Millions have been impacted by data breaches. Many of us know how fraudsters work and how they utilize this information. But our parents and children become victims because of their fear or urgency inflicted by the scammers. Today’s guest is Mike Cook. Mike is an entrepreneur with over 30 years of experience working and serving in the financial services, wireless, cable/satellite, and auto financial industries. He has built several data breach applications in compliance, manual verification, and account management solutions.“As a consumer, you have to be hesitant to click on anything and say anything. Don’t feel bad hanging up the phone or giving any information to anyone.” - Mike Cook Click To Tweet
- [0:56] – Mike shares his background and what he currently does.
- [2:10] – When Mike talked to a fraudster who stole cars, he immediately became interested in fraud and scams.
- [3:47] – Mike’s daughter was a victim of a scam and lost a lot of money, but the biggest impact was how fearful she was.
- [6:20] – In years past, fraud was easier to stop, but now everyone’s data is available somewhere online.
- [8:04] – Once data is breached, that information can be copied and sold over and over again.
- [9:30] – What is a citizen fraudster?
- [11:01] – Lenders and consumers are both heavily impacted by data breaches.
- [12:31] – As a consumer, you need to listen to every word. If it sounds too good to be true or too scary and urgent, it’s a scam.
- [14:08] – It is so easy to click on things without thinking about it.
- [15:19] – Don’t ever feel bad about choosing not to give someone information.
- [16:57] – When the economy goes down, fraud goes up.
- [18:55] – Fraud has never been harder to stop, has never been smarter, never been swifter to change patterns. It is on fire right now.
- [20:04] – Covid resulted in everyone moving to remote working, learning, and everything being online. It expedited the growth in fraud.
- [21:22] – Fraud is easier to commit online in a faceless environment.
- [23:46] – Mike is optimistic about upcoming policy changes.
- [25:18] – What is synthetic fraud and what are the impacts for consumers?
- [26:44] – There are ways to create a false identity to get through defenses and commit fraud.
- [28:21] – Synthetic fraud can get through but isn’t as hard to stop.
- [29:42] – Stopping fraud for consumers is a huge balancing act for organizations.
- [31:47] – Chris shares a story that shows the work that banks are doing to help mitigate fraud.
- [34:06] – We are going to see a lot more confirmation from organizations, especially financial institutions, to be sure you are not being scammed.
- [37:19] – There are several things we can do to make sure our kids don’t experience credit fraud by way of someone using randomly generated numbers.
- [40:21] – There are definitely other legislation needed to protect people from theft and fraud.
- [42:08] – Things that are being done in credit repair need to change in order to protect people.
- [43:58] – The government and the industry work together.
- [45:21] – Over time, fraud trends change. They follow whatever the fastest way to take money is.
- [46:19] – Synthetic fraud is unique in that all of it is completely fake.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Mike Cook on LinkedIn
- Report Link
- Socure Website
Mike, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me, Chris. Appreciate it.
Can you give myself and the audience a little bit of background about who you are and what you do?
Sure. My name is Mike Cook. I work for a company called Socure. We are an identity verification company, been around for about 10 years, VC-backed. We serve 1500 customers, most of them you and your listeners know. I can't really say the names because of NDAs—non-disclosure agreements—but if it's a big bank, if it's a card issuer, if it's a FinTech, if it's somebody who's offering any kind of a loan online, they're likely our customer.
What we do is score their applications every day. In the course of the year, we score millions of credit applications to help them understand if that application is fraud or if it's a good consumer, because we don't want to impact consumers, especially when they're trying to get an auto loan, a credit card, or a bank account online.
I've been doing this for over 35 years. Started right out of college for a company called Chrysler Credit in auto and was in credit. From there, I went into American Express, did fraud, and have never looked back.
Nice. So when it comes to online fraud and identity theft, have either you or anyone you’ve known been a victim?
Yes. It's interesting. I had mentioned that I had started at Chrysler. The first thing when I really got interested in fraud was less when I was a victim and more when I actually talked to the fraudster who defrauded the company.
There was a woman. She had stolen five cars. We at Chrysler Credit had delivered five cars to the Astrodome. I was working in Houston at the time, and her name was Carol Jones. She'd gotten cars under Carolyn Jones, under Carolyn A. Jones, and she had used all kinds of different Social Security numbers.
I finally got ahold of her. Never did find the car. Never was able to repossess it or get it back, but I was able to talk to her. It was really intriguing because she thought it was funny and she thought that we were fools for delivering cars to the Astrodome. Ever since then I thought, “Gosh, this is really easy, and why can't people stop it?” So I got really interested in it. It is interesting, though.
I've always been extremely passionate about fraud, but in the last six months my daughter was a victim of a P2P—person-to-person)—like a Zelle scam, where she sent money to a government agency. She totally believed they were government. They had all the information on her, talked to her for two days. She sent all the money that she had, which was about $900, and lost it. Wasn't able to get it back, called the bank. They said, “Sorry, you sent it out through peer-to-peer program,” and she lost that.
It really has fueled a new passion in me, mostly because not the money lost to her, but she was fearful and upset, and it was very emotional for her. It's one thing 35-plus years ago to have an interest. It's another thing that six months ago, again my passion to solve for fraud really got piqued.
Things change when you go from a theoretical and conceptual—a Fortune 500 company is the victim and it's 1.01% of the company's earnings or something like that. It’s a rounding error. Let’s just figure out how to deal with it—as opposed to it's a family member and it has real-world impact, not just the financial impact but the trust aspects and the fear that it invokes with people.
Yeah, especially when it's your daughter. I think the first thing I blurted out to her was, “You know what I do for a living? Why would you have done this?”
If you don't mind talking, what got her over the hill of not trusting them to trusting them?
They basically had all her information. That was it. She was like, “Look, it seemed like a professional person. It seemed like they knew everything about me. They were just telling me that I owed these dollars. I didn't believe I did…” but then they would talk to her about how it was going to be very embarrassing, and she was going to get fines and have to go into court, and her parents would get brought in.
At that point, she just said, “Whatever it takes. Let me just pay you.” They basically settled the fine on what she had in the bank, which probably should have let her know that that was fraud—“We’ll take what you have.” She completely believed it for two days. It wasn't until she told me what happened, and immediately she was like, “Oh my God. Yeah, I got scammed.”
So it was more than just the random phone call of, “Hey, person who answers the phone, who I don't know your name, I'm the IRS and you owe me money.” But they actually knew name, address, and more about her to make the story more compelling.
Yeah, they called her. If you've been doing fraud for this long, you track. You see how good the fraudsters have gotten.
Years ago, fraud was easier to stop. They weren't as good. They weren't really paying as much attention. And now with all the data breaches that have happened, most everybody's data's out there on the Internet. If you can buy the data, you can buy some information from a data breach.Years ago, fraud was easier to stop. They weren't as good. They weren't really paying as much attention. And now with all the data breaches that have happened, most everybody's data's out there on the Internet. -Mike Cook Click To Tweet
From a data breach, you would get your email and your password, maybe, and maybe something clear. You could do something called credential stuffing where I just send all that info to every bank that I know and see if I can get it to open up the account.
Or I can get FOLs. I can get their social […], phone, date of birth, email, all the data about them. They can do a better job at convincing people that this is a legit thing and you're really going to get in trouble, so you have to pay.
For most people in the US, is that data out there and readily available for the vast majority of us?
Yes, the data is. If you think about some of the data breaches—I'm not going to name them because I think a lot of these companies have gone through pretty harsh times, seen stock hits and reputational risks, people have been fired, had to let go—there have been massive data breaches of 200-million-plus with all the PII—personally identifiable information—so all of the name, address, and social.
When that happens, it gets put out on the Internet. It gets sold, copied, sold and copied, and sold and copied, and it never goes away. If you think about your identity, my name is my name, my social is my social, my date of birth is my date of birth. More and more your email is fairly permanent, and with portability of cell phone numbers, that sticks with you. Your identity really is unique to you, and the more and more we make it to where it can be permanent—you have that email, you have that phone number over time—it just becomes yours.
With all of these data breaches, the data doesn't go away, so it's fairly available. You just have to know how to go out to the dark web, go to some of these marketplaces, and then make the purchase, download it, and hopefully you're not going to get scammed yourself as a fraudster because fraudsters get scammed, too.
I was about to say, I bet there are plenty of scams that take advantage of people that are new to trying to commit scams.
Oh, absolutely. There is a community group that we follow for financial services and fraud. They wrote some academic research paper awhile back and they talked about the citizen fraudster. It's interesting.
Twenty years ago, you're kind of on your own. Back when I did fraud investigations and I'd look at case studies, I could pick out and look at this is some person in his or her grandmother's basement perpetrating fraud, and they're doing a terrible job. Yeah, easy to catch. And then here's an organized ring, and they know what they're doing.
Today that's completely different. With forums that are out on the Internet, with technologies that are shared, you can actually go out as a person who wants to commit fraud, and I can rent a server from a fraudster that will help me do bot attacks, so robot attacks where I'm constantly attacking people. I can rent that capability. I can buy the identities to put through it, and I can learn how to do it online.
Fraudsters have gotten really smart at teaching other people how to do that. They're making money. They don't really care, because they'll continue to defraud, too. There really isn't easy fraud to catch anymore. It's all very difficult. It's made it hard, not just for lenders and banks but for consumers like you, me, or your listeners.
I think there are two separate conversations. There are the lenders that are being taken advantage of, and then the consumers. Let's talk primarily about the consumer side of it. Not that I say no one cares about the corporations, but we're talking to consumers listening here. They're less concerned about what happens to Chevrolet and more concerned about what happens to their mom. How does this impact individuals?
In a lot of different ways. There are so many different ways to perpetrate fraud. Let's do this for consumers. Let’s focus on the one scam that is second fastest. If you look at the Federal Trade Commission and the way they track, identity theft is number one. But that's really a little bit different. Let's talk about scams.
It's the impersonator scam, like the person that did it to my daughter. I'm the government, you shouldn't do this. It's a romance scam. It's, “Let me send you money.” “I don't have a bank account.” “Then you can keep a thousand dollars of it and send me back 10.” There are these scams that are happening.
Oftentimes, they are social. Fraudsters like to do social engineering. It's a lot easier. People think about fraudsters, they think, “Oh, they're going to hack and they're going to do all this stuff.” Generally, they just talk you into stuff. The simplest thing is they're going to call. They’re going to talk to you about something. As a consumer, you should listen.Synthetic Fraud with Mike Cook Click To Tweet
If something sounds too good to be true, it is, and you should be very careful about what you do next. If somebody is using words like, “You need to pay immediately,” and, “Did you know this?” They're really trying to scare you. And they're with a government entity. It is going to be fraud. It's likely fraud, and there's nothing wrong.If something sounds too good to be true, it is, and you should be very careful about what you do next. If somebody is using words like, “You need to pay immediately,” and, “Did you know this?” They're really trying to scare you.… Click To Tweet
Even if you literally hang up on the real person who works for the IRS, you just hang up on them. Just keep hanging up on them. If it's a legit issue that you have to address, you can address it over time.
Fraudsters are going to try and push, and push, and push, and get you to respond right there, right when you're on the phone. If you're a consumer and you answer the phone, be very careful, if it's not somebody that you know, if it's not somebody calling you back.Fraudsters are going to try and push, and push, and push, and get you to respond right there, right when you're on the phone. -Mike Cook Click To Tweet
The other thing if you're a consumer is clicking on things. Consumers might think, “Well, it's just in my email.” If it just comes in my email, I don't want to click on it. No. If you get a text and that text says, “Oh, click here to win.” Or, “Gosh, we have this great story. You should click here.” Or, “I'm Bank of America. You should click here. We have a fraud report on you.”
There are these things where fraudsters try and create a sense of immediacy in the consumer's mind. This is what I've been doing for my lifetime. I've almost clicked on things because I've been like, “Oh, OK.” I'll start to click on it and I realize that that's a scam. It can come to you through a social network. It can come through your text. It can come through your phone on a phone call. There are so many different ways.
I even got a piece of mail—and this is three days ago. It was a good one because it looked legit. I called the number. It made me go through a frustrating process. Dial one for this, six for this, seven for that, and then finally it gave me this new thing that said, “Give me your social and we'll get you to an agent.” I realized, “I bet this is fraud.”
I put in a fake social and the recording said, “Thank you very much. We’ll get back in contact with you,” and hung up. Thankfully, I put in the wrong social. But again, I've been doing this my whole lifetime, and this is 2-3 days ago. I almost got defrauded. So for consumers, it's very hard. You just have to be very hesitant to click on anything, very hesitant to say anything. Don't feel bad to hang up the phone. Any information, do not give it out.
I assume someone in our neighborhood a couple of weeks ago went and put a little piece of paper on everybody's door. It was a QR code. It just said, “Please help me reach my goal.” And I'm like, “I'm not scanning that darn thing. I am not curious as to what it is.” But I can't imagine, like maybe it was a legitimate fundraiser for something, I don't know. But I could see just the desire of people, like, “I just want to know what it is. I'm going to scan it just to see what it is.”
Oh yeah, absolutely. It may have been legit, but to your point, you're not going to touch it because even if it's legit, then gosh, I'm sorry I didn't help you get to your goal. But if it's not legit, it really can be bad because they could insert malware on your phone, then they have all your passwords.
First thing they're going to do is go look in your notes section on your phone. A lot of people put their passwords in, and they're going to read to see if you have your passwords in your notes section. Or they're going to put on something that collects your keystrokes on the phone. So yeah, it's really easy.First thing they're going to do is go look in your notes section on your phone. A lot of people put their passwords in, and they're going to read to see if you have your passwords in your notes section. -Mike Cook Click To Tweet
It's a really easy fraud, and it's going to continue to climb after COVID. It's really climbed quite a bit. When the economy goes down, fraud goes up. I think the economy probably is going to turn down a little bit. Hopefully, not too bad. But consumers, those people listening, can anticipate more, and more, and more of these kinds of scams.
I've always been particularly, maybe impressed is not the right word, with the speed with which the scammers adapt to what's happening in the world. As soon as the government announced free COVID tests, I started getting spam for, “Here's how you get your free COVID tests.” I'm like, “No, that's definitely not how you do it.” And, “Oh, hey. We have this government refund program.” All of a sudden, start getting scam emails about, “Well, here's how you apply for this government refund.” They're faster about getting the process out to you than the government is.
They are. You’re talking about the organizations that Socure protects. It isn't like the consumer thing, but I think even consumers can understand. They may have heard the term machine learning and artificial intelligence. It’s just really, really fantastic data science.
Well, in the world that we watch on a daily basis where all these applications are coming through, it's interesting. Years ago, the behaviors changed every 6-8 months—the fraud behaviors. “You figured out what I'm doing, so I'm going to change it.” Then they start changing every month.
What we're seeing now is intraday. Like in the middle of the day, they will change their behaviors, like you're talking about with consumers. Even with lenders, they change in the middle of the day. I think they're using advanced machine learning and some really cool data science to start to try and get out ahead of those things that are trying to protect consumers that are used by big businesses.
I've been doing it for 35+ years. Fraud has never been harder to stop. It has never been smarter. It has never been swifter to change patterns. It is on fire right now.
And to me, that's particularly scary that you're someone who's sitting in the middle of the transaction, and you can see what's being submitted. The fact that it's getting harder and harder to detect it is alarming because, like you said, what defines our identity isn't changing to evolve. It's been pretty static for quite a bit of time.
Yeah. Identity has been static for quite a while. The biggest change was moving online. The biggest change was COVID. I bet you without COVID, we as an industry—everybody that's working with consumers—would've slowly progressed to the Internet, slowly progressed to more virtual relationships over the course of eight more years. COVID took all that eight years and shoved it into six months. When you do that, you create huge gaps and a huge need to learn. Fraudsters can just take advantage of any changes really, really rapidly. They can really change fast.
Do you see that there's going to be a coming need to change how the US credit system works in order to be able to take a significant effort to stop fraud? If there’s one new thing to be implemented, we could cut down fraud by 90-95%. Is there something like that that needs to be implemented, is being thought about being implemented?
All the time, and it's crazy. Years ago, it used to be that you wanted the fraudsters to try and attack you in a physical environment. The conventional wisdom was, a fraudster’s not going to walk into a bank where there are locked doors, there's a person with a gun, there are cameras. In a physical environment, consumers are a little bit safer because there's not as many fraudsters. But online is the concern because it's called a faceless environment. It's easier to perpetrate that fraud.
I think fraudsters have had an early start in that environment for years. But I'll tell you, the phone is ubiquitous now. I used to say, “I think there'll be a point where technology is embedded in us.” It doesn't need to be anymore. I mean, Chris, how far is your phone from you right now?
It's two feet away.
Right, so it's embedded. This is just as good as being embedded in us. That's when I felt like there would be a switch, because then we have this. Fraudsters don't have it. They can do a SIM swap, which means they can basically take over your phone. There are ways that they can take advantage of this.
But I think the better we get with device—knowing that this device is in this location, that this device has an IP address that is in this area, that this device has an operating system that looks like this, right down to what time is it on my device, that I've got maybe even an app here where I know that this is the device.
I think as the population ages—the younger people come in, they're more comfortable with their device, they're more comfortable with apps, they're more comfortable taking a picture, a picture of their driver's license and […], which can be defeated—as we get smarter—younger people are smarter about technology—we're going to catch up.
With fraudsters, I've always pictured it as maybe some predator chasing a gazelle. You're chasing this gazelle, who is the fraudster, and you're nipping. You're lucky to be nipping on their heels. That's good. Even if you don't ever catch them, as long as you're nipping at their heels and not running a hundred yards behind them. So I think we will get better.
One thing I'm pretty excited about is some regulatory changes that are coming that will help consumers. The Consumer Financial Protection Bureau (CFPB) was created under Obama’s administration. They've come out and they're going to push the banks to accept the loss for P2P frauds.
When I ‘Zelle’ you $100, $3000, because I want to buy that pedigree dog off of Craigslist, and then I never get the dog because I've been scammed, the bank is going to be responsible for that. My banking friends don't like it, but what it does for consumers—this is what's good for your audience—is it puts more of the stress on the lender, on the bank to keep fraud out of their accounts.
In banking, when I'm doing a P2P scam, it's called a money mule. A money mule is basically, I'm here, send money here, I'm going to take that money, and then I'm going to send it out here. I'm just basically going to move that money around for fraudulent purposes. That's a money mule. In the past, they used to have money mules that were actual people. They paid the people, they either scammed them, and they didn't realize they were being a money mule or they were taking money to do it.
What we've seen, especially since COVID, there's a kind of fraud called synthetic fraud, where it doesn't really impact consumers because it's not using their identity. But that synthetic fraud is fake, and now that is the new money mule. The banks haven't done as great a job as they can stopping those upfront.
Now that the government is going to change regulations, or the banks will self-regulate themselves and take that loss, the responsibility and value is there for them to stop those losses up and make sure they don't have these money mules in their accounts. Consumers should see banks working harder in 2023 and 2024 to help stop those P2P frauds on behalf of the consumers because it helps the bank not take financial loss.Consumers should see banks working harder in 2023 and 2024 to help stop those P2P frauds on behalf of the consumers because it helps the bank not take financial loss. -Mike Cook Click To Tweet
Got you. Just to clarify, with the synthetic fraud, the scammer is creating a fake identity, a fake entity. That fake entity then goes and creates a bank account, and then the money gets moved through that bank account. It's not your bank account, it's not my bank account, it's a bank account owned by a fake individual, right?
Right. If you're going to do something and you're going to get in trouble—I'm going to do money laundering, or I'm going to do terrible things like human trafficking or drug trafficking, or I'm going to scam people—I don't want to do that under my identity, so I just create a fake identity.
There are ways to do it. I won't tell your audience how to do it, but there are ways that you can do that and get through some defenses. You can establish a lot of those relationships. We believe—we've done a ton of research at Socure—anywhere from 1-3% of open active accounts, bank accounts in the US, are synthetic. Think about that. In a group of a hundred people, you’ve got three people working against you and they're not telling you they're doing that.
This is the conspiracy theory side of me or the don't trust big business. Shouldn't it be fairly easy for a bank to detect a synthetically created account that's being used for fraudulent purposes?
Humans are very consistent about how they use their bank accounts. Someone who gets cash, gets this amount of cash on a regular basis every so often, they get their paychecks deposited. Whether they get cash or they get a paycheck, they make deposits on a regular basis, and make Zelle transfers on, let’s say, once or twice a week. Shouldn't the banks be able to detect, “Gee, there’s been 100 Zelle transfers through this bank account in the last 24 hours.” Wouldn't that flag as suspicious?
It can or cannot. Think about that. Let's say, number one, they should be able to stop it before it gets in. Synthetic fraud's not that hard to stop. It can get through. I mean, it's not easy. So number one, you should try and stop it before it gets in.
But if it does get in, think about this. Ninety-one percent of businesses in the US are small businesses with less than three employees. Ninety-one percent. It's a huge chunk, especially following COVID. Think about how many people that you know. How many people in your audience open up an Etsy account or open up some kind of a marketplace.
It's interesting where, yes, it's true. You shouldn't see a hundred transactions come through for a day, but I'm sure there are some good Etsy accounts where they're seeing that many transactions. If I set it up as a synthetic account, if it looks like it's a commercial account because it's doing so many transactions and they've got a hundred going through per day, then it may not look as suspicious.
Banks, big businesses, they're kind of in this rock and a hard place, where they're all competing for consumers and they're competing for consumer spend. I don't want to anger a good customer, especially if I'm doing a hundred transactions a day. That's a lot of transaction fees. If I anger you and you go to my competitor, then I've lost business.
So stopping fraud for consumers is this balancing act of how do I not bother you and really catch the bad guys. The more difficult thing is, fraud looks a little bit like the underserved, or the younger, or the elderly, or the new immigrant. At Socure, something we really pay attention to is going out and making sure that if there's a new population, how can we do a better job of not impacting that population?
And that's always going to be the challenge with a security product. Security is an obstacle in some form. You have to make it an obstacle enough to prevent fraud but not so much that it prevents your consumer from doing business with you.
Exactly. If you try and make a wire transfer with some banks, I don't know how many times you get that, “Hey, we're going to send you a code to your phone.” You can, during a wire transfer, get that code sent to you three times. That's probably a bank who is very concerned about fraud loss or they just don't have the right process in place because you can do that in a little bit more of a smoother operation. But again, if you're the fraud manager you want to throw up as many blocks as you can so that you don't take fraud.
Here's a question for you in terms of dealing with banks with good fraud processes in place. My audience will be annoyed because I'm going to tell the story again. I needed to send some money to family overseas and the bank that I primarily work with doesn't do international wire transfers. Partly by choice on my part. That was intentional on my part. But I needed to send an international wire. I had to open up an account with a bank, make a deposit in it, wait for the money to clear, and then turn around and wire most of it out to a family member overseas.
I got a phone call from the bank within 24 hours, a very nice woman who wanted to make sure I wasn't being scammed. She was asking, “We noticed you just opened this account and you're already sending money internationally. Who are you sending it to?” “Oh, my family member.” “Are you sure that you're sending it to a family member, that it's not a scammer? Have you met this person in person? When was the last time that you talked with them?”
Part of me was overjoyed about the level of intention behind the bank trying to stop it. But a part of me was also annoyed because I just want the transfer to go through. Ultimately, I was really happy with it. Are there things that consumers should be doing if they're particularly concerned about, I don't know, their parents? “Hey, mom and dad. Let's move you over to this bank, which has tighter fraud restrictions in place than maybe some other bank.”
Are there things that consumers should be asking their banks, like are there additional levels of security you can turn on to help prevent my aging mom or my aging grandma from becoming a victim, where we're going to make it so she has to jump through an extra step or two and hopefully talk to a human being, which will talk her out of sending money to that Nigerian prince?
Yes. And by the way, Chris, you look like a fraudster if you open up an account and then you […] internationally right after you wait for it to clear. She wasn't only making sure you were not getting harmed, she was making sure the bank wasn't getting harmed. Entirely, that was a total fraudster move. It was good she did that.
I think we're going to see a lot more of that in 2023. A lot more of, “Are you sure you want to send this? Let us call you. Let us talk to you beforehand.” There are a couple of things for your older parents who may get scammed, and also for your kids. We’ll talk about both here.
For your parents, you don't want them to have the capability of sending out a P2P—peer-to-peer—payment, so a Venmo or a Zelle. Those are great products. I use them all the time, especially if you have kids in college. They're wonderful. But for your parents, what I would say is I don't want them to have a large transfer, and I don't want them to have a Zelle or Venmo account.
Both of those companies are great companies, but you definitely want to get ahead of them by having the ability of sending money out. For your parents, you definitely want to do that. If the bank says we can't shut that off for them, or they could go in and turn it on—they’re parents and may not be able to turn it on because they don't know technology that well—I would try and make sure wire transfers and P2P is something they can't do on their own. So that's for parents. All of us with kids—I have five kids, and I've not done this, so I'm not taking my own advice.
Interesting thing. In 2011, the SSA—Social Security Administration—who administers SSNs—Social Security numbers—started randomizing those numbers. Before 2011, there was some intelligence to it. I can tell you, you were born in the state of Texas and I can tell you how old you were from the range.
There was a research paper that was written where we could recognize and almost identify what a Social was because it wasn't randomized. We could almost guess it within a certain number. I actually helped on that research paper.
After that research paper was written and came out, the SSA changed it to random numbers. Everybody after 2011 gets a randomly generated number. Fraudsters love those numbers because they look like they're an immigrant using a randomly generated number.
One of the things that parents can do with kids is, as soon as they get their Social, call the bureau and freeze their credit report, so that nobody can establish credit in that Social's name, because once your son or daughter turns 18, they may find they already have a credit report, really bad credit with their Social. It's something that can be done.
In that white paper that I wrote for synthetic fraud, I do think several years ago the SSA went to enumeration at birth. We don't have to walk into an office when your kid turns seven. It now really just happens at birth. I would love to see the government just place the security freeze on any of those new ones, and then let the parents take that off.
Those are two things they can do. With parents, really be careful of the mail. The mail is worrisome, too, and I know that oftentimes, the elderly want to be on the phone, want to be talking. They're easily scammed. Young kids are easily scammed. A lot of people are easily scammed.With parents, really be careful of the mail. The mail is worrisome, too, and I know that oftentimes, the elderly want to be on the phone, want to be talking. They're easily scammed. -Mike Cook Click To Tweet
Do you think there would be a greater uptick in credit freeze if, like you're saying, that was the default when a Social Security number was created? I know with retirement contributions, if companies by default were going to have you participate in the retirement plan unless you say no, versus we're not going to put you in unless you say yes, that almost everybody just goes, “OK, I guess I'll just save my money.” Would there be that same effect, do you think, with Social Security numbers and that should be what the process is?
I don't know because I think there are always consumer privacy concerns. What bothers me may not bother somebody else, and what doesn't bother me may bother somebody else. Even for me to say the government should be able to put a security freeze on it to protect that Social right at enumeration at birth, I think it'd be wonderful for two things.
One, for the kid. When he or she turns 18 and they’re at credit age, they literally could walk into a bad credit report and they've done nothing. That's one. Secondly, it would take away one of the tools of the fraudsters. They're called CPNs—Consumer Protection Numbers—or something, privacy numbers. It’s a made-up term that they use in credit repair. It would take away one of the tools of fraudsters. For me and for the countless people that fight fraud, you take away a tool from a fraudster, I'm like, “Thank you very much.” That's one of the 10 things that I put in.
Synthetic fraud has been around for 22 years, and we can eradicate it. It is something we can get rid of. That's one of the 10 points that I included in that white paper was, gosh, I wish we could do this at enumeration at birth, because that would take away one of the tools and make stopping synthetic fraud that much closer.
I know you had talked about legislation to make things a little more difficult as far as the Zelle transactions. Obviously, if the bank has a risk, then they're going to put a mitigation process in place for that risk. It's probably the right thing. As soon as someone's on the line for the money, they're going to do something to protect the money. Is there other legislation that you think needs to happen around identity to make it more secure and less prone to theft or fraud?
There are a couple other things that I think can be done. When you talk about credit repair, there are products in the market, especially now with FinTech—financial technologies—where I open up an app, I try and make it to where you can build your credit.
There is a new group of credit builder solutions that are responsible. They are really there to help consumers. They're a FinTech, they're venture capital-backed, they want to make money, but down to the core, they want to help consumers. That's a credit builder product. There are some of those things that are out there today. We help them stop fraud.
Then there's credit repair. Credit repair uses a couple of tools that I don't want to go into them because I don't want to explain to people how to commit fraud, but if I told you these tools, you would be upset and you would say, I promise you the first words out of your mouth, Chris, would be, “Isn't that illegal?” And I would say, “No, it's not, unfortunately.”
There are a couple of things that can be done on the Internet that these credit repair organizations, the ones that are illegitimate, the ones that aren't good guys, have taken advantage of. The government sees it's going on. They're locked up because it's not illegal, so can they really stop them?
I'd like to see some of the things being done in credit repair to go away. That's going to take some regulatory changes. That's something that needs to be done. Beyond that, I think the number one thing that's going to be done that has not been done yet—this is like me before Facebook saying, “Gosh, if there was a social network with pictures on it […]”—there's going to be a company—I don't know if it's going to be an Apple or a Google or a Socure or somebody else, I don't know what brand it’s going to be—or somebody who can capture the consumer's imagination enough to where that consumer wants to store their identity here on the phone.
The whole system is set up in a way that if you want to get Mike's stuff, you let me know. Today, I don't need that. Your data's everywhere. It's out on the Internet, but it's also in public record information. It’s in the credit bureaus. It’s in marketing databases. It should be right here. If you want it, you should come to me. I should permission it to you. I should give you a token that says how long you can have it, if it's an instant or not.Your data's everywhere. It's out on the Internet, but it's also in public record information. It’s in the credit bureaus. It’s in marketing databases. It should be right here. If you want it, you should come to me. I should… Click To Tweet
I think that that is something that will get there. Getting consumers to adopt it is like getting consumers to adopt Facebook, Instagram, Snapchat for young kids, or Twitter.
Maybe Twitter won't be around.
Maybe something new. So it really is. I think that’s the next thing. The government and the industry work together. When the industry could do more, the government generally here in the US will say, “Hey, we're thinking about regulating you.”
Then the banks, especially here in the US, are smart enough. They're like, “Look, we don't want to get regulated, because then there's a written law and I have to follow it. I'm going to self-regulate, and then I'm going along with the spirit of the law, so the fines are probably less.”
People can be conspiracy theorists or hate big banks, but there is this common understanding that we have to do good for consumers. We have to keep the economy afloat, so people, I think, do their best.
You had mentioned a report that you had worked on. Is that something that's available to the public?
It is. If they go to socure.com and go to the publications resources section, and then white papers. There is a new report we just put out about three weeks ago on synthetic fraud, and it's interesting. Synthetic fraud, I've been watching for over 20 years, and I've been paying attention to the behaviors.
Basically, 20-plus years ago, fraudsters would set it up and it was all about, “Let me steal money fast. Let me get that phone and then ship it to Europe. Let me get a credit card and run it up.” Then they got smarter over time and they started doing something called bust out, which means “I'm going to be patient. I'm going to run this card up, and run it up, and run it up, and then I'm going to eventually take it for $20,000 on a $10,000 credit line because of the way I work the system.” That's been the behavioral and the behavioral changes over the last 20 years.
Since COVID, synthetic fraud patterns have changed drastically. We did a three-year study. We were curious on, “Hey, it seems like synthetic fraud is changing. What's going on?” So we looked at it.
We looked across all these different industries, and what we found is that fraudsters are using synthetic identities in deposit accounts where they can't really make a lot of money, but they can use it to fuel fraudulent money movement.We looked across all these different industries, and what we found is that fraudsters are using synthetic identities in deposit accounts where they can't really make a lot of money, but they can use it to fuel fraudulent money… Click To Tweet
Again, the term the money mule. They've created these money mules. For consumers that may be interested in it, synthetic fraud is an interesting fraud because it's fake. It's an entirely fake identity. And it's neat to understand it.
But the biggest thing I think for consumers is please don't click on things. Recognize that these guys have gotten so much smarter, and that if you don't click on something, your world's not going to stop. If you don't return a phone call, your world's not going to stop. If you hang up on a government person who's yelling at you about how “I’m going to find you,” hang up the phone and don't answer it. You're not going to go to jail.But the biggest thing I think for consumers is please don't click on things. Recognize that these guys have gotten so much smarter, and that if you don't click on something, your world's not going to stop. -Mike Cook Click To Tweet
I've seen more and more public information in terms of the IRS will never call. Unless you're already working with the IRS, they will never call you. You're perfectly safe hanging up on someone who claims to be from the IRS.
Yeah, and deleting that text, get rid of that email. Pay attention to the mail. That's the interesting thing. This came to me from the IRS a few days ago. It was a piece of mail that from my perspective was fraud. Right when you think you've got fraudsters whipped and you tell them don't answer the phone, they send you a piece of mail.
I was wondering when they would start moving back to paper mail, and it's like, “Well, if we can't be the IRS over the phone, we can't be the IRS via email, we're just going to go back to paper mail and get you that way.”
Absolutely. They're patient and they'll get you.
As we wrap up here, if people want to find you online or your company online, where can they find them?
The company’s on socure.com. I'm on LinkedIn. If you type in mike cook@socure, you can find me and just connect me through there.
Awesome, and we will make sure to link the report that you created in the show notes, because people have a hard time figuring out—I can never write down URLs when I'm listening to them.
Yeah. OK, well, Chris, hey, listen, I appreciate the time, and I appreciate what you do. If we can stop one person from being a victim of fraud like my daughter was, it makes this time well worth it. So thank you for, for allowing me to be on.
Our values are definitely in alignment. Anything that I can do to help stop fraud is the total reason this podcast exists.
Awesome. Thank you.