<100 subscribers
Following up on my previous article about fraud using micro-deposits and banking bridges, I want to discuss how this applies to specific industries.
While high-risk sectors—such as cryptocurrency, banking, and investment firms—undoubtedly possess robust anti-fraud mechanisms, other industries are not nearly as well-protected. They either lack automated anti-fraud systems entirely or operate them on the lightest possible settings.
Let me give you a simple example from reality.
The Target: A Real Estate Unicorn Take Apartments.com, a "unicorn" in the rental market. The company provides software for realtors, as well as a web interface for landlords and tenants.
At first glance, how is it possible to commit fraud here? But let’s look at it from a different angle—the angle of a fraudster/carder.
What if we open one account using bought data for a property owner (Landlord) and a second account using bought data for a tenant? Suddenly, everything plays out in a new light.
The Setup The scheme is elementary:
The Drop: A "Fullz" (full identity package) is purchased. Using this data, a bank account is opened to receive funds—for example, the well-known Chime.
Insight: Have you ever wondered why neobanks change their Routing Numbers (issuers) so often? It is very simple. Because of the ease of opening these accounts and the availability of virtual cards, they are the favorite banks for fraudsters/carders to cash out stolen funds. For this reason, large fintechs begin to flag their routing numbers as "dangerous" and forbid their use in client applications with a "suspected fraud" tag.
The Funding Source: Next, a bank account (log) is purchased—specifically one that can be verified through a financial bridge in income-tracking apps (e.g., BMO).
The Execution
A "Tenant" account is created using the name on the compromised bank log.
The compromised bank account is linked to the Apartments.com profile using the micro-deposit method (refer to my previous article for the technical details).
The fake "Landlord" account fictitiously "leases" a home to the fake "Tenant" and sends an invoice for payment.
The Tenant pays.
The Result It’s in the bag. No fraud alerts, no high-risk operations. The attacker receives the money directly to their Chime account and cashes it out using a virtual card.
This is one of the most elementary fraud schemes. It is worth noting that payments on Apartments.com are processed by the fintech unicorn Stripe. You would think security would be at the highest level, but no—your money is still in danger.
What’s Next? In one of the following articles, we will focus specifically on Stripe and its feature, Link. Believe me, you will be unpleasantly surprised.
For any questions, feel free to reach out at scottcarrigg@aol.com (yes, really, it’s AOL. No Protons or anonymous burner emails here). I’d be happy to chat.
Thank you for your time. Stay safe.
Following up on my previous article about fraud using micro-deposits and banking bridges, I want to discuss how this applies to specific industries.
While high-risk sectors—such as cryptocurrency, banking, and investment firms—undoubtedly possess robust anti-fraud mechanisms, other industries are not nearly as well-protected. They either lack automated anti-fraud systems entirely or operate them on the lightest possible settings.
Let me give you a simple example from reality.
The Target: A Real Estate Unicorn Take Apartments.com, a "unicorn" in the rental market. The company provides software for realtors, as well as a web interface for landlords and tenants.
At first glance, how is it possible to commit fraud here? But let’s look at it from a different angle—the angle of a fraudster/carder.
What if we open one account using bought data for a property owner (Landlord) and a second account using bought data for a tenant? Suddenly, everything plays out in a new light.
The Setup The scheme is elementary:
The Drop: A "Fullz" (full identity package) is purchased. Using this data, a bank account is opened to receive funds—for example, the well-known Chime.
Insight: Have you ever wondered why neobanks change their Routing Numbers (issuers) so often? It is very simple. Because of the ease of opening these accounts and the availability of virtual cards, they are the favorite banks for fraudsters/carders to cash out stolen funds. For this reason, large fintechs begin to flag their routing numbers as "dangerous" and forbid their use in client applications with a "suspected fraud" tag.
The Funding Source: Next, a bank account (log) is purchased—specifically one that can be verified through a financial bridge in income-tracking apps (e.g., BMO).
The Execution
A "Tenant" account is created using the name on the compromised bank log.
The compromised bank account is linked to the Apartments.com profile using the micro-deposit method (refer to my previous article for the technical details).
The fake "Landlord" account fictitiously "leases" a home to the fake "Tenant" and sends an invoice for payment.
The Tenant pays.
The Result It’s in the bag. No fraud alerts, no high-risk operations. The attacker receives the money directly to their Chime account and cashes it out using a virtual card.
This is one of the most elementary fraud schemes. It is worth noting that payments on Apartments.com are processed by the fintech unicorn Stripe. You would think security would be at the highest level, but no—your money is still in danger.
What’s Next? In one of the following articles, we will focus specifically on Stripe and its feature, Link. Believe me, you will be unpleasantly surprised.
For any questions, feel free to reach out at scottcarrigg@aol.com (yes, really, it’s AOL. No Protons or anonymous burner emails here). I’d be happy to chat.
Thank you for your time. Stay safe.
Share Dialog
Share Dialog
Scott
Scott
No comments yet