In the context of fraud detection and RiskOps, Open Source Intelligence tools (OSINT) are great for manual investigation. Let’s see which ones are worth it.
Table of Contents:
1. What is Open Souce Intelligence (OSINT)?
2. What are Open Source Intelligence (OSINT) Techniques?
3. Why Do We Need OSINT Tools?
4. Why Not Just Google It?
5. A Note on Google Dorking / Hacking
6. The Best OSINT Tools for Manual Fraud Investigation
6.1 Best for Identity Proofing
6.2 Best For Email Verification
6.3 Best for Phone Number Verification
6.4 Best for Reverse Social Media Lookup
6.5 Best for Income Verification
7. OSINT Tools – Choice Versus Efficiency
In fraud prevention, the key goal of manual investigations is to match data with someone’s real-life identity. It’s useful to verify a sign-up, to accept a transaction, or for a credit check, to boost online lender fraud prevention rates.
Because fraud analysts and risk managers know their user base quite well, they’re often adept at quickly knowing whether they’re dealing with a real person or a fake or synthetic ID.
But what about those grey areas when a bit more groundwork is required? What about those cases where the profile looks 80% legitimate, but your gut feeling says something is off?
Enters the open-source intelligence framework.
What is Open Source Intelligence (OSINT)?
Open Source Intelligence, abbreviated as OSINT, is a process involving the collection of information that is publicly available. In the context of fraud detection, it covers the variety of tools and techniques used to confirm something about a user, such as their identity, social media presence, income or email address.
What are Open Source Intelligence (OSINT) Techniques?
One of the key challenges of OSINT is avoiding information overload. Because there are so many places to search and so many potential databases to scan through, it’s important to have a clear strategy and framework in place.
That is to say, you must have an idea of what you’re looking for before you begin. The sheer volume of information can drown the signal in noise, and send you on the wrong path.
Broadly speaking, there are then two kinds of tactics. Active and passive open source intelligence tools:
- Passive: the most common way of digging for information. An investigator will enter the data they already have into a search tool, and gain extra information. It’s akin to fishing with a wide net.
- Active: a more focused way of acquiring data based on information that may be initially hidden. For instance, befriending a target’s acquaintance on Facebook to learn more about them in the long run. Going back to the fishing analogy, this is more like spearfishing.
Once your goals and techniques are established, you will have to select the right open source intelligence tools to seek out the information you’re after.
Why Do We Need OSINT Tools?
We’ve already covered how useful open source intelligence tools are for fraud investigators. Here are specific examples:
- Accepting a transaction in a CNP (card not present) scenario.
- Onboarding a new user on a platform (neobank, financial institution, iGaming).
- Accepting a withdrawal (iGaming, crypto exchange).
- Performing a credit check for a loan.
It’s worth noting that the same tools are also leveraged in other industries. For instance, OSINT is also a process useful in cybersecurity, to identify external threads or for ethical hacking and penetration testing.
Law enforcement agencies, private investigators, and journalists also rely on the same techniques to learn more about a crime, suspect, organisation, or person of interest.
Similarly, HR professionals can perform searches on potential candidates by scanning background checks open source directories.
Marketing and sales teams can use OSINT tools when they need to target a specific user, or simply need to check if an email address is valid.
Sadly, it should also be acknowledged that fraudsters and criminals can use the same tools and techniques for exploits. For instance, when building a synthetic ID, a fraudster can stitch data they have acquired from a darknet marketplace, and combine it with data acquired through public records.
Why Not Just Google It?
Search engines such as Google, Bing or DuckDuckGo are indeed useful free OSINT tools. Fraud analysts can use advanced filters to refine their searches and benefit from the indexing power of some of the best algorithms on the planet.
There are shortcomings though. Search engines cannot access proprietary databases and only look at clear net sites. In fact, the indexed surface web is estimated to only contain around 5% of the entire worldwide web.
A Note on Google Dorking / Hacking
Over the years, talented investigators have managed to reverse-engineer search engines. The method is called Google Dorking, or Google Hacking, and it uses “operators” or functions to expand the capacity of the tools (it works with search engines beyond Google too).
The method is controversial, because it may cross the line in terms of how “public” the information is. For instance, you may find a link to a PDF file containing a list of passwords, but downloading it may be a prosecutable offence.
Examples of “operators” include:
- Specific file types.
- Searching for terms on a specific site.
- Find RSS feeds related to a term.
- And much more.
You can read more about GoogleDorking here.
The Best OSINT Tools for Manual Fraud Investigation
For those who need more than search engine results, we’ll segment the best OSINT tools based on the kind of action you want to perform. Some of them are free, while others are paid services.
However, we’ve disqualified all the products that only work via API integrations, such as the industry-standard Maltego, as this article focuses on manual queries. Tools that help you learn more about companies, websites and organisations, such as SpiderFoot, also didn’t make the cut.
These tools scan databases to help you confirm someone’s identity based on a full name. You usually get extra information such as a residential address, and maybe some contact details too.
More importantly, they could help confirm a lack of identity. If no information is available, you could be dealing with a non-existing person.
The phone book is almost 150 years old, and 192.com is probably your best option for finding a number based on their name. It’s not a full confirmation of someone’s identity, but if you get a positive result, you can at least triangulate the information with more searches. Best of all, it’s completely free.
Sometimes, the most obvious methods are the best. It’s certainly the case with the online version of the White pages, which allows you to get an address based on a name or phone number.
Results may vary, but it is a reliable, free and trustworthy OSINT tool. The main issue is that it’s not a global database, so you’ll need to search through each local version of the site depending on your use case.
BeenVerified, Pipl, Spokeo, Intelius
We’re lumping these four tools together because they perform more or less the same searches, under the same business model. You usually get one cheap search with a free trial and you’re then invited to purchase a monthly subscription.
Most of the information with your first search will be hidden behind a paywall, as it is their incentive to sell you a package. For instance, Intelius costs $0.95 per initial query, but you can pay an extra $39.95 for a background check.
These services are mostly US-centric. On the plus side, they can pull out a wide range of results from official public records, such as marriage licenses or criminal offences.
You can read more about how they work in our article on free email lookup.
Need to see if an email address exists in the first place? Use these reverse email lookup tools to confirm their deliverability (and possibly check how old they are).
Email Hippo, which you can also access through VerifyEmailAddress.io has been operating since 2009. Sure, it looks like the website hasn’t been updated since, but the fact is that it works. Simply type in an email address, and the service will check MX records to confirm whether it exists or not.
We’ve previously written about how you can use a data breach for user verification, but it’s particularly useful when looking at whether an email address exists or not. In fact, you can even infer how mature the address is depending on which data breach it’s been found.
And HaveIBeenPwned is still the best site to quickly search for email addresses that appear in said data leaks (you can now also do the same with phone numbers).
Aside from the aforementioned tools like White Pages and HaveIBeenPwned, here are some solutions designed specifically to learn more about a provided number through reverse phone lookup.
You may need to brush up on your Python to run PhoneInga, but you’ll be hard-pressed to find a better open-source tool for OSINT on phone numbers.
Confirming IDs via social media accounts is increasingly popular for a number of good reasons:
- It’s a high barrier of entry for fraudsters, who don’t have the time or resources to create fake profiles.
- It’s a fantastic way to find a user’s digital footprint.
- It can help establish an idea of the socio-economic background, even in markets where financial information is scarce.
- The type of social media linked to the user can also reveal more about who they are.
Of course, you can manually search directly into your target network, by typing a name into LinkedIn, Facebook or Twitter. For scalability reasons, it’s easier to use a specialist solution.
At the time of writing, SEON is the only fraud prevention that lets you check more than 20 social media networks. The checks are based on an email address or phone number.
Because they’re part of our email and phone data enrichment modules, you’ll get a lot more information, including a risk score. The other good news is that you do get complete flexibility in how you query the service, manually, via API, or through a Google Chrome extension.
What it lacks in options and efficiency, Social Searcher makes up for in terms of ease of use. Just type in a name into the search bar, and the online or IOS tool will search a handful of social media networks for that person’s name.
When it comes to modern credit scoring, you have two options: go through the official channels (Experian, Equifax, Transunion…) or look for alternative options. The advantage of the former is that you get what you pay for: it’s expensive, but the results are trustworthy and thorough.
In terms of the best OSINT tools, though, here’s where you could look for financial information.
People post their salaries to Glassdoor. Provided you can confirm someone’s identity, this is as good a place as any to start. You might be able to find someone’s precise job title and salary, or at least to compare it with similar posts in the same area.
This one is US-centric, but you should easily be able to find equivalents in other countries. It’s a good place to find general estimates for earnings in various industries.
OSINT Tools – Choice Versus Efficiency
As previously mentioned, the problem with OSINT tools isn’t that they’re hard to find. It’s that you often have to use them fast, especially for real-time manual reviews.
In fact, the list we’ve compiled above is barely the tip of the iceberg. There are dozens of websites that specialise in compiling every possible tool you can use for your searches, in categories as varied as image and video search to geolocation searches.
Still, we hope this article will be a good primer on the topic, especially with a focus on manual review for fraud prevention.
Learn more about our products
Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.