It’s easy to think of fraud prevention as a technical problem with a software solution. But according to Brian Davis, effective fraud defense is just as much about people, trust, and communication as it is about tools and data. With over a decade of experience, Brian has built fraud teams from scratch, shaped company-wide strategy, and helped growing startups shift from reactive to proactive risk management.
Brian is the Head of Fraud at Dodgeball, where he’s helping bring their orchestration platform to market, and the founder of House of Fraud, an invite-only community where top fraud professionals collaborate and share intel. He’s seen firsthand how fraudsters adapt quickly, and how internal misalignment or a lack of education can leave companies vulnerable. His layered approach focuses on understanding how business systems are abused and using that knowledge to design smarter defenses.
In this episode, Brian shares his journey into the fraud space, explains why internal politics often matter more than policy, and offers a real-world breakdown of how fraud teams can gain traction and build trust. Whether you're running a digital subscription business, a fintech platform, or an e-commerce store, this conversation will help you think more clearly about why you’re a target and what you can do to make your organization harder to hit.
“A small incident is not that different from a big incident. It's just the level of stress and visibility that comes with it.” - Bryce Austin
Show Notes:
- [00:50] Brian is the head of fraud at Dodgeball Fraud Orchestration Platform.
- [01:15] We learn how Brian noticed something was off about 10 years ago when he was working for an accounting client.
- [02:01] He loved accounting, but as he got his master's degree, he started focusing on entrepreneurship and fraud.
- [02:45] He worked in accounting for a year and then became the first fraud hire of an e-commerce company.
- [03:30] Then he built out teams to help businesses combat fraud.
- [04:07] He's now on the vendor side of fraud prevention, and he does consulting and runs The Fraud Space community.
- [05:18] Brian likes the dynamic aspect of always having to solve a problem. Micro patterns pop up that can be connected to bigger patterns.
- [06:47] Most people are willing to help the fraud department, because it gets them what they want.
- [09:20] Issues that arise when doing a really good job in the fraud department and justifying the expense.
- [11:05] When coming into a new company, the areas where Brian starts looking for fraud.
- [12:04] The first step is to understand how the company makes decisions. He then begins with a surface map. How does a user interact with your site for an outcome?
- [16:29] Where the larger threats are coming from.
- [18:49] Understanding the fraudster's criminal journey and where they choose to attack.
- [25:25] Founders who have previously been hurt by fraud asked more questions.
- [28:20] Behaviors that might actually attract fraud.
- [30:58] How referral programs can attract fraud.
- [40:29] There are many similarities between the different types of fraud and the tools used across multiple industries.
- [41:23] Has Brian ever been the victim of a scam?
- [42:28] A fraud story about purchasing sporting tickets through a marketplace.
- [49:12] The pitfalls of passwords and password hygiene.
Links and Resources:
- Dodgeball
- Brian Davis – LinkedIn
- This Week in The House of Fraud Podcast
- The House of Fraud
Transcript:
Brian, thank you so much for coming on the podcast today.
Thanks for having me. I’ve been looking forward to this.
Awesome. Can you give myself and the audience a little bit of background about who you are and what you do?
I am Brian Davis. I’m the Head of Fraud today at Dodgeball Fraud Orchestration platform. My career in fraud started a little over a decade ago with an invoice that just seemed weird. I was an intern.
At this point, it was all paper, so we were in the digitalization of I had to take the invoices and type them into the computer. I was in accounting and finance. That’s where I noticed one contractor had an overlap every single week.
I pulled them back and then I looked at all of them. I raised my hand, our controller came over, just took it off my plate, and never saw it again. Ended up being a pretty large double-dipping scheme. That was what piqued my interest.
I finished my undergrad in accounting, got really deep into the course before I realized I really like accounting. Sorry to the accountants out there. I was just good at it. I got this paper that said I’m really, really, really good at budgeting.
In my master’s—I did a five-year program—that’s where, even though I got a master’s in accounting, I placed out all my accounting classes. I only took entrepreneurship and fraud courses. Despite me having an MSA, I didn’t take any accounting courses in my master’s degree. That’s where it piqued my interest.
It was really hard for me out of school to get a job in fraud because, at that point, that’s not an entry-level job. I wanted to get into e-commerce. I felt like, “Hey, if you’re in e-com, you’re a startup.” I didn’t really know what that meant, and I wanted to work in fraud.
Again, I didn’t really know what that meant. Maybe the real world is a little bit different than college space. I gave accounting—because that was the only job I could get—one year. I said, “I’ll give it a year and exactly that. Not a day more. Not a day less.” I was out.
I found an e-commerce company to take a risk on me to be their first fraud hire. At that point, my main pillar has been payment risk, the risk of moving money depending on the platform.
I’ve done the same thing over and over again. Instead of doing the traditional step ladder, I joined growing companies who have this fraud by committee. A whole bunch of people that ended up with a fraud responsibility and said, “I want nothing to do with this. Get this off my plate. I’m marketing, I’m finance, I’m operations, I’m product.” “I’m in. Let me do my job.” I’m the sucker that comes in, says, “I’ll do it for you guys.”
What that has really meant is I built a team, the tools, the rules, the structure, really understand who we want to become, what are the types of broad risks and vulnerabilities we have as a company, and ultimately build out that foundation. I’m the zero-to-one person with building out fraud teams. Then from there, I had a couple of different stops.
My weird little quirk is I like to see how different business models are abused by fraud. Weird, I know, but it’s brought me across a lot of different unique types of fraud that you might know, can learn and read about, but there’s this different level experience when you’re actually responsible for putting in protections and uncovering what it is, and if you don’t, you’ll get fired.
So I’ve done digital subscriptions, physical goods, marketplace, FinTech, and now on the vendor side. I’ve done a little bit of consulting, and I run a community for the fraud space. That’s my, I won’t say TL;DR, but my medium version.
I like it, though. It’s really interesting that the ways different people have gotten into the counter-fraud, counter-scam space. A lot of people have come up through the e-commerce side.
I spent a number of years working for companies that had affiliate programs. Everyone’s always trying to exploit an affiliate program. “How can I make more money without sending real orders?” and that sort of thing. It was always fun to try to figure out, I don’t know if you’re the same way, but you just start to see patterns like, “Hmm, this just doesn’t feel right.”
I think that sticks with a lot of the mentality of what is it at the core of it? It’s a business problem. A lot of people, whether altruistic or non-altruistic, depending on where you fall on the spectrum, it is just the desire to solve a problem.
I imagine you hear this a lot coming through, like, “I just happened to fall into it. It’s a problem, and it’s always changing. I like the dynamic aspect of it.” But what that really means is there are all these micro-problems and these patterns that pop up, and you ultimately have the chance and opportunity to say, “What’s today’s problem that I can connect to a bigger pattern to help diagnose and make it a little bit easier and safer?” I think they go hand in hand with a lot of the core simplistic mentalities of the people who end up in this space.
Let’s not talk about the problem just yet. Let’s talk a little bit about the process of when you’re coming into a company and, “Hey, we want to start a fraud department.” I think, like you said, there are a lot of people who are like, “Get this off my plate. I don’t want to deal with it.” But then are they willing participants in helping to establish the department?
To a certain extent, yeah. My first job, I came in to take over chargebacks. I didn’t know if chargebacks were a good thing, bad thing. Do we want more? Do we want less?
Nonetheless, it just happened to work out that we were blocking all the legitimate customers and letting through all the fraudulent customers, that felt like. So we are super rule-based at that point. It just was, “This is bad, this is good. OK, how do I switch these based on our rules?” So it came into a little bit of the pattern recognition.
When it comes to your question, specifically, most people are very willing to help you because in that situation, it helps them get what they want. If I can teach you to do this, you won’t ask me questions. I’ll never have to think about this again.
Usually in that early honeymoon phase, people are overly helpful to get it and release it. But then once you set yourself into what does it really look like when you’re leading a team, not necessarily building a team, when you’re into the projects and the initiatives, fighting for roadmap, now when you’re entering the internal politics, those people that passed things off, maybe all our incentives don’t really align.
And now here comes Brian being the guy that says no. Or, “Have we thought about this?” Or, “Why didn’t I find out about this? Why am I just finding out about this now?” Because our investigation queue, our team can’t handle this volume for the next week or two. We’re going to be in a backlog now. Now that’s a hard conversation for me.
I have found, for myself personally, people who have worked with fraud teams before, understanding the impact of fraud, are a little bit more willing to work with you if you’re able to find the alignment and not just always say, “We have a huge ATO problem. We have a takeover problem. Everyone should drop everything and care.”
When you come in with this business mindset of how does this fit into the greater scheme, how does this align with the goals and everything of the sort, how does Chris in marketing’s goals align to this? Is there anything I can show that this helps Chris in marketing? Yes or no? It won’t always work, but that’s how I start to think about it.
It’s a lot easier in that situation than if nothing aligns and someone’s never worked with fraud before, they don’t really get it. They don’t really care if they’ve never been impacted by fraud. There’s not that emotional piece to it, a story to tie to it. It really falls on that education and knowledge spectrum of how aware they are of the fraud and impact of fraud. Because if you’re really good at your job, you’re punished by the invisibility of what it could have been. It just sounds made up.
People that I know that have worked in compliance and fraud, the two challenges that they run across is they’re often viewed as the department of no. You’re preventing sales from happening, or nothing bad is happening. “Please justify your existence because nothing bad has happened.” And you’re like, “Well, but I stopped the bad stuff.”
Yup. I might have been a little spunky in one situation. I had an executive come to me and said, “We’re turning off our fraud tool. We’re just going to not re-sign this contract.” I just kind of like, “Great, but I don’t want to be the one to sign off on that.”
Of course, they wrote an email to CYA and said, “Hey, based on our conversation, I highly recommend we don’t do this X, Y, Z. I wouldn’t want to be the one to sign off on this,” and sent it to appropriate stakeholders. Understandably, private conversation came back saying, “We’ve reconsidered. We’re not going to cut this budget. We understand.”
The implementation process of a fraud team. OK, we’ve now decided that our organization needs to take fraud more seriously. We’re seeing either account takeovers or we’re paying vendors where we shouldn’t be paying vendors. We see that there is a financial cost to not addressing. “Hey, if it’s $10 a month and you’re making $10 million, what do you care?”
But if it now starts to become paychecks worth of money is disappearing or slipping through your fingers, you’ve got buy-in, marketing says, “Yeah, we’d love to see fewer fake accounts created because that makes our numbers look better.” The accounting department says, “Hey, we don’t want to be paying invoices that we shouldn’t be paying.” The CFO says, “Hey, more money is coming in, less money is going out. We’re all happy.” OK, implementation. You’re coming into a new organization. What are the buckets that you look at as potential areas to start looking for fraud?
The first thing that I’m really doing is I’ll use this to collab in multiple ways. A lot of people come in with a 30-, 60-, 90-day. I’ll come in with a 7-, 14-, 21-day plan of what I really need to get going. In my situation specifically—keep in mind, I’m not necessarily joining a giant conglomerate with multiple teams and silos, so my experience is a little bit different—works well with smaller, growing companies, the way I think about.
I’m taking over a trial by committee. I know a lot of different people are involved with it. These people, more often than not, one will understand even at the base level what they did, what the problems are, and how it impacts them specifically. I at least have my little hooks there to really build an allyship versus, like, just delegating to me and then we won’t talk again. For me, I use that as relationship builders.
My first bit is to understand, again before fraud risk, how does the company make decisions? Who’s involved with these decisions? Who’s been involved with fraud? And is there any alignment there? This will help me get a better understanding of how the business operates internally, so if I do need support or if we do need to have hard conversations, who really are the people.
It’s not necessarily always titles. It could be levels. It could be, “Hey, this person’s still good friends with this person, even though you wouldn’t think that they’re involved. They’re always bouncing ideas off and around as they get coffee, as they go out to lunch.” So understanding the dynamics.
I use that phase of onboarding. I’m learning the snapshot of what we think we care about today. That’s my baseline. All I’m trying to figure out is, “If you guys didn’t hire me, what does it look like today? What’s the baseline?”
While I’m doing that now—this is where I’ll start to answer your questions directly—I’ll do a surface map. I’ll take the insert, and this works for any industry, because what I’m walking through is when a user of your platform or business binds you, what do they do with your site for the outcome?
Ultimately, when you build a business, you’re building systems to take a customer on, make them happy, have them pay you, and you give them something in return.
It could be a subscription, it could be a product, it could be a bank account where you’re lending, it could be a bank account where they can move money really fast. That’s just at the high level.
That allows me to then say, “Where are my moments of risk through our entire user journey?” So then I can start to build the layer down from there. At each moment of risk, what are the fraud risks that are available and potentially could happen?
Now this is just simple, drawn out from my brain sometimes. I’ll just take a regular piece of paper and just draw an arrow all the way through, I’ll just put an X here, X here, and then I’ll say, “All right, add account openings.” We could have fake accounts, stolen devices, identity theft, synthetic identity. Then I could just go through the list. I’m not necessarily prioritizing and saying, “What is the costing of today?” I’m just getting a graph of where are we potentially vulnerable?
The next level from that, I’ll be looking at what signals do we have? How could I know that we might have synthetic identities today? We might have fake accounts.
From there, what I’m doing there is I’m starting to understand the system we’ve designed as a business to say, “It’s easier to be vulnerable here,” or, “It’s not as hard to be vulnerable here.”
A digital subscription who only takes an email address and doesn’t verify the email, well, is there a fake email? Is there real email? I just have what is written. Then I can choose to either ask for more information—most times on the situations that’s not going to really pass—or I can run it on the backend of, “Have we seen this anywhere else?”
I’ll go all the way through withdrawals, deposits, payments, messaging, listing, whatever the platform I’m working on. Then at the end of that, what I have is just one piece of paper to say, “Here’s all my potential vulnerabilities of the business here based on what the snapshot is,” and I’ll just circle where we think we care today. For me, a lot of times it’s maybe money movement. It’s going to be more around the transaction bit I’ll circle.
I had one company that was very heavy on identity theft and more. If we are really, really good at who’s on our platform, the risk of fraudulent money movement downstream is going to take longer for that to be a bigger risk.
Then from there, I’ll start to prioritize what we should care about. Then this helps me build out my own roadmap of, based on the system design, our vulnerabilities, and what we’re really seeing for user patterns, where do I think we are protected and where I think we’re not protected.
Do you see larger threats from internal or external sources? When you’re talking account creations, that could be an external actor. When it’s accounts payable, that could be an internal person submitting fake invoices or an employee submitting fake timecards and things like that.
In your experience of what you’ve worked with, is it more external, more internal? Internal is a larger dollar amount, externals are smaller. What’s the lay of the land there?
Again, this is going to go to your mapping of where we have the different touch points. My personal, mainly external, almost entirely external versus internal. Again, there’s some system design of, if you work for smaller companies, you know everyone. You know their roles. You know as you hire people.
Working in more technology startups, you don’t really have a person in AP who’s been working there for 20 years. There’s not really that legacy risk aspect of it. But again, this goes into mapping your risk surface area to really understand, is that a vulnerability today that we have? Maybe. How do I know? And then I’ll work through that. But me personally, being the external.
Dollar amount, it’s going to depend on my business model. I worked at a digital subscription. Our transactions were $9 a month, mainly on credit card testing, where we saw a unique pattern was fake accounts, free trials, pumping up payouts for people in certain regions where they would make 10x–100x. We would be looking for those types of rings gaining our systems. When I worked at a business bank account, those are much larger checks than even what the payouts were from the digital subscription.
Again, this starts with understanding your baseline, where you’re really vulnerable, and what that type of fraud really would look like. Instant payouts on the financial institution that I worked for, much higher dollar impact than what I’m dealing with fraudulent author pay.
From the fraudster’s point of view, do you have much knowledge about how they’re choosing what organizations to go after?
This goes into understanding the whole ecosystem, the fraud or criminal journey, so really understanding what value I have on my platform. Do I have a product that can be resold? Do I have stored payment information? Do I have stored funds? Do I have a specific data point of PII that could be useful to complete a profile? Am I just used for card testing so then the card can be used elsewhere? It’s really understanding what value do I have on my platform today that someone would want to target.
Physical product falls into maybe a little bit more traditional, but if you’re guiding a specific data point or a unique one today that I’ve been working around is with all these AI tools popping up, there’s more the hardware and software behind spinning up those nodes. If you get an account takeover or fake accounts built on those, those are scaled up.
The same thing goes for the voice-calling tools now where a fake account on one of those, they could call any number. If they have a targeted list of specific numbers, how do you protect those accounts from being taken over, where that asset is the phone numbers that can be dialed, that are maybe higher and more exclusive and harder to get to, but they give us service and tools to use that? It’s understanding where I fall in the criminal’s journey, and what can I do to best be the most annoying at that point?
You’re not going to be perfect. There’s always going to be a balance, but if I am more annoying than a competitor, the fraudsters/criminals are probably going to go to the competitor.
It’s not the perfect world, but that’s just the reality and how I think about protecting my platform, my customers, my users, depending on what side of the coin that I’ve sat on. That’s really where I’m starting to think about it. What is most valuable that I own? Why am I a target? And then are we vulnerable? How are we vulnerable in protecting that asset, whatever it may be from the people who want to get it?
It makes me think of—I’m going to be intentionally vague here because there are things you want to be vague about—doing some infrastructure change on my business.
I was concerned that if I were to transition everything over instantaneously to their platform, it might look pretty, pretty squarely and like, “Oh, that’s, that’s really abnormal. We don’t normally see this type of behavior from our customer base.”
In working with my consultant, it was like, how do we slowly spin this up, spec everything and document everything within the platform, so if somebody looks at it, they’re going to say, “Oh, now I understand why this is happening,” as opposed to, “Oh, yeah, that’s fraud. Let’s just shut it off and not even look.”
It goes into the question that you said—why would someone do this? Usually, that’s the simplest question of the form of both a good user, a fraudulent user, and a user you’re just unsure about. Why would they do this?
That’s really the question at the core of all this. You’re trying to answer and have confidence in what data or signals do I need to say, “Chris has thought about this change. He is doing it and rolling it out. This is behavior that we’d expect.”
Or on the other end of instead of you saying this is squarely, how can I help the business feel comfortable that this is the right decision for me and my business, even though if it looks as an anomaly that they would block or whatever it may be, it’s not, and I need this for my business?
Those are the scenarios of—the question still is why would Chris be doing it? Depending on the business platform, a new user, we don’t know who Chris is. Does Chris have the ability to do this?
There are all these questions that simply go down that list that I’m simplifying, but those really are at the core of what we’re trying to answer when we get into these complex tools, data, stacks, integrations, automation, whatever it may be. That’s the question at the core.
I can see a situation where you might have a platform. It’s an electronic subscription. Like you said before, a subscription that costs $9.99 a month. Your cost to produce that $9.99 subscription is 2¢. Whether you have 10 users or 10,000 users, your costs are still the same.
I can see a business like that going, “Well, we don’t care about credit cards, chargebacks. That’s just the cost of doing business.” Thinking, yes, our profit is lower but it’s not really “costing” us money. Do you find businesses wanting to think through the process of, “Hmm, if there’s a whole lot to chargebacks, maybe someone’s trying to abuse our platform to test credit card numbers.”
Do you find companies wanting to do this? For one, we just don’t like chargebacks because the credit card companies don’t like it; we might get kicked off the credit card processor.
Do you find companies wanting to say, “I want to help the community at large. I realize that there are a lot of chargebacks happening on my platform. Either we’re marketing something wrong, we’re confusing our customers, or fraudsters are using our platform for something that we just don’t understand.” Do you find companies wanting that third option?
It’s changed a little bit the last couple of years since a lot of companies are moving away from growth by any means to economics of scale. Things like that are being considered a little bit more today. I won’t say everyone is perfect.
Again, this will also go back to what I said earlier. When I work with second-time founders who have been hurt by fraud, they’ll ask more questions. They’ll build sooner because they know the implications of building too late and how hard it is to build too late. This just goes into problem aware versus problem unaware.
Unaware, they just don’t know what they don’t know. A couple of here, a couple of there. It is at that point just the cost of doing business because the other alternative is the long-term contract or too costly or I don’t have the mental bandwidth to learn what a chargeback reason code is and what do I do when I get this chargeback reason code or why this chargeback even comes through?
That’s not even getting down to first-party fraud versus true fraud. Different strategies and tactics in itself. That’s really where that unaware versus aware really starts to come into play.
Then egos that play a whole ‘nother aspect that I don’t think a lot of people want to talk about. Baby Chris is like, “I came to you.” And I’ll say, “Here’s an issue.” And you’re like, “That’s not an issue. Don’t call my baby ugly.”
Whereas other people who are a little bit more open to feedback, learning, and understanding problems, and might do a little bit more discovery, might not say yes but will ask better questions earlier to really get a better grasp of, “Is this a problem I should care about? Yes or no?” Those end up being a little bit better conversation.
Again, what I’m still painting is there’s a spectrum of people understanding. I’m finding that more people are starting, I won’t say all the way up here, but shifting a little bit more towards the middle versus I’ll worry about this tomorrow. We’re going to just dump all the money in ads maybe, and we’re just going to keep on growing and growing. We’re going to deal with it.
Where now today, people are considering, “All right, if we put this money in ads and they’re coming through this channel and this channel is higher risk to payment fraud, fake accounts, well, we don’t want to be bloated in fake accounts and chargebacks. Let’s reconsider the risk indication.”
I think more people are open and aware of that. I also think AI has also added this other level to it where people just are not necessarily trusting, is this real or not?
This is a gut assumption, so I’ll just say this as a personal bias. I have a hypothesis that the layer of people not necessarily trusting AI are also layering into other aspects of, “Is this the right bet?” They’re putting in more of these questions of, “Is this the right path for us? What will this lead to? Can I trust it?” I think there is some subconscious level of that as well.
Are there things that businesses do that attract fraud behaviors or ways that they market that might attract fraudsters to their platforms?
Yeah. Again, this goes into what is your asset? A bank account? New FinTech comes on. If you’re a bank account, you’re not necessarily giving out money, but you’re giving them a tool to move money very fast.
If a new FinTech pops up, a new business bank account comes up, personal banking processors are going to find that. They’re going to find it on Product Hunt. They’re going to find it on Tech News. They’re just searching those basic channels for promotion, funding, announcements.
Then they’re going to say, “All right. Let’s see how many accounts I can create with you. I’ve got tons of fake IDs. I’ve got tons of synthetic profiles created. What information do you ask? What regions do you take from?”
They’re going to stress test a lot of that on day zero, especially for a business bank account because it doesn’t matter your brand. The tool is the thing, the vehicle that gives you money to send money somewhere else. If you’re going to be the easy victim in the criminal’s journey to move funds around, to make it harder to find where these funds come from and then close out the account, then it’s really hard to get that money back. It just gets more complicated. You start streaming that through different vehicles there.
If you’re on the digital subscription type of site, if no one wants your account, then you’re probably not going to have a problem there for years from a criminal gaming way.
If you’re lending, well, if you have fake accounts right away, you’re literally giving them money. Then if they don’t pay back, they default. Then, now you’re out of that money. How do you handle that? So it really depends on the company you’re building, the industry you’re in, and the asset that you’re protecting, why you are valuable to a criminal, and understanding what you can really do with that.
When you think about it from a banking perspective, it’s like we are building a bank for solopreneurs, the underserved, the community or identity that I’m tied to very tightly. Criminals don’t care about that. They’ll find the fake identity, they’ll create the information to be able to just get on the platform and say, “Woo! New users. We’re looking really good.” Then, before you know it, you have a bunch of identity theft flowing through your platform. They’re just testing cards, moving money, whatever it may be.
Do things like referral programs spike fraud also?
Absolutely, and now that there are more comprehensive tools from where I’m stepping and the people that I talk with on a recurring basis, a lot of people have the transaction monitoring and the payment fraud down. They’re now starting to look at the next level of policy abuse like promo abuse, promo stacking, fake accounts to get multiple accounts, the repeat offenders, return and refund fraud.
These other avenues of abuse to get the product or use the product for free, or get it at a discounted price to either resell it or just because they wanted a discounted price because they feel like, “Well, someone else is getting this discount, why can’t I get this discount?”
Again, I’ll be Brian Davis one, Brian Davis two, Brian Davis three. Then if it’s, “Hey, if you’re letting this through, that’s a policy letting through. If you’re going to have a 30-day return policy no questions asked, then if I return around in 20 days, don’t ask me a question. That’s your policy. Thirty days, no questions asked.”
Again, this goes into system design. Maybe the system that you designed for the intention on the positive side works wonderfully, but what other behaviors and intentions does it really open to based on the system you designed? Policies are part of the design. Promos are part of the design. They’re just a step within the whole entire process as a whole.
And assume some of it is you talked about the 30-day refund, no questions. I know situations with companies where someone will buy the product, use it for 29 days, return it, buy the product again, use it for 29 days, return it, buy it again, use it.
There’s probably also the internal policy that needs to be, “Well, it’s not you could return it for no reasons, no questions asked. Maybe the first time, but on the fifth time, we’re going to say, ‘We don’t want you as a customer anymore.’”
Yup. Well, you’ve seen in the last year, big companies like Target, REI, have changed their policies. L.L. Bean within the past couple of years changed their lifetime return policy. You’re seeing these big organizations, corporations, change their policies because of that.
The other piece to it is that you’re seeing sneaker companies change their policies because from a policy perspective, if I were to buy 100 shoes from a specific company, I’m going to try to resell them. If I can’t sell them at a higher value, I’ll just return them. Then I get my money back and it’s break even.
From starting a business, if I think I’m a part of the sneaker community of reselling sneakers, well it’s almost a zero cost business to start. I’ll buy a ton of shoes, as many shoes as I can, and if I can’t sell them, I’ll return them. Whatever I can sell, I make a profit. At that point, why not?
You’re seeing different ways where that policy wasn’t intended for people trying to resell the sneakers, but it gave the people reselling the sneakers—they were never going to wear them. The shoes are probably still in the box, never opened, maybe a picture. They’re probably as clean as possible to be returned, but the intention of why they’re being returned or why they were bought in the first place now changes it.
Then, all right, they get it back. The market value went down. Now the big company can’t sell them because instead of $200, they’re now worth $150 in the markets. Now they have to discount it. Now, that also then plays into restocking fees, time of opportunity costs.
At least bigger companies are starting to think like that of, what is our opportunity, margin costs, and the downstream impacts of policies, like different types of promotions? How are they used and abused, communicated? Are they shared?
You’ll see things on X and Twitter. It’s not like you have to go on the dark web. A lot of this, there are Facebook groups around, affiliate codes and promotional. Some of them, again, mean good intentions.
I signed up for this company. If I share this code, I get $5 from it. If I created a group and I create content around it, and I get a bunch of people here and I just keep doing this and I’d say, “Hey. Oh, by the way, open up two accounts with them.” They let you open up two accounts. Now I make double the money.
Now you’re seeing behaviors like that. I think more companies are starting to think about that. As the fraud career has developed even more so, there are more people in the space who, I’ve seen this before, let’s look for this versus everything is new.
I think as the industry from career-wise continues to develop and be seen as more structured across more companies historically and earlier versus, “Hey, what is this loss prevention group? Are they on site? Are they behind the scenes? What are fraud investigators? Do they just investigate fake documents and look at Facebook profiles?”
As the fraud industry, from a professional perspective, on the good guys’ side, continues to develop, a lot of this you’ll come in with a clear sense of what risk should I care about? People are starting to think like that too, because it eats into their margins. And now at the unit of economics, this plays into the economics of a business.
So from the fraud prevention side, has it really grown from being, “I work in fraud prevention, I’m protective of my methodologies, and I don’t want to share them with the wider community because I want to be the best that I can be”?
I know some interests are that way. It’s very, “I’m going to keep all my fraud detection secrets internal because I don’t want anything to get out, whether it’s my competitors to know or the scammers to know.” Is there starting to become a wider community where maybe threat intelligence is not the right phrase, but technique intelligence is more frequently shared amongst practitioners?
Yes, but I think there’s always been an aptitude. It’s just more of, “I will only share it with the people I text, or if I meet those seven people at a conference. We’ll sit down and we’ll talk, but we’ll make sure no one’s around.” It definitely has always been there, but it’s more of like the, “I don’t trust anyone so I’m not going to share anything.” It’s the antitrust trust group.
There are so many different associations from fin crime to money laundering to fraud to vertical focus from FinTech to e-commerce payments. There are all these different groups and I run the House of Fraud where there is a hard time for some people getting to be the one to want to share. There’s a huge desire to want to learn and consume, which is part of the flywheel, not the hard part of the flywheel.
From my perspective, we’re seeing the flywheel start to get cranked. It’s not really cruising, but being able to find these different avenues and venues, whether it’s in-person or virtual, or being able to create this environment where it’s a private group to the people there, you bring together these people who are like, “I get this. I’ve been through this.”
A lot of people want to help, just a little bit of this cold-start problem, a lot of people don’t want to be the first one to ask for help or take a while to be the one to ask for help. Once that part of the flywheel starts, then every loop around it catches more people. Then it becomes a little bit more organic for people to start sharing, “Hey, I’m seeing this. Is anyone seeing this?”
Where that might happen today, maybe in text or in local meetups of people working in specific areas together, it’s getting better. But we have a long way to go. Fraudsters work better together than we do still today. But I think that’s a huge disadvantage for our side of the community, of actually being able to work together.
I’ll just say from my own personal experience, what I’ve seen from working across industry, a lot of the core problems are very similar core problems. I’ve always had an identity issue. I’ve always had a payment issue. I’ve always had an access issue. That means a whole lot of different things.
But identity on, again, digital subscription versus identity on a financial institution, the type of information I have is very different. Still an identity problem. Login access is going to come from typically logins or account openings or account sharing. Then there’s, “OK, how does that happen?” And then the money movement. Could be payments, credit card transactions. Again, really understanding what you’re having.
Point to all of that being there’s still a stigma of, “I work in financial institutions, marketplace. You wouldn’t get it. I work in a marketplace, e-comm, you wouldn’t get it.” But there are so many similarities, and a lot of the tools people use work across the industry. The scope that they see is very wide, and they collect a lot of signals that can be used across industry.
Again, we’re doing ourselves a disservice to carry that mentality. Not everyone carries that. Honestly, a lot of people don’t. But as a core first introduction, first impression, there are a lot of people that do carry that.
Fraudsters work better together than we do. That piece is what drives me the most in being able to answer the question, “How can I help the fraud community, our side, collaborate better?” That’s my North Star question.
So tying in the being willing to share and the stigma of that, I do ask my guests that are in the anti-fraud/anti-scam space/cybersecurity space if they’ve ever been a victim of a scam or fraud or cybersecurity incident.
As practitioners of this space, when we share that something happened to us, it really destigmatizes the audience. If you and I can’t get it right 100% of the time, the audience shouldn’t feel ashamed or embarrassed if they can’t get it right 100% of the time. Sharing of those stories results in a better understanding, and, “Oh, OK. I need to watch out for that.” Or, “OK, I need to talk to this person.” Do you have a story or so or two that you can share about yourself?
Yeah. Years back, I always say—again, it’s a classic one—we knew it, but it happens. We were getting tickets to a sporting event. We bought it through the marketplace. Seller had some ratings. Done a ton of ratings; they weren’t bad. Again, I’m walking through it like, “Here are some social stuff, social proof indicators, that we were looking at.”
They ended up taking it off the platform, sending gift cards. We’re like, “This is weird. We shouldn’t do this.” But you know what? We’re just trying to go hang out with our friends and go to the game. Everything else is sold out or way overpriced. They also weren’t cheap. They weren’t underpriced. They were fair. Again, it was, “Well, they’re not too good to be true.” They’re like, “Send money through this bit and then just cap it off through a gift card.” Weird, but whatever. Then of course, sent it, didn’t get it.
What my wife and I did, taking turns, is they had a customer service portal and someone actually responding to that. We kept creating fake accounts on that end and kept responding and asking them.
It became a personal vendetta until they took down that chat room of customer support. They spun up a new one, just duplicated. But that became our, “All right, you got us, but we’re going to be annoying to you because you got us.”
Then we went back and we tried to find any similar postings, report them all, to try to get them taken down, and try to build that feedback loop. I don’t know if the platform at the time took customer complaints like that or the feedback loop. Some do, some don’t. But from my perspective, hey, if I’m on the other side and this is reported, they look good.
Maybe they did sell some legit things and then never intend again. Intention. Intended to actually long-term sell good things, but wanted to build up a profile of a couple of sales, good reviews. Maybe they sold a water bottle, a hat, whatever it may be. Something easy, lightweight, then they used it and said, “Once I’m good, I’m verified. I’m going through the steps as a true seller.” That seller went bad.
Now it’s like, “All right. How can we do a feedback loop to the company to help them understand, not good. These look similar types of patterns into what got us.” We did pause and hesitate, a little bit of the social pressure of being left out.
The price point for us at that point was, “If this doesn’t work out, OK. We’re not submitting our card details to them directly.” There are a couple of protecting PII in this process, but we were out of money at the end of it. There were the internal justifications to make it work.
I’ll say there’s a peer-to-peer payment platform where someone tries to log in from the APAC region almost every single day up to the point where I have deleted every card and bank account to it. I cannot use this major player in P2P because I do fear the risk if I have too many to think about like these wallet platforms.
You have one login that has all these different cards—debit cards, credit cards—bank accounts tied to it, depending on how many you have tied to it, I just won’t use it. I will put a card on, then do that, and then take the card off. Or I now have a card that gives me the ability to send money to that account if someone only takes that platform, so I can send a card from that moment to that, then the funds are off.
That’s not the intended user experience for that platform, and they’re a pretty major player, but my trust in it is minimal, even though there are no signs that anybody’s gotten into my account. The fact that they try so often, knowing the other side, in due time they will get through. That’s my thought. For me to control the risk is if they can get in, they can see I use the account, but I got no cards on it, and you can’t pull anything in from that side. I can only push.
I think about that one of, how do I limit my risk in some areas that get tested a lot. There are other tools in that and apps that I always see these signals, so I have to look at that.
Everyone says change your password. I hate password hygiene. It is really, really hard. It’s gotten harder as a parent to just remember anything, so bring in password hygiene on top of this.
Everyone says change your passwords, keep them updated. Use something like, “I don’t remember this.” Use the autogenerated one and it’s like, “I’ll never remember that.” Then you still have the vault. There are multiple levels obviously to protect it. That’s the piece I do try to unwillingly build into it.
Other than that, firsthand that I don’t love passwords. I don’t think passwords are the right route long-term. But today where we stand, when I see those, I say, “All right, what’s the email-password combo? What do I think has this email password combo? Which one of those platforms should I be changing? Kid’s crying. I’ll change this tomorrow. Tomorrow never happens. OK, someone tried to get into my account. It’s just a rinse and repeat within all that.”
The purpose of that little rant and rave is just understanding your digital profiles across the land, what is connected to it, and what you can do again to be the most annoying.
There’s so much data out there. There are lots of overused data. I don’t want to change certain pieces of my information and identifiers that I use, but in some cases I have to. I don’t want to get to the extreme where I have to change my identity from an entire bit.
I know someone who uses a different email address for every account they create.
Power to them. I wish I did that.
Theoretically that’s awesome, but the mental overhead of that is just exhausting.
But then it’s like, where’s that stored? How do you store it? And if they found the storage, again, there are complexities layered to that. If you find the true source to that, the original storage, again that’s a lot of damage downstream can be done.
Again, if it’s really, really annoying, you’re more annoying to finally figure out that file, people are going to move on before they get that. That could be a big piece to it.
It’s the, “I don’t have to be faster than the bear. I only have to be faster than you” mentality.
Exactly.
And I think that applies, too, for a business trying to protect themselves from fraud. Start with a low-hanging fruit. Get rid of the easy stuff first or the most impactful to your business, and then work onto the more difficult things.
The fraudsters poke and prod everybody, but if you’re not easy, they’ll spend their time and effort where they’re getting a return on their investment, so to speak.
I like to try people. It’s like a badge of honor. Someone wants to commit fraud on your platform, your business, you now have value. Congratulations.
You’ve arrived. Woo-hoo. As we wrap up here, if anyone wants to get ahold of you, where can they find you?
LinkedIn’s always the best place. I’m most active there. I’m not the biggest on social media, but I will move the most on LinkedIn. I treat it also like a little bit of a text, so it’s easier, honestly, to get me there. Then email Brian Davis. I’m the Head of Fraud at Dodgeball there. That’s how you can find me. You search Brian Davis. It might be hard to find my name, but Brian Davis, Head of Fraud at Dodgeball.
I write a newsletter, Diary of a Fraud Leader, like my raw notes of the good, the bad, and everything in between of actually building and developing a career of moving from tactical to strategic to actually get people to care about what you do in the fraud space.
Awesome. Thank you so much for coming on the podcast today, Brian.
Of course, Chris. I appreciate you having me.
That got me. I been just trying to keep up but it is what it is, but yea everything makes sense but the fact. . the reason why some of us fail a lot. But getting something like this info, the perspective, and coming like out of nowhere on the right time from a non known entity makes it even better cus sometimes we just can't anymore, but that's why there are words that conforms a search just like this one. Thank you