
The fraud supply chain - a six part story

There is some perception that the majority of the fraud we see is carried out by opportunistic individuals or small gangs, who operate on a small scale. The reality for fraud experts is that fraud is organised, complex and widespread. In fact, fraud driven by identity theft has an ecosystem and indeed a supply chain, which essentially falls into six key parts.

Part 1: Getting the data

Criminals use different methods to obtain data on potential victims of identity theft, and they are likely to have developed and invested in tools, such as malware, to help them do this. They may take the high-tech route of breaching an organisation to steal data, but they can also use low-tech methods such as 'bin-diving'.

Part 2: Understanding their victims

Criminals then assess the basic data they have obtained to understand who should be targeted. This could be based on there being a lot of information about a person, on whether they appear to be the easiest targets, or on whether the fraudsters can see potential for a big return on their investment.

Part 3: Building a profile with more information

In some cases the data stolen in the initial activity may not be quite enough to carry out a criminal attack. This is where social engineering comes into play. Vishing is where criminals pose as legitimate businesses telephoning their victims to obtain information. Phishing is where they use the same methods, but through electronic communications, such as email. Building up a profile of an intended victim, which can last months or even years in some cases, means that when they make their attack, it can be all the more effective.

Part 4: Looking for the way in

Having information isn't the end of the story. Criminals also need to understand where they can use stolen identities to commit fraud. At this stage fraudsters are searching for points of weakness in an organisation and looking out for system vulnerabilities. They may re-visit an organisation's processes time and time again to determine where the weak points are, the best methods to exploit them and how they can evade security and detection.

Part 5: The attack

Once the fraudsters have built a plan, tested their line of attack and obtained the data they need, they make their move. Opening accounts fraudulently, taking over existing accounts and diverting payments from their intended recipients are just some of the many ways they carry out their attack. It's worth remembering that fraudsters are always looking for new opportunities.

Part 6: Making it legal

The final stage is to turn their ill-gotten gains into currency they can spend – in other words money laundering. It not only funds further attacks, but in wide-reaching criminal enterprises, it is funding activities like drug dealing and terrorism.

It's a true supply chain with value and risk transferred throughout, amounting to a complex structure of criminal activity, with each stage involving different specialisms and assets, for example malware or call-centres engaged in vishing. Better understanding means being better placed to combat the risk at every stage and build the appropriate defences to protect businesses, people and society as a whole.
