Learn about detecting suspicious environments, WormGPT, a limitation of passkeys, and an upcoming live event with Wolt.

In this edition:

  • Detecting suspicious environments is a superpower 🦸🏻‍♂️
  • Live Event: Identity verification is make-or-break for your platform's growth
  • Fraud-as-a-Service of the Month: WormGPT
  • Our CEO André on unlocking the full potential of passkeys

Detecting suspicious environments is a superpower

 

Weeding out fraud can feel like you’re trying to work with a blindfold on. 🫣

 

Fraudsters are great at hiding their tracks. They use many devices and accounts. They leverage app cloners and tampering tools.

 

As a fraud fighter, you have a tough job. It’s hard to identify the connections between users, devices, and accounts. It’s hard to figure out the tactics fraudsters are using.

 

And if you’re using a legacy device fingerprinting solution, even if you do stop a fraudster they can simply reset their device and get back to their dirty work.

 

So what can you do to change this equation and tip the scales in your favor?

 

What if you could be alerted when there was a cluster of high-risk devices concentrated in a particular location, like an apartment? Or when a device logged in or created an account from an office that was previously associated with fraud?

 

Here’s a strategy many companies are completely missing:

 

By combining precise location data with device intelligence, it’s actually possible to map the suspicious environments where fraud is taking place.

 

Think about the new fraud prevention powers you could unlock if your location data was accurate down to an apartment level and you could classify specific locations as suspicious:

 

1. Accuracy. Detecting suspicious environments would reveal connections between accounts, users, and devices. What looked like a number of users exploiting a promo code might turn out to be one person with a dozen devices, operating from one house.

 

And detecting a suspicious environment with apartment-level accuracy would mean you could block that specific apartment, house, or office unit–or automatically assign high risk to all devices in it–without affecting good users with false positives.

2. Proactivity. If a new device suddenly appeared in a location associated with several other high-risk devices and previous fraud, the probability of that device also engaging in fraud or abuse would be high. This means you could stop fraud before it happens.

 

3. Adaptability. Fraudsters change tactics quickly. This means fraud teams are constantly trying to adapt and play catch-up. But if you had the additional context of being able to see hotspots of fraud or high-risk activity—“fraud headquarters,” as we like to call them—it wouldn’t matter as much that they’re using new tactics. You would see through the deception, and you could take action sooner in the face of new attack vectors.

 

The ability to detect suspicious environments is a game changer for fraud teams. If this hasn’t been on your radar, it’s time to look into it.

 

To go deeper on this topic, check out our new blog post.


Live Event: Identity verification is make-or-break for your platform's growth

 

Wednesday, September 13th, 10 AM PT / 1 PM ET

Register here

 

How do identity and fraud impact your platform's ability to scale?

 

Join our CEO André Ferraz and Garrett Olson, the Head of Insurance and Risk at Wolt, as they break down why identity is the foundation for trust & safety on platforms, and how getting identity right (or wrong) impacts the highest levels of company strategy.

 

Check out the short video below for a preview of the session ⬇️

 


FaaS of the Month: WormGPT

Fraud-as-a-Service: When cybercriminals sell their tools, services, and skills to help clients carry out fraud. Each month we highlight a FaaS tool that you should be aware of.  

Fast facts about WormGPT:

  • A large language model (LLM) without the cybercrime restrictions of other LLMs such as ChatGPT
  • Jailbreaks for white hat LLMs and other malicious LLMs are common 
  • SlashNext found that WormGPT could be used to craft a convincing phishing email, and that it could even be effectively leveraged by bad actors whose first language is different than their target’s language 
  • While AI-written phishing emails still won’t be effective against security-savvy users, they allow bad actors to maximize their range for these sorts of attacks

Deep dive on WormGPT:

Often described as ChatGPT’s “evil twin” or “ChatGPT for fraudsters,” WormGPT is definitely not your mother’s generative AI chatbot—instead, it’s built without the restrictions that more mainstream AI tools have in place to stop them from being used for nefarious purposes.

 

WormGPT first emerged on a hacker forum and marketplace called HackForums with licenses ranging in price from 500 to 5,000 euros. The creator of WormGPT, a developer going by the pseudonym 'Last', says that “everything blackhat related that you can think of can be done with WormGPT.”

 

Cloud security company SlashNext conducted an analysis of WormGPT’s capabilities with business email compromise (BEC) attacks and found that WormGPT could not only craft a decent phishing email, but could also be used to help fill in language gaps for attackers whose native language isn’t English.

 

WormGPT and other malicious LLMs like it will drastically increase the volume and variety of phishing emails attackers can draft. Finding a vulnerable phishing victim is a numbers game, so fraudsters stand to gain a huge advantage from leveraging tech like WormGPT.


Takeaway: In the age of AI-backed attacks, using resilient, ATO-resistant authentication methods is more critical than ever.


Lead the Fight

Insights from fraud-fighting trailblazers


André Ferraz

CEO and Co-Founder of Incognia

Unlocking the full potential of passkeys

 

Are you hearing the hype about passkeys? It’s definitely a trending topic.

 

Will they release us from the password purgatory we live in?

 

First, let me say: I love that companies are replacing passwords with more modern technologies. Passkeys are a great alternative.

 

But most people are thinking of the ideal scenario with passkeys: The legitimate user logs in from the same device they always use, and everything is smooth and seems very secure.

 

In fraud, even if the ideal scenario happens 99% of the time, that 1% can hurt a lot.

 

So you have to have a plan to mitigate the 1% issues.

 

And there’s one thing in particular that’s challenging with passkeys right now:

 

Account recovery. How do you recover your identity if you lose your device? Or you forget your phone?

 

Most passkey implementations I’ve seen so far default back to a password or pass phrase for account recovery.

 

If your account recovery method is a password, at the end of the day you haven’t done much to improve security. You improved UX a lot, because people won't need to use a password all the time. But they’ll still need to have a password.

 

Just to be clear, this issue isn’t a showstopper for passkeys. It’s something that needs to be accounted for.

 

And it can be accounted for. For example, location can really help in this situation.

 

Incognia’s research has found that 85% of the first legitimate logins to a new device occur from a trusted location (a location they visit frequently, like their home or workplace).

 

If they’re setting up a new device or recovering their account on a new device and they’re at a trusted location, that’s a strong signal you can rely on in place of a password.

 

Passkeys are a great alternative to passwords, but you need to make sure you’re designing for their limitations as well. Do that, and you get the best of both worlds: higher security with lower friction.


Other links you should check out:

 

Detecting suspicious environments

How to detect and block the location of fraudsters and bad actors | Incognia

 

WormGPT

WormGPT – The Generative AI Tool Cybercriminals Are Using to Launch Business Email Compromise Attacks | SlashNext

Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’ | KrebsonSecurity

 

Passkeys

Passkeys explained! My take on Google’s password killer | YouTube Video

LinkedIn and X will work without passwords in the future | 9to5Mac

 
 

 


Incognia, a digital identity company, detects fake account creation and account takeover attempts for gig economy, marketplace, and financial technology applications. Benefits of using Incognia’s location-based digital identity include reduced false positives and a low friction user experience.


Incognia, 555 Bryant St, Box 423, Palo Alto, CA 94301, USA
