From Lambs and Wolves: Keeping Pace With The Evolution of Fraud

From Lambs and Wolves

The classic fraudster targeted brick-and-mortar banks and was a lot like a lone wolf; he would take a high personal risk and howl in delight over his spoils. But because the fraudster could not show his face in the establishment again, the typical risk for a bank was a one-time loss. Fake identities did occasionally appear, but most of the fraud seen was soft fraud — fraudsters using their own identity and disguising the missing creditworthiness.

With the introduction of the internet and the digitalization of application processes, things got wild. Digitalization has eliminated personal risk, and the new fraudsters are methodical in their attacks and don’t stop until security gaps are closed. Furthermore, fraudsters work much better in packs, which the Internet supports. In the online world, fraud can be organized and labor can be divided so the packs can quickly suss out and then share security vulnerabilities. Just like packs of wolves, organized fraud rings are able to viciously attack businesses that have gaps in their security processes. And just like hungry animals, they come back if the business defends an attack, searching the territory in an attempt to discover if a new hole appears in the fence in conjunction with a process change or a new fraud prevention product.


The Call of the Wild: Recognizing Patterns

Victims of these aggressive, organized attacks will likely notice that the fraud appears in a wave. Fraudsters first test the processes and learn, which often results in a string of small losses. They then share the learned information about a company’s fraud parameters and weaknesses with others — either with their fraud organization or within a bigger community over the darknet. The main attack then leads to massive losses until the security gap is closed, at which point the wave subsides. In extreme cases, the attack isn’t recognized and completely destroys the business or a business line. Several financial institutions were forced to close down business lines or sell portfolios within the last few years because they didn’t recognize the first signs of an attack or they reacted too late to the initial wave. The lesson learned: In the past, it typically wasn’t a problem to overlook some small fraud cases. But today? A few small fraudulent transactions could signal the beginning of a series that has the potential to wipe out a business.


Following Tracks

Analyzing fraud to protect a business is like tracking down a predator: first you have to know what you’re searching for. Defining fraud is crucial in order to apply simple and helpful labels. A dark-field-analysis is able to manually label fraud, add new labels for each product defined and search for detection patterns like connections between labeled fraud cases and inconsistencies between connected applications. If possible, declined applications should also be part of a company’s fraud analysis, as they often show early fraud tracks.

The outcome of a fraud analysis is a new picture of the fraud universe within a company that highlights the real loss of fraud within all applications and orders. The business case for a new fraud protection system or new services like device fingerprinting solutions will typically be based on the reduction of losses. However, they may also be based on the reduction of manual work, as these solutions often optimize the false/positive rate of rules.


Best Practice: What To Look For In Fraud Prevention Solutions

Best practice fraud systems examine three different kinds of rules to determine fraudulent activity:

  • Reuse of resources like name/address/DOB, device, telephone number, account, credit card number, etc. — wherever there is a clear connection
  • Inconsistencies like the content of a shopping basket not fitting to former orders or device configuration that doesn’t fit to a standard customer
  • Fraud profiles: the transaction or application looks completely normal, but the combination of data often signifies fraud. This kind of rule includes scorecards and complex algorithms.

A training document that fraudsters were using to learn more about their illegal craft was leaked from the darknet in December 2017. Analysis of this document showed that the device is the most difficult element for an organized fraudster to change — much more difficult than changing the identity, for example. Therefore, using device identification as part of the data set and being part of a device data pool is also extremely helpful in the detection of fraud.

Other things to consider when reviewing inconsistencies and fraud profiles are experience, amount of data and analytics — as well as which rulesets are best for your specific enterprise. Classic fraud scorecards work only within some industries and attack vectors. Scorecards require constant updating because fraudsters can and will change their parameters until they are able to successfully break through. A main problem is that pure score fraud scores contain no helpful information for the investigator. They are, however, quite helpful as additional information to sort cases, especially to optimize manual interaction.


Hunting Basics: Choosing The Perfect Tool

The most effective way of detecting organized fraud is to work with a fraud detection tool that filters out conspicuous transactions in real time. The best tools combine rulesets and machine learning to deliver information about suspicious activity and patterns. They also include a fraud-case-management GUI (graphical user interface) that presents the transaction or application information in a variety of easy-to-decipher formats for deeper investigation, labeling and reaction. Typical elements include: customer information, graphs, heat maps, Google maps and the street view connected to the associated address. The use of such fraud management systems has been proven to increase fraud detection and reduce manual effort.

It’s important that when choosing a fraud management system, expertise and experience are examined. This ensures that the software incorporates the most efficient rules and algorithms to accurately identify connections. RISK IDENT products, for example, were built on the experience of the Otto Group, one of the world’s largest e-commerce websites, as well as many other large e-commerce sites, payment service providers, telecommunication companies and banks.

In short, fraudsters are predators — but they are not protected, and they are not endangered species. In order to prevent full blown fraud attacks, it’s imperative for companies to utilize device identification and other effective fraud prevention methods. Doing so can help keep the proud howling of successful wolves to a minimum.

For more information, please visit or contact us at

Ellipse 40

Noch Fragen?

Felix Steinmann – Managing Director

Scroll to Top