• Jun 11, 2026

Account Takeover: When Trust Gets Hijacked | "What The Fraud?" Podcast

Dive into the world of fraud with the ‘What The Fraud?’ podcast! 🚀 In this episode, Tom is joined by Suz Lynch and Paul Marsden from Monavate to explore how fraudsters gain access to trusted accounts, why account takeovers are becoming harder to detect, and how businesses can respond.

THOMAS TARANIUK: Hello, and welcome to What The Fraud?, a podcast by Sumsub where digital fraudsters meet their match. I'm Thomas Taraniuk, currently responsible for some of our very exciting partnerships here at Sumsub, a global verification platform helping businesses verify users, companies, and transactions. Today we're looking at account takeovers and how they have fundamentally changed.

This isn't just a security problem anymore. It's a trust problem. Everything looks normal. The checks pass, but the person using the account isn't your customer. So how do you stop the fraudster before they get in? My guests today are Suz Lynch, Head of Financial Crime at Monavate, and Paul Marsden, Head of Risk at Monavate.

Monavate is a fintech company that provides payments-as-a-service infrastructure, enabling companies to launch and manage financial products. Suz, Paul, welcome to What The Fraud?

SUZANNE LYNCH: Really happy to be here.

PAUL MARSDEN: Thanks for having us.

THOMAS TARANIUK: So, Suz, Paul, before we get into how account takeovers can happen, can you explain your roles at Monavate and how you work together to manage risk and financial crime?

SUZANNE LYNCH: So, as you said, I am the Head of Financial Crime at Monavate. Ultimately, my team and I are responsible for onboarding our clients and ensuring that their financial crime capabilities and transaction monitoring are what we would expect from a regulatory standpoint.

As they go live, we offer support and guidance, but we also sit in the second line of defense. We ensure that their transaction monitoring is fit for purpose, and we also conduct transaction monitoring on them, including sample checking, audits, and similar activities, to make sure they are not allowing their program to facilitate money laundering, fraud, or similar criminal activity.

THOMAS TARANIUK: Thank you, Suz.

PAUL MARSDEN: From my perspective, while Suz is doing the more technical, on-the-ground fighting of financial crime, it's my job to foresee any issues that are coming, make sure that the controls we have in place are actually working, and ensure that any risks to the business are properly managed. Fraud is ultimately a major risk to the business. Yes, it's financial crime, but from a business perspective and from our board's perspective, it's a massive risk, and it affects all different parts of the business. So ultimately, it's my job to ensure that we're covering every area.

THOMAS TARANIUK: Excellent. So we're covering multiple bases on this call today, which is excellent.

Account takeovers and attacks that are based on using someone else's credentials remain one of the biggest fraud issues globally, regardless of the industry, whether fintech, banking, or otherwise. Let's start right at the beginning then. Suz, what does an account takeover actually look like from end to end?

What does account takeover look like?

SUZANNE LYNCH: There are various different ways that an account takeover can happen. It can happen right at the beginning when a customer joins an organization, or it can happen a few months or even a few years down the line.

If we take the first example, you can have individuals who are using a victim's details to try to bypass the verification checks. Then you will see slight changes in behavior, spending patterns, transaction volumes, or transaction values. You might see the IP address change, the device ID change, addresses change, email addresses change, or other verification details change.

Essentially, what the fraudster is trying to do is make sure the victim doesn't realize that the account is being taken over. They might have engaged the victim through phishing attacks, spam emails, and similar methods to gain access to their accounts.

You also see this with accounts that have been in really good standing for years. They might have gone dormant for a while and then suddenly become active again. You may see very high-value transactions taking place at merchants that you wouldn't normally expect that individual customer to have used before.

If you have the right rules in place, you'll be able to see that the behavior has changed quite significantly. When you investigate further, you'll be able to identify different pieces of information that have changed and determine that the customer has perhaps become a victim of account takeover.

THOMAS TARANIUK: Certainly. Account takeovers can be devastating for the user, but also for the business, resulting in huge losses. The account is already trusted, the friction is low, and by the time anyone notices, the damage is already done.

What kinds of cases really stand out to you in terms of the real impact on businesses, Paul?

Cases of account takeover that impact businesses

PAUL MARSDEN: I think the cases that impact businesses the most are the ones that aren't spotted instantly. Where behavior changes quickly, it can be quite obvious in some cases. There are other cases, however, where fraudsters have become so sophisticated that things don't change very much.

You've got a bunch of controls, a bunch of limits, and all these different defenses set up for somebody that you trust—someone who has passed all of your KYC procedures and everything else you've put in place. You're in a position where you've trusted your own controls, never mind your customer.

Ultimately, you're now dealing with someone you can't trust, but your controls are configured completely differently. So I think we're affected most when we can't spot things quickly enough. The fraud has already happened, the money has already moved, and the damage has effectively been done. That's a challenge every business faces nowadays.

SUZANNE LYNCH: But I think it's really important to learn from these situations. Unfortunately, in financial crime, a lot of what we do is reactive. You try to be as proactive as possible. You try to think of every edge case and every possible instance of fraud that might arise, but it's impossible because technology is constantly changing.

What's really important is that if fraud does happen and you don't notice it immediately, and then it grows and affects more customers, it's important not to dwell on what happened.

Instead, analyze what has taken place. Try to find the commonalities. If it's a fraud ring, identify the common factors. Are they in the same location? Are they all using the same IP address? Are they all using the same device? Are they using throwaway mobile phones? What about domain names and email addresses?

These are the trigger points that make analysis so important. Once you've identified them, you can work to prevent the fraud from happening again because you'll know what to look for.

What I wouldn't want is for companies that have experienced account takeover, or whose customers have been victims of account takeover, to dwell on what happened. Instead, focus on ensuring it doesn't happen again in the future.

THOMAS TARANIUK: Certainly difficult as well, of course, to be proactive when there are so many blind spots with the new technologies being used on the market by fraudsters who are trying to game the system and also take over these accounts. I mean, a question back to you as well, Suz. On the other side of what Paul was saying, what is the damage done to actual individuals? I mean, what cases stand out to you?

The damage caused by account takeovers to individuals

SUZANNE LYNCH: Well, I've been in financial crime now for 15 years, so there are lots of different cases.

I started my career in the first line of defense, working in a contact center, and you're listening to clients who thought that the email they received was completely genuine, and they can't believe that this has happened to them. They can't believe that they gave away their details, and so on and so forth.

It's very difficult for us to be in a situation where we have to tell them, "Unfortunately, your money is gone. We can't tell you exactly where it's gone." In some cases, those individuals don't get their money back. It's better now because we have a lot more liability that sits with the issuers and the banks in order to take responsibility for what happened.

But when I was starting, that was it. It was your account, it was your details, your money got taken, and it was very difficult for us to prove that you didn't do that. Thankfully, we have moved on from that.

It's very difficult to hear because these people are often in very vulnerable situations. Some of them could potentially have had all of their life savings taken away, stolen from them. We have to listen to those stories about how their details have been compromised. But the point is trying to find out what you can do to help that customer.

PAUL MARSDEN: We're focused on the fraud because of what we do, and we're looking at the accounts. But the background to some of these cases can be horrendous, and the reasons why these accounts have been compromised can be devastating. These people are in very vulnerable situations, and I think there's a huge onus on us to make sure that we get it as close to right as possible.

From a risk perspective, bringing it back to the business side of things, it's impossible to stop fraud completely. You're never going to stop it. Given the way it has been industrialized, fraud teams could be as big as our Monavate team. Essentially, they'll be sitting there, organized, well-funded, and potentially doing a better job than we are, maybe even faster.

Like Suz says, it's all about learning, improving, and trying to keep up with it as best we can. Limiting it is the best we can possibly do.

THOMAS TARANIUK: Certainly the case. Looking at the victims themselves, if we take a fraudster and what they're currently doing, they're using the credentials of a real person, right?

To stop them and be proactive, you need to understand how to act like them. What are the warning signs and signals specifically that you'd look out for to stop a fraudster in their tracks during an account takeover?

Key signals of account takeover fraud

SUZANNE LYNCH: It's a difficult one because there are lots of different avenues you can go down. You've got the glaringly obvious ones, such as an account being opened and then the details changing quite quickly, which is something that I've seen in the past. Within 24 hours of the account opening, the geolocation has changed, or the device has changed, or the IP address has changed.

This is why it's so important at the point of onboarding.

KYC is great, and you need it, but you also need to look at the background data. You have to pay attention to the device. You have to pay attention to the IP address.

Are they utilizing a VPN? These details, which often elude people during onboarding, are so important because that's how you can see where the account was taken over or when it was compromised.

Obviously, we've got AI and deepfakes and things like that, and it's up to our KYC systems to be able to identify those and highlight them for further review so that we can investigate further. There needs to be a real partnership where your technology is evolving as well.

THOMAS TARANIUK: Exactly. And when we're looking at geographical location, IP address, device information, and so on, and when you're specifically issuing cards and have real users spending on those cards, do you look at discrepancies in volume, frequency, deposits, as well as expenditure?

SUZANNE LYNCH: Yeah, 100%. It's very important that when you are writing your monitoring rules, you're looking at volume, value, and geographical location.

It's not just about looking for customers who are spending large amounts. That's a great rule to have, and you want to see people who are hitting the big numbers. But you also want to see people who are trying to fly under the radar.

That's why transaction count is really important. If you're looking at card payments, you want to know how many times they're using the card for smaller amounts. It could be for testing purposes. It could be to determine, through a BIN attack, whether the card details they obtained online are linked to active cards so they can later facilitate fraud.

So it's not just about the high-value fraud transactions. It's also about small-value transactions conducted at high velocity. That's really important.

I always say to our clients, "When you're writing your rules, don't just think about the value. You must think about the count as well."

THOMAS TARANIUK: Certainly. It's really interesting to think about that and where you're exposed to fraud as well. Across the board, there might be lots of different typologies and lots of different angles that fraudsters are pursuing.

Paul, from your perspective, where do most companies underestimate their exposure to fraud within the fintech industry?

Where do companies underestimate their exposure to fraud within the fintech industry?

PAUL MARSDEN: I think partly what Suz has just said about believing that their tools are doing the work for them.

There's a big onus on technology. And you know yourself, Tom, there are lots of companies selling solutions at every industry event, telling you that this fraud tool does this and that fraud tool does that. Most of the conversations you have go along those lines in the early stages. But every single one of those tools still needs people with experience, people with know-how, people who have seen how fraudsters have operated in the past, actually using those tools.

I think there's a significant failure in how fraud is viewed as a risk to the business. Too often, it's treated as a box-ticking exercise for the regulator rather than something that affects the business as a whole.

One of the big things for me is making sure this reaches our executive team and board, and ensuring they understand how crucial all of this is.

The questions the executives should be asking are not, "How did the fraud happen?" or "What was the situation with case A?" Instead, they should be asking, "Is this going to happen again tomorrow? Is this going to happen again in the next six months? Is this issue going to get bigger?"

Once they start asking those questions, we begin evaluating our existing controls. Are they working? Are they working quickly enough? Can we introduce additional controls? What can we do better?

It's not just down to Suz. It's not just down to the Head of Risk or the Head of Compliance or wherever people may sit within a business. It has to start right at the top. Everyone has to care about it.

Ultimately, from a personal point of view, when we talk about the victims, I feel like everybody should be involved in trying to slow this down as much as we possibly can.

SUZANNE LYNCH: What's really interesting is that, as a BIN sponsor, we work with a lot of clients. Many of them have really great ideas, and they want to capitalize on them. They're building businesses, creating great systems, and launching fantastic products.

For some of them, AML and financial crime risk are an afterthought because they're so focused on the product. When we speak to them about creating rules and implementing monitoring thresholds, they'll ask, "Well, what do you think the thresholds should be?"

My response is always, "I can't tell you what your risk is. You have to determine your own risk appetite."

Then they start struggling with questions like, "Well, what's right? What's wrong?"

My question back to them is, "How much money are you willing to lose?"

Let's say you allow your customers to spend £10,000 in a single transaction, and, God forbid, 100 customers all become victims of fraud at the same time, with £10,000 taken from each account. Do you have enough money available to reimburse all those customers who have been victims of fraud?

That's your risk. How much money are you willing to lose before you do something about it?

I know it should be at the forefront of everybody's mind, but when you break it down and think about the bottom line, that tends to get the conversation going a little more.

PAUL MARSDEN: I think there's a lot to be said about the ongoing monitoring of everything as well.

I know everything Suz is talking about is about trends and what's happening and what's changing, but I think within many businesses there isn't enough focus on re-verification, the kind of stuff that you guys do. How we re-verify our customers, how we change the risk rating of a customer.

I mean, a customer that we trust, we've onboarded, and who sits within our trusted rules, limits, and KYC parameters. Once they get through there, their risk rating could change within a week. If their account is compromised, their risk rating could change five times, six times, the greedier these fraudsters get.

One area where I don't see enough focus pretty much anywhere—and we try to do it as best we can, but it's very difficult—is risk-rating somebody on the fly. I think that's where, over the next few years, AI and machine learning can help us. That's where our win can be. The win doesn't just have to be on the fraudster side of things.

THOMAS TARANIUK: Well, they're utilizing those tools as well, so it's that cat-and-mouse game where we need to be faster.

So, diving a little deeper into how you both work together, especially on escalation paths, from a risk perspective, when does an account takeover become a business-level issue that you need to step in on, Paul?

PAUL MARSDEN: Ultimately, from my perspective, it's when controls are failing.

The best way to look at it is that I keep coming back to the speed of detection and how quickly we stop things and recover from them. Ultimately, if our controls are spotting things within minutes or within a day of something happening, then for this type of fraud, we're probably doing all right because you can't see a change until the change has happened, right?

But ultimately, when things have gone on for an extended period of time, that, to me, is a control failure. Whether the changes in behavior within the account have been really small and it's taken us a little longer, or our rules simply aren't tight enough to catch these subtle changes.

Some fraudsters may be really clever. They may know everything about the account they're taking over and essentially mimic it. If that's the case, what can you do from a controls perspective?

But if there are obvious signs and it takes a long time for us to spot them, everything on my side comes back to the controls. Do they work? Are they fast enough? Do we need more?

There's also the issue of friction points from a business perspective. We still want a good customer experience. We still want our trusted customers not to have to go through hell to use their accounts the way they want to.

So there's a balancing act, a big balancing act, in how we do it. And that starts right from the onboarding of a customer, as you guys know, through the KYC side of things, all the way through to how we monitor them, how many checks we do, and how often we involve them in re-verification.

THOMAS TARANIUK: Well, from the perspective of the business, of course, that's super important to protect. But at the end of the day, the onus is on us to make sure that the user is safe as well.

Education is a massive part of that, and that's why we created the What The Fraud? Podcast.

In the mission of fighting fraud and helping customers stay alert, what should customers be doing to keep their accounts, details, and PII safe?

What should customers do to keep their accounts, details, and PII safe?

SUZANNE LYNCH: It is a difficult one. With emerging technologies, deepfakes, and the more sophisticated fraud techniques that are coming out, it is really difficult for everybody to keep themselves safe.

There are different things that you can do. You can add specific markers to your credit file. For example, you can have categories added to your credit file that basically say, "I've been a victim of fraud in the past. If an account is opened in my name, please call me and ask for a password."

That's always on your credit file, and if your number changes, it's up to you to update that information. Companies are then expected to engage with that and check directly with the client.

It's also important to do research when you're shopping. This is something that gets said a lot, and we're not saying it because it sounds good. We're saying it because it happens. If you're not checking the websites you're using before giving them your details, this can happen.

If you're on TikTok, Instagram, Facebook, or YouTube and an advert pops up—it happens to me all the time—and I see something and think, "Oh my God, that would be amazing. I want that."

The first thing I do is close Facebook and go onto Google. I check reviews. I check to see if there are any scams related to it or any adverse media that comes up.

Now, that's just me because of the industry and environment I've worked in. Then I'll make the decision about whether I want to make a purchase.

PAUL MARSDEN: There's a real human aspect to it as well, though, Suz.

I don't want to say it's simple because it's not, but part of it is literally questioning everything. Don't give your details to anybody without questioning absolutely everything because the world isn't safe.

Don't be naïve. Avoid that sense of naivety. There is definitely a human element to it as well.

SUZANNE LYNCH: And what's really important—and I know this gets said a lot—is that banks and financial institutions will always say, "We'll never come to your house. We'll never call you asking for this, that, or the other." But you do get vulnerable people who might receive a very threatening phone call and be pressured into acting.

What I have to stress is this: always, always remember that your bank is not going to threaten you. They can't threaten you. They can't come round to your house. They could send you a letter, but they can't phone you and demand anything.

Now, if you're worried or anything like that, what I would say is always hang up the phone and find out the number for your bank, or whoever it is, and call them directly. They'll tell you straight away whether it's genuine or not.

So that gut feeling you're having in your stomach, going, "Oh, I'm just not sure about this," I've always said, and I've always said to my team, there's no such thing as a stupid question. If the thought pops into your head, something made you think that, something made you feel that.

Even if it was just a small thought, hang up the phone and do something about it. Go directly to the organization. Don't listen to what anybody has to say over the phone, especially if they're asking for your details, your passwords, your PINs, or anything like that.

THOMAS TARANIUK: Certainly the case, and I think some fintechs are adapting to that. "Only contact us," or rather, "We'll only contact you through the app," right? Revolut, et cetera.

But when we're talking about these victims, of course, there are a lot of unsophisticated routes to defrauding people. But they are becoming more sophisticated, and we talk about that shift in sophistication here at Sumsub.

Account takeovers aren't just technical. They also start with relationships. So you have that combination of the relationship and the technical side with sophisticated fraud, such as romance scams, right? Authorized push payment fraud. These are the entry points to a lot of fraud as well.

Fraudsters build trust, then they exploit it, and that can be a terrible thing for the victims themselves. How often does that translate into a full account takeover, though?

How fraudsters turn trust into account takeovers

SUZANNE LYNCH: Well, it depends on what the fraudster is asking for. It could be a case where they're just asking for money: "Send me money." Sometimes they'll pay it back; sometimes they won't.

They want to keep their stream of funds going for as long as possible. So progressing into the stage of an account takeover is actually limiting themselves because they have to obtain those details from the person they are potentially scamming.

Then, when they gain access, they have to change the contact information on the account so the victim isn't alerted to the fact that their account has been taken over.

So it becomes more limited when you start moving into account takeover territory.

I think a lot of romance scams prefer to maintain the relationship: "Just give me the money, I need it for something."

So the victim still controls the funds, but they're willingly sending them out.

PAUL MARSDEN: The difficulty with this one, going back to trends and how we can assess things from a monitoring perspective and ongoing monitoring, is that the victims often don't know they're being scammed until they're a year down the line, two years down the line.

Because, from our perspective, the behaviors on the account don't change. If that abusive boyfriend or girlfriend, or whoever it may be, is doing what they're doing, the behaviors might remain the same throughout.

We still think we trust that account because, ultimately, it's doing what it did from the very start.

THOMAS TARANIUK: Certainly. And I guess when we're looking at the victims themselves, if you have that relationship and that sophistication, there is still a lot of victim-blaming that you see on social media and within society, right? Should people's perceptions of victims of fraud actually change quite a bit? I believe they should. It can happen to anyone.

Every time we do these podcasts, we ask our guests whether they've been a victim of fraud themselves, and I would say 90% of them have. So do you believe that mentality should shift in modern society?

Why society needs to stop blaming victims for fraud

SUZANNE LYNCH: 100%.

PAUL MARSDEN: 100%.

SUZANNE LYNCH: And I will put my hands up and say I was one of those people.

I wasn't a victim-shamer, but I was one of those people who would say, "How did you not know?"

It wasn't until I was on a panel a few months ago, and they were talking specifically about romance scams. A person on the panel with me had actually written a book, and she was speaking from the victim's perspective because she had been a victim of a romance scam. She had interviewed a lot of people and talked about that journey.

It wasn't until I saw her perspective as a victim and as a writer that I thought, "Right, okay, these can actually be quite sophisticated, and I can understand how people manipulate the vulnerabilities of an individual to make them feel loved and wanted." There were a lot of situations where they would give them presents, give them money, ask for money, pay it back, and everything seemed really normal until it escalated and escalated.

So yes, I live in the world of financial crime. I know what I'm looking for. I would know what unusual questions to look for. But not everybody thinks the way I do.

It's very easy for me to sit here and say, "How did you not know?" That was such an obvious question, because I'm not in that situation. I'm not in that environment at that particular time. And to answer your other question, yes, I have been a victim of fraud before.

PAUL MARSDEN: I think my example would be a situation that wasn't actually fraud, but it was a risk that I took because it was almost too good to be true, but I really wanted the dog that I bought.

I bought a dog for a lot less than I thought it was worth. Ultimately, I drove halfway across the country to pick this dog up, thinking, "This dog's not going to exist. I've sent my money. My money's gone."

And I got there, and thankfully there was a beautiful little puppy waiting for me. But I was 99% sure while I was driving there that there wasn't going to be a dog there. Yet I took that risk.

I work in this industry. I listen to Suz talking to me every day about the problems that we have. And ultimately, if I can think, "Yeah, I really want that dog," then anybody can.

THOMAS TARANIUK: Certainly. The center of so many people's lives is finance. And people are taking risks with their finances every day, whether that's through a fintech app, an exchange, or something else. When they're trying to onboard to these apps, we have that front layer of approval, that KYC. Everything looks fine. But after that, account takeovers can ruin people's lives.

So from the perspective of the tension here, how do you reduce fraud without putting too much friction into the process for people who are simply trying to improve their lives on a day-to-day basis?

Reducing fraud without too much friction

SUZANNE LYNCH: It's a double-edged sword, isn't it? You want to take away friction by reducing the checks that you do, but if that person becomes a victim of fraud, then we didn't do enough.

If we add too much friction because we want to put in a lot of checks to protect them, we're causing too many problems because we're adding too much friction. So it's a no-win situation.

I think the industry is inundated with fintechs and the hottest new wallets, crypto products, savings cards, and lots of different things that you can have. All of them boast, "Sign up and make your first spend within five minutes." I think it is about utilizing good technology, and it's about investing in your people because technology can only get you so far.

When you invest in your people, listen to the people who are actually doing the job. They've gone out and opened these accounts themselves. They've been through the process. They understand what was quick and what wasn't.

It's really important to make sure that you're treading that fine line between just enough friction to make sure you're safe, but not so much that you're asking too much of your customer.

THOMAS TARANIUK: Certainly the case.

Suz, Paul, I want to find out more about what a frontline defense looks like and how fraud as a landscape has changed over the last few years.

Things are evolving massively. We mentioned AI, and Paul, you brought this up as well. Deepfakes, different types of relationships, romance scams that can be orchestrated through more sophisticated means, the growth of info stealers, session hijacking, AI-assisted fraud, as I mentioned. Fraudsters can adopt near-instant tools anywhere in the world at a very low cost. It's becoming more democratized, which is a funny thing to say about fraudsters and fraud itself.

So what feels different about fraud today compared to only a few years ago, and how do you see fraud and account takeovers looking in 2026?

What's different about fraud today compared to a few years ago?

SUZANNE LYNCH: I don't know if it's going to be in 2026, but definitely in the future, I think fraudsters will start using AI bots to have conversations with people.

Phishing scams, romance scams—you think you're talking to a genuine person, but you're actually talking to a bot.

THOMAS TARANIUK: Sixteen Mac Minis in someone's bedroom.

SUZANNE LYNCH: Yes, exactly. But we're moving into a place where AI controls much of our lives. You can get it to buy your shopping. You're going to be able to get it to organize your meetings, reply to your emails, buy your flights, etc. So it's really not beyond the realm of possibility that fraudsters—let's say there are 10 of them in a group—will want to capitalize on as much money as possible, so they set up 50 bots each.

AI is learning from the conversations that are happening with victims. It knows what to ask for. It knows how to react. It understands the language being used, and it can use that to manipulate individuals. In that way, they're getting a bigger return.

The difficulty for us in the industry is that when we're trying to implement new technology to combat AI and all these emerging threats, we have resource limitations. We have financial limitations. We have to make sure everything is signed off by a regulator, and various other requirements.

Even after all of that is done, it then goes into a backlog of projects to determine where it sits on the priority list.

Fraudsters don't have those constraints. They've got the money. They've got the time. They can simply go ahead and do it. So we're always a bit on the back foot, unfortunately. I think that's something we really have to be aware of in the future.

PAUL MARSDEN: I think the key as a business is closing that gap. From a risk perspective, you have to understand that you're never going to stop fraud. You're never going to stop it altogether.

It's a case of closing the gap between us and the fraudsters. If fraud happens—and it does happen to every single card company on the planet—we're behind them in some way, shape, or form.

We might be two steps behind them. We might be 20. It depends on how significant the fraud cases are. But we have to constantly work on closing that gap. That's the key. There has to be an understanding that you can't stop fraud completely, but we can close the gap.

SUZANNE LYNCH: I had a manager years ago, and something he said to me has always stuck with me.

We're never going to stop fraud, but if we can make it more expensive for them, that's great. Every time we shut down an email address, every time we shut down a mobile phone, every time we block a device, an IP address, or close an account, we're costing them more money. They have to acquire more devices. They have to spend more money buying them online.

It's not solving the problem completely, but we are hitting them financially as well. That's why it's important to keep closing that gap, closing those loopholes, and costing them more time and money.

THOMAS TARANIUK: Fraud detection is becoming much more automated nowadays, but investigations still rely on human judgment. How do you balance the two?

SUZANNE LYNCH: I love technology. I love being able to automate things and give us those answers through machine learning, AI, and so on. But you will never convince me that technology will be better than an actual team on the ground. I am a firm believer in investing in your people because if you invest in your people, they will want to do a good job for you, and in turn, they will help save your business.

And I'm not just talking about my team directly, such as a fraud or financial crime team. I'm talking about your first line of defense. I'm talking about your customer service or operations teams. They are the first port of call. They're the first people victims might speak to when they call in.

What I find a lot of the time is that we've drilled into them so much what they can and can't say, concerns around tipping off, and various other restrictions, that they're often confused about what they can say and what they can't say. As a result, they may miss really obvious characteristics of account takeover, identity theft, and things like that.

So it's about enabling your teams, giving them the right training, giving them the confidence to ask the right questions, and allowing them to make judgments. Sometimes they're not going to be right, and sometimes they'll be absolutely spot on, and it will cascade into something even bigger that you didn't even realize was happening at the time.

So yes, you're investing in technology, automation, and all that sort of stuff, but you still have to make sure that you've got a team that you trust.

I've always said it: I never want to be an MLRO because I don't trust people. It's probably the wrong thing to say, but I don't trust people because I can't 100% say that they've been given the tools—or allowed to use the tools—to understand how important it is to report things.

PAUL MARSDEN: It goes back to the overall business attitude that we discussed. It needs to start at the top. I don't know how many times over the years I've heard a board member or somebody on an executive team say, "How many alerts did we have this week?" They didn't care what any of those alerts were, what happened with them, or where they went. They just said, "How many did we get?" because that's what they wanted on a spreadsheet. Now, that means nothing to anybody.

They actually need to care about the fraud that's happening. They need to care about the situations people are finding themselves in. These aren't just statistics that pop up on Suz's screen. These are people's lives. These are people's accounts. It's their money.

Scams are happening, and you can't stop that by simply saying, "We've had 100 alerts in the last two days." That's not what financial crime is. It's not just numbers.

THOMAS TARANIUK: So have we got the balance right, or are we still over-investing in tools rather than humans and the people themselves?

PAUL MARSDEN: I don't believe we're over-investing. I think the tools just have to be right.

There are a lot of tools out there, and I can only speak from the risk side of things, but we have tools now that do a lot of the nitty-gritty, boring work for us rather than using spreadsheets for risk assessments like we did in the old days.

When we go about choosing those tools, we speak to 10, 15, sometimes 20 different providers.

And I'll be honest with you, every time you go through this process, you probably discount 17 or 18 out of 20 providers within five minutes of the conversation starting.

I think there are too many tools. I don't think we're overusing the good ones, though, if that makes sense.

SUZANNE LYNCH: There's a lot of noise. What's really important to me is when I'm speaking to providers that want to show us their transaction monitoring rules, financial crime alerting tools, or whatever it might be, and I've got two project managers sitting in front of me telling me how this tool is going to benefit me.

My immediate thought is, "Do you have anybody on your team who's ever worked in a fraud team before? Who's ever worked in financial crime, compliance, or even risk?" Normally the answer is no. It's usually, "We've spoken to people in the industry, and we've built this because we think..."

That's great, but you've never actually been on the ground, and you don't understand why we do the things that we do. So I'm much more inclined to speak to people who have actually worked in the industry, understand the pitfalls, and know where the problems are.

THOMAS TARANIUK: You've taught me so much on this episode. And to finish things off, although I've learned a lot about both of you, we like to learn a little bit more about the guests who come on our podcast.

So we have five quick-fire questions. No overthinking. Suz, Paul, let's go.

Quick-fire round

If you could ban one risky online behavior forever, what would it be?

SUZANNE LYNCH: Can I say allowing Trump to say anything online? Sorry, I probably shouldn't say that.

THOMAS TARANIUK: I think we can keep that in. What did you say, Paul?

PAUL MARSDEN: Gambling.

SUZANNE LYNCH: Gambling? Yeah. Not utilizing privacy and lockdown features on social media.

THOMAS TARANIUK: Excellent. Okay, that's a new one. Have you ever been a victim of fraud yourself? I know, Suz, you mentioned it earlier. Paul, almost?

PAUL MARSDEN: Almost, yes. I don't think I have.

THOMAS TARANIUK: Excellent. Well, you're very good at your jobs. That's good to hear. What's the one thing about fraud prevention that the public completely underestimates?

PAUL MARSDEN: That they don't know best. And we're not blaming the victim in any way, shape, or form, but I think people have to understand that fraudsters are very, very clever.

THOMAS TARANIUK: Do you concur, Suz?

SUZANNE LYNCH: I would say the amount of data we can access through open-source intelligence. We can gather a lot of information from an open Facebook, Instagram, or LinkedIn profile to determine whether you are where you say you are, where payments are going, or whatever it might be. We can gather a lot of information about you.

THOMAS TARANIUK: Okay. And the penultimate question: passwords. Are they dead, or are they resting? Do we need them anymore, or should we forget them as a form of security?

SUZANNE LYNCH: I think they're dead. Unless you're really good and use things like "chair, house, table," which I would forget. So I'd rather just use my thumb.

PAUL MARSDEN: They're very close to dead. As Suz says, they get hacked quite easily, and we all want easy passwords, don't we?

THOMAS TARANIUK: Yeah. Well, mine's 12 characters, with one uppercase, one lowercase, and a symbol as well, so I heard that was enough.

PAUL MARSDEN: Who knows if that's enough?

THOMAS TARANIUK: Exactly. If you could have any career other than the one you're very happy with right now, what would it be?

SUZANNE LYNCH: Okay. I would love to be a doctor.

PAUL MARSDEN: I always wanted to be a footballer, and I'm still depressed about it now.

THOMAS TARANIUK: Well, Suz, that was very selfless because you're still helping people now, which is great.

SUZANNE LYNCH: No, do you know what? I think it's the fact that I got way too into Grey's Anatomy, and I genuinely believe I could do open-heart surgery with my eyes closed, no problem whatsoever. So blame Grey's Anatomy.

THOMAS TARANIUK: Well, there were 17 seasons or so of that show, weren't there?

SUZANNE LYNCH: Yes. I was a hardcore fan for about 15 years. I absolutely loved it. So yeah, I could totally be a doctor.

THOMAS TARANIUK: Well, I would say it's not too late for either of you, so follow your dreams.

Paul, Suz, thank you so much for joining us on the What The Fraud? podcast. It's been an absolute pleasure.

SUZANNE LYNCH: Thank you. Thank you for having us. It's been really good. Thank you.

THOMAS TARANIUK: If you've enjoyed today's chat with Suz and Paul, make sure to hit follow wherever you get your podcasts.