In conversation with ex-fraudster Alexander Hall
Fraudster turned fraud prevention consultant Alexander Hall shares his insights into fraud behaviors over holiday seasons, and the top challenges fraud teams have faced in 2020, speaking from his unique experiences on both sides of the fence.
Grace (Ravelin): This is Ravelin’s podcast and today we are speaking with Alexander Hall who is an ex-fraudster turned fraud prevention consultant who now owns his own business called Dispute Defense, and I’ll let him introduce himself a bit more in a minute. Today we’ll be speaking about the top challenges merchants have faced in 2020 and what we can expect from fraud as we are going into the new year.
It’s Thanksgiving today and Alexander has so kindly given me his time on a national holiday so thank you so much!
Alexander: No worries it’s a pleasure to be here and I’m very excited to be working with Ravelin.
Ravelin: Well we are so excited to have you too so thank you again. So to kick things off, could you tell us a bit about yourself, your background and how it led you to where you are now.
Alexander: So for about a decade I was a career criminal, I was an effective fraudster, being involved with everything from organizing methods, authoring methods, creating information, building profiles, checks, credit cards, cash, the whole nine.
"For about a decade I was a career criminal, I was an effective fraudster"
In 2016 we learned we were pregnant with our daughter, and my wife said if I wanted to be a father then I needed to clean up my act. I turned myself in on a couple of outstanding charges that existed.
My experience in fraud prevention took place with a vape distribution company, they brought me on as the sole fraud specialist. When I was there in my first year I mitigated and prevented a loss of about 1.2 million dollars if all the math works out, so I felt pretty good with my ROI on that, the ROI for my salary. And then in 2020 when Covid hit, the company ended up dissolving the division that I was running, so I started Dispute Defense. Since being here, I've met a lot of great people, my eyes have been opened up to a lot of good technologies that are out there. I just know that my assessment of the fraud prevention industry as a whole, is that there are a couple of lacking points. A lot of people are doing great stuff, don't get me wrong. A lot of people have put a lot of effort and done a lot of great work in their individual pieces of the fraud prevention pie, but there are a lot of gaps in between there. And I want to help both service providers and merchants close those gaps as best as possible, by using my experience on the other side of the fence.
Ravelin: And how did you first find yourself getting into fraud?
Alexander: So for me, like with a lot of other people, the gateway was drugs. When I was young I got into drugs, started selling it, it became a lifestyle, and then over time you want to make more money and your moral compass is kinda skewed so you don't mind doing bigger and badder things. It's kinda like the frog in boiling water fable. So I ended up getting into it, I saw where the flaws were with the lower level operations, and that's when I started to build and develop my own methods, to the point where I was pretty well known in my area of where I operated, to where groups of other people would come to me regarding how to use whatever information they came across. So to answer your question the gateway was drugs and secondarily was the fact that my moral compass was left in the glovebox during my operations.
Ravelin: So it was when you had your children that you decided to make the switch?
Alexander: It was. I didn't anticipate that being a father would be as important to me as it ended up being. Once I was greeted with the possibility of losing access, losing the potential for being a father, I decided it was just time. My daughter has been the greatest blessing that I could ever imagine, and then my wife is super supportive, my three stepsons are amazing, the family that I am now a head of is more than I could ever expect in my life. So yes, to answer your question, that was all it took, and it means a lot to me.
Ravelin: That’s so lovely. So in one of our previous conversations, you mentioned that as a fraudster you were a success but you said it was a 'bad success.' And on LinkedIn you say you advertise that you have a ‘masters in fraud’ from your somewhat unconventional school of fraud. So could you talk a bit about your success as a fraudster and what you think makes a successful fraudster?
Alexander: So when you're on that side of the fence, operating as a fraudster, you put these conditions on yourself and others because you have to keep in mind that as you expand a network, you end up working with more people who have the potential of getting busted and rolling on you or snitching on you, selling you out to the cops when they get busted. So there's a lot of challenges and obstacles you want to overcome while you're operating over there. That could range anywhere from the type of network that you hold, how these people interact under pressure, how these people maintain themselves, also how you hold yourself - I can say that one big factor into what I claim as being a success on that side is that no one under my umbrella that was employing any of my methods, never, did anyone get busted. And that's close to a decade of operations, and additionally that's hundreds of people that were doing different things at different times.
"No one under my umbrella that was employing any of my methods, never, did anyone get busted"
The biggest contributor to me being a success over there is the fact that no one got busted under my authority. But then secondarily, the other contributing factor is just the knowledge that I accumulated over time - how to use what. I was able to take information that to 99% of the fraud game would be absolutely worthless, but I can take it and make it worth something. Typically through math as a payment method, or understanding how limited information can be used at different levels through the checklist building that I've outlined on my profiles in my content. But that's pretty much what it was. In my opinion, the person who is most successful is the person who has the best record, the highest success rate of course, no one getting busted and being resourceful with the information that is presented, knowing where to use it, how to use it, and how to get the most out of it.
The most effective fraudsters are doing stuff that hasn't been identified yet, they are doing things that are multisystem exploits, they are doing things that they have full control over at every step and if something fails, it's not a high risk situation. The stuff that I was known for, and why in my school of fraud dictations, what gives me the opportunity to be a masters degree holder, is the fact that 80% of my operations have not been identified by the fraud prevention industry as of yet. There aren't any pretty names associated with it. I guess I'm tooting my horn from a bad perspective, but there's no beating what I was doing, it's called the unbeatable fraud, and full cycle fraud- I'm now defining it that way- but I want to bring it to light. The whole goal is to close the gap between fraud prevention and where effective fraudsters operate, so yeah that's the story there.
Ravelin: So let’s move on and talk about 2020, which has clearly been an extremely difficult year for businesses, and particularly for online merchants who are having to deal with this huge increase in demand due to Covid, while also thinking about how to protect themselves from new fraud risks. And then on the other side of the coin, there are those who are struggling and perhaps having to desperately think of how to boost sales and keep afloat in these difficult times. So over the past year and in this ‘new normal’ world, what do you think are the top challenges fraud teams are facing?
Alexander: There are three things that I have identified that are happening. One is definitely the fact that due to Covid a lot of people moved from in store retail to ecommerce without proper prevention methods, without knowing what's waiting for them. The introduction to CNP is already waiting for them, that's not a new trend that is happening, but we see it as a new trend because so many people are making that move from in store to online. That's one that's been identified and is definitely going to spike the number of fraud that is going on.
Second is the number of friendly fraud things that are going on because of exactly what you just said. There are a lot of desperate people out there who have become unemployed, who have credit cards, who have knowledge of the fact of the power that disputes and chargebacks have. So they will go and buy something with money they don't necessarily want to spend and they will dishonestly file a chargeback knowing that the issuer will have their back and then get their money back for the purchase.
And then the third one, in my opinion, is policy exploits, where dishonest consumers who are otherwise goodhearted and good solid people don't have a problem exploiting policies in order to get more than they paid for, because again, desperate times lead to desperate measures and again people leave their moral compass in the glovebox when they go shopping. So ahead of the holiday season, as if fraudsters gearing up for the holiday season wasn't enough, you also have to take into consideration those three things and keep your eyes open for it.
"People leave their moral compass in the glovebox when they go shopping"
Ravelin: It’s interesting that you said that the fraudsters are gearing up for this holiday season, because that leads me nicely onto the next question. So obviously (Happy thanksgiving again, it’s holiday season, as you are all too aware of as I’m making you work on a national holiday) the holidays are the busiest time of the year for merchants in any normal year, so with covid and all of the things you just said, can you just expand on how you think fraudsters change their behavior in holiday seasons?
Alexander: Without question, I feel confident in saying about 98% of the fraud world gears up for the holiday season. And what I mean by that is they spend the rest of the year honing their skills, honing their abilities, making sure their fake cash, their fake credit cards all look good, checks are ready to go, they've done their research, they've built their checklists, they know what works where. And it's during the holiday season that they know that is the easiest time to get things through because merchants are more likely to bend the rules a little bit in order to just keep the cash cow going. So what is infinitely more effective this year- the difference between 2019 and 2020, there is a stark difference there- merchants are super hungry- the problem with and the biggest issue because of that is that merchants are hungry for the sale more than just looking at this as a way to get positive, they are also looking at a way to make up for losses that took place during the year. Especially in the US where there's been a lot of lockdowns and closures- there've been a lot of problems with instore retails. So both instore and online merchants tend to move the needle a little bit towards customer satisfaction in order to just keep everything flowing, but fraudsters identify that, and they take advantage of that. And they gear up by getting their embossers in line, their reader writers in line, they've bought all their dumps or the track information from the dark web. They're prepared, and they wait for black friday because just like with normal consumers, a lot less can go a lot further. So at the end of it, fraudsters are getting ready for the holiday season and merchants need to keep their guard up.
"Fraudsters are getting ready for the holiday season and merchants need to keep their guard up"
Ravelin: And how did you operate as a fraudster over the holiday season? Because I know in our previous chats you’ve said that there’s 1% of fraudsters who just take the holiday season off and give themselves a break, which I thought was really interesting. So when you were in the game, were you in the 99% or that 1%?
Alexander: I was that 1%. My operations were solid, thorough. If I wanted to do something I did it that day, everything was taken care of during the year. My operations never changed, except for during the holiday season when I just spent time around the family and doing things I wanted to do. I didn't necessarily gear up and go pedal to the metal in order to exploit the holiday season, I just did what I wanted. There were a couple of things that I would participate in, but they weren't my operations; it was just helping other people do what they wanted to do. So, I definitely count myself in that 1% of people who would just sit back and chill. I was good. I never exploited the fraud game to live this rich lavish lifestyle, I used it to just get what we needed with a couple of perks here and there really.
Ravelin: And just touching on what you said earlier about policies and merchants just tipping that needle towards customer satisfaction- we’ve recently done some research about refund abuse and promotion abuse- or I think you use the terms return fraud and marketing fraud- so we found that over half of the merchants this year have seen an increase in refund abuse and just under half have seen an increase in promotion abuse. So what I’d like to ask you is, have you seen this increase in refund and promotion abuse? And can you tell us a bit about your previous experiences with these fraud types that are in a bit of a grey area because it tends to be the genuine customers that are doing it.
Alexander: So as far as identifying a trend this year, I think thanks to the great work that has been done in this industry across the board, a lot of people are becoming aware that they need to watch for that type of stuff, so when they report an increase, I feel like there's a misrepresentation when they use the word increase, I think if you're watching for something you’re going to see it more than if you aren't. So if they finally employed data management in order to track these occurrences they are going to see an increase because now they are tracking it, their eyes are on the prize a little bit more, so they are going to track that effectively and then see an increase. Although I wouldn’t be surprised for there to be a real increase because of the desperate times we are in right now. But I think that once you start looking for the red car as you drive down the highway, then you are going to see more red cars, and I think that's the phenomena that's going on right now.
So the second thing is my involvement, what I've seen first hand in terms of these type of exploits, the biggest success story was when I was working for that vape distribution company, where in the first 6 months I was promoted to be the manager of the fulfilment center problem area essentially, which is the returns the AVS, the AV address verification, stuff like that. But as I was taking over the returns department, I found pallets in the back, pallets that were just stacked and stacked, pallets of merchandise, and as we started to break that down in order to get it cleared out, get it moved on, pushed on, returned to vendors, whatever it needed, we ended up identifying that there was about 300,000 dollars worth of products that had already been issued credit wrongfully. Either the product was never purchased from us, the product came back after it was expired, we were getting rocks and stuff in the boxes that would just meet the weight requirements for shipping, which wasn't even necessary because at that company we didn't even check it, but there were a whole bunch of ways that people would give this product back and request credit while unknowingly the accounting department issued the credit.
"There was about $300,000 worth of products that had already been issued credit wrongfully"
Now that was just one customer taking advantage of 300,000 dollars worth of returns over the course of the last 8 months to that point, so in identifying that along with the several other customers who had done lesser amounts, we put together that it was about 600,000 dollars total over the course of the last year we'll say, where 600,000 worth of credit had been issued. What makes that so lethal to a company is the fact that once it gets processed that looks okay in the books, it’s like that's just how many returns we had, we issued credits and it's done, the problem with that is it was dishonest and your staff needs to be aware of that possibility as they handle these returns. So what we did is that we put into place new policies, practices, we made sure there was an end date for processing, we made sure there were requirements out on the customer in order to send items back, we had two-factor authorisation essentially, where we would approve it before you could send it back - those are some tricks that you can do to make sure you're not getting anything back that you don't expect that hasn't already been approved. That ended up saving the company 1.2 million dollars over the course of the year. So that's a great example of how it can turn bad and then also be fixed.
And when it comes to the marketing, a company sets out a specific stock of inventory for a buy-one-get-one-free (BOGOF) promotion, so they expect to get a bunch of sales from it, but they also expect for that to be what brings customers to their platform, and they expect to get a lifetime's worth of purchases from a customer by sacrificing a BOGOF offer. One way that we saw it was getting exploited is that one person would set up 50 accounts and all have these BOGOF and have those items sent to the same address using the same card. This is an honest customer using the system to the detriment of the merchants. This is why the needle between merchant security and customer satisfaction needs to be put in check, it needs to be monitored because otherwise good people are taking advantage of your system, and because merchants don't tend to classify that as fraud, they don't tend to look at it as fraud. Well, understand that the definition of fraud (you know not the webster's definition but in my opinion) is taking advantage of someone under false pretences and there's a loser in the situation which is 99% of the time going to be the merchant.
"The needle between merchant security and customer satisfaction needs to be put in check"
Ravelin: It's amazing how it adds up with all these refunds and promotions. I think it's such a pervasive issue, especially coming into this holiday season when people are still locked down, there's going to be so much ordering going on to different locations- people gifting across the world- it's just going to be so hard for online merchants to track their wares and keep tabs on how much it is costing them. So moving onto the next question, we’ve also spoken to merchants who alerted us to more fraud emerging on social media platforms like Snapchat and TikTok as customers have started bragging about their money-saving tips or offering fraud as a service and then profiting themselves. So what are your thoughts on this social media trend and how do you think merchants should approach it?
Alexander: So when I was operating I made a clear decision that I never advertised my skills, I never advertised my methods. If someone came to me and asked me how to do something I would do it, I wouldn't tell them how to do it, I would just do it, like here you go and now it's done, give me my cut whenever it's done. It was a really tight-knit circle but I never advertised. The reason why, from a fraudster's perspective, why advertising is really dumb is that you are leaving yourself open to people who if they get busted for a bad practice, they have no problem giving over the information that they used when they contacted you. So you put yourself at risk, so that's dumb. Anytime you communicate with someone that you don't have a good running history with that you haven't investigated beforehand to know how tough they are, you put yourself at major risk.
From a fraud prevention perspective- that's just called research. If you come across these things you're not going to stop it from happening, but the second you become aware of it, you need to be aware of what it looks like when it enters your system. And that's one thing that sets my company on its own path is the fact that using my own insight from the other side of the fence, when I work with merchants I identify all of the ways they stand to be exploited and work on ways to either identify the attacks or attempts, I work on ways to defend the merchant and I work on ways to prevent further losses in the future if they've already been exploited.
Looking at it from a fraudster's perspective is very important. If you see these guys posting on social media - that’s real - if that sounds feasible, if it sounds like they are ripping off your returns department, or your marketing, or your different policies, take it to heart, go back to your policies and figure out where these loopholes are and how to identify them when the attempts happen.
"If you see these guys posting on social media - that’s real...take it to heart, go back to your policies and figure out where these loopholes are"
Ravelin: Well I guess before we finish up, I’m sure our listeners would love to know if you have any parting words of wisdom. So what advice or top tips do you have for merchants looking to protect themselves going forward?
Alexander: First things first, identify your transfers of value. Not all fraud is represented in transactions and chargebacks, not all fraud takes place with cash check credit cards, you have to consider the difference between a hot dog vendor on the street and a corporate juggernaut. A hot dog vendor might exchange just cash for hot dogs, you look at a corporate juggernaut they have lines of credit, dropshipping, ecommerce, in store, check cashing, they have all these different transfers of value that don't require payment methods, and every single one of them stand to be exploited by someone who wants to exploit them. So just identify your transfers of value.
Secondly make sure your policies and practices are fluid, dynamic and well-informed.
And I guess there's a third, understand because of the way a fraudster thinks, if you employ a fraud prevention department and you have fraud prevention measures in place, understand that fraud happens in every department where there is a transfer of value. So going back to that, the fraud prevention team needs access and needs to be a part of every department where there is a transfer of value it’s not just one department that sits alone by itself and looks at credit card transactions, because fraud lives elsewhere, and they need to be able to look at these different things to see how you might be losing, they need to stay informed and they need to be a part of the team all the way throughout the team. So yeah I think those are some good words of wisdom.
"The fraud prevention team needs to be a part of every department where there is a transfer of value...because fraud lives elsewhere"
Ravelin: Yeah I love that, because I think that is the most important thing, is the human insights into fraud. It’s all very well having the best tech and best glitzy fraud prevention tools, but if you haven’t got those humans behind it with their own unique perspectives then it’s never going to be as agile and as effective as possible. Thank you so much for that and thank you for speaking with me today, it’s been so interesting and I’m sure our listeners will have found it helpful. So please go and enjoy your thanksgiving and forgive me for eating into a chunk of your day.
Alexander: No forgiveness required, this was a blast, I am so happy to be working with you guys and thank you so much for doing it with me. It was awesome!
Ravelin: No honestly it was my pleasure. And to those of you who are listening, if you found anything we were talking about interesting and want to find more information, you can do so on our website.