Who are the best fraud fighters?
Seasoned fraud expert PJ Rohall has recently become the new Head of Fraud Strategy & Education at SEON. In this Help Net Security interview, he talks about how he entered the industry, about the evolving fraud landscape, and offers advice to other fraud fighters.
[The answers have been lightly edited for clarity.]
You’ve spent more than a decade working in the fraud-fighting industry. What has led you and what has kept you working in it?
Believe it or not, I fell into fraud prevention by accident. During college I majored in finance, but in 2011, I found myself looking for an entry level role and discovered a posting for a “fraud analyst” position. The opportunity seemed interesting, so I bit the bullet and went for it.
Once I learned more about the industry, I was totally hooked. I love that the industry is incredibly tight-knit, with fraud fighters within my team and from other businesses helping one another to work towards a common goal. While working in the fraud space, I saw a clear trajectory of technology, and the benefits it would have for the prevention and detection of fraudulent activity. Because of this, I did everything I could to learn the landscape, including co-founding About-Fraud five years ago.
How has the fraud landscape evolved during this time? Also, what things haven’t changed?
The landscape has seen a large increase in the number of solution providers offering their technology to stop different fraud use cases. When I started in 2011 on the merchant side, there were a handful of tools people used to tackle the problem. Now, you can’t go to a conference without seeing a range of new fraud vendors.
One of the reasons Ronald (Praetsch) and I co-founded About-Fraud was to make sense of all the fraud solution providers in the market, the existing and the emerging. Although the changes we see are positive, there is still a way to go with changes to be made, especially when considering the motivations of fraudsters. It is in their nature to constantly try to exploit soft spots across a plethora of industries for financial gain. This could be against merchants, banks, fintechs, marketplaces, and beyond. Their tactics may have evolved over time, but ultimately, their core motivations remain the same.
What technologies are widely employed by modern fraudsters and what technologies is the anti-fraud industry counting on to counteract them?
It varies across physical and digital spaces. Within physical spaces, fraudsters use a variety of methods, most notably skimmers, which steal credit card information, through devices hidden within card readers to harvest data from people who swipe their cards at legitimate checkouts. In digital spaces, fraudsters often deploy bots to launch brute force attacks and take over customer accounts. These are just a couple of methodologies, but it’s important to mention that fraudsters are always innovating, finding new ways to infiltrate systems and take advantage of vulnerabilities.
On the anti-fraud side, we need to keep up with the pace of their innovation. I think from a technological standpoint, we are doing a good job, but the challenge comes with democratizing the technology to make it accessible for more individuals. At the moment, some of the software on the market are very expensive and take many resources to deploy. Unfortunately, this is cost prohibitive for many small to medium-sized companies. Ultimately, the main goal is to ensure that the best fraud fighting technologies are getting into the hands of as many businesses as possible.
It seems to me that privileged insiders are ideally positioned to perpetrate fraud against the companies they work for. How should organizations fight this threat?
You’re right, insider fraud is a big problem. Beyond traditional internal audits, you can implement internal activity reviews to analyze accounts and transactions, both monetary and non-monetary, to better understand anomalous behavior. Often, the challenge here is gaining access to the right data in order to perform the appropriate analysis, and then once you do, deploying the optimal analytics.
What advice would you give to CISOs that want to proactively stop fraudulent behavior and enable their companies to stay ahead of evolving threats?
To stop fraudulent behavior, I wouldn’t advise the CISO. Instead, I would talk to the executive in charge of fraud and risk; this is probably the CRO (Chief Risk Officer) or someone similar. The CISO would likely oversee infosec, and although this converges a little with fraud prevention, it sits more upstream.
When advising the CRO, I’d recommend they strike whilst the iron is hot and employ individuals or strategies capable of tackling fraudulent activities before they become serious or unmanageable. Many businesses make the mistake of waiting to justify the investment into people, processes, data and technology, however this investment will go a long way in protecting their business from fraudulent harm. It’s important to do your homework ahead of time and understand your vulnerabilities. Then, build a fraud team that can develop the appropriate blend of processes, data and technology to fight the problem efficiently.
It is often said that to catch a thief you must think like a thief. Do former fraudsters make the best fraud fighters? What attributes do good fraud fighters have in common?
Former fraudsters can make good fraud fighters, but this must be carefully considered on a case-by-case basis. The best fraud fighters are curious and want to understand exactly how a fraudster would monetize their efforts and think outside the box to commit their crime.
Fraud fighters should be passionate about using the data and technology at their disposal and take ownership of what they are doing to solve the problem. The best fraud fighters do it because they know they are making a difference in the world, and this helps to drive them through tougher times (which there are plenty of!).
Fighting fraud seems like a never-ending endeavor. What advice would you give to those in the trenches to prevent themselves from burning out?
A fellow fraud fighter and friend Karisse Hendrick puts it nicely: fighting fraud is like fighting zombies – you kill one, and more pop up. As I just mentioned, having something to drive you is vital and, to me, there’s no better motivation than knowing how much good you are doing for the world. It’s a little cliche, but it’s true.
People are being defrauded and scammed at an alarming rate and, sadly, some victims endure both financial and psychological damage. By working in fraud, you aren’t just protecting the company you are working for, but you are preventing other human beings from enduring hardship. That’s a big deal and is something that will help push you through the grind.
What are your plans related to your new position as Head of Fraud Strategy & Education at SEON? What do you want to achieve?
In my new role, I want to engage closely with fraud fighters across multiple industries to educate people on fraud trends and technology, equipping them with the knowledge they need to fight back. By listening to other fraud fighters across the industry, I want to take their challenges and turn them into technological upgrades at SEON, helping the wider community tackle the issue.
Fraud is a complex, nuanced field which varies across industry and use cases, so collaboration is key to collectively fortify our defenses. This can be done through digital channels, conferences, written text, video, social media, podcasts and more. There are so many ways to connect with others now, and my main goal is to establish connections which enhance our collective knowledge of fraud.