Before I started work in the identity and fraud industry, if I ever stopped to consider the mechanisms of fraud, my presumption was of individuals or small gangs engaged in an end-to-end process. On reflection this is a comforting view: such small-scale operations would be self-limiting in the danger they posed.
I now realise that there are very good reasons why fraud often falls into the bracket of organised crime. Fraud is organised and complex. Fraud, particularly fraud fuelled by identity theft, has an ecosystem and indeed a supply chain. Information is traded up through the supply chain, enriched and acted upon. Proceeds are laundered and then ill-gotten gains trickle back through the supply chain to feed future criminal enterprise.
So from the ‘bottom’ up, what stages might you see in a fraud supply chain?
- Data Collection
Criminals use different methods to obtain data on potential victims of identity theft, and they are likely to have developed and invested in tools, such as malware, to help them do this. They may take the high-tech route of breaching an organisation to steal data, but they can also use low-tech methods such as ‘bin-diving’.
- Victim Profiling
From the basic data obtained, criminals may next assess the information they have to decide who their victims could be. They might be looking for those where they have the most information, those that are likely to be the easiest targets or those where they can see the potential for a big return on their investment.
- Data Enrichment
The data obtained in the initial activity may not be quite enough to embark on a criminal attack, so now is the time for data enrichment. This is where social engineering comes into play: vishing, where criminals pose as legitimate businesses to telephone and obtain information, and phishing, where they use the same methods but with electronic communications, are often the methods used. By building up a profile of an intended victim, sometimes over months or even years, criminals can make their attack all the more effective when it comes.
- Determining the point of attack
Having information isn’t the end of the story. Criminals also need to understand where they can use stolen identities to commit fraud. At this stage fraudsters are looking for points of weakness in an organisation and determining system vulnerabilities. They may re-visit a company’s processes time and time again to determine where the weak points are, the best methods to exploit them and how they can evade security and detection.
- A fraud attack
Only after building a plan, testing their line of attack and obtaining the data they need do the fraudsters move on to actually commit fraud. Opening accounts fraudulently, taking over existing accounts and diverting payments from their intended recipients are just some of the many types of fraud. Fraud is varied and always changing as fraudsters look for new opportunities.
- Legitimising the proceeds of fraud
With proceeds realised, the fraudsters now embark on money-laundering to turn their ill-gotten gains into currency they can spend. This money not only funds further attacks but, in wide-reaching criminal enterprises, also funds activities including drug dealing and terrorism.
Each of these stages could be carried out by a different set of criminals, with the data, expertise and tools needed to commit crime being bought and sold. There are specialist suppliers who develop technology, such as malware, as well as mass production techniques, for example call-centres engaged in vishing. It’s a true supply chain, with value and risk transferred throughout what is often a complex structure of criminal activity. By understanding this, we are better placed to combat the risk at every stage and build the appropriate defences to protect businesses, people and society as a whole.