Tag Archives: fraud

Francesco Fabbrocino’s Five Rules of Fraud Prevention…and Bredemarket’s Caveat to Rule 2

Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)

The five rules

In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:

1. Nearly all fraud is based on impersonation.

2. Never expose your fraud prevention techniques.

3. Preventing fraud usually increases friction.

4. Fraud prevention is a business strategy.

5. Whatever you do, fraudsters will adapt to it.

All good points. But I want to dig into rule 2, which is valid…to a point.

Rule 2

If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.

In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.

But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.

Biometric time cards

One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.

Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.

The four-letter word

Unless you’re an employer in Illinois, or a biometric time clock vendor to employers in Illinois.

Illinois state flag. Public domain.

And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.

Because that’s a violation of BIPA, Illinois’ Biometric Information Privacy Act. And you can be liable for damages for violating it.

In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention techniques.

But if there’s no law to the contrary, obfuscate at will.

Communicating your anti-fraud solution

Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.

That’s where Bredemarket can help.

As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.

And I can help your firm also.

Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.

Stop losing prospects! Use Bredemarket content for tech marketers

More information:

Bredemarket: Services, Process, and Pricing.

The Latest Know Your Employer Case

I was messaged on LinkedIn by Jenniffer Martinez, purportedly from HS Hyosung USA. She wanted my email address to send information about a job opportunity.

Why? 

“After reviewing your resume and relevant experience, we believe your management experience, professional background, and career stability are a strong match for Yaskawa Group’s current talent needs.”

(Only now did I notice the reference to Yaskawa Group, whatever it is.)

Eventually I told “Jenniffer” that I had contacted her employer directly.

By 11:30 she had deleted her entire conversation, which is why I took screen shots immediately.

And I never even got around to asking her for HER corporate email address.

No word from HS Hyosung USA, but it knows all about Jenniffer now (see final screen shot).

Know Your Employer.

Jenniffer, 1 of 3.
Jenniffer, 2 of 3.
Jenniffer, 3 of 3.
Jenniffer’s purported company.

Ontario Travel Blog Ripped Off One Post Too Many

This is too funny.

Apparently Ontario Travel Blog is ripping off Bredemarket’s posts, including my December 8 post “‘Tis the Season to Be Scammy.

Ontario Travel Blog’s version tries to cover its tracks by changing key words in its verison of the post, leading to hilarious results.

“However earlier than you reply to that mysterious “secret Santa” and ship that reward (or these reward playing cards) TODAY to obtain a highly-valued reward in return…know your corporation.”

Reward playing cards?

Know your corporation?

Wisconsin Travel Federation?

Well, at least it has a privacy policy.

“Welcome to [Your Blog Name]! Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your information when you visit our website.”

Clowns.

Step Into Christmas: Deepfake?

Deepfakes are not a 21st century invention. Take this video of “Step Into Christmas.”

But here are the musician credits.

Elton: Piano and vocals

Davey Johnstone: Guitars and backing vocals

Dee Murray: Bass guitar and backing vocals

Nigel Olsson: Drums and backing vocals

Ray Cooper: Percussion

Kiki Dee: Backing vocals (uncredited)

Jo Partridge: Backing vocals (uncredited)

Roger Pope: Tambourine (uncredited)

David Hentschel: ARP 2500 synthesizer (uncredited)

The video doesn’t match this list. According to the video, Elton played more than the guitar, and Bernie Taupin performed on the track.

So while we didn’t use the term “deepfake” in 1973, this promotional video meets at least some of the criteria of a deepfake.

And before you protest that everybody knew that Elton John didn’t play guitar…undoubtedly some people saw this video and believed that Elton was a guitarist. After all, they saw it with their own eyes.

Sounds like fraud to me!

Remember this when you watch things.

Detecting Deceptively Authoritative Deepfakes

I referenced this on one of my LinkedIn showcase pages earlier this week, but I need to say more on it.

We all agree that deepfakes can (sometimes) result in bad things, but some deepfakes present particular dangers that may not be detected. Let’s look at how deepfakes can harm the healthcare and legal professions.

Arielle Waldman of Dark Reading pointed out these dangers in her post “Sora 2 Makes Videos So Believable, Reality Checks Are Required.”

But I don’t want to talk about the general issues with believable AI (whether it’s Sora 2, Nano Banana Pro, or something else). I want to hone in on this:

“Sora 2 security risks will affect an array of industries, primarily the legal and healthcare sectors. AI generated evidence continues to pose challenges for lawyers and judges because it’s difficult to distinguish between reality and illusion. And deepfakes could affect healthcare, where many benefits are doled out virtually, including appointments and consultations.”

Actually these are two separate issues, and I’ll deal with them both.

Health Deepfakes

It’s bad enough that people can access your health records just by knowing your name and birthdate. But what happens when your medical practitioner sends you a telehealth appointment link…except your medical practitioner didn’t send it?

Grok.

So here you are, sharing your protected health information with…who exactly?

And once you realize you’ve been duped, you turn to a lawyer.

This one is not a deepfake. From YouTube.

Or you think you turn to a lawyer.

Legal Deepfakes

First off, is that lawyer truly a lawyer? And are you speaking to the lawyer to whom you think you’re speaking?

Not Johnnie Cochran.

And even if you are, when the lawyer gathers information for the case, who knows if it’s real. And I’m not talking about the lawyers who cited hallucinated legal decisions. I’m talking about the lawyers whose eDiscovery platforms gather faked evidence.

Liquor store owner.

The detection of deepfakes is currently concentrated in particular industries, such as financial services. But many more industries require this detection.

Are You a Marketer Who is Contributing to Identity Theft?

I still receive “snail mail” at home. And every time I look at it I get enraged.

In fact, I’m this close to opening most of the pieces of mail, removing the postage-free reply envelope, and returning it to the originator with the following message:

Thank you for contributing to rampant identity theft.

How do companies, possibly including YOUR company, contribute to identity theft? Read on.

Snail mail, a treasure trove of PII

Let me provide an example, heavily redacted, of something that I received in the (snail) mail this week. I won’t reveal the name of the company that sent this to me, other than to say that it is an automobile association that does business in America.

John Bredehoft

[HOME ADDRESS REDACTED]

John Bredehoft…

You and your spouse/partner are each eligible to apply for up to $300,000.00 of Term Life Insurance reserved for members – and with Lower Group Rates ROLLED BACK to 2018!

… SCAN THIS [QR CODE REDACTED] Takes you right to your personalized application

OR GO TO [URL REDACTED] and use this Invitation Code: [CODE REDACTED]

So that’s the first page. The second page includes a Group Term Life Insurance Application with much of the same information.

And there’s the aforementioned return envelope…with my name and address helpfully preprinted on the envelope.

What could go wrong?

Google Gemini.

Dumpster divers

Now obviously the sender hopes that I fill out the form and return it. But there is a very good chance that I will NOT respond to this request, in which case I have to do something with all these papers with personally identifiable information (PII).

Obviously I should shred it.

But what if I don’t?

And some dumpster diver rifles through my trash?

  • Perhaps the dumpster diver will just capture my name, address, and other PII and be done with it.
  • Or perhaps the dumpster diver will apply for term life insurance in my name and do who knows what.

Thanks, sender, you just exposed me to identity theft.

But there’s another possible point at which my identity can be stolen.

Mailbox diverters

What if this piece of snail mail never makes it to me?

  • Maybe someone breaks into my mailbox, steals the mail, and then steals my identity.
  • Or maybe someone breaks into a mail truck, or anywhere on the path from the sender to the recipient.

Again, I’ve been exposed to identity theft.

All because several pieces of paper are floating around with my PII on it.

Multiply that by every piece of mail sent to every person, and the PII exposure problem is enormous.

Email marketers, you’re not off the hook

Now I’m sure some of you are in a self-congratulatory mood right now.

John, don’t tarnish us with the same brush as junk mailers. We are ecologically responsible and don’t send snail mails any more. We use email, eliminating the chance of pieces of PII-laden paper floating around.

Perhaps I should break the news to you.

  • Emails are often laden with the same PII that you find in traditional snail mail, via printed text or “easy to use” web links.
  • Emails can be stolen also.
Google Gemini.

So you’re just as bad as the snail mailers.

What to do?

If you’re a marketer sending PII to your prospects and customers…

Stop it.

Don’t distribute PII all over the place.

Assume that any PII you distribute WILL be stolen.

Because it probably will.

And if you didn’t know this, it won’t make your prospects and customers happy.

When Fraud Is Too Obvious, the TSA Edition

On Tuesday I will write about a way to combat document signature fraud, but today I will focus on extremely obvious fraudulent activity.

You probably haven’t tried to alter your appearance before going through an airport security checkpoint, but it’s hard to pull off.

Um…no.

The most obvious preventive measure is that airport security uses multi factor authentication. Even if the woman in the video encountered a dumb Transportation Security Administration (TSA) expert who thought she truly was Richard Nixon, the driver’s license “Nixon” presented would fail a security check.

But not all fraud is this easy to detect. Not for job applicants, not for travelers.

If Only Job Applicant Deepfake Detection Were This Easy

In reality, job applicant deepfake detection is (so far) unable to determine who the fraudster really is, but it can determine who the fraudster is NOT.

Something to remember when hiring people for sensitive positions. You don’t want to unknowingly hire a North Korean spy.