Who Performs Anti-fraud Continuous Learning?

George W. Bush is an anti-fraud expert.

“There’s an old saying in Tennessee—I know it’s in Texas, probably in Tennessee—that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

President George W. Bush.

Because when a cyberattack is successful, it often leaves a trail. You can analyze this trail after the fact, as IBM notes.

“AI-powered machine learning models trained on historical data may use pattern recognition to automatically catch and block possible fraudulent transactions from being executed….

“AI systems used in banking fraud prevention are highly tuned for specific tasks. AI models are trained using large amounts of carefully curated data through a process called supervised learning. This method teaches the model to recognize specific patterns for specific tasks.

“In contrast, unsupervised learning allows AI systems to draw conclusions from previous data without directed training materials.”

This continuous improvement of fraud detection models benefits us all.

Google Gemini. Altered picture.
Won’t (Not Can’t) Get Fooled Again.

“KYB Fraud Failure” Failure?

I haven’t run into a lot of ViVi Contras Belleville Brown 429 scammers lately. Though you have.

I don’t think I’ve used my “KYB Fraud Failure” response in over a week.

Have the scammers finally figured out that an anti-fraud specialist isn’t the best target for their scams?

Or have I just been lucky?

Bid Evaluation Criteria Disregarded

If you’ve ever responded to a Request for Proposal for a technical product, you know that the RFP often has mandatory criteria. If you don’t meet all of the mandatory requirements, you’re not going to win.

Unless you do.

I am not going to name the vendor who submitted this proposal for two reasons:

  • The alleged corruption in this bid may not have affected the vendor in question, but the vendor’s in-country agents. And yes, I know you have to select your agents carefully, but sometimes it’s impossible for vendors to know what the agents are doing.
  • As the article indicates, the vendor in question was not the only one to receive corruption allegations. And that’s all I’ll say about that.

Back to the bid, which was for an identity system in Nepal. At least two foreign companies bid on the system. The article describes the bid from one of those companies.

The technical sub-committee found that [THE VENDOR’S] bid for both packages failed to meet the required technical criteria. Specifically, in Package 1, [THE VENDOR] did not satisfy any of the 238 required technical specifications. In Package 2, the company fell short of 50 of 297 listed technical requirements.

Normally, if you meet exactly 0 out of 238 mandatory requirements, you don’t get an award.

Despite these findings, the evaluation committee overrode the technical sub-committee’s recommendations and allowed [THE VENDOR] to advance to the financial round. This directly contradicts Nepal’s Public Procurement Act, which mandates that only technically compliant bids may proceed. One member of the technical sub-committee withdrew his signature from the final evaluation report two weeks after it was submitted, indicating internal dissent within the department’s own review process.

The non-compliant vendor actually won the award…but there were a lot of questions. And action was subsequently taken.

The department’s latest procurement, a five-year contract worth approximately Rs 7.66 billion awarded to two…firms, triggered a prolonged legal and regulatory battle before culminating in the arrest of the department’s own director general on June 15, 2026.

Yes, arrest.

Specifically, of the Director General of the Department of Passports, Tirtha Raj Aryal, who also chaired the five-member evaluation committee that waived the technical non-compliance.

For the entire messy story, see here.

And remember that when a proposal evaluation process is thoroughly documented, shady evaluation decisions will be found out.

Underwriting the Ghost: Synthetic Borrowers Disappear Without Paying

When a lender receives a loan application, it endeavors to ensure that the applicant will pay the lender back.

But even with the proper controls, a certain percentage of loans go unpaid.

Especially if the applicant looks really good on paper, but isn’t…and doesn’t even exist because it’s a synthetic identity.

PYMNTS describes the threat from deepfake borrowers:

“Across the lending industry, a new category of fraud is emerging that combines deepfake video, cloned voices, synthetic identity creation, fabricated employment histories and AI-generated financial behavior into a single engineered persona. These synthetic borrowers are not merely fake identities in the traditional sense. They are algorithmically optimized consumers designed to survive onboarding checks, satisfy underwriting models and disappear once loans are funded.”

Disappearing borrowers is not a good thing.

Know your customer.

“Underwriting the Ghost.” Synthetic man gets the loan, then he disappears. Google Gemini/Lyria. Public Domain.

Despite the Friction, I Read This Message Anyway. And Wished I Hadn’t.

I simplified my social life a few months ago by no longer posting on Instagram. I don’t even have Instagram on my phone any more.

But Instagram Meta-relative Facebook is “nice” enough to inform me when I receive Instagram messages, as well as unsolicited Instagram message requests. Which I obviously can’t read on my phone (in part because I also removed Meta for Business).

Joining the “brand ambassador” inner circle

So one day when I happened to be on my laptop, I brought up my Instagram account. I wanted to see the latest message request, reportedly from “Navin Nandra”…even though I already knew it was in a language using the Cyrillic alphabet. And probably wouldn’t bring Bredemarket a ton of business.

So here’s what I had to do:

  • Go from my phone to my laptop.
  • Log in to Instagram.
  • Find my message requests.
  • Translate the message request that I received.

After translating, I was right in guessing that this was a waste of time. Here is how the message began:

“Good day! This is the brand manager for the clothing brand PRIME Wear

“I’m messaging you from a tech/alternative account—we use these to avoid getting blocked by Instagram Direct limits.

“We absolutely love your style and the content on your blog!

“We would love to invite you to join our inner circle of PRIME brand ambassadors.”

Um, no. These “we love your style” messages are always amusing to me. Especially when account number one tells you to contact account number two. Because reasons.


Yeah, “ambassador.” My last name isn’t Jenner, and my look isn’t Jenner either.


The underlying scams

So I asked Google Gemini about the scam behind these amazing offers, because I suspected a scam. To please me, Google Gemini said that there are scams related to this. I could have fact-checked this on a live web page, but I had already wasted too much time on this.

Here’s one of Gemini’s reported scams:

You are told you have been “hand-picked” to represent the brand. They offer to send you jewelry, sunglasses, or clothing for “free” so you can take photos with it.

  • The Catch: They give you a discount code that brings the item’s cost to $0, but you have to pay $10 to $15 for shipping.
  • The Reality: The brand is usually a front for a dropshipping operation. They buy the items from bulk wholesale sites for less than $1. Your “shipping fee” actually covers the cost of the item and gives the scammer a profit.
  • The Outcome: You paid full retail price (or more) for a low-quality, cheap item, while giving them free advertising.

Bad enough, but it could get a lot worse.

Some requests are much more malicious. A “talent scout” or “brand manager” will message you offering high-paying sponsorships ($500+ per post), even if you only have a few hundred followers.

  • The Catch: To “set up the partnership” or “verify your account,” they send you a link to a portal or ask for your 2FA (Two-Factor Authentication) code.
  • The Reality: The link leads to a fake Instagram login page designed to harvest your password. If you give them a 2FA code, they will immediately change the email associated with your account, lock you out, and hold your account hostage or use it to scam your friends.

So “Navin Nandra” is now blocked. And I can avoid Instagram again for a while.

“Accept Without Posting” Issue Resolved…Even Though I Appeared To Be Very Evil

Here’s the resolution to the “Accept Without Posting” issue that I discussed on Saturday.

You’ll recall that I initiated a Zelle transfer to my account at “the blue bank,” but the blue bank “placed this transfer on hold so they can conduct further review.”

With no word on what the blue bank was reviewing. And the “blue bank” representative whom I spoke with on Saturday didn’t know either.

  • I had already ruled out the simple explanations, such as either the sending Zelle account or the receiving Zelle account didn’t exist.
  • I figured that perhaps my use of Zelle was the issue. The day before I sent the “on hold” transaction, I had sent another transaction. I figured that two transactions in two days tripped up some odd alert of possible account draining.

Neither of these turned out to be the issue.

On Monday (just after I had rated the “blue bank” 5 out of 10 for its handling of the issue; coincidence, or no?) I received a call from someone at my local “blue bank” branch.

Turns out that the issue was the COMMENT that I attached to the Zelle transfer.

My comment referenced another individual. Without revealing this person’s personally identifiable information (PII), I will state that his first name begins with a K, his last name begins with a P, and he is a “Junior.” So because acronyms are wonderful, I referred to this person as “KP2” in the Zelle transfer field.

Which was an extremely evil thing to do, because that tripped up an anti-money laundering check.

“AML.” Google Lyria. Public Domain.

Basically, anti-money laundering checks verify that a person isn’t transferring money for a sanctioned person.

And I didn’t trip up just ANY anti-money laundering check.

This one was bad.

AML catches evil people.

Really bad.

AML catches evil people.

How bad?

  • Let’s look at ISO 3166 country codes. The alpha-2 (two-letter) country code for the Democratic People’s Republic of Korea (North Korea) is…KP. KP-02 is the specific administrative code for South Pyongan Province (Pyeonganbuk-do).
  • And the Korean People’s Army includes a II Corps that is sometimes abbreviated as…KPA II Corps or KPA 2nd Corps.

Back to the call I received from my local “blue bank” branch. The representative didn’t go into all that, but just said that my comment about “KP2” looked like a reference to North Korea.

I burst out laughing.

I gave the “blue bank” representative the full name of K[REDACTED] P[REDACTED] Junior, explained that there were five “KP”s, and that I used numbers to tell them apart.

Ironically, both “KP2” and “KP4” are veterans. I wonder if they realize their initials associate them with this guy.

Kim Jong Un. By Mil.ru, CC BY 4.0, https://commons.wikimedia.org/w/index.php?curid=177498377.

Anyway, my answer satisfied the banker, the hold was removed from the Zelle transfer, and I received the money within minutes.

And I know to be careful when using acronyms beginning with the letter “K” in financial transactions.
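To show why a three-character memo can trip a screen, here is an added example (not the blue bank's or Zelle's actual logic, which the post does not describe) comparing a substring match with a token-level match on the memo field. The watched-code list, function names and sample memos are assumptions made for illustration.

```python
import re

# Assumption: one watched jurisdiction code, the ISO 3166 "KP" cited in the post.
WATCHED_COUNTRY_CODES = {"KP"}

# A token is a run of letters/digits, optionally joined by hyphens (e.g. KP-02).
TOKEN = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")
# Code-shaped token: two letters, optional hyphen, optional 1-2 digit subdivision.
CODE_SHAPE = re.compile(r"^([A-Z]{2})-?(\d{1,2})?$")


def naive_hits(memo):
    """Substring match: cheap but noisy, fires inside ordinary words."""
    upper = memo.upper()
    return sorted(code for code in WATCHED_COUNTRY_CODES if code in upper)


def token_hits(memo):
    """Token match: fires only on standalone tokens shaped like a country
    code with an optional subdivision number, normalized to CC or CC-NN."""
    hits = []
    for tok in TOKEN.findall(memo.upper()):
        m = CODE_SHAPE.match(tok)
        if m and m.group(1) in WATCHED_COUNTRY_CODES:
            sub = m.group(2)
            hits.append(f"{m.group(1)}-{int(sub):02d}" if sub else m.group(1))
    return hits


def disposition(memo):
    """Map the screen result onto the responses quoted in the post:
    a hit is held for human review rather than rejected outright."""
    return "accept without posting" if token_hits(memo) else "accept"


if __name__ == "__main__":
    # Constructed sample memos.
    for memo in ["KP2", "new backpack", "rent for June"]:
        print(memo, "|", naive_hits(memo), "|", token_hits(memo), "|", disposition(memo))
```

Token matching removes the “backpack” false positive but still holds “KP2,” which is why the hold was cleared only after a human reviewer heard the explanation.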

Accept Without Posting (I may be a fraudster, June 2026 edition)

Remember in March 2022 when I searched my (then) Twitter profile picture against TinEye and found 0 matches, indicating that I may be a fraudster because TinEye didn’t have a history on me?

Taken 2019, in case you’re curious.

Well, I found additional evidence of my supposed shady nature.

For purposes of this discussion, I will refer to the two banks in question as the “red” bank and the “blue” bank. (No political implications here.) I’ve previously referred to the blue bank as Wildebeest Bank, but today I’m sticking to the color scheme idea.

Both banks use Zelle to support instant transactions between member institutions, and I have Zelle-enabled accounts with both banks. For the record:

  • I frequently perform immediate Zelle transfers from the blue bank to the red bank.
  • On Wednesday, I successfully performed an immediate Zelle transfer from the red bank to the blue bank.

So on Thursday, I thought nothing of sending a second Zelle transfer from the red bank to the blue bank.

Until the red bank emailed me.

“The recipient bank [the blue bank] has placed this transfer on hold so they can conduct further review. Upon completion of the review, they will either complete your transfer or [the red bank] will contact you with more details. No further action is required from you at this time.”

Now why would a bank conduct further review? Three possible reasons.

  • The recipient isn’t enrolled in Zelle. Not a problem here.
  • The recipient bank is conducting a technical check. This shouldn’t be a problem here, since both Zelle accounts have been successfully used before.
  • The recipient bank is conducting a fraud check. This, perhaps an anti-money laundering investigation, seems the most likely scenario, especially since this was launched one day after another transfer. Even though the second transfer is SMALLER than the first transfer, perhaps the one-day timeframe looks like someone is trying to drain the red bank account.

So this happened Thursday, and as of Saturday (two calendar days and one business day later) I hadn’t heard a thing.

So I called the blue bank, reached a helpful representative, and waited for her to research the issue. I heard her mutter over the phone:

“Accept without posting”

Then, a minute later:

“What does THAT mean?”

While I waited for her to officially talk to me again, I performed some online research and confirmed that “accept without posting” is another way of saying that the transaction is under review. Here’s what the Cleveland Federal Reserve says about FedNow, one bank transfer method:

“[T]he FedNow Service sends the payment information to the receiver’s financial institution and asks that bank to confirm that it intends to accept the payment message. It can accept, or reject, or accept without posting, which means some of the pre-checks of the transaction are pending or delayed.”

Then when the blue bank representative did speak to me, things got even more confusing as she said that there were notes from Monday involving “the green bank” that wasn’t even involved in the transaction. Wisconsin Travel Federation?

The representative didn’t have access to the group that put my Zelle transfer on hold, so for now I wait.

Technically it’s only been one business day.

The Bangladesh Identities Weren’t Synthetic Identities, But They Failed The “Somewhat You Why” Test

Andrew Austin at Sardine has written an eye-catching blog post that discusses a fraud ring exhibiting unusual patterns.

  • Some fraudsters use synthetic identities to fool systems, but good systems can catch the synths.
  • But other fraudsters use mules and other techniques that pass identity verification checks, because the people are REAL people.

Austin’s post discusses an example of the latter.

Sign-up patterns in Bangladesh

In this particular case (Example 3 of 3), a gig economy company had discovered a fraud ring operating out of Bangladesh, but the identities were those of real people. The investigator noticed something right off the bat:

“When we looked into it, something was off: all of the locations seemed to be clustered in a few small towns.”

But wait…it gets better.

“The fraudsters were going door-to-door and signing up anyone who was willing to share their information….

“Dozens of routes snaked through neighborhoods where new accounts were being created, each of them running from North to South and then back to their starting point on the next street over.”

It turns out that the fraudsters were going down each street, paying people to borrow their identities, and then moving on to the next street.


How identity factors (in the plural) identified the fraud

In Bredemarket’s view, this raised alarms surrounding two factors of identity verification and authentication.

  • The first was geolocation. Once the identities were plotted, it seems strange that all of the identities lined up down each street and on to the next street.
  • The second is what I call somewhat you why. It’s reasonable to believe that if person A signs up for a service, their neighbors may sign up also. But it’s NOT reasonable to believe that people would sign up for the service in address order, moving from street to street. “No, Jim, 158 1st street can’t sign up for the service! 156 1st street hasn’t signed up yet!”

Now even if you don’t believe that “somewhat you why” is a real factor (Sardine prefers to talk about “device and behavior intelligence”), it’s clear that fraudsters were using the identities of real people to engage in a massive fraud scheme.

Look at the patterns, and you can discover fraud from the unusual ones.
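One way to turn the address-order observation into a check, as an added example (not Sardine's or Bredemarket's code): for each street, measure how closely the order of sign-ups tracks the house numbers, and flag streets where the match is near-perfect within a short window. The sample sign-ups, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-ups (timestamp, street, house number); not real data.
SIGNUPS = [
    ("2026-05-01T09:00", "1st Street", 150), ("2026-05-01T09:12", "1st Street", 152),
    ("2026-05-01T09:25", "1st Street", 154), ("2026-05-01T09:40", "1st Street", 156),
    ("2026-05-01T09:52", "1st Street", 158), ("2026-05-01T10:05", "1st Street", 160),
    # Next street over, walked back in the opposite direction.
    ("2026-05-01T10:20", "2nd Street", 161), ("2026-05-01T10:33", "2nd Street", 159),
    ("2026-05-01T10:47", "2nd Street", 157), ("2026-05-01T11:01", "2nd Street", 155),
    ("2026-05-01T11:15", "2nd Street", 153),
    # Organic adoption: scattered addresses over several weeks.
    ("2026-04-02T18:30", "Oak Avenue", 12), ("2026-04-09T08:15", "Oak Avenue", 88),
    ("2026-04-15T21:05", "Oak Avenue", 40), ("2026-04-20T12:40", "Oak Avenue", 5),
    ("2026-04-28T07:55", "Oak Avenue", 61), ("2026-05-03T16:20", "Oak Avenue", 27),
]


def kendall_tau(xs, ys):
    """Kendall rank correlation: +1 same order, -1 reversed, near 0 unrelated."""
    n = len(xs)
    concordant = discordant = 0
    for i in range(n):
        for j in range(i + 1, n):
            s = (xs[i] - xs[j]) * (ys[i] - ys[j])
            if s > 0:
                concordant += 1
            elif s < 0:
                discordant += 1
    pairs = n * (n - 1) // 2
    return (concordant - discordant) / pairs if pairs else 0.0


def canvassed_streets(signups, min_signups=5, min_abs_tau=0.9, max_span_hours=8):
    """Return {street: tau} for streets whose sign-ups follow house-number
    order (either direction) within a short time window."""
    by_street = defaultdict(list)
    for ts, street, house in signups:
        by_street[street].append((datetime.fromisoformat(ts), house))
    flagged = {}
    for street, rows in by_street.items():
        if len(rows) < min_signups:
            continue  # too few points for the ordering to mean anything
        rows.sort()  # chronological order
        span_hours = (rows[-1][0] - rows[0][0]).total_seconds() / 3600
        houses = [house for _, house in rows]
        tau = kendall_tau(list(range(len(rows))), houses)
        if abs(tau) >= min_abs_tau and span_hours <= max_span_hours:
            flagged[street] = round(tau, 2)
    return flagged


if __name__ == "__main__":
    print(canvassed_streets(SIGNUPS))
```

Opposite signs on adjacent streets (+1 then -1) correspond to the snaking routes in the quoted description, while the organic street scores close to zero and spans weeks.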

And now a word from our sponsor

And if you’re wondering why I discuss SIX factors of identity verification and authentication (rather than five or three), check out my ebook “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket.

The Continuing Adventures of Will and Chad

Technically Chad Smith engaged in identity fraud on Saturday Night Live when he started giving Will Ferrell’s monologue.

But no harm was done.

And while the face modality fooled many of us, the voice modality gave Chad away. Score one for multimodal authentication.