There may be errors in spelling, grammar, and accuracy in this machine-generated transcript. Earmark CPE: Are you an accountant with a continuing education requirement? You can earn free Nasba approved CPE for listening to this episode. Just visit earmarked app in your web browser, take a short quiz and get your certificate. Caleb Newquist: Hello and welcome to Oh My Fraud, a true crime podcast where the victims stay above ground while their finances get dead and buried. I'm Caleb Nyquist. Today on the show, Kimberly [00:00:30] Sutherland. She is the global head of fraud and identity at LexisNexis Risk Solutions. So you might be wondering, who is this person and what is LexisNexis Risk Solutions? Well, LexisNexis is this big data and analytics company. They help businesses and governments with a lot of different things. Maybe you've heard of them, maybe you haven't. Anyway, Kim leads their global business around fraud and identity. They put out [00:01:00] lots of studies and white papers and just interesting information about all kinds of different fraud. And we got the chance to talk to her and some of the things that they put out, you know, the white papers and whatnot. And one of those things was the reward and loyalty points. Fraud. And so that kind of led to us doing our last episode where we kind of found some stories and talked about that stuff. And, [00:01:30] um, but we also got to talk to Kim. And so this kind of serves as a nice companion to our last episode. And we had a nice conversation. We'll get to that in a minute. Caleb Newquist: For now, how about a review? A couple reviews. Okay. From Apple podcasts. A relentless Arizona, I assume, writes very five stars. Very interesting. Plus CPE. I've been listening to this podcast for CPE lately, and it's the most [00:02:00] interesting CPE I found out there. Oh, the most interesting CPE you say? That's that's very nice. Thanks for saying that, and we're glad you think so. It's we we we like it. We keep doing it anyway. People seem to like it. Thanks for the review. A-z relentless, also from Apple Podcasts. Burton J, 87, writes funny and informative five stars. I'm amazed at the ingenuity and complete lack of morals of the characters in these stories. [00:02:30] After listening to nearly the entire catalog, I'm a bit more cynical and less trusting in a good way. You'll learn a lot and be entertained. Easy as CPE ever. Uh, yeah. Thanks for the review. And totally agree with you. Um, the reason I think the reason we are able to, you know, do so many episodes is that there is no shortage of ingenuity and kind of creativity when it comes to fraud. So there's [00:03:00] plenty of episodes to go, I think. I don't know if we run out, I'll let you know. But anyway, um, yeah, the whole catalog is nearly 100 episodes. Caleb Newquist: So for those of you that care about the CPE thing, then that's a lot of hours. Go to earmark, sign up, listen to an episode, take a quiz, get all your credits. What else? Oh yeah. Reminder to check out the YouTube channel for clips and listen to the episodes there, if that's where you prefer to do [00:03:30] your podcast thing. Also, we've been posting reels on Instagram again, so if you like that particular advertising Mecca of a place, check us out there. Uh oh. My fraud pod is the handle. So yeah, back in action over there. Also, if your organization or event needs a keynote speaker, a webinar, or just a friendly conversation on fraud or ethics. We can talk about that. [00:04:00] Email fraud at your CPE. Com to get more information on pricing and availability. Okay. Kim Sutherland we had a nice conversation. And as I said, if you're you're curious about the rewards loyalty fraud topic from our last episode, if you enjoy that episode, then this will be a good follow up. Yeah. All right. Here's me with Kim Sutherland. Enjoy. Caleb Newquist: What's [00:04:30] a typical day for you? Like? Like what comes across your desk on a typical day? Kim Sutherland: So all day, I help companies find out ways to strengthen their online programs, improve the way that they are adding new customers and protecting the accounts that their existing customers have. Caleb Newquist: So do you talk to a lot of like, chief security officers or like who's who's like a typical who's your who's your counterparty in a lot of those situations. Kim Sutherland: Yeah. [00:05:00] So it's really interesting to watch this. Most of the work usually comes in through, um, leaders of fraud businesses, the fraud division of their business. Um, but what we've been seeing is more of a collaborative effort where it could be the fraud teams, it could be their marketing teams, it could also be, uh, cyber security. And we're starting to see things where fraud, cyber, even, uh, anti-money laundering, AML, um, are starting to become more like a fusion center where they're really learning how to work together to [00:05:30] protect their business and strengthen the the trust that they have with their customers. Caleb Newquist: And just out of my own curiosity, does that roll up into compliance for like, big enterprise businesses usually, or how's that structured? I'm just curious. Kim Sutherland: It really depends on the organization. So sometimes it could be in the compliance side. And then that you also have like your legal teams that are involved in that piece of or your to be with information security. Um, but also it could be in the operations team. So the, the way [00:06:00] that businesses structure that part of their business really does vary. Caleb Newquist: All right. Interesting. Okay. Very good. So today we're talking about uh, reward and uh, points fraud. Is that like how do you refer to it? I'm just curious, am I is that the terminology or is there terminology that's common? Kim Sutherland: Yes a loyalty um, points if you think about the way that businesses are trying to strengthen the relationship and give consumers more, um, value in [00:06:30] the relationship they have. So it could be loyalty or it could be rewards where they're actually getting something back. Caleb Newquist: Yeah. Okay, cool. And this is this is a relatively I don't want to say it's unknown because I you know, I did some I did a little bit of research and like there's definitely stuff out there. But in terms of common types of commercial fraud, this is a little bit below the radar. Is that fair to say? Kim Sutherland: I think it's definitely below the radar. It's an area that has [00:07:00] been growing for many years now. So the global loyalty management market is over $13 billion. Caleb Newquist: Okay. Kim Sutherland: Almost every type of company that you can interact with has some type of a program to really reward their existing customers and to keep them to be a long standing customer. So everybody's very familiar with airline points and getting, you know, points for that. [00:07:30] You have, you know, points associated or rewards with your credit card companies. But now it's everywhere you go. You go to restaurants, you go to your hairstylist, um, you it doesn't matter. You go to your auto mechanic. The whole idea around, uh, adding more value in the relationship and strengthening that relationship with some type of a reward is is everywhere, even in schools? Caleb Newquist: Yeah. Yeah. So obvious one for me. [00:08:00] Well, you know, I wouldn't say an obvious one for me, but like one that I have used for a long time, but I don't use as much as I used to, is my Starbucks gold card, which I load with money and especially like if we're going to the airport and I can order from the app and we're on the train getting to the terminal and it's like, right there when I pick, I'm like, there is something very satisfying about that. So that aspect of Starbucks business, it's kind of like a mini bank within that company. Is that a fair characterization? Kim Sutherland: Um, loyalty points are [00:08:30] a form of digital currency. So it makes sense that you are associating that with a bank. Uh, people treat it the same way that they would treat their savings accounts in terms of allowing that balance to increase, paying attention and thinking about the value of what it means to their lives and the things that they can do with it. No different than if you're planning for a vacation. Are you planning for a vacation with your dollars? Or are you thinking about all the different rewards that you may have with your hotel and your and [00:09:00] your airline and your rental car company? Or are you thinking about what are you going to do each day as you're driving to work, and you don't want to have to pay for your cup of coffee and a piece of banana loaf? So those. But you know, it's currency. Definitely. Caleb Newquist: Yeah. So this is kind of as you pointed out, it's reward points have kind of evolved to almost be ubiquitous, I think. I think you the [00:09:30] airlines I think you're right is like what people most commonly think of or hotel points like those have been around for a long time. But yeah, now coffee and, you know, um, you know, I think we get points at the Michaels art store every time we take our kids, you know, like we're racking up points for for a big box art supply store. So in terms of the fraud that affects these programs, what's been evolving as these programs have become more widespread. Kim Sutherland: So as more [00:10:00] programs exist, we all have access to even more. The average person has between 16 and 20, um, loyalty programs that they belong to, but they're only paying attention to a fraction of those. That is why it becomes a great target for fraudsters. They understand the value, um, of each of those rewards points, and they're going to pay more attention to those that you're not paying attention to. Caleb Newquist: So and we covered some of [00:10:30] well, what are I guess in terms of the most sophisticated programs is aside from airlines, what we've mentioned in like hotels. What are some others that are, you would say that are kind of maybe incumbents when it comes to maybe incumbents is the right word. But like in terms of royal points and rewards programs, what's what what industries are kind of has the most sophisticated programs? Kim Sutherland: Yeah, I think the most sophisticated programs are really around the credit card companies. [00:11:00] Okay. As you're getting those points, as you are, uh, using your, your, your card for different payments, but we're seeing the increase in everything from, uh, gaming organizations that are rewarding you for online gaming to even the time you spend in app where you could be, um, even streaming. So there's so many different ways that you could have, um, the whole gamification of the use of a service or of a payment transaction. [00:11:30] Uh, so that's it's going to be an ongoing opportunity to gain those points. The concern is the, uh, value of the points and losing them. Right. How do we protect them? And the focus has been much more around traditional currency. Um, so when you think about protecting a bank account, very different than what people think about when they're protecting their rewards points, right? Caleb Newquist: Okay. So walk us through like, what a typical, uh, [00:12:00] fraud scenario looks like for, uh, like a rewards program. Kim Sutherland: So it does vary by the type of industry. The most common type of fraud that, uh, can be encountered with loyalty programs is account takeover. Right? Someone else has actually done the work of building that relationship with the business, using their card, using their services, purchasing products. But now, because that account either has not been secured in the same manner that a traditional financial account has, [00:12:30] there is more opportunity for someone to actually do an account takeover. So that allows them to transfer funds into another account, or just use those funds outright for the. For purchases, because usually there is some type of relationship to be. Able to convert those points into other ways of using them. So converting them to uh, being being able to purchase outside of the company [00:13:00] that actually has provided those. Caleb Newquist: So let me I want to make sure I understand you correctly. So let's say I've got a credit card and it gives me 5% cash back or something like that. Or no, not forget about cash back for a second. Uh, say it's just, uh, 5%. I earn 5% of my purchases, uh, accumulate points. Yep. In points. And then from there, I can use that point and in, in my credit card app, uh, it'll say redeem your points today, and I will go [00:13:30] over there and say, oh, I could redeem them at Amazon. I could redeem them at American Airlines. I could redeem them, uh. I don't know. Countless. Kim Sutherland: Exactly. Caleb Newquist: Yeah. And so. And so, instead of actually paying out of pocket or using the credit card, you're using the points you've accumulated to do those. And what a fraudster can do is that they can hack into they can take over your account, and then they can either make those purchases for themselves, or they can just swipe [00:14:00] your points into account, an account they control. Is that about right? Kim Sutherland: Absolutely. So that's a pretty typical approach where it's just been a takeover of an existing points that have been accumulated. And your examples are are perfect. Uh, most people are looking at their statement, um, their, their, their credit card statement or paying attention in their app on all of the points that they're accumulating. Um, there's actually a dollar value tied back to points. [00:14:30] And, um, in on the dark web, those points, uh, have dollars assigned to them. So if I can take a large volume of points and convert those to actually cash for selling them, that is exactly how a fraudster would operate. Caleb Newquist: So you mentioned the dark web. And for people listening that aren't familiar with that, can you just talk a little bit about what that is and then also the role it plays and these types of schemes. Kim Sutherland: So we're all very familiar with using [00:15:00] the internet all day every day. Um, but there's a whole nother aspect that is, um, a little more seedy. Things are much more anonymous in nature, and a lot of the nefarious activities that are associated with using stolen information, data from data breaches. Um, there's a whole marketplace, uh, for, for fraudsters, because fraud is a business. And so fraudsters have the ability to work together to be able [00:15:30] to share information, to, um, sell things, Sell train each other even on on how to to perform fraud. Illegal activity is very common on the dark web because again, the whole goal is to do things in ways that you wouldn't be able to as freely in the most the public web. Caleb Newquist: Right? So I think so, to give maybe some common examples, uh, like narcotics, like buying and selling narcotics, uh. [00:16:00] Kim Sutherland: Every form of trafficking. Caleb Newquist: Any kind of trafficking, right? Kim Sutherland: Drug trafficking, sex trafficking, um, unfortunate human trafficking, um, all those are all common on the dark web. But, you know, where I put the majority of, uh, focus around trying to help businesses is the information that is available on the dark web and the ability to make purchases like, uh, rewards points, um, or, uh, stolen goods on the dark web. Caleb Newquist: Right. So, um, [00:16:30] at any time you hear about a data breach on the news, whether it's at I don't know, you know, a big name company and they say, oh, uh, you know, x x million numbers of account holders, uh, were exposed in this hack. That information, that data ends up on the dark web. And then the person who is able to procure that information, that's a pretty actually, uh, generous way to put it. Procure. But they they they [00:17:00] steal the information and they take it to the dark web, and there they can sell it to whomever they want. Highest bidder. Or maybe they have a partner. And is that about right? Like, that's, that's it's generally a way for people to make money. Or do you find that the people that steal it are also the ones that use it? Kim Sutherland: Both. Right. Some people are very good at at amassing large amounts of, of, uh, information that they shouldn't have access to or, or, um, any type of, of a, a product. [00:17:30] Others are really good at using that. So it is very much like a corporation when it comes to fraud, um, where people have different roles and responsibilities and the same person that steals may not be the individual that's actually using it. I just want to highlight that when when we see data breaches, because we have seen, you know, so many every year, um, all data is not always utilized. Sometimes data breaches are leakages, right? Where it's not been something that's going to be reused. But what we do know [00:18:00] is that due to the number of data breaches that have occurred over the last ten plus years, most information has been made available. So it's really important to not just verify the data that a company receives, but to also do fraud analytics, um, to to analyze it from a fraud standpoint to ensure that the data actually kind of belongs together, because we see a lot of combining of stolen information to create what we call a synthetic identity. Caleb Newquist: Yeah. Okay. [00:18:30] So we're going to talk about that in just a minute. One thing I wanted to ask about as it relates to the dark web, because I'm sure some people are wondering this, but as as cryptocurrencies have become more common and kind of more, um, yeah, just more common. And as people have developed familiarity with them, there may be sometimes be a, uh, a kind of an immediate kind of association between, like nefarious [00:19:00] activities and cryptocurrencies, which is not always the case. But can you just talk a little bit about the role of cryptocurrencies, uh, within the dark web or within, you know, uh, the perpetration of fraud more generally? Kim Sutherland: I think the key about cryptocurrency is that there is, um, less of an association with an individual. So the ability to trace is a lot, a lot more difficult than if I were to use my credit card to make purchases. [00:19:30] So if I'm going to make a purchase for something that I don't want others to know about, you know, in the physical world we use cash. In the digital world we use cryptocurrency. Um, you wouldn't want to use something that could be tied back to an account that's tied directly to an individual. And so it's going to be a combination of that or of stolen cards. Right? So that's the other side of it. So if you're not so usually fraudsters use cryptocurrency harder to trace um or [00:20:00] stolen credit cards or gift cards. All all three of those are the most common ways to, um, do fraudulent purchases. Caleb Newquist: And keep me honest here. But it's also a mechanism for money laundering, right? Kim Sutherland: 100% money laundering, you know, becomes a real challenge. Again, if you have the less direct connection that you have with being able to trace it, the more likely that people are going to try to use that to take dirty money and try to make it look clean. Caleb Newquist: All [00:20:30] right. Great. Let's go back to that synthetic identity fraud. Can you talk a little bit about that? Because I think that's something that I would I'm, I'm speculating, but that it's kind of a new idea to most people. I don't think most people have heard of it. Kim Sutherland: Yeah. So synthetic synthetic identity fraud is when you're taking either components of information. So, Caleb, your name, my address, um, another individual's phone number and date of birth. And combining that information to make [00:21:00] it look like it belongs to a legitimate individual and then allowing them to open accounts, um, use that and transact with that identity. And as they build up credibility. So trust has been gained with one business, they may even issue credit. Um, and you can you can continue to do positive things with it, right, to build your credit around that. All with intention at some point that you're not going to continue to pay for it. So that's called a bust out when they [00:21:30] when then now that fake identity has, is has um created enough of a of a credit to be able to get what they need and then no longer make any forms of payments. So that thought is a very common approach. But synthetic identity fraud can also be made with completely fictitious information. So it's not from real individuals at all. The real problem with synthetic identity fraud is that you, even if your name [00:22:00] had been used, may never know that you were part of the creation of that synthetic identity fraud. So a real victim doesn't come forward to the the bank or the retailer. So it's very hard to detect. Analytic models are probably the most common way, but in that way you start to look and see that that individual doesn't have a normal pattern like a legitimate individual they may be. Their identity emerged when they were 35, and there's no back history to that [00:22:30] individual. Um, they don't have friends and relatives, um, that you would have normally and they don't they haven't had the normal life instances that help to prove that that takes a lot of work. And so that's why analytic models are needed to be able to compare against a population of normal, um, identities. Caleb Newquist: Yeah. But as you were, as you were kind of explaining that I was just thinking through in my own mind, I'm like, oh, so she means, like, people's previous addresses and, [00:23:00] uh, driver's license numbers or passport numbers or all those kinds of things. But if you're constructing if you're constructing a synthetic person, then they don't have all those things, um, that you have. But you have to if you're going to make a, uh, if you're going to try to fool an organization like a bank. Let's keep it simple then. You have to. There have to be some kind of evidence that the synthetic person is a person. [00:23:30] Person, and that's person in scare quotes, so that you can then take out a big loan and then never pay a cent back. Is that kind of. Kim Sutherland: That's right. Caleb Newquist: Yeah. Okay. Kim Sutherland: And that's and that's why financial institutions, um, are responsible for and knowing your customer um, SIP program. So customer identification programs where they are verifying name and address and social Security number and date of birth and a host of information to be able to understand whether or not that individual [00:24:00] truly exists. And then if you are that proper holder of that account, it's when it's other types of businesses that may not have that same level of rigor that is required. So maybe a retailer or a telco that do proper identity verification. Possibly, but they may not need to have the same number of data elements in that process. So maybe I don't need your Social Security number. And so I can start to help in I can I can onboard you [00:24:30] um, without having to go through all the same checks. Sometimes synthetic identities start with a smaller type of a business, maybe a jewelry company. Then as they strengthen that process, that's when they can then be used also with the financial institution. And it makes it so much harder for them to detect because they have a credit line, a credit report, just like, um, a legitimate person. They've worked through all that whole process. They may have been misusing a Social Security number. Um, and [00:25:00] no one even has, uh, seen that correlation. And so because of that, the the federal government now has even tools in place to allow you to to confirm that the Social Security number is valid and is tied back to the identity that's presenting it. Caleb Newquist: Okay. All right. So if I go back to the rewards schemes that we were that we're talking about an example again, I think credit cards are an easy one. But you have you have a credit card. It's [00:25:30] got a it's got a points, uh, system that you accumulate and you, you accumulate points by making purchases. So conceivably a fraudster could, uh, in, in the case of a synthetic identity, uh, the identity, the synthetic identity could open up a credit card, uh, and make probably legitimate purpose, uh, purchases. But they could be doing those fraudulently, like, they could be, um. While [00:26:00] the account is real, I don't know, maybe I need you to walk me through that. How how how does that. Can you just explain how that would work? Kim Sutherland: So one concern would be if you opened up multiple accounts. So you opened up Um, an account with the real Caleb. And then the fraudster opens up an account, multiple accounts under different names so that they can amass those points. Um, and the and and that is a problem [00:26:30] for the company because now they're issuing points that should have never been issued. So we see that type of abuse, especially with, um, any type of a bonus. So if you're going to get an extra $200 for opening an account, or you're going to be able to, um, get some type of, uh, set set of rewards points for, for, you know, for just the opening of the account, that means the fraudster is going to target themselves at trying to open more accounts so that they can get those. If the points are based [00:27:00] off of usage, then the issue is again, how do I use the account more to be able to, um, get those points. So reward unused rewards points. Um, is a $100 billion of unused reward points are out there because people are amassing the points and they're holding on to them. I hardly use my points, right? I don't know what number I'm trying to strive for with the different companies I work with, but that's a very common behavior, right? We hoard our points until [00:27:30] we really need them. So that means that fraudsters have a great volume that they can go after. Caleb Newquist: Mhm. Yeah. Okay. Interesting. Reminds me of that old um I think it's a, it's like falsely attributed to, uh, an old bank robber whose name I cannot remember. But the saying is it's like, well, why did you rob the bank. And he says, because that's where the money is. So in this case, you have you can imagine fraudsters saying it's like, well, why are you stealing [00:28:00] rewards points? Because like, well, because there's a lot of them and they're valuable. Like they may not be cash, but they're as good as cash. Oh, interesting. Okay. Very good. All right. Um. Oh, here's kind of an interesting question that I have. To what extent are there insider threats on in some of these loyalty programs? So whether that's a credit card company or whether that's an airline or a casino or something like that, or insider threats, something that's common and um, and [00:28:30] to and to what extent? Kim Sutherland: I think insider threat comes in multiple ways for rewards points. If we think about the ways that a third party could assist, um, a consumer. So let's use a travel agent. A travel agent could work with the actual, uh, person who's, uh, the actual consumer to be able to, uh, book the trips. If points are being accumulated, they may not be going to [00:29:00] the actual passenger, the actual person going on the trip. The, um, agent could be taking those points for themselves. So there are a lot of third party, agents in different parts of the things that we do for you on a day to day basis. Um, so it could be in purchasing a house. It could be in, um, buying a car, things where you actually have another agent working on your behalf. Um, that becomes an insider way of being [00:29:30] able to, um, take the points that you didn't even know that you were gaining from that process. So that's a concern for a lot of companies that issue rewards points. Being able to actually use those points internally, uh, to to put them across different accounts is another challenge that that businesses run into. Um, so there definitely are insider threats when it comes to rewards points. Um, whether it be through an agent of some type that works on behalf of an individual or [00:30:00] an actual employee of the company. Caleb Newquist: A little sidebar is part of your job just imagining how to commit fraud all day long so that you can tell people how to prevent it. Kim Sutherland: Um, I do think that we try to figure out, and we have such great professional services teams that are working day to day with, uh, businesses that they identify ways that could cause another way to to commit fraud. And so [00:30:30] I think that sharing and, um, being very imaginative in how you can overtake an account is something that works very well for fraud, you know, fraud fighters. Right. And so I think that every person in that type of a role is constantly trying to put themselves in the mind of the fraudster. Caleb Newquist: And one follow up to that is there. I mean, and I'm not asking you for anyone specific, but a business like LexisNexis Risk Solutions, if someone decided rather than break bad [00:31:00] that they want to break good, would you would you hire that person for a job? Would you be like, yes, bring us all your crime knowledge so that we can figure out what we don't know is that is that. Has that ever happened or is that something that you guys consider? Kim Sutherland: Well, I mean, I think if you, um, have watched movies like Catch Me If You can. Yeah. Or, or others, you know, scenarios where someone has committed such an egregious crime. Um, they've come back to share information, uh, [00:31:30] about what they did and how you can now work for good. So there's all kind of ethical hackers. Caleb Newquist: Um, white hat hackers. Yeah. Kim Sutherland: That know how that have had, um, bad stints and now working for governments and commercial organizations to try to, you know, help people prevent that from happening. Um, so I think it's very interesting to talk to those individuals. Yeah. Um, we often, uh, contract with them. Caleb Newquist: Contract basis. Yeah. Right. That makes [00:32:00] sense. Kim Sutherland: On, you know, um, I think that hearing their, their story, learning how they think is really helpful. I've never hired someone like that. Caleb Newquist: Okay. Yeah. Fair enough. Keeping them at arm's length, I understand. Okay, cool. Um. Let's see. So let's talk a little bit about detection and prevention. Um, again there's, there's, you know, a spectrum of sophisticated programs out there. So on one end you have stuff that's [00:32:30] super sophisticated. What do they do? And then kind of for nascent programs like what are the basics that you see organizations implement. Kim Sutherland: So it kind of goes back to the core of trying to prevent new account opening fraud, um, or account takeover fraud. And the two things that or the things that we really focus a lot on is trying to have layers of security. It can't be. There's no magic bullet, um, when it comes to trying to [00:33:00] prevent fraud. But it does start with, uh, assessing the risk that's associated with the device that's being used. So typically fraudsters are not just going to do something once. So their laptop or their mobile device that they're using probably has already been associated with other activity. That is you know, that's fraud. So being able to assess is that a known, um, risky device, um, or doing things to your device, to a jailbroken [00:33:30] device where you've actually changed the way that the device itself works, the security system, the security around the device, um, maybe made it easier to be able to go between different carriers. Um, so you've done some, some way to unlock the device to be able to use different SIM cards. Um, all of those kind of things are really important to understand. The location in which you're transacting makes a difference. Um, so being able to understand the digital risk [00:34:00] around the transaction, uh, While the device is being used, where it's coming, where the transaction is coming from, how the device is being used. Kim Sutherland: Because we even see situations where multiple devices are being connected in a device farm, there's no individual connected to the device. There are scripts that have been placed on these devices that are sitting in racks. So is the device moving naturally as we would expect it to? So those are the types of things that we're trying to understand. Is it a human [00:34:30] or a non-human meaning like a bot? Um, a script that's actually driving this behavior. Um, so that's the first thing to look at, um, the digital risk. Then we start to understand more elements around the email address that's being used. Um, the phone number that's used, those types of things, we see that, um, it could be a, a throwaway phone number. Right. So they're using a burner phone. Um, it could be an email address that's, um, from a more [00:35:00] risky, Um domain. So understanding those aspects and then we can look at the actual physical identity, um, their name, their address, um, their age. And so all of those things come into play. That usually is a really important around the new account opening side on the um, account takeover side, um, is ensuring that you haven't seen, again, that same device accessing multiple accounts because [00:35:30] that would be a definite sign of, of of risk. One real strong area, um, that strengthens account takeover is changing account details. Kim Sutherland: So there we all change at some point, possibly our address. Or maybe you change the email address. But before those types of changes can occur, most businesses that are trying to prevent account takeover fraud are paying attention to the information that's being changed. Is it actually tied back to that individual. [00:36:00] So do I trust the new phone number that has been given? And let me make sure that they have possession of the phone, that there aren't other risk signals tied back to that. And then the email address, the same thing. Most individuals have only a few email addresses. I have like 15 that I use. Um, it's very abnormal. Um, so people hold on to their same email address for many years. And even though I have like 15, um, because I like to segment my life [00:36:30] and then I help manage other people's lives, like, my husband never checks his email. So I just like, you know, check it for him. Um, but you know, those types of examples, but I've had the same email address, um, my primary email address for probably 20 plus years. And that's the more common thing that people hold on to that same email address. So there's constant changes of an email address with one account. That's a high risk scenario. Caleb Newquist: Hmm. Very interesting. And so for LexisNexis [00:37:00] Risk Solutions, is it part of what you all do is like is like putting all these pieces together to be able to identify patterns and to kind of pinpoint, not pinpoint. That's maybe too precise, but you're looking for abnormal data patterns. And and is that part of what you do. And what else what else kind of services does does your organization provide? Kim Sutherland: Yeah, I think that the you know, there are [00:37:30] always more good consumers, good businesses than there are bad. So we focus first on how do we help enable good customers to be onboarded, to be able to transact and add new services and new accounts. So being able to validate that someone is a legitimate customer is very important. We also, on the other hand, from a safety and protection standpoint, Point. Try to help him prevent fraudulent activity of a [00:38:00] an individual or of a business. Right. So there are just like there are synthetic identities we talked about. There are synthetic businesses. In a sense. All businesses are synthetic in a way. Kim Sutherland: Right. Caleb Newquist: Right. Kim Sutherland: They're not organic nature, you know. So no being able to detect if it is a, um, a real business or something I just made up and it doesn't have all of the proper licensing and placement and the government, those aspects from a business standpoint is important [00:38:30] as well. So LexisNexis Risk Solutions focuses on being able to help businesses verify and authenticate the authenticity of an individual of a business. We also help in using data and risk signals, um, as well as technology to, um, help in more safely working with Companies and working with individuals. It's not just with [00:39:00] fraud detection, but we talked about anti-money laundering. Yep. So we help in trying to prevent any financial crimes. And then also we have with onboarding, uh, individuals that may have thinner credit files they to with, um, the ability to extend credit decisions to them as well. Caleb Newquist: I want to ask you something that came up in a recent conversation I had, which is when you have a when you have a perpetrator of fraud [00:39:30] and as you said, uh, many fraudsters, they don't just commit one fraud. You know, they they have several things kind of going on. If that person has a, uh, paper trail that shows that they're engaging in illegal behavior. Are there things in place like, for example, can banks identify these people more easily and prevent them from opening new accounts. Or can they? Or [00:40:00] if they create like an LLC and they try to open an account under that LLC, are there mechanisms in place that identify those people? In a way, I'm trying to it's kind of like, and this is, uh, kind of a I don't mean to give such a dark example, but like registered sex offenders like those, there's databases that have those people in there. And when, like they move into your neighborhood. Yeah. Okay. So then can you talk about, like, the fraud database because that's kind of that's kind of an interesting thing. And I guess I'm not familiar with it. And [00:40:30] but that you're saying it's proprietary for LexisNexis. That's something that you all keep. Right. It's not a it's not it's not a public thing. Kim Sutherland: No. So last year, um, as a to give you an example, last year we saw over 120 billion transactions around the world. So that's a lot of intelligence that we get from every one of those transactions. Right. And we try to give our customers the ability to share fraud feedback. And that's extremely valuable in [00:41:00] helping to prevent the next fraud attack that could occur to a business. So we have a proprietary network that looks that allows our customers to be able to share insights with one another. They can create smaller subsets that maybe are very specific to an geography and an industry. So all the banks, major banks in a particular country in the UK, for example, work together [00:41:30] to share information. Um, we have the same in Singapore. Uh, we have banks working together in the US. We have companies across multiple industries sharing insights with one another. Those are the types of things that shared intelligence makes a humongous difference in trying to quickly detect and prevent fraud and onboard safe customers. So that is a really important aspect. Going to your example with sex [00:42:00] offenders, those are databases that we can help in providing additional insights at one point. Um, sex offenders were registered only within a smaller jurisdiction, so each state had their own database. Sex offenders do not stay in one location. Um, so it was important to be able to build networks, to be able to have a database that looked across jurisdictions. So now that's a very common thing to have the ability to [00:42:30] look across. And that's the same thing that happens in traditional fraud as well. Fraud does not stay within any country. We see the same fraudster transacting in the US and in France and in South Africa. So being able to look at it from a much more holistic standpoint. It's something that companies like LexisNexis Risk Solutions has a strength of being able to do, and to allow it easily to be interacted with in real time decisions. Caleb Newquist: Okay, [00:43:00] let's let's talk a little bit about what organizations, how they respond to these, uh, when this kind of stuff happens. So like you've got a rewards program and, and, um, something terrible happens. There's a, there's a big leak or a big hack. And I think, you know, one thing that we haven't really touched on, but is kind of obvious when you think about it, but like these reward programs, they're optimized for customer service, right? They're not optimized [00:43:30] to keep the the digital assets, you know, the points safe. That's not their main priority. They want they want their customers to have a really good experience, and they want them to feel good about the points or the rewards that they're earning so that they continue to do those things. So in the case of a organization that has something go wrong where there is a fraud or there a leak or some kind of, uh, something transpires [00:44:00] that's bad, that's a bad situation for the company, right? Because all of a sudden you have all these customers, you have these rewards members or loyalty members or whatever it is that the sense of betrayal or the sense of failure on the part of that rewards, that's that's probably feels pretty awful. So how does a how does an organization kind of respond and recover from a situation like that? Kim Sutherland: Um, I think that consumers are definitely seeing the importance around security. So, [00:44:30] um, when we think about the three things, um, when we think of a triangle around risk with, we think consumers care about privacy, they care about security, and they care about convenience. Depending on the type of business it is and the type of transaction they're making, 1st May outweigh the other. Convenience for consumers is always at the top. So if you're going to have to go through a ton of hurdles, they're not going to be quite interested in participating, right? But when [00:45:00] when something goes bad, consumers turn towards security. So they want to be able to see that the business is taking this seriously and is trying to protect the accounts that they are collecting, those those rewards points in. I think the big thing that we're seeing is the need for treating the rewards and loyalty programs the same way that you would treat, again, protecting currency within a business. And so [00:45:30] the companies that have really built their brands around these, these programs, um, have, have now put someone in charge that is looking at it from a fraud standpoint as well, really trying to make sure that it's not just about the marketing side of it, but also about the protection of those. So that way people can safely grow their accounts. Caleb Newquist: What are some techniques that businesses are using in order to encourage, encourage consumers to us to [00:46:00] be more vigilant when it comes to their reward and loyalty programs? Kim Sutherland: So because consumers again want to focus on convenience, they're most of the activities are passive in nature. And the consumer may not even realize it's happening, but it is to protect their, uh, access to an account. So we're seeing more, uh, embedding into, um, their mobile apps. So mobile apps are typically consumers in general have gone now towards digital [00:46:30] transactions, as we know, mobile over uh, a laptop, for example. So mobile transactions have the highest, uh, growth. And mobile apps um, are probably the leading area where we're seeing consumers want to transact. And that's great for businesses because you can do a lot with incorporating an SDK that has more security features. So we're seeing more, um, time focused on trying to strengthen that mobile app that the business has. [00:47:00] And then within that they're doing more options around authentication. So trying to find the authentication method that the consumer is willing to use. Because I always say the best form of authentication is one that a consumer is going to use. Um, there are a ton of authentication methods, but if it's too hard, if it's, um, you know, takes too much time, um, a consumer will go to a different business. So it's very different than an employee who will do whatever form of authentication that their employer requires them to do. Consumers are just not that diligent. Right? [00:47:30] Caleb Newquist: It's so interesting. You can give me your personal take on this because I'm, I'm I know that you're you use it as well. But like two factor authorization feels like it's just like it is threading the needle so well, because every time I log into my bank, I'm asked for it, right? Every single time. Every single time. And I think, oh, this is kind of tedious. But I also there's the other part of my brain that says, shut up, this is keeping your money. Like [00:48:00] there's the that seems to be and again, as you pointed out earlier, there's no silver bullet. Like there's not one thing that's always going to prevent fraud. But like two factor authorization or authentication seems to do a pretty darn good job of of finding something that people are willing to keep doing, but is also there's kind of some tedium around it, but not so much that people like, reject it. Kim Sutherland: Yeah. I mean, I think that there's so many different [00:48:30] ways some businesses are adopting something called a passkey that makes it almost transparent, as long as you're using the same devices to be able to access your account, and being able to bind the device to the account and to the individual is the key, and there's no one way to deal with it. Um, but it definitely, uh, is very important to be able to have that connection, to be able to prevent fraud. So it's not just [00:49:00] it's a safe device, but it's a safe device that's being used by the individual for the account that is in question. Caleb Newquist: Yep. It also calls it again, this is kind of stream of consciousness here. But like more so I see that, uh, when I'm trying to log into something, they'll say, oh, go to your YouTube app and respond that and confirm that it's you or, you know, I think it's I think it might be within like networks. In that case, it's we're talking about [00:49:30] Alphabet or Google. But that's something that has kind of emerged in the last few years that is I'm seeing more often is like, oh, you can verify this by going into an app rather than, uh, you know, putting in a code from a text message. So, yeah, it's it's interesting to see how that's evolving. Kim Sutherland: And once the device and the account has, uh, we've been able to bind it and you've had a strong onboarding, you can actually use things like biometrics for subsequent transactions. [00:50:00] So using your face to be able to access, um, an account is something that consumers are much more comfortable with. Um, they're accustomed to being able to unlock their phone with, uh, you know, it was first a fingerprint. Now it's a facial print. Um, having that more secure being directly bound to the account is where the next phase is, because the, uh, face access through your phone is not necessarily tied [00:50:30] back to just because you could open the phone with your face, you could put anyone's face there. So it could be your face. It could be your your child's face. It could be your spouse's face. But that doesn't mean that you want them to have access to your bank account or to your rewards points account, right? So I've amassed a lot of points with the airlines that I travel with. I don't necessarily need to have easy access with someone else who could unlock it with their face, but having that bound to the account is the important part. Caleb Newquist: Yeah, [00:51:00] even at the grocery store, when you're using, you know, using your phone to pay with it, every time it asks me. In my case, it asked me for my fingerprint. And that is so convenient. And it's so easy and it works so well. And so I don't panic anymore when I've forgotten my wallet, because I almost always have my phone. But I tend to. I don't know about tend, but like occasionally I will forget my wallet, but I can still pay with my phone. I can pay with my phone in a fingerprint. So that's very convenient. Okay. And like [00:51:30] you say, convenience, right? One of the one of the three things. Okay, um. Moving on. What about what role does government have to play in in terms of, you know, these types of frauds like reward and loyalty? They you know, these are these are largely the let's be honest, these are largely like marketing tools of corporations because they have customers. They want them to stay customers. They want them to be [00:52:00] bigger customers. What role, if any, does government play? Is there are there regulatory things that could be in place? Are there other mechanisms where governments can assist to protect both consumers and businesses, and what's what's some examples of if so what are some examples. Kim Sutherland: So the proper security and protection of rewards points has greatly been driven by businesses trying to do the the right thing for those, um, you know, so it's it's good business [00:52:30] to be able to protect your accounts. Government agencies definitely care, um, about the use of currency and and protecting consumers. And so those accounts have not been singled out separately. But we definitely see that there is a desire for businesses to try to protect the accounts in the same way that they would a traditional financial account. Caleb Newquist: I think what you're saying is it's in the case of like a social [00:53:00] media companies that are pushing back against regulation very, very hard. Kim Sutherland: Mmhmm. Caleb Newquist: Organizations that have reward and loyalty points, programs, it's in their best interest to figure this out for themselves. They don't they don't necessarily need rules, uh, that are that, that come out of legislation about protecting consumers, the businesses themselves, like, yeah, we don't want to lose our customers. So we're going to make really robust security [00:53:30] systems around these programs so that we don't lose them, because if we don't, we'll lose them, and then that's bad. Kim Sutherland: Yeah. Most businesses that are focused heavily on trying to protect their loyalty and rewards programs, um, are not doing it just to ensure that they're checking a box. It is brand reputation. It is truly trying to ensure that consumers can trust what they're doing. And so that's the biggest driver. Doing the right business to ensure that consumers have allowed [00:54:00] um microphone now. Right. They go to social media the minute something goes wrong. And so trying to ensure that you're, um, uh, properly protecting that rewards program is just as important as your core piece of your business today, right? Caleb Newquist: Yeah. Corporations aren't doing this out of the goodness of their hearts. No, there's a there's definitely it's still a capital. It's still capitalism at work in a very interesting, uh, in a very interesting way. I hadn't I can't [00:54:30] quite thought of it in that context, but that's totally right. Caleb Newquist: Okay, cool. Kim Sutherland: But I mean, but but if you're a corporation, that's why you exist, right? You're here.To. Caleb Newquist: Oh, yes. Of course, Kim Sutherland: To make money.Right. And so they're not a non not for profit organization. And so they should do things that will encourage more usage of their solutions, um, of their services. Um, the whole gamification process is really to encourage more user interaction and um, loyalty and rewards points are a great component of that. [00:55:00] Caleb Newquist: Right. Caleb Newquist: Okay. So finally, to kind of wrap things up and man we're doing great on time. I love this. Uh, what's kind of the outlook for uh, let's just start let's just start with the scope and of, of these kinds of the size of this fraud. I think you said 13 billion globally for rewards and loyalty points, programs like what's the trajectory of that? Has that like been growing exponentially in the last few years. Or what do you expect to see? Or [00:55:30] do you expect exponential growth in this area of fraud over the next several years? Like just what's the what's the future hold? Kim Sutherland: Yes, absolutely. The the loyalty programs are going to continue to grow. Um, the usage of these are well received by consumers. Um, value is driven for businesses and it really becomes a differentiator. Um, as you think about the coffee program that you mentioned, you know, in, um, a [00:56:00] few times. Definitely that or my credit card company or my or my, um, airline program. Those build loyalty. Um, and so they're doing these programs are doing exactly what they're intended to do. So we're going to continue to see that that's the where the problem is going to continue to lie, because we're not going to be able, as consumers, to keep up with all the different points that we're accumulating. And as soon as That gap exists between paying attention to those accounts is where the fraudster has [00:56:30] the the bigger opportunity. So we're seeing almost 100% growth year over year of loyalty based fraud. And so we're seeing that in different industries and in different regions. I think that's going to continue, um, definitely in the out years. Caleb Newquist: Okay. Caleb Newquist: And then conversely, like what what can you talk a little bit about the role of technology and innovation in this area in order to prevent, um, I mean, we can't [00:57:00] we can't stop fraud. Everybody knows that anyone who listens to this show knows that. So we're not going to stop it, but we're going to do our best to keep up with it and build things to, to to keep it, uh, in check. What role does artificial intelligence play? Are there other technologies that are kind of emerging, or are there other areas of innovation that you've been seeing that, uh, have a lot of promise. Kim Sutherland: Yes. I'm really excited about the future when it comes to trying to [00:57:30] protect accounts and safely onboard new customers. So businesses are going to have a lot of opportunities to be able to, um, depending on the level of risk that that account has safely on board with just scanning a government issued identity document, like a driver's license or passport for those higher risk activities, being able to use, uh, facial biometrics to help in the authentication, as well as leveraging device intelligence [00:58:00] to, uh, be able to correlate. Is there a risk associated with the account? And so that part is going to continue to make things safer. We're seeing the challenges around generative AI impacting the data that's being used, as well as, um, being able to do things like deepfakes of, you know, faking a face that should not be used with an account. So being able to to to leverage AI to strengthen that onboarding [00:58:30] process. We're going to see that make it a lot faster for consumers and a lot safer for businesses. On the authentication side, we're seeing advances as well with, uh, doing stronger device binding with that account. Um, and so I think the more passive solutions are going to make it safer. And number one, for, for consumers, convenient. Um, so we're going to be able to see that happening as well. [00:59:00] I'm very excited about this concept called a digital credential. Um, I think people are getting more familiar with that with, um, mobile driver's licenses, for example. But there may be new things where you could use a digital credential so that you have you don't have to share as much information when you're opening your accounts, and that will make that process easier as well. So definitely I think the, the, the wave of the future is going to be sharing less information. Still, being able to [00:59:30] protect an account, um, without having to have too much physical intervention in the process. Caleb Newquist: Yeah. Caleb Newquist: Cool. Okay. And one last thing I just thought of, uh, what? You get to work in and around fraud all day long, which is fascinating. What continues to surprise you about fraud and fraudsters? Kim Sutherland: The number one problem that businesses report, [01:00:00] um, around, uh, the biggest challenge is still identity verification. That is amazing to me that that simple thing, being able to verify that you are who you say you are, that you're a real person and you are who you say you are, still continues to be a huge nag. Um, so it always amazes me that the problems that we've been trying to solve for the last 20 years are still the same problems. It also, you know, surprises me, I guess that businesses [01:00:30] still don't protect as many areas of that consumer or customer workflow as they could. So being able to ensure that you are protecting those account changes, you know that we talked about being able to protect when someone's adding a new email address or, or, um, changing their phone number. Those types of things are still overlooked regularly by businesses. And that is a huge area of concern to cause [01:01:00] account takeover fraud. So those are probably the, you know, the the bigger challenges that, um, continue to exist, and it's just not the core area that, um, falls within a business. Caleb Newquist: There you go. That was me and Kim Sutherland. You can learn more about her at the links in the show notes. And that's it for this episode. And remember, your friends don't care how many frequent flier miles you have unless your friend is a fraudster. If [01:01:30] you want to drop us a line, send us an email at oh My fraud at CPE com o my fraud is created, written, produced and hosted by me, Caleb Newquist Zach Frank is my co producer, audio engineer and music supervisor. Laura Hobbs designed our logo. Rate review and subscribe to the show wherever you listen to podcasts. If you listen on your mark, you can get CPE. I think we've mentioned that before, so I'll just mention it again. If you listen on earmark, you [01:02:00] can get CPE. Join us next time for more avarice, winners and scams from stories that will make you say oh my fraud.