We’ve all heard of dating scams, but realizing that most of them are part of larger criminal organizations working 24/7 to manipulate and defraud you can be a bit shocking. Today’s guest is Jane Lee. Jane is a Trust and Safety Architect at Sift who specializes in malicious websites, spam, misinformation, account content abuse, and payment risk. Prior to joining Sift, she was on the fraud teams at Facebook and Square and also spent some time as a private investigator.
“The actors behind these scams are becoming more and more sophisticated.” - Jane Lee
Show Notes:
- [1:08] – Part of Jane’s responsibility at Sift is to understand new and emerging fraud trends.
- [2:36] – Jane gets to do the detective work she likes but in a more physically safe tech environment.
- [3:46] – Pig butchering scams are similar to romance scams but more advanced.
- [4:25] – Scammers start on dating apps and move targets to another form of messaging.
- [6:36] – It’s called pig butchering by the scammers.
- [7:34] – As a dating app user, Jane noticed patterns and decided to investigate.
- [9:29] – Jane shares the trends in the profile photos and images on dating accounts.
- [11:58] – Over time, it is easy to see patterns in profiles.
- [13:55] – Using IP emulators is common for scammers.
- [15:47] – Machines are better at detecting patterns than the naked human eye.
- [17:26] – Fraud is largely agnostic.
- [18:58] – It is the same dance but with different “flavors”.
- [20:49] – Moving over to another messaging system is one red flag. After that, love-bombing is another common indicator.
- [23:07] – Covid has given scammers another reasonable excuse for not being able to meet in person.
- [24:22] – These types of scammers also talk about investments and even send screenshots of bank accounts.
- [26:46] – To compensate for grammar and language errors, these scammers will mention that they were born overseas.
- [28:50] – These scammers also may have a fake crypto exchange platform.
- [30:22] – Jane describes the experience of interacting with the “tech help” line of a fake crypto platform.
- [35:27] – Jane shares that a lot of these scammers are coming out of Southeast Asia.
- [36:34] – There is a very sophisticated fraud economy.
- [39:35] – Deep fake technology is getting more and more advanced.
- [42:15] – What is synthetic identity fraud?
- [43:55] – It is necessary to have a little less trust in people you talk to online.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Sift Website
- Sift Fraud Alert: Pig Butchering Blog Post
Transcript:
Jane, thank you so much for coming on the Easy Prey Podcast today.
Thank you so much for having me.
Can you give myself and the audience a little bit of background about who you are, what you do, and how you got into the field?
Sure. My name is Jane Lee. I'm a trust and safety architect at Sift. We are a fraud prevention platform powered by machine learning. We work with a wide range of customers ranging from dating apps to quick-service restaurants—McDonald’s, Twitter, and Uphold—a broad spectrum of different types of companies.
My role is pretty unique. I have not heard of the term trust and safety architect at other companies. Basically, you can think of our team as the subject-matter experts when it comes to fraud. A big part of my role is to understand new and emerging fraud trends and make sure that our customers are informed, as well as that our product is working for our customers.
Prior to joining Sift, I was at Facebook for a little over five years working on spam. Spam at Facebook covers a very wide range of different problem areas. Prior to that, I spent about a year at Square working on payments fraud. That's my portfolio of fraud that I've been working on over the past eight or nine years.
Was there some particular event in your life or family's life that got you interested in working in fraud or was it the CSI show?
Yeah, I was just going to say that. Not anything personal. When I was in grade school, I was obsessed with every single cop show on network television. All of the CSIs, all of the Law & Orders, and all the NCISes. I really wanted to be a detective, and then I learned how dangerous it was.
I like to think of what I do right now as kind of the detective work, but behind the scenes and under the safety of just tech. It wasn't a particular personal event, more so just I think an interest in investigations. I actually was a private investigator. I didn't mention this. I was a private investigator for a brief period before my start in tech. Then prior to that, I went to go to law school, but we all know how that turned out.
I assume you're not a lawyer then.
No.
Let's talk about pig butchering. I want to know what is it and how in the world did the terminology arise?
Let me explain what it is first. Pig butchering, we've all heard and know of the old-school romance scams or Nigerian prince scams where the end goal is to try to get someone to wire over some money. I describe, in layman's terms, pig butchering scam as romance scam on steroids because there is a crypto investment component to it, and the technological sophistication of the scammers.
Basically, the scammers bait their targets on largely dating apps, but on other platforms like WhatsApp. Actually, any platform with any messaging component, I would say, is at risk. But my investigative work was on dating apps. They'll find their targets on the dating apps, quickly move the target over to an encrypted messaging app. In my case, it was WhatsApp. Of course, that adds that extra layer of anonymity for them to avoid detection.
Actually from the beginning, they always position themselves as successful business people. They have achieved financial freedom. They want to travel the world and retire by age 40. They really position themselves as that.
They start by really romancing the target quickly. They use tactics like love bombing, which I don't know if anyone is into behavioral psychology. But love bombing is not a healthy thing, where you're just overwhelming the person, showering them with compliments, and things like that. It's not really genuine love. And then they move over to manipulating their targets.
They'll start talking about, “Hey. You should really start investing. Look how much I'm making with crypto. You're missing out. You could have made this money.” That's really to drive a sense of urgency to really try to get the individual to send over the money fast.
Actually, for some periods of time, the target may be able to withdraw the funds. It's actually tangible. They see, “Hey. I'm making huge returns in a very short period of time.” The money and the profit feel tangible. Ultimately, there's a tax or a fee or something to have to withdraw that money. At that point, I think most people quickly realize that they have been scammed or they get ghosted by the person that they're interacting with.
I didn't answer your question on the term pig butchering. That is not, thankfully, coined by myself. That is actually what the scammers call it. Basically, pig butchering, they refer to their victims as pigs that they plumpen up, they fatten up. Ultimately, they lead them to the slaughter in which they drain them of all their funds and walk away with, in some cases, millions of dollars.
Yeah, definitely. I've interviewed several people that have been the targets and, unfortunately, the victims of romance scams without the crypto component to it.
Yeah.
Your investigation of it, how did that go down? How did you get to be a target, so to speak?
It was first brought to my attention. I mentioned, at Sift, we do work with a number of dating apps or websites. It first surfaced in our network of dating apps. Once I started investigating, I, being the occasional dating app user myself, I quickly recognized that these accounts looked very familiar.
It was something that me, as a dating app user, I couldn't quite put my finger on it, but I was noticing a lot of the same type of accounts. I couldn't put my finger on what it was though. But once I did see what was going on behind the scenes, I knew that this was—anytime you see too much of the same thing online, there's a high chance that it's “fraudy.”
Being the curious, I guess, person—I mentioned, I wanted to be a detective at one point—I really just wanted to know the inner workings of it. I rolled up my sleeves and I downloaded every single major dating app available on the App Store. I even recruited one of my single girlfriends who was on the apps to help me out. That's how I set myself up as bait. It was very easy to, I guess, bait some scammers myself.
That's really unfortunate—it was so easy just by creating the accounts that you're able to get people to start reaching out to you in an authentic way. Having looked at a bunch of accounts, what was it prior to any type of communication, what were these similarities between the accounts that caught your attention?
At the time, there were a lot of objectively attractive-looking Asian men. They've since changed their MOs, which is why I say, “at the time.” All their pictures looked extremely photoshopped. I even tried doing a reverse Google image search to see if they're using some stock images or some models that I didn't know about. That didn't yield anything.
I do believe that they were either creating these fake AI-generated profiles or they were stealing from existing people's social media accounts. I look like this with a lot of lighting, but your everyday person doesn't look like this—very curated. Their responses to some of the prompts that you're asked on dating apps were all very similar. Again, all talked about financial freedom. All talked about their dreams being to travel with their wife and family. They all looked and sounded the same.
They had very generic job titles. Their job title will say entrepreneur at this location, or CEO at this location. That was the, I would say, V1 of the MO. They have since diversified quite literally in terms of the types of images they're using. You now have CEOs from Germany, from all over the world.
I believe, because the answers to the prompts, they used to make no sense at all. They wouldn't answer the question even. It would be a completely unrelated answer. They have since changed that. What I think they're doing is they're either paying more attention to that as it's getting more exposed, or they've started copy and pasting from other existing profiles.
Yeah. To me, that's probably the scarier thing: the human mind when you're creating a bunch of fake things. This even happens in accounting fraud. People are really bad at generating random numbers. Accountants that are stealing money, when they're creating fake records in the ledger, will use surprisingly consistent numbers that just kind of stand out over time of, “Gee. There’s an awful lot of transactions ending in 33¢, 37¢.”
Yeah, it looks too clean.
It's not normal. There's a lot of that. I assume it will be the same way if you're creating a bunch of fake dating profiles is you just start answering. “I'm creating 100 accounts today. I'm going to create them. I love to travel with my wife and kids.”
You just get the same thing over, and over, and over again because we're just not creative people. But if they're copying and pasting from random accounts, it's going to be harder to detect that sort of thing.
Absolutely. Yeah, that's really interesting. Accounting fraud is one of the types of fraud, I guess, I haven't worked in yet, so that's really interesting to hear. Again, I agree that people are creative, but not that creative where you can generate these random strings of numbers without showing any sort of patterns.
I guess from the technical background, is it easy to technically identify these accounts or is it getting more and more complicated over time?
I think it's getting more complicated. The actors behind it are becoming more and more sophisticated. For example, an IP address can be a good signal when you're trying to assess whether, “Hey. Does this person's IP actually match the location they're claiming to be from?” Or things of that sort.
What I've noticed with this particular scam is that they know what IPs belong to specific ISPs—internet service providers—and they will use an emulator to look like they're using a T-Mobile IP address. Another part of what my team and I do is we kind of scour the dark web and deep web forums, private Telegram forums, and credentials being sold on the dark web. We don't buy any of it, but just to understand what's going on.
I have seen a file of IP addresses and they're like, “Hey. You should use these IP addresses. They're reputable. They belong to reputable sources.” From that perspective, for the naked human eye, it becomes really hard to tell at face value what's going on.
I did mention that Sift is primarily a machine-learning platform. That's where if you have the right technology to do this high-volume data ingestion and have the algorithms to do something with it. I hate saying it this way, but that's where the machines have the advantage over us as people.
If a content moderator is looking at it and says, “Hey. OK. It looks like they're based in Los Angeles, they're a Verizon user, and it all checks out.” But hey, what if 1000 other accounts are doing the exact same thing and sending the exact same type of messages? It becomes harder to detect without the right tooling.
The neat thing about machine learning and working with high-volume dating apps is that there's a lot of data to work with. Machines are incredibly good at spotting patterns in the data that we don't necessarily see.
Yeah, exactly.
Is that the reason why these scammers work so quickly to get people off of those platforms?
I wanted to elaborate on that, so I'm really glad that you asked that. What they're trying to do is they're hedging their risks as well. It helps them avoid detection on any single platform. As quickly as you move off the app onto another, they don't know what you're doing on the other app. Basically, you're not committing a terms of service violation on any single platform.
It's OK for me to ask someone, “Hey. I don't really use this app. Here's my number. Let’s move over to WhatsApp.” That's not a real policy violation. But when you look at the aggregate of what they're doing on each platform, that's when you have a better picture of what's going on. Really, they're just hedging their risk of getting caught.
Here's the geeky behind-the-scenes questions, I guess. Does that give a company like Sift an advantage of, not to say that you are working, let's say, with WhatsApp, but if you're working with multiple platforms that you can see people moving from platform to platform?
Yeah, absolutely. This is where the advantage of any large database essentially is. Yes, there are certain types of fraud that come from certain types of regions and impact certain types of users. However, fraud is largely agnostic. Meaning, if they're targeting McDonald's—I'm going to use McDonald's as an example because they're a Sift customer—they're going to probably target Carl's Jr. They're going to target Wendy's. They're going to use the same type of MO across the board.
It's not really just impacting one business at an individual level. They're not just targeting one dating app. Like I mentioned, I downloaded every single dating app and no one's safe. They're everywhere. The advantage of working with a company like Sift, without coming off as too salesy, is that if we've seen it once in our database, in our data, the rest of our customers or people that do work within our network will know about it ahead of time. You can stay a step ahead if you were to just do it on your own.
The other thing, too, is that in my experience, working with fraud in tech, I would say it's the same dance, but different flavors of it. You can predict all the different ways they're going to try to use a stolen credit card, all the different ways that they're going to try to send a spammy link. It might be slightly different, but you can kind of predict it. I think that's where the advantage of working with a large set of existing data is over not using something like that.
Yeah, and that you're involved in a variety of platforms. A variety of technologies allows you to see things at a different perspective than maybe an employee at a dating app trying to deal with the same issues. They're only seeing what's going on in their own platform.
Yeah, exactly.
Let's get back to people that are being targeted. Are there other things that they should be watching out for? We talked about these overly polished headshots, either weird text or the exotic successful entrepreneur traveling the world. It seems to be a really popular one. Also, military vets seem to be a popular personality.
Yeah. I got my first taste of romance scams at Facebook before crypto is what it is today. I feel like that is when I saw the military vets more. Those images are usually reverse searchable.
First, I would say, red flag would be moving the conversation over to an encrypted messaging app. I think encryption is kind of like a double-edged sword where you want to honor privacy, but it makes from a fraud perspective, it does add some huge challenges there.
Moving over the conversation of WhatsApp, again, it's not the end-all-be-all where, “Oh, no. Because this person asked me to move over to WhatsApp, they are fraud.” But it's really like pieces of the puzzle. The next thing that typically happens is the love bombing.
Is this person just bombarding you with compliments? My scammer boyfriend told me how beautiful I was, how they wanted to plan a trip to Osaka with me. These things that really, from a professional perspective, I don't think I'm qualified to give dating advice. But I think as a person, it's moving a little too fast for someone that you just met online a few weeks ago.
The other red flag is they will find a bunch of reasons why they can't meet you in person. Actually, this is one of the things that makes this scam different than the OG romance scams. They take time to understand the region that they're targeting. One of the people that I was conversing with, I looked at the neighborhood that they reported they lived in and I said, “Oh, hey. What are you doing this weekend?” They said that they were going to a local restaurant.
They did their research to actually find a restaurant that was believable to throw back at me, and it is. They're doing their homework as well. I said the love bombing. They'll find reasons why they can't meet you, like I said. They might try to kind of assuage you by saying, “Hey. I can get on a video call,” and their video will be all blurry, but you won't actually see the face behind the phone, I guess.
Yeah. There are always technical difficulties.
There's always a reason. Your internet's not working.
I'm in the airport and the bandwidth here is just horrible.
Yeah. I think COVID also gave them a good excuse at the height of lockdowns for why they couldn't meet. They're seeing their grandma or they can't see people at the moment. Throughout the entire journey or the lifeline of the scam, which actually takes place over a few months. It's not just like, “Hey. We're going to do this in a day and steal your money.” They really cure these relationships.
Throughout the process, they'll talk about investments, about how well they're doing. They'll send you screenshots of their bank accounts and also really flaunt an extravagant lifestyle. My scammer boyfriend showed me pictures of him or whoever was the owner of these pictures on a yacht doing a lot of luxurious things. They really, throughout the process, position themselves as financially successful people, and then they'll try to get you.
I personally would find it completely bizarre if someone was sending me screenshots of their investment portfolio.
I wouldn't do that either, but maybe just because I don't have the money to flaunt. I'm not particularly proud of my net savings.
I know that they're doing it to backstop their personality, but it just seems to me to be so outside of normal behavior. People might talk about how great their investments are, but to show screenshots after they've logged into their accounts or scans of statements, you're trying too hard to convince me.
Yeah, I would agree.
Early on in the romance scams, because the scammers are almost always overseas, there were these really difficult communication times. Where the person claimed to be was never really the time zone when the person was available. Like, “Oh, I'm in Europe.” But they're never available to chat during a European time zone window.
I think they work graveyard shifts because I never had that issue. I'm based in Pacific time and I never had an issue contacting. In fact, the person that I ended up, I guess, going all the way with in terms of carrying out the scam was available during my hours. If you're asking if there was a lull because of the time zone differences, there wasn't.
Interesting. I tell people this less and less as a protection these days. Were there grammar issues? Was it a pretty good use of English?
There were grammar issues. I think some of the things that we're seeing were very obviously like a copy-paste from Google Translate. However, it's not that you can't have a conversation. It is a conversation, but they're just like those things. Also, I have the advantage of knowing what I was getting into.
I think for me, it was a lot more obvious. Hey, these are probably foreign actors. They also act to position themselves as someone who was born overseas, I think, to cover for that. I did notice the grammar. They didn't sound like native English speakers, but I think they cover for that pretty well.
Yeah. If you're saying, “I grew up in Germany,” or, “I grew up in some other country,” that's the reason why the grammar or the anecdotes aren't what we would normally expect to see. Even if the person is claiming to be, “Hey. I'm in San Diego” when you're in Los Angeles or something like that. That justifies it because they have different upbringing. How did they introduce the crypto element?
I think it really starts off from the profile or from that initial conversation. If it is an app where you can answer certain prompts, they talk about being successful financially. Then they'll scatter in some, “Hey. You're so beautiful, blah, blah, blah,” and then they'll ask, “What did you do today? I made $10,000 because of Bitcoin.”
A few days pass and they're like, “Hey. Would you like to get involved? I'm really doing well with this. I want to share it with you. I can teach you how to be as successful as I am.”
It's actually funny because now that I think of it, I didn't think about this, but my scammer boyfriend—I don't have a better name for them—they mentioned Bitcoin, but what I invested in was not Bitcoin at all. There's a disconnect there, now that I'm realizing it.
I actually did another thing that makes them very tech-savvy. I didn't mention this, I don't think. They have a fake crypto exchange platform. They'll eventually tell you, “Hey. This is way better for what we're trying to do. We usually use this. It's a foreign-based crypto exchange or trading platform.”
These usually do not have a presence on the app stores or even a Google search. That's another way for individuals to check out to see whether it's a legitimate site or not. Of course, it's completely manipulated by them. You're seeing huge returns with 100% returns in just a few minutes.
You're seeing 100% return on their platform when the actual crypto market's down 30%.
Yeah. There's a reason for why they're able to, I don't know, short whatever currency. The platform also has 24/7 customer support. Actually, this was kind of a funny thing for me. I forgot my login credentials, so I tried to log back in. I wasn't having any issues. I was having issues and I'm texting the person on the other end saying, “I'm having issues. I'm running into issues.” And he told me to go to support.
After a few minutes, the person writing to me on the support line basically gave me my credentials, which from a legitimate platform, no one's going to send you, “Oh, by the way, this is your username and your password.” You either have to go through a password reset or they'll send it to your email, which they verified, but there was none of that.
My point in bringing that up was, though, it feels very real. You see the values change. If you look, the actual cryptocurrency values that they share on the platform reflect real-time value. They're using some public API or information to show that, “Hey. This is legitimate.” But again, if you do a Google search or app store search, the search engines don't index them.
Yeah. I've had a number of people who have contacted me because they're like, “Hey. I think I'm being scammed out of this crypto scam. I have the money on this exchange. I never heard of that exchange.”
I just Google that exchange and the word scam and it's just like post, after post, after post of people saying, “This crypto exchange is a scam.” Or I run the domain through Whois. The domain was created 15 days ago. I'm like, “Yeah, I don't think you can be a leading cryptocurrency exchange when you've been around two weeks.”
Yeah, I went through the same process of looking at Whois. I think the one I looked at, they had the privacy controls on it, so I couldn't see. That's also, I don't want to say, always a red flag. But again, if you add all the pieces together, I would not feel comfortable putting my money in that.
Yeah. I suspect as some of these scams are not being run by individuals but organized crime, they probably have been going out and buying domain names for years in plans of using them for things in the future so that there is an age to the domain name and it's not just, “Hey. It was created yesterday.” “No, it was created three years ago.” Everyone's going to go, “Oh, it must be legit.”
Yeah. I actually have experience supporting that. At Facebook, not on domains, but we did deal with a malicious actor that basically bought up a bunch of the generic Instagram handles, so things like leaf, autumn, or summer. They just held onto them for years, and years, and years to build that legitimacy to gain followers, and then they would later sell them. That does happen.
Your crypto-scamming boyfriend, do you know if it was organized crime or if he was just an individual and a couple of his friends?
I didn't learn that they were likely tied to organized crime until much later. I don't think this is just one benign or just a one-off actor. Actually, this is another thing that I mentioned. The way that crypto remittance works is that you have an address. Think of this as your bank account number or equivalent to your bank account number.
On the exchange, I sent the money to the address that was specified. It was $100 worth of crypto. What I did then was I searched that address on Etherscan to look at the transaction history of that particular address. In total, I think it was something over $130,000 that had been moved through this wallet that was supposedly just tied to me. I certainly didn't spend that money.
It gives you an idea of the scale at which they're operating. I don't think it's just one or two friends just trying to have fun or run a small-time scam. I do think it's a lot more organized, actually, especially with the website, the 24/7 support. As other folks in the industry are doing their own investigations, we are learning that it is a lot more organized than we thought.
Do you know where the scam was being run out of?
I don't. I only know what I've been reading afterward. I have read that they are likely coming out of Southeast Asia. That's all I know. It's Southeast Asia, but it's a lot of, I think, organized crime that is based in Southeast Asia is what I know.
I know that different types of fraud can sometimes be geographic in terms of this is just what the crime community in that geography knows how to do, and they just continue to excel on it. Other ones are pretty much non-discriminatory—they’ll operate from anywhere in the world.
Yeah. We do see different fraud coming out of different regions. We talk a lot at Sift about the fraud economy. What we mean by a fraud economy is that it is a very sophisticated network of cybercriminals. They're coordinating with each other. They have turf wars.
I saw this firsthand at Facebook as well where you have certain scam rings or spam fraud rings targeting certain regions but avoiding certain regions. You can all see this on the back end where they're like, “Oh, we're not going to target users based in XYZ countries.” My theory on that is because they are kind of honoring each other's boundaries, I think.
There's a fraud economy. It is very organized. They coordinate with each other. They buy and sell different types of services and skills that they have. We see this in the dark web, Telegram forums, and such.
I had a recent interview with Jack Whittaker, who has done research into fake pet scam, fake pet sites. To him, it was really interesting that you're talking about the scam economy. The web developers that would make the site do have a legitimate web development business that they do, and one of their customers just happens to be the pet scam ring.
There's this weird, kind of, everybody has their specialty. The people that know how to launder the gift cards from iTunes. Then you get the people who know how to do the Google Play gift cards. That everybody has their specialty and this is a loose affiliation of how they work together. It's pretty crazy. It’s scary.
Yeah, and they have their own sort of honor amongst thieves and code of ethics. In Telegram forums, we see people being ostracized by the community. If you're a scammer that scams scammers, you're shunned by your peers or colleagues. I don't know what you would call them. But they do have this sort of honor code amongst themselves.
You're allowed to scam the rich people, but just not us.
Yeah, exactly.
I'm taking a step back and I'll bring us through. What do you see as where things are going with scams in general? If you'd asked me five years ago, I would always say, “Get on a video chat with a person as long as they're not having ‘technical difficulties.’ If they get on a video chat, you at least know that you're dealing with someone. If that face doesn't match what you saw on the profile, end it.”
I'm not asking you this personally, but deep-fakes are no longer 20 years in the future. The Tom Cruise deep-fake, that's one thing. That's a lot of work. You've got actors and voice artists, but how long is it before that stuff starts to become accessible to organized crime and telling people, “I'll just jump on a video chat,” is no longer going to be a safe thing to do?
I think we're more than halfway there. They do exist. I come from Facebook and we're dealing with misinfo and things like that, so you do have the deep-fakes. I think there was one of Obama a few years back that looked pretty good.
There's definitely a difference between a staged “we have three weeks to build this deep-fake” and a real-time video chat.
Yeah. This is where I see companies moving more toward upping their authentication for real users. Another big move that we made at Sift is really pushing for passwordless authentication using biometrics. There are biometric ID tools where you can tell if something is fake or generated.
As a point of clarification for me, would this be the sort of thing when the user creates an account, they can upload a profile picture, but they actually have to, within the app, take a photo of themselves within the app, and then it can kind of compare the two?
Obviously, you don't want to do 100% of your users because that would insult a lot of your well-meaning users. Just understanding, again, if this user has also had 100 other accounts created from the same IP address in the last 30 minutes. I'm not saying that's the criteria people should follow, but let's say that is a highly fraudulent signal.
OK, maybe for those users, we want to force them through this verification process that says, OK. I'm not talking about holding up your face because there are a lot of caveats to that, I'll say. I don't think they're matching necessarily whether something's authentic or not. Authentic, meaning a live person. But you can say, “OK, we'll put them through like a face ID type of scan, a facial scan, or a movement having them move up and down and things like that.”
Yeah, and that definitely helps weed out the guy who runs 50 accounts and everybody on the account looks different than the actor.
Yeah. I will say the industry, we're in a tricky space, though, because you want to balance the right amount of friction that you throw out. Again, your well-meaning users, you don't want them to feel violated. You don't want them feeling violated. You want to get the right people, the people that are going to wreak havoc on your platform.
Again, with the right tooling and signals, I do believe it's achievable. I do think that that's where it's going to have to move, especially with the sophistication. Something we haven't talked about was the rise of synthetic identity fraud.
That's when people are using components of real individuals, Social Security numbers, to look like they're Chris Parker coming from New York. That information actually may belong to you, but it's in the hands of the wrong person. How do you get better at verifying that it's the actual Chris or Jane opening an account or opening a profile? I think that's where we're headed next.
I think some of the challenges, particularly with credit and identity, is that all these things were designed well before modern technology and the thought that people would actually try to create fake identities and steal identities. Trust was almost implied in the way a lot of these old platforms were built. Now, you have to build platforms with less trust involved in the platform and be a little more skeptical about, “Is this really who they claim to be?” Whether it's an API handshake or if it's a person using an app, it's a little less trust these days. And that's probably necessitated.
As we wrap up here, are there any particular resources that Sift has where people can keep abreast of what the latest is in the fraud landscape?
Yeah. If people are curious about understanding, we put out a blog a few months ago on pig butchering. It outlines the step-by-step process. It has pictures or examples of pictures, screenshots, and things like that if anyone's curious to take a peek and see if it matches up to what they're dealing with if they're suspicious of someone they're talking to. We also have our recent index report that we issue quarterly. All of those are available on our website, sift.com, if you'd like to take a look and learn more.
Definitely. For those that are listening that don't want to try to figure out how to find it on the website, we'll link to those in the show notes and make it easily clickable for everybody.
Is there any way people can find you and more about Sift online, social media accounts?
Yeah. This is always a balance for me in my online life.
If you don't want to, that's fine.
No, totally fine. LinkedIn I would say is the best way to contact me. I think if you just search for Jane Lee Sift. I think I'm the only Jane Lee at Sift. That should be the way to get in touch.
And then Sift's social media presence?
It's linkedin.com/getsift, and then we have the @GetSift Twitter handle.
Awesome. Thank you so much for coming on the podcast today, Jane.
Thank you.