Article 5 min

Shocking Results from Trulioo’s Online Fraud Experiment

Trulioo's Fraud Experiment

November 13, 2018  

Trulioo's Fraud Experiment

Close to 2.7 million fraud complaints were reported in 2017 in the United States, according to the Federal Trade Commission (FTC); these complaints related to different types of fraud, with debt collection fraud, imposter scams, and identity theft, being the most reported ones. Even if we don’t consider the cases that went unreported (and it’s entirely plausible that a large number weren’t), 2.7 million is a staggering number. The findings seem particularly perturbing as we reflect on them during the International Fraud Awareness Week, which is being observed from November 11 to November 17 this year.

Alarming as the numbers are, it’s not unreasonable to say that we, as a collective, still tend to think of fraud as a remote possibility; indeed, “fraud is prevalent, but the chances of it happening to me, are slim” seems to be a common refrain. Arguably, this is because we tend to assume that we are unlikely to be duped into wiring money to the proverbial prince living several continents away, or that we can easily see through the devious tactics of some questionable company sending us an invoice for things we never ordered. We are smarter and more aware, we believe, than the average person who is victimized by such cliched subterfuges. It was this attitude that got us thinking: What if the perpetrators of online fraud upped the ante and got a little creative?

To understand how this scenario would play out, we did a little experiment; it’s safe to say that the results of this experiment were well beyond what we could anticipate: a landing page, a Creative Commons licensed image – all this, and just a few hours of your time is all it takes to phish out personally identifiable information (PII) from completely unsuspecting individuals.

Here’s what we did:

We created a webpage for “Aurdentity”, a mobile app that we marketed as “Shazam for voice identification” – essentially, an app that retrieves the identity and background information of anyone when exposed to their voice. Obviously, the function of the app, including its name and branding detail, were deliberate – we wanted to present a product that would not only draw curiosity but also raise questions relating to the safety and privacy of personally identifiable information (PII). We also did some reading on the field of aural research and carefully concocted a persuasive, if inaccurate, explanation of the ‘science’ behind the app. Additionally, we also contrived a fake company, Agile ID Technologies, as the producer of Aurdentity; adding that minor detail, we realized, would also help give the application a veneer of legitimacy.

Over the course of eight days, we monitored traffic to the webpage, along with keeping a daily tally of how many users signed up for the app, and, in turn, disclosed their name, last name, and email to Aurdentity.

As we neared the end of this experiment’s timeline, we arrived at the following results:

  1. Over 2,139 people visited the Aurdentity website
  2. Of these, 66 people filled the sign-up form; in other words, they provided their name and email address to a fictitious company offering a fake product
  3. Therefore, had this actually been an online scam, 3.1 percent of the targeted individuals (which included educated and well-informed individuals possessing increased awareness of fraud and data privacy laws) would have become victims to it.

But, a larger question remains: How do we make sure that fraudsters don’t get the better of us?

Needless to say, this was an innocuous experiment; but had Aurdentity been conceived with malintent by malicious actors, the data collected would have been misused for nefarious activities.

In the case of Aurdentity, a simple Google search could have easily put the matter to rest; there is little to no information on the app – a red flag which, no doubt, alerted at least a portion of those individuals who visited the website but refrained from signing up for the app.

Indeed, there are any number of ways in which one can distinguish a fraudulent website from a legitimate one; checking the website’s related social media accounts, looking for comments by users, and other social media activity can help in determining the legitimacy of the website. One can also make an assessment based on the encryption status of the website: in other words, a HTTPS website is, by definition, more secure that an HTTP one, which is often vulnerable to data theft.

Of course, another way of vetting a website, an application, or indeed any product or service, would be to do your due diligence on the organization that owns it. In Aurdentity’s case, it was Agile ID Technologies. Doing a Google search, or looking for the company on Crunchbase, would have easily confirmed that the company doesn’t actually exist.

In practice, however, vetting a business entity is an intensive and searching process; there are multiple moving parts and actors within in a company, so it becomes imperative to conduct a more comprehensive examination. Looking at company registers, watchlist records, uncovering the ownership structure etc. — these measures need to be taken to identify any suspicious activity. In such cases, a Know Your Business (KYB) solution, which automates this process to conduct a comprehensive verification of the identity of the business, becomes a necessity.

If you’re interested on doing some further reading on combating fraud, here’s a list of some helpful resources:

Hacks, Attacks, and Other Identity Risks

Fighting Online Fraud: Email Intelligence

Identity Fraud: Fraud Prevention and Risk Mitigation