October 14, 2009, 10:34 AM — We are not paying enough attention to how to defend against fraud. That is: against existing fraud. When it comes to likely future fraud, we are pathetic. It is hardly an exaggeration to say that nothing is done at all.
What? How can we protect ourselves against things we do not even know about? Does that make sense? Yes, it does.
It is possible to predict the likely trends in fraud. Some trends depend, quite simply, on very evident developments. Do you see more cellphones out there? Then you should worry about mobile malware. Do you think email spam will be eradicated soon? Then you should suspect a rise in unwanted messages, distributed using SMS and voice, and by malware.
Other likely trends are simply a matter of human ingenuity among fraudsters. What new tricks and variants of old tricks will they develop? Those that are successful will become common. If you can think of new types of fraud and assess their likely success rates, you will be able to predict which ones will flourish.
It is important to predict the likely trends in fraud. If you can predict what will hurt in a few years, you have time to prepare yourself. If you represent a financial service provider, that might mean limiting your liability. If you develop technology, you may be able to build the product that everybody will soon need to protect themselves. And if you represent government, you may have time to develop laws and policies to limit the financial incentives for criminals. No matter who you are, knowing the likely future is helpful.
Now, predicting the likely future does not have to be difficult. Let me give you an example of a type of fraud that does not yet exist, but which I hope to convince you is not so unlikely.
Fraud typically depends on a combination of psychological vulnerabilities and technical or systemic weaknesses. Unrealistic optimism is an example of a psychological vulnerability. Poor spam filters are a technical vulnerability. An example of a systemic vulnerability is the fact that fraudulent checks may appear to have cleared before they eventually bounce. (This is due to what computer scientists call a "time-out", which means that if the check does not clear within a certain time, then the bank will tell you that it cleared and let you access the money … but of course ask for it back when the check eventually bounces.)
Criminals rely on combinations of psychological and technical/systemic vulnerabilities. Anti-fraud experts worry about exactly these combinations … but very few worry about potential fraud techniques that consist of new ways of putting together these building blocks! Here is one:
First part. Assume that the fraudster contacts his victim, and convinces him to invest $100 in some plausible-sounding venture. That should not be difficult … the typical losses to investment fraud are orders of magnitude greater than that. Very soon after the victim makes the investment, the fraudster sends him a forged check -- for $2500, say. (How would you like that type of return on investment?) If the victim were in the least worried that he had fallen for a scam, he would be at peace now -- or at least when the check clears! And you bet his friends would hear about this windfall!
Intermission.
Second part. The criminal contacts the victim again. "See, I was right? And this time I have a much bigger opportunity. Like the last one, I can guarantee a ten-fold profit, or more. How much do you want to invest this time?" Even a careful investor would be likely to invest those $2500 he just "made", but probably much more.
Analysis. Why would this be so powerful? Because the risks will seem very low to potential victims, due to the positive reinforcement. After all, the victim thinks that he just made $2500! And because the fraudster won't have to work hard to find people willing to part with $100, and later on, much more. And the fraudster won't have any real costs.
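One way a bank could watch for the combination described above, as an added example that is not part of the original post: it flags a payment sent to a party whose outsized check has been made available but has not reached final settlement. The event fields, the ten-fold ratio threshold and the function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Event:
    day: date
    kind: str            # "payment_out", "check_in", "check_final", "check_returned"
    counterparty: str
    amount: float = 0.0
    check_id: str = ""


def flag_reinvestment_risk(events, ratio=10.0):
    """Flag payments to a party whose outsized check has not reached final settlement.

    "Funds available" is not treated as settlement: a check stays pending
    until an explicit check_final or check_returned event arrives.
    """
    paid_out = {}   # counterparty -> total previously sent to them
    pending = {}    # check_id -> (counterparty, amount) for outsized, unsettled checks
    alerts = []
    for ev in sorted(events, key=lambda e: e.day):
        if ev.kind == "payment_out":
            for check_id, (party, _amount) in pending.items():
                if party == ev.counterparty:
                    alerts.append((ev.day, party, ev.amount, check_id))
            paid_out[ev.counterparty] = paid_out.get(ev.counterparty, 0.0) + ev.amount
        elif ev.kind == "check_in":
            prior = paid_out.get(ev.counterparty, 0.0)
            # A "return" of ratio-times the money sent is the reinforcement step.
            if prior > 0 and ev.amount >= ratio * prior:
                pending[ev.check_id] = (ev.counterparty, ev.amount)
        elif ev.kind in ("check_final", "check_returned"):
            pending.pop(ev.check_id, None)
    return alerts


# Constructed sample history, using the amounts from the scenario above.
SAMPLE = [
    Event(date(2009, 10, 1), "payment_out", "venture", 100.0),
    Event(date(2009, 10, 2), "check_in", "employer", 2500.0, "c0"),   # no prior payment: ignored
    Event(date(2009, 10, 3), "check_in", "venture", 2500.0, "c1"),    # 25x the $100 sent
    Event(date(2009, 10, 6), "payment_out", "venture", 5000.0),       # sent before c1 is final
    Event(date(2009, 10, 12), "check_returned", "venture", 0.0, "c1"),
]

if __name__ == "__main__":
    for alert in flag_reinvestment_risk(SAMPLE):
        print(alert)
```

The alert fires at the second payment, which is the last point at which holding the transfer until the check is final still prevents the loss.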













