What if we fought back? What if the fraud industry adopted methods and mechanisms to actively disrupt fraud as well as defending against these threats?
Disruption is an area which I believe has largely been untouched in the anti-fraud and financial crime world as the main focus has tended to be on prevention, outside of recent messages trying to discourage individuals from becoming a mule. Apart from a message regarding how data will be shared and used as part of an application – are enough resources used to discourage fraudsters from attacking an organisation?
It is noted that there are efforts to investigate and prosecute fraudsters with successes commonly published in the press, for example the Dedicated Card and Payment Crime Unit (DCPCU) and Insurance Fraud Bureau. But, there is only so much expensive resource that can be deployed for an investigation. With increases in fraud across various areas, removal of geographic boundaries and increased sophistication, are resources able to scale to disrupt effectively?
What if we were up front and not covert about what measures are in place to prevent and detect fraud? Would this reduce the risk and increase perception of being caught or would it simply provide the fraudsters with more information regarding customer journeys and potential weak points? Some of these could and probably work without our thinking about it as a disruptive mechanism. If an organisation were to implement a fingerprint capture within branch for all customers and applicants who were perceived to be risky, would that discourage criminals or simply be seen as an organisation over-reaching their data collection? Disruption in crime is obviously nothing new and active policing such as stop and search are parts of such a strategy – although the human element has introduced potential unconscious bias here.
In information security, there do appear to be some interest in “hacking the hackers” and disrupting their organisations – going on the offensive. This is an incredibly grey area and potentially falls foul of the law (and reputationally) but let’s imagine this was a valid disruption tactic. An organisation starts being hit for fraud, suffers losses and starts to recognise patterns in data, IP addresses, devices and email addresses which are unique to that fraud.
Imagine an extreme scenario where for any applications linked to the organised crime ring, that instead of the usual email they receive with a link to sign documents, they instead are sent a link to a piece of software. This encrypts the fraudsters computer and their wider network and shuts down the technology being used to commit fraud. What would the impact of such an exercise be? Would this result in the shutting down of a criminal organisation (albeit short-term), loss of their data and infection of other parties and their disruption? Or would all of their data be backed up in a cloud and easily retrievable?
By proactively defending by targeting those that seek to attack us and disrupting their criminal organisation, even if the process is installing keyloggers, retrieving data, enumerating the target and so on, rather than wholesale destruction. These approaches though highlight a number of questions:
- Is it legal and in which jurisdiction?
- What if we got it wrong and targeted an innocent party?
- What if the fraudster complained to the FCA (however unlikely)?
- Is this tipping off, disrupting investigations and perverting the justice system?
While Experian do not condone the aggressive nature of the actions illustrated above, the article provides some thought-provoking questions to the nature of fraud and disruption. Can organisations disrupt fraud more than today?
For my latest blogs on current identity and fraud market issues and challenges please click here.