A fraudster's guide to improving payments security

Register now

Credit card fraud is on the rise in the U.K. with more than $2 billion being stolen from credit and debit cards over the past 12 months, an increase of 38% on the previous year. But while large-scale data breaches have been heavily blamed for this surge in crime, ex-fraudster Tony Sales says one of the most pertinent reasons is a persistent lack of understanding within the financial industry of how criminals operate.

Sales is better placed than most to offer that perspective. A former professional criminal who was once dubbed "Britain’s greatest fraudster" by the U.K. press, experts says Sales once committed somewhere between $13 million and $38 million in credit card identity fraud, before the law eventually caught up with him.

“There are lots of people working in fraud prevention who have only ever defended against fraud,” said Sales, who now advises financial institutions on how to fend off fraudsters for the U.K.-based security firm We Fight Fraud. “But actually knowing how a criminal would look at things is increasingly important in today’s market.”
In particular, Sales says that companies typically underestimate how savvy fraudsters can be.

“As an example, companies switch their fraud control on and off, on a fairly regular basis, because it costs them money to have them on,” he said. “Fraudsters realize this, and so they will search for patterns in a company’s financial performance which indicate whether the fraud controls are turned off. Then they’ll target that company at that time.”

Much of Sales’ work involves trying to change the perspectives large companies have regarding fraud, and in particular, urging them not to accept fraud losses as being inevitable.

“All companies have what they call an acceptable loss, which they try to restrict to around 2%,” he said. “But that’s a problem, because it shows you must be vulnerable somewhere. All fraudsters are doing is searching for weaknesses in any system and hammering it. I’ve been saying this for seven years, and at first, everyone laughed at me. But now, there’s more of a demand from customers to not accept loss, because they understand that losses will directly affect them.”

With machine learning being increasingly implemented into fraud detection systems across both fintech and e-commerce industries, many are hoping that technology can ultimately keep criminals at bay. In 2019, many majors banks will begin rolling out their new confirmation of payee system to try to combat the rise of advanced push payment fraud. According to the U.K. Finance 2018 half-year fraud update, these scams cost U.K. consumers nearly $200 million in the first six months of 2018 alone. However, Sales explains that even the most advanced technology is always fallible to human weakness.

“You see over and over again that technology stops fraud for a while, but then the fraudsters become aware of what’s actually happening,” he said. “The main problem is that even with the latest artificial intelligence, fraudsters still only need to get to a staff member and socially engineer them into giving away information which allows them to hack the system. Fraudsters are very good at understanding how the psychology of a lie can influence someone to do something. And this is how banks have been hacked: by people calling up, claiming to be from the IT department, and then getting into the IT system. The only way around that is raising awareness and training staff through the company to be alert to this kind of thing happening.”

One of the major problems is companies continuing to avoid discussing the scale of fraud and problems posed by fraudulent activity in the public domain, because they are frightened of scaring off consumers and losing their competitive edge, according to Sales.

“All the time we have that, the fraudster wins,” he said. “By talking about it, more people are made aware of what can and can’t happen. The current culture needs to change, because ultimately fraud affects all of us, whether we are compliant in it or not, because we end up paying more on our insurance policies, electrical services, security services, everything. On the high street, we all pay roughly 15% more that we should, because the company’s losses due to fraud are factored in.”

For reprint and licensing requests for this article, click here.
Payment fraud Security risk Payment processing U.K.