I have worked in the fraud prevention field for roughly 14 years, helping companies like Etsy, Airbnb and 1stdibs understand how fraud is impacting their business and how to fight it.
Over those 14 years, I’ve seen fraud become more diverse and complex thanks to the rise of e-commerce, new means of payment like Buy Now, Pay Later and cryptocurrency, and a corresponding increase in scams and other types of abuse due to newly available technology and fraud techniques. It’s also become more expensive: Fraud cost consumers $8.8 billion last year, up 44 percent from the previous year.
What's the difference between the deep web and the dark web?
While colloquially these spaces fall under the umbrella of the dark web, they have a few key distinctions. To go on the dark web, you need to bypass internet security measures and reduce your online footprint as much as possible.
Meanwhile, the deep web includes hidden parts of the internet, but also anything that is unindexed and not accessible through traditional search engines.
Deep Web Vs. Dark Web
To stay aware of the latest tactics and fight fraud effectively, I’ve had to work to understand the motivation of a fraudster — how they approach certain methods, and what compels them to harm innocent people. And this information is easier to find than you may think; while fraudsters still use private forums to share and sell tactics, they have become increasingly active in open channels too. These messaging groups serve as ideal entry points for further research into fraud.
My work requires me to go undercover on the deep and dark web. While colloquially these spaces fall under the umbrella of the dark web, the reality is that they have a few key distinctions. To go on the dark web, you need to bypass internet security measures and reduce your online footprint as much as possible. Oftentimes, to stay anonymous, dark web users will use a VPN and/or special browser to disguise their location and keep actions hidden.
Meanwhile, the deep web includes hidden parts of the internet, but also anything that is unindexed and not accessible through traditional search engines. That means that something as widely used as a secure messaging app, such as Telegram or WhatsApp, can be an active space for trading fraud tactics.
Fraudsters operate with a high amount of anonymity, which allows me to go undercover to witness these conversations in real-time. I can see firsthand how these scammers communicate with each other and what tactics they are promoting. In fact, one aspect of my job is searching within deep and dark web forums and markets to see what sort of conversations fraudsters are having about a specific company, at that company’s request.
Why Do You Need an Expert to Go on the Dark Web?
Typically, when thinking about the dark web, it conjures an image of anonymous hackers operating in the shadows. It’s not quite that dramatic, but going into the fraud groups requires education and caution. It’s important to follow proper protocols to ensure the security of personal information and devices. Many companies lack the ability or comfort level to do this type of research on their own. And certainly the average employee wants to avoid unintentionally installing malware on their work computer or exposing their company to risk.
It’s also not enough to merely have the tools or software needed to access the deep and dark web. You need to know where you want to go. Blindly searching for forums and markets may lead you to scam sites. It’s not uncommon for scammers to commit fraud against other bad actors on the deep and dark web. My work in this field has led me to develop an instinct for whether something is fact or fiction.
What Insights Do Companies Gain From My Investigations?
As a trust and safety architect, my job is to help Fortune 500 companies take a look behind the curtain. By observing the conversations fraudsters are having on the deep and dark web, I can help businesses understand vulnerabilities in their systems and how to protect themselves.
For example, say you are on the fraud or risk team at an international hotel chain. You have to be worried about account takeovers, where a fraudster gains unauthorized access to an account and locks out the legitimate user. Fraudsters may try to transfer loyalty points to another platform, where they can take actions like purchasing electronics on Amazon, or reselling the points at a discount to effectively turn stolen hotel points into cash.
Even learning a handful of the fraud techniques that fraudsters discuss is a great step to take.
This not only hurts your business’s credibility and trust, but it also directly impacts your users. Nobody wants to log in to their account to find all of their hard-earned points drained. To protect your users and your revenue, you need to understand the tactics fraudsters are using to take over accounts. They may have found loopholes to gain access to user accounts or illegally obtained username and password combos through phishing attempts — tactics we can see reflected in forums.
Another scenario could be that you work on the fraud prevention team for an online bank with robust know your customer checks. These are standard industry practices to verify the identities associated with accounts. However, on the deep and dark web, fraudsters are having conversations about how to bypass these KYC protocols to gain unauthorized access to accounts. Some are selling tools like fake IDs, selfie and ID combos stolen from social engineering scams, AI-generated deepfakes, and even technology that can override identity checks with manipulated footage injected into a webcam feed. As fraud tactics to bypass verification become more sophisticated and accessible, undercover information-gathering can help these banks understand how they need to update their security systems to stay ahead of these threats.
These are just a few of the different conversations taking place on the deep and dark web. The reality is that fraudsters are discussing many different tactics, and fraud can hurt any industry. Nobody is immune from fraud attempts, because these bad actors go anywhere they believe they can make money.
How My Job Supports the Broader Fraud-Fighting Ecosystem
These findings complement other proactive fraud-fighting efforts. Undercover investigations alone will not be able to stop all fraud, but they will give you a better understanding of the sorts of specific behavior you want to address. No matter the tactics you have at your disposal and how sophisticated your methods might be, it’s not possible to monitor all of the conversations on the deep and dark web.
Even learning a handful of the fraud techniques that fraudsters discuss is a great step to take, because this is intelligence that companies would otherwise not have. These tactics also span different companies and industries. If one retailer is facing issues with refund fraud, the chances are high that others are facing these challenges too, even if they’re not in the exact same industry.
Fraudsters constantly share and sell their knowledge and tactics, and fraud-fighters need to share knowledge too. As we like to say in the fraud prevention space, it takes a network to fight a network. This also extends to technology; an expansive network of shared insights helps ensure that fraud-specific learnings can benefit other companies who might find themselves in similar situations. Through greater awareness and understanding, and the technology and tools enabled by research, businesses can fight fraud and prevent harm to both businesses and consumers.
