When I led risk management teams, I trained them to think about what the bad guys are doing.
This is a derivative of Sun Tzu’s Art of War, and the notion of “know your enemy.”
However, there is a fundamental difference between the good guys and the bad guys when it comes to thinking about committing fraud.
The difference is that the bad guys NEED to be crafty to get their money. The good guys are not paid any more whether they catch them or not. The bad guys are thinking about breaking a system, while the good guys think about protecting it from within.
The good guys do not come in every morning to work thinking “how can I steal from my bank?”
They are usually reacting to something that already happened, to a trend in losses that became visible and triggered an investigation. This is a reactive approach and “business as usual” for many risk management teams.
So, would we not benefit if we asked our teams to think “how would YOU defeat our security measures?”
In fact, there are Red Teams you can hire to do just that. A White Hat hacker is engaged to attack your systems and security defenses in a way that shows where you are vulnerable.
Nonetheless, the difference between good guys breaking in and bad guys breaking in is vast. We, the good guys, are simply not wired to think about stealing and breaking the systems as if our lives depended on it. We will get our salary no matter what. The bad guys, not so much.
When we fix a hole in our system, it’s not like the crooks will say “gosh, I can’t get in anymore, better get a regular job…”
When I had sessions with my teams, I would begin by saying what my experience taught me:
“If you are thinking it, they are ALREADY doing it.”
What does it mean?
Even when the risk management team came up with the most inventive fraud attack methods, the most obscure ways to defeat the system, every time without fail, when we checked whether this method was actually hitting us… the answer was YES.
Why is that?
Risk management teams are amazing at finding anomalies and trends. They are trained for it, and their tools produce reports on what is new, different, odd, weird, an outlier. The systems are not looking for something that looks normal.
So when fraudsters are making a killing, they leave digital footprints behind them, and the losses mount. That leads the good guys to open an investigation, hunt them down, and plug the hole.
However, the “better” fraudsters are not interested in making a killing in a short amount of time, as they already know what will happen… the watering hole will dry up.
So what do they do? They fly under the radar. They steal $1 a million times instead of stealing $1M in one go.
They bleed the company slowly and silently, so as not to cause enough noise to wake up the guard dogs.
Should the bank set a threshold of manual review for every wire over $10,000, you will not be surprised to see the fraud cases hovering between $9,000 and $9,999…
The good news is that fraud detection systems work, and the bad news is that fraud detection systems work. The amount the threshold is set to is easy to ascertain with a few tries: by checking which wires flew by, which were held for review and took MORE time to arrive, and which got caught in the process and NEVER arrived.
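The threshold-evasion pattern above has a straightforward defensive counterpart: review not only single wires that cross the line, but also accounts that cluster just below it, and accounts whose many small wires add up to more than the line within a window. The following Python is an added example written for this post, not the author's code or any bank's production logic. The $10,000 review line and the 10% "just below" band are assumed values taken from the post's illustration, and the wire log is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 10_000.00  # assumed manual-review line, as in the post's example


def _ts(day, hour=9):
    """Build a timestamp in March 2024 for the constructed sample data."""
    return datetime(2024, 3, day, hour)


# Constructed sample wire log (not real data): (timestamp, account id, amount in USD).
SAMPLE_WIRES = [
    # account A: four wires parked just under the review line within two weeks
    (_ts(1), "A", 9_500.00),
    (_ts(4), "A", 9_800.00),
    (_ts(9), "A", 9_950.00),
    (_ts(13), "A", 9_700.00),
    # account B: one large wire (already caught by the threshold) and one small one
    (_ts(2), "B", 12_000.00),
    (_ts(5), "B", 3_000.00),
    # account D: a single near-threshold wire, not suspicious on its own
    (_ts(7), "D", 9_900.00),
]
# account C: the slow bleed, 25 wires of $450 over 25 days, none anywhere near the line
SAMPLE_WIRES += [(_ts(d), "C", 450.00) for d in range(1, 26)]


def is_near_threshold(amount, threshold=REVIEW_THRESHOLD, band=0.10):
    """True when the amount sits in the band just below the threshold
    (9,000 <= amount < 10,000 with the defaults)."""
    return threshold * (1 - band) <= amount < threshold


def _max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any single window of the given length."""
    stamps = sorted(stamps)
    left, best = 0, 0
    for right, ts in enumerate(stamps):
        while ts - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_structuring(wires, threshold=REVIEW_THRESHOLD, band=0.10,
                     min_count=3, window=timedelta(days=30)):
    """Accounts with at least min_count near-threshold wires inside one window.
    Returns {account: count of near-threshold wires in the densest window}."""
    by_account = defaultdict(list)
    for ts, account, amount in wires:
        if is_near_threshold(amount, threshold, band):
            by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        count = _max_in_window(stamps, window)
        if count >= min_count:
            flagged[account] = count
    return flagged


def find_slow_bleed(wires, threshold=REVIEW_THRESHOLD, window=timedelta(days=30)):
    """Accounts whose sub-threshold wires, summed over a window, exceed the very
    threshold that no single wire crossed. Returns {account: highest windowed total}."""
    by_account = defaultdict(list)
    for ts, account, amount in wires:
        if amount < threshold:  # wires at or over the line already go to review
            by_account[account].append((ts, amount))
    flagged = {}
    for account, items in by_account.items():
        items.sort()
        left, running, best = 0, 0.0, 0.0
        for right, (ts, amount) in enumerate(items):
            running += amount
            while ts - items[left][0] > window:  # drop wires that fell out of the window
                running -= items[left][1]
                left += 1
            best = max(best, running)
        if best > threshold:
            flagged[account] = round(best, 2)
    return flagged


def review_queue(wires=SAMPLE_WIRES):
    """Combine both checks into one sorted list of accounts an analyst should look at."""
    return sorted(set(find_structuring(wires)) | set(find_slow_bleed(wires)))


if __name__ == "__main__":
    print("structuring:", find_structuring(SAMPLE_WIRES))
    print("slow bleed:", find_slow_bleed(SAMPLE_WIRES))
    print("review queue:", review_queue())
```

On the sample data, account A is flagged by both checks (four near-threshold wires, $38,950 moved under the line), account C only by the slow-bleed check ($11,250 in $450 pieces), and accounts B and D by neither. The point is that the second check looks at aggregate behaviour rather than at the single-wire outliers the post says detection systems are tuned for.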
Moreover, fraudsters are crafty and know that the bigger the company they attack, the less chance there is of being caught by fraud patterns that involve multiple channels. For example, if you log in to online banking (one part of the bank) and click the button to view cleared checks (a different part of the bank), and you find a way to steal that would require those different bank units to cooperate in order to spot it, you are in luck.
Most likely, they are not cooperating, as they have different management chains of command, different teams, budgets, objectives, systems, etc.
Thus, it is beneficial to have Red Team exercises, and to hire pen-testers to find your vulnerabilities. It is essential to train your fraud team on how the bad guys think. It is prudent to have brainstorming sessions about how we could break our own systems.
However, if you are thinking it, they are ALREADY doing it.