S2E10: Peter Taylor – The Fraud Guy

Dubbed by many as The Fraud Guy, Peter Taylor is a vastly experienced fraud consultant who’s supported a number of companies with their fraud strategies to spot and prevent cybercrime.

In the final episode of the Cat and Mouse Podcast, he shares a range of exciting insights with Jimmy including:

• Why fraud is always going to be about people, not technology
• What do the ‘Zombie’ and ‘Cybercrime Triangle’ theories stand for
• Importance of policies and structure for when fraud or ransomware does hit
• How fraud has shifted in the last decade

From your cybercrime research project in 2017, what did you learn most about fraudsters after interviewing them?

That they range across a variety of people. I interviewed big guns that operated globally as well as local people too.

The aim was to understand the patterns of how somebody became a cybercriminal. You’ve got people like Brett Johnson who was big-time and then you’ve got the opposite of it, the kind of person who was what most people would describe as a bit of a nerd, wasn’t very popular at school etc.

These often start by making forged driving licenses and false IDs for his friends so they could get into clubs or buy booze; then within three years, he’s finding himself making false passports for the local drug dealers and it goes on and on.

It was very interesting to see how people actually go into cybercrime and one thing I tell people to focus on is to think more like a detective; consider all aspects from the crime to the victim to the criminal to how you catch them all without showing any cards.

Often how fraudsters think they’ve been caught and how they’ve actually been caught, quite often, are very different things but you can’t underestimate them no matter what type of criminal you think they are.

What are the top kind of techniques to be aware of at this point in time?

The synthetic identities now are coming of age. A lot of them were being developed around 2017 so you’ve got aged identities with aged emails and even aged social media accounts. What they have cottened onto, because of the pressure from governments in terms of verifying identification, that it tends to be a three-year thing.

If you can give an email address that’s three to five years old then that will tend to get through. Social engineering is huge as well. There’s some really sophisticated stuff that goes on around that, and the easiest thing is to fool the user.

But the big, big one is to simply maintain your websites and your strategies.

If you’ve got a car, you service your car every so often, you have your MOT, you do a mini service, etc. You don’t wait till it breaks!

Companies spend a bit of money every couple years to get someone to pen test their site but often they won’t monitor the system for the things that the pen testers come up with.

One guy whose old email address was linked to an administrator role for a huge website left the company five years ago, and once the criminal gained access to the account had complete control over your account so policy control is key.

A final thing I’d add that seriously annoys me is to see multi-million-pound organizations that still haven’t got any device detection, email, age, or email matching – to me, that’s like having a house and not having a lock on the front door or the back door, you just would not do that!