HOW TO WEED OUT ONLINE FRAUDSTERS
Story by Emma Woollacott & Photos by Douglas Fry
A mother found a reasonably-priced phone for her son on an online classifieds site. She was reassured to be given a phone number and email address in case of any problems. She met the seller face-to-face and was happy to hand over her cash.
“I got home, put it on charge and immediately knew there was a problem. It wouldn’t charge. It was completely dead, and when I got it checked out at a repair shop, they said it wasn’t cost-effective to repair,” she says.
“I was disappointed that somebody could blatantly lie to me, even when I had my son with me and explained it was a present for him.”
The smartphone scam she describes is not an isolated case.
It was issues like these that led Gumtree, the leading UK classified platform, to partner with LexisNexis® Risk Solutions, which is part of RELX, to improve its ability to detect fraudulent accounts.
Research from Gumtree has revealed that the average victim of an online marketplace scam loses $83.72 (£63.76). Fraudsters know we’re less likely to be suspicious when the sums involved are smaller.
According to the latest Cybercrime Report from LexisNexis Risk Solutions, millions of dollars are exposed to fraud every month as a result of huge global fraud networks, with more than 400 million human-initiated attacks and well over a billion bot attacks worldwide in the second half of 2019.
Since its founding in 2000, Gumtree has grown considerably, from small beginnings as an online site for Australians, South Africans and New Zealanders moving to London for a new life. It was bought by multinational e-commerce site eBay in 2005, and is now the number one classifieds site in the UK, used by one in three adults every month.
“We are twenty years old, which is quite old in the age of e-commerce platforms, and, over the years, the model that we set up hasn’t changed. I’m a backpacker from Sydney moving to London, and I need to find a flat, a flatmate, a car, a temporary job, stuff to furnish my flat and everything in between,” explains Gumtree’s Head of Stakeholder Engagement, Fergus Campbell.
The site has since expanded to include a dizzying array of goods and services, from sofas to iPhones, maths tutors to wedding planners, cars and even pets. “About 14m people use us every month in the UK alone,” Campbell says.
But the busier a site becomes, the more popular it is with scammers — and as Gumtree started to expand, it had to increase its security measures. With fraudsters discovering the opportunities that e-commerce sites presented, users needed to have confidence that buyers and sellers really were who they said they were — and with all payments made off-site, this was tricky.
“Twenty years ago, there weren’t the cyber and fraud issues or online scams there are today, and back then you could be relatively anonymous at the point of use on Gumtree, so we didn’t have a high ‘know your customer’ threshold like the banks do,” says Campbell.
“Historically, that meant that in the early growth phases of Gumtree there were challenges in making sure that we kept the bad ads or advertisers off the platform, so that a person shopping online wasn’t duped into something like sending money for an item that doesn’t exist.”
E-commerce fraudsters have two common ways of separating buyers from their money. One is to open a new seller account; the other is to take over the account of an existing, genuine user. This is easier than you might think: many people use the same username and password across multiple platforms, and the dark web is awash with sites selling tried-and-tested login combinations that have been stolen from elsewhere.
Gumtree’s challenge was to detect this happening before any harm could be done. With its own reputation on the line, the company wanted to ensure trust and safety for its users as well as prioritize a frictionless customer journey.
The answer was LexisNexis® ThreatMetrix®, a sophisticated platform that uses crowdsourced intelligence from global digital businesses to better identify good users from potential fraudsters. It helps clients such as Gumtree to understand the legitimacy of new users, ensuring that good user accounts are safe and secure, and importantly, allowing organizations to detect fraud before it happens.
“A fraudster might try to set up a new account on Gumtree and post multiple ads for high value electronics in a short time,” says Campbell. “Previously, we would have been none the wiser, but what we can see now through ThreatMetrix is the account has triggered some other warning sign elsewhere.”
The ThreatMetrix solution leverages the LexisNexis® Digital Identity Network®, which collates intelligence from billions of global transactions, across thousands of global websites. Individual identifying characteristics are never revealed: instead, components relating to the user’s ‘digital identity’ and online behavior are checked to understand whether they are trustworthy or potentially risky.
“ThreatMetrix is built on this concept of a shared network, where all the companies that use the platform contribute data in an anonymous and secure way: essentially it’s a vast repository of crowdsourced information relating to every single transaction that we process on a yearly basis. To give you an idea of scale, that was over 35bn transactions last year,” explains Stephen Topliss, vice president of fraud and identity at LexisNexis Risk Solutions.
The information includes, for example, the user’s connecting device, identity intelligence, behavioral patterns and more, with all this going to create an anonymous ‘digital identity’ that can be accessed by Gumtree and other LexisNexis customers in near-real time. Sophisticated tools allow the system to detect when a user is trying to conceal their location through IP spoofing, a proxy or a virtual private network.
“So, for example, a new customer with Gumtree registers a new account. Gumtree may have never seen that customer before but, using our crowdsourced, contributory network, that new customer’s digital identity may have already been seen by another customer in the network,” says Topliss.
“It’s a really unique way of being able to say to our customers that even if they haven’t seen that persona before, we may well have done within our network.”
A range of tools allows organizations to customize just how strict their policies need to be. “It really varies with industry: with private banking, for example, if you try and interact with their service using a phone that has been modified to allow unauthorized software to run, they will actually take a very harsh view and say you can’t transact with them,” says Ian Spanswick, Senior Vice President of Global Services for LexisNexis Risk Solutions.
“They have the ability to do that thanks to a small ratio of customers to account managers, so they can reach out proactively and explain. But if you contrast that with a retail bank with 11 million logins a day, there’s no way they can have that very strict policy.”
The platform and solution continue to evolve just as the fraudsters do, becoming more advanced and giving customers access to more intricate data points in order to make better fraud decisions. As users have moved to mobile devices, for example, fraudsters have followed suit, meaning changes to the way the algorithm evaluates different devices and locations.
And, says Campbell, “We probably have richer data because of that, because we have phone numbers, we have email addresses, and other information streams.”
And even more data points could be added, says Topliss, “At the moment we’re having discussions with telco companies. Being able to work hand in hand with the mobile operators could potentially link two separate sets of data that could be much more powerful.”
“I’m calling from your bank: we’ve detected a problem. Would you mind answering a few security questions?” We’ve all had phone calls like this, and the scammers can be surprisingly persuasive. But the ThreatMetrix system is now even able to distinguish when a user is being put under pressure of this sort.
“We can tune the models in a different way, to look at timings in the data as you’re banking online,” says Topliss. “If a fraudster is trying to mislead you, you actually interact a bit differently — there’s hesitation, you’re questioning whether there’s something wrong here — and so that gets into this behavioral interaction. It’s data that we had, but we’d never tuned the models to look for it before.”
But these constant improvements, says Campbell, aren’t just reactive: they mean that Gumtree’s ability to pick up fraudsters is increasing all the time.
“There was a 50 percent decrease in fraudulent ads from the first half to the second half of 2019; account takeovers were down 26 percent in the same period and spam was 89 percent down — and those numbers were largely driven by the ThreatMetrix integration last year,” says Campbell.
“Bad ads as well have decreased from 1.65 percent to 0.49 percent — which is another good step.”
These improvements come as the volume of attacks on new account creations rose by 293 percent from last year, according to the latest LexisNexis Risk Solutions’ Cybercrime Report.
One big trend is the use of automated bot attacks.
“This is a fraudster controlling an army of computers and using that army of computers to automate a huge, high-velocity attack on particular organizations, either new account opening, account login or payment processes,” Topliss explains.
The team’s research reveals that bot volumes have seen strong growth from key regions, as fraudsters use automation to maximize success. The number of account creation bot attacks increased globally during the second half of 2019.
Bot attacks can be as dramatic as they sound. Spanswick points to a chart showing the number of fraudulent visits to the platform.
“Here, we’re looking at an underlying rate of 3 percent of our global traffic identified as fraudulent — and then it spikes up to 13 percent,” he points out.
“Some of these attacks seem to closely correlate to when big data breaches occur, and fraudsters go onto an e-commerce platform and test credentials that they’ve just stolen.”
Breached credentials are used in automated bot attacks that impact cybercrime attack volumes across all industries
The charts below show the percentage of attacks per day across the LexisNexis Risk Solutions Digital Identity Network. These attacks are often driven by automated bots mass testing identity credentials.
While tools such as ThreatMetrix can go a long way to protect businesses from cybercriminals testing stolen identity credentials, it’s important that people take basic security measures themselves too.
People should use secure passwords — and consider using a password manager. Users should also turn on two-factor authentication where available — such as a text being sent for confirmation — and keep software and apps updated. They should beware of links in emails and texts, and check they’re genuine before they click.
And don’t allow yourself to get carried away by a bargain, says Spanswick.
“Fraudsters tend to feign knowledge of a consumer’s account and play on either a time pressure or worry that consumers might have. So, they might ring up and say, ‘we think that your account has been compromised, we need to take immediate action to protect your details and / or money’,” says Topliss.
“But a genuine company employee would never ask for your password and user name, they would never ask you to do something where they can see your personal data, they would never ask you to do anything in a hurry — all of those things tend to be red flags.”
For those whose identity is stolen, the consequences can be severe — and can extend well beyond the financial into the personal. “Protecting the physical, mental and social wellbeing of the people using the site is really important, and a key thing that we want to support.”
CREDITS
Story: Emma Woollacott
Photos: Douglas Fry for Piranha Photography
Design and layout: David Roberts
