• Jul 03, 2026

Cash Out: Fraud's Final Act | "What The Fraud?" Podcast

Dive into the world of fraud with the ‘What The Fraud?’ podcast! 🚀 In this episode, Tom is joined by Apurva Shrivastava from Amazon. Together, they discuss why payout fraud is one of the most underestimated risks in the industry, and why "we caught it at onboarding" isn't enough on its own.

THOMAS TARANIUK: Hello and welcome to What The Fraud?, a podcast by Sumsub, where digital fraudsters meet their match. I'm Thomas Taraniuk, currently responsible for some of our very exciting partnerships here at Sumsub, the global verification platform helping businesses verify users, companies, and transactions as well.

Today, we're looking at the moment that fraudsters cash out, the moment they're at the finish line. It's our last chance to stop them. My guest today is Apurva Shrivastava, Product Lead for Global Payments Product at Amazon. His work is focused on the very last moments of a transaction, when the money is paid out.

Apurva addresses how platforms can continuously assess risk right up to the moment money leaves the system. Apurva, welcome to What The Fraud?

APURVA SHRIVASTAVA: Thanks, Thomas. Super excited to be here.

Stopping fraud at the point of no return

THOMAS TARANIUK: Apurva, fraud has become faster and more industrialized too. We focus a lot on the onboarding problem, but an equally critical moment is further down the line. It's when the money actually moves. That's the point of no return for them and also for us. How do you go about stopping it at that stage?

APURVA SHRIVASTAVA: That's a good question and the right way to put it. So, if you think about fraud, what does fraud mean? Fraud essentially comes alive when the money goes out to the fraudster. And everything before that is kind of a rehearsal. So the last mile becomes super important. What has been happening in the industry is that our entire focus on fraud has been on the onboarding layer. We are doing KYCs, we are doing all kinds of modeling, all kinds of fraud prevention checks, but that's all happening at onboarding.

However, that entire concept or the entire rail is missing when the payouts happen, when the actual fraud comes into action. So what we are trying to do—when I say we, I mean the industry—is move towards a concept called disbursement-time identity assurance. And the only way to stop or handle that is to bring onboarding and payouts, or when the disbursement goes out, these two silos in sync so that we can assure that the person we are paying out to is the same person that we saw at onboarding and there has been no drift in all this time in the identity of this particular beneficiary, whether it's a seller, a driver, or whatever.

So that's the way to think about it, I feel, in the long term and to stop it.

THOMAS TARANIUK: Makes a lot of sense. And fraud and compliance, traditionally or historically rather, have been reactive rather than proactive, right? I know you've developed a specific framework around this, and we'll get to that later in the episode. When it comes to actually cashing out for these fraudsters, where does the opportunity for fraud happen?

When cashing out, where does the opportunity for fraud arise?

APURVA SHRIVASTAVA: It's a good question, and let's look at it as the entire lifecycle of when and how fraud happens. So it essentially happens in three phases.

The first phase is called account farming. This is where, if I'm a fraudster, I'll set up an account on any marketplace, and I'll wait for 60, 90, or probably 100 days without doing any activity so that my account seems legitimate. Or I'll probably do, like, one or two transactions here and there just to bypass all the onboarding models that are out there. One thing we have to keep in mind is that fraudsters evolve faster than systems evolve, so they are already aware of what systems exist in place to catch them. So this is phase one, where I'm just setting up an account and trying to bypass all the models so my account feels legitimate and I'm in the system.

Then phase two is that fraudsters usually wait for a trigger event. Now, this trigger event can be an API change, or it can be a promotional event that's going on on your platform. Anything that is system-driven from the platform or from the marketplace, the fraudsters actually wait for it.

The third phase is what we call burst execution. That is, hey, we have waited for a long time. We see an opening, and then all the fraudulent activities happen in a short duration of time.

So those are the three stages that we have to see, or should see, holistically. But the problem is we do not. And the reason for that is, first of all, there is a beneficiary-side blind spot.

In marketplaces, there is a sender and there is a receiver, which is a beneficiary. In most marketplaces, the focus is on who is onboarding, and all the modeling is being done on the person who is getting onboarded, but not on the person the money is being sent out to. I'm not saying it is not present at all, but it's kind of skewed.

We do not do all kinds of identity and fraud checks on where the money is going. So a very common pattern is a seller paying to a mule account. It is one of the most common cash-out fraud patterns. The reason is that onboarding KYC essentially never looks at the receiving end.

The other thing, from a systemic point of view, is why these things happen. If you see, we have been talking about onboarding, and there are a lot of measures we take at onboarding. Now, that's usually where the fraud team sits in any organization, and anything that flows through that system is kind of accounted for as, hey, it's a fraud loss. If a seller is caught, or if we are stopping bad sellers or bad actors in the system, that goes into the books as, hey, we have stopped fraud.

But when it comes to payouts or cash-out, it's in the realm of payments.

And these two teams, more often than not, sit in silos and don't talk to each other as much as they should.

THOMAS TARANIUK: Right.

APURVA SHRIVASTAVA: And if there is a cash-out problem or if there's a cash-out loss, it goes in as an operational P&L item rather than a fraud loss. So then the question becomes, "Hey, are we treating fraud as an operational loss because certain measures were not there and it was not caught in time, or are we actually treating it as a fraud loss?"

That's where I feel the openings are where most cash-out fraud happens. You have to look at it both ways: A, what the fraudster is trying to do and what opening they are waiting for; and B, from a system point of view, why those openings exist and what we can do to solve them.

THOMAS TARANIUK: So there is a clear imbalance between, of course, the onboarding critique, let's say, at the very start of a user's journey, all the way to there even being a different team for, let's say, the payment side, right? When they're trying to cash out. And we have strong controls at the entry points, but we might be having a similar loss later down the line, which is classified differently, with two teams not speaking. So why do systems miss these signals so late into the process? Is it because of that disjointed nature of the two teams?

Why do systems miss the fraud signals?

APURVA SHRIVASTAVA: That's primarily the reason, but that's not the only reason. See, the thing is, okay, fine, these two systems exist in silos. A lot of investment in fraud is happening upstream, whereas it should be there downstream as well. So there is an organizational blind spot, and we are not modeling all our models on the right data set. When I say the right data set, we're just taking signals during onboarding and not exactly on the payout side.

Another reason, which I just mentioned, is that payout fraud often gets booked as an operational loss. So if we talk about fraud loss, it's not being accounted for in the right bucket, I'll say.

The systems that are in place are kind of more reactive than proactive, and what usually happens is we wait for something to happen to put a system in place. So fraudsters are always one step ahead, and that has been the norm of how things have been working out.

Another reason why systems miss the signal is especially in terms of payments. Okay, let's look at onboarding. There are so many things we can do at onboarding. We can do all types of ID verification, so on and so forth, and we have a good amount of time to catch these bad actors.

At the time of payouts, you don't have that luxury. So if it's an instant payment, the money is out. And even if you catch or flag, "Hey, that was a fraudulent transaction," there's no way to get the money back.

So most of the systems that are in place are being pushed upstream. The idea is, hey, let's try and catch the bad actors before they enter the system because it is very difficult to catch the bad actors when the payout is happening because of the timeframe and the window.

The other reason is that companies or platforms, or anyone who's building a good product, want to reduce friction as much as possible when the user is actually making the payment.

So that's why everyone tries to push this process upstream as much as possible. The thing that breaks in between is that communication is broken. I agree that it should be upstream, but the systems are not in place for the right communication to happen between these two systems, and that's where I feel most products or most marketplaces actually miss this.

THOMAS TARANIUK: But when we're looking at businesses as a whole, marketplaces that are operating on their own out there trying to prevent fraud at the start, they're missing the entire big picture. What are some examples that you have of the mid- to long-term effects that this type of fraud can have on a business?

What are the long-term effects of payout fraud on businesses?

APURVA SHRIVASTAVA: I look at it in a different way. First of all, with fraud, we have to look at it from two sides. One is, "Hey, that's a monetary loss." The wrong person is getting the payment. And the second is: which market are we operating in, and what are the AML or regulatory laws there? From a platform point of view, it's not just about the wrong or bad actor getting paid, which can be used for any number of reasons, but also the system or platform being held responsible and being fined by regulators if we are not complying with the regulatory norms of that particular region.

So it's not just that, hey, it's a reputational hit where the bad actor is actually siphoning money out through your marketplace; you also get fined and penalized by regulators. So it's bad in every way possible. That is exactly what can happen.

But the second-degree effect of that is that, because we are putting all these systems in place, we are trying to do fraud checks upstream when we have a limited amount of data because, hey, someone is getting onboarded. So we are relying on a lot of signals that are external to this particular system, and we have no idea about their behavior, their patterns, so on and so forth.

And this leads to a large or a very high false positive percentage, where good actors are now being treated as bad actors. And that's where the major churn lies for your particular marketplace or platform. And that second-degree effect, I feel, is much more critical from a product manager's point of view: to keep an eye on how we can reduce that false positive rate.

THOMAS TARANIUK: Well, it's the classic scenario, right? We don't want to create too much friction that's going to annoy our customers and lead to that churn. But at the same time, we do need enough friction to stop these fraudsters from cashing out. Once they're through the gates, that's one thing. Cashing out is another. And given that these payout systems are designed for speed and a seamless experience, it doesn't make things easy for us. But it does make it easier, maybe, for the fraudsters.

So, Apurva, do some companies knowingly accept that this is the highest-risk point, but willingly let their guard down as well just to make things move faster?

APURVA SHRIVASTAVA: To an extent, yes, and there is more reasoning and rationale behind it than it sounds. So it's not a one-or-zero question usually when it comes to speed versus security, because what's happening is that most marketplaces try to do modeling. At the time of a feature launch or a product launch, they do all the modeling, and they come up with a particular, let's say, threshold.

That's the amount of fraud loss that they are probably fine with accepting when we are doing the trade-off with speed. And when I say fraud, it's not like the marketplaces, systems, or platforms actually know what exactly the fraud would be and they're still fine, saying, "Hey, let's go ahead with it."

But there is a margin of error where they're like, "Hey, in this particular category, we might be a little more vulnerable, but we are ready to accept that risk, and that risk might be X amount of dollars." But the challenge there, and what happens, is that fraud rates for new products are usually low because your product has not yet been discovered by fraudsters.

So there are two angles to it. A, your product is new, so the different types of fraud that can happen to the product are not known. So that is not accounted for in your modeling. And you account for, let's say, it being 0.002%, and at the end of one year, it might be more. And that's usually gradual, so it can be corrected over time and measures can be put in place. But that's one, I'll say, area where these systems falter. B is: how do you define acceptable loss?

And let's take the example of Etsy. Etsy, when it launched, was a very small marketplace, so they might say, "Hey, for us, an acceptable loss is, let's say, 500 grand for the entire year."

But if you look at Etsy's scale right now, it would have gone up. If they still had the same fraud-stopping processes, because the marketplace has grown to, like, a multimillion-dollar marketplace from a few thousand dollars, that threshold also increases by that much. So are we right in saying, "Hey, I'm fine taking a $10 million payout volume loss if I'm doing, like, $1 billion in transactions"?

Probably not. So, two things. A, the risk patterns do not catch what can come next because this field evolves at a rapid pace. Fraudsters come up with new rings, new patterns all the time. And B, how do you keep that moving target in check regarding your acceptable loss?

Those are the true trade-offs that, probably, when we are launching a product, a product manager should think of, and there should be guardrails around them.

Because, let's be honest, if I have to launch something, I can never be 100% sure that no fraud will happen on my system. So it has to be an evolving process where we keep an eye on both our acceptable loss and the types of risk factors. It's kind of a fine balance that products have to maintain because you cannot get rid of security at all, for sure.

Because in an ideal world, if I'm launching a product just for you, I won't have any security there. It will be as fast as possible. But at the same time, I cannot fall under the category where I might be fined by regulators. So there has to be a fine balance between what, as a platform, our responsibility is towards our sellers, buyers, and so on and so forth, taking into account what regulators are expecting us to do.

But, in the end, we need to ensure that we are super customer-obsessed, that we are doing the right thing for the customer, and that we are making it as fast as possible. So, there is no right answer there. There is a trade-off here and there, but it's very complicated in the sense that we have to have eyes on it all the time, ensuring that we know where the metrics are moving and what we are doing to keep those in check, especially the fraud rate and the loss.

THOMAS TARANIUK: Certainly complicated, and you've brought up some very, very interesting points as well. And it's complicated because the goalpost keeps moving, right? At the end of the day, fraud is dynamic, and so is the onboarding piece. It needs to be based on the region, based on logic such as the risk profiling of the user or business on any of these marketplaces.

But you've also mentioned something very important: guardrails, right? From our perspective, and maybe without giving away any secrets from Amazon as well, Apurva, what do you think are the points of friction you should be putting in place for the most crucial parts of the payment flow at the very last moment of that payout?

What points of friction should businesses introduce at the final stage of a payout?

APURVA SHRIVASTAVA: Good question. I have my own framework for it. Definitely not at all applicable to Amazon because that's usually not where I deal with. Let's look at it from the way things have evolved in the last one or two years, the GenAI boom, and how things have been evolving around that.

So I mentioned three phases where cash-out fraud happens, but if we look at fraud in a general sense, it acts like a combating fraud lifecycle. It starts with detection, then you basically decide what needs to be done, and then you do something about it, which is the act. So it's three stages: you detect, you decide, and then you act.

And the underlying layer there is govern, which is the regulatory stuff I was talking about, because your detection, your decision, and your action all have to be in compliance with the regulatory laws for that particular geography.

So what you are pointing to right now is, hey, what can we change at the act part, or that last section, so that these things are taken care of in a better way?

So historically, how act has happened, or how these things have been looked into, is that there have been three types of acts that we could have done.

Either you just allow the right user; the second is that you put them on hold for an indefinite time. Usually, there's no specific time. That's where your queuing happens if there are certain flags that are raised about a particular seller or a buyer, whatever. You have some human in the loop. They'll look at the queue, a ticket is raised, they'll do cross-verification, and then the transaction might continue.

Or the third one is block. You are absolutely sure this is a fraudulent activity, and you block it.

Now, when we take this framework into the payouts domain, it's either allow or block. There are not a lot of fancy ways to hold a payment because, as I just mentioned, there is no score that we do right now, or it's mostly a concept, where I can say, "Hey, let's hold on for a minute. We'll check something, and then we'll process this payment out."

THOMAS TARANIUK: Is that because regulators haven't prescribed these mandatory rules at the last step of, let's say, the payout?

APURVA SHRIVASTAVA: That is one reason, and that's a good point because the way I have seen this industry work is: A, either we'll be proactive if something is mandated by the regulator, or B, when something bad has happened, and then we retroactively work and say, "Hey, some systems need to be in place."

So, yeah, you are right. 50% of the reason is that there's no clear or absolute mandate around payout identity assurance. So that is one. But what I was coming to is the GenAI space, because now you can have systems in place that have a lot of context about your seller, about your beneficiary, where the payment might be going out, and all the historical transaction patterns and all the signals from consortiums and so on and so forth—telemetry signals, digital fingerprints. You can have all these signals together, and then you can now spread the act layer out from just three stages to multiple stages.

Your basic one could be, "Hey, everything is right. Allow." The second could be, "Hey, I can add a small amount of friction," which is fine when making the payment. And not just talking about the payment space, or if it's a regular transaction at a marketplace, you can put someone on hold for a minute, saying, "Hey, we are checking something," or, depending on the use case, whatever message you want to lay out.

Even if it's in the payment space, can we have those milliseconds of friction where we can go and identify or verify, reverify a particular node that you want to reverify? So it's like, hey, 99.9% of the signals are green. There is one orange blip, so we might want to reverify it before the transaction happens.

And when I say transaction, it can be a monetary transaction; it can be an actual purchase on a marketplace. So that becomes your guardrail there to stop even that 0.01% chance of fraud.

Then the second could be a step of verification. Probably won't work in the payment space, but can definitely work in the marketplace space, where you could just chat with a chatbot. They can ask you to upload a document or, let's say, take a selfie or do some kind of biometric check right there. And then, rather than putting you on hold or actually blocking you, we can have a step of verification, a confirmation step, basically.

And for payment, it can be, "Hey, can you just re-enter your account?" Right? Probably they just want to reconfirm what my account number is, and we can have this kind of step of verification to control fraud.

Then there are your regular holds, and then you can block and auto-block as well. So auto-block essentially means you're not relying on any human in the loop, and you are saying, "Hey, we are absolutely sure that this seller or this particular transaction needs to be blocked."

Now, again, coming back to the reason I keep coming back to the regulatory layer is because it runs across. You cannot have auto-blocks everywhere.

THOMAS TARANIUK: From the perspective of what you've just introduced as a couple of ideas, I would see it as, let's say, the merchants or these marketplaces, such as Amazon, would rather die before they add friction at the checkout because it's the last mile, right?

But, I mean, at the end of the day, with the user acquisition costs for certain products or services, adding anything that puts friction in their way at the very last moment of that user acquisition for a product or service may, in turn, stop users from purchasing. It's a balancing act, right?

And it's a really difficult balance to get right. So what would you say is the biggest blind spot that you see in the industry?

Blind spots in the marketplaces industry

APURVA SHRIVASTAVA: Let's take the example of credit cards, right? Credit card payments are instant, and the credit rails always have risk scores that run in parallel. So it's not something that happens after you are trying to make a payment.

It happens in parallel. You have your credit risk. So, on credit rails, your risk score actually exists even today. And there, you see that if they identify any kind of fraudulent activity, they'll put a hold on it in terms of payments. So the architecture is proven. It's just not yet applicable or applied to payouts.

So when I say there needs to be a system in place, when we talk about payouts or disbursement-time identity assurance, ensuring that we are paying the right person, it has to involve as little friction as possible or no friction at all.

So we need to have systems running in parallel to come up with the right identity at the time of payment and only flag if there is a substantial drift.

The concept exists, the architecture exists; it's just not applied yet at the payout stage. And the reason why it's not is the exact point that you touched upon, which is: what is the blinding factor?

And I call it velocity blindness because what it essentially means is that we already talked about onboarding being in one silo because it comes under the fraud domain, the onboarding team's domain, or the registration domain. Payouts sit with payments, and there are multiple systems that sit between them, and there's a lot of knowledge loss by the time we make a payment in terms of the identity of the person from the time they were onboarded.

So this particular lack of visibility into what has happened between when an account was created and when we are trying to make the payment is essentially the biggest blind spot.

So we have no clue. And, again, this is probably not applicable to smaller marketplaces. These things are being resolved right now because this is one of the biggest issues in the industry right now: "Hey, how can we have all these signals and the drift? How can I calculate the drift between onboarding and while the payouts are happening?" And that is the biggest unlock that we are looking forward to.

Now, what usually happens is that at the time of payouts, or whenever a payment is happening, we kind of use different velocity rules. What does that mean? We have a lookback window.

Hey, before the transaction happens, how many transactions have happened in the last 24 hours, the last 30 days, or probably the last 60 days? And we try to derive patterns around what kind of transaction this might be or whether it can be a fraudulent transaction.

But what signals we don't have are, "Hey, can it be a case of account farming?" How would I know that? I need to have that signal propagated from the onboarding fraud models to the payout model.

Now, if there is no system that exists to either ingest that particular signal, then it fails, because how would the onboarding models tell some model down the line that, "Hey, this might be a case of account farming. This particular account has been dormant for, like, 90 days. There has been no transaction."

And it kind of fits the profile where we might see a burst execution because the payout system is now functioning in a silo. It has no clue that this can be a problem.

What we do is we kind of do a lookback and say, "Hey, the last 30 days, 90 days—maybe no transaction, maybe one transaction. Doesn't look like it can be a fraudulent account."

So what we need to come up with is something we call CISI. And it's not—again, whatever I'm speaking about, I just wanted to—I should have put the disclaimer out. It's nothing related to Amazon. These are all concepts that I'm trying to wrap my head around.

We should have some kind of cumulative identity state index that measures the drift across the full account lifecycle. Because we need to ingest all these signals about what account activity is happening, and it doesn't just have to be related to payments: when an account has been added, when a new payment method has been added, how many times the payment methods have been updated, what kind of listings this particular person has, what kind of buyer transactions are happening, so on and so forth.

And we also need to ingest signals at payouts from all the different middle layers that we have. So, for example, if there is a marketplace, let's take the example of Plaid at onboarding for a particular marketplace. I think in the US especially, most of them use Plaid to give sellers the option to link their bank accounts to their accounts, right?

Now, Plaid is connected to all the major marketplaces across the US. If they see a particular seller or a particular fraud pattern happening through Coinbase channels, do they have the capability? And if they do, do the other marketplaces have the capability to ingest those signals and say, "Hey, we see similar kinds of patterns on Etsy and eBay as well, so we might want to look out for these particular types of sellers because this type of fraud is happening right now at Coinbase and has just been caught."

So we have to take all these consortium signals, all the account signals, and when we are making the payouts, that risk score should be ready. Today, it is not. There is no concept of it. What we have is probably just transaction history, and we try to judge based on that.

So this type of blindness, or velocity blindness, is probably the biggest unlock in the payout space that needs to happen.

And after that—I think I should have covered this concept earlier—you come to that phase, right? Now, if I have all these signals, I can be very smart in designing my UX to have as little friction as possible because you're looking at it from a friction point of view.

But if you think about it, the false positive rates, which I talked about, 19%—those 19% of sellers today are getting either put on hold or blocked.

We are saying, hey, our model is now so much more advanced that the right sellers who were transacting earlier are still transacting, so there is no stopping them. The false positive rate of 19%, I want to probably reduce it to, like, 1 or 2%.

So now I have 17% more sellers who were actually earlier put on hold or blocked going through a less friction-heavy experience. It can be a step of verification or, like, a soft friction, and we can have just 1 or 2%—again, just a margin of error—as false positives. And we also have to ensure that the bad actors are getting caught, so we are not even touching that.

But we are more sophisticated in terms of identifying whether it's, like, a 100% block or whether it can be a case of identity theft, so let's put this particular transaction or seller on hold.

So we are making our system more sophisticated and trying to reduce false positives rather than adding friction. So we have to look at it from a different lens. We have to ensure that the right sellers or the right—I keep coming back to sellers, but whatever that marketplace is—the right players are getting the best experience possible, and the bad ones are getting caught. And that middle part needs to be as small as possible.

THOMAS TARANIUK: Definitely the case, and it's really interesting, of course, looking at the cumulative identity state within this velocity blindness. I think there are some good points that you need to monitor everything from the initial KYC, the first transaction, to everything thereafter, because the person can literally change into a fraudster, or their behavioral state can change.

And from the perspective of, let's say, breaking down a few of the points that you've mentioned, I would love you to basically go through how the risk scoring you mentioned works in practice.

How does risk scoring work in practice?

APURVA SHRIVASTAVA: Small disclaimer there. I don't know how it works in practice, but I have opinions on how it should work in practice because the interpretation can be different for different marketplaces. There are so many factors, like what kind of marketplace you're running, whether it's a two-way marketplace, a three-way marketplace, or whether it's something like a P2P marketplace like Facebook Marketplace.

Then the second variable is where you're running this particular marketplace. Which geography is it in? If it is in multiple geographical locations, then there are so many complications that come with it.

But the concept there is: we have something—we have to keep in mind that we have a credit risk score, so we need a disbursement identity assurance score, essentially.

There are four key pillars and/or signal categories that we should keep in mind, and this will, again, evolve and take shape based on your marketplace and geography, so on and so forth.

So the first one is seller identity drift. I call it seller identity drift, or whoever your primary actor on your marketplace is.

So we have device fingerprints. What kind of activities or listings is this particular account doing? What is the authentication pattern that they have used to authenticate themselves? Their geolocation, if it is moving.

There are companies, there are startups, that actually track fraud just based on your geolocation. So what kind of geolocation shift is happening with this account? What movements are taking place for this particular seller, which are kind of encapsulated in your device fingerprint?

And this is on top of your regular KYC ID verification and onboarding for the seller. We need to have all these signals, and we probably might want to rely on different consortiums to get these signals in place in your model that specifically comes up with this risk score for disbursement.

The second one, which is something missing in a P2P marketplace, is the beneficiary signal.

The most important is the account age. If you have to catch mule accounts, the account age becomes super critical. Whether they are first-time recipients. Again, there are so many signals coming out of consortiums.

If there is a list of mule accounts, what kind of proximity do they have? What network proximity do they have? What are the patterns evolving in these types of fraud?

So we need to be on top of all of these signals, especially for the beneficiary as well.

The third one is pretty common. It's your transaction patterns. You have to have a correlation between your transactions. Again, it goes like, "Hey, what is the amount versus the lifecycle average? If there is, like, a huge spike, why is it there?"

If we have seen a velocity burst, because fraud patterns keep changing, it's not like a velocity burst will happen and there'll be, like, 1,000 payouts and then the account will be done. Sometimes it's like, "Hey, probably 50, and then 50."

But sometimes 50 for a bigger marketplace may look like a smaller number, and we are ignoring that. So all these transaction patterns and the correlation between your sender and beneficiary patterns need to be tracked and ingested as important signals.

The final one is contextual signals and, for example, the consortium signals that I've been talking about.

We need to treat them as fraud features and also treat all the internal contextual signals, like your platform event timing, channels, payout method changes, so on and so forth. So that's the fourth pillar that becomes super critical.

THOMAS TARANIUK: You've mentioned regulation a couple of times, and I do want to come back to that. Over the course of this episode, we've alluded to regulations and regulators as well, from the G20 to the FATF (Financial Action Task Force) and to regulations implemented by organizations such as the EU. Why does the industry remain so reactive, even though everyone across the board knows that the risk is shifting towards the payout?

APURVA SHRIVASTAVA: There is no right answer to that, but there are multiple reasons why it's more reactive. If you think about fraud in general, my thinking is that you have to be right as a platform every time. The fraudster has to be right only once.

So the job of the fraudster is to come up with new ways, new innovative ways, and, especially with AI and GenAI, new patterns or new techniques where they can siphon money in some way or another.

Risk, in general, and the way the industry has evolved, is that we look at what has happened and what might happen. And then we try to have guardrails around it. So it's always a catch-up game. And the reason why it's a catch-up game, why we are always behind, is that throughout the podcast, we talked about the visibility loss.

Within the platform, we don't have visibility into all the signals that we need to ingest to either look at payout fraud or even onboarding fraud. It's a constantly evolving field, and we are on top of it. But again, as I said, the fraudster has to be right just one time.

The other thing, specifically for payout fraud, is, again, that it's looked at as an operational loss, and we have to change that mindset and treat it as a fraud loss and connect these dots together so that the visibility problem is, first of all, tackled, which becomes the most important thing.

THOMAS TARANIUK: From the point of view of the regulatory landscape, being a big proponent of whether or not businesses pick up certain activities to drive out fraud, do you think enough is being done right now, or could more be done around the payout stages? Or the monitoring of risky behaviors among these marketplaces?

APURVA SHRIVASTAVA: If I talk about regulations, how do regulations work? These are usually written in response to documented losses or perceived losses that might occur with the advancement of new technologies.

So the regulators anticipate that these kinds of attacks might happen, these kinds of advancements might happen, and then they put out a regulation, which is pretty much in layman's terms. And then it is up to every marketplace, every platform, to interpret it for their own systems and decide how they want to implement those particular regulations.

So if you see the entire structure there, it's mostly reactive. It is reactive because, again, we don't know what new fraud pattern might emerge, and both regulations and the systems we come up with are totally dependent on what we have seen so far.

There might be some kind of anticipation, but then again, it comes to the question: in this day and age, everyone has a limited budget, so where do you want to invest?

And then comes your trade-off, coming back to your speed and security and feature launch. There's one more variable added there. So I'd probably rather want to invest more in my core capabilities than keep adding to them by thinking about what kind of new fraud might come up.

THOMAS TARANIUK: Certainly.

APURVA SHRIVASTAVA: That's why it's more, I'll say, reactive.

THOMAS TARANIUK: Let's say the fraudster has gotten as far as the point of cashing out. I guess you're sort of the last line of defense, right? So what makes holding that line incredibly difficult as it stands? What's the most difficult part for you personally within your job, Apurva?

Why is stopping fraud at the cash-out stage so difficult?

APURVA SHRIVASTAVA: The biggest challenge is that we know these systems are there. These are working in silos. The data is there. We can come up with this particular score. But what is the driving factor? How do I make a case for this to become any organization's top-line or most important priority? Or, let's say, how can I get investment from my leadership into this particular thing?

Because, let's be honest, if I'm running a company and someone comes to me with this and I'm saying, "It's fine. The systems that are in place are catching almost 98% of the fraud," I probably will focus on something else rather than catching 2% of the fraud.

If that's the case, where do you draw the boundary of what is acceptable loss versus what is not?

So, that is a big challenge. It's more or less to do with organizational consensus to act on something before a loss happens. But this is, again, given what kind of losses we have seen and what kind of fraud patterns we have seen. Now, the second part is: how can we be smart enough to anticipate, along with the regulations that are coming into place?

Because regulations, even though they look at what has happened, are kind of forward-looking as well. And, for example, there's the EU AI Act that is coming up in August. So it is not like something has happened. It's more forward-looking.

How can we accumulate that data and come up with the right case so we protect our platform and the marketplace from foreseeable risk?

And that is where it becomes—that angle becomes super critical and difficult to make. It's like, "Hey, if I'm Coinbase, and if there are some kind of crypto regulations coming up or I feel might come up, can I make the right case to make sure that business continuity is not hampered?" I'm not talking in terms of technical lines, like what's the hardest part of holding the line. But actually, in the day-to-day job, the hardest part is anticipating what might happen in the future.

And that's the whole catch-up game, and that's the whole blame the industry actually takes. They say, "Hey, why are you always more reactive, not proactive?" Because it is not very easy to be proactive.

So you have to take signals into account because not every measure exists in every company or every marketplace. So you have to see, based on your marketplace, what measures you have and what your competitors have. Do you see any kind of signals from there? Do you see any signals from regulators that you feel might impact your platform or marketplace?

You basically have to have a score, or you have to have some basic spreadsheet score, showing where your platform or your marketplace is in terms of dealing with these bad actors versus where it should be. And gauging that delta is not very easy because usually the mindset is, "Hey, do we wait for something to happen to make the case, or can we be more proactive and look at these signals?"

THOMAS TARANIUK: We do say proactive a lot, but it is essential. And it does sound like you've got your head screwed on, and everything at Amazon is planned for these sorts of measures and in place. But by the time most systems for most companies find out something is definitely wrong, the money's already gone, right?

APURVA SHRIVASTAVA: Yeah.

THOMAS TARANIUK: What's stopping all of these other companies from taking this approach, such as what you've built through these systems, proactively looking for risk on an ongoing basis, right? If it's already so obvious to us.

APURVA SHRIVASTAVA: It's the same question. If I'm a startup, I have limited funds, I have limited resources. It's a straightforward question of prioritization. If I'm a single-stack company where I am competing with N number of different other startups to launch a particular feature, and if I have 10 resources, do I want to spend, like, one resource out of that on combating that additional 1 or 2% of fraud?

Because, let's be honest, what does that 1 or 2% number look like? For a marketplace that is worth $10 billion, that 2% is huge. And regulators have their eyes on you.

2% of that particular $10 billion number can mean anything if that money is used for, like, terrorism. We have counter-terrorism financing laws, so on and so forth. Versus if someone is doing, like, $1 million, what does that 2% look like?

So that's where, when we discussed speed versus security, scale becomes super important. And that's why I keep coming back to it, because it's so subjective where you are as a marketplace in terms of scale, in terms of geography, in terms of whom you're dealing with, what kind of payouts, in which geographies, in which markets.

There are so many factors that go into deciding whether, right now, we should invest in stopping more fraud or building the next feature, which might change our position entirely.

So the question is simple, and the answer is also simple. It's a simple prioritization rubric or metric, but the reasoning behind that prioritization is much more complex: when is the right time for a company to invest in stopping more fraud versus launching the next new feature?

THOMAS TARANIUK: Excellent. I think those are some really interesting points as well. And prioritization within a big organization is easy because you can allocate a lot of resources from different teams. But as you mentioned earlier in the episode, these teams aren't speaking across KYC and onboarding, which creates a fragmented journey, fragmented analytics, and disjointed reactions.

And if you want to be proactive, right, you need to find out and have all of these included—all of the identity signals, all of the fraud signals, and all of the intent signals as well—within one journey.

To finish, Apurva, I've really enjoyed this podcast. We want to get to know you a little bit better as well. So I have five quick-fire questions for you today. Apurva, are you ready?

Quick-fire round

APURVA SHRIVASTAVA: Yeah.

THOMAS TARANIUK: Excellent. If you could ban one risky behavior online, what would it be?

APURVA SHRIVASTAVA: Probably, I want technology to be at a stage where we're not doing any document-based verifications anymore. It should be a live detection, biometric kind of check. So get rid of all the legacy ways of checking the identity of a person.

THOMAS TARANIUK: Biometric and then also retina scans, and that's basically it. Is that what you want?

APURVA SHRIVASTAVA: Yeah. The future is here.

THOMAS TARANIUK: Excellent. Have you ever been a victim of fraud yourself, Apurva?

APURVA SHRIVASTAVA: Yes, once.

THOMAS TARANIUK: We can do a quick-fire story time. I think that's okay.

APURVA SHRIVASTAVA: All right. So that was not at a marketplace, but more of a call fraud, where the person was impersonating an FBI agent. I was new to the US. The good thing is I didn't have enough money, so it was not painful. But yes, I kind of almost was drawn into paying whatever I had to get rid of it.

THOMAS TARANIUK: Oh, God, Apurva, I'm so sorry to hear that. What's one thing about fraud prevention that the public always underestimates?

APURVA SHRIVASTAVA: The importance of it. It is always treated as a last-mile check or something that has to be done because, again, regulators are asking for it, or we ought to do it. But it needs to be more upstream in the thinking when building features and products.

THOMAS TARANIUK: That's certainly the case. From the perspective of our next question, it's quite interesting. If you had an extra million pounds to spend on fraud prevention tomorrow, where would it go?

APURVA SHRIVASTAVA: Well, if I had an extra million pounds, I'd probably not spend it on fraud prevention.

THOMAS TARANIUK: If I forced you, though?

APURVA SHRIVASTAVA: I don't have a very good, to be honest, very good answer to that £1 million question because it totally depends on whether I'm looking at it sitting in a bigger company or a smaller company, because the problem statement looks super different. If I were at a bigger company, I would want to solve it within the company through systemic changes, and I'd probably just spin off a separate team altogether. Because we talked about the hardest part: it's building consensus. If I have the money, okay, fine, we don't have to build consensus, and we can go ahead with it. In a smaller company, I'll probably just look to outsource the entire problem to someone else.

THOMAS TARANIUK: Certainly the case. With bigger companies, you're spending money to save money as well across the board, and even that small percentile is a big shift.

APURVA SHRIVASTAVA: Yeah, that's a big shift.

THOMAS TARANIUK: Now that you have a million in your back pocket, or rather spent on fraud prevention, if you could have any other career other than the one that you're currently in, what would it be?

APURVA SHRIVASTAVA: If you ask me about anywhere, I'd probably go back to sports, but that's totally unrelated to the fraud space. If I have to still be in the industry, I'd rather try to take the role of a regulator at some point because I feel they play a very crucial role, but they are not as active or proactive as they can be.

THOMAS TARANIUK: Well, sports is one we hear quite a lot. Regulator, or becoming one, is not so much.

APURVA SHRIVASTAVA: Again, totally, if you forced me to be in this domain. Otherwise, never.

THOMAS TARANIUK: Excellent. Well, fraudsters don't need to beat every control, do they, Apurva? They just need to reach the moment where money moves faster than the risk signals do or the regulators do.

So it'd be good to have you in that position as well. Apurva, thank you so much for joining us on this episode of What The Fraud?

APURVA SHRIVASTAVA: Thank you so much, Tom. It was fun.