Pettuste ennetamine ja IT

Fraud prevention is often perceived in modern society as one of the "buzz" words, used by high level officials justifying scrutinising controls over the public or by personnel from, usually, financial institutions. For wider public, however, fraud prevention as such is something distant and closer interactions happen only when effects of such occur for themselves, like having a transaction on hold with bank or having to verify a card whilst trying to book a holiday trip through Airbnb. Thus, misconceptions start to occur, including news articles about discrimination by fraud prevention systems ^[1] or inefficiency of such ^[2]. This article aims at defining fraud prevention and bringing outlook of new trends and usage of technology to combat fraud and increase customer satisfaction as a result of such.

Fraud is an offence where perpetrator intentionally uses deceit in order to make gain or cause losses to another person. In its baseline, definition of fraud across the globe is unified by relying on presence of deceit and having at least potential (intended) impact for others, which is essential, since this is used for distinction from hoax - intentional lie or misconception, but without purpose of making gain or causing loss.^[3] Fraud is usually referred as a type of a financial crime, however, it may include non-material gain, which goes against the wide-spread definition of financial crime - a crime which is committed against a property.

As an offence, fraud can be both civil and criminal, depending on how particular case is handled. In case victim of fraud decides to report a fraudulent act to the law enforcement and pursue punishment of offender, then it becomes a criminal case. Contrary, in case victim decides not to make a disclosure and pursue restitution by applying to a civil court, then it becomes a civil case. In its essence, both can exist simultaneously, for instance, when first victim brings offender to the civil court, but at the same time police is investigating the same offender over the same offence. There are advantages and disadvantages for victims in both scenarios:

• Civil cases tend to resolve faster, since they base on the principle of probability^[4], thus there can be much shorter period of evidence collection or investigation.
• Civil cases are focused on the claims of a victim, so there is higher chance of restitution - reclaiming the damages.
• Criminal cases involve formal investigation by law enforcement with more legal power, which is especially important on the evidence collection stage.
• As a result of successful criminal case, there is larger probability of offender not committing the same act again, for instance in cases, where offender is imprisoned.

There are beliefs that first instance of fraud has occurred at 300 BC. ^[5] Although, it is claimed to be one of the first recorded instances of fraud, it is fair to assume that fraud as such has existed since the beginning of human interaction, similarly to murder ^[6], in itself using deceit to make gain is very natural to human being ^[7]. Although we do not have a comprehensive overview on the full history of fraud, there are still noteworthy examples from the past.

William is claimed to be the first (securities) fraudster in the independent America. His earlier life consisted of multiple fails to establish business and trades (including ones with India and China), as well as notably failed plan to resell the land acquired through insiders to French farmers - his loss in this is estimated at 2.2 million US dollars (adjusted). The true fraud, however, happened after his friend Alexander Hamilton became Secretary of the Treasury. Subsequently to that William became Assistant Secretary and started to gain insider knowledge on dealings with governmental bonds. He then himself started speculative trading, whilst still holding a position in the Secretary.

Soon after, in 1790 Duer left Secretary and increased his volumes of speculative trades. Knowing insider information, he could buy bonds ahead of others and sell them on their rise, effectively creating false demand and inflating prices, making a cut out of buying bonds at their lowest. It would have continued so, if not the bond price fall in March 1792. This drop effectively nullified efforts of William and shortly after he will find himself in debtor's prison, where he would spend rest of his life. William Duer died due to illness in 1799.^[8]

Know as the "man who sold Eiffel Tower", Victor was one of the most dangerous and notorious conman in the history. He started his underworld career as a young child - pickpocketing, burglaries, street hustling. By the time he became an adult, reportedly, he knew every card trick and perfected scamming. Victor arrived to the US by the end of World War I and began his fraud operation. One of the most famous scams he managed to perpetrate was so called "Rumanian money box" - a simple wooden box with some mechanism inside it, which Lustig claimed to be able to copy banknotes using "Radium". In 1925, after series of success in America, Victor decided to embark to Paris. In Paris, using deceit, he managed to gather the biggest people of metal scrap industry. In a meeting with them, he claimed that due engineering faults in the Eiffel Tower, government needs to disassemble it, monument would be sold to the highest bidder. Fortunately for Victor, this scam was a success and he sold the Eiffel Tower to Andre Poisson for 250,000 francs. Andre even had to pay a bribe to the Victor and since government was known to be corrupt - this gave this deal credibility. Victor passed the paperwork and fled the country - whilst Andre was trying to claim ownership of the monument, unsuccessfully. Due to the fact that Poisson has never turned to the police, presumably out of shame, Victor decided to try the same scam for the second time. Although he managed to find buyers and convince them, this time supposed buyer went to the police, yet Victor managed to escape once again.

Victor went as far as being involved in producing counterfeit banknotes of highest quality. This fraud had attracted attention of Secret Service, who have later caught him. However, even after being caught, Lustig managed to escape from believed to be inescapable federal detention center. Only after 28 days he was caught again and finally. Officials have sent Victor to Alcatraz - a true fortress of a prison. Sadly for Victor, his reputation of conman led to undesired consequences - within 10 years in prison he made nearly 1,200 medical treatment requests, but all were denied, since it was believed to be a plan of escape. In 1946 he was transferred to medical facility, where it was discovered that Victor's condition was indeed serious. He died later of alleged pneumonia. ^[9]

Fraud as an offence has evolved from its original form over the time. Nowadays it is rare to see headlines about great con artists in fedoras, but nevertheless articles about fraud are still released on a regular basis. In fact, Google Trends show that since 2004 fraud as a topic is constantly of high interest, with lowest relative interest being 58^[10]. Moreover, New York Times have over 168 thousand articles available by searching for a key word "Fraud" ^[11].

Thus fraud in itself remains a relatively popular topic, despite absence of clear figures, like ones mentioned earlier. This is attributed in the industry to changes in the way people interact on a daily basis. Since the Internet was introduced, people gained access to cross-border communication, which in turn created a new branch of crime - cyber crime. In its essence, fraudsters rely on deceit and exploiting trust, often targeting vulnerable people, such as elderly or otherwise disadvantaged people^[12]. The Internet has connected millions of people, who fall under this description, hence from small street scams fraudsters have migrated to The World Wide Web.

In older forms of fraud, perpetrators relied on arsenal of tricks and utilising soft skills beyond average level, perpetrator should have remained persuasive at all stages of an act by directly communicating with the victim. The Web, however, removed that requirement, since it allowed to be distanced from the victim and should interaction needed, messages of victims could be analysed due to acceptable buffer - there is no expectation of receiving instant reply in an online conversation. This trait of online communication lowered the entry level for the fraudsters, although the main advantage for criminals was set to be scalability. Introduction of web technologies allowed simultaneous communications - dozens of emails could be sent within short time period, opportunity which has not existed before.

Moreover, with web technologies completely new forms of fraud appeared - card fraud, identity fraud, sextortion scams, advanced fee scams, dating scams, eBay scams etc. These typologies cannot be imagined without the spread of web technologies and rapid advancements in IT, such as social media, online markets, online payments systems. Whilst offering significant advantages for the good of humanity, they were also adopted and exploited by the criminals. In addition, The Internet offered anonymity for its users ^[13], which has attracted digital age fraudsters. Anonymity created an opportunity for fraudsters to not only hide their identity but create new ones or use existing ones and associate themselves with another person. Misrepresentation of the true identity meant that fraudsters could gain trust by pretending to be someone who victim would trust or have respect.

Email scams since their beginning have evolved to include multiple typologies, such as phishing, business email compromises (BEC), sextortion, romance scams and numerous variations of advanced fee scams - job offer scam, 419 letters, item sell scams, investment scams, debt scams etc. Email scams are generally put in two categories:

• Targeted email scams, such as BEC or sextortion and sometimes phishing attacks, where fraudster would prepare intelligence^{[footnotes 1]} on their victim and use collected data in order to force victim into wiring funds or assigning other assets to the fraudster. By gaining information about the target, fraudsters can come up with stories that would resonate, pushing victim to make reckless decisions.
• Mass email scams, where fraudsters would send same content email to a list of emails, either obtained from data breaches or by means of brute-forcing - tactic where criminal does not know exact emails and relies on generating existing email handles accidentally. These emails rely on probability of reply. For example, one could take probability of reply and following the scam to be one in ten thousand. By sending millions of emails at random, fraudster hopes that they would get at least hundred of people, who would fall for the email content and wire the funds.
  

Due to low cost of sending an email^[14], fraudsters adopted such scams to obtain illicit profit. In 2019 Australian Competition and Consumer Commission reported over 28 million Australian dollars of loss due to email fraud.^[15] Furthermore, by September 2019 spam messages account for 54.68 percent of e-mail traffic, majority of these emails are believed to be fraudulent containing scam content or spreading viruses.^[16]

Nature of email fraud also makes prosecution of criminals a nearly impossible task, since emails by design can be sent from anywhere in the world, but furthermore tracking fraudsters was proven to be ineffective. In fact, out of more than three hundred thousand complaints, out of which nearly a third can be attributed to email fraud, made in year 2010 in the U.S., around 1400 criminal cases were opened, which resulted in only six convictions.^[17] At the same time, communication company Verizon has reported in 2019 that over 30 percent of phishing emails are being opened in the U.S.^[18]

Advancement in payments by introducing technology to existing systems have lead to multiple breakthroughs, including invention of cards - a single object behind potentially indefinite amount of money. However, with convenience new opportunities were also opened for fraudsters. Initially, cards existed only in form of credit card^[19] and as such only small proportion of households had access to these. That changed with time and credit cards started to be widely adopted by general public, which has lead to creation of card fraud.

First types of card fraud were in itself card thefts - genuine card was stolen from the cardholder and used by a criminal. However, such tactic did not last long with introducing more checks for authentication of a cardholder, such as requesting to sign a receipt for cashier to compare signature on back of the card with the one presented. At the same time, magnetic stripes were introduced for increased security, although shortly after magnetic stripes have opened opportunity for fraudsters - information encoded on magnetic stripes was copied, often by use of skimmers^[20], and recorded onto magnetic stripes of "dummy" cards. These cards could be imprint of victim's card, including a signature that fraudster could repeat to avoid being caught by signature check. Such act included deceit, misrepresentation, thus is believed to be the first association with term "fraud", instead of card theft.

Card issuers have attempted to secure their cards by introducing chips on cards around year 1985^[21], however, these changes did not help to secure cards. For the purposes of backwards compatibility cards still had magnetic stripes with all of the security flaws, thus fraudsters were still able to steal information from credit cards. Major player in such security vulnerability were merchants themselves. Acquisition of a terminal and joining the payment infrastructure was a costly procedure, hence merchants were not willing to switch to more costlier options. In addition, cardholders themselves found that using magnetic stripes over chips was faster way to pay for the goods. Thus, even having sophisticated solution, which arguably cannot be easily avoided^[22], the cultural aspect has to be considered, as well as a cost and effort of change for the whole infrastructure.

Card fraud further evolved due to introduction of online payments and subsequently online retail. By beginning of 1990s, online payments were launched in multiple institutions, however, only after mid 1990s online payments started to get popularity as an alternative ways to pay, mainly due to the fact that infrastructure outside of the financial institutions was introduced, as well as general growth in users of World Wide Web.^[23] With that, first concerns over security were raised, hence companies offering online payments chose still to either pass credit card details over the phone or by fax, whilst some of the companies offered customers to download specialised software that incorporated PGP encryption^[24] for transferring card details.^[23] A year after, in 1995, Netscape introduced SSL as a new data security protocol standard for online browsing, which in turn allowed users to be independent from custom-made software and utilise browser for online payments, whilst not compromising the security and integrity of their data.^[25]

Albeit the measures taken, online card fraud found it's way to penetrate the security by finding the weakest link in the chain - human itself. Adoption of SSL secured communication between the user and server, however, it did not secure user from being targeted by fraudsters for example in phishing attack. Similarly, good end-to-end communication encryption did not guarantee service providers invincibility of their servers nor data held there, thus resulting in data breaches and further compromising securely sent card details. Unlike the physical or so called "card present" fraud, online cashiers are not present, hence no one could check whether user is, firstly, who they say they are and, secondly, whether certain payment method actually belongs to them. Furthermore, formation of online market places, such as eBay, also meant that physically stolen cards or details could be used for online purchases - details from magnet stripe contained information suited for these purposes - card number, expiry date and CVV/CV2 codes.

Other online card fraud tactics include creation of "dummy" web stores for collecting card details under false premises of good deals for the end consumer. Such websites are usually offering range of low value items and can even keep their end of the bargain by satisfying placed orders due to value of information that is being stolen. Fraudsters can capture additional information, such as device data to further mimic genuine cardholder.

By now card fraud losses are measured in billions, only in 2018 losses are estimated to be 27.85 billion US dollars.^[26] Although payment service providers have secured payment data acquiring and transfer, as mentioned earlier, major contributor to such high numbers are often cardholder themselves. Fraudsters employ such tricks as vishing, - phishing by telephone, - remote access control scams, - such are, for instance, Microsoft or Amazon update or refund scams, - and other typologies to lure out card details. Another problem is rather low control in regards to low value transfers, which usually add up to significant numbers - low value fraud is less frequently detected by the cardholders in timely manner. Even though cardholders do have protection from such fraud in the way of chargebacks, the loss is often upheld by card issuers or merchants themselves. Even after evolution of technology and security in regards to fears present in the mid 1990s, cultural and social aspects of online payments embraces card fraud - cardholders in general do not follow security protocols, such as not sharing card details, and merchants often do not invest in security, resulting in data breaches, effectively diminishing results of scrutinised security implied by card payments processors.^[27]

Fraud is evolving further and many new typologies appear on the fraud scene. Old typologies are gaining more traction with the further spread of technology, such as account takeovers, due to the fast nature of the Internet. People tend to forget and even if person in 2020 uses strong passwords, follows cyber hygiene and keeps secrets by themselves, then there is still a relatively big chance, that one of the accounts registered on the verge of their digital life was compromised multiple times and might be still in use by the fraudsters.

With growing fraud volumes and subsequent losses, resources were put into fraud prevention. Despite long history of fraud fighting it is still a relatively young area, especially for private sector. It is fair to conclude that before mid 1990s fraud "prevention" was nearly exclusively in law enforcement domain, although prevention as such was a side effect of detective work and prosecution of criminals, who could have caused further damage to the society and economic integrity. However, with bigger volumes of online payments, the burden of detection and prosecution was shifted towards financial institutions, payment processors and merchants themselves. It was assumed that private sector could prevent transactions, orders from execution due to their position - only they posses knowledge and data at that moment to make a decision whether transaction could be genuine or should be stopped and prevented.

Hence governments across the world began to enroll new legislation to force institutions to conduct better due diligence and apply preventative and detective controls in regards to movement of the funds. Not only it was a question of data availability but also the fact that law enforcement agencies had very limited capacity played big role in wide support of such regulations worldwide. This was further supported by changes in consumer protection legislation, shifting the responsibility for the fraud loss from the actual victims to their respective banks, card issuers and merchants. For instance Financial Conduct Authority of the UK has stated that "We give higher priority to the protection of consumers as potential victims of fraud than to the protection of firms themselves as potential victims."^[28]

Private sector has reacted to these changes by investing into measures that could help to mitigate such risk, since fraud let through meant reduced profitability, either by taking direct losses or indirectly due to fines for not complying by the overseer agencies - both scenarios also would bear significant public image damage.

In the beginning fraud prevention relied on manual monitoring of transactions or orders, depending on the institution type. Back in the 1990s and beginning of 2000s that wasn't seen as a big problem due to relatively low volumes as well as absent expectations on fast or near live experience by end consumers, hence tactic of manual monitoring was wide spread in the industry. At its core it meant that employees of specialised departments would have an outlook of all incoming or outgoing transactions and had to use their assessment to determine which ones should be reviewed. Bigger institutions, however, could not cope with such load and used simple alerting systems instead of human eyes. Such algorithms were limited by the capacity of systems they were built upon - at the times software engineering as a field was in the earlier stages, thus systems were non-optimised or hardly modifiable. These systems also suffered from inconsistent data storage formats and still required a lot of manual work. Despite that, rules set up by these firms were relatively effective, although having big cost attached.

Wide adoption of online payments and overall online activities lead to increased volumes, which meant that previously working tactics for fraud prevention were becoming less efficient - growing amount of manual work meant that cost of these operations would become unsustainable, departments should grow in head count, delays for customers would occur more and satisfaction with services could drop. This was especially becoming a problem for companies like PayPal, eBay, which later acquired PayPal, and other online payment gateways, like WebMoney. Growing amount of customers meant that subsequently amount of bad actors also increased.

The inherit problem with the Internet is presumed anonymity - whilst true that no one can really hide from the "big brother", criminals had covered "just enough" to make sure that unless there would be specific and targeted interest from "super agencies", like Federal Bureau of Investigations (FBI) or United States Secret Service (USSS), they could avoid getting caught. These agencies were feared by criminals around the globe for a reason - majority of fraud traffic was and still is coming from the United States of America, due to low nationwide security standards - this meant that the biggest economy in the world was an easy target for the cyber criminals because of proportional amount of households with decent income and available funds - in fact the USA is still the biggest player in terms of card fraud. ^[29]

With that in mind, financial institutions were forced to check who their customers actually are and processes for "know your customer" (KYC) were started to be implemented online. KYC outside of the web was relatively easy task, to open up a bank account or make a purchase with a card customer needed to be physically present, often recorded by CCTVs. Such was a filter for bad actors, since they had to show their identity or at least some part of it, in case of synthetic identity, e.g. fake documents under different name. However, online there was no means to physically check for the customer to even exist. The greater benefit of online realm was exploited by the bad actors. However, due to financial interest of companies to not loosing money due to fraud was stronger, hence such started with implementing alternatives. Within short period, majority of companies started to require providing valid email addresses, as well as valid phone numbers, that were needed to be confirmed. This was accompanied by so called background checks and silent information collection - checks against credit score providers, validating data against governmental databases and collecting data about logins, such as IP addresses and information about the browser.

These methods ensured that there's enough information to determine probability of a customer being genuine in case all data matches. That was, however, not true, since fraudsters were quicker to adopt to online world. The greatest benefit of the Internet was that it allowed to be a global citizen - registering and using services for people around the globe. Introduction of Skype and virtual phone numbers for travelers to bypass high roaming tariffs, e-money wallets for purchases online, PO boxes for ordering goods that are not shipped by the vendors to customers' addresses. The Internet and online services were rapidly developing with initial goal - removing borders and obstacles between people. These benefits of technological advantage allowed criminals to gain upper hand in battle against cyber crime fighters. Opening an email already in early 2000s was an easy task and there were no checks - anyone could open up an email account with Yahoo or Google. Virtual phone numbers gave fraudsters possibility to provide valid numbers for the desired country. PO boxes opened up possibility of hiding physical location behind proxy.

Fight against online fraud required novel methods from the risk takers. Problem got escalated by numerous breaches of sensitive data that could be used for verification - emails with passwords, bank statements, pictures of ID documents. Although this data being in circulation for many years - companies still relied on verifying their customers the old way. Changes started around late 2010s, with multiple companies introducing so called "liveness" checks. The idea behind liveness check is to mimic physical interaction and instead of verifying digital identity, which were known to be easily forgeable, focus was shifted to verify actual identity. These checks started with forcing customers to register their accounts and taking pictures of themselves holding identification document near their face, so that either automatically or manually on the photo of the document and face from the photo itself could be cross matched.

Despite the efforts, in just months cyber criminals started to penetrate this security by utilising software, which has helped many photographers, digital advertisers and alike to create images like perfect cheeseburger for the McDonalds advertisements. Fraudsters used PhotoShop and similar to edit their face to look either similar or exactly like on the picture of ID. At the same time, more fraudulent websites appeared, selling goods or assets also asking for their customers to provide such pictures, so they could reuse the very same pictures for fraudulent purposes with other merchants or institutions. Anti-fraud companies have picked it up and rolled next generation liveness checks - short videos of customers performing asked action - captures from that video were used to compare against the document photograph. By that time, next solution for cyber criminals was widely spread among the youth. This solution was responsible for creating many trends - digital facial masks. The very same technology was implemented by fraudsters to "put on the face of victim" in order to bypass liveness checks.

This battle is still ongoing and it is noteworthy that cyber criminals utilise means given to the digital age people for entertainment and genuine purposes. With latest advancements in "deepfake"^[30] technologies anti-fraud companies are alarmed that conventional means to verify the identity of users to prevent fraud from happening are jeopardised and are, in fact, already obsolete.

Fraud prevention relies on techniques used for analysing behaviour of actors and determining whether such are genuine or bad ones. As mentioned previously companies relied on static simplistic rules to pick up behaviour that could be potentially fraudulent. These rules relied on enclosing certain behaviour to single features. The problem of such approach is in both maintainability and low accuracy. First of all, to create such rules one would need to let set amount of fraud through, analyse these instances and write down unifying features. For example, a bank could experience a fraudulent "wave", where customers would send specific amounts to specific targets. These features would be picked up and monitoring system would be set in place to specifically look out for the users with such features, once a match would be found - an alert would be created for manual review. That, however, means that specialised departments need to monitor their user base, analyse fraudulent activity, reduce it to unifying features, update monitoring system. Once behaviour changes, the same process would be repeated. Should a genuine customer have same features - an alert would be created for manual review.

These techniques are rather not flexible and require either summing up whole fraudulent activity to single features or creating multiple set of rules. With increased amount of customers and subsequently increased amount of bad actors, the problem, whilst staying at O(n) would become a real world issue.

For demonstration, hypothetical experiment could be carried out:

• A company has 1000 customers at given moment
• The same company would have 100,000 customers by the end of next two years
  

Hypothetical formulas

• For fraudulent users amount (y) from the customer base: y=0.05*x, where x is amount of overall customers
• For different fraudulent groups amount (z), i.e. showing different behaviour from one another: z=y/100, where z is rounded to the next full integer
  

By the time company would reach 100,000 customers, they would have 50 different fraudulent groups, which would translate to the same amount of static rule sets. Moreover, in attempt to detect explicit fraudulent groups, a company could have many false positives, given that each group could have features specific to future customers. It is because of that companies started to implement more sophisticated techniques.

One of the biggest advantage that companies monitoring activity have over the fraudsters is resources and data to compare known fraudulent activity to known^{[footnotes 2]} genuine activity. Having the data, specialists started to implement statistical models, used for categorising data, namely a binary categorisation - fraud or genuine.

Usage of algorithms, such as decision trees or logistic regression, gave institutions flexibility and scalability back, whilst at the same time maintaining rather low volumes of fraud. However, major drawback of statistical approach is cost of implementation - the algorithms themselves are usually reduced to rather small set of code^[31], but the cost of maintaining data scientists and infrastructural changes to support monitoring with use of algorithms can outweigh increased accuracy, especially for smaller entities.

Another problem in implementing more sophisticated approaches is data itself. To implement simplest algorithms an initial data set is usually required for training, validation and testing purposes.^[32] Such data can be collected only through the time and, moreover, should be labeled for majority of the algorithms to work, which implies presence of manual labor and period of data collection. In addition, fraudulent activity would be underrepresented in the data set - that could be offset by using techniques such as overrepresentation, but in its essence the problem would still be present. Furthermore, oftentimes some of useful data would not be available for researchers due to some limitations, such as legal restrictions, e.g. collecting special category data^[33], or technical restrictions, e.g. not being able to collect digital fingerprint from specific devices. Limitations can sometimes play bigger role in fraud prevention, where complex behavioural profiles needed to be compiled and compared with the whole user base.

One of the most promising algorithms for fraud prevention is neural networks^[34]. Neural networks can understand hidden relations between data points and have more accuracy in predictions, if set up correctly. Since neural networks attempt to mimic human process of thinking and making decisions, it could be a breakthrough in fraud prevention domain, with promises to reduce needed head count of investigators. Unfortunately, neural networks are not yet developed enough to be fast for these purposes. Training times of such networks on large customer data set could take days running on powerful clusters of computers and scoring itself can take minutes, given how complex certain networks be. Investing in such artificial intelligence can mean increased costs in hardware maintenance and cost of personnel required to keep such model running.

Fraud prevention is becoming a popular domain, since more companies and merchants understand that having online presence and offering to use any online payment drives bad actors to said platform. More attention is also received from the public authorities, who are shifting focus to protect victims from the fraud^[35] and assisting private sector in setting up effective frameworks for cooperation and data sharing. Prevention domain recently has seen influx of standalone anti-fraud companies, offering solutions to fight fraud for everyone, starting from corporate banks to small e-commerce markets.

Usage of new technologies in identifying and tracking fraudsters promises catching up with lost time on ineffective measures or slow adoption of such in the past. New monitoring algorithms and solutions emerge, which indicates positive direction for the domain. Attention from the general public has also supported raising awareness of the problem and increased trust in agencies protecting customers from fraud.

Impact of new technologies and developments in IT is clearly seen on the example of fraud and, wider, cyber crime. Any society develops to introduce new knowledge on how to optimise old ways of living, in order to maximise the outcome, whilst acquiring more time for more sophisticated tasks to be completed. Throughout the history crime was inherit part of our lives, since it was a way to shortcut development and gain resources that could be not available otherwise. We have learned that any society should take reasonable steps in order to prevent crime from happening and prosecute existing criminals. For that we have developed complex constructs, such as laws and social norms. Our focus was to minimise the harm of having a bad actor and developing a way to restore justice for the good of society as a whole. We have learned that freedoms exist only when such are protected and respected.

We have taken steps to ensure our lives would be easier, that complex tasks could take less time by utilising computational power, outsourcing calculations to robust machines. We have seen a great promise in the information technologies - allowing us to visit places we would never be able visit, connect with other people we would otherwise not know and, more importantly, feel connected, safe and protected in our ways of thinking. We thought that introduction of the Internet and not enforcing strong control will benefit to ourselves under the promises of freedom of speech, which should have solved our biggest problems. One could say that we have achieved a lot since introduction of IT in our lives.

With that said, we have not thought about how such powerful technology can backfire and what could be consequences. Our builtin ethics often say to us that we should not let criminals to commit crime and we should work together to protect ourselves from bad actors, but we act against our moral compass. We never took time as a society to understand the Pandora box we were opening. Introduction of IT can be compared to discovery of fire or invention of wheel and has saved many lives, but in the same way it has taken many. Humanity has built systems, that now are used to exploit the others - innocent Snapchat "swap face" masks were used by fraudsters to bypass checks and create accounts to steal hundreds of thousands dollars, euros, pounds from other people. Technologies that we are developing are rarely thought to be potentially used incorrectly, fraudulently. We can only speculate what would happen, had we taken precautions and developed the Internet and all solutions utilising it from the approach of "this will be used to hurt", but it is seemingly so native to think about the future and mitigate the potential risks - to begin with that is one of the reasons why we have built our digital world.

Throughout the short history of the Internet, we see examples, where we, as society, neglected consequences of our actions. We could have prevented thousands of families to be broke because of investment fraud or hundreds of people ending their lives over romance scams they've fallen for, but one of the greatest features of the Internet has let us down - it allows us to distance ourselves from the real world. To live lives we don't have. Cyber crime goes unnoticed, it makes to headlines, but not much people take it seriously. People tend to react more to crime that happens outside of their houses, although falling a victim of scam or fraud online is far more likely to happen than to be assaulted on the streets^[36]. By now we have tools to be protected, but similarly to introduction of EMV chips on our credit cards, we do not want to give up convenience over greater good.

The problem is that online we cannot see victims or fraudsters, we do not have "live" interaction and we do not see immediate impact of our actions. It is easy to steal a card, when you cannot see your victim. But would one do so, if they would see a struggling elderly with last thousand on their bank account? The wall of screen between ourselves online made us so distanced, that people who could have never committed a crime choose to do so. We have heard about "skript kiddies" stealing cards for fun, but these are the same people who later on are caught up in massive online fraud. This happens because we do not pay enough attention to the Internet and risks coming from there. In fact, we rarely feel responsible for the actions online. We know the stories of someone consuming too much of alcohol and writing online inappropriate or inadequate things^[37] to people they would never say in person, even if they were in the same condition.

Lack of responsibility and "connectedness" online lead to fraud being valued more than budgets of Baltic countries. We opened up possibilities, but we did not think about them. This was an ethical and social decision that we have made wrong.

1. ↑ Often referred as "doing homework" by fraudsters
2. ↑ It would be more correct to use term "alleged", since defining genuine activity is relying on assumption that current behaviour is not matching known fraudulent one.

1. ↑ R. Jones, "NatWest closed my account with no explanation.", The Guardian, https://www.theguardian.com/money/2018/feb/03/natwest-closed-my-account-with-no-explanation (accessed May 7, 2020).
2. ↑ u/Designer-Lobster, "Stripe fraud protection is a joke", Reddit, https://www.reddit.com/r/stripe/comments/eyjaxq/stripe_fraud_protection_is_a_joke/ (accessed May 7, 2020).
3. ↑ Parliament of the United Kingdom, "Fraud Act 2006", 2006. [Online] Available: http://www.legislation.gov.uk/ukpga/2006/35
4. ↑ S. Davies, "Proof on the balance of probabilities: what this means in practice", Accessed May 7, 2020. [Online] Available: https://uk.practicallaw.thomsonreuters.com/2-500-6576
5. ↑ D. Kornitzer, "The evolution of fraud: From 300BC to the digital age", Gigabit, Feb 24, 2018. [Online] Available: https://www.gigabitmagazine.com/mobile/evolution-fraud-300bc-digital-age
6. ↑ R. Virtue, "Grisly end of 'first recorded murder victim' revealed… from 430,000 years ago", Express, May 27, 2015. [Online] Available: https://www.express.co.uk/news/world/580365/first-recorded-murder-victim-revealed
7. ↑ K. Fisher, "The Psychology of Fraud: What Motivates Fraudsters to Commit Crime?", March 31, 2015. [Online] Available: http://dx.doi.org/10.2139/ssrn.2596825
8. ↑ A. Brown, "The High Crimes And Misadventures Of William Duer, The Founding Father Who Swindled America", Forbes, June 4, 2019. [Online] Available: https://www.forbes.com/sites/abrambrown/2019/07/04/the-high-crimes-and-misadventures-of-william-duer-the-founding-father-who-swindled-america/
9. ↑ J. Maysh, "The Man Who Sold the Eiffel Tower. Twice.", Smithsonian Magazine, March 9, 2016. [Online] Available: https://www.smithsonianmag.com/history/man-who-sold-eiffel-tower-twice-180958370/
10. ↑ Google Trends. Trends for keyword "Fraud" as topic. Accessed 7 May, 2020. [Online] Available: https://trends.google.com/trends/explore?date=all&q=%2Fm%2F0g1jf
11. ↑ New York Times. Search for keyword "Fraud". Accessed 7 May, 2020. [Online] Available: https://www.nytimes.com/search?query=Fraud
12. ↑ G. Norris, A. Brookes and D. Dowell, "The Psychology of Internet Fraud Victimisation: a Systematic Review", Journal of Police and Criminal Psychology, vol. 34, no. 3, pp. 231-245, 2019. [Online] Available: 10.1007/s11896-019-09334-5
13. ↑ J. Palme and M. Berglund, "Anonymity on the Internet", Department of Computer and Systems Sciences, 2002. [Online] Available: https://people.dsv.su.se/~jpalme/society/anonymity.html
14. ↑ "What's the cost of e-mailing 1.8m people?", BBC NEWS, 2007. [Online]. Available: http://news.bbc.co.uk/2/hi/uk_news/magazine/6385701.stm
15. ↑ Australian Competition and Consumer Commission, "Scam statistics", 2019. [Online] Available: https://www.scamwatch.gov.au/scam-statistics?scamid=all&date=2019
16. ↑ J. Clement, "Global spam volume as percentage of total e-mail traffic from January 2014 to September 2019, by month", Statista, 2019. [Online] Available: https://www.statista.com/statistics/420391/spam-email-traffic-share/
17. ↑ Internet Crime Complaint Center, "2010 Internet Crime Report", NW3C, Inc, 2011. [Online] Available: https://pdf.ic3.gov/2010_IC3Report.pdf
18. ↑ Verizon, "2019 Data Breach Investigations Report", 2019. [Online] Available: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
19. ↑ C. Layton, "History Of The Credit Card", Credit Card Processing Space, 2013. [Online] Available: https://www.creditcardprocessingspace.com/history-of-the-credit-card/
20. ↑ L. Irby, "How Credit Card Skimming Works", The Balance, 2018. [Online] Available: https://www.thebalance.com/how-credit-card-skimming-works-960773
21. ↑ E. Sorensen, "The historical roots of electronic card machines", Mobile Transaction, 2019. [Online] Available: https://www.mobiletransaction.org/history-of-credit-card-machines/
22. ↑ "Chip Card Security: Why Is EMV More Secure?", Square. [Online]. Available: https://squareup.com/us/en/townsquare/why-are-chip-cards-more-secure-than-magnetic-stripe-cards
23. ↑ ^{23.0 23.1} A. Gilbert, "E-commerce turns 10", CNET, 2004. [Online] Available: https://www.cnet.com/news/e-commerce-turns-10/
24. ↑ J. Petters, "What is PGP Encryption and How Does It Work?", Varonis, 2020. [Online] Available: https://www.varonis.com/blog/pgp-encryption/
25. ↑ [13]"What is SSL?", Cloudflare. [Online] Available: https://www.cloudflare.com/learning/ssl/what-is-ssl/
26. ↑ "Card Fraud 2018", The Nilson Report, 2019.
27. ↑ "World’s biggest data breach! 30 million credit, debit card details up for sale online", The Financial Express, 2020. [Online] Available: https://www.financialexpress.com/industry/technology/worlds-biggest-data-breach-30-million-credit-debit-card-details-up-for-sale-online/1839242/
28. ↑ "Fraud", FCA, 2016. [Online] Available: https://www.fca.org.uk/firms/financial-crime/fraud
29. ↑ "Credit Card Fraud Statistics", Shift Credit Card Processing, 2020. [Online] Available: https://shiftprocessing.com/credit-card-fraud-statistics/
30. ↑ J. Porup, "Deepfake videos: How and why they work — and what is at risk", CSO Online, 2018. [Online] Available: https://www.csoonline.com/article/3293002/deepfake-videos-how-and-why-they-work.html
31. ↑ A. Bleier, "Coding Random Forests in 100 lines of code*", STATWORX, 2019. [Online] Available: https://www.statworx.com/at/blog/coding-random-forests-in-100-lines-of-code/
32. ↑ V. Roman, "How To Develop a Machine Learning Model From Scratch", Medium, 2018. [Online] Available: https://towardsdatascience.com/machine-learning-general-process-8f1b510bd8af
33. ↑ "What is special category data?", Information Commissioner's Office. [Online] Available: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-is-special-category-data/
34. ↑ L. Hardesty, "Explained: Neural networks", MIT News, 2017. [Online] Available: http://news.mit.edu/2017/explained-neural-networks-deep-learning-0414
35. ↑ "UK Finance responds to the publication of the Authorised Push Payment (APP) Scams Voluntary Code", UK Finance, 2019. [Online] Available: https://www.ukfinance.org.uk/press/press-releases/uk-finance-responds-publication-authorised-push-payment-app-scams-voluntary-code
36. ↑ European Institute for United Nations Crime Prevention and Control, "INTERNATIONAL STATISTICS on CRIME AND JUSTICE", Helsinki, 2010.
37. ↑ K. Tiffany, "The Drunk-Text Decade", The Atlantic, 2019. [Online] Available: https://www.theatlantic.com/technology/archive/2019/12/history-drunk-texting-texts-from-last-night/603325/