This video is part of a series of interviews between fraudster turned fraud-fighter Tony Sales and Callsign's Ryan Gosling. In this video, Tony explains how fraudsters play on emotions, socially engineering their victims to bypass multi-factor authentication steps such as SMS OTPs.
In society, online fraud has risen massively over the last couple of years – I think especially when you think about the pandemic, how we've seen it force businesses to start going online. And I think as an industry, we often think that we need to think like a fraudster. What would a fraudster do, in order to get the right solutions in place and prevent the sort of attacks they might do?
So, from your perspective, as a subject matter expert in the fraud space Tony – what's the typical process of how an online fraud happens?
It depends on if you're trying to buy something online, or if you're looking to transfer some money online. Nowadays, with everyone saying that with push payments you're going to get a text message, I'm going to need to socially engineer the person whose money I'm trying to transfer.
As I'm sure we've all seen, there have been many spoofed bank calls out there. It's very easy to do. You can buy a spoof quite easily if you're a criminal. They will play music, they will give you the same music as the bank, believing the customer isn't cautious. If your bank is calling you and saying ‘It's really important that we talk to you, hold, please hold’ and then the music comes back in. If you're the victim hearing that, you're going to feel ‘Oh, wow’ and that's all part of the script for the fraudster, for the build-up. They've already got them in a fear-and-panic state when they just literally take the call and say, ‘Hey, I've just sent you a note. Can you just read back to me what that number is please?’ That's it – automated push payment.
I know we have device recognition, and we have loads of other stuff going on. But the smarter we get, the smarter the fraudster is going to get. They're going to start looking for other ways to exploit, and that's definitely where they're going to go.
Yeah, it sounds incredibly organized. It sounds like there are processes and people doing different parts of the fraud, almost to bring it all together.
The goal for any fraudster would be to get onto a device. Now, let's think back to how this whole thing started. Back years ago – no new frauds, remember? They're all old frauds with a new spin, and you would send someone a link. ‘If you click on the link, I can take your computer over and help you.’
So, I know that someone can make stuff that will stay on your phone that you wouldn't see – he can swap malware into one pixel. So how long do you think it is before devices start getting taken over? And automated push payments don't mean anything anymore, because every device – Google Store, Play Store, Apple – are they really checking their apps? How many apps have already got malware out there? These are out there for customers to pull down.
These are all massive threats. Because everyone tries to think like a fraudster, but fraudsters have always done this stuff from the beginning. They've been harvesting information from day one.
Their harvest of information is now about device recognition. It's funny that we don't think they know what they're doing – yet they're beating us continuously. I find that mad. So, I think we're up against it. I think we will keep adding layers, which is great. That's all we can do. But we're definitely up against it.