The Role of Politeness vs. Urgency in Scams
00:00:00
Speaker
So let's switch to the Craigslist research. What I really liked about this is the question, what is more effective, politeness or urgency? In the process of deception, you have a sender and receiver. The receiver constantly sends messages or cues to the deceiver, so to speak. And the deceiver, based on the cues you're going to get from the receiver, will change their behavior, so to speak. So if I'm telling you a story,
00:00:28
Speaker
And I'm trying to pick up the cues coming from you. I'll try to figure out whether you're buying what I'm telling you or not. And if you're not buying what I'm telling you, then I'll probably change gears, shift gears and sort of try to come up with a different strategy to use with you in order to defraud you from whatever I'm trying to defraud you from.
Introduction to Scam Rangers Podcast
00:00:49
Speaker
Scam Rangers, a podcast about the human side of fraud and the people who are on a mission to protect us. I am your host, Ayelet Biger-Levin, and I'm passionate about driving awareness and solving this problem.
00:01:09
Speaker
Hello, Scam Rangers! I'm incredibly excited about today's episode where we dive into the behavior of cybercriminals with David Maimon, a professor at Georgia State University and Head of Fraud Insights at SentiLink. David's groundbreaking research focuses on cybercrime, including the progression of cyberattacks, vulnerabilities in computer systems, and decision-making processes in cyberspace.
00:01:35
Speaker
This episode is brought to you by Rangers AI. As we close out 2024, remember that scams don't take holidays, but neither do we. At Rangers AI, we're committed to equipping organizations with the tools they need to empower customers to stop scams before they happen. With ScamRanger, we help you put fraud prevention in your customers' hands, building trust and creating a safer environment for all.
David Maimon's Research Journey
00:01:59
Speaker
Hi, David. Welcome to the podcast. It's so great to finally have you here on Scam Rangers.
00:02:04
Speaker
Thank you so much for having me, Ayelet. I really appreciate this opportunity and I'm excited to talk to you. Great, so there's so much to dive into. Obviously we're going to focus on scams. I know your work is much, much broader than online scams, but actually some of your earlier research than what we're familiar with today focuses on psychological aspects around scams. So I'm excited to dive into that today. Many of you know David from LinkedIn and all the research, the great research that he and his team are doing in terms of looking in the dark web and underground and looking for
00:02:39
Speaker
different types of information. So I wanted to start by asking you to tell us a little bit about you, your background, and what your team is currently doing, and then we'll take a dive back into some previous research, which is so relevant, I think, to what is happening today with online scams.
00:02:56
Speaker
Sure. So I am originally from Israel. I came here to the United States in 2005 to pursue a PhD in sociology. And back then I was interested in a different area of research. But then comes 2010. I got my first or second professorship position in the University of Maryland. And, you know, I'd kind of gotten tired of doing the same thing in the context of that area of research and looked for something else to do.
00:03:24
Speaker
And, you know, one of the things that I really like is to explore and be out there in the wild. And I had some ideas at the time to actually just quit everything and go and chase the giant squid in Australia, because I really like to sort of explore things. That didn't work out for me. So instead, I switched gears from studying neighborhood effects to studying cybercrime. And in that sense, starting 2011 or so, I started diving into the ecosystem, the cybercrime ecosystem, and looked for cool ways to collect data.
Data Collection on Cybercrime
00:03:59
Speaker
We started with hackers, we moved to fraudsters, and we kind of stayed in the realm of fraud during the last 10 years or so.
00:04:09
Speaker
simply because there's so much there and the ecosystem changes on a pretty much daily basis. And, you know, if you think about it in the context of what I wanted to do originally, which was to be in a submarine in the deep and chase, you know, creatures we're not really familiar with, in a way we're doing the same thing in the context of online fraud and the darknet and text message applications and so on. So yeah, I'm pretty excited about what we do and appreciate the fact that folks find it relevant. So tell me a little bit about the type of research that you currently do with your team. So what I try to do in my academic research, as well as in the context of my applied research, is to just find ways I'll be able to
00:04:59
Speaker
get into the ecosystem, the online fraud ecosystem, deploy tools which will allow me to understand how the fraudsters, how the targets, how the guardians essentially think, as well as take into consideration the circumstances in which they exist and which impact the progression of a criminal event.
00:05:23
Speaker
So, you know, there's a lot of research, a lot of academic research about trying to answer why people engage in crime and fraud and so on. Less about the progression of those events. And the reason for that is that if you think about studying crime in a traditional way, where you sort of complete a survey or you work with police reports, it's very difficult to understand the progression of the event, simply because you get the file, you get the data, after the event occurred.
Evaluating Cybersecurity Measures
00:05:51
Speaker
Right. And what interests me is really the progression of the criminal event. And one of the reasons why I really appreciate cyberspace and research around cybercrime is the fact that if you know what you're doing and you're familiar with the tools and you're happy to study how to integrate technical tools with social science models, you'll be able to embed yourself in interesting junctions across the ecosystem,
00:06:18
Speaker
collect data, run experiments, and then actually study the progression of the criminal event. And so, you know, I have a lot of research that we conduct right now in the context of grooming, in the context of, you know, hacking, but most of what I do, like my area of expertise, focuses on fraud. And in that sense, I embed myself in all environments you can think of that fraudsters essentially use,
00:06:43
Speaker
collect data systematically and try to find ways in which I can disrupt the ecosystem. And that requires some innovation and sometimes some guts. Right. And one of the things, one of the terms that you mentioned to me, and I asked you what that means, is evidence-based. So can you explain a little bit or maybe give an example of what you mean by evidence-based research?
00:07:06
Speaker
When I started my academic career in Georgia State, I created this evidence-based cybersecurity research group. And the whole point of the group essentially was to identify what works and what doesn't in the context of online crime prevention. A lot of policies out there that we are deploying in the context of our organizations, a lot of tools, we pay a lot of money hoping that at the end of the day they will be able to deliver and protect us, but unfortunately not a whole lot of evidence with respect to the effectiveness of the tool. So what I'm trying to do in the context of my academic research is create some
00:07:44
Speaker
knowledge base with respect to the effectiveness of tools and policies in achieving their goals. We're trying to do that in the context of cybersecurity, but, you know, of course in the context of online fraud prevention and mitigation. So in that sense, we test the effectiveness of, for example, 2FA, the effectiveness of, you know, warnings, the effectiveness of different policies and tools, simply try to produce some kind of a baseline knowledge, which then policymakers and chief fraud officers, chief cybersecurity officers will be able to use in the context of their decision-making process when they consider adopting a specific policy and tool.
Intelligence Gathering Techniques
00:08:26
Speaker
And the approach suggests that in order for you to produce this evidence, what you need to do is
00:08:30
Speaker
need to be out there in the field, like we are, yeah, and conduct scientific experiments and engage in rigorous data collection, which will be as objective as possible, not biased.
00:08:47
Speaker
And, you know, once the findings are available, make them available to essentially everyone in the ecosystem in order to help guide their decision-making process. That's essentially what we're trying to do. Make it accessible to everyone to implement. That's amazing. So we're going to start diving into details. Just wanted to add one comment.
00:09:06
Speaker
And you talked about the perspective of a crime scene and crime scene investigator after the fact that needs to collect the evidence and everything that happened, versus what you're doing is actually tracking during the progression, which we'll definitely talk about in our first topic of discussion, which is going to be business email compromise. But there's also an intelligence aspect here of not intervening, even if you were able to identify that a scammer is now in play. If you are able to wait and learn the methods and not interject in the middle, but actually take a step back and observe the whole ecosystem and draw conclusions, then you can more effectively combat that
00:09:50
Speaker
in the future. So it's really like collecting intelligence on a military scale, just in this ecosystem.
BEC Research and Insights
00:09:57
Speaker
I think you're 100% correct. I mean, if you think about what we do, I mean, and this is how we got into collecting intelligence to the scale that we're collecting at this point,
00:10:06
Speaker
because, you know, the vision was to simply be out there with the main actors, the guardians, the enablers, the fraudsters, the targets, find ways in which we can deploy our tool, collect data and simply understand what works and what doesn't.
00:10:23
Speaker
But then when we started to do that, especially in the context of fraud, we realized that we're looking at some really powerful intelligence, which some of our partners could actually use in the context of their fraud fighting operation. So, you know, in 2021, for example, I mean, we spent a lot of time on Darknet, then we pivoted to text message applications, and then we started to see all those checks and all those screenshots with identities. And, you know, at some point, we tried to figure out whether what we're looking at is really real
00:11:00
Speaker
or just noise, because, you know, we had a lot of experience in the darknet. And in the darknet, there was a lot of noise at the time. Yeah. And so we had to sort of engage with folks in the industry in order to test what we're seeing. And unfortunately, or fortunately, depending on which side of the coin you're sort of looking at, most of what we found out there was, you know, real information.
00:11:22
Speaker
And so in that sense, because we were out there sort of doing academic research, but we also had no deliverables. So it wasn't just academic research that we were out there. We simply were there to learn. We realized that there's a lot of data out there that then we can use, we can collect, and then we can share with some of our partners. And that's how we got to do some of the things that we were working on today in the context of threat intelligence. So you're 100% correct in that sense.
00:11:48
Speaker
And when we talk about noise in the underground, it's really scammers scamming scammers with false data, or what is the noise there? Yeah, I mean, you have a lot of people saying they can deliver commodities the other day they can. Yeah, so scammers scamming scammers that want to scam other people. Most scammers, right? I mean, you have, I mean, I remember in the Darknet at the time, there were a couple of people offering hitman services.
00:12:17
Speaker
Now, you know, it's problematic for me to test whether these guys are legit. That's true. Because at the end of the day, you know, look, in order for me to determine, I have to engage and I have to get some evidence that what they're talking about is legit or not.
00:12:31
Speaker
But there were a lot of people like that, and I assume that many of those individuals were just bluffing. Then you had a lot of people saying, I can give you amazing drugs. And then you purchased the drugs and you got a rat in a box in the mail, so to speak. So this is some of the noise I'm talking about. And of course, you had all those rippers and scammers who came, scammers, and there's really a lot going on. But yeah, you're correct in that sense.
00:13:00
Speaker
So I like your, you know, your point of view on the hitman because that brings kind of the point of what are the boundaries and the ethics around your research. So let's start with the first topic, which is business email compromise, because I think it touches a lot of those questions. And you also talked about ethics in one of the articles that you published on this topic.
Fraudsters' Versatility Unveiled
00:13:20
Speaker
So tell me a little bit about this research. The topic is business email compromise, which is essentially cyber criminals using emails in order to defraud individuals who work in organizations and, most commonly, and you can talk obviously more to this, but most commonly asking people who are able to move money, so like controllers or treasurers of, I think nonprofits is something that you looked at as well,
00:13:47
Speaker
and convincing them that the CEO or someone in the organization or a vendor that changed their payment address, and we've seen a lot of that when the SVB collapse or fiasco happened, that a lot of business email compromise was a big outcome of that. So tell us about the research, what the goal was, and I have a lot of questions to ask you, so I'll just let you go. So this is one of the reasons why I really love my academic career, right? Because I don't have any deliverables I have to sort of meet on a daily basis. I can just be out there and swim and do any type of research which I care about and that gets me excited. The research that you're referring to is a really cool one. I mean, essentially what we've done on this one was we partnered with this company
00:14:43
Speaker
which offered spam filter services. And, you know, the research took place a couple of years ago, and what the company essentially was supposed to do was prevent all spam filters from actually getting into their customers' inboxes. And back then, there was a lot, and to an extent today as well, there's a lot of interest around business email compromise.
00:15:08
Speaker
You know, the MO is similar to, of course, what you just mentioned. And the company was very sort of excited, right, about the opportunity to actually understand the MO better. So what we decided to do with the help of the company was to try to engage with the fraudsters. Some of the things that the company did at the time was to sort of prevent those business email compromises from slipping through. But once they saw those emails, they sort of let us know.
00:15:41
Speaker
And, you know, what we've done was we pretended to be the intended recipient of the emails, of the business email. So the company that the fraudster essentially targeted. And we sort of played along with the fraudster, so to speak. So they told us, hey, I mean, we needed to send the money here. So we told them, OK, we're going to send the money. Just do me a favor. You know, before we send the money, you have to sign this EULA
00:16:10
Speaker
and, you know, click on that in order for us to be able to route the money to your account. An end-user license agreement, yeah. Exactly, right? And in the EULA, what we essentially told the fraudsters was that once they click OK on the email, they allow us to take over their inboxes. And of course, you know, the fraudsters did not read the EULA. And so many of them clicked in. And that essentially allowed us access to their inboxes, which was a really interesting experience. Right? You can think about it. We got access to around 77 inboxes of fraudsters, active fraudsters,
00:16:48
Speaker
which were very much active, and we were able to see what's going on, you know, under the hood of the operation, which was really amazing. We were able to do some, you know, cool preventions and alert some banks that we've seen some transactions and checks that these offenders received.
Exploring Long-term Scam Operations
00:17:08
Speaker
We were able to understand the modus operandi and the relationship between some of them. We were able to learn, you know, how often they're using the inboxes, the age of the inboxes, the level of activity of the inbox. It was a really cool operation and, yeah, I'm really glad I was part of it.
00:17:28
Speaker
So one of the things that I saw while reading an article about that research was, and you mentioned it earlier in our conversation today, the concept of scammer progression over time. There's an image there that shows that, yes, there's a classic BEC, but they also engaged in other types of scams and romance scams and job scams. And one of the things that I like is the duration for each scam that you were able to figure out by monitoring these inboxes. So tell me a little bit about those findings and what were you looking for and what surprised you, maybe.
00:18:04
Speaker
So one of the things that I was very much interested in at the time was how versatile these guys are. You know, in the criminological literature, there's this discussion between versatility of offending versus being specific with your offending or specialized offending.
00:18:22
Speaker
I was very much interested in understanding whether the fraudsters are versatile in their offending and so whether they engage in different types of fraud simultaneously or not. And so to do that, we dived into the inboxes and we knew we're going to get a lot of business email compromise because essentially that was the hook that got us, so to speak.
00:18:42
Speaker
But then reading through the emails, we realized quite quickly that these guys were involved in various types of fraud. We're talking about online romance fraud, for example, that these criminals were involved in. We're talking about, you know, Craigslist real estate fraud. We're talking about different types of fraud that we haven't really mentioned in the paper because they were too sensitive. And, you know, in hindsight, I'm kind of disappointed we haven't mentioned those because, you know, nobody but us essentially knows about them, right? But, you know, frauds like, we called it,
00:19:28
Speaker
you know, the escort girl fraud, right? The escort girl scam, so to speak. I mean, essentially, I don't know if your listeners are familiar with this, but this is a type of scam where, you know, someone pretends to be a customer of, you know, one of the adult service providers. They look for specific providers to work with.
00:19:53
Speaker
They promise the providers to, you know, send a lot of money once they spend some time with them. And then, you know, they send them the money and essentially hope the providers will help them launder the money.
00:20:09
Speaker
Scams like that, which we don't hear too much about, but we've seen evidence for those in the inboxes. Another really interesting fraud we haven't really talked about is focused on folks with disabilities. You know, a lot of really cool scams that folks were working on simultaneously, which at the end of the day proved to us that those fraudsters are versatile.
00:20:35
Speaker
And they constantly think about new types of fraud to engage in. They constantly look for new targets to target with different plays, sometimes even using the same play, just a different audience and a different story. And that was tremendously interesting. One of the interesting things that we were able to see observing the emails and investigating the email addresses we were working on was, you know, the age of the inboxes. And we've seen that those inboxes
00:21:11
Speaker
were used for a long period of time. We're looking at an average age of an inbox of around two and a half years or so, with some of the email inboxes going back to 2002. So just imagine how much fraud you can have done, right? I mean, if you've been engaged in this business since 2002 in all kinds of fraudulent operations and targeting so many people. I mean, so, you know, really interesting findings there that we have from this type of research.
00:21:39
Speaker
So one of the questions that comes to mind is how do they pick for a certain recipient that they're engaging with? How do they pick their scam?
Target Selection by Fraudsters
00:21:49
Speaker
for that one. How do they select what will be most effective for a certain potential victim? Which they call customers, right? Yeah, high-end customers. Yeah. So it really depends, right? I mean, it truly depends on the play. It really depends on the type of fraud. I mean, in the context of business email compromise, you know, folks are looking for companies and CEOs. They collect as much information as they can about the company and then they
00:22:14
Speaker
target those companies. In the context of online romance fraud, I mean, we all know what they do. I mean, they simply, they cast a net, so to speak, and then they try to sort of find their targets by engaging with them over Facebook or other dating apps. You know, we've seen that at the time as well.
00:22:34
Speaker
Craigslist, you know, they're simply out there constantly looking for folks to work with, being very creative, very innovative, of course, thinking about, you know, different ways to sort of engage with folks. So I wanted to spend a couple minutes also talking about the methodologies that you use in this research, because you're talking about tracking huge amounts of data.
00:23:01
Speaker
And I hope you didn't read all those emails yourself and, you know, do that manual work. So tell me a little bit about the methods that you use to analyze the data. You know, we work closely with professors and students from NYU on this specific project. You know, we use some of the automatic tools that they developed in order to find what we were looking for at the time. We're talking about machine learning, you know, processes that we implemented in that sense. But also, I have to tell you that I spent a lot of time working with the data manually.
00:23:37
Speaker
You know, we're talking about a very large volume of threads, email threads, that we got, and because some of the tools we were using at the time were able to pick some of the words and sort of help us understand whether we're looking at business email compromise or online romance fraud or other types of frauds, the scams I just shared with you would have been, like, under the radar unless someone would have looked at them manually.
Craigslist Experiment on Scammer Strategies
00:24:06
Speaker
So, you know, I find a lot of value in spending time with the data, manually reading through what we're seeing there, in addition to using all those sophisticated tools that folks were using at the time, right?
00:24:19
Speaker
Yeah, I 100% agree. At the end of the day, machine learning is as good as the data we put in, but we need to really understand and train the model. So manual is definitely part of that. That's what we do at Rangers AI as well. We learn the scams and do that type of analysis as well.
00:24:42
Speaker
So let's switch to the Craigslist research. What I really liked about this is the question, what is more effective, politeness or urgency? So tell me a little bit about that. And to me, it opens a bigger question that I'm not sure it's not really part of the research, but kind of opened a bigger question. What's more effective, fear or opportunity? What is more successful for scammers? But tell me about this research and we'll take it from there.
00:25:09
Speaker
Yeah, and again, so as a professor, you can jump from one area to another quite quickly without anyone giving you any trouble, right? I mean, so, you know, the business email compromise was a really cool operation. But then, as you mentioned, I mean, I'm very much interested in the progression of online fraud events. And at the time, and I think, you know, we're going to start seeing a comeback of that in the near future or so, you know, based on conversations that I'm having with people in the industry as well as what we're seeing out there,
00:25:41
Speaker
Craigslist has become one of the major platforms for folks to use in order to defraud individuals. We're talking about, at the time, people who were advertising all kinds of commodities, you sending the money in and at the end of the day getting nothing in return. No offense to Facebook Marketplace that is right up there. post understood Right. So you have those types of individuals, but then you also have a lot of individuals who, you know, sent money to vendors but never received anything. So at the time, I was really interested in this process and I was really interested in this type of scam. And so what we decided to do with my teams at the University of Maryland back then was to create honeypots with ads
00:26:31
Speaker
on Craigslist, over Craigslist, which advertised jewelry and phones and auto parts and, you know, other stuff. We deployed the ads, the honeypot, so to speak, on Craigslist. The items we listed were listed for inflated prices. So, you know, if you, Ayelet, would have seen an iPhone, like a used iPhone for $800, our assumption was that you will never contact us. And yeah, that was true to an extent. But, you know, if you were a fraudster, on the other hand, you don't really care about the price, right? I mean,
00:27:12
Speaker
essentially what we have is a bot which constantly sends emails or helps you sort of find, you know, the victims responding to their ads and tries to engage in a conversation with the owner of the item. And so that's what we had in mind. We deployed, you know, several hundred ads like that over Craigslist in 20 cities here in the United States and we simply, you know, waited for criminals and the fraudsters to engage with us, right? We deployed that. And, you know, of course we got a lot of interest from fraudsters. And the reason why we know that, you know, the majority of them were fraudsters was that, you know, at some point during the conversation we were having with them, they told us that they actually sent money to our PayPal account. But guess what? We didn't have any PayPal account.
00:28:05
Speaker
So that gave us a really strong reason to believe that, you know, those 600 individuals we were talking to were essentially fraudsters. So, you know, in this process, because folks, you know, they saw the ad, they contacted us over email, and we started sort of talking to them, we really tried to understand, you know, the modus operandi of the
Fraudsters' Consistent Strategies
00:28:34
Speaker
criminals. Essentially, what are they trying to do and, you know, how are they trying to lure us to send the item, so to speak. And what are some of the approaches that they will take in order to make us send the item to them?
00:28:51
Speaker
And in that sense, we drew heavily on some psychological, you know, social psychology models, which suggest that in the process of deception, you have a sender and receiver, and the, you know, receiver constantly sends messages or cues to the deceiver, so to speak, and the deceiver, based on the cues you're going to get from the receiver, will change their behavior, so to speak. If I'm telling you a story,
00:29:26
Speaker
And I'm trying to pick up the cues coming from you. I'll try to figure out whether you're buying what I'm telling you or not. And if you're not buying what I'm telling you, then I'll probably change gears, shift gears and sort of try to come up with a different strategy to use with you in order to defraud you from whatever I'm trying to defraud you from. So in that sense, we were really interested to see whether fraudsters will be consistent in their strategy to defraud us throughout the progression of the event. So in that sense, there were two behaviors, two strategies that we tested for their consistency, the first urgency.
00:30:05
Speaker
So, you know, I'm telling you, I'm willing to pay you this amount of money, but right now, I mean, if you're not making a decision right now and sending the item, then I'm running away, right? Yeah. And I need the item right away. So, you know, I need the item in the next day or two. If you can send it to me, fine. If you don't send it to me, you know, no business.
00:30:24
Speaker
So that was one of the strategies we were looking at, urgency, and, you know, we know that people are prone to error once they're nudged to make decisions urgently. The other behavior or strategy we were looking at was politeness. So, you know, if I'm polite with you,
00:30:41
Speaker
will I be able to defraud you more easily? Right, so we're looking at these two approaches. And we also tried to figure out, if you don't show the fraudster that you're suspicious, whether or not they will change their strategy of trying to defraud you during the progression of the event. And so what we did was we had those email communications with the fraudsters. And to make a long story short, what we found was that if you did not send any signs of suspicion to those fraudsters, they were very much consistent with their behavior.
Human Biases and Fraud Exploitation
00:31:24
Speaker
So it was urgency throughout, like, the three or four or five emails we were having with the fraudsters if we didn't really express any concern or any suspicion. Same thing with respect to politeness. But when you take these strategies and sort of compare them to the interactions you're having with legitimate customers, so to speak, and those are essentially emails we got from individuals who did not tell us that they sent us the money on PayPal, you've seen that it did not exist. There was really no strategy there. I mean, nothing was consistent in terms of their expression of urgency or politeness. And that was really interesting if you think about it in the context of fraud and the strategic behavior that the fraudsters engage in.
00:32:08
Speaker
You know, when you and I talk and, you know, we have no reservation in respect to our intentions, we don't engage in strategic behavior. Everything is non-strategic. We don't think and we don't sort of plan ahead what we're going to say. But if I'm trying to defraud you, I'll definitely have to think a lot about how I communicate myself, what I send your way, how are you sort of thinking and receiving what I'm telling you, and how I'm going to respond to that. And that was fascinating to me.
00:32:38
Speaker
That's really, really fascinating. And one thing comes to mind, though, because when you're two individuals that are not sales experts engaging with each other and just trying to, you know, one is getting rid of something, one is interested in something, then maybe. But I was immediately thinking about sales, sales process. You're right. That is intentional. And that, I'm not going to say it's deceiving. Yeah. It's not about deception. It's about how do I get to the heart of the person and convince them. But it is about convincing.
00:33:07
Speaker
Oh, yeah. Very similar strategy. So it's hard to decipher. And I think in this type of engagement, at times, there is a strategy. But I think one of the really interesting things about criminals is, a lot of them work with a playbook. But many of them, and especially those, I think there's the supply chain of the, you know, the spammers and the deceiving. This is also something that is maybe in the other research. But it's the very sophisticated emotional manipulation capabilities that the cyber criminals have. They have a lot of experience, I guess, in deceiving. And when you deceive all day long, you just get really, really good at it. Yeah. And it just makes me wonder,
00:33:54
Speaker
if human behavior is limited in our, you know, people without biases or without, just regular people who are being scammed, or do we have a kind of limited set of responses that enable criminals to get so good at what they do?
00:34:13
Speaker
There are really good books around this. You know, I can recommend a few if you want later, but, you know, unfortunately, human beings are... Predictable. I mean, they are prone to be defrauded, right? I mean, and the fraudsters, I mean, with time and even in the beginning of the, I mean, once you know that you're trying to defraud someone, you will engage in strategic behavior, which will be very planned.
00:34:41
Speaker
And if you have a lot of experience doing that, then you will sort of be able to expect what the other party will say and how you will respond to that. I mean, this interaction is something folks essentially study, right, and understand and sort of have a lot of experience, the more they do that. And we know that even not intentionally, even if they don't do it intentionally, fraudsters latch into biases in our decision-making processes. We're all human. Human beings are prone to biases in their decision-making processes. We're not as rational as we think we are. And, you know, Daniel Kahneman talked a lot about this in a lot of his books. You know, this yeah behavioral i not behavioral economics is essentially the science, right, of
00:35:28
Speaker
of, you know, biases in decision-making
Deepfakes in Scams
00:35:31
Speaker
processes. And so... Dan Ariely. Dan Ariely, yeah, yeah, yeah. All these guys, I mean, they conduct a lot of really interesting research in that sense. And essentially they prove that human beings are not 100% rational. And in that sense, even though the criminals, and I wouldn't say they intentionally aim to understand those biases in our decision-making process, they aim towards specific biases that they know essentially exist by working on this area, try to latch into them and try to convince us to do what they want us to do.
00:36:06
Speaker
Okay, so these were really, really interesting research papers and examples, and we'll try to link whatever we can in the show notes. I wanted to ask if you, kind of bringing us to more recent times, have you noticed now with your current research still focused on online scams,
00:36:27
Speaker
different methods of operation around the world, in different places around the world? We talk a lot about Nigeria and Southeast Asia. Do you see different patterns or different modus operandi in different places around the world? I think the plays are overall very consistent, very similar. I mean, you mentioned these two sort of regions, Nigeria and Ghana, and then South Asia. I mean, we see that the modus operandi is very similar. I mean, there are changes and few differences, right, with respect to how folks do what they do. So for example, in the context of pig butchering, you have those compounds, right, in South Asia, where people actually sit and try to defraud people by engaging romantically with them and convincing them to invest.
00:37:16
Speaker
While in Nigeria, on the other hand, it's pretty much the same operation, engaging with people and getting involved with them romantically and trying to send them money because they are hospitalized and don't have money to pay the bills and so on and so forth. I think the modus operandi is very similar in that sense. But it's different, right? That's exactly the question I asked before. Is it like, they're both relationship-based and caring, but one is talking about an opportunity, and the other one is talking about something bad that happened and creating, like, fear.
00:37:47
Speaker
So that's what I'm saying. I mean, the structure is very similar, right? I mean, the baselines are so, you know, online romance fraud, that's essentially what it's all about. But, you know, you can take it to, you know, opportunities to invest with me versus I need your help. So the story is different, kind of speaking, but the baseline is pretty much the same, right? Yeah. It's like the ransomware, for example. Ransomware is ransomware. I mean, the malware can encrypt your computer or you can encrypt specific files on your computer. But at the end of the day, it's ransomware. So in that sense, based on my understanding, and, you know, I might be wrong about this, I think that, you know, the structure or the basis for the fraudulent activity is similar, but then you have different plays. So hopefully that makes sense. Yeah.
00:38:38
Speaker
I am wondering if one or the other is more effective for criminals in the outcomes. I think that's maybe another interesting point of research, what works well.
00:38:51
Speaker
So I can't summarize this conversation without giving a few minutes to deepfakes. And you've recently uncovered a lot of deepfakes. So maybe share with the listeners who have not learned about what is happening and what you've seen when looking at romance scams or others, how are criminals using deepfakes today?
00:39:15
Speaker
The deepfake is really interesting simply because instead of a mask, which folks may or may not be able to detect when they talk to you live, they allow you to essentially swap faces with any image, any character, any face that you would like to use.
00:39:37
Speaker
And the deepfake technology has been around for quite a while. The criminals started using it, I think, during the last couple of years or so. And the problem is that they're using this technology in order to both engage with individuals using sort of other faces and other identities, but also opening bank accounts and cryptocurrency wallets and even submit unemployment benefits using other people's faces once they engage with it. And, you know, I actually posted about this earlier this morning. It's fairly easy to create those images. And there's a lot of software right now which allows you to inject the deepfake images to the computer camera or the smartphone camera in such a way that will allow you to bypass identity verification requests from your bank or from the government or from, you know, whatever organization you're trying to defraud.
00:40:34
Speaker
Gen AI in that sense plays a very important role in it because we've seen that criminals create images, steal images in many cases, and then use gen AI technology to bring those images to life. And once you bring the image to life and you inject the image into the computer camera or the smartphone camera, it's currently very difficult for the different inventors out there to detect that issue. And, you know, identity verification, unfortunately,
00:41:05
Speaker
will be successful for the criminals. So in that sense, yeah, deepfakes is a major issue that we are experiencing right now. And unfortunately, I'm not seeing the industry, like the fraud preventing industry, dealing with it, at least in the moment, in an effective way.
00:41:22
Speaker
And one aspect is identity verification. Like you mentioned, that's going to be really interesting to see how we tackle that. And another one is, we always said, if they're not willing, you know, when it comes to romance scams or romance, if they're not willing to have a video call with you, then it's a scammer. But if now they can have a video call with you and they can still pose as that individual, that's a very scary reality.
00:41:45
Speaker
It's scary and we're seeing them using this technology to communicate with their targets. We're seeing them in that sense, and, you know, I think I showed you in the past this video of this older lady who did not believe she was talking to the person who she wanted to believe she's talking to, because it was a scammer and he pretended to be her lover. They had this video call where they used deepfake technology. And after the video call, she was so remorseful. So she sent a criminal a video of herself getting undressed. And the criminal, of course, being a criminal, being a fraudster, you know, felt comfortable enough to share the video online and even engage in sextortion.
00:42:31
Speaker
Yeah, so fortunately folks are using this technology for malicious purposes. Yeah, you presented that at the Global Anti-Scam Alliance summit. Yeah, in Washington, DC. Yeah, that was very
Call for Government-led Scam Prevention
00:42:45
Speaker
very hard to watch. Of course, you didn't show the whole video. Yeah. But it was enough to understand what's going to happen, and definitely the first thing that comes to mind is then sextortion, which is horrible. Yes, extortion. You build a relationship with someone, right, and at the end of the day you're talking to them all
00:43:02
Speaker
over video and you're seeing someone's face, I mean, the rapport, you're simply building rapport with individuals, right? And they believe that, you know, you as a fraudster, you know, you are that person, right? That they want to believe you are. And so in that sense, once you're talking to them online, using that video, using that deepfake technology, you can bring victims to way darker places than, you know, if it was only a phone call or something. So, you know. Okay, so we're trying to get out of this darkness now, and with a little optimism, you mentioned earlier that you have this flexibility to do research and just go wherever you're interested, but you are also talking about setting policy.
00:43:47
Speaker
And one of the things that at least in the BC research that you did is you identified kind of the supply chain of everyone who's involved in the process. It's not just the scammer and but the victim. It's the way they communicate. It's the different technology platforms that they use. It's the email filters. It's everything there. So if you could suggest a few low-hanging fruit actions that the industry could take with everything that you know to maybe make a dent in the world of online scams, what are some ideas that you would have? Yeah, I think, again, a great question. I think awareness, first of all, is the most important thing, like doing what we do right now. Making sure fraud-fighting professionals are aware of the type of work that we in academia do is extremely important
00:44:39
Speaker
and in the same token, making sure that targets, like everybody, is aware of the fact that the criminals are essentially out there to get them and that this technology exists and that those scams are out there and that they need to be extremely vigilant. I think that goes without saying. I mean, at this point awareness is something that is extremely important for us to have out there. In addition, I think that we need to have some kind of an entity which will be able to connect the dots, so to speak.
00:45:12
Speaker
This is something that we're missing right now here in the United States. We're seeing more and more signs of it beginning to happen in Australia, some signs in the UK. Yeah, it's really important to understand that, you know, when we look at those societies, those are societies with smaller population size, smaller volume of banks, so it's maybe easier to do that in those contexts. But, you know, still,
00:45:37
Speaker
we need to make sure that we have one entity which allows us to connect the dots in a way that will allow us to respond to this issue in a more comprehensive and effective manner. An entity which will allow us to educate fraud fighters in a more effective manner. An entity which will allow us to lobby for new role, new laws and regulation. An entity which will allow us to help law enforcement and share information with law enforcement. An entity which will be able to take data from FIs and the government and, you know, health providers, bring it all together in order to make sure that we share information that is relevant to fraud. This is essentially what needs to happen. The criminals, you know, share information with each other. They teach each other. I mean, this is how I know what I know about fraud. I mean, the frauds essentially taught me.
00:46:28
Speaker
We need to make sure that we have a similar entity here in the United States that does the same and allow us all to share information in a way that will allow us to fight fraud in a more efficient manner. These are the two major sort of things that I have in mind. And I know that the first one is easier. All we have to do is just talk about fraud and educate and educate and educate. The second suggestion or policy sort of suggestion that I have is more complicated, but, you know, in order for us to be there, we need to start working on it.
Episode Wrap-up and Insights
00:47:03
Speaker
That's critical. I could not agree more with everything that you said about needing to have this government-led entity that can help facilitate collaboration and information sharing across multidisciplinary stakeholders across the industry, private, public sector.
00:47:21
Speaker
And the nice thing is that we do have a lot of kind of self-initiated organizations that came up, and we had a lot of them on the podcast come and talk about their activity, but hopefully we'll see a government entity at some point in time. Well, David, it was so nice to have you on the podcast. Thank you so much for everything. This was such a fascinating conversation for me, and I hope the listeners enjoyed it as well. Thank you so much for having me. I really enjoyed this conversation and diving into the type of research we were doing in the past and what we're doing now, so I appreciate this. Great. Well, hope to have you again soon.