How fraudsters can dupe even tech-savvy risk analysts

Think it’s just your clients that can get tricked into revealing personally identifiable information (PII)?

Not always. A recent experiment has shown that even tech-savvy individuals are willing to provide PII without due diligence.

A Vancouver-based global identity and business verification company decided to conduct an online fraud experiment during International Fraud Awareness Week, which ran from Nov. 11 to 17. Trulioo wanted to see if fraudsters, under the guise of a fake company offering a fake product, could convince fraud-and-risk analysts, as well as others with an interest in data privacy, cybersecurity and technology, to disclose their personal information.

It concluded had the campaign been an online scam, 3.1% of the targeted individuals would have become victims to it, putting themselves at risk.

Trulioo created a webpage for a fictitious company called Agile ID Technologies, offering a fake mobile app “Aurdentity.” Marketed as “Shazam for voice identification,” the app was described as one that uses voice recognition technology to not only identify people when exposed to their voice, but also retrieve background information about them.

The week-long campaign delivered ads to certified risk analysts, fraud investigators, compliance directors, risk management directors, risk management specialists and compliance specialists, Trulioo general manager Zac Cohen told Canadian Underwriter Tuesday. These ads were used to drive traffic to the fake company’s website; once a visitor landed on the page, they were asked to sign up for Aurdentity by providing their personal information.

The campaign resulted in a total of 2,139 unique visits to the fictitious company’s website. Of those visitors, 66 people completed the sign-up form, effectively providing their name and email address (none of the information was stored or collected with any intention to use it).

“The results from this campaign show that people are so accustomed to communicating and transacting online that they often become vulnerable to new and sophisticated fraud schemes,” Cohen said. “It’s not just individuals that are susceptible; even businesses are increasingly at risk of being exposed to fraud.”

Global companies lose an estimated five per cent of their revenue annually due to fraud, the Association of Certified Fraud Examiners estimated in their 2018 Report to the Nations.

There are a number of ways to distinguish a fraudulent website from a legitimate one:

• Checking the website’s related social media accounts
• Looking for comments by users and other social media activity
• Assessing the encryption status of the website: a HTTPS website is, by definition, more secure than a HTTP one, which is often vulnerable to data theft
• Doing your due diligence on the organization that owns the website (or app, product or service). “In Aurdentity’s case, it was Agile ID Technologies,” Cohen said. “Doing a Google search, or looking for the company on Crunchbase would have easily confirmed that the company doesn’t actually exist.

“In practice, however, vetting a business entity is an intensive and searching process; there are multiple moving parts and actors within in a company, so it becomes imperative to conduct a more comprehensive examination,” Cohen said. “Looking at company registers, watchlist records, uncovering the ownership structure, etc. — these measures need to be taken to identify any suspicious activity. In such cases, a Know Your Business (KYB) solution, which automates this process to conduct a comprehensive verification of the identity of the business, becomes a necessity.”