AI transcript
0:00:05 The content here is for informational purposes only, should not be taken as legal business
0:00:10 tax or investment advice or be used to evaluate any investment or security and is not directed
0:00:15 at any investors or potential investors in any A16Z fund. For more details, please see
0:00:22 a16z.com/disclosures. Hi, and welcome to the A16Z podcast. I’m
0:00:27 Hannah, and this episode is all about synthetic fraud, a new evolution of consumer fraud that’s
0:00:32 emerging in financial services to the tune of $1-2 billion a year.
0:00:36 In this episode, Naftali Harris, co-founder and CEO of Centelink, which builds technology
0:00:41 to detect and stop synthetic fraud, talks to me and A16Z operating partner for information
0:00:46 security Joel de la Garza, all about what this new kind of fraud is, including the life
0:00:52 cycle of this long con, how these synthetic identities get made, incubated, and finally
0:00:57 busted out, and some of the wildest stories behind the strange fraud rings he’s seen.
0:01:02 We also touch on why this new fraud is on the rise, who the true victims are, and at
0:01:06 the end of the day, what the foundational security issue at the heart of it all truly
0:01:11 is. We’re here to talk about synthetic fraud, which I have to confess I didn’t even know
0:01:15 what that really meant when we first started talking about it. What does synthetic fraud
0:01:18 even mean? Almost no one hears about it in the public
0:01:22 outside of financial services industry. I hope that neither of you have been the victim
0:01:23 of identity theft. I have.
0:01:29 Okay, I’m sorry to hear that. And if you haven’t, you probably know someone that has been.
0:01:32 And so the general public is very aware of identity theft because there’s that consumer
0:01:38 victim. With identity theft, you’re stealing a real person’s identity. With synthetic fraud,
0:01:41 you’re saying, forget the real person, I’m going to make up a totally fake one.
0:01:44 And that means like fake from the very ground up.
0:01:49 Yeah, from the ground up. So a fraudster will use a synthetic identity, so a made up, named
0:01:54 date of birth, an SSN combination in order to open up an account with a bank or get a
0:01:58 loan from a bank. The key thing here is that there’s no one record, there’s no one one
0:02:02 actual person that it all belongs to. And then what they’ll be able to do is actually
0:02:07 acquire quite a bit of credit, take out a lot of loans, usually a few tens of thousand
0:02:13 dollars from every major bank and lender, and then use that to get a lot of money and
0:02:14 not repay any bit.
0:02:19 How prevalent is this kind of fraud in the industry? I mean, how much is this happening
0:02:21 versus like we all hear about identity theft all the time?
0:02:25 So this is actually one of the super interesting things. So we’ve added up the losses across
0:02:29 the industry and within lending, it’s somewhere from one to two billion dollars a year of losses
0:02:30 annually.
0:02:34 Wow. And how aware of it are the banks? At what point do they catch on?
0:02:38 That’s also one of the really interesting things because there is no consumer victim.
0:02:42 The banks have a really hard time figuring out which of their losses are attributable
0:02:46 to synthetic fraud as opposed to somebody that had a hardship or lost their job.
0:02:48 Oh, right. Same pattern of behavior.
0:02:52 Exactly. With identity theft, what happens is somebody opens up an account, they get
0:02:56 a new credit card, they steal a lot of money from the bank, and the way the bank finds
0:03:01 out about it is eventually the victim contacts them and says, “Hey, I didn’t take out this
0:03:04 credit card. This wasn’t me.” And they’ll sign an affidavit and then the bank will realize
0:03:09 this was an actual victim of identity theft as opposed to someone that just had a hardship
0:03:13 and took out more money than they should have. And with synthetic fraud, all the bank sees
0:03:19 is a large set of people that haven’t been making payments for the loans, and they have
0:03:23 a really hard time of figuring out which of these are people that have had some toward
0:03:26 of local economic challenges.
0:03:29 Yeah. Legitimate need for the loan, basically.
0:03:32 Exactly. And which of them are people that were actually defrauding them?
0:03:37 Synthetic fraud is a relatively new-ish phenomenon. So I think it’s something that’s kind of
0:03:41 grown up. As banks have gotten better at spotting identity theft and credit freezes and those
0:03:46 sorts of things, it seems that that correlated to the rise in synthetic fraud. Identity theft
0:03:52 used to be ridiculously simple. If you think back 10 to 15 years ago, as bank fraud teams
0:03:55 got better, they got better tools to catch this kind of thing you had credit freezes
0:03:59 come to effect, it seems like the fraudsters pivoted in this direction.
0:04:02 Yeah, that’s exactly right. I mean, another big one actually is the rise of the EMB chip.
0:04:04 Oh, that is a factor in this?
0:04:09 Absolutely. Fraudsters are committing fraud as a business. And what they do is they gravitate
0:04:14 towards channels, so to speak, that are profitable for them. And it used to be you can make a
0:04:17 lot of money doing card skimming. The EMB chip made that a lot harder. So you saw a lot
0:04:23 of fraud move online to card not present fraud. So people stealing credit cards online. There’s
0:04:27 been a lot of great technology that’s arisen there recently, which has made that harder
0:04:32 to do. Still certainly happens as we all know. And then a lot of progress towards identity
0:04:36 theft and that’s gotten harder. And so they’re moving on to synthetic fraud, which is very
0:04:40 challenging for banks and lenders to detect and quite lucrative for the fraudster.
0:04:44 But can we just go back to like that moment of opening the account? Why is it so hard
0:04:50 to verify like an actual birthday against an actual name against an actual SSN? Like
0:04:56 if those things are not matching, why is that initial moment not the place to catch it?
0:05:02 So what most people don’t realize is that financial institutions, so banks and lenders
0:05:08 do not have a list of all name, date of birth, and SSN combinations in the United States.
0:05:11 A lot of people think that the credit bureaus have this list, you know, experiencing Equifax
0:05:17 and TransUnion, and they don’t have it either. Essentially, the banks and lenders believe,
0:05:22 certainly until recently, had believed that the three credit bureaus had lists of all
0:05:25 name, date of birth, and SSN combinations. So they, everybody’s thought somebody else
0:05:26 was doing it.
0:05:27 Exactly.
0:05:28 That’s absurd.
0:05:31 It’s quite funny, actually. And this is the way that fraudsters actually create these
0:05:37 synthetic identities. If you apply for credit with a name, date of birth, and SSN repeatedly,
0:05:41 the credit bureaus will believe that it’s a real person, and they’ll create a record
0:05:43 for this totally fake person.
0:05:48 Because they’re only tracking the applications, they’re not backing it up to reality.
0:05:50 Yeah, and they have no way of doing so.
0:05:56 I feel like we’re giving tips to everybody in the world. I don’t like how to create this.
0:05:57 Do not do this.
0:05:58 Exactly.
0:06:03 But that is such a gaping hole in the information flow, a weird blind spot that everybody else
0:06:05 just kind of assumes that…
0:06:09 Yeah, it’s pretty interesting. I mean, so banks and lenders believe that the bureaus have
0:06:13 records on everybody, and mostly general public believes that as well. The logic on the bureau
0:06:18 side is essentially banks and lenders have strong know-your-customer procedures, they’re
0:06:21 doing a great job of risk. And so consequently they say, “Oh, you know, everyone’s talking
0:06:26 about John Smith, that must be a real person.” But actually, nobody really knows here. And
0:06:28 so everyone’s pointing fingers at everybody else.
0:06:34 It seems like, actually, it was this gaping hole for quite a while, right? So why… Was
0:06:37 there always some level of this, and then it just spiked?
0:06:44 I think the interesting point is sort of the actual genesis of this whole situation, which
0:06:48 is that there is no source of truth for proofing identity. And that really lies at the center
0:06:53 of kind of a lot of these issues. There’s sort of a coordination and a collaboration
0:07:00 that has to happen in between entities that, while wanting to minimize fraud, these entities
0:07:04 are also competing with one another in a number of different product categories. And so there
0:07:09 isn’t always necessarily a line financial incentive for them to collaborate.
0:07:12 It’s always been possible, but the thing that’s really challenging about synthetic fraud is
0:07:15 it is such a long con. It’s challenging.
0:07:16 What do you mean by that?
0:07:22 It’s not sufficient to just make a fake identity. You can do that, and it’s pretty easy. But
0:07:28 when you do that, all you have is a person who exists on one of the bureaus, or all three
0:07:33 of them, but doesn’t actually have real credit to their name. No bank is going to give them
0:07:35 $100,000 or even $10,000.
0:07:38 Right. So it’s like me when I first got out of college or whatever.
0:07:42 Exactly. It’s like when you first entered the credit space. And so there are some fraudsters
0:07:46 that will just try to churn through $300 cards, but there’s not a ton of money in that. The
0:07:52 real money that the fraudsters are pursuing is getting access to all the prime credit
0:07:59 cards, to big auto loans, to huge unsecured personal loans. And that requires building
0:08:03 up their credit over a period of one to two years. Get some low limit credit cards, start
0:08:08 making a little bit of payment, build their credit. They do it quite aggressively because
0:08:12 they’re optimizing to when can they get to that 700 plus credit score or better, but
0:08:13 it does take a long time.
0:08:18 And I think that’s the answer as to why we hadn’t seen it in the past because in the
0:08:23 old days, you could go steal someone’s identity, open a line of credit, have access to that
0:08:27 credit within a week, maybe even a couple of days, depending on how you did the disbursement
0:08:33 of funds. But then sort of as people got better about reporting those things as consumers
0:08:37 actually started to notice when lines of credit were open for them, or they had credit
0:08:42 monitoring capabilities, the response time was a lot quicker. So you couldn’t necessarily
0:08:46 get those funds out in the amount of time. And so this is kind of the new process that
0:08:51 they’ve moved on to. And to the earlier point, like this does take some amount of time and
0:08:55 preparation. So creating lots of identities, going through the process of establishing
0:08:59 credit for them over a period of one to two years, and then getting to a cash out that
0:09:03 in the old days, you could have done in five days to maybe a month.
0:09:06 So a lot more work for that same size hit.
0:09:10 So the hit actually can be even bigger than for identity theft. So with identity theft,
0:09:15 you’re racing against the clock, because the victim will actually notice this at some point
0:09:20 and they will, they will say, this wasn’t me. And so they go back to the, to the bank,
0:09:24 they go to the lender and they say, stop doing this. And they’ll put a freeze on their cutter
0:09:29 report and so forth. But with synthetic fraud, there’s, there’s no race for the clock. There’s
0:09:35 no one who’s watching for this. There’s no one, there’s no one that, that is going to
0:09:37 notice this until they stop making payments.
0:09:40 Yeah. Are you seeing the synthetic fraudsters actually make payments?
0:09:41 Oh, absolutely.
0:09:42 Absolutely.
0:09:43 Wow.
0:09:44 So they’re, they’re taking out loans. They’re making the payments except for the initial
0:09:50 fraud of the identity. They’re not, the behavior is not caught, is not at that point doing
0:09:51 anything wrong.
0:09:56 So there are three phases in the lifetime of a synthetic identity. The first part is
0:10:02 the creation phase. So this is where a synthetic identity starts applying for credit a couple
0:10:06 of times. Oftentimes, we’ll actually start with any lender that does a poll from all
0:10:12 three credit bureaus. So most lenders only pull from one of the three bureaus. So TransUnion
0:10:17 Experian and Recofacts. But when you first create a synthetic identity, you want to get
0:10:22 that synthetic ID to have credit records on all three of the major bureaus. So one of
0:10:27 the things that we see synthetic identities doing is initially the first place that they’ll
0:10:32 apply for credit is anywhere that does a tri-bureau poll that pulls from all three of the major
0:10:33 bureaus.
0:10:34 They want immediately to disperse that information.
0:10:35 Exactly.
0:10:36 Okay.
0:10:42 So in this creation phase of the synthetic identity’s life, they will apply for credit
0:10:46 at places that do tri-bureau polls. They’ll sign the synthetic identities up for an email
0:10:49 address and for a phone number.
0:10:53 So it’s really, it’s becoming like a real identity almost in a lot of dimensions.
0:10:54 Yeah.
0:10:58 They’ll sign them up for social media accounts. So get them a Facebook or even better as a
0:11:03 LinkedIn or a Twitter. The reason being that later on, a fraud investigator is going to
0:11:08 be looking for this person and this gives them a little bit more legitimacy.
0:11:12 That is so much, that’s so much attention paid at that early phase.
0:11:13 Absolutely.
0:11:17 So one of the things that we’ve, we noticed with a lot of the fraud rings, the traditional
0:11:23 fraud rings was a tremendous amount of technical sophistication. So highly automated, really
0:11:28 well, a really deep understanding of not just the fraud controls, but the entire technical
0:11:29 stack.
0:11:34 With this kind of fraud, it seems very manual. It seems very kind of almost like an artisanal
0:11:35 form of fraud.
0:11:37 Yeah. It’s like a bespoke, like you literally create these lives.
0:11:38 Absolutely.
0:11:47 The whole cloth. So, okay. So that’s phase one and then the birth of the fake person.
0:11:48 Yeah.
0:11:49 Exactly.
0:11:53 So then in phase two, that’s the buildup phase. This is where it takes one to two years. And
0:11:57 in this phase, the synthetic identity is acquiring credit as quickly as they can. So often this
0:12:03 means getting small credit cards, introductory credit cards, and actually making oftentimes
0:12:09 the minimum payments, but anything that shows this person has a good repayment history.
0:12:13 Now when eventually down the road, this is discovered and people are presumably going
0:12:18 back to figure out, can you start tracing those payments when you look back and start
0:12:23 understanding where that money comes from and have like understanding into the fraud from
0:12:24 that route?
0:12:30 Well, those payments often come from bank accounts in the names of the synthetic identities.
0:12:34 Isn’t there a point when you open the bank account where you need more than those three
0:12:35 pieces of information?
0:12:39 You’re supposed to collect four. It’s technically name, date of birth, SSN, and address.
0:12:40 Okay.
0:12:45 It’s called the customer identification program. And you’re supposed to verify these things
0:12:49 in a number of different ways, but because there’s simply no way of doing it, a lot of
0:12:54 times people say, “Oh, they have a credit record that’s sort of sufficient.”
0:13:00 Most of the account opening anti-fraud stuff people do is focused on identity theft, which
0:13:03 has traditionally been the big account opening from a fraud.
0:13:09 But for account opening, if you want to prevent identity theft, what you’re doing is trying
0:13:14 to see whether the person submitting the application is the same as the identity that they’re using
0:13:15 to apply for credit.
0:13:21 So as an example, if you see John Smith apply for credit using naftaliharris@gmail.com as
0:13:22 their email address.
0:13:23 Problem.
0:13:28 Yeah, problem. Exactly. It’s probably not John Smith doing it. It’s probably naftaliharris.
0:13:35 But if you see John Smith applying for credit with johnsmith@gmail.com, then it looks fine.
0:13:40 But what if it’s actually naftaliharris that made John Smith and made John Smith at gmail.com?
0:13:44 Let’s go back to the life cycle. So we talked about the birth, then we talked about the
0:13:45 development.
0:13:46 Incubation.
0:13:52 The incubation, where is the moment where they die, where you generally get killed?
0:13:56 So that’s every fraudster’s favorite part of the life cycle. It’s the bust out. Once
0:14:03 you have a synthetic identity that has been making payments, which has gotten access to
0:14:07 higher credit lines. So at the end of that incubation period, the synthetic ID has a
0:14:11 credit score over 700 or 750 plus, or even less than 800.
0:14:12 Pretty good.
0:14:13 Yeah.
0:14:14 Yeah, they look great.
0:14:15 Yeah.
0:14:19 And they make every bank and lender, especially in today’s low rate environment, wants to
0:14:23 throw as much money at them as they can.
0:14:27 And so in the bust out phase, fraudsters acquire as much credit as they possibly can. They max
0:14:32 out any credit card they’ve had, and all of a sudden they just stop making payments. They
0:14:35 go from your model customer to your worst one.
0:14:39 They stop paying their loans, and then what happens next?
0:14:43 So someone stopped making payments, and so the bank starts pushing them through their
0:14:44 collections process.
0:14:46 So somebody starts calling.
0:14:52 Yeah, it’s usually, it’s a polite email, “Hey, John Smith. Notice you missed your payment.
0:14:54 Could you please do that as soon as you can?”
0:14:58 And then that becomes a little bit more stringent, and then it starts paying phone calls. In
0:15:02 some cases, the fraudsters will ignore it completely and vanish from the face of the
0:15:08 earth. And in that case, it’s uncollectable. In other cases, they’ll pick up the phone
0:15:14 and they’ll say, “Oh, I’m really sorry. I couldn’t make payments. I lost my job. I had
0:15:19 a hardship. Someone in my family got ill. I can’t make payments right now.”
0:15:20 And they buy some time.
0:15:24 And they buy some time, and eventually the loan gets charged off.
0:15:29 Why does this not, at that moment, trigger when you suddenly, your behavior suddenly
0:15:35 changes and you take a big loan? There are all sorts of legitimate reasons for that kind
0:15:41 of sudden big loan. But why is that not automatically getting flagged just for a little check at
0:15:42 that point?
0:15:46 To the earlier point, right? There’s a very big interest to grow your creditor base, to
0:15:51 grow the base of people you’re loaning money to. And in that process, friction is generally
0:15:57 found upon, right? It’s a risk determination. Some of these organizations, they’ve built
0:16:00 risk models that feel comfortable enough about the validity of this identity, and they make
0:16:06 kind of the business decision to take a risk on extending credit to them. And it’s probably
0:16:09 one of those things where they need to make some adjustments to that risk model.
0:16:14 So that’s, I would say that there’s probably some perfectly rational process-driven reason
0:16:19 why this is happening. Fraud, like most of these kinds of criminal enterprises, are very
0:16:24 much games of cat and mouse. And this is just sort of the mouse finding a way around the
0:16:25 cat in this instance.
0:16:29 So where in the life cycle do you guys try and intervene? Like, how do you look at this
0:16:33 life cycle? And where do you think is the weak point? And with what kind of tools?
0:16:37 The places where they really are experts are on the U.S. credit system. They understand
0:16:44 that very deeply, honestly better than probably a lot of people who have that as their careers.
0:16:50 They know who does a tribunal credit poll. They know how to get through the KYC processes
0:16:56 at different organizations. They know who is weak at the beginning. And so, at a high
0:17:01 level, the way we actually solve this problem is we have a team of risk analysts that manually
0:17:06 review transactions, looking for fraud, investigating cases, deeply trying to understand individual
0:17:11 fraud transactions, and understanding what is new in the fraud world.
0:17:16 And then on the other hand, we have a sister team of technologists, so engineers, machine
0:17:20 learning engineers, data scientists, who are taking the insights and the labels from the
0:17:25 risk operations team and using those to build production-alized machine learning models
0:17:28 that actually can detect this sort of fraud in real time.
0:17:32 It almost sounds like a detective agency on one side, and then building the tech on top
0:17:33 of the knowledge.
0:17:38 So, I mean, a lot of the tech is based on the fact that we understand synthetic fraud
0:17:42 extremely well. Different kinds of products naturally fall in one or different parts,
0:17:48 so like a high limit rewards credit card from a top 10 card issuer. Those will tend to get
0:17:53 hit towards the end of that process a little bit before the bust out. And so, in that case,
0:17:58 we have more history through which to actually identify an application as synthetic.
0:17:59 Right.
0:18:06 But we also work with card issuers that are trying to give cards to immigrants or to young
0:18:11 people even as early as in college. And there, we’re really playing at sort of the very beginning
0:18:14 during phase one or the very beginning of phase two to differentiate between those real
0:18:16 people and those fake people.
0:18:21 A big thing that we do is around clustering, connecting together applications that come
0:18:26 from the same fraud ring. So, for this form of synthetic fraud, most of it comes from
0:18:33 organized crime rings, and $100,000 per identity is great, but if you want to make a business
0:18:40 out of it, the fraudsters are a lot more ambitious. And so, they make a number of these different
0:18:43 synthetic identities and incubate all of them at the same time.
0:18:45 Oh my gosh, it sounds like the Matrix that way.
0:18:50 Yeah, it’s a lot of fake people. We’ve seen them be so ambitious as to actually make
0:18:51 families.
0:18:53 So, they’ll have like a mother…
0:18:56 But only a families of lendable ages.
0:19:02 Exactly. So, they’ll be like a mother and father. So, they’ll have the same last name
0:19:07 with birthdays that are a couple years apart. And they’ll have like five kids, all of them
0:19:12 are in their early 20s or something like that, address history that’s shared at different
0:19:15 points and they tried to make the ages staggered and stuff like that.
0:19:20 It’s like scripting a story. So, you’ve seen that more than once?
0:19:24 We’ve seen a number of such families, quote-unquote, created. Internally, we call it the Keeping
0:19:29 Up with the Joneses approach because the first time we saw this, the last name was
0:19:30 Jones.
0:19:32 You know, a family that commits fraud together, stays together.
0:19:36 We need like a symbol, put on, but shh.
0:19:40 Thank you. I’ll be here all week. I was going to suggest we call this a fraud cast.
0:19:41 Yeah.
0:19:42 There you go.
0:19:49 Another good one. So, what are some of the other types of fraud rings that you guys see?
0:19:54 We oftentimes see alleged people that have no relationship with each other who are sharing
0:20:00 address history at some point. And it’s really interesting what causes that. So, one reason
0:20:05 this happens is that a fraudster will oftentimes reuse the same address or for that matter
0:20:08 the same phone number or email address if they’re lazy.
0:20:13 But during the incubation period, one of the ways in which fraudsters boost up someone’s
0:20:19 credit quite a bit is by purchasing authorized user trade lines. That’s when you give a credit
0:20:25 card to your spouse or one of your kids. So, like when you’re younger, sometimes your parents
0:20:29 will give you a credit card. The credit card, it actually is in the name of your parents
0:20:32 and they’re the ones that are actually responsible for making the payments.
0:20:36 But what a lot of people don’t realize is that that credit card will oftentimes show
0:20:41 up on the recipient’s credit report. So, if you’re a kid and your parent gives you a credit
0:20:45 card, which they’re responsible for, it’ll end up on your credit report. And that’s sort
0:20:51 of what all the major card issuers had historically thought was the point of having an authorized
0:20:57 user card. It’s to usually within a family or at most friends or maybe employees or something
0:21:04 like that. But actually, you’ll find hundreds of these, hundreds of these marketplaces that
0:21:08 let you purchase or sell a high-limit credit card that you have.
0:21:10 And that’s legitimate?
0:21:13 It’s not, but it is as far as I know, legal.
0:21:18 Whoa. So, you sell your ability to borrow to somebody else? I mean, it sounds like such
0:21:19 a bad idea.
0:21:25 The recipient won’t actually get the card. The card will show up on their credit report,
0:21:31 but the card actually won’t get sent to them. And the purpose of it actually is essentially
0:21:36 credit score arbitrage. If you have a high-limit $20,000 credit card that you’ve had since
0:21:41 2005, it looks really good when it shows up on somebody else’s credit report and they’re
0:21:42 willing to pay for it.
0:21:49 So fraudsters who are very prolific about buying and selling these authorized user cards will
0:21:53 oftentimes have shared addresses. And the reason the addresses are shared is that multiple
0:21:57 of these synthetic identities at one point or another bought the same authorized user
0:22:03 credit card. Our technology can detect this and realize that these people, 50 of them
0:22:07 throughout the United States, who should have no relationship to each other nonetheless
0:22:08 have shared history.
0:22:12 What’s the weirdest thing you’ve seen besides the Joneses?
0:22:19 So we saw one case where the fraudster actually had taken two totally different people and
0:22:23 mashed their identities together. And one of the identities that was mashed together was
0:22:29 someone that was actually in prison for murder. So that person, if they ever get out, might
0:22:30 be pretty upset about this.
0:22:36 So it’s like half identity fraud, half synthetic, like a kind of weird Hollywood mashup. Like
0:22:40 you take two movies and splice them together with lazy storytelling, basically.
0:22:46 One that I thought was just really amusing. And we saw a fraud ring that had so many identities
0:22:53 in it that the way they kept track of which identity had which SSN is actually included
0:23:00 the last four of the SSN in the email addresses of the synthetic identities. So lots of people
0:23:07 have, you know, Naftali Harris and then monthday@gmail.com or a lot of people have, you know, Naftali
0:23:14 Harris, year of birth@gmail.com. These fraudsters actually use Naftali Harris last four of SSN
0:23:15 at gmail.com.
0:23:16 Wow.
0:23:19 And they did this for all several hundred of their identities.
0:23:21 So that was an immediate first signal.
0:23:26 Yeah. And essentially the identities all looked very cookie cutter to us as though somebody
0:23:31 was following directions for how to create a synthetic identity. They had something that
0:23:38 worked. They all used the same original institution as their first inquiry. They all were structured
0:23:44 the same way. They all had first name, last name, last four of SSN@gmail.com was the one
0:23:49 that they used. Everything about them was sort of similar even though none of the information
0:23:51 was overlapping in that case.
0:23:57 So, you know, when we looked at this, people use the SSN4 in their email address. Almost
0:24:01 everyone who did that was fraudulent, but there were some that were not. And some people
0:24:05 just didn’t realize that you’re not supposed to put the last four of your SSN in your email
0:24:10 address. I think most of us realize that, but, you know, some people don’t.
0:24:13 Yeah. That’s another tip for our listeners. If you’re doing that change of email right
0:24:14 now.
0:24:18 So you look for patterns. You look for clustering. Are there other hallmarks that you look for
0:24:21 that you guys are paying attention to?
0:24:26 It’s a lot around the consistency of the history. Synthetic identities have histories
0:24:31 that are not really cohesive. So we’ll do things like look at state-by-state migration
0:24:37 patterns. So it’s pretty common for people to move from Florida to Georgia. It’s a lot
0:24:42 less common for people to move from Florida to Alaska. Obviously it does happen. And apologies
0:24:47 to whoever’s listening and did just that. But statistically, it’s there are certain
0:24:52 patterns that are more or less likely. So we’ll look at when SSNs were issued and then
0:24:56 when and where those were issued and see if they match up with someone’s actual credit
0:25:01 history. We’ll look at where they’ve been moving, how fast that’s happening. It’s pretty
0:25:07 rare for someone to be in a, have a residential home in a new state every, you know, one or
0:25:12 two months. It’s just not very frequent. So we’ll look for a lot of things around cohesiveness
0:25:13 of the identity.
0:25:14 And weird outliers.
0:25:20 I think there’s a really interesting salient point here that’s being made, which is that
0:25:27 kind of the first two generations of large-scale consumer fraud were mostly about technical
0:25:31 weaknesses, underlying technology weaknesses, lack of two-factor authentication, inability
0:25:37 to secure endpoints, right? It was very kind of software-driven or computer breach-driven.
0:25:42 This is actually a business process hack or a hack of sort of existing broken business
0:25:46 process. Yeah. You know, essentially it’s social engineering and scale.
0:25:50 So in some ways, it sounds terrible to say, but it kind of feels a little bit like a
0:25:55 victimless crime because you’re not stealing money from another person. You’re stealing
0:25:56 it from this like institution, right?
0:25:57 The funny thing about that is…
0:25:58 I know that’s not true.
0:26:04 Having worked at institutions that had lots of things attempted to be stolen from them.
0:26:07 Yeah. Like can you talk about how that impacts the whole?
0:26:12 Yeah, absolutely, right? Losses of these nature, of this nature go directly against
0:26:17 the bottom line of the corporation, right? Losses like these translate directly into
0:26:21 the financial performance of the stock, and these are the kinds of things that shareholders
0:26:26 and board members and anyone with the fiduciary responsibility that they want to tackle as
0:26:30 quickly as possible because reducing losses in these kinds of categories can translate
0:26:35 into meaningful movement of stock, especially if you’re talking about a billion to $2 billion.
0:26:41 That’s not trivial. So usually the way that these start to materialize is that this will
0:26:46 translate into higher costs associated with borrowing for legitimate customers. So these
0:26:50 expenses, they’re not going to get eaten by the corporation. They’re going to get probably
0:26:55 pushed out in the forms of new fees or higher interest rates to people opening new accounts.
0:27:00 It’s going to translate probably into more internal controls, more expense on the back
0:27:05 end to start validating some of these transactions to do more verification, and we’re going to
0:27:10 pay for it. And it’s going to be maybe a tenth of a percent, maybe a fifth of a percent,
0:27:13 but it’s going to start to drive up costs of borrowing for consumers, and that’s usually
0:27:14 where it turns out.
0:27:19 There’s actually two other sorts of ways in which certain groups are victims. So one
0:27:24 of them is that synthetic identities look like people that are new to credit, and those
0:27:29 populations, the legitimate populations there are often young people and immigrants.
0:27:33 Oh, so it’s making it harder for all the people who need credit the most.
0:27:38 Exactly. So it makes banks a lot less comfortable lending to immigrants and a lot less comfortable
0:27:42 lending to young people, or even just people that decided they didn’t need credit for
0:27:46 a long time. A lot of money will say, “I have no reason I should get a credit card and get
0:27:51 trapped in debt,” until they decide they might want a mortgage, and it makes it harder
0:27:54 for those kinds of people to acquire credit because they look like they might be not a
0:27:55 real person.
0:28:00 We did a podcast before about sort of different areas of cybercrime and different geographic
0:28:03 concentrations of different kinds of fraud. Is there a geographic concentration or is
0:28:07 there a type of fraudster that tends to gravitate towards this kind of fraud?
0:28:13 Yeah, a lot of this form of fraud is geographically concentrated. So we see a lot from Southern
0:28:20 California, a lot nowadays from the Atlanta region, a lot from South Florida.
0:28:24 And is that just because people get good at it and then the organization gets bigger?
0:28:26 Or they’re telling their friends, it’s like Amway or something.
0:28:27 Yeah.
0:28:28 Yeah.
0:28:29 A lot of it is organized crime.
0:28:33 Typically, the way we’ve seen these illicit criminal industries develop is that they start
0:28:38 off as sort of what you could think of as sort of familial clusters, right? Small groups
0:28:43 of individuals that figure out a neat trick, share it among a couple friends, perhaps locally,
0:28:46 which is why you’re seeing geographic concentration.
0:28:51 And then that information gets distributed more broadly, and other more professionalized
0:28:54 career type criminals start to move in.
0:28:59 And in industry develops, you’ll get sort of a one-stop shop, right? A group of individuals
0:29:03 that do soup to nuts, this kind of fraud. Specific tasks now will start to get broken
0:29:08 up. So you’ll be able to probably go buy these identities in the dark web. There’s probable
0:29:12 places that are actually farming them, developing them, and then selling them to other parts
0:29:16 of the organization. And then you’ll get specific groups that are focusing on kind of the bust
0:29:18 outrings and those sorts of things.
0:29:20 The industrialization of synthetic fraud.
0:29:24 I would suspect that we’re either in that phase or we’re moving towards it. We’re seeing
0:29:28 sort of that hockey stick growth of a new industry, right? And it’s just kind of the criminal
0:29:33 variant of it. And so as that starts to ramp up, it’s going to be interesting. So I am
0:29:38 not aware of any large scale arrests of people involved in this kind of activity. I’m interested
0:29:43 if you know of like any of the regulators have said anything about synthetic fraud or interested
0:29:44 in looking at it.
0:29:48 You know, that’s one of the really interesting things. Synthetic fraud right now is a huge
0:29:54 money laundering issue, but a totally underappreciated one. If you look at the regulations around
0:30:02 KYC, so specifically the laws that require this, they really contemplated identity thefts
0:30:08 and did not contemplate synthetic fraud almost at all. Everyone’s assumption for a really
0:30:14 long time has been that identities that are used to apply for credit are real. And as we’ve
0:30:17 discovered over the last couple of years, that’s really not the case.
0:30:21 So the banks are starting to understand it and noticing it and getting new tools to try
0:30:26 and notice it. When the banks catch this and they stop it, do they then alert the authorities?
0:30:28 Do people try and pursue this at all?
0:30:34 No, the first instinct of banks is to try to have it not happen again. And they’re not
0:30:42 quite as focused on having law enforcement step in and apprehend the people doing it.
0:30:46 What would be the tipping point for that to have to happen if it becomes this big industrial
0:30:49 loss? So it’s dollars, right? Arrests typically
0:30:55 happen towards the end of the life cycle of something like this. And so as it gets professionalized,
0:31:00 as you see kind of the industrialization of this sort of activity, regulators will start
0:31:05 to notice, law enforcement will start to notice. They may already be active investigations,
0:31:10 we don’t know, but they’ll start to kind of move against these sorts of organizations
0:31:16 as large scale criminal organizations that are engaged in things that may be drugs, may
0:31:21 be terrorism, could be things that are life-threatening. They’re always looking for new conduits for
0:31:25 money laundering. So sometimes what happens is that money or some of that activity will
0:31:31 find its way into some of these channels as a way to clean and rinse some of these funds.
0:31:33 And that’ll also draw the attention of law enforcement.
0:31:35 And then you really have to pay attention to where interesting.
0:31:39 Absolutely. If you don’t necessarily see criminals from other forms of crime moving into this
0:31:44 sort of crime. So you won’t see racketeers or you won’t see narcotics traffickers like
0:31:46 quitting their day jobs and deciding to do synthetic fraud.
0:31:47 It’s the specialist.
0:31:52 Exactly. But they will sort of give money to people to run it through these systems
0:31:57 to clean it for a fee, right? And that’s usually where you start to see the real professionalization.
0:32:00 That’s where it starts spreading through the criminal system.
0:32:04 And then you start to see the cases come and you’ll see arrests made. And that’s usually
0:32:05 how these things start to get rolled up.
0:32:09 Are there sort of fundamentally new human behaviors that you’re noticing? Or is it the
0:32:15 same fundamental criminal behavior, but just manifesting itself in new and different ways?
0:32:20 I think that’s actually a really interesting point here about all of this. And I think
0:32:26 most of the fraud discussions and just broadly a lot of security issues we have in general,
0:32:29 it all comes back to that kind of earlier discussion about like the social security
0:32:33 number that, you know, if you look at your social security card, it says this is not
0:32:37 to be used for identification, right? Like this is this is this number should mean nothing
0:32:41 to you. I mean, it’s almost like money Python, right? Like we’ve built all these things on
0:32:46 something that said, don’t make me the Messiah. And we kind of did that. And then as a country,
0:32:50 we’ve sort of refused to meaningfully consider any kind of national level identity or identity
0:32:55 management. And so you have the proliferation of a lot of these issues. And that’s that’s
0:32:59 sort of the really fascinating thing about almost all the fraud discussions.
0:33:05 So if there is this huge kind of foundational crack in all these systems that we’ve built
0:33:09 up, but that make it feels like a house of cards almost with this missing kind of giant
0:33:14 verification piece at the bottom, how do you get at the heart of that problem?
0:33:18 So I think one thing that Joel mentioned earlier was the sort of cat and mouse nature of a
0:33:22 lot of fraud. We want to go a step beyond that. There are many organizations out there
0:33:28 or even beyond financial services that are verifying identities as part of their business.
0:33:35 So every major bank in lender does this, but so do online marketplaces like Lyft or Airbnb.
0:33:41 So do also retailers. So one that you’re constantly having to do this. Yeah, you probably did
0:33:45 this a couple of times even today. Yeah. And one thing that we’ve observed is that these
0:33:52 organizations with respect to customer identification don’t really work together, despite the fact
0:33:54 that it’s fundamentally the same problem they’re solving, like figure out if someone
0:33:59 is who they say they are and if they actually exist. All these organizations are fighting
0:34:04 the same fraudsters and they’re verifying the same 300 million Americans. So the way
0:34:10 this really should work is the government should step in and make a sort of national
0:34:17 ID, I think to really solve this. One that does have printed on it. You should use this.
0:34:20 There’s web standards for how to do this and cryptography is advanced quite a bit and there
0:34:25 are ways of doing this. I don’t think we’re going to see the U.S. government step in and
0:34:29 do this. And so we’re building it. Thank you so much for joining us on the A16Z podcast.
0:00:10 tax or investment advice or be used to evaluate any investment or security and is not directed
0:00:15 at any investors or potential investors in any A16Z fund. For more details, please see
0:00:22 a16z.com/disclosures. Hi, and welcome to the A16Z podcast. I’m
0:00:27 Hannah, and this episode is all about synthetic fraud, a new evolution of consumer fraud that’s
0:00:32 emerging in financial services to the tune of $1-2 billion a year.
0:00:36 In this episode, Naftali Harris, co-founder and CEO of Centelink, which builds technology
0:00:41 to detect and stop synthetic fraud, talks to me and A16Z operating partner for information
0:00:46 security Joel de la Garza, all about what this new kind of fraud is, including the life
0:00:52 cycle of this long con, how these synthetic identities get made, incubated, and finally
0:00:57 busted out, and some of the wildest stories behind the strange fraud rings he’s seen.
0:01:02 We also touch on why this new fraud is on the rise, who the true victims are, and at
0:01:06 the end of the day, what the foundational security issue at the heart of it all truly
0:01:11 is. We’re here to talk about synthetic fraud, which I have to confess I didn’t even know
0:01:15 what that really meant when we first started talking about it. What does synthetic fraud
0:01:18 even mean? Almost no one hears about it in the public
0:01:22 outside of financial services industry. I hope that neither of you have been the victim
0:01:23 of identity theft. I have.
0:01:29 Okay, I’m sorry to hear that. And if you haven’t, you probably know someone that has been.
0:01:32 And so the general public is very aware of identity theft because there’s that consumer
0:01:38 victim. With identity theft, you’re stealing a real person’s identity. With synthetic fraud,
0:01:41 you’re saying, forget the real person, I’m going to make up a totally fake one.
0:01:44 And that means like fake from the very ground up.
0:01:49 Yeah, from the ground up. So a fraudster will use a synthetic identity, so a made up, named
0:01:54 date of birth, an SSN combination in order to open up an account with a bank or get a
0:01:58 loan from a bank. The key thing here is that there’s no one record, there’s no one one
0:02:02 actual person that it all belongs to. And then what they’ll be able to do is actually
0:02:07 acquire quite a bit of credit, take out a lot of loans, usually a few tens of thousand
0:02:13 dollars from every major bank and lender, and then use that to get a lot of money and
0:02:14 not repay any bit.
0:02:19 How prevalent is this kind of fraud in the industry? I mean, how much is this happening
0:02:21 versus like we all hear about identity theft all the time?
0:02:25 So this is actually one of the super interesting things. So we’ve added up the losses across
0:02:29 the industry and within lending, it’s somewhere from one to two billion dollars a year of losses
0:02:30 annually.
0:02:34 Wow. And how aware of it are the banks? At what point do they catch on?
0:02:38 That’s also one of the really interesting things because there is no consumer victim.
0:02:42 The banks have a really hard time figuring out which of their losses are attributable
0:02:46 to synthetic fraud as opposed to somebody that had a hardship or lost their job.
0:02:48 Oh, right. Same pattern of behavior.
0:02:52 Exactly. With identity theft, what happens is somebody opens up an account, they get
0:02:56 a new credit card, they steal a lot of money from the bank, and the way the bank finds
0:03:01 out about it is eventually the victim contacts them and says, “Hey, I didn’t take out this
0:03:04 credit card. This wasn’t me.” And they’ll sign an affidavit and then the bank will realize
0:03:09 this was an actual victim of identity theft as opposed to someone that just had a hardship
0:03:13 and took out more money than they should have. And with synthetic fraud, all the bank sees
0:03:19 is a large set of people that haven’t been making payments for the loans, and they have
0:03:23 a really hard time of figuring out which of these are people that have had some toward
0:03:26 of local economic challenges.
0:03:29 Yeah. Legitimate need for the loan, basically.
0:03:32 Exactly. And which of them are people that were actually defrauding them?
0:03:37 Synthetic fraud is a relatively new-ish phenomenon. So I think it’s something that’s kind of
0:03:41 grown up. As banks have gotten better at spotting identity theft and credit freezes and those
0:03:46 sorts of things, it seems that that correlated to the rise in synthetic fraud. Identity theft
0:03:52 used to be ridiculously simple. If you think back 10 to 15 years ago, as bank fraud teams
0:03:55 got better, they got better tools to catch this kind of thing you had credit freezes
0:03:59 come to effect, it seems like the fraudsters pivoted in this direction.
0:04:02 Yeah, that’s exactly right. I mean, another big one actually is the rise of the EMB chip.
0:04:04 Oh, that is a factor in this?
0:04:09 Absolutely. Fraudsters are committing fraud as a business. And what they do is they gravitate
0:04:14 towards channels, so to speak, that are profitable for them. And it used to be you can make a
0:04:17 lot of money doing card skimming. The EMB chip made that a lot harder. So you saw a lot
0:04:23 of fraud move online to card not present fraud. So people stealing credit cards online. There’s
0:04:27 been a lot of great technology that’s arisen there recently, which has made that harder
0:04:32 to do. Still certainly happens as we all know. And then a lot of progress towards identity
0:04:36 theft and that’s gotten harder. And so they’re moving on to synthetic fraud, which is very
0:04:40 challenging for banks and lenders to detect and quite lucrative for the fraudster.
0:04:44 But can we just go back to like that moment of opening the account? Why is it so hard
0:04:50 to verify like an actual birthday against an actual name against an actual SSN? Like
0:04:56 if those things are not matching, why is that initial moment not the place to catch it?
0:05:02 So what most people don’t realize is that financial institutions, so banks and lenders
0:05:08 do not have a list of all name, date of birth, and SSN combinations in the United States.
0:05:11 A lot of people think that the credit bureaus have this list, you know, experiencing Equifax
0:05:17 and TransUnion, and they don’t have it either. Essentially, the banks and lenders believe,
0:05:22 certainly until recently, had believed that the three credit bureaus had lists of all
0:05:25 name, date of birth, and SSN combinations. So they, everybody’s thought somebody else
0:05:26 was doing it.
0:05:27 Exactly.
0:05:28 That’s absurd.
0:05:31 It’s quite funny, actually. And this is the way that fraudsters actually create these
0:05:37 synthetic identities. If you apply for credit with a name, date of birth, and SSN repeatedly,
0:05:41 the credit bureaus will believe that it’s a real person, and they’ll create a record
0:05:43 for this totally fake person.
0:05:48 Because they’re only tracking the applications, they’re not backing it up to reality.
0:05:50 Yeah, and they have no way of doing so.
0:05:56 I feel like we’re giving tips to everybody in the world. I don’t like how to create this.
0:05:57 Do not do this.
0:05:58 Exactly.
0:06:03 But that is such a gaping hole in the information flow, a weird blind spot that everybody else
0:06:05 just kind of assumes that…
0:06:09 Yeah, it’s pretty interesting. I mean, so banks and lenders believe that the bureaus have
0:06:13 records on everybody, and mostly general public believes that as well. The logic on the bureau
0:06:18 side is essentially banks and lenders have strong know-your-customer procedures, they’re
0:06:21 doing a great job of risk. And so consequently they say, “Oh, you know, everyone’s talking
0:06:26 about John Smith, that must be a real person.” But actually, nobody really knows here. And
0:06:28 so everyone’s pointing fingers at everybody else.
0:06:34 It seems like, actually, it was this gaping hole for quite a while, right? So why… Was
0:06:37 there always some level of this, and then it just spiked?
0:06:44 I think the interesting point is sort of the actual genesis of this whole situation, which
0:06:48 is that there is no source of truth for proofing identity. And that really lies at the center
0:06:53 of kind of a lot of these issues. There’s sort of a coordination and a collaboration
0:07:00 that has to happen in between entities that, while wanting to minimize fraud, these entities
0:07:04 are also competing with one another in a number of different product categories. And so there
0:07:09 isn’t always necessarily a line financial incentive for them to collaborate.
0:07:12 It’s always been possible, but the thing that’s really challenging about synthetic fraud is
0:07:15 it is such a long con. It’s challenging.
0:07:16 What do you mean by that?
0:07:22 It’s not sufficient to just make a fake identity. You can do that, and it’s pretty easy. But
0:07:28 when you do that, all you have is a person who exists on one of the bureaus, or all three
0:07:33 of them, but doesn’t actually have real credit to their name. No bank is going to give them
0:07:35 $100,000 or even $10,000.
0:07:38 Right. So it’s like me when I first got out of college or whatever.
0:07:42 Exactly. It’s like when you first entered the credit space. And so there are some fraudsters
0:07:46 that will just try to churn through $300 cards, but there’s not a ton of money in that. The
0:07:52 real money that the fraudsters are pursuing is getting access to all the prime credit
0:07:59 cards, to big auto loans, to huge unsecured personal loans. And that requires building
0:08:03 up their credit over a period of one to two years. Get some low limit credit cards, start
0:08:08 making a little bit of payment, build their credit. They do it quite aggressively because
0:08:12 they’re optimizing to when can they get to that 700 plus credit score or better, but
0:08:13 it does take a long time.
0:08:18 And I think that’s the answer as to why we hadn’t seen it in the past because in the
0:08:23 old days, you could go steal someone’s identity, open a line of credit, have access to that
0:08:27 credit within a week, maybe even a couple of days, depending on how you did the disbursement
0:08:33 of funds. But then sort of as people got better about reporting those things as consumers
0:08:37 actually started to notice when lines of credit were open for them, or they had credit
0:08:42 monitoring capabilities, the response time was a lot quicker. So you couldn’t necessarily
0:08:46 get those funds out in the amount of time. And so this is kind of the new process that
0:08:51 they’ve moved on to. And to the earlier point, like this does take some amount of time and
0:08:55 preparation. So creating lots of identities, going through the process of establishing
0:08:59 credit for them over a period of one to two years, and then getting to a cash out that
0:09:03 in the old days, you could have done in five days to maybe a month.
0:09:06 So a lot more work for that same size hit.
0:09:10 So the hit actually can be even bigger than for identity theft. So with identity theft,
0:09:15 you’re racing against the clock, because the victim will actually notice this at some point
0:09:20 and they will, they will say, this wasn’t me. And so they go back to the, to the bank,
0:09:24 they go to the lender and they say, stop doing this. And they’ll put a freeze on their cutter
0:09:29 report and so forth. But with synthetic fraud, there’s, there’s no race for the clock. There’s
0:09:35 no one who’s watching for this. There’s no one, there’s no one that, that is going to
0:09:37 notice this until they stop making payments.
0:09:40 Yeah. Are you seeing the synthetic fraudsters actually make payments?
0:09:41 Oh, absolutely.
0:09:42 Absolutely.
0:09:43 Wow.
0:09:44 So they’re, they’re taking out loans. They’re making the payments except for the initial
0:09:50 fraud of the identity. They’re not, the behavior is not caught, is not at that point doing
0:09:51 anything wrong.
0:09:56 So there are three phases in the lifetime of a synthetic identity. The first part is
0:10:02 the creation phase. So this is where a synthetic identity starts applying for credit a couple
0:10:06 of times. Oftentimes, we’ll actually start with any lender that does a poll from all
0:10:12 three credit bureaus. So most lenders only pull from one of the three bureaus. So TransUnion
0:10:17 Experian and Recofacts. But when you first create a synthetic identity, you want to get
0:10:22 that synthetic ID to have credit records on all three of the major bureaus. So one of
0:10:27 the things that we see synthetic identities doing is initially the first place that they’ll
0:10:32 apply for credit is anywhere that does a tri-bureau poll that pulls from all three of the major
0:10:33 bureaus.
0:10:34 They want immediately to disperse that information.
0:10:35 Exactly.
0:10:36 Okay.
0:10:42 So in this creation phase of the synthetic identity’s life, they will apply for credit
0:10:46 at places that do tri-bureau polls. They’ll sign the synthetic identities up for an email
0:10:49 address and for a phone number.
0:10:53 So it’s really, it’s becoming like a real identity almost in a lot of dimensions.
0:10:54 Yeah.
0:10:58 They’ll sign them up for social media accounts. So get them a Facebook or even better as a
0:11:03 LinkedIn or a Twitter. The reason being that later on, a fraud investigator is going to
0:11:08 be looking for this person and this gives them a little bit more legitimacy.
0:11:12 That is so much, that’s so much attention paid at that early phase.
0:11:13 Absolutely.
0:11:17 So one of the things that we’ve, we noticed with a lot of the fraud rings, the traditional
0:11:23 fraud rings was a tremendous amount of technical sophistication. So highly automated, really
0:11:28 well, a really deep understanding of not just the fraud controls, but the entire technical
0:11:29 stack.
0:11:34 With this kind of fraud, it seems very manual. It seems very kind of almost like an artisanal
0:11:35 form of fraud.
0:11:37 Yeah. It’s like a bespoke, like you literally create these lives.
0:11:38 Absolutely.
0:11:47 The whole cloth. So, okay. So that’s phase one and then the birth of the fake person.
0:11:48 Yeah.
0:11:49 Exactly.
0:11:53 So then in phase two, that’s the buildup phase. This is where it takes one to two years. And
0:11:57 in this phase, the synthetic identity is acquiring credit as quickly as they can. So often this
0:12:03 means getting small credit cards, introductory credit cards, and actually making oftentimes
0:12:09 the minimum payments, but anything that shows this person has a good repayment history.
0:12:13 Now when eventually down the road, this is discovered and people are presumably going
0:12:18 back to figure out, can you start tracing those payments when you look back and start
0:12:23 understanding where that money comes from and have like understanding into the fraud from
0:12:24 that route?
0:12:30 Well, those payments often come from bank accounts in the names of the synthetic identities.
0:12:34 Isn’t there a point when you open the bank account where you need more than those three
0:12:35 pieces of information?
0:12:39 You’re supposed to collect four. It’s technically name, date of birth, SSN, and address.
0:12:40 Okay.
0:12:45 It’s called the customer identification program. And you’re supposed to verify these things
0:12:49 in a number of different ways, but because there’s simply no way of doing it, a lot of
0:12:54 times people say, “Oh, they have a credit record that’s sort of sufficient.”
0:13:00 Most of the account opening anti-fraud stuff people do is focused on identity theft, which
0:13:03 has traditionally been the big account opening from a fraud.
0:13:09 But for account opening, if you want to prevent identity theft, what you’re doing is trying
0:13:14 to see whether the person submitting the application is the same as the identity that they’re using
0:13:15 to apply for credit.
0:13:21 So as an example, if you see John Smith apply for credit using naftaliharris@gmail.com as
0:13:22 their email address.
0:13:23 Problem.
0:13:28 Yeah, problem. Exactly. It’s probably not John Smith doing it. It’s probably naftaliharris.
0:13:35 But if you see John Smith applying for credit with johnsmith@gmail.com, then it looks fine.
0:13:40 But what if it’s actually naftaliharris that made John Smith and made John Smith at gmail.com?
0:13:44 Let’s go back to the life cycle. So we talked about the birth, then we talked about the
0:13:45 development.
0:13:46 Incubation.
0:13:52 The incubation, where is the moment where they die, where you generally get killed?
0:13:56 So that’s every fraudster’s favorite part of the life cycle. It’s the bust out. Once
0:14:03 you have a synthetic identity that has been making payments, which has gotten access to
0:14:07 higher credit lines. So at the end of that incubation period, the synthetic ID has a
0:14:11 credit score over 700 or 750 plus, or even less than 800.
0:14:12 Pretty good.
0:14:13 Yeah.
0:14:14 Yeah, they look great.
0:14:15 Yeah.
0:14:19 And they make every bank and lender, especially in today’s low rate environment, wants to
0:14:23 throw as much money at them as they can.
0:14:27 And so in the bust out phase, fraudsters acquire as much credit as they possibly can. They max
0:14:32 out any credit card they’ve had, and all of a sudden they just stop making payments. They
0:14:35 go from your model customer to your worst one.
0:14:39 They stop paying their loans, and then what happens next?
0:14:43 So someone stopped making payments, and so the bank starts pushing them through their
0:14:44 collections process.
0:14:46 So somebody starts calling.
0:14:52 Yeah, it’s usually, it’s a polite email, “Hey, John Smith. Notice you missed your payment.
0:14:54 Could you please do that as soon as you can?”
0:14:58 And then that becomes a little bit more stringent, and then it starts paying phone calls. In
0:15:02 some cases, the fraudsters will ignore it completely and vanish from the face of the
0:15:08 earth. And in that case, it’s uncollectable. In other cases, they’ll pick up the phone
0:15:14 and they’ll say, “Oh, I’m really sorry. I couldn’t make payments. I lost my job. I had
0:15:19 a hardship. Someone in my family got ill. I can’t make payments right now.”
0:15:20 And they buy some time.
0:15:24 And they buy some time, and eventually the loan gets charged off.
0:15:29 Why does this not, at that moment, trigger when you suddenly, your behavior suddenly
0:15:35 changes and you take a big loan? There are all sorts of legitimate reasons for that kind
0:15:41 of sudden big loan. But why is that not automatically getting flagged just for a little check at
0:15:42 that point?
0:15:46 To the earlier point, right? There’s a very big interest to grow your creditor base, to
0:15:51 grow the base of people you’re loaning money to. And in that process, friction is generally
0:15:57 found upon, right? It’s a risk determination. Some of these organizations, they’ve built
0:16:00 risk models that feel comfortable enough about the validity of this identity, and they make
0:16:06 kind of the business decision to take a risk on extending credit to them. And it’s probably
0:16:09 one of those things where they need to make some adjustments to that risk model.
0:16:14 So that’s, I would say that there’s probably some perfectly rational process-driven reason
0:16:19 why this is happening. Fraud, like most of these kinds of criminal enterprises, are very
0:16:24 much games of cat and mouse. And this is just sort of the mouse finding a way around the
0:16:25 cat in this instance.
0:16:29 So where in the life cycle do you guys try and intervene? Like, how do you look at this
0:16:33 life cycle? And where do you think is the weak point? And with what kind of tools?
0:16:37 The places where they really are experts are on the U.S. credit system. They understand
0:16:44 that very deeply, honestly better than probably a lot of people who have that as their careers.
0:16:50 They know who does a tribunal credit poll. They know how to get through the KYC processes
0:16:56 at different organizations. They know who is weak at the beginning. And so, at a high
0:17:01 level, the way we actually solve this problem is we have a team of risk analysts that manually
0:17:06 review transactions, looking for fraud, investigating cases, deeply trying to understand individual
0:17:11 fraud transactions, and understanding what is new in the fraud world.
0:17:16 And then on the other hand, we have a sister team of technologists, so engineers, machine
0:17:20 learning engineers, data scientists, who are taking the insights and the labels from the
0:17:25 risk operations team and using those to build production-alized machine learning models
0:17:28 that actually can detect this sort of fraud in real time.
0:17:32 It almost sounds like a detective agency on one side, and then building the tech on top
0:17:33 of the knowledge.
0:17:38 So, I mean, a lot of the tech is based on the fact that we understand synthetic fraud
0:17:42 extremely well. Different kinds of products naturally fall in one or different parts,
0:17:48 so like a high limit rewards credit card from a top 10 card issuer. Those will tend to get
0:17:53 hit towards the end of that process a little bit before the bust out. And so, in that case,
0:17:58 we have more history through which to actually identify an application as synthetic.
0:17:59 Right.
0:18:06 But we also work with card issuers that are trying to give cards to immigrants or to young
0:18:11 people even as early as in college. And there, we’re really playing at sort of the very beginning
0:18:14 during phase one or the very beginning of phase two to differentiate between those real
0:18:16 people and those fake people.
0:18:21 A big thing that we do is around clustering, connecting together applications that come
0:18:26 from the same fraud ring. So, for this form of synthetic fraud, most of it comes from
0:18:33 organized crime rings, and $100,000 per identity is great, but if you want to make a business
0:18:40 out of it, the fraudsters are a lot more ambitious. And so, they make a number of these different
0:18:43 synthetic identities and incubate all of them at the same time.
0:18:45 Oh my gosh, it sounds like the Matrix that way.
0:18:50 Yeah, it’s a lot of fake people. We’ve seen them be so ambitious as to actually make
0:18:51 families.
0:18:53 So, they’ll have like a mother…
0:18:56 But only a families of lendable ages.
0:19:02 Exactly. So, they’ll be like a mother and father. So, they’ll have the same last name
0:19:07 with birthdays that are a couple years apart. And they’ll have like five kids, all of them
0:19:12 are in their early 20s or something like that, address history that’s shared at different
0:19:15 points and they tried to make the ages staggered and stuff like that.
0:19:20 It’s like scripting a story. So, you’ve seen that more than once?
0:19:24 We’ve seen a number of such families, quote-unquote, created. Internally, we call it the Keeping
0:19:29 Up with the Joneses approach because the first time we saw this, the last name was
0:19:30 Jones.
0:19:32 You know, a family that commits fraud together, stays together.
0:19:36 We need like a symbol, put on, but shh.
0:19:40 Thank you. I’ll be here all week. I was going to suggest we call this a fraud cast.
0:19:41 Yeah.
0:19:42 There you go.
0:19:49 Another good one. So, what are some of the other types of fraud rings that you guys see?
0:19:54 We oftentimes see alleged people that have no relationship with each other who are sharing
0:20:00 address history at some point. And it’s really interesting what causes that. So, one reason
0:20:05 this happens is that a fraudster will oftentimes reuse the same address or for that matter
0:20:08 the same phone number or email address if they’re lazy.
0:20:13 But during the incubation period, one of the ways in which fraudsters boost up someone’s
0:20:19 credit quite a bit is by purchasing authorized user trade lines. That’s when you give a credit
0:20:25 card to your spouse or one of your kids. So, like when you’re younger, sometimes your parents
0:20:29 will give you a credit card. The credit card, it actually is in the name of your parents
0:20:32 and they’re the ones that are actually responsible for making the payments.
0:20:36 But what a lot of people don’t realize is that that credit card will oftentimes show
0:20:41 up on the recipient’s credit report. So, if you’re a kid and your parent gives you a credit
0:20:45 card, which they’re responsible for, it’ll end up on your credit report. And that’s sort
0:20:51 of what all the major card issuers had historically thought was the point of having an authorized
0:20:57 user card. It’s to usually within a family or at most friends or maybe employees or something
0:21:04 like that. But actually, you’ll find hundreds of these, hundreds of these marketplaces that
0:21:08 let you purchase or sell a high-limit credit card that you have.
0:21:10 And that’s legitimate?
0:21:13 It’s not, but it is as far as I know, legal.
0:21:18 Whoa. So, you sell your ability to borrow to somebody else? I mean, it sounds like such
0:21:19 a bad idea.
0:21:25 The recipient won’t actually get the card. The card will show up on their credit report,
0:21:31 but the card actually won’t get sent to them. And the purpose of it actually is essentially
0:21:36 credit score arbitrage. If you have a high-limit $20,000 credit card that you’ve had since
0:21:41 2005, it looks really good when it shows up on somebody else’s credit report and they’re
0:21:42 willing to pay for it.
0:21:49 So fraudsters who are very prolific about buying and selling these authorized user cards will
0:21:53 oftentimes have shared addresses. And the reason the addresses are shared is that multiple
0:21:57 of these synthetic identities at one point or another bought the same authorized user
0:22:03 credit card. Our technology can detect this and realize that these people, 50 of them
0:22:07 throughout the United States, who should have no relationship to each other nonetheless
0:22:08 have shared history.
0:22:12 What’s the weirdest thing you’ve seen besides the Joneses?
0:22:19 So we saw one case where the fraudster actually had taken two totally different people and
0:22:23 mashed their identities together. And one of the identities that was mashed together was
0:22:29 someone that was actually in prison for murder. So that person, if they ever get out, might
0:22:30 be pretty upset about this.
0:22:36 So it’s like half identity fraud, half synthetic, like a kind of weird Hollywood mashup. Like
0:22:40 you take two movies and splice them together with lazy storytelling, basically.
0:22:46 One that I thought was just really amusing. And we saw a fraud ring that had so many identities
0:22:53 in it that the way they kept track of which identity had which SSN is actually included
0:23:00 the last four of the SSN in the email addresses of the synthetic identities. So lots of people
0:23:07 have, you know, Naftali Harris and then monthday@gmail.com or a lot of people have, you know, Naftali
0:23:14 Harris, year of birth@gmail.com. These fraudsters actually use Naftali Harris last four of SSN
0:23:15 at gmail.com.
0:23:16 Wow.
0:23:19 And they did this for all several hundred of their identities.
0:23:21 So that was an immediate first signal.
0:23:26 Yeah. And essentially the identities all looked very cookie cutter to us as though somebody
0:23:31 was following directions for how to create a synthetic identity. They had something that
0:23:38 worked. They all used the same original institution as their first inquiry. They all were structured
0:23:44 the same way. They all had first name, last name, last four of SSN@gmail.com was the one
0:23:49 that they used. Everything about them was sort of similar even though none of the information
0:23:51 was overlapping in that case.
0:23:57 So, you know, when we looked at this, people use the SSN4 in their email address. Almost
0:24:01 everyone who did that was fraudulent, but there were some that were not. And some people
0:24:05 just didn’t realize that you’re not supposed to put the last four of your SSN in your email
0:24:10 address. I think most of us realize that, but, you know, some people don’t.
0:24:13 Yeah. That’s another tip for our listeners. If you’re doing that change of email right
0:24:14 now.
0:24:18 So you look for patterns. You look for clustering. Are there other hallmarks that you look for
0:24:21 that you guys are paying attention to?
0:24:26 It’s a lot around the consistency of the history. Synthetic identities have histories
0:24:31 that are not really cohesive. So we’ll do things like look at state-by-state migration
0:24:37 patterns. So it’s pretty common for people to move from Florida to Georgia. It’s a lot
0:24:42 less common for people to move from Florida to Alaska. Obviously it does happen. And apologies
0:24:47 to whoever’s listening and did just that. But statistically, it’s there are certain
0:24:52 patterns that are more or less likely. So we’ll look at when SSNs were issued and then
0:24:56 when and where those were issued and see if they match up with someone’s actual credit
0:25:01 history. We’ll look at where they’ve been moving, how fast that’s happening. It’s pretty
0:25:07 rare for someone to be in a, have a residential home in a new state every, you know, one or
0:25:12 two months. It’s just not very frequent. So we’ll look for a lot of things around cohesiveness
0:25:13 of the identity.
0:25:14 And weird outliers.
0:25:20 I think there’s a really interesting salient point here that’s being made, which is that
0:25:27 kind of the first two generations of large-scale consumer fraud were mostly about technical
0:25:31 weaknesses, underlying technology weaknesses, lack of two-factor authentication, inability
0:25:37 to secure endpoints, right? It was very kind of software-driven or computer breach-driven.
0:25:42 This is actually a business process hack or a hack of sort of existing broken business
0:25:46 process. Yeah. You know, essentially it’s social engineering and scale.
0:25:50 So in some ways, it sounds terrible to say, but it kind of feels a little bit like a
0:25:55 victimless crime because you’re not stealing money from another person. You’re stealing
0:25:56 it from this like institution, right?
0:25:57 The funny thing about that is…
0:25:58 I know that’s not true.
0:26:04 Having worked at institutions that had lots of things attempted to be stolen from them.
0:26:07 Yeah. Like can you talk about how that impacts the whole?
0:26:12 Yeah, absolutely, right? Losses of these nature, of this nature go directly against
0:26:17 the bottom line of the corporation, right? Losses like these translate directly into
0:26:21 the financial performance of the stock, and these are the kinds of things that shareholders
0:26:26 and board members and anyone with the fiduciary responsibility that they want to tackle as
0:26:30 quickly as possible because reducing losses in these kinds of categories can translate
0:26:35 into meaningful movement of stock, especially if you’re talking about a billion to $2 billion.
0:26:41 That’s not trivial. So usually the way that these start to materialize is that this will
0:26:46 translate into higher costs associated with borrowing for legitimate customers. So these
0:26:50 expenses, they’re not going to get eaten by the corporation. They’re going to get probably
0:26:55 pushed out in the forms of new fees or higher interest rates to people opening new accounts.
0:27:00 It’s going to translate probably into more internal controls, more expense on the back
0:27:05 end to start validating some of these transactions to do more verification, and we’re going to
0:27:10 pay for it. And it’s going to be maybe a tenth of a percent, maybe a fifth of a percent,
0:27:13 but it’s going to start to drive up costs of borrowing for consumers, and that’s usually
0:27:14 where it turns out.
0:27:19 There’s actually two other sorts of ways in which certain groups are victims. So one
0:27:24 of them is that synthetic identities look like people that are new to credit, and those
0:27:29 populations, the legitimate populations there are often young people and immigrants.
0:27:33 Oh, so it’s making it harder for all the people who need credit the most.
0:27:38 Exactly. So it makes banks a lot less comfortable lending to immigrants and a lot less comfortable
0:27:42 lending to young people, or even just people that decided they didn’t need credit for
0:27:46 a long time. A lot of money will say, “I have no reason I should get a credit card and get
0:27:51 trapped in debt,” until they decide they might want a mortgage, and it makes it harder
0:27:54 for those kinds of people to acquire credit because they look like they might be not a
0:27:55 real person.
0:28:00 We did a podcast before about sort of different areas of cybercrime and different geographic
0:28:03 concentrations of different kinds of fraud. Is there a geographic concentration or is
0:28:07 there a type of fraudster that tends to gravitate towards this kind of fraud?
0:28:13 Yeah, a lot of this form of fraud is geographically concentrated. So we see a lot from Southern
0:28:20 California, a lot nowadays from the Atlanta region, a lot from South Florida.
0:28:24 And is that just because people get good at it and then the organization gets bigger?
0:28:26 Or they’re telling their friends, it’s like Amway or something.
0:28:27 Yeah.
0:28:28 Yeah.
0:28:29 A lot of it is organized crime.
0:28:33 Typically, the way we’ve seen these illicit criminal industries develop is that they start
0:28:38 off as sort of what you could think of as sort of familial clusters, right? Small groups
0:28:43 of individuals that figure out a neat trick, share it among a couple friends, perhaps locally,
0:28:46 which is why you’re seeing geographic concentration.
0:28:51 And then that information gets distributed more broadly, and other more professionalized
0:28:54 career type criminals start to move in.
0:28:59 And in industry develops, you’ll get sort of a one-stop shop, right? A group of individuals
0:29:03 that do soup to nuts, this kind of fraud. Specific tasks now will start to get broken
0:29:08 up. So you’ll be able to probably go buy these identities in the dark web. There’s probable
0:29:12 places that are actually farming them, developing them, and then selling them to other parts
0:29:16 of the organization. And then you’ll get specific groups that are focusing on kind of the bust
0:29:18 outrings and those sorts of things.
0:29:20 The industrialization of synthetic fraud.
0:29:24 I would suspect that we’re either in that phase or we’re moving towards it. We’re seeing
0:29:28 sort of that hockey stick growth of a new industry, right? And it’s just kind of the criminal
0:29:33 variant of it. And so as that starts to ramp up, it’s going to be interesting. So I am
0:29:38 not aware of any large scale arrests of people involved in this kind of activity. I’m interested
0:29:43 if you know of like any of the regulators have said anything about synthetic fraud or interested
0:29:44 in looking at it.
0:29:48 You know, that’s one of the really interesting things. Synthetic fraud right now is a huge
0:29:54 money laundering issue, but a totally underappreciated one. If you look at the regulations around
0:30:02 KYC, so specifically the laws that require this, they really contemplated identity thefts
0:30:08 and did not contemplate synthetic fraud almost at all. Everyone’s assumption for a really
0:30:14 long time has been that identities that are used to apply for credit are real. And as we’ve
0:30:17 discovered over the last couple of years, that’s really not the case.
0:30:21 So the banks are starting to understand it and noticing it and getting new tools to try
0:30:26 and notice it. When the banks catch this and they stop it, do they then alert the authorities?
0:30:28 Do people try and pursue this at all?
0:30:34 No, the first instinct of banks is to try to have it not happen again. And they’re not
0:30:42 quite as focused on having law enforcement step in and apprehend the people doing it.
0:30:46 What would be the tipping point for that to have to happen if it becomes this big industrial
0:30:49 loss? So it’s dollars, right? Arrests typically
0:30:55 happen towards the end of the life cycle of something like this. And so as it gets professionalized,
0:31:00 as you see kind of the industrialization of this sort of activity, regulators will start
0:31:05 to notice, law enforcement will start to notice. They may already be active investigations,
0:31:10 we don’t know, but they’ll start to kind of move against these sorts of organizations
0:31:16 as large scale criminal organizations that are engaged in things that may be drugs, may
0:31:21 be terrorism, could be things that are life-threatening. They’re always looking for new conduits for
0:31:25 money laundering. So sometimes what happens is that money or some of that activity will
0:31:31 find its way into some of these channels as a way to clean and rinse some of these funds.
0:31:33 And that’ll also draw the attention of law enforcement.
0:31:35 And then you really have to pay attention to where interesting.
0:31:39 Absolutely. If you don’t necessarily see criminals from other forms of crime moving into this
0:31:44 sort of crime. So you won’t see racketeers or you won’t see narcotics traffickers like
0:31:46 quitting their day jobs and deciding to do synthetic fraud.
0:31:47 It’s the specialist.
0:31:52 Exactly. But they will sort of give money to people to run it through these systems
0:31:57 to clean it for a fee, right? And that’s usually where you start to see the real professionalization.
0:32:00 That’s where it starts spreading through the criminal system.
0:32:04 And then you start to see the cases come and you’ll see arrests made. And that’s usually
0:32:05 how these things start to get rolled up.
0:32:09 Are there sort of fundamentally new human behaviors that you’re noticing? Or is it the
0:32:15 same fundamental criminal behavior, but just manifesting itself in new and different ways?
0:32:20 I think that’s actually a really interesting point here about all of this. And I think
0:32:26 most of the fraud discussions and just broadly a lot of security issues we have in general,
0:32:29 it all comes back to that kind of earlier discussion about like the social security
0:32:33 number that, you know, if you look at your social security card, it says this is not
0:32:37 to be used for identification, right? Like this is this is this number should mean nothing
0:32:41 to you. I mean, it’s almost like money Python, right? Like we’ve built all these things on
0:32:46 something that said, don’t make me the Messiah. And we kind of did that. And then as a country,
0:32:50 we’ve sort of refused to meaningfully consider any kind of national level identity or identity
0:32:55 management. And so you have the proliferation of a lot of these issues. And that’s that’s
0:32:59 sort of the really fascinating thing about almost all the fraud discussions.
0:33:05 So if there is this huge kind of foundational crack in all these systems that we’ve built
0:33:09 up, but that make it feels like a house of cards almost with this missing kind of giant
0:33:14 verification piece at the bottom, how do you get at the heart of that problem?
0:33:18 So I think one thing that Joel mentioned earlier was the sort of cat and mouse nature of a
0:33:22 lot of fraud. We want to go a step beyond that. There are many organizations out there
0:33:28 or even beyond financial services that are verifying identities as part of their business.
0:33:35 So every major bank in lender does this, but so do online marketplaces like Lyft or Airbnb.
0:33:41 So do also retailers. So one that you’re constantly having to do this. Yeah, you probably did
0:33:45 this a couple of times even today. Yeah. And one thing that we’ve observed is that these
0:33:52 organizations with respect to customer identification don’t really work together, despite the fact
0:33:54 that it’s fundamentally the same problem they’re solving, like figure out if someone
0:33:59 is who they say they are and if they actually exist. All these organizations are fighting
0:34:04 the same fraudsters and they’re verifying the same 300 million Americans. So the way
0:34:10 this really should work is the government should step in and make a sort of national
0:34:17 ID, I think to really solve this. One that does have printed on it. You should use this.
0:34:20 There’s web standards for how to do this and cryptography is advanced quite a bit and there
0:34:25 are ways of doing this. I don’t think we’re going to see the U.S. government step in and
0:34:29 do this. And so we’re building it. Thank you so much for joining us on the A16Z podcast.
Synthetic fraud—yes, it’s a thing: a new evolution of consumer fraud that’s been emerging in financial services, to the tune of $1-$2B a year.
In this episode of the a16z Podcast, Naftali Harris, co-founder and CEO of Sentilink, which builds technology to detect and stop synthetic fraud, talks with a16z’s Hanne Tidnam and operating partner for information security Joel de la Garza all about what this new kind of fraud is.
Where did this new form of fraud come from, and why is it on the rise? Who are true victims here (hint: it’s not the Joneses… or maybe it is!). And what is the fundamental security issue really at the heart of it all? The conversation covers the fascinating life cycle of this long con: how these “synthetic” identities get made, incubated, and finally busted out… and some of the wildest stories (and art of storytelling!) behind the strangest fraud rings we’ve seen.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
Where did this new form of fraud come from, and why is it on the rise? Who are true victims here (hint: it’s not the Joneses… or maybe it is!). And what is the fundamental security issue really at the heart of it all? The conversation covers the fascinating life cycle of this long con: how these “synthetic” identities get made, incubated, and finally busted out… and some of the wildest stories (and art of storytelling!) behind the strangest fraud rings we’ve seen.