• It’s amazing how COVID has boosted the amount of online fraud, particularly in banking and travel. The premise is age-old: give something for free or at a discount, and many people’s mental barriers go down. What I’ll describe below is something that happens in various parts of the world, and Russia (where I currently reside) is no exception.
• The business model goes like this: fraudsters create new advertising accounts in search engines and social networks (out of courtesy I’m not going to name names) and use stolen credit card details (see below) as funding sources.
• Before we move further, I should mention an interesting phenomenon (successfully exploited by Mr Goebbels not so long ago): “If you tell a lie big enough and keep repeating it, people will eventually come to believe it”. However, if the lie is not just big enough, but a huge one, then there’s quite a large segment of people who will believe there’s a conspiracy to keep prices high. God help them if they come across the retail markups and the percentages get stuck in their heads…
• Then the fraudsters make simple promos (while maximizing the cost per click to the ad platform, because you don’t need efficiency with free money, but do get the highest exposure) advertising, say, a 50% discount on all flights (high value, huge and completely unrealistic savings, which overcome the mental resistance) as a promo for 24 hours (time pressure, buy now!). All there’s left is making a small (completely fraudulent) flight search page and a “checkout” mechanism asking people to send their money via almost non-traceable and non-refundable means (like card-to-card transfers, which are very popular in Russia). Alternatively, just capturing credit card details to be used to fund further fraudulent campaigns will do. As you can imagine, once someone “buys” the flight ticket, not only their personal details are leaked and carefully stored in the fraudster’s “sucker” database, but also (possibly) their credit card details, too. Now, of course there’s 3DS and stuff, but there’s a wonderful thing called the “BIN database” (BIN being “Bank Identification Number”, which tells you the card issuer bank as well as (probably) the batch of the card – whether it’s 3DS-enabled or not, for instance (not a general rule, but with relatively large numbers everything’s possible)).
• Of course, if one sends money direct to another card or phone # (hello fintech!), reversing this operation is almost never possible as the fraudulent party’s account may be registered on behalf of a homeless person (who would gladly sell their identity for some booze).
• Financial fraud in paid channels works in quite a similar way (exploiting the two common sins of 2020 – entitlement and distrust for the government), which leads people to actively (and damaging to their wallets) to respond to ads like: “the Govt is giving you $100 / ₽10000 for … [some silly reason like Christmas in October]”, and some people really respond not with “WTF?”, but rather with “Bloody finally they started thinking about the small guy/gal and will give me what I deserve”. (Please don’t confuse it with PPP – Paycheck Protection Program, even though, on a second thought, there are quite a few similarities.) Of course, dear, there’s someone thinking of you, but even more – about your credit card details that you need to provide to get this coveted Government’s financial apology. You kind of know where it’s going. Who’s the victim here (other than the naïve internet user)? The Government, of course. It’s never the platform.

Filed under: Мысли вслух