The Business of Fraud: What I Learned Tracking A Credit Card Fraud Ring

I made an abrupt career change about ten years ago during the first dot-com recession, moving from a marketing role to working on credit card fraud detection projects. At the time I thought I was basically treading water – my old client was going away and I needed a job that would let me stay in Atlanta while my girlfriend and I got married. They needed an analytics guy and I needed a job.

Before I started working on the credit card fraud team, I imagined the fraudsters were unsophisticated criminals – high tech purse snatchers. What I discovered that summer surprised me.

First, the average gang wasn’t a bunch of creeps in a basement. These guys had a global supply chain! Eastern European hackers were one of the primary sources of customer data and stolen credit card numbers – much of which was acquired through various forms of social engineering, phishing, and IVR hacking. Fake plastics and bank forms, of perfect quality, could be procured from rogue managers at several Asian plastics plants. American street gangs assembled these elements into a working product, handed it off to “mules” who carried out the dangerous act of purchasing goods, and moved these goods through  fences and liquidation channels to turn the proceeds into cash.

At the 50,000 foot level credit card fraud was a business – with it’s own ecosystem, much like the business ecosystem in many other industries. Data and physical goods flowed from suppliers to end-users who ultimately collected cash for their services. It was a fast, dangerous industry – and totally focused on generating a profit…

While I suspect you aren’t about to have the FBI bang down your doors anytime soon, we can still learn a lot from their operations. Here are five lessons that a business can take from a successful credit card fraud ring:

1) Know Your Path To CA$H (Monetization Strategy): You don’t make money by taking over a credit card account. You make money when you sell the stuff you bought using those stolen credit card numbers to someone who pays you cold hard cash. We always knew where these guys were going to strike: at merchants and products where a very high fraction of the account’s credit line could be converted into cash (*cough* gift cards *cough”). They almost never bothered with merchants where the merchandise was bulky, low-value, or difficult to fence. This kind of stuff wasn’t worth the risk and cost of stealing it.

The Tip: Free Users are always nice, but find us some paying customers. While building software is unlikely to land you in jail, it’s nice to be able to pay for bourgeois luxuries like food, shelter, and health care.

2) To Make Big Money, Find A New Revenue Model (Monetization Strategy II): We’re not idiots. Want to set off a credit card fraud alert? Go buy four computers at an internet retailer using those stolen credit card numbers. Go buy $750 of gift cards from Sears. We will shut that account down before the sale clears. Thanks for playing, do not pass go, wait here for a few minutes until the police officer can give you a new bracelet. Your earnings will be very limited if you steal the same stuff that everyone else does.

However, the credit card company pays a cost when we aggressively manage risky transactions. First, my merchants start to howl when I stop customers at the register.  Second, you’re cutting off my revenue stream and forcing me to pay for a lot of manual processing. The economics here indicate that I’m going to have to approve a lot of my lower risk transactions without manual reviews.  Basically, I’m playing the odds. The cost of policing low risk transactions is greater than the expected fraud. These are often items that can’t be easily fenced, removing the incentive to steal them (see above).

This is where the really ugly schemes were born – when someone figured out how to take a “worthless product” and fence it for more than a few cents on the dollar. The “cost” and risk associated with compromising lightly protected transactions is lower (think of this as the cost of acquiring a customer). The stories about our worst losses always started with “why they heck would anyone bother to steal that?” Why indeed…

The Tip: There’s tremendous power in being able to make more per user than your competitors. Always be testing, especially when it comes to pricing and revenue model options. Got an ad supported site? Try affiliate marketing. Got a product? Find a way to add accessories, complementary items, or a service / support plan into the deal.

This is particularly relevant for businesses which expect to acquire traffic via PPC ads – if I can make $5 per click and everyone else makes $1 per click, I can bid you into the ground.

3) Knock Enough Times, Someone Will Let You In (Sales Tactics): Enough about fencing stolen goods. Why should I get 10 cents on the dollar for my stolen credit card numbers? How about this scheme:

  • Use check kiting to build up a credit balance (warning: don’t do this, it is illegal)
  • Call me up and have me to send you a check
  • Now you’re banking 100 cents on the dollar!

Again, we’re not idiots. Every credit card company probably has guidelines against actually giving you a check. My trained customer service team will refer you to our fraud team, who will shut your stolen account down. If someone doesn’t make a mistake…

Which I why I caught several fraudsters dialing for dollars – make 20 calls, wait for someone to make a mistake. When people ignored policy, the fraudster had a payday. We ultimately had to hardwire compliance checks into the system to make them stick.

The Tip (Sales): Nothing takes the place of persistence. No isn’t forever. Keep dialing. Someone will eventually open a door and you can step through to make a sale…

Bonus Tip (Operations / Compliance): Humans will make mistakes; if one of these mistakes can put you out of business, invest in automated monitoring and oversight tools.

4) It’s Hard To Deceive A Network (Partner Credentials): Identity theft was the second horseman of our fraud apocalypse. These cases were initially tough to manage: our early models were very imprecise, indicating a vague suspicion that a customer was an above average risk based on their zipcode or recent credit bureau inquiries. If you lived in Beverly Hills and recently opened a couple of credit cards, the computer freaked out and called for help! From a merchant perspective, this was unacceptable and we risked annoying a number of high potential customers.

These guys actually turned out to be pretty easy to beat, once we learned to validate the information they gave us against a network of sources. You can fake a short credit card application – but it is very, very hard to pass deeper questions. Particularly when I ask a whole bunch of them. Quickly. There’s no time to Google it…

The Tip: Don’t be afraid to “go deep” into the history, allegiances, and interests of a potential partner or investor to understand where they are coming from. Look for inconsistencies and significant omissions. Leverage your network to see if anyone else has dealt with them. The best way to catch a lie is to check it against multiple sources. Even the best fraudster will eventually make a mistake…

5) Nothing Lasts Forever (Product / Market Development Strategy): The two years I spent in this job were a never ending battle with an incredibly innovative group of criminals. There were at least three major shifts in fraud tactics over this period. A scheme would be introduced, with initial success, until they gained enough attention for us to fix the problem by stealing a lot of money. We would unleash the hounds and redesign our process to block the hole within a few weeks. Every “fraud strategy” had a definite life cycle – requiring the gang to identify new ideas…

The Tip: Never forget your pipeline of product and market development programs. Especially when things are going well – these profitable / valuable cash flows will dry up. Make sure you have something else to take it’s place…

On a related note, the value of a your niche can have a large influence on how fast your competitors arrive.  In the fraud prevention world, I’m going to move a lot faster against a $1MM per month scam than a $100K per month hole. The same concept applies to niche marketing – more people will be looking at the larger niches and will consider spending more money to build a presence. If you’ve found an unknown goldmine that’s quietly making you a river of cash, by all means keep it quiet.

Granted the source is a bit unusual, but these ideas seem pretty relevant to our world….

If you like this article, please share it!

Leave a Reply