In his presentation at RiskConnect Virtual 2020, Jonathan Lusthaus, Director of the Human Cybercriminal Project at Oxford University, explained how cybercriminals have overcome the trust problem to cooperate and build an illicit shadow economy on a grand scale. We examine the learnings for risk professionals.
In the cybercrime underground, where partners are anonymous and other criminals could rip you off at any point, who do you trust? You can’t necessarily involve the police, enforce agreements legally or visit partners to enforce them physically. This presents huge challenges for doing business.
Acquirers and payment service providers (PSPs) are operating under similar constraints in knowing whether they can trust prospective merchants. Low start-up costs mean that e-commerce merchants in particular can establish themselves in new locations – overnight in some cases – and disappear just as quickly. The quasi-anonymous platform, lack of a centralised legal authority and difficulty of enforcing contracts on the internet further exacerbate the risks.
As a result, cybercriminals may be expected to operate alone or in small groups. But as Lusthaus made clear, the opposite is true. There’s been a huge level of collaboration between cybercriminals. They’ve managed to overcome the problem of cooperating in a low-trust environment, leading to the industrialisation of cybercrime.
Cybercriminals have looked to the legitimate economy for ways to solve the trust problem. The three most important cooperation mechanisms they’ve adopted are reputation, performance and appearance.
Reputation is built up over time. The longer you’ve known and worked with someone, the better because you build up a history and track record with them. Cybercriminals don’t want to work with strangers online. They want to work with people that they know. Or who are known to people they know and trust, explained Lusthaus.
Cybercriminals use recommendations and referrals from their network, just as in the legitimate economy. They also do background checks and consult product and vendor reviews on underground forums. Lusthaus described these marketplaces and forums as lowering the cost of doing business by “institutionalising the reputation process” with qualitative reviews published to forum members. “They’re not getting rid of the risk entirely, but they’re certainly making it easier to assess, without having to put in a huge amount of work for every single transaction.”
If you’re looking to sign a particular merchant, find out what customers, employees, suppliers, shareholders, journalists and others think of them. A lot of information about a merchant’s reputation is in the public domain online and easily searchable. Make this part of your customer due diligence checks.
Start with social media. Scrutinise the merchant’s own accounts on Facebook, Instagram, Twitter and local sites. Note anything inconsistent with what’s on the merchant application form. Legitimate businesses generally do not seek anonymity. So, having no social media presence is unusual and should raise a red flag for follow-up.
Online complaints boards, such as www.complaintsboard.com or www.ripoffreport.com, are where customers can file complaints about deceptive marketing practices, unauthorised charges etc. that they’ve experienced from particular websites or businesses. Review the nature, number and age of such complaints in the context of the merchant’s overall business volume.
Check with trading standards websites whether the merchant or anyone associated with the business is listed. Regulators and professional bodies also publish details of enforcement actions, and lists of members that have been fined, warned or prevented from practising, on their websites. Similarly, consumer associations such as Truth in Advertising, the Better Business Bureau and the Federal Trade Commission are useful sources for online complaints and consumer protection actions.
Recruitment websites can give an idea of whether a merchant is hiring for particular roles. Is this consistent with other information you’ve ascertained? Employee feedback websites, such as Glassdoor, allow current and former employees to review companies. This gives underwriters another angle on the inner workings of a merchant’s business.
Don’t forget the national, financial and trade press for information on your merchant, their industry and peers. Perform negative news scans on the merchant and people associated with it. Details of criminal convictions, bankruptcy or customer complaints are useful for informing your risk exposure. However, assess the reliability of the source, the age of reports and whether this could be attributed to public relations or the efforts of commercial rivals.
Performance is generally a display of ability, skills or experience. According to Lusthaus, cybercriminals demonstrate prowess by posting tutorials on marketplaces or forums, providing product samples or agreeing to small trades. This may grow into a larger cooperation over time.
“This shouldn’t be particularly surprising to us because it’s how we would operate in the legitimate industry as well. You start small and build up because that lowers the risk. You’re learning as you go and hoping that you might find out if there’s negative information, or if you’re just not happy with the service or goods provided. You might cease the cooperation and move on,” explains Lusthaus.
The parallels with merchant underwriting are obvious. Underwriting isn’t just a point-of-entry activity; monitoring is a crucial component. After all, it is not until merchants start depositing transactions that you know if your initial risk assessment was correct. Web Shield research shows that 57% of e-commerce merchants change their offering within a month of securing an acquiring contract. So, the days and weeks after on-boarding a merchant should be a time of heightened vigilance and monitoring.
Lusthaus explained how underground forums have institutionalised the performance mechanism, too. A forum official evaluates vendor products or services on behalf of the community, assigning them labels such as ‘reviewed’ or ‘verified’. This type of quality kitemark lowers the costs of doing business. Individuals don’t have to evaluate each vendor themselves prior to working with them.
The card schemes operate in a similar way by compiling certified vendor lists. For example, Web Shield is listed as an official Mastercard Merchant Monitoring Service Provider. Mastercard principal members can expect assessment mitigation when they use and register Web Shield solutions.
More appearance than substance?
Appearance at its simplest level is what someone or something looks like. The problem in the cybercrime underground is that people don’t use their real names, but rather nicknames or online aliases. It’s difficult to tie online personas to a real-life person. When it comes to appearance, cybercriminals really value nationality as evidenced by language proficiency and time spent online, according to Lusthaus’ research. Both are hard to fake.
Applying these principles to merchant underwriting, acquirers should be on the lookout for inconsistencies. These are things that don’t quite fit together. Or things an underwriter may have been expecting to see but that aren’t there. One of the biggest risks in this area is bust-out fraud, where a bad merchant tries to appear good. After a period of normal trading, the merchant deposits a large amount of illegitimate transactions, withdraws the cash and then leaves their acquirer to cover the chargebacks.
The antidote is good due diligence. Review the merchant’s application form, website, location and operations to thoroughly evaluate the merchant’s business background and owners. Next, check the functional set-up and disclosures made on the merchant website. What is being sold, to whom, how and where?
Cross-reference this with information supplied by the merchant and verify. Underwriters should be aware of merchants trying to set up shell companies with the intention of cheating them. Check where the merchant does business and pays taxes, where the owners and customers are located, and whether the business is registered in the same place as the merchant’s correspondence address. Is this consistent with the language of their website and marketing materials?
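As an added illustration (not code from the article or from Web Shield), here is a simple post-onboarding monitor for the bust-out pattern described above: a merchant trades normally, then suddenly deposits a large volume, after which chargebacks arrive. The thresholds, record format and sample deposit history are constructed assumptions.

```python
"""Added example: flag the bust-out pattern in a merchant's daily deposits.
Two signals are used: a deposit-volume spike against a trailing median
baseline (leading signal) and the cumulative chargeback ratio (lagging
signal). All thresholds and the sample data below are assumptions."""
from statistics import median

SPIKE_MULTIPLIER = 4.0          # assumption: 4x the trailing median is suspicious
BASELINE_DAYS = 7               # assumption: need a week of history before judging
CHARGEBACK_RATIO_LIMIT = 0.01   # assumption: >1% chargebacks-to-transactions flags


def bust_out_alerts(daily):
    """daily: list of (day, deposit_volume, chargeback_count, txn_count),
    in chronological order. Returns a list of (day, reason) alerts."""
    alerts = []
    history = []            # trailing daily volumes
    total_cb = total_txn = 0
    for day, volume, chargebacks, txns in daily:
        # Leading signal: today's volume versus the trailing median.
        if len(history) >= BASELINE_DAYS:
            baseline = median(history[-BASELINE_DAYS:])
            if baseline > 0 and volume > SPIKE_MULTIPLIER * baseline:
                alerts.append((day, f"volume {volume:.0f} is "
                                    f"{volume / baseline:.1f}x trailing median {baseline:.0f}"))
        history.append(volume)
        # Lagging signal: chargebacks accumulate against everything deposited so far.
        total_cb += chargebacks
        total_txn += txns
        if total_txn and total_cb / total_txn > CHARGEBACK_RATIO_LIMIT:
            alerts.append((day, f"cumulative chargeback ratio "
                                f"{total_cb / total_txn:.1%} exceeds limit"))
    return alerts


# Constructed sample: ten quiet days of ~1,000 per day, then two days of
# heavy deposits, then the merchant goes silent and the chargebacks land.
SAMPLE = [(d, 1000.0 + 50 * (d % 3), 0, 40) for d in range(1, 11)]
SAMPLE += [(11, 9000.0, 0, 300), (12, 12000.0, 0, 400),
           (13, 0.0, 25, 5), (14, 0.0, 40, 10)]

if __name__ == "__main__":
    for day, reason in bust_out_alerts(SAMPLE):
        print(f"day {day}: {reason}")
```

In this sample the volume spike fires on days 11 and 12, before any chargeback is seen; the chargeback ratio only catches up on day 13, which is why the article stresses monitoring in the days right after on-boarding rather than waiting for disputes.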
How Web Shield can help
Web Shield has added some new features to its InvestiGate and Monitor platforms to help make customer due diligence and record-keeping quicker, easier and more effective.
UBOReveal retrieves all corporate documents necessary to identify the merchant’s ultimate beneficial owner. This includes documents relating to the merchant’s business, but also those of its parent and any further holding companies, until we get to the bottom of the ownership structure. The UBOReveal Report can easily be added to each merchant file to satisfy record-keeping requirements.
If you want to see more content from industry experts like Jonathan Lusthaus, RiskConnect Virtual 2021 will go online on 26th October 2021! As in the year before, it’s free to register and attend.
All content of RiskConnect Virtual 2020 is still available on our Online Academy platform. You can always dive back in by logging in here.