Dynamics Matters Podcast Ep 39: £2.3bn lost to fraud in 2021

Welcome everyone to the HSO Dynamics matters podcast.

Your regular sonic dive into the world of Microsoft technology related matters and much more besides.

I’m your host Michael Lonnon, and for today’s episode I went undercover for a chat with HSO fraud expert, Pete Sharp – who recognised me even with a baseball cap and dark glasses on.

And in this episode Pete talks about the best way organisations can tackle the growing threat of fraud, and how Microsoft is helping you find the good fight.

So, grab a brew, sit back, relax, and enjoy the show.

Michael Lonnon

Is digital accessibility a blessing or a curse?

Peter Sharpe

Interesting. I guess blessing generally, as it gives us a lot more ways of sharing stuff around and giving people useful information. But it comes with a lot of difficulties in terms of how you do that and it’s quite easy to do it wrong.

Michael Lonnon

In terms of doing it wrong, which perhaps leads us into our topic today around fraud, has the rise in digital accessibility exasperated the problem of fraud do you think?

Peter Sharpe

I think it’s got a lot to do with it because it opens your front door to so many people in so many places. If you’ve got a physical retail store, and you’re worried about people nicking stuff, you just keep an eye on anyone coming in through the doorway and you can see them and you can see them wander around. There are only so many people that can come in, when you stick up your website, you happily give access to everybody on the planet to have a go at it. You’ve got to be very careful about how you set that up and manage it.

Michael Lonnon

That’s a good analogy, actually. Do you think people are generally dealing with that greater accessibility or more openness well, or do you think it’s also a bit of a problem?

Peter Sharpe

I think it doesn’t stop. If you said I am dealing with it well today, and then nothing by tomorrow, you are dealing with it not very well and by a year’s time, you’re dealing with it very badly. It’s a constant arms race between people trying to protect their stuff, and people trying to find new ways into and through it and to take advantage of it. I think the last two years have seen quite a big step up in terms of some of the attacks, and the complexity and the sophistication of what people have got to bring to bear on these online stores. But equally, we’ve seen some of the defence mechanisms evolving over that time as well. So I think everybody’s working really hard at it but with varying degrees of success.

Michael Lonnon

Which companies do you think are doing it better and why or how are they able to do better? Is it those that are bringing in new ways of tackling fraud, more regularly, and being more proactive about it? What sets them apart from those that aren’t managing it quite so well?

Peter Sharpe

You’ve got maybe two angles on this. One is the number of different ways people look at the problem that’s coming in. And the other is the tools that people use to manage it. The people that are doing this well, are the ones looking at every possible direction that an attack can come from. That’s considering their people and the social engineering side of it, and how they need to give their people the tools and the protection for managing it. It’s looking more at what people can do online and that’s not just payment fraud. That’s how they can manipulate different accounts, how they can abuse the refund process, how they can look at gift cards, or fraudulent credit cards and all of the different ways they can come into it there. Thirdly, slipping a little more into how people use the process and where there tends to be gaps in the process. A lot of people put up the frontline defences and say, we’re going to check your credit card against a service that tells us whether it’s been stolen, somewhat fewer people are systematically looking at every point in the process from, how do I see who you are, when I first get contact with you on that site? How do I track your behaviour all the way through and then how do I start to plug the gaps in the different parts of my business process that runs behind that it? So not just the standard flow, but all of the different points behind it and then how do we use the best tools to do that? Not just applying the older versions, which is here’s a list of banned postcodes or bad credit cards but actually, how do I start to use AI in that mix? How do I start to score? How do I start to share intelligence across organisations, rather than just using my view of the world and what that tells me?

Michael Lonnon

In essence then what’s more important? Is it the technology that’s protecting and supporting you or is it the people’s education and skilling of people’s use of the technology or the way they’re using it? What’s more important?

Peter Sharpe

It’s quite difficult to have one more important than the other because the two go together well. You need the tools, but you’ve also got to skill people up to use them. So, I want something that gives me an intelligent view of what’s going on and joins the dots in a way an individual can’t, or in the way an individual company can’t, by creating a broader view across the landscape. Then, once I’ve got that, I need to teach people how to use it. I need them to take the intelligence and use it to adapt their processes behind the scenes. They will find that is where fraud tends to come from. It’s people that set up accounts like this, or who target gift voucher returns process like that. Here’s how to stop that direct attack but then here’s how to take the learning and change the refund process to close that loophole.

Michael Lonnon

As you say, it’s a continuous arms race, one loophole opens, you try and close it another one open somewhere else.

Peter Sharpe

Exactly. And all the time you’re trying to make this as easy for customers as possible, you want to make it really simple for people to shop online, you want to give them loads of flexibility about all the ways of transacting. But the easier you make it, the harder it is to control every step of that process.

Michael Lonnon

There is a perception of, say, adding your bank details, and then having it saved in different shops and stores online but you have the worry in the back of your mind that somehow somebody is going to find a loophole and pull that information out and share it.

Peter Sharpe

Exactly, as much as the company wants to protect themselves, they’ve got to make people trust them. They’ve got to make you feel like they are trustworthy and that’s different to how they fraud score and wall off their business.

Michael Lonnon

How is Microsoft then tackling the problem of fraud?

Peter Sharpe

Microsoft came at this in the way they do for quite a few things, actually, which is first tackling problems for themselves, and then go more widely. So, across the Microsoft Store, which operates in about 130 countries, and X Box and all of the 10s of millions of users, they saw a huge amount of fraud; over a billion pounds a year Microsoft sees in fraud. So, they started trying to tackle the problem. They looked at what was in the market and decided it didn’t give them the right tools to deal fraud. So they built their own service, taking the best of everything, in terms of modern technology, AI models and machine learning. Microsoft now has their own Fraud Management solution, and is incredibly effective in reducing fraud saving hundreds of millions of pounds a year in attempted fraud. And now they’re rolling it out. Their approach is based on the idea of broadening a view and not relying on one retailers view of people attacking them, but on sharing information across everyone using their services. While you, as a retailer, implement Microsoft for protection, it will look at who’s trying to create an account and check out a basket and give you intelligence on that. It’s using the data from every single place that Microsoft fraud services is installed. If you try attack website A and then you go on to retailer B, we’ve already learned who you are, we’ve learned your mechanisms and your attacks and we’ll block you the second time around without having to re-learn who you are and how you’re dealing with us.

Michael Lonnon

Perhaps this is a related question; is fraud management heightening the value of having a cloud-based system because the learnings of solving particular fraud problems over there have been implemented into the solution, that you can take advantage to solve the same problem as an organisation, is this also a reason why cloud is the way to go?

Peter Sharpe

It is, and it means there’s one central service that’s running this thing and taking all of that investment. You’re not looking at every single person implementing their own and building their own list of dodgy card details or ways of identifying who’s trying to compromise your payment gateway, you’re investing in that once and getting it shared.

Michael Lonnon

If you could offer one piece of advice for any organisation trying to tackle fraud or trying to be more proactive about dealing with potential fraud later on, what would it be?

Peter Sharpe

As we’ve already talked about there are a lot of things that are important to make this work. There isn’t one lever an organisation can pull to solve fraud. There is people, processes, technology that comes into this. I guess the one thing I’d say more than anything else is give yourself a wider view than just your company. One company stood in the face of all of the possible different ways people can try and execute fraud on you. Sooner or later, you’re going to lose. You need support, and you need an awful lot of allies, and an awful lot of information about how you can do this. Take something that gives you a view and gives you a set of defences that are wider than just you.

Summary

Battling fraud is a constant arms race. As fast as loopholes are discovered and closed, new one’s are found and exploited.

Advances in digital technology is both a blessing and a curse. New tools allow organisations to improve efficiency, reduce costs, serve customers better and so on, but they also come with new unknowns. And it’s often those unknowns that are found by unscrupulous types first.

Cloud technology provides a way to stay at the forefront of fraud protection, and Microsoft’s continuous investments in prevention provide at least some hope of staying ahead of the crooks.