Easy Prey Podcast

How Cybercriminal Networks Are Organized with Peter Taylor

“What we need to do is improve what we used to do, but we need to not forget that most criminals will use the most common and familiar methods to steal.” - Peter Taylor

Virtual networks with anonymous accounts allow cybercrime gangs the ability to work together without even knowing who they work with. This could be how the good guys infiltrate these networks.

Today’s guest is Peter Taylor. Peter is a former police detective and Director of Fraud Management for major UK companies. Ten years ago he set up his own consultancy and has established a reputation as “The Fraud Guy” specializing in research, training, and investigation around organized crime.

“Cybercriminals reach a point of success where it’s no longer about the money. It’s about their ego.” - Peter Taylor

“The speed in which cybercrime evolves, there’s nothing like it. It’s very dynamic.” - Peter Taylor

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Peter, thank you so much for coming on the Easy Prey Podcast today.

Thank you for inviting me, Chris. It's a pleasure.

Can you give myself and the audience a little bit of background about who you are and what you do?

I'm Peter Taylor. I'm known as the fraud guy. My history: I'm a former police. I spent most of my time dealing with traditional fraud. That's employee fraud, insurance claims fraud, and that type of thing. I worked for major UK companies.

About six years ago, I got a little bit bored with fraud. I picked up an interest, let's say, in organized cybercrime. I looked at taking some qualifications. I decided not to, and instead spent that money to fund the research projects a bit into organized cybercrime. I want to compare it with organized crime as in drugs, and organized insurance crime, which is things like staged accidents, crash-for-cash type claims. I just wanted to do a comparison.

Without being too long-winded about it, instead of taking an academic approach, which I think is too victim-based, I did it in the same way I would do a police intelligence government operation. It was all around the principles of the intelligence cycle: qualified resources, corroboration, and everything else. That included, I did interviews with former cyber criminals. I did interviews with former fraudsters. I spoke to people with the car fraud industry, the cybercrime industry.

I did look at things like articles in Wired, which is always good. I put together a research paper at the end of it. They are quite peer reviewed by academics in cybercriminals. I'm serving police officers.

Surprisingly, they told me I've come up with stuff that they weren't aware of. There was a bit of different thinking to the standard status quo. Then I've been very, very busy ever since helping people who are developing cybersecurity solutions, having cybersecurity problems, and having fraud problems. I feel like I'm achieved because we really enjoy it.

It's a very interesting, fast-moving, evolving, I hate to say, industry field. Field is the right word for it.

The speed that evolves and develops, I've never seen anything like it. I don't think that's just cybercrime-specific. I think it's the way of life now that we are developing at a faster rate. You know what, how things were changing 20 years now changes in three years. It's very dynamic.

The cybercriminals are applying agile management skills to their organizations.

They are, yeah. They are the epitome of good business. Because again, I've come from the corporate world. They could teach the rest of the world a thing or two.

What were some of the things that stood out in your research that you were saying that when it was peer reviewed by people that are more victim-centric in their approach that stood out and caught their attention?

As I say, most of the time, we ask the victims for information. We record data and we analyze that. We come up with statistics. You'll get such useless information that has been funded such as… I really apologize because I love that particular university. They spent ages researching insurance fraudsters. They came up with a fantastic, useless piece of information that the typical insurance fraudster is a 42-year-old male who wears a tie to work. What rubbish at the end of the day.

What does the typical claimant look like? Oh, yeah, he's a 42-year-old male who wears a tie to work. Absolutely useless information. Where does it really take it? What I wanted to do was actually get into it.

I think a lot of people forget this, is they look at the victim. That's not just the victim of, say, a fraud or cybercrime as in you or I, Chris. They look at the victim, which might be Citibank. That's where all the information comes from.

What I think gets ignored is what can the cyber criminals tell us? What could the criminals tell us? Watch the criminal. That's where I came from—the police background and watching the criminals—so I wanted to watch the criminals.

The most amazing thing I found was we know what they're doing. It's just so few of us know what they're doing, so few people are acting upon it. It's actually out there if you've got the skills to go and find out what they're doing, because it's just so blatant. As I say, because they're a virtual network with anonymous members, you can actually infiltrate the gangs. If you've got a crypto account and you know you're secure or safe, you can infiltrate the gangs anyway.

I keep seeing warnings that the cyber criminals are watching us, and they're really good at it […], and they do. We can actually do that, too, but we don't. We don't do enough of it. That was the first thing that I saw.

The other one was I spoke with—it's OK to mention the name; guy's a good friend of mine—Brett Johnson who, as you probably know, was one of the founders of ShadowCrew, who are the models used by most of the organized cybercrime gangs now. I spent time with him. What I realized was compared to the drug gangs, who were family- or neighborhood-based, cybercrime gangs are marketplace-based.

It's like if everybody used eBay was a criminal, they'd be the eBay gang. If you actually look at the cybercrime gangs, most of it, 80% of it, is built around marketplaces, like Silk Road. Silk Road is free or whatever they are now from Silk Road 33, because he keeps getting closed down and popping back. Dread, Genesis, and all these marketplaces.

You can log onto these marketplaces, and you can look and see what's going on. You can be really smart. You can scrape data. You can analyze that data. There are lots of ways of finding that. 

I have the pleasure of telling a good old American boy, which Brett Johnson is, that he was a communist. He said, “Why don't you be with a communist?” I said, “Because you actually work as a cooperative within these marketplaces.” What you do is, working with Brett, came up with what's called the cyber crime triangle. This is something the police have been interested in, which shows how the cyber crime gangs operate and how it's different to drugs gangs or whatever. They might be involved with these gangs. But certainly, in the early days, it's getting tainted a little bit now.

The cybercrime triangle, three functions. Function one: Steal, hack, or get the data. Put it on the marketplace and sell it. Function two: Buy the data, enhance the data through maybe social engineering and also crime as a service, so teach people how to commit for cybercrime. These are the guys that commit the fraud. Function three: cash out. Turn the goods into legitimate assets. 

It's as simple as that. That’s Genesis. That’s Dread. That was ShadowCrew. Most of the gangs, they're actually structured that way. It's in the marketplace. Obviously, the exception to that and the best rule has exceptions is you've got the ransomware gangs.

One of the things I've seen increasing now, though, is the heist gangs like the old bank robberies. You'd put a team together for a bank robbery. You'd want somebody who could overcome alarms on that team. You'd want somebody who could blow the safe. You'd want somebody to plan all the logistics and armory. Somebody use the armor, provides the armor, and then you want a getaway driver. If you've got to steal gold bars, how are you going to get rid of the gold? To me, that's a heist. That's Ocean's 11, Ocean's 8, or whatever. 

Now, we're getting more and more cyber heists, where you put a gang together to hit a particular bank, hit a particular business owner, or hit a particular organization. But the crazy thing is, sometimes they don't actually know who each other is. It's almost like a terrorist cell, where you’re brought together for a heist. Those are the exceptions that prove the rule.

They are different to the sausage factory—very luxurious and expensive sausages. The sausage factory, that is the majority of cybercrime. Those are the kinds of things that I came up with back in 2017. I also put some warnings out. I've spotted that the cybercriminals were anticipating stronger customer authentication, which has been rolling out across Europe, States, and everywhere else, where banks, guns, societies, longboards, lawyers, are a lot more careful about making sure that somebody authenticates themselves as to online retailers.

In 2017, they were already beginning to create synthetic identities, but they weren't creating it for use in 2017. They would be doing things like creating emails, social media accounts, putting themselves onto electoral rolls and voters lists that nobody would notice. They were all so stupid in all that premises, where lots of people coming and going. 

What that meant was by 2020 and 2021, they would have identities—non-existent or partial identities—that already had a three-year history that would pass lots of checks, and then Covid came along.

And everything goes virtual.

Yeah. Also, they didn't need the synthetic identities. They could just carry on using stolen and cloned identities because there was so much free money about. If you look at one of the gangs, the Nigerian gangs, that were based in the US who took something like $900 million dollars of benefits from the US, they came on stock. Again, you get gossip coming out.

The gossip that came out was that they planned to take $200 million, but they ended up taking so much that their infrastructure couldn't cope. For that reason, they made mistakes. Then the FBI were able to identify them. I think they've been charged in their absence or even convicted in their absence. I'm not sure if any of them are actually in prison.

Some crazy stuff is going on. You can really see now the use of those synthetic identities that have really thought and considered what defenses the good guys have got and what they wouldn't expect to see. I'm going to say, obviously, the biggest advantage the cyber criminals have got is that they get shut down while the good guys go off and have a project meeting, try and raise funding, have another meeting. I've got hampered to a degree by data protection regulation and other laws whilst these guys have got complete free hand. I can get things done in 24 hours. That's a huge advantage.

Isn't that always the rules of warfare with the good guys and the bad guys? The bad guys always have no rules, and the good guys have the rules that they have to fight with?

That's the difficulty when you've got a uniformed army fighting terrorists, isn't it? That's the big advantage terrorists have. There are places in the world where you can look and you can see it's quite easy to take over a nation, but you can't manage it afterwards. That piece is difficult because they don't live by the rules and you do. It's very much so the case.

I do think the good guys—I feel like giving some advice. They're just going to talk to me, Brett, and people like you. There are other mistakes that I think could be made. One is what I call the magpie syndrome of chasing shiny new things. I'm saying lots of things that some marketers or vendors will politely say.

What we seem to be doing is we've created what we call the cyber arms race, or the identity arms race and everything else. People are getting that wrong because the whole point of a race is that you get to the finishing line before the other person. But it isn't a race like that, because what happens is that the cyber criminals are becoming increasingly sophisticated. We good guys, the good vendors, try and become increasingly sophisticated too to keep up with it.

But there's actually a floor to that. What I think the floor is—there are two floors. One is the more sophisticated areas of cybercrime, more elitist are actually a small portion. The largest portion of cybercrime is stuff that's 30 years old or 20 years old.

One of the things that you probably know yourself with fraud and cybercrime is it's weird because when something new comes along, building stuff doesn't stop. It's 2022, and I can go and steal your cookies for a site you purchase on and trick that site into thinking I've passed the login check, the security checks, the bio checks, the behavioral checks. We can do that now.

Five years ago, you'd have to be—I'm not going to name nations, we'd have to be a nation-states—intelligence services, we've got that capability, but the old Nigeria, now the prince from Nigeria, I've got 25 million quid, which the first time I saw all of them, I think, was about 45 years ago. They're still going out there taking those and stuff.

The people are using the most sophisticated, the nation-state standard things. They're quite small. What we have to do is, yeah, we can't ignore that. We've got to deal with that, but we cannot stop doing what we used to do. What we need to do is improve what we used to do, which goes on, but we need to not forget that most criminals will use the most common and familiar methods to actually steal our money.

There are still people that are buying a username, a password, credit card details, CVV code, and some basic information about you committing fraud. They are still around. What happened is I think people need to put the bases in place first, where the things themselves, they're chasing shadows that aren't that important. If you've got all that in place, then yeah, you need to be working on the risks from bots, ransomware, and everything else.

Again, I do a lot of reviews. I'm seeing people that haven't got stuff. They're putting stuff in now that they shouldn't be embarrassed that they've not had in place for 10 or 15 years. They don't want to embarrass themselves, yet you've got to put that right, but they've got to be realistic about that.

The one that makes me laugh most of all is my actual history, Chris, is behavioral psychology—how criminals work, but also how witnesses work, and how people fool themselves and trick others. The thing that I've noticed is that I sometimes see something and think there's something else going on there. I might be neuro-diverse or I might just be daft, because I don't see the obvious.

The one that made me laugh is that I don't actually know about that. I think it was global, but I'm not sure if it was just the UK. But a few years ago, our sales of vinyl records started to exceed our downloads. I think that might be a global thing. Now, vinyl records went out with the ark. We have vinyl records, and we have cassettes, then we have CDs, and then we have downloads. And downloads killed everything off.

For everybody, obviously, the MP3 player, the iPod, the iPad, DAB radio, and everything else, and then vinyl records came back. There was a big clinging to retro, and then I started to see loads of random social media posts say how good checks were and how people miss checks. Then people will say, “We should pay by a check. It takes a week to clear. It's not an immediate take out from your account. Isn't it cool? You can write with a fountain pen in blue ink and have a […]?” Then the cool kids from certain places in New York, Soho, and what have you, started to ask for checks, because checkbooks never stopped being available, and then we saw the rise of the checks. Straightaway, we've now got the rise of checkbooks, which is the easiest thing.

Now, people are back to stealing mail. They're back to stealing checks. They're back to insisting on checks because it was cool. It just created an old fraud. It's probably back again when it virtually died out.

We have a comedy program. This guy is called Harry Enfield, is a successful British comedian. He's very sarcastic and he has a little shop in one of the posh areas of London. Basically, it's called I Saw You Coming, is the shop. People would go in, they'll sell a twig for £500 because they think it's cool.

I honestly think people like him were behind this, let's make checks cool again or at least encourage this thing about checks being cool. Can you believe it's 2022? Obviously, in loads of alerts, warnings, and everything else about check fraud. Why? It shouldn't exist.

Back to the Nigerian scam. You've known about it for 45 years. It used to be via fax machine, postal mail, and then it migrated to email. Why does it still work? Everybody I talk to seems to know about it, so how does it still work? What's the psychology behind it?

There's a psychology behind it and that it's always been about triggering emotions in the reader. Also, almost like I'm up to some studies at the moment and to spiritualists and mediums on how they do cold reading. We can learn a lot from that. I’m just speaking out for myself, so don't forget that important bit.

We've got the psychology of it, and then there's something that I want to come back to about why it works. The first thing is you create in somebody some form of excitement. That can be a negative excitement or a positive excitement. You create some urgency.

First of all, there's an opportunity there. There's an opportunity to get some money. Or in other ones, there's an opportunity to lose a lot of money, to threaten that. If we look back at the Nigerian scammers, we've got this huge thing at the moment going up: the extortion emails. “I hacked your account. I've got a picture of you masturbating, watching porn, about your contacts list, blah-blah-blah. A thousand dollars will do it and I'll close it down.” They haven't actually count.

It goes back to the other one of picking up on what people are going through. If you send it out to a man, a male, particularly young male, but that doesn't necessarily mean particularly young male, there's the guilt complex, isn't it? I actually was taught by monks. I went through monastic school.

I remember on our first biology lesson. It's an all boys school, and the teacher came in. We started the first lesson around human reproduction. We've asked around with plants, birds, and bees for a while. Teacher said, “Look, we're going to be talking about sex now, and we're going to talk about your sex organs and things.” He said, “So let's just get something out of the way.”

He looks at us also. This is a class of 30 12-year-old giggling school boys. Ninety-eight percent of males masturbate and the other 2% are liars. It hones in on that people have got financial difficulties, or they're just a bit greedy, or they've got some guilt going on somewhere.

What a lot of them do as well is they will then put something benevolent. They want to actually give them money to some other people. Or they will say to you, “I get lots of emails from Gaddafi's daughter.” Here we go. “She emails me regularly with 25 million, then she really regrets what happened in Lockerbie. She'd like me to take that 25 million and decide who deserves it, install and draw anywhere else.” They're holding something.  But then the other one is people's ego that they are important enough to be contacted by that. 

They create some excitement. They hone in on something that is a common personal feeling, and then they might choke on something, it seems of benevolence, that putting some credibility somewhere. I know that it started when Gaddafi was killed. I know that safe. I’ve forgotten the first name, that his children haven't been caught, and knocking about, and might have a few million or billion possibly in their accounts, so it gives it credibility.

Another favorite is lotto winners. As soon as I see a lotto win, particularly a big lottery win, I know that within two hours, people will be getting an email saying, “I've won the lottery, and I want to give you £100,000 or $100,000.” It's just an inevitable fact, because the fraudsters will use the spam lists, the scam lists, and the mobile lists of people that have responded sometime in the past. Especially now that you've got box and everything else, they can just hit so many people so quickly every time with very little effort, so it's going to keep coming. 

The other point I want to mention, Chris, and I think this is really, really important, and this is a message of every cybersecurity person, every counter-fraud person that's out there that is watching this podcast, that is on Twitter, that is on LinkedIn, that's on Telegram. Listen, guys. Most of the people can, and the ones that aren't, we've picked a network of connections and follow us. What we see, they don't see.

We've got this delusion, and I do it. I try and create fraud awareness. That's how you unite them together. I post some stuff or warning people about particular types of crime or fraud. I will always say to people, International Fraud Awareness Week, I said, don't put a postal, warning fellow professionals. Go and talk to your mom. Go and talk to your auntie, go and talk to your uncle, because they won't see these posts. You might actually do more good through that than putting something out on LinkedIn that gets 200, 2000, or whatever likes.

We suffer this delusion of this perception that because we know, everybody knows it. They don't. They just don't unless we tell them. I still think we would do it. As I say, I do concentrate my kids. I'm aware of my kids' friends.

Again, people learn. It was something that only came to me or I only realized about four or five years ago that what we see is very, very narrow. The public will keep falling for it. That's an interesting thing as well as the old stuff. The old people follow the fraud. No, it's not. It's people under 30.

Millennials are now one of the highest targeted groups and falling for certain scams more likely than other groups. I wonder—shifting gears and maybe this is good as a short-term deterrent for cybercrime—has the crypto crash reduced cybercrime? If you had $100 million in cryptocurrency, and that you've scammed out of people, now you only have $5 million, $2 million, or maybe it's worth nothing now. Is turning that into real funds a problem for them?

It's a huge problem for them, and it always has been. I think there are two factors at play. I think you're absolutely on the nose. You're in cybercrime. You've got loads of one of your crypto account, and now it's worth jack shit. Yeah, it's not worth much.

I've always said, I'd rather see somebody lose the money or lose assets than actually go to prison, because I do think it's about the money. We've got that, and I think that is significantly true. It means that they’ve got to think more and try harder. 

The other side to that, though, too, is—and this is really interesting and something that came out again, but this has been a constant thing, it's not just come from what I did in research and to cybercriminals—a lot of criminals will reach a point of success where it's no longer about the money. They don't care about money. It's about their ego more than anything, and then we can break that down into various segments. 

I can give you an example that isn't crypto. I'm just going to mention a drug dealer. A serious drug dealer is now serving a very, very long time who is local to me. He was arrested chasing a man down this local street with a machete, because the man owed him £20. It wasn't about the £20. It was having achieved not to pay him. It's all about his reputation and his ego.

I corroborated this, but I was told by one of the officers on the case that he had a tin full of cash. Now the guy had been arrested. He cooperated with everybody. He's done jobs over. He knows he's going to hell for a long time.

He knows he got his cash, and they say to him, “How much cash have you got in that tin?” He said, “Probably about £30,000.” When they counted it, it was £120,000. They had no reason to pretend it was less, because he got the cash to count. He genuinely didn't know about £90,000 that he had.

He had so much money that he just couldn't keep track of it anymore.

He's like Escobar, isn't it? Wasn't there a room in New York or somewhere in America that was discovered where Escobar stored cash, and the cash is rotted? It actually rotted away. I think that's one thing and because normal people tend to think about money. But when you've got so much, that actually starts to mean so little.

Yeah, you want the trappings, but it's actually about your ego. The biggest thing is that you've got people who could never understand what people do. We've now got a lot of people that are really good at trying to get into fraudsters and cyber criminals' heads, or there is a drawback with that. We put our own standards into their heads, so what we value points to their heads.

What gets in the way a lot as well with investigations is because people think, “Oh, they wouldn't do that. They wouldn't go to that trouble.” The real skill is to get yourself into the fraudster's head and the criminal's head. The other thing, as well, is they don't worry like we would worry about being caught. They don't worry the same way.

There are two factors that I see for that. One is they think they're too smart to get caught, and they're the ones who drive pretty short-term gain. If I can pull £4000 on Tuesday, and go out and take loads of cocaine, and have a really good time, I don't particularly care if on next Tuesday, the bank closed my account or the police come knocking at my door because of a lot of good time.

I think we've got to understand that people's lives are different to ours. I think, also, we do live in different times. I think life's a lot more uncertain than it was 20 years ago. We've got the whole gig economy. I think that's enabling these cybercriminals to recruit in a way like they've never done before.

I think you mentioned in our pre-call of how businesslike they are. They are absolutely the ultimate gig economy. I did jokingly suggest a really good idea would be to just legalize cybercrime. Let them pay taxes and get them to go and teach governments how to make a shitload of money.

That always is one philosophy with a type of crime that if you legalize the underlying issue, then you start getting taxes on it and doing everything above board, then it's easier to address.

I work now globally. You've seen the Twitter app, The Fraud Guy UK, LinkedIn, and The Fraud Guy. Since the UK, like I said, you're about to do loads of work abroad now in Europe, Africa, and places like that. But there are a lot of countries where you're on your own. If you're daft enough to fall for fraud, then that's down to you.

There is no support. There is no help. Sometimes there are even laws against that, but I don't know if you know, in Nigeria, the 419 Scammers who send out the emails and everything else. They can't be arrested unless they're actually caught doing it.

Which they're not going to get caught in the act.

No. If I know you are a 419 Scammer and you did it last week, I can't do anything about it. The laws are very different. Ukraine's one example. A friend of mine works a lot in Ukraine and just basically flee frauds down. Their view on fraud is if you're daft enough, then that's your problem.

If you chose to give away your money, that's your issue, not ours.

Yeah.

Do you see—I'm trying to think how to phrase this—that you don't address the methodology of the crime? You don't address the, was it a ransomware? Was it a Nigerian scam? Was it a phone call? Was it a tech support scam?

The methodology doesn't really matter. But if you focus on how the money gets in the system and how the money gets out of the system, there are only so many ways you can get money in and out. It doesn't make any sense to focus on the actual movement of money versus how the scam is being carried out.

Yeah, there's no point in stealing the data. There's no point in stealing somebody's money if you can't get it. It's like we said with burglaries in my police days. If we were to cut the burglary rate in an area, we take the handlers out. If the burglars didn't have anybody to sell the stuff they stole to, then burglaries drop. That works if it's really successful in a team I was in.

Really, we need to cut the lot out. I think we will, but yeah, the thing that surprised me is if you actually speak to the banks, particularly, they really worry themselves about their ability to control money laundering. But if you speak to the criminals, they really worry about the banks catching them laundering money. It indicates to me that's going to be a priority area.

From my mind, I think of AI and machine learning. I have a very natural pattern of what I buy, how much money I take out of the bank when I get cash, what money flows in and out of my bank account. For most people, that's probably pretty normal. If someone has a job, their pay is their pay. It's not like, hey, this week, they got $100,000. And next week, they don't get paid.

They have a set amount of money that they get paid on a regular basis. If suddenly they've never done a wire transfer, and they start wiring money in and out of their bank account, to me as a layperson, I'm like, immediately that account should be looked at. Someone should call that person and say, “Hey, what's this about?”

I did have that happen once. I had sent money overseas to a family member. Because the bank that I was previously using didn't do international wires, I had opened up a bank account at a bank that did international wires, deposited funds in it. As soon as the funds had […], “OK, let me wire it out,” which as a bank, that should look really suspicious. Account gets opened, money gets deposited and immediately gets wired out.

The bank actually called me and said, “Hey, we noticed that you're wiring out a large amount of money. What's this about?” “Oh, it's a family member.” “Have you met them? How do you know you're wiring it to the….” I was both impressed and annoyed at the same time. I was impressed that they asked all the right questions. “How do you know this? How do you know that it really is your relative's bank account and not someone else pretending to be your relative? When was the last time you saw them?” All sorts of questions. Isn't that the banks just need to get, in a sense, more obnoxious about that thing? And that the grocery store needs to be more obnoxious when someone wants to buy $1000 of iTunes gift cards?

Yeah. Obviously, I'm the same as you. I've had it where I had a credit card that I used to pay for all the fuel. That was all I used it for. The business I worked with didn't have fuel cards, so I just used it for that. It was my credit card, not their credit card. I was out and left my wallet at home. The card was in the car, so I used the card to buy a bunk bed.

Obviously, I came up somewhere on their analytics, and you probably speak to that. Honestly, yeah. To be honest, Chris, I wasn't irritated. The person was quite apologetic, especially because they knew that I was a fraud investigator. I just want to be safe. I'm fine with that.

I was once taken off a plane in Los Angeles by the FBI, or somebody, or the US Secret Service, because I've complimented the Air Marshal on the Yukon. I just never thought I like guns, and his gun he’s showing me, which he shouldn't have been. I've actually jokingly said, “We shouldn't be flashing that. It's very nice, but you shouldn't be flashing that gun on the plane.”

I was taken off the plane again because, probably, I scared the guy to death. This guy was really apologetic, because he worked out. It was actually while I was in Los Angeles and no one would see it. I knew who he was. I said, “No, honestly, it isn't a worry, I want to be safe.” So we've got that. I think it's quite lazy to think to yourself, “Well, we have to speak to the right people.” That's the value of quality analytics. 

But the other thing as well that worries me is over-reliance on data. There's a guy called the fix call from Canary who deals with a lot with automotive stuff. He always says no matter how he deals with putting IT-based and automated solutions, there should be human supervision, because computers make mistakes.

The computer supervision are also, again, the quality of your analytics providers, because you and I both know, Chris, you've got data matching, you've got data mining, then you've got machine learning, and then you've got AI. They're all dependent on what rules you should put in. They're all dependent on the data sets that you're using.

Some machine learning is great. Some of it is just you’re similar to client D who will give you their rules. Some AI is machine learning plus an extra couple of questions. The problem is that people are always able to question and ask that. I mean, you want to see proof of concepts, things like that.

Particularly analytics, how do you spot the outliers? The ones that just don't work right is the closest thing I've seen to magic, and I don't believe in magic. It is great to have it, but it's also making sure it's a good company that are using it. They're not just taking a piece of plasticine and [00:46:20]. They've actually created something that is different.

Again, I've seen it at the moment with people now waking up to it. Can we just talk about online retail for a second? There's so much emphasis on the transaction. There are so many checks going on around the transaction, or there's a hell of a lot more to that transaction. What happens before the transaction? What did you know on your website?

We've now reached a point that from a technology point, we no longer need passwords and logins. There are far more reliable things to tell anybody whose website I'm on or any organization that I regularly log onto. Amazon, eBay, work systems, land registry, government site—they know it's me a lot more reliably for me putting in the password.

We're finally going to see the end of passwords thinking that's all. Probably the next 12 months, as soon as that, because we've now got the behavioral stuff, and we've actually got behavioral stuff that works because it's behavior, yet the floor I felt where a lot of the bio-behavioral stuff came, and it was only a transaction. It needs to be added to the transaction.

Certainly, you can kill off a lot of refund fraud by ruining the same check. Having behavioral bio-checks where the refunds apply for, as well as when the purchase takes place. A lot of refund fraud is crammed as a service. The person claiming the refund doesn't purchase it. Yeah, and it goes on and on after that.

I think I'm seeing more holistic approaches. It is, what is the lifecycle of that transaction? What happened before the transaction? What happens afterwards? I think there's a lot we can do.

I think the other one we're going to do is, I'm not sure how old you are, Chris, and not actually important, but when I first started in fraud, the reason I started in Florida was I was a police officer. Loads of cars were being stolen in the UK. Now we've got population at the time. We have a population of less than 60 billion. We were having over a half million cars stolen every year.

Oh, my goodness.

It is phenomenal. Now it's about the 100,000. But the time we are 1½ million. The reason that I got into fraud was I realized that a lot of those cars weren't being stolen. They were just cars that couldn't pass on loyalty and were at the end of their economic life. The easiest thing to do was rather than pay to have your car scrapped, you'd put an insurance claim in, get the value of the car paid by the insurance company.

I can see insurance companies are going to get ripped off. Also in the UK, car insurance is completely compulsory. You have to have it, I know. There are no states or whatever, where you just got to have it, as simple as that. It's again for sale. You've got all these people with insurance. Car comes down to this life. It's going to cost them £200 to scrap it or it has been stolen and claimed £3000 or £4000, but I'm talking like 1990.

What happened, though, was we spoke to the automotive industry. I'm going to name a company called Ford. We spoke to them and said, “How much did the locks on a Ford Sierra cost?” They said about £8.50. At the time a Ford Sierra was about £40,000. I spent the £8.50 on locks. They were being stolen, because that's the great thing about Ford if you want to hide behind something that really happens.

This hasn't become a car podcast. Please listen, because this really relates to cybercrime. Various things happened. But eventually, Ford got a reputation that if you had a Ford, it'd be stolen, and people didn't tolerate that. Various devices came out. Again, you might just be able to remember things like crook locks that's connected between your clutch or your brake pedal and your steering wheel. The steering wheel locks, so the steering wheel couldn't be used.

The dead locks on your car door, so that when you get out of it and locked it, nobody could get in without breaking the window and climbing in through the window, because those just wouldn't open again. Then we've got transponders, where you paid for a transponder, which meant that you didn't just need the key. You need to use a chip to start the car as well, and so on and so forth.

We had all these devices. Now the thing that caused the complete decline was when car theft rate started to go down, down, down, the manufacturers include a lock. Back in, again, probably the late 90s and early 2000s, you buy a Ford car, it's got a transponder built into the key, click twice it deadlocks, so you can't just be able to from inside.

The security massively improved on the cars. Car crime went down from one-and-a-half million to 100,000, then less than 100,000 a year. I think the same is starting to happen with technology where it's built in. When you get a laptop, it's going to have anti-malware, various protections, and everything else automatically. And it will have to or it won't pass sales standards, and things like websites.

The security have become obligatory, I think, is the answer. I actually think that will reduce costs massively, because if you will have, I believe in competition, I am a capitalist. There comes a point with competition. If you've got one person doing something, they’ve got a monopoly. If you've got two, they start competing with each other. They're out to do something better. They're out to do something faster, better, cheaper, and you get that with three.

If you've got 3000 people doing the same thing, it then becomes a race to the bottom of price. It also becomes, in order to accommodate that, corners get cut, undervalued, decreases. Capitalism just eats itself at a particular point. I think for these things to be compulsory, I don't mind if it's 3000. But I think we've got to protect the customers, we've got protect people, and we've got to protect ourselves. I think that will happen actually.

I am actually optimistic about the future. I think we'll use intel more. We'll use it in a better way. I think we'll use it better for future planning. What we should be doing with intel, in my view, is we should be using it to improve our products and to develop our products rather than sell what we've got now, instead of coming up with some magic sound bites, these 10.5 trillion […]. I use the same. It's so great.

Cybercrime is heading towards $10.5 trillion if cybercrime was a country with the fifth biggest economy in the world, blah-blah-blah. There are all sorts of really interesting facts. It's not wrong we're saying that. It's not wrong to be selling. But what we should also be dealing with is, well, how can we stop it? With 10.5 trillion, how can we actually add value to our products? I actually think we can't quite need a new deal.

The figure of something new. If you think about it like, OK, if we can reduce that 10.5 trillion down to 1.5 trillion—let’s reduce it by about 90%—if our cost of goods and services went up just by a little bit in order to counteract fraud, I think most people would be OK with that.

The fraudsters are taking five-and-a-half trillion. If we can cut them down to a trillion, we save the world three-and-a-half trillion. We've got about two-and-a-half trillion, but we might lose the crap, and then this data would actually go into the court, so the good guys can get better.

The other one that is interesting is if you look at countries that are impacted by fraud. I've been working with Central Bank of Nigeria and people like that. When you actually meet those people, though, it's easy to laugh about the Nigerian prince and everything else. There are people that have been devastated by the reputation their economy has.

The truth in the matter is it was really about five years ago, and it's improved. I'm sorry, but UK, US, EU, us, we've all got worse. We're nearly as bad as they were. They're trying to improve, but we really destroy their economy. In Nigeria, you cannot get a credit card. You imagine the US and UK without any credit cards and the impact that would have.

It wouldn't work.

No. You can't get credit. It's really hard to get mortgages and everything else. Most of it is because of their reputation and their corruption. What I do know is that they actually did something really good a few years ago. They rebuilt their laws so that they were simple.

The other thing that I like about it is it kind of brought it all together. It isn't just about cyber fraud, money laundering, and everything else. It's also about things like smoke away and anything that hits the economy. Actually, that's actually following the US model of the year of the US Secret Service. It's actually to defend the economy.

That's something we don't really have in the UK. I think we can learn from you. We can also look at the family, the Nigerians, I think copied the US Secret Service model we know. They're doing better out of it.

I sometimes wonder—and this is always one of those liberal versus conservative viewpoints—you talk to a lot of the low-level criminals. It's, “I'm just trying to feed my family. I'm just trying to make ends meet.” What can we do as wealthier countries to help a country like Nigeria bring people up out of poverty, where they can have stable jobs and not have to participate in crime? 

I think most people are inherently good and would rather have a legitimate job working nine to five, paying their bills, and supporting their family, as opposed to participating in a criminal organization.

If you look at parts of Africa with poaching, this is what they do with poaching. They've invested in businesses in areas where people results poaching. Look at the whole problems around Northern Ireland and the troubles. America invested loads of money about a Good Friday Agreement. OK, things aren't perfect. How bad they were before? Yeah, there is that.

The only thing I've got to say, Chris, though, is I still think that there are a lot of criminals who use things as an excuse and that you've got to be responsible for your actions. One thing that I certainly see is I see people who you will think might resort to crime or wouldn't. I see people who would rather let the children starve than commit crime.

Again, I'll never let my children starve. I don't want them to commit crime. You've got to be honest about that. I think that the old excuse, well, society may be a bad guy. I don't accept that because there are loads of people that have had the same things from society and not become bad guys. I do think, yeah, it's a lot bigger. We've got to give people a reason too. There's got to be work.

Certainly I found, again, just going from my policing days, there was a little town called Urmston. It was a bit of a joke that all the police wanted to work in Urmston because it was a crime-free zone. Nothing happened. Hardly any burglaries happened. There was hardly any crime.

The simple reason for it was you could have walked to Trafford Park, which was one of the biggest industrial states in the northwest of England. The people in Trafford Park liked employing people from Urmston because they knew they wouldn't be late for work. There are circumstances and opportunities, and we can do a lot better for people. As I say, it's keeping people's take, isn't it? And things like zero-hours contracts.

The gig economy, that works for some people, but the gig economy is very like self-employment. Did you say that only one in 10 people are suited to self-employment? Imposing self-employment on people that would rather just have a job, a paycheck, come to work, after hours for dinner. There's nothing wrong with that. That is the majority of people.

I think we can do better. I just hope we do better because we can't carry on like we are, which is this constant growth cycle for increased corruption, money laundering, and crime, which we don't want too.

To me, again, somebody from 1999, everything seemed all right. If you've watched The Matrix, one of the things that comes out of the matrix is the—I believe this comes with The Matrix. Everything went wrong in 1999. It just feels that way. 1999, I feel like a little Pete. We just seem to be it. There's so much wrong since.

You couldn't even get it that wrong by design. We just seem to have made so many mistakes, I think. You can't put the blame on any single country, because it is global, isn't it? Even countries like the Nordics who have got this fantastic reputation for honesty, integrity, and everything else, people look up to that. But then some people go around with a golden shoe, like 24 kids on an island. None of us have got it right.

No. We’ve all got to work together to make it better for everybody.

Yeah. School report must do better. All we can do is do our bit and just try our best.

As we wrap up here, if people want to find you online, where can they find you?

The easiest thing is to google Peter Taylor, the fraud guy. I should be on page one or two hopefully, and that's without SEO. I participate a lot in LinkedIn and Twitter. I got me a website. You'll find that by the end of it. The simplest thing is to google me.

The other one is I got people contacting me saying, “I know you're busy, but you never worry about a lot”. I'm never too busy. If I can help somebody or somebody wants to know something, always happy to chat.

Awesome. Peter, thank you so much for coming on the Easy Prey Podcast today.

My pleasure.

 
