Digital Footprinting: An Effective Way to Stay a Step Ahead of Fraudsters
Committing online fraud – or at least attempting it – is shockingly easy. Most tech-savvy people, if they were minded to, could learn the basics and take steps towards becoming a criminal mastermind.
All it takes is to install a Tor browser, head to the dark web, and purchase a dump of some compromised card details. These are straightforward first steps into the life of a fraudster.
Thankfully, the majority of people are fundamentally honest – otherwise, the world would have much bigger problems with fraud than it already has.
But the problem is still huge. Year-on-year statistics show a marked rise in successful scams, and in the amount of money lost by businesses. Criminals are getting away with fraud on a massive scale.
It’s a cat and mouse game that will never end, but tools do exist that can provide companies with the ingenuity required to combat fraudsters. Digital footprinting is a great example.
In this article, we look at how digital footprinting works, study some data around its effectiveness, and suggest ways to use it to combat fraud.
How Does Digital Footprinting Work?
Everybody has a digital footprint, and as Avast says, it’s a valuable thing. It encompasses everything you have and do online: your social media accounts and their activity, the websites you visit and log on to, the IP addresses you usually connect from, and much more.
While it’s easy for a fraudster to get hold of some stolen credit card details, it’s much more difficult – almost impossible – for them to replicate a digital footprint that’s built up over many years.
As a result, very few even try: Internal data at SEON has shown that 98% of criminals who set up a new email address to match a stolen card name did not take the time to create a social media presence for this identity.
This is an example of why and where digital footprinting can help to combat online fraud. We can take basic data points, such as an email address, phone number or IP address, and hunt down a vast array of related information. Things like:
- What social media accounts are linked to that email address.
- What network the phone number is hooked up to.
- How long the email address has been active.
- What country the user is normally based in.
- What data breaches the account has been caught up in.
Here’s an example:
Let’s say an amateur cybercriminal has got hold of legitimate, live fullz and wants to try to order something using them. First off, they may well use a VPN. Even an amateur is likely to know that committing fraud from an IP address that could lead the authorities directly to their front door is a bad idea!
Next, they’ll need an email address. Sure, in theory they could try to gain access to the cardholder’s email address. But this would require too much effort – and since the number of fullz and identities they have is huge, the return on investment is low: they want to scale up easily instead.
As a result, they don’t use the person’s genuine email address. The simplest thing is to set up a throwaway email account, such as a Gmail account, in the person’s name. They can do a similar thing for a phone number, getting a burner phone or virtual number.
Already, the fraudster’s digital footprint differs vastly from the genuine article, and a fraud prevention tool will be able to identify this. It can then automatically block the transaction or flag it for manual review.
The Proof Is in the Data
SEON data serves to demonstrate how gaps and inconsistencies in the digital footprint, such as those shown above, frequently trigger flagging rules.
As always, IP analysis is the first line of defense. In recent data, 65% of rule triggers in eCommerce (and 52% in iGaming) relate to high risk IPs. These include those known to be linked to VPNs and proxies, and those in the wrong country. Even VPN companies themselves, such as SecureVPN, warn that the use of VPNs can trigger fraud alerts.
But it’s the email addresses and associated openly available data that stand out the most, and show just how potent digital footprinting is.
Moving on to email addresses, thorough checks can expose those throwaway accounts. The data proves that accounts linked to fewer social media and web platform profiles are more likely to be suspect, and therefore flagged by detection rules.
In eCommerce, email addresses linked to declined transactions typically only tie up to an average of 2.89 social media profiles – a suspiciously small number in the modern, connected world. Genuine, approved transactions are from accounts that link to a much higher average of 5.68 profiles.
Similar contrasts exist in other verticals. In online lending, flagged applicants often try to use email accounts linked to just 1.02 online profiles. Approved applicants are usually linked to 5 or 6. As SEON explains, loan fraud takes many different forms, but at some point in the process, a participant has to pretend to be somebody they’re not. Examining these digital footprints can thwart their efforts.
In fact, banks like Barclays continually circle back to KYC checks to ensure they’re still dealing with the people they think they are.
Another key data point will reveal even more: a check of how many data breaches an account has been caught up in.
It’s perhaps a little counterintuitive that an email address that shows up as compromised in databases like Have I Been Pwned is more likely to be legitimate. But if you think about it, with so many breaches, there’s something suspicious about email addresses that have never fallen victim. At the very least, appearing in a breach shows that the email address has been active at least since that breach, and legitimately used email addresses are more likely to be part of breaches.
As such, a good general rule is that it’s safer to approve transactions from accounts that appear on such lists. Looking again at loan applications, approved accounts have usually been caught up in an average of 1.2 breaches, while declined accounts are linked to just 0.15.
How to Incorporate Digital Footprinting
The information needed to conduct these digital footprint checks is all out there in the public domain – an OSINT source. On a very basic level, it’s possible to conduct certain checks with nothing more than the search facilities on social networks, a Google search box, or an online WHOIS lookup tool.
Lookup tools and browser extensions also exist, both free and commercial, that allow checks on IPs, email addresses and phone numbers. They can return results that encompass linked online accounts, locations, data breach histories and more, though not all are comprehensive in their results.
Obviously, conducting manual lookups is often unfeasible, especially for high-turnover companies and online businesses handling automated transactions. In these cases, it’s wise to incorporate an identity checking tool as part of a checkout and onboarding process. SDKs and plugins exist for commonly used platforms (such as Shopify), and APIs facilitate custom deployments for bespoke setups.
It’s worth noting that there’s potentially a role for digital footprinting at different points in a process. For example, a fintech or lending company could use it as a pre-KYC tool when onboarding a customer, and again for ongoing checks, to ensure a legitimate account hasn’t been taken over.
In most cases, a rules-based system can automatically decline some applications or transactions if the digital footprint doesn’t check out. However, a mixture of automation and manual reviews is the happy medium.
No company wants to alienate customers or turn away legitimate business. After all, there could be a good reason why an individual has set up a fresh email account, or why they’re logged on from an unfamiliar browser or location.
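As an added example (not code from the original article or from SEON), the rule set below scores the footprint signals discussed above and routes borderline cases to manual review instead of declining them. The `Footprint` fields, rule names, weights and thresholds are assumptions chosen for illustration, and the sample inputs are constructed.

```python
from dataclasses import dataclass

@dataclass
class Footprint:
    """Signals an enrichment step has already gathered (all fields hypothetical)."""
    ip_is_vpn_or_proxy: bool
    ip_country: str
    billing_country: str
    linked_profiles: int      # social/web accounts tied to the email
    breach_count: int         # appearances in known breach datasets
    email_age_days: int       # days since the address was first seen

# Rule weights and thresholds are illustrative assumptions, not SEON values.
RULES = [
    ("high_risk_ip",     30, lambda f: f.ip_is_vpn_or_proxy),
    ("country_mismatch", 20, lambda f: f.ip_country != f.billing_country),
    ("no_profiles",      30, lambda f: f.linked_profiles == 0),
    ("few_profiles",     15, lambda f: 0 < f.linked_profiles < 3),
    ("never_breached",   10, lambda f: f.breach_count == 0),
    ("new_email",        20, lambda f: f.email_age_days < 30),
]
REVIEW_AT, DECLINE_AT = 30, 70

def evaluate(fp: Footprint):
    """Return (decision, score, fired_rule_names) for one footprint."""
    fired = [(name, pts) for name, pts, test in RULES if test(fp)]
    score = sum(pts for _, pts in fired)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"   # route to an analyst rather than auto-blocking
    else:
        decision = "approve"
    return decision, score, [name for name, _ in fired]

# Constructed sample inputs.
THROWAWAY = Footprint(True, "NL", "GB", 0, 0, 2)          # VPN + fresh email, no profiles
ESTABLISHED = Footprint(False, "GB", "GB", 6, 1, 2900)    # long-lived, well-connected
NEW_ADDRESS = Footprint(False, "GB", "GB", 1, 0, 10)      # legitimate user, fresh email
TRAVELLER = Footprint(True, "ES", "GB", 6, 2, 2000)       # established user abroad on VPN

if __name__ == "__main__":
    for label, fp in [("throwaway", THROWAWAY), ("established", ESTABLISHED),
                      ("new address", NEW_ADDRESS), ("traveller", TRAVELLER)]:
        print(label, evaluate(fp))
```

The fresh-email and traveller cases land in the review band rather than being declined, which is the behaviour the paragraph above argues for.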
There’s also one more key benefit: Digital footprint-enabled identity checks can ensure legitimate customers complete transactions and processes with minimal friction because the checking process demonstrates their legitimacy without the customer needing to provide any information besides the usual: their email address and/or phone number.
While it’s theoretically easy to commit online fraud, it’s much harder for criminals to address the parallel need to evade detection and present a convincing digital footprint.
The more companies realize this and put it to good use, whether through fraud prevention platforms that include it or through individual modules, the harder it is to make use of those dodgy card details from the dark web.