Sep 26, 2024

Should Fraud Prevention Be Part of a Cybersecurity Strategy? “What The Fraud?” Podcast

Dive into the World of Fraud with the "What The Fraud?" podcast! 🚀 Our guest today is Charity Wright, a leading cyber threat intelligence analyst. In this episode, Tom and Charity delve into strategies for effectively integrating fraud prevention into a company's cybersecurity framework.

TOM TARANIUK: Hello and welcome back to series two of “What The Fraud?”, a podcast by Sumsub where digital fraudsters meet their match. I’m Thomas Taraniuk, currently responsible for some of our very exciting partnerships here at Sumsub, the global verification platform, helping to protect users, businesses and of course transactions as well.

In today’s digital age, fraud cannot be viewed in isolation. It must be considered within the broader context of an organization’s information security strategy. So we’re excited to kick off the second season by tackling a very crucial question. Should fraud prevention be part of a cyber security strategy, and how can threat intelligence enrich anti-fraud measures as well? So today, we’re diving into a fascinating case study highlighting how one of the nation’s largest service providers is stepping up its game in the fight against payment fraud, as billions of dollars are lost every single year.

Traditional reactive approaches are no longer enough. This company has shifted to a proactive strategy using advanced threat intelligence to spot fraud before it indeed happens. We’ll explore how this strategy and approach not only saves money, but it also protects their customers while raising the very crucial question. Should fraud prevention be a core part of cyber security as well? 

So now I’m very excited to introduce you to our very first guest of series two, Charity Wright. Charity is a world leading cyber threat intelligence analyst with more than 20 years of experience, including over 15 years at the US Army and the National Security Agency, otherwise known as the NSA. So high stakes fraud indeed. One of the specializations is being able to translate Mandarin Chinese, which has led her to work on China’s cyber threats. She is also an undercover dark web researcher where she advises huge enterprises on fraud mitigation. Currently, Charity works as the principal threat intelligence consultant at cyber security company Recorded Future in the United States of America. Charity, welcome to “What The Fraud?”. Even just touching upon your resume there. Wow. I can’t wait to find out more about your fascinating career. 

CHARITY WRIGHT: Thank you. I’m so excited to be here with you.

TOM TARANIUK: Fantastic. But firstly, let’s rewind right back. How did you get into cyber security in the first place? I mean, was it always the plan or something that you actually fell into?

CHARITY WRIGHT: You know, that’s a funny story. I never planned on being in this industry. I honestly didn’t think that I was good enough at math or science to be in this. It was a coincidence, I suppose, and also a little bit of forecasting. So I worked in the intelligence community, primarily focused on military intelligence for the first half of my career. And, set of circumstances. I ended up being back at home in Dallas, Texas. And here in Dallas, there’s really no government agencies doing intelligence work.

I mean, there is the FBI, local field office here, but not much of a need for a Chinese linguist. So what I did was I just started searching for intelligence analyst jobs in this area. And I saw a position open up for cyber threat intelligence. And at that point, I thought, man, I know nothing about cyber, but I know I can learn pretty quickly. 

So I was lucky enough to step into that role and was surrounded by mentors and leaders who coached me into the cyber security aspect. So really, it’s the same type of work. We’re analyzing intelligence. We’re just analyzing a very technical type of intelligence and analyzing how hackers do what they do. And also, of course, working for the US Army and the NSA for 15 years.

TOM TARANIUK: It sounds very James Bond, Charity. I mean, what was it like day to day? Is there anything you can tell us without, of course, giving away any national secrets?

CHARITY WRIGHT: Of course. Like any job, there are many more boring days. And there are exciting days. Of course, you know, day to day, as I was translating Chinese, live in real time. So that was very exciting, and essentially our job at that agency is to monitor our foreign adversaries. So we just want to keep an eye on or an ear on them and make sure we know what they’re up to and make sure we can protect US and allied assets in that particular region. So it was very exciting. I did get to escalate some of my work all the way up to the president. And as a young analyst, that was very exciting. So kind of hard to top that kind of career. But I absolutely love working in the private sector now, working in cyber threat intelligence, which is ever evolving. And there’s never a dull day.

Why it’s not enough for financial institutions to deal with fraud only after it happens

TOM TARANIUK: Fantastic. And what a resume for Charity as well. Years and years of having impacts on both the society that we’re in today and hopefully the future as well. I mean, when preparing for this episode, we read a case study on how Recorded Future actually helps a major financial institution anticipate and also tackle payment fraud. I mean, previously, the company’s cyber threat intelligence and fraud teams used behavior rules to flag suspicious activities, but they said it had no visibility into dark web activities as well. This actually means that they were missing out on potential new fraud tactics being used by criminals in question. And the main challenge, of course, with this approach is it’s mostly reactive, right? Only catching fraud after the actual financial losses had already happened. So that brings me on to our first question of the podcast, Charity. Why is it no longer enough for financial institutions to deal with fraud reactively and after it happens?

CHARITY WRIGHT: Yeah. So this particular organization, one of the biggest financial services companies in the world, is one example of a broad trend that we’re seeing even across payment card companies. The problem is many companies are playing whac-a-mole. They see a fraud incident pop up and they try to squash it when it happens. And what they should be doing is looking for indicators and warnings of fraud before it even happens.

That’s what intelligence is for. And I read a quote recently that said when fighting fraud, time is of the essence. And I love that because really what we’re doing is we’re providing critical pieces of information about what those threat actors, what those criminals are doing before they even do it. So we’re really giving a competitive edge to these companies and to their customers that every day card user, intelligence gives people and businesses the leading edge on that threat. 

Integrating fraud prevention into a cybersecurity strategy

TOM TARANIUK: Oh, absolutely. And if we’re talking about a competitive edge, how would you say Charity? How does integrating fraud prevention into a cyber security strategy actually enhance?

CHARITY WRIGHT: Let’s say, the defense against, in this case, payment fraud as well. Well, essentially we’re talking about reducing risk across the board. And at the strategic level. I’ve been advising these big companies and their threat intelligence teams and their fraud teams, and I keep hearing the same thing over and over, all the way up to the top, to the CEO, the CFO, and even the board of directors. They all are focused on one thing, and that is reducing risk across the board, reducing risk and saving money. So for companies whose business is money and services are payments, every incident of fraud sets them back and creates risk to that business. So interestingly, I read a report, a Nilson Report estimated that by 2031, fraud losses will total $47.22 billion. That is a huge chunk. Think about the impact that has on our economy in the US, but also the global economy. So for financial technology companies like this and leading payment providers, stopping fraud before it impacts the bottom line, their money and their customers is really business critical. So instead of doing this reactive approach, like many fraud applications and programs are really going okay we see something popping up here and over here, and we think that there might be a trend going this way.

What our intelligence does is breaks down the exact steps from the very beginning. When a criminal is surveilling a company and looking for vulnerable parties and weaknesses at every step that criminal takes. We have information so that we can deter them or stop them in their tracks.

So I think to answer your question—intelligence. Incorporating that intelligence into a fraud program is absolutely essential, especially as we move forward. And we’re expecting so much of this activity in the future.

Threat intelligence vs traditional methods of fraud detection

TOM TARANIUK: What types of fraud signals can threat intelligence detect that traditional methods actually might miss?

CHARITY WRIGHT: There are so many indicators and warnings. When a criminal is conducting this type of fraud activity these days, quite often they’re starting with cyber attacks, whether that’s phishing, which actually phishing is a prevalent form of attack and fraud these days. They’re phishing people’s credit card information. They’re also using social engineering, making fraudulent phone calls on behalf of the client. But even more than that, some of the indicators we find in the criminal underground, where a lot of organizations don’t have visibility because they either don’t have access to the dark web, they don’t know how to access it.

They don’t have exclusive access to some of these forums where this information is being bartered and sold. So what we’re looking for is we’re identifying accounts that are at highest risk of fraud. Bank accounts, credit card numbers, debit card numbers, even checks and gift cards are part of this problem as well. So we’re finding those signals and identifying those higher risk accounts early.

We’re finding that before they’re abused. Oftentimes these groups and gangs operate like organized crime groups. They operate like enterprises. Some of them have 24/7 customer service. Some of them have assigned, you know, financial representatives to work with you when you’re in that criminal underground. So they’re operating at a very high level.


They’re getting these cards from malware infections on your computer or your phone. One example of a stealer malware that steals your information is called Magecart. Magecart is a very common malware that is installed on devices, whether that’s corporate devices or personal devices, and it steals your credit card info. It takes your name, address, phone number, everything it can get about you, and it sends it in a nice little package back to the criminal actor on their computer.

Then they have an automated process around this. They’re able to fully automate and upload all of this card data into a marketplace, and these marketplaces on the dark web look very much like eBay or any e-commerce site that you would find on the regular clear web, except on the dark web. All you have to do is you go in and the criminals looking for credit cards that belong to a particular bank. If they know the bank identification number, which is the first 4 to 6 digits on a credit card, then they can search that marketplace for that particular bank ID number, and they can narrow down what types of cards they’re buying. They can also determine if this card is eligible to use right now, if it has available credit. 

And so we’re able to identify those BIN numbers and those cards that belong to those banks in advance of being used by criminals. And then another indicator that we’re looking for is testing services where criminals are able to go ahead and test that card with a $0 transaction or a five cent transaction. We can identify those transactions early and often catch those cards before they’re actually used for large amounts, and then hand over the right information to those banks to stop them in the tracks, shut off those cards, and issue new card numbers to those clients.


So these are just a couple of examples of how we’re able to find those indicators and warnings before those cards are exploited.

Reducing fraud risk

TOM TARANIUK: Fantastic. I mean, it’s such a nefarious game that people are playing, right? And as you mentioned, they’ve got complete structure in terms of their work with conspirators outside and within the dark web. So, Charity, what measurable impact has Recorded Future had on reducing fraud risk?

CHARITY WRIGHT: Significant changes have happened within these organizations that are incorporating intelligence into their program. They’re seeing a significant risk in time spent on these investigations. And they’re significantly reducing the time it takes to identify those cards and get them shut off. So clients are saving money. The bank customers and the companies themselves are saving money on fraud risk reduction across the board, which is phenomenal. But I think there’s even more so of an impact globally. As I mentioned, some of these numbers are in the hundreds of billions of dollars of impact across the world. So we’re talking about not just saving people money, but when we’re saving organizations’ and people’s money, they’re fueling that money into proper programs for security. They’re funneling that back into their local economy is where they can actually make purchases and fuel their economies locally. So I think it’s very interesting. I read, recently that payment card skimming, where fraudulent actors capture card information at ATMs and payment terminals, cost businesses an estimated $1 billion each year. That is huge in the UK. 

TOM TARANIUK: Think about how big their budget is for operations. Can they afford security tools and fraud tools? Some of these budgets are being cut because of the costs of security impact on their organizations. So we’re basically fueling back into security programs and, in my opinion, fueling the global economy as well.

Attacks within organizations

CHARITY WRIGHT: Oh, absolutely. I mean, attacks don’t always come from the outside as well. I mean, they can happen also within organizations, for example, too. And that’s why it’s so important to check your service providers and also not allow supply chain attacks across the board, even if it’s on the front scope. Tourists coming in having their card scams. But on the other side, within the actual supply chain, for example, authenticates an Israeli identity verification company that works with top tech firms around the world. It had a major security issue in breach in which administrative credentials were exposed online for over a year. I mean, they initially downplayed the breach, but later admitted the data was potentially accessible.

Immediate steps a company should take in case of a data breach

TOM TARANIUK: From your side, Charity, this is another question for you: in the event of such a data breach, what would you say are the immediate steps a company or companies should take as part of their incident response plan as well?

CHARITY WRIGHT: Well, normally the first step is to assemble the team that you have, like an incident response team, with the proper tools and the proper people there, then going to either, you know, do an internal investigation or hire an external party to do an investigation for them. I think it depends on what that company is capable of. So many companies today don’t have the proper team, don’t have the proper resources internally to do that kind of deep dive investigation. So they usually hire a consultant company to come in and determine where did this incident originate from; have those criminals pivoted to move laterally across our computer network and across our IT systems.

A lot of times in the case of ransomware, you know, pretty soon, pretty quickly, you determine if this is a ransomware incident because there’s usually a note or some kind of threat. So it’s increasingly important for incident response teams to move quickly. But to have a plan ahead of time, because when you’re in the midst of that incident, things can be really crazy, very chaotic and hectic.

You want to make sure that you know who to contact and that you have contacts with the FBI or with the Secret Service or whoever internally. And your government that you need to notify and get assistance with, especially if you have any hint of it being some kind of international criminal group. Let’s say a ransomware gang or a nation state sponsored criminal group.

Maintaining trust

TOM TARANIUK: Absolutely. And Charity, that’s a really interesting point because we’re talking about reactive versus proactive. Once you’re in the midst of it, it’s also making sure the public, these organizations, their stakeholders, their employees do understand exactly what to do. I mean, from the actual perspective of ten techs or other companies in that position as well, how do they communicate with their customers and stakeholders to maintain trust, in your opinion? 

CHARITY WRIGHT: The trust part, I feel, is earned over time. I think working with any vendor, whether it’s an intelligence vendor, a security provider, it takes time and effort. And I strongly believe that you get out of a security program what you put into it. So if you prioritize security, you’re allocating budget, you’re allocating people to those areas to make sure that they’re protected and that they have the resources they need. But it is a trust building. So as an intelligence provider, we should always be providing valuable information that is relevant to that specific company and their customers. We may also provide intelligence related to the industry in general. What threat actors are targeting your industry? How are they doing that? What type of malware and techniques are they using and how do we defend against that? But it is a trust building exercise. So if you’re providing real value to your client, let’s say, a bank or a payment card company, you should be getting feedback from them as well. And these companies as a customer of an intelligence organization or security, I need to be expressing what I really need. And also it’s okay to not know what you need from a security vendor. It’s okay to say this is the problem.

Evaluating third-party vendors

TOM TARANIUK: How can we solve this together? I think communication is really important as part of that security program. And from your opinion, Charity, how should companies actually evaluate the third party vendors?

CHARITY WRIGHT: Well, this is to ensure not to introduce any supplementary or additional risk into their life. I’m so glad you asked that. I think third party risk is one of the most significant issues being addressed in the security realm today. And that is because there are so many criminals and nation state, you know, threat actors, hackers that know, hey, maybe I can’t get to that bank because they’re very secure. And by the way, banks are known for having some of the most secure programs and networks in the world. But threat actors know that. So they may go, okay, we know that this bank does business with this third party over here. Let’s see if we can get into this third party’s networks and then somehow phish the bank or conduct some kind of other fraud on this bank to get access to them and their resources. So third party protection and security is critical right now.

So from the intelligence perspective, we’re looking at risk across those third parties. Like for example, when you work with an intelligence provider, you can build a watch list of third parties that you work for and be notified as soon as there’s a hint of an incident there. Or if you see the risk has increased, like, your third party has a website that is no longer secure, maybe a certificate expired. If that introduces a vulnerability, threat actors will see that. The hackers will identify that vulnerability very quickly. So it’s very important for us to identify when our third parties are weak and vulnerable, to help put that hedge up between us and them, and notify them as fast as possible. Hey, we were just notified that there is a weakness or vulnerability. We want you to have this information to remediate that so that you can be protected as well as everyone that you’re connected to.

TOM TARANIUK: Absolutely. Charity, it makes so much sense, especially when you’re looking at some of these banks or these other companies and multinational institutions that don’t have dozens and dozens of vendors. Each one could be a risk. And of course, there needs to be a unanimous flow of how you actually control that risk and make sure that there aren’t any bad actors finding a backdoor. Charity, stay right there. There’s so much more to talk about right after this. Now we’ve got a couple of brand new features for this series. First, we’re going to give you a sneak peek behind the scenes at Sumsub and explain how each episode’s topic relates to the work that we do with our clients.

In today’s conversation, we’ve talked about the importance of integrating fraud prevention into your overall information security framework, and it is indeed a complex task. And having the right strategy is key, but so is having the right tools. Take one of our clients, for instance, a fast growing payments company. They needed a solution from Sumsub to detect suspicious login attempts and prevent account takeovers while minimizing false positives. With Sumsub’s fraud prevention solution, we together achieved a 40% reduction in fraudulent logins and improved user retention as well. It perfectly illustrates how the right technology can enhance security without compromising the user experience. So what are the results? A significant decrease in fraud attempts and a stronger sense of trust from their user base as well. So if you’re facing similar challenges within your business, our website, Sumsub, has resources to help you protect your platform effectively.


“I let them know… You messed with the wrong parent.”

Now back to today’s guest. While we’re talking with Charity off camera, I was really taken aback by the story that she shared. Even though this story isn’t directly related to the main topic of this episode, I felt it was important, however, to include it because it does highlight some critical issues that our audience might find valuable. So with Charity’s permission, we’re going to share this with you as a very special segment today.

CHARITY WRIGHT: So a few years ago, my son, who was 13 at the time, was a victim of a sextortion campaign on Instagram. And at that time, I had not heard much about this type of activity. I am very familiar, you know, working in the Intel space, working in cyber security. I’ve heard about social engineering and these types of various extortion, especially from ransomware groups, but they’re targeting our children and the reason this came up is my son came to me one night. He texted me, actually, go figure. He’s upstairs in his room. I was downstairs in my room. He texted me, hey, mom, can I have some money? 

And I said, you know, how much do you need? He said, $40. And I asked him, what is this for? Because he has his own bank account. And, he said, I just, you know, need the money for a video game or something. And I said, well, you have your own money. You can wait until next payday. And, a little while later, he walked in my room and just busted out in tears. And I knew immediately something’s very wrong. And he said, “Mom, this is so embarrassing. I hate talking to you about this, but something bad happened. And some bad people who pretended they were a teenage girl? I was talking to them on Instagram over DM, and, you know, they sent me a picture. I sent a picture back. Now they’re threatening to send this picture to my family and friends if I don’t pay them money.”

And of course, I’ve had talks with my son about not sending any kind of explicit photos, not talking to strangers online. But teenage boys are especially vulnerable to this type of fraud. Basically it was a fake account and it was a group called the Yahoo Boys, a criminal group out of North Africa, and they specialize in manipulating young teenage boys into sending explicit photos and then extorting them for money. And they sent screenshots of their Instagram follower list, and they identify close friends and family from that list and say, if you don’t send me this money, we’re sending this picture to everyone. And my son brought this to me, and I told him, I’m going to have to look at your text messages because he had given them a phone number before they exposed who they really were, and they were spamming him screenshots and it was horrifying.

As a parent, I hate that he had to experience that he’s a child and he’s learning about boundaries and security, and this was a very hard lesson for him to learn. But the good that came out of it was he was honest with me. I was able to, you know that movie “Taken” with Liam Neeson, where he harasses them back and threatens them and says, “I know who you are, and I’m coming after you”? I did that, and I let them know you messed with the wrong parent, and I collected as much information as I could from their screenshots, their text messages, and their phone number to send that information to the FBI. And what I was able to collect was in those screenshots, it was visible that they were screenshotting a phone. It was an iPhone, and it displayed who the telecom network was. It was a network in, I believe, Nigeria. And so I was able to pair the phone number, the type of phone, the time that it said on his screen and compare it to my time local time and determine that he was in Nigeria or they were in Nigeria. I also added in a little bit of a lie myself and told them I had their IP address and was sending all this to the authorities. Needless to say, they stopped messaging me back. Communication was completely cut off and we blocked them. I immediately submitted it to the FBI, who then communicated back to me that they had other incidents like this that they were aware of, and they were compiling this information together. 

So putting together an intelligence report on this group, it was months later that I first saw the news break about this Yahoo Boys group. At that point, when it happened to my son, I did not know the name of the group. And sadly, over the past year I’ve been seeing so much information come together. Interpol and many organizations around the world are working to combat this group because dozens of teenage young men have committed suicide over these incidents. This is setting off alarms, especially in Australia, the US, Canada, UK, you know, Western nations are a highly targeted area and they’re targeting our children, boys and girls. But it’s mostly boys who become victims of this type of attack. So it’s something that I’ve shared on my personal LinkedIn, is something that I share with friends and family.

To be more aware of these types of attacks so that we can educate our children. They’re targeting kids as young as eight years old and some of the teenagers that have lost their lives, the parents have come out telling their stories, talking about the signs to watch for: one day your child is normal, and a few days later they’re isolated. They’re depressed. You might catch them crying. They’re not attending school. All of these warning signs could be a symptom of being a victim of some kind of online bullying or extortion like this.

Strategies individuals can implement to reduce the risk of online threats

TOM TARANIUK: Thank you, Charity, for sharing that. Obviously very distressing because it can happen to anyone and people of such a young age who are malleable, who will take orders, and the fear of obviously, being in that sort of environment and who to go to, I mean, it might be having a bigger impact than we’ve seen with the less reporting, of course, as well. I mean, from your perspective, Charity, what strategies can individuals listening and families listening on to this podcast now actually implement to reduce this risk of online threats, particularly around this case of sextortion as well?

CHARITY WRIGHT: Communicate, communicate with your children, with your teenagers. I know it’s awkward and it’s uncomfortable. I’ve had these talks with the kids so many times before. I have two teenagers, and I’ve explained to them the way that criminals will try to take advantage of them and how, you know, pedophiles are out there trying to phish them for nude photos and things like this. I’ve talked to them about it before. Of course I’m a mom, so maybe they didn’t believe me. Or they’re like, oh, maybe they have to learn from their own mistakes. But letting your children know if anything like this happens, please come to me right away. It’s important to be able to report it to law enforcement right away, to be able to block them and let law enforcement help you through that situation. So to parents, I want to say you’re not alone. There are hundreds of other parents dealing with this as well. And if we are communicating with our kids and they’re coming to us with these problems, we can better help them and prevent the type of depression and suicide that comes from it. But even more, I advise parents to seek out counseling for your children if they are a victim of an incident like this, because there are some things they need to talk about that they may not feel comfortable talking to a parent about. And it helps to have a professional walk them through and reinforce to them, this is not your fault. Yes, you made a mistake sending that photo, but you did not deserve this. You’re a victim of a crime, and I think that’s really important for kids and for parents to understand as well.

Quick fire round

TOM TARANIUK: Charity, I think that’s some very grounding advice for everyone listening as well. And of course, as we always say, fraud is not a victimless crime. But thank you very much for sharing that with us. Before you go, I’d like to introduce a quick fire round. It’s something new that we’ve implemented, and this is where we’ll have some fun and also get to know you a little bit better with rapid fire questions. So, Charity, you’re in the hot seat right now. And the rule is simple. Answer fast. No overthinking.

Ready? Let’s go. So strong passwords or biometric authentication?

CHARITY WRIGHT: Biometric authentication.

TOM TARANIUK: Ok. When choosing an app do you go for ease of use or better security?

CHARITY WRIGHT: Better security.

TOM TARANIUK: Thought so. Is online fraud more about technology flaws or indeed human error?

CHARITY WRIGHT: Human error.

TOM TARANIUK: Okay, Charity, what is one habit that you rely on to stay safe online?

CHARITY WRIGHT: Facial recognition.

TOM TARANIUK: So final one, if you could have any other career other than the one that you are actually currently in, what would it be?

CHARITY WRIGHT: I would do dog rescue, full time dog rescue.

TOM TARANIUK: Fantastic, Charity. I’d like to thank you so much on behalf of my crew and also the guests of this podcast. Thank you for joining us today and sharing your thoughts, and it’s great to learn more about yourself as well. Thank you so much. This is a great time. How can we find out a little bit more about you?

CHARITY WRIGHT: My LinkedIn page would be a great way. Reach out to me on LinkedIn connect. I’d be happy to connect with any of the audience members and answer any follow up questions that pop up.

TOM TARANIUK: Wonderful, Charity. Thank you so much for coming on board “What The Fraud?” Oh, what a fantastic first guest to kick off this brand new series of “What the Fraud?” Big thanks to Charity Wright for all of our insights on cyber fraud and threat intelligence as well. If there was anything that made me rethink my stance on a particular issue within the business, it would be the idea that cybersecurity or threat intelligence should be closely aligned with the overall fraud prevention strategy. This includes ensuring that you are thoroughly vetting third-party vendors or businesses you rely on regularly, because, of course, you wouldn’t want to let a Trojan horse into your organization.

Stay safe and see you on the next one!
