performing the transaction. and um I think that's been our focus in the fraud industry for many, many years. How do we prove that it is not account takeover, that the new account is created by legitimate individual?
00:03:58
Speaker
And you also mentioned, you know, providing the certificates, that point of providing the certificate or how do we distribute

Preventing Social Engineering Scams

00:04:05
Speaker
it securely is a big fundamental and problem to solve when it comes to authentication and and providing the credentials or the most vulnerable location or point in time in which identity can be compromised ah initially.
00:04:23
Speaker
So I think the biggest question when it comes to unauthorized payment um today, what do you think? So start let's start with unauthorized.
00:04:34
Speaker
So when it comes to scams, there's still a point of social engineering, um If we're talking about phishing, if we're talking about credential theft, that OTP that you talked about, how do we make sure that it's not an individual that's being socially or a consumer that's being socially engineered to provide their OTP?
00:04:53
Speaker
What are some of the challenges that you've seen in this space and what are some of the approaches that you think are are successful in preventing? We can start with phishing and then go to OTP theft. There are slightly different things, obviously.
00:05:10
Speaker
Yeah.

Customer Protection Strategies

00:05:11
Speaker
oh Well, you know, you backing up a little bit, we have 35, 40 years of experience as a fraud fighting community fighting unauthorized fraud.
00:05:22
Speaker
And we're actually pretty good at it now. If you look at the card space um and if you see me squeezing the ball, this is my fraud fight club to squeezy ball. um But, you know, if you look at the credit card space, particularly, we used to worry about things like bad guys taking newly delivered credit cards out of mailboxes. um we've We've gotten pretty good about protecting that kind of stuff.
00:05:43
Speaker
The challenge that we have with scams is that the bad guy doesn't live on my side of the transaction. The bad guy does not live with my customer. The bad guy lives somewhere else.
00:05:54
Speaker
And if I'm going to initiate a transaction on behalf of my customer, I know my customer, I know their account, I know their behaviors, but I know nothing about the party on the other side of the transaction.
00:06:06
Speaker
And so we're really reliant on our customers doing things in their own true best interest. um I think you counseled me earlier that we're not allowed to call our customers idiots.
00:06:19
Speaker
um But sometimes everyone does something that you hit the button and you stop and you say, oops, I shouldn't have done

Urgency in Scams and Bank Responses

00:06:26
Speaker
that. Right. And so how is it that we kind of protect our customers in some in some cases from themselves?
00:06:33
Speaker
We've tried education um and education works. I don't. It's important. It's important that people understand. It's important that people, um you know, inside an organization, we probably have our regular phishing test that we send out to all the employees to see if they can recognize a phishing email versus a not phishing email.
00:06:56
Speaker
All that awareness, all that education is necessary, but not sufficient. And so we need to figure out ways that we can go beyond um understand, you know, we have to believe our customer for 50 years in the financial services industry. We've had what I call the Aunt May problem.
00:07:16
Speaker
Aunt May shows up at a bank and says, I need a $50,000 wire sent to my new husband in the Philippines. And For wire transactions, we have a wire room. We have built in delays in the process. We made Aunt May come into the bank.
00:07:31
Speaker
We had haded her speak with a bank manager. The bank manager called a son or a daughter or a brother or a sister to try and slow things down. And when we look at scams today,
00:07:43
Speaker
bad guys really focus on urgency. um You have to do this right now. If you don't do it right now, the white puppies go away. You're going to miss it. You're not going to be a Bitcoin billionaire. um I'm not going to marry you, whatever the thing is. Right.
00:07:57
Speaker
And so i think that, you know, the, the, we need to figure out ways to not inconvenience our customers. But when we, when we see something wobbling in a transaction, we have to have the confidence to slow that transaction down.
00:08:13
Speaker
Yeah. And so 100%. a hundred percent This episode of Scan Rangers is brought to you by Rangers AI. Rangers AI helps financial institutions empower their customers to protect themselves against online scams.
00:08:27
Speaker
ScamRanger can identify high-risk messages across all platforms and provide education and context as well as guidance to consumers about high-risk messages and also provides insights to financial institutions about top scams targeting your customers.

AI in Scam Detection

00:08:45
Speaker
For more information, go to rangersai.com.
00:08:50
Speaker
So let's start with authorized was unauthorized, where it's the customer is not really performing the transaction, but they're doing something to provide criminals with either credentials through a phishing attack or that OTP as part of the transaction. So In this scenario, to your point earlier, the bank does have visibility into who's performing the transaction. They can look at different, as as you said, we've become really good at account takeover fraud. So we look at risk signals like device, unusual behavior, location, and time of day, all these different things, these indicators, behavioral biometrics, all these different indicators that we look at um to detect. But in particular, I wanted to touch on the social engineering aspect.
00:09:33
Speaker
um How can we help customers ah not become victims of that type of social engineering that makes them click the link or ah provide the OTP beyond education? What are other tactics you think?
00:09:46
Speaker
We were just at Fraud Fight Club and one of the speakers there was a woman by the name of Jamie Zetterstrom from Sonos. And Sonos runs the, for instance, the caller ID database. And one of the questions she gets all the time from financial institutions is, why can't you stop bad guys from sending out text messages that make it look like they so they come from my financial institution?
00:10:11
Speaker
And the answer to that question is they can. But you, the financial institution, need to be able to tell them every single phone number that you use and register all those phone numbers.

Social Media and Telecom Coordination

00:10:21
Speaker
That's where it becomes difficult, right?
00:10:24
Speaker
And I think she even asked the people in the audience if they can provide that. And I think there was like, ah well, maybe. Yeah, almost nobody raised their hand. And I think that that so and that raises a couple issues, right?
00:10:38
Speaker
You commented earlier, we've tried education. Education doesn't seem to work. one of the things that bad guys are really good at bad guys take our education too right whatever education we're providing out to the public they're taking the education they're saying and they're saying oh okay well they're being told to behave this way so i'm going to ask them to behave this way or i'm going to support that they're yes you should be careful and i agree you should be careful and gee why don't you call me back at this number um so
00:11:09
Speaker
You know, this is a war of escalation. It always has been. um We do need to continue. As we commented earlier, education is necessary, but not sufficient. I think we do need to get better. We fraud fighters, financial institutions, payment service providers need to try to cooperate with telecom to be as careful as we can with ah registering all of our numbers and and protecting our treat.
00:11:34
Speaker
Treat telephone numbers and SMS shortcodes and things like that like intellectual property, manage them like intellectual property. um And if you do that, you have a better chance of coordinating with telecom to be able to stop that.

Shifting Liability to Banks

00:11:47
Speaker
We have a big hole in our defenses, which is social media. So as much as possible, we need to engage and keep engaged social media platforms so that we can On the one hand, we need the social media platform so we can do the kind of education we were just talking about.
00:12:05
Speaker
On the other hand, we need to make sure that um that customers our customers are aware of the vector that that can be for getting them introduced to nefarious actors.
00:12:18
Speaker
100%. We'll talk about social media more in in just a few minutes. So i wanted to, i wanted to you know before we jump into authorized payments, I did want to touch on unauthorized because I think it's it's something that, you know, there's there are data breaches and there are men in the middle attacks and men in the browser attacks and all these ways in remote access tool attacks. There are all these ways where criminals will perform a account takeover fraud, but there's some some of them are um are still
00:12:51
Speaker
they still get data from individuals by socially engineering them. So in that sense, I thought it was important to to stop for a moment. and And I think those are great recommendations, especially when it comes to phone numbers and impersonation and all that to still credentials. So those tactics, of a course, are also used for authorized payments. So I wanted to dive into that. That is a really...
00:13:16
Speaker
big shift in how do we as a financial institution protect our customers from scams that are socially engineering an individual to take their money and transfer it to a criminal, be it you You know, you have multiple transactions on your account. Let's move your money to safety, which is one use case. You can win big and investing in crypto romance scams. I'm in trouble. I need your help. I'm your grandson. They're they're crazy scams. I think people are less familiar with like the Muse scam.
00:13:49
Speaker
which is really an advance fee or or fake check scam at the end of the day where someone sees someone else's profile on social media and says, that's so cool. I wanted your profile. I want to make art out of it and I'll pay you and blah, blah. And then it's, you know, fake check or advance fee or something like that.
00:14:06
Speaker
So the question is how can we rethink the way we protect people? our banks and our customers against unauthorized payments and rethink that to look at the authorized payment problem.
00:14:23
Speaker
Do, are there things we can take from ATO protection to scams and are there new things that we need to consider?

Fraud Prevention Accountability Measures

00:14:30
Speaker
So yeah I think the answer to the question is yes, there are things that we can take from the toolkit that we have today, redeploy them likely in some sort of different way help help address the issue of scams and authorized payment push payment fraud, APP fraud.
00:14:47
Speaker
You commented earlier, we just had a conversation about how do we get people to stop reacting to text messages, emails for business, email compromise, things like that. um and And we kind of treat that as unauthorized fraud, but those exact same tools and those exact same approaches are applicable for authorized fraud.
00:15:05
Speaker
Right. um So it's interesting, the bad guys, they don't care. They don't care if it's unauthorized or authorized fraud. They just want to get the money and they're going to get the money. However, they can get the money. um I do think that we, the,
00:15:17
Speaker
we the Payments industry, this includes both banks and payment service providers, app developers, wallet providers. We've put an enormous emphasis on immediate, on instant gratification.
00:15:31
Speaker
Tap, go, right? Whatever it is, i'm just it's just all going happen instantly. um Take that at the same time with we've created two generations of people who believe it's not my fault.
00:15:46
Speaker
Back at the dawn of e-commerce and the internet, circa 99, 2000, 2001, we created e-commerce. And when we created e-commerce, we were asking people to take their credit card numbers and punch them into the web.
00:16:01
Speaker
People rightfully thought, well, gee, I don't feel comfortable doing this. And so we solved this problem. We said, ha, zero liability. No matter what happens, pick up the phone and call me and I'll give you your money back.
00:16:12
Speaker
And so in an era where we have two generations of people who grew up thinking, if I do something digitally, it's not my fault. I always get to go get my money back. They stop being critical thinkers. They stop thinking, does does this feel too good to be true?
00:16:28
Speaker
Something that feels too good to be true in the street where I was going to hand you a $100 bill, I might not do. Something that feels too good to be true online where I'm going to do this $100, but I might get it back if it doesn't work out, maybe I will do it, right?
00:16:42
Speaker
And so I think that um we we we need to coach people that they they do have a level of responsibility. ah So in addition to all the other education, hey, by the way, you're still responsible for these payments. um And we have to we have to be willing in certain circumstances to slow things down. um I wanted to bring something up here um because you're absolutely right. When credit cards, we we have the liability or or financial institutions have the liability.
00:17:11
Speaker
And when it comes to regular transactions online that are not covered by credit cards, there is still liability with a consumer today in the United States.
00:17:22
Speaker
But then there are other countries like the UK where there have been liability shifts to financial institutions.

Detecting Mule Accounts

00:17:29
Speaker
And still, I would say even that is why liability has shifted. So banks do protect, step up and protect customers even more because they need to pay them back. okay there's I don't think there's any bank in the world that doesn't want the consumer to think that a payment is safe.
00:17:47
Speaker
Right. So we're not arguing about are we are we making payments safe or not? i think One of the things that you can see a lot of pushback in the UK around the um the shift of liability is that this one of the things they did in that shift of liability is it's 50 50. It's a recognition that the bad guy lives on the received side of the transaction.
00:18:11
Speaker
And so if you're a financial institution that's receiving one of these payments, whatever happened to the money, typically we expect that this money would have gone into some sort of mule account but whatever happened to the money you as a financial institution on the receive side bear some responsibility for what for the negative um outcome for that particular consumer um so i think that you know the there's good news there the good news is we are recognizing that the bad guy lives on the received side of the transaction i think doing
00:18:43
Speaker
Reimbursement models, which are way after the fact, are, again, nice, but that's I don't think that's where we want to end up. I think we want to be in a better position where we're able to identify synthetic identities, identify mule networks,
00:19:01
Speaker
um kind of stop these things before they go on too long. I mean, in any kind of fraud, it's always hard to stop the very first one. But once you see a pattern, you should be able to detect that pattern and interrupt it.
00:19:15
Speaker
So you're talking about the receiving banks, detecting mule accounts, can maybe double click into that a little bit um in terms of one, the MOs or the modes of operation of ah scams and the receiving side and how we can see patterns

Policy and Support for Fraud Fighters

00:19:29
Speaker
there. And two, what can banks pragmatically do to detect that?
00:19:33
Speaker
Yeah. So, uh, this story dates a little bit and I, and I won't name names, but there was a very large us financial institution that had a hip, cool new model. And they thought we're going to run this model against our, against our existing customer base and see if we have any synthetic identities. Um, they ran the model and they found out that not only did they have them, but they had many, many thousands of them.
00:19:57
Speaker
Um, and so, you know, and and synthetic identities by the way they um they take many different forms it's everything from tony soprano who's got the garbage company in new york and the family in new jersey to somebody who is a law enforcement officer that's operating undercover right and so synthetic identities look very different and when it comes to mule accounts um there was a uh There's a blog post by, yeah can I name a vendor? There's a blog post by Biocatch.
00:20:31
Speaker
I just, you're on. yeah well yeah yes a blog post by biocatch that actually outlines nine different forms of what a mule looks like yeah some of them are in synthetic identity some of them are sleeper accounts somebody bad guy created created an account years ago explicitly for this purpose um some of them are rightful customers they're good customers of yours they have a car loan they have a mortgage but they also agreed to do something for air quotes, a friend, right? I'm going to take in a thousand dollars. I'm going to send them $500 and I'm going to do that 50 times a week or month or whatever period of time.
00:21:12
Speaker
And so I have a link to that in the show notes. Okay, perfect. And, and so one of the challenges, so, so first of all, for you asked, ah you asked another important question, which is what are, what are things that a financial institution could do?
00:21:28
Speaker
Thing number one, Do not close your eyes and say, i don't have a synthetic identity problem because I'm here to tell you, you do have a synthetic identity problem. There's no one listening to this podcast who does not have synthetic identities on their books.
00:21:43
Speaker
And if you're just ignoring them, then the problem is only going to get worse. So that's that's number one.

Collaboration Between Fraud and Product Teams

00:21:50
Speaker
Number two is what do you do when you find one?
00:21:54
Speaker
So for instance, when you find something that you suspect is a synthetic, when you find something you suspect is a mule, what do you do? And so frequently, fraud fighters, I hear this all the time, fraud fighters will say, I'm looking at this, I know that it's fraud, but I'm powerless to do anything about it.
00:22:14
Speaker
And so for a financial institution, in the case of a mule account or synthetics, it's about having a policy. Look, we have a policy that if we see these kinds of behaviors in an account, these are the actions that we take.
00:22:27
Speaker
And that gives the fraud fighters high air cover with the commercial bankers and the digital the people who run digital and with the customer themselves to say, this is why we slowed your payment down. This is why we want to have you sign a piece of paper or whatever, right?
00:22:42
Speaker
um I think in terms of, you know, go to the um go to the link that we're going to post and take a look at the different characterizations of mule accounts and begin to educate people to look for these.
00:22:56
Speaker
Because I think one of the challenges we have inside financial institutions is that there's somebody who's paid to bring as many new accounts into the financial institution as possible.
00:23:07
Speaker
but they very rarely give any thought to, could this potentially be a mule account, right? And so just educating people and saying, look, you know, we want to have, now i'm I've been in financial services for so many

Risks in New Account Monitoring

00:23:20
Speaker
years.
00:23:20
Speaker
I probably have more accounts than the average person. And I have some accounts that probably look like sleeper accounts because I opened them for a purpose. Many years ago, I put a thousand dollars in them.
00:23:31
Speaker
They don't charge me any fees. They don't do any transactions, but nobody's ever called me. which to me is a little bit weird. Like I would think that someone would pick up the phone and say, are you even still alive? um One of the things you just mentioned, the promotions and someone is getting compensated to open as many accounts as possible.
00:23:50
Speaker
And then my question is, and I know for some financial institutions, the answer is yes, but for some, no, is there a fraud person working together with that and product manager who's responsible for opening as many accounts as possible?
00:24:05
Speaker
In collaboration saying, here are the risks we need to take to consider when pro providing this promotion, and here are the things that we need to look out for so we make sure that these are real legitimate customers. And is that compensation provided with the guardrails of taking that into account and not just blank compensation?
00:24:27
Speaker
Great point. I am certain that in every financial institution, when this program comes up, we're sitting around a conference table virtually, we don't do this in person anymore, but we're sitting around a conference table.

Bank Responsibility and Industry Efforts

00:24:39
Speaker
We have a conversation about, hey, we're going to run this advertising. We're going try and drive X number of people to our 5.6% CD, whatever the program is, right? And somewhere in the room is a fraud risk person who says, hey, wait a minute.
00:24:54
Speaker
Like, how are what are we doing to make sure that we're not bringing we're not attracting bad people? I'm almost certain that the first reaction is going to be, well, we have AML KYC. We have onboarding. We're going to do the same onboarding we do for everybody else.
00:25:09
Speaker
Again, necessary, but not sufficient. um And so i think that... One of the things that that um but programs tend to um amplify is they tend to amplify awareness in customer sets that aren't your favorite customer set, right?
00:25:27
Speaker
um So if somebody says, hey, show up today, $50, I'll open an account for you. If I'm a bad guy, I'm like, huh, I'm going to try this 100 times. And if they only open 20 accounts for me, that's okay, because now I have 20 accounts, right?
00:25:43
Speaker
um So it's it's it's a difficult conversation. And um they the it's not just about opening the account. It's how do you monitor it? what do What do you look for in terms of behavior once the account's been opened?
00:25:57
Speaker
Right, because I'm sure one of those mule personas is legitimate people who are paid or tricked or everything about the around the account opening is actually legitimate, right? So the monitoring post-account opening is is a critical piece of that as well. yeah So we talked about youal accounts. So we see that money is moving or we see characteristics of a a payee account that are...
00:26:20
Speaker
malicious and first how how do banks share this data with the sending banks uh so that's a big part of that and then what else on the payment rails and then we'll get off the payment rails in just a second too yeah well so i i have to lean back into some work that i uh participated in last year um the scams information sharing work group and the scams classifier model both of these were efforts that were um undertaken by the federal reserve bank of boston and

Information Sharing in Fraud Prevention

00:26:50
Speaker
hopefully you can put the link in for those as well but there there's there's those are two separate efforts the scam classifier model is really important because we manage what we measure um if the only thing we can tell about an event is that it was a loss how do we know what kind of loss is it if a board member comes to you and says how much money are we losing to romance scams can you answer that question
00:27:16
Speaker
And if you can't answer that question, then you're not measuring the things you need to be able to measure. One of the things this scams classifier model gives you is it gives you a touchstone. It gives you a baseline of here are all the categories of types of scams.
00:27:31
Speaker
And in your case management system, if you are not already tracking things by some type of categorization, go look up that document, take those categorizization categorizations and work them into your your case management system.
00:27:45
Speaker
And I think it's there's one one question, how much money are we losing as a bank and how much money are customers losing too? Yeah. Yeah. Or the industry, right?
00:27:56
Speaker
So again, we when when we say we, we're using the royal we, we could be our financial institution. We could be our financial institution with our customers. We could be a community. We could be all financial institutions writ large.
00:28:09
Speaker
So we can't we can't measure... We can't answer the question how much money is being lost to romance scams unless we're categoriz things categorizing things as romance scams, as an example.
00:28:22
Speaker
um And then, you know, the second work effort there was the scams information sharing work group, which was the objective was to create a taxonomy of information, which would be kind of the minimal amount of information that a receiving side could share with a sending side to allow that sending side to make some sort of risk evaluation at the time of the transaction.
00:28:47
Speaker
That work, we did write a paper at the end of that. I wouldn't say that it's anything executable. um If Mike Timoney is listening, i'm I'm hoping that he hears my request again to reinstitute that group to continue the work because I think we were making very good progress.
00:29:05
Speaker
But I think that as an industry, we need to do more than just write a white paper. We'll definitely call him out. So one of the things that we saw is, at at least for Zelle transactions, is implementation of confirmation of PAYE who registered for this account. So that's that's kind of some of the types of information sharing that I hope to see more and more of for other transactions as well.
00:29:26
Speaker
Yeah. In fact, I'm going to give a little bit of a shout out to my friends at Early Warning, but Zelle has had confirmation of PAYE for a very long time. um They also put in a rule somewhere along the line, this is quite a while ago, that puts some responsibility on the financial institutions to not allow the name associated with account to be Wells Fargo NA.
00:29:50
Speaker
One of the other things that is in that June 2023 change is when is it is some sharing of signals. there's I can't go into it, but there's there are a few data signals at the initiation of a transaction that a receiver sends back to the sender that allows the sender to make some sort of risk evaluation.

Regulatory Changes and Data Sharing

00:30:09
Speaker
um And so all of that stuff has proven to be very effective. um But it's Zelle. It's within the Zelle network. Right. And so clearly authorized push payment fraud happens all over the place.
00:30:22
Speaker
um It's not just related to any one payment rail. And, you know, again, that one of the challenges we have is ninety nine point. whatever percent, some five, six, seven, eight, nine percent of transactions are valid.
00:30:38
Speaker
And so we want our good customers to have great experiences, but at the same time, we have to take that that small percentage where we think things are gonna wobble and be willing and able to slow them down.
00:30:50
Speaker
Yeah, and I think one of the things, again, to distinguish between account takeover fraud, ah where there is liability, and it's not just a liability thing, it's also, I didn't do it myself.
00:31:03
Speaker
It was done by a criminal. I think it's much more when, as ah as humans, to classify account takeover fraud as not my fault versus authorized payment scams as, oh my God, it's my fault.
00:31:17
Speaker
And I think that is, that input is critical. I don't think we understand yet the emotional toll here, not to mention the financial. um What else could we do on the payment rails, Dan, besides confirmation of paying your account, besides the receiving side, maybe the sending side? Sure. one One comment on something you just said first. So, you know, you commented on, you know, authorized...
00:31:38
Speaker
unauthorized push pay unauthorized payments versus authorized push payments and how an unauthorized payments you know we are protecting the consumer well without turning this into a regulatory conversation we do have reggie sitting out there that was created 40 years ago um that provides very specific protections for consumers in the event of unauthorized transactions and much as some current leaders of the country have tried to take that rule and push it in the direction of, un ah of, of authorized push payments today. There's nothing in the law about that.
00:32:15
Speaker
And so i think that we, you know, there's no regulation that requires a financial institution to give you your money back. If you walked into the bank and said, i instruct you to take my money and send it to this destination that's on you.
00:32:32
Speaker
Um, and so, yeah it's It's going to be interesting to see how that unfolds in the coming in the coming years. But I do think that this is not a problem we can regulate our way out of. I think a regulatory solution for this will result in fewer services and more limited services being available to consumers.
00:32:55
Speaker
Yeah, and I also think that we lean a lot on regulation, whereas, you know, when it comes to why we can't share data. And I would advocate for not just financial institutions, everyone in the industry, if we don't step up and take charge and think about what we can do versus stand behind what we can't do,
00:33:14
Speaker
it's not going to be pretty. So we don't we don't need to wait for regulation. We need to each think about how we can step up.

AI and Customer Engagement

00:33:20
Speaker
And one of the initiatives that is happening is the Aspen Institute Financial Security security Task Force, I hope I'm not messing up the name, really focused on providing, they're going to launch a policy recommendation towards the the end of the year. And I hope that different players that are part of the Aspen Institute initiative will think about how they can step up and take a self-accountability to implement some of the policies because we really need to step up.
00:33:47
Speaker
So I wanted to maybe go beyond the payment rails because just like you said, most of the transactions are legitimate. There are some transactions that are not. And if we if someone who's now, but we're talking about authorized push payment, is instructing the bank to make the payment, they are already under the social engineering manipulation and play. And we see many cases where someone is even contacted by the real bank fraud team saying, you know, you're under an influence of of a scam and and trying to figure out how to say it properly so people really understand. And it's really hard. It's it's really psychology in there.
00:34:26
Speaker
But it's often too late. And they're guided by the criminal. They know the bank will call. They know what to say. They're saying we're buying solar panels. They're saying... you know different, we're moving, we needed to rent a U-Haul, whatever. And the question is from a prevention perspective, you have on one hand catching it at the point of payment and on the other hand awareness.
00:34:49
Speaker
But What can we do in between? And obviously I've been talking about stopping the emotional manipulation and its tracks with what we do, but would really be curious from your conversations and your thoughts about prevention and catching the scam in the moment. and So it's interesting. So we, we, again, Royal, we fraud fighters, financial institutions, when we see something going on and we're going to try and stop it, but we create a case.
00:35:20
Speaker
And even if we're going to have someone from the fraud team pick up the phone and call this party and try and resolve the situation, they're on the clock.
00:35:31
Speaker
Somebody in the organization has a ah KPI that says we want our interactions with customers to be on average less than 90 seconds, right? The bad guys will invest hours, days, months in cultivating trust with this customer and cultivating um a belief in the customer that what they're doing is rightful.
00:35:55
Speaker
um There's one of the large banks in the US, I saw a speaker who talked about a program that they had in the call center where they actually put psychologists in the call center.
00:36:08
Speaker
So that when they had these calls come in, they would have the psychologist engage with the customer. And they had a very high success rate for conversations that lasted 45 minutes to an hour.
00:36:21
Speaker
So anybody he listening to this um podcast, imagine in your organization, one of your fraud services representatives sitting on the phone with somebody for 45 minutes. That's just like we it's just not it works, but we can't make it production.
00:36:36
Speaker
Right. And so now the question is, can we create AI models, as an example, to engage the customer, keep the customer engaged in a truly realistic way um counteract what the bad guys are doing, which sometimes involves AI, but frequently

Innovation in Scam Interception

00:36:54
Speaker
doesn't it?
00:36:54
Speaker
Frequently involves a ah real person, right? So I think that we have to we have to take advantage of the same tools that they're using in order to put people on a bad path. to interact with those same people and try and drag them back onto the good path.
00:37:11
Speaker
Really interesting concept with, them because yeah Kit Boga has the solution to waste scammers time and multiply himself with ai But what you're talking about is how do we multiply those so and psychology experts ah into assisting as many customers as possible. Very interesting.
00:37:31
Speaker
um But again, this is, this is maybe a little too late because they're already manipulated. They're already under the spell. And a lot of times our, the financial institutions first interaction with them is either because they've had a payment stopped or because they've already lost money and just realized it. Oh my gosh, I just lost money.
00:37:55
Speaker
You need to help me get it back. Um, again, by then it's, it's a little bit too late. So we'd love to be able to do things earlier, And again, this is where we get into awareness and education and things like that. But I do think that pattern matching and being able to to slow things down when we see things that are starting to wobble and force the customer to come to us to interact, that gives us the opportunity to do that engagement.
00:38:23
Speaker
Mm-hmm. And i would I would encourage financial institutions to think outside the box a little bit. and Yes, there are a lot of things, just like you said, that we could take from account, take over fraud protection and implement.
00:38:36
Speaker
ah Looking mutual accounts is a big part of this as well. And in addition, let's think how we can interject before before the scant before the payment, before the point of payment. So just like you said, maybe that...
00:38:51
Speaker
insertion of, you know, maybe the first payment is gone, but maybe the subsequent payments we can't stop by detecting these patterns and and communicating with the individual. And maybe we can go even earlier and and before, and you know, between that education, which is still, I believe is important because at least you, they know these things are happening if they read the emails.
00:39:11
Speaker
um There are maybe more effective ways of education, fun, playful, that, We've been talking about here as a marketing opportunity to create trust with a financial institution, but also between that and the actual scam, I think there are opportunities as well.

Future of Payment Systems

00:39:29
Speaker
um So any additional thoughts you have? I always wrap up with... Fight. Maintain your energy. Maintain your energy. We're going to be... This is a marathon, not a sprint. True.
00:39:40
Speaker
So used to wrap up these conversations with what are you hopeful about? And I just realized that in the last few episodes, I've stopped asking that question.
00:39:54
Speaker
But I feel like here we we can ask this again. So in your recent... I would say in the last two, three years, the fight has been hard and we have a lot of work in front of us.
00:40:06
Speaker
What are you hopeful about still with the scam with with regards to fighting scams in this industry? Yeah, i'm I mean, I'm still I'm not hopeful. I am confident that we will we will have it. We do have a very safe payment system here in the United States.
00:40:22
Speaker
um We will figure out ways to protect consumers as much as we can. That does not mean that no consumer will ever lose a dollar because we can't stop all consumers from doing things against their own best interest.
00:40:36
Speaker
um That said, I'm very confident, you know, we're having this kind of conversation. The Federal Reserve is standing up things like scam classifier model. We're having conversations about how do we do information sharing.
00:40:50
Speaker
We're expressing a willingness as an industry to slow things down, to slow down customers when we look at those customers and think that they're doing something that might go down a bad path. um So I'm confident things will continue to get better.
00:41:05
Speaker
Great. Well, Peter, it was so great to talk to you. Thank you so much for joining the conversation. Always a pleasure. Can't wait to do it again. Okay, great.