When we launched Trust & Safety in Numbers last year, we set out to interview people on all sides of the fraud fight. Since then, we've sat down with an FBI agent, a former FBI Most Wanted hacker, fraud analysts, and security experts. We've learned a dizzying array of information: stories about diabolical fraud nemeses, tips for dealing with chargebacks and holiday fraud, and much more. We've had guests from Amazon, WePay, LinkedIn, Google, and Square.
For our twentieth episode, we're looking back on what we learned. How do you build an international trust & safety team? What's it like to live your life on the run from the FBI? And what on earth is a chocodile? This episode has it all.
Evan: Welcome to Trust and Safety in Numbers, presented by Sift Science. I’m your host, Evan Rampizoor. Last year we set out to interview people on all sides of the fraud fight: hackers, white hat hackers, FBI agents, fraud analysts, and since then we’ve produced 19 episodes. For our twentieth, we’re looking back on what we learned from our guests, including a few surprising things we didn’t get to include in the episodes themselves. So for the next 10 minutes or so we’re gonna hear 20 things we learned from our guests. For the less mathematically minded listeners out there, that’s about two things per minute – a lightning round of fraud, trust and safety, and shocking stories – maybe not so shocking but surprising.
So instead of warming up with a quick fraud fact like we usually do, since we’re going to be hearing about 20 fraud facts over the next 10 minutes, let’s jump right in and see what our guests had to say. Number one, fraud can wear an invisibility cloak, especially chargebacks. Here’s more from Denise Aptekar, Senior Director of Global Payments at Upwork.
Denise: We all get chargebacks and when we get chargebacks the first thing we tend to do is separate them into is this a service problem? Is this person upset with the service they got? Or is this a fraud problem? Is this a stolen credit card and the card owner is saying, “I didn’t do this transaction.”
Evan: But Denise says this may be a false dichotomy – something that registers as a fraudulent chargeback may not actually be the result of a stolen credit card.
Denise: It was not lost and the cardholder either actually did do the transaction or they know who did.
Evan: Number two, when you’re hiring fraud analysts it isn’t always about relevant experience. Rona Ruthen, Head of Global Operations at fintech startup Curve, has more on that.
Rona: So being generally interested in identifying and understanding the topologies, finding creative ways to stop these fraudsters, and getting really angry when they manage to get through. So for me, it’s a personal thing, and I also think that’s really well connected with a mindset that’s required for working in a startup – so being very open to change, open to having to do new things all the time, deal with new experiences, and adapting quickly. And that’s true for any role in a company like ours, and definitely when fighting fraud.
Evan: Number three, earning and keeping your customers’ trust is one of the most challenging and important parts of running an online business or community. Sejal Monterroso, VP of Customer Success at Zoosk, teaches us how to do that. A certain large social media corporation, I’m not gonna name any names here, should probably listen up.
Sejal: Actually putting protection of our customers, the privacy, treating their data with respect, you know, not retaining data longer than we need to, all of those things, I think, play into building trust with customers.
Evan: Number four, white hat hackers or bug bounty hunters go around looking for security vulnerabilities on websites, but when it comes time for them to alert a website about that vulnerability they may not be able to. Alex Rice at HackerOne has more on that.
Alex: They would become aware of a potential problem in a website. They don’t have clear protections under US law to actually come forward and tell somebody about that. If the company doesn’t proactively welcome those type of security reports, the individual hacker is actually placing themselves at significant risk by telling you about a problem.
Evan: Number five, how on Earth do you manage a large, international fraud team? Thankfully, Paul Rockwell, Head of Trust and Safety at LinkedIn, has some experience with that.
Paul: Not just taking stuff reactively, we’re also looking proactively for potential attacks. So what are some of the things that are being discussed in hacker forums or things of that nature that we need to really be tuned into because those could be a problem?
Evan: How are we doing so far? Are we ready for number six? All right, here we go. Number six, around the holidays from around Thanksgiving through the New Year, businesses can expect to be inundated with fraud. Courtney Bode, who was at the time the Head of Marketplace Operations at Wanelo and just founded a company called OpsTales tells us just how bad it can get.
Courtney: We actually see our [inaudible 00:04:17] sometimes up to tripling. We also can see our dispute rate doubling if we’re not really careful about it.
Evan: Number seven, fortunately there are things you can do to manage. Maritza Dominguez, Head of Trust and Safety at Patreon, has a great suggestion.
Maritza: To become friends with fraud fighters at other companies. It’s super helpful to share tips and things that you’re doing and finding out trends that are happening in other places. They may not be the exact same as yours, but it can spark an idea of something you can try that might be helpful for you.
Evan: Number eight, we actually learned a lot of interesting stuff from Brett Johnson, the former FBI Most Wanted Hacker who’s currently head of AnglerPhish Security and a friend of mine, I’m excited to say. Take a listen. Here he’s talking about what happened after the Secret Service caught him doing a bunch of illegal stuff.
Brett: So they finally found out that I was warning some friends of mine and doing all this illicit activity, not only as a part-time side offer from outside of their offices but from inside of their offices as well. I was actually breaking the law from inside of their offices. After 10 months they gave me a polygraph. I failed that completely. They threw me in the county jail. I was not under federal charges at the time. I was just under state charges. The state judge reinstated the bond. Nobody told the Secret Service, I took off on a cross-country run. I was out for four months, stole another $450,000 out of ATM machines, made the United States’ Most Wanted list, got caught, sent to prison, escaped from prison, got caught again, served out the time in west Texas where, let me tell you something, Texas knows how to do two things: barbecue and building prisons. So served out my time there. Took about two years for me to really understand the damage that I had caused and to really regret my life choices.
Evan: Number nine, Fred Sadaghiani, CTO here at Sift Science, predicts that machine learning will become fundamentally ingrained in the way we operate online.
Fred: I think five years from now we may not be talking about machine learning anymore, and the reason is it’s just gonna be so ingrained in the fiber of all of the technology and systems that we have. Right now we’re kind of at this peak of machine learning and AI as top subjects, but in the same way that today we probably don’t talk about big data because it’s, kind of, just a given, yeah, you’re a company. You’re online and you’re dealing with many, many different users. Well, you have big data. Well, in five years from now we probably won’t be talking about machine learning anymore, and so what does that mean? I think it means a couple of different things.
Evan: Number 10, halfway through. When you’re first starting out as a fraud fighter at a new company, it can be difficult to know where to begin. Security expert Robert Lee starts with a simple reminder.
Robert: You know, realizing that these attackers are extremely motivated. They have more time invested and spent on this than your organization probably has. Anytime they started a program at a new organization, I try to put a heavy amount of emphasis in our ability to have complete logs and be able to detect what these user accounts are doing. You know, who is doing what and from where?
Evan: Number 11, why is it so important to have a Trust and Safety team at all? Our Trust and Safety Architect, Kevin Lee, gives us a pretty clear illustration.
Kevin: Any risk team is pretty clear, whether it’s a financial mandate or a customer experience mandate. Really you are empowered to build trust between your company and that end user.
Evan: Number 12, Michelle Arguelles, Product Marketing Manager here at Sift, goes into more detail.
Michelle: Fraud can really be an existential problem for a business. So the work that you do as a risk analyst is really impactful in making sure that your company isn’t getting hurt by fraud but, you know, speaking from my experience at WePay, where we actually were processing payments on behalf of other businesses, we were protecting a lot of small businesses from fraudulent chargebacks. You know, your mom and pop store might not know what fraud looks like or how to protect themselves from it. So we could step in and really do that for our customers.
Evan: Number 13, this is actually from the first interview I ever did, which seems a thousand years ago at this point. Account takeover has experienced a steady rise for the past few years, but FBI agent M.K. Palmore says there was a recent slight dip in ATO. Here’s why.
M.K.: I would say that that tapering off was mostly because of an awareness campaign that I think not only the FBI but other entities that push word out about fraud schemes were successful in getting the word out. So I think we saw the height of the fraud takeovers, as it relates to business email compromises in early 2016 and although, again, we’ve seen a downtick or we don’t get as much in the way of calls about successful fraudulent attempts, I do know that it still goes on.
Evan: Number 14, content fraud is everywhere these days. By some estimates, we’ll be seeing more fake content than real content online by the year 2022. Oggie Nicolic, an engineer at Google with a background in risk management, says ad fraud is particularly rampant.
Oggie: The users can be fictitious in that, sort of, you know be it ad spam and bots that generate ad clicks, as well as from the other side the advertisements themselves might be misleading or inappropriate.
Evan: Number 15. Okay, so I know I mentioned Brett Johnson before but, like I said, we’ve learned a lot from him on the podcast and, by the way, stay tuned to hear even more from him in the future. But here listen as he teaches us about a type of fraud that’s become more relevant since Equifax.
Brett: Here’s what synthetic fraud is. So basically you’re taking and creating your own social security number or you’re using a child’s social security number or an inmate’s social security number. The idea is that you’re using a number that has never applied for credit before and here’s the way this works. So as a person, you have three credit bureaus. You have Equifax, Experian, and TransUnion. They don’t know you exist until you apply for credit. All right, so what happens is now criminals are taking advantage of that and thankfully, for them, the United States government even helped that out.
Evan: Number 16, with the advent of cryptocurrency people are starting to wonder how these alternative coins are going to pose new fraud challenges. Researcher Patrick Presto says some things just might not change all that much.
Patrick: Transacting online for the future really still comes down to this idea of trust. Trust is fundamentally at the core of everything. So when I look at fiat currencies, you basically trust your government and that it will be stable. When you think about internet companies, so like at Square, if I’m a merchant am I gonna trust Square’s gonna be up and running? Or with Sift Science, am I gonna trust Sift Science is gonna, like, catch fraud like they say? So it’s not so much how do we rethink this but how do we continually think about trust with how we do anything online.
Evan: Number 17. Almost there. Let’s bring back Sift CTO Fred Sadaghiani, who shares some valuable insights he picked up at large businesses like Amazon and small startups.
Fred: So very early on, I kind of learned this lesson that it’s kind of naive and premature to assume that you understand what the true pain or what the true need of the customer and end user is, and you really have to iterate. And you have to set yourself up from a systems and engineering perspective to allow yourself to iterate, test, and evaluate what you’re doing.
Evan: Numbers 18 and 19. Now let’s bring back two more guests from Sift: Kevin Lee and Michelle Arguelles, who have a little something to teach us about how challenging and, well, bizarre the life of a fraud fighter can be.
Kevin: I once shut down someone who claimed to be the personal shopper of Kevin Durant and he was not legitimate.
Michelle: For me, one of my biggest headaches was actually a guy who sold chocolate covered Twinkies. They’re also known as Chocodiles. He was a huge pain in the butt, especially because at one point in time a few years ago now, Hostess, I think, is the correct company, announced they were no longer going to make Chocodiles. So he just got a huge influx of sales of Chocodiles and that was a mess to deal with.
Evan: Number 20, this is something that I learned in hosting this podcast – that there are far more strange and enlightening stories in the world of fraud than I even knew was possible. Thanks for joining me on Trust and Safety in Numbers. Until next time, stay vigilant, fraud fighters.