It is easy to build mental models of cyber-criminals. My experience is that it seems to help many individuals to find some sort of work-life balance, and to offer comfort that “high-tech” criminals are a world-apart from the rest of us. They are alien, and easily identifiable in the first person (of course, most will never have knowing, real-time, first-person interaction with an active cyber-criminal or credit card fraudster). Building these images and living in comfort, though, does not mean that those images are even remotely factual or relevant in any way to what is going on in the information security and fraud fields today. Assuming that the world matches what we wish it to be is a relatively common cognitive trap — one that has no place in information security and risk management professions.
In that vein, Jacob Apelbaum offers a valuable and interesting overview and analysis of a credit card theft scam operation.
He received a couple credit card scam calls lasting only a relatively short time, but he listened carefully, collected data, and shares with us an illuminating tale.
As the result of this experience, he wrote,“My mental image of the on-line fraudster has changed irrevocably. Whereas before I viewed fraud as an opportunistic low tech effort executed by crafty individuals, I now view it as an commercial operation, in many ways similar to a legitimate telemarketing niche industry. It employs a well trained workforce, cutting edge BI and telecom technology and a large database of would be “customers”.”
He concluded that:“At its core, fraud is propagated via subtle means and recognizing it requires the aggregation of many nuances which individually may appear inconsequential.”
Mr. Apelbaum outlines some of the more interesting elements of his experience:
- Psychological Usage of Ambient Sound–likely a recording simulating a response hot-line designed to create the illusion of a busy call center…
- Call Traceability and Legitimacy–When asked, the “call center representative” said that her call center was located in a state corresponded to the area code appearing on his caller ID. When tested, the number rang and then rolled to a voice mail system saying that “due to the high call valume I have reached a mail box and should leave a message”…
- Well Scripted Dialogs–During the conversation, the “call center representative” responded in a consistent manner to his questions, emphasizing the positive, and assuring him that any risks were covered…
- Plausibility–Whenever the conversation drifted away from “call center representative’s” primary objective (i.e. getting his credit card and other personal information), they eloquently and skillfully navigated him back to the same spot…
- Professional Composure and Manners–The “call center representative” remained polite and composed, always maintaining a businesslike demeanor and projecting a image of a legitimacy.
- Effective Use of Higher Authority–Brought in the “supervisor” when requested.
My bullets above are only abbreviations of his descriptions, which I highly recommend to everyone involved in information security and financial services risk management.
— References —
“An Afternoon with a Fraudster.” http://apelbaum.wordpress.com/2009/03/20/an-afternoon-with-a-fraudster/
Jacob Apelbaum: http://www.linkedin.com/in/japelbaum