Business fraud protection isn’t just about tech tools, or even having the right fraud prevention people on your team. While those things are important, other components also make a difference. Educating your people, creating internal trust, and aligning your fraud prevention with your business goals can all help you stay ahead of scams.
See How Fraudsters Choose Targets with Brian Davis for a complete transcript of the Easy Prey podcast episode.
Brian Davis is the Head of Fraud at Dodgeball Fraud Orchestration Platform. His job is to build fraud teams and fraud strategy to take companies from zero to protected. He is also the person behind House of Fraud, an invite-only network for fraud leaders to share knowledge, test ideas, and get ahead of fraud trends.
Brian’s career in fraud started over a decade ago. He was an accounting intern helping a company digitize their finance system. While spending all day typing invoices into a computer, he noticed one contractor had an overlap every week. He pointed it out to his supervisor, who took the invoices to look at them. It turned out that Brian had uncovered a pretty big double-dipping scheme. His interest was piqued. He got a Master’s degree in accounting, but took a lot of fraud courses. It was hard to get a job in fraud, because it wasn’t an entry-level job. But after working in accounting for a year, he found a ecommerce company willing to take a risk on him.
That jump-started a career joining growing companies to build fraud prevention teams and tools from the ground up. Brian has worked with a lot of different business models, and fraud protection looks a little different for each. But at the core, it’s a business problem. It benefits everyone to help solve it.
Even Experts Can Get Caught
Brian works in fraud and scam protection for businesses. He knows a lot about how scams and fraud work. But a few years ago, he fell for a classic scam. He and his wife wanted to get tickets for a sporting event, and they found some on an online marketplace. Brian looked at the seller. They had sold quite a bit and their ratings weren’t bad. The tickets were reasonably priced, so it didn’t seem too good to be true.
The seller ended up taking the conversation off the platform and asking them to send gift cards. Brian and his wife knew that was weird. Moving the conversation to a different platform and asking for payment in gift cards are two major red flags of a scam. But they really wanted to go to the game with their friends and everything else was sold out or way overpriced. They decided to risk it. Of course, once they sent the money, the seller disappeared and they never got their tickets. Since they didn’t submit any card details, they were only out money.
Business Goals and Fraud Protection
In Brian’s experience, most people are willing to work with him when he comes into a business to start a fraud protection program. Most companies were doing “fraud by committee” up to that point, with a team of people across different areas working on fraud in their specific area in addition to their regular duties. Working with Brian helps get them what they want. They teach him what’s going on in their areas, and then he takes over and gets fraud off their plates.
Especially early in the process, there’s a lot of buy-in. But sometimes people become more resistant as time goes on. Brian becomes the guy who says no, who keeps bringing up objections, and who wants to limit things. He’s found that they key to that is making sure what he presents aligns with the business’s goals. He can’t ask people to drop everything and care about what he’s doing without a lot of pushback. But if he can explain how it fits into the grand scheme of things and aligns with business goals, it’s easier to show how he’s helping everyone.
Often people who don’t know a lot about fraud and haven’t been personally impacted don’t care that much. With education and awareness of fraud, along with being clear on how fraud protection helps everybody, people are more willing to cooperate.
Starting a Fraud Protection Team
When he comes into a business to start fraud protection initiatives, Brian is looking to collaborate. Before he came in, there were probably a lot of different people involved. Brian’s goal is to build relationships and create allies, not delegate and give orders. He starts with understanding the company. How do they make decisions? Who’s involved in decisions? Who’s involved in fraud? The better the understanding he can get of how the company operates, the easier it is to foster collaboration.
Before fraud risk, how does the company make decisions? Who’s involved with these decisions? Who’s been involved with fraud? And is there any alignment there? – Brian Davis
He likes the phrase “onboarding.” It’s not just looking at org charts, it’s understanding dynamics and learning what key people care about day-to-day. While doing that, he starts to create a surface map. How do customers come into the business, what do they do, and what does the company provide? This works for any industry. Once you have the user journey, you can identify risks. Brian’s surface maps are just a piece of paper with lines and X’s showing how a customer can interact with a business and where risks might be.
The next level from there is determining what signals there might be. Opening an account is a risk point. Stolen devices, identity theft, and synthetic identities are possible. What signals would the company be able to see if any of these were happening? At the end, Brian has a piece of paper with a list of potential vulnerabilities. From there, the business can prioritize and build a roadmap to better protection.
[It] starts with understanding your baseline, where you’re really vulnerable, and what that type of fraud really would look like. – Brian Davis
Business Value for Fraudsters
To some degree, you can predict if and how fraudsters will go after your business if you understand the entire ecosystem. The criminal journey can find different types of value on different platforms. What they want from you depends on what you have available.
Do you have a product that could be resold? Do you keep customer’s payment information or specific personal data that could be useful for completing a profile? Are there business funds in an account that they could steal? Could they use your systems to test stolen credit cards? Figure out what value your business has that a criminal might want. Then you can put up more fraud protection and defense in those areas.
It’s understanding where I fall in the criminal’s journey and what I can do to best be the most annoying at that point. – Brian Davis
It’s never going to be perfect. There is always going to be a balance. But if you can be more annoying to target than your competitor, criminals are probably going to target your competitor instead. The reality is thinking about protecting your platform and your customers or users. It’s essential to figure out your most valuable asses, why you might be a target, and where you’re vulnerable.
Protecting Business Assets from Fraud
The most important step in business fraud protection is figuring out what your asset is. Say you’re a new fintech company that offers bank accounts. Bank accounts aren’t giving out money. But if you offer tools to move money quickly, criminals like that. They’re going to see how many accounts they can create with fake identities and synthetic profiles and what kind of information you ask for.
They often stress test a lot of this right when you start. Whatever avenue they can find to exploit, they will. Your service could be a tool to move funds around, obscure the sources of funds, and launder money. Or they could spot a method to take over other people’s accounts and steal their money. This varies depending on the service you offer. If you’re a digital subscription site, you’re probably not going to have a problem with criminals taking over people’s accounts. But you may see them testing stolen credit cards by buying a subscription.
It really depends on the company you have, the industry you’re in, the asset you’re protecting, and why it would be valuable to a criminal. Criminals don’t care what you’re trying to do, only what they can get out of you. Once you understand what they could do with that, you can protect it better.
The Challenges of Building Too Late
Some companies don’t care all that much about fraud. That’s changing, but there are still businesses who consider, for example, some credit card chargebacks just a cost of doing business. Business owners who have been hurt by fraud know how hard it is to build fraud protections too late.
There are multiple reasons why some companies put themselves at risk by not caring enough about fraud protections. Sometimes it’s just lack of awareness. People don’t know what they don’t know. And especially in small and growing businesses, many people don’t have the time to spend learning about it. Egos can be another aspect, too. If someone points out a fraud issue, some business owners take it as a personal attack. And some companies are open to learning more about it, but don’t understand why they should prioritize spending money on fraud prevention instead of spending money on directly profitable things.
These days, more people are aware of fraud. And some teams are starting to recognize the far-reaching implications, such as making bad decisions because the metrics are based off systems bloated with fake and fraudulent accounts. Additionally, the rise of AI has made people less trustful of things in general. Brian has a personal hypothesis that this mistrust of AI has led people to question other things as well and be more concerned about fraud.
Sharing Intelligence for Fraud Fighting
People who work in fraud protection have always been willing to share their knowledge. But most often they would share it on a limited basis. Usually it was with people they already knew or with people they saw in person at conferences. Smaller communities have sprung up for small groups of fraud fighting professionals to share their knowledge.
Brian runs the House of Fraud, which is one of these communities. The challenge is that everyone wants to learn, but not everyone wants to share. The goal of House of Fraud is to encourage people to share and learn from each other. Lots of people want to help but nobody wants to be the first to ask. But once the first person shares and the wheel gets turning, it becomes more organic.
We still have a long way to go. Fraudsters are much better at collaboration than we are. That’s a huge disadvantage for the good guys. But in Brian’s experience working across industries, a lot of the core problems are the same. The information and specific assets you have are different, but the process is similar. Having an attitude of “You work in a different industry, you wouldn’t get it,” does everyone a disservice. Helping the fraud community collaborate better will go a long way towards business fraud protection.
Fraudsters work better together than we do still today … that’s a huge disadvantage for our side. – Brian Davis
You can connect with Brian Davis on LinkedIn. He also writes the newsletter Diary of a Fraud Leader with notes of the good, bad, and everything between on building fraud careers, getting strategic about fighting fraud, and getting people to care.
