Think Like A Fraudster; Protect Like A Pro

1 hour ago 2

Yair Tal has over 20 years of leadership experience in payments, fintech and localization services and is the CEO of AU10TIX.

getty

​When it comes to fraud, there are many fraudster personas. Each has its own agendas, goals and methods of operation. Some are opportunists, looking for a quick buck. Others are surgical, investing in a big reward. Sometimes they’re loners, and other times, they’re one link in a fraud chain.

Despite their differences, they have some things in common. They all use the most advanced technology, and they all learn fast in order to beat fraud protection and reach their various goals.

Fraud protection and authentication teams are challenged to think like fraudsters, stay ahead of them and be consistently proactive and lightning quick when they need to be reactive.

I was fortunate to be invited to speak at Money 20/20. In my presentation, I shared some fraudsters' typecasts. I focused on three personas, who are all fictional, but unfortunately, based on reality.

My point was simple: You can’t defend against something you don’t understand, and you can’t understand fraud if you only ever look at it from your side of the table.

So let me introduce you to the fictional fraudsters: Victor, Sammy and Adam.

Victor is a businessman.

He has never personally submitted a fraudulent document in his life. He doesn’t need to. He builds tools. He sells access. He provides some support, and his customers do the rest.

Victor runs fraud-as-a-service. His starter package costs less than your monthly coffee budget. His strategy is volume. He floods platforms with synthetic identities, accepts a high failure rate and relies on the math: One success covers the cost of every attempt around it. His best customers aren’t hackers. They are opportunists with a Telegram account.

What stopped Victor wasn’t a smarter document check. It was a system that stopped treating each submission as an isolated event. Serial fraud monitoring connected the repeated faces, devices and behavioral signatures across sessions and organizations. Victor's customers churned. He moved on.

The lesson: Volume-based fraud isn’t a document problem. It’s a pattern problem.

Sammy is an engineer.

Most fraudsters fake documents. Sammy faked the moment of capture. She injected manipulated images directly into the verification flow, bypassed the live camera entirely and wrapped each image in spoofed device metadata to make it look like a legitimate iPhone 14 Pro Max capture.

She got the device right. She got the lens wrong.

A real iPhone 14 Pro Max captures at 24mm. Sammy’s image showed 66mm. And the resolution was a perfect square: 3024 by 3024. No legitimate verification capture produces a perfect square. These two details are individually easy to overlook, but together, they're impossible to explain innocently.

Sammy wasn’t caught by a system that checks documents. She was caught by a system that checks physics.

The lesson: Precise, targeted attacks require layered defenses. Document authenticity checks are necessary, but they aren’t enough.

Adam is a ringleader.

He doesn’t have a plan. He has a process: probe, analyze the response, adjust, scale what works and leave before the door closes.

Day one started with a question. Day two was a follow-up question. By day six, Adam had his answer: a specific document configuration that the platform's verification flow was not catching: a 75% pass rate. This is reliable, repeatable and scalable.

On day seven, he scaled with hundreds of attempts in hours. He knew the window would close. That is why he moved fast. That’s when the alert fired.

No single submission was wrong. Each one looked like the others. What gave Adam away was the shape of the campaign itself: a long flat line of low-volume probing, then a sudden vertical spike the moment he found what worked. The escalation was the signature. The breakthrough that made the attack viable was the same moment it became visible.

The lesson: Adaptive fraud leaves an escalation signature. The breakthrough moment that makes an attack viable is the same moment it becomes detectable.​

​What can you do?

None of these fraudsters is slowing down. The infrastructure they operate on—off-the-shelf AI tools, Telegram marketplaces, spoofed device metadata—is cheaper and more accessible than ever. The barrier to entry for fraud is lower than it has ever been. The sophistication ceiling is higher.

The meaning of this isn’t complicated. The execution is. Defense must be faster, smarter and stronger than all three attack profiles combined. This means layered detection across documents, physics, behavior and session history. It means connecting patterns across organizations, not just within them. It also means raising the cost of fraud at onboarding so the economics stop making sense for operators like Victor before they ever get started.

The fraudsters I described aren’t hypothetical future threats. These types of people are operating now, at scale, against organizations that ​are doing their best with tools designed for a simpler problem.

The good news is that when you understand how they think, you don’t just defend better. You can win, beating them at their own game.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Read Entire Article