May 20, 2020

Tony Sales is Director of We Fight Fraud, a UK business that works with and advises organisations across the globe on anti-fraud systems and processes, and pressure tests systems, particularly customer onboarding and online account processes, to reveal weaknesses that criminals could exploit.

London-based Tony is a former fraudster and was once dubbed Britain’s most prolific fraudster by the Sun newspaper, a fact he admits he’s not proud of. After serving a prison sentence, Tony reformed and set about putting his extensive personal and ‘professional’ experience to good use helping organisations in the fight against fraud.

Tony explains to Steve Elliot, MD of LexisNexis Risk Solutions, how he and fellow fraudsters simply follow the money when it comes to deciding exactly when and which companies to target, describing the ‘greed’ demonstrated by the market at times as a key motivation. Any market-driven rush for organisations to sign up and on-board new clients, such as the rapid expansion of the mobile phone market in the early 2000s, he says, results in firms lowering standards on KYC and fraud checks, which opens them up to fraud attacks. He also cites vulnerabilities that typically emerge when new service or payment types are introduced to the onboarding process, such as when Direct Debits were first launched. Any process weakness in these new systems will be quickly spotted and taken advantage of by fraudsters, eagerly awaiting the next easy opportunity driven by change.

The current global crisis is a prime example. We Fight Fraud research estimates an 80% increase in online fraud and cybercrime since March, much of which capitalises on the current situation. Sales of fake, substandard or non-existent PPE equipment and hand sanitizer and countless phishing emails offering everything from advice to a cure in an attempt to spread malware, are among the examples. Tony cites another where fake NHS IDs are being used by drug runners to gain free movement during the lockdown. The lack of widespread testing is another opportunity criminals have quickly jumped on, setting up websites and payment gateways to offer testing kits to the general public.

Aside from opportunism, Tony explains that fraudsters will simply pick off the low-hanging fruit – looking for ‘chinks in the armour’ of firms they can exploit for a quick earner. In one example, Tony relates defrauding a major global financial institution simply because it was behind the curve in implementing digital processes, which meant fraudulent activity would remain undetected for days due to a delay in receiving paperwork.

To further exacerbate the problems for institutions with procedural weaknesses, once a flaw is spotted, criminals waste no time in sharing the knowledge with their networks. “Criminals share information at the speed of light – they want to see each other succeed. The reason is that you could be making money off something one week and the next it ends, so, like any business, when you’re doing well, you bring in someone else to earn a bit of commission from you, then later they’ll think of you when they find some way to make money. There’s many an entrepreneur in the criminal world.”

Tony goes on to explain that fraudster networks have code words for well-known institutions like high-street banks, and will freely share tips about how and when they are most vulnerable to attack, due to systems being switched off, or similar. What’s more, the proliferation of this ‘inside’ knowledge amongst criminal networks can come as quite a surprise to the institutions themselves. Exactly how this information gets into the public domain is uncertain, but Tony says that insiders (rogue employees sharing information from inside the company) are an essential tool for anyone ‘serious about committing fraud’ and are still a ‘massive’ problem for organisations.

KYC authentication and AML checks are some of the tools available to firms in the fight against fraud, but Tony explains he and other fraudsters can often find ways to bypass them, once they know how they work: “the problem with most controls is they look for patterns and once you understand that it’s easy to get around. You just give them that pattern they look for, then create something else around that that they don’t spot. At the end of the day a (control) system is only as good as the information it’s got.”

The challenge most organisations face, Tony explains, is that their own employees are designing their online customer onboarding controls and checks and setting the parameters themselves: “if they’re good, honest, decent people, the systems just aren’t going to work. They’d have to be experts in all types of criminality, which just isn’t the way it is.” Tony says that unfortunately, nine times out of ten, firms aren’t willing to pay for the right people, those who can actually set those parameters, to come in.

The key to organisations successfully protecting themselves and fighting fraud, Tony says, is simply down to more training for those responsible for the anti-fraud systems, and more controls. “Technology is great and technology used in the right way (in the fight against fraud) can be amazing, we should use as much of it as we can. But, the systems must be set with the right rules and parameters from the very beginning.” According to Tony, that requires incorporating insights from him and the many others like him that have turned over a new leaf and are now putting their energy and extensive experience towards helping firms detect and fight fraud. The old adage – to catch a criminal, you have to think like a criminal – still rings true in the world of fraud, it seems.

Steve Elliot commented on Tony’s insights: “your name, address and date of birth establish little more than a legal identity, and as Tony explains, these can be easily manufactured to create “ghost” identities for fraudulent purposes. Even expanding these data attributes to include nationality, gender or passport number and even electoral roll and social media accounts doesn’t necessarily create a concrete identity that can be relied upon. It’s therefore surprising that many firms are still failing to look any deeper than the basic legal data attributes or simple internet search engine queries when on-boarding or carrying out identity checks to fulfil KYC obligations.

“Data is critical to achieving improved KYC insight. Using too few and static data attributes is the reason why so many firms fail to gain an accurate risk profile for their customers. Failing to truly understand who a customer is means organisations are failing to detect and prevent potential fraud and money laundering activity and exposing themselves to fines and other action. Tony’s assertion that fraudsters actively target the “low-hanging fruit” organisations that have weaker processes should be a stark warning to the many organisations relying heavily on human labour to investigate KYC, risk profiling and screening with ineffective data sets.

“Research indicates that many businesses are reluctant to embrace a data-driven culture. But, failing to do so means missing out on the benefits of data-led KYC. By harnessing large, cross-industry data sets, it is now possible to authenticate individuals faster than ever before, and to do so with far increased accuracy and lower costs, whilst at the same time, achieving improved compliance and risk insights. We’re grateful that Tony Sales is now on the right side of the fight against fraud, but the battle continues and only with the right tools and the right approach to data, will organisations, together as a coordinated effort, be able to make effective progress.”
