How the “Risk Score Model” successfully detects and blocks fraud attempts on Ricardo, tutti.ch and anibis.ch: Interview with Mostafa Hassanin, Group CISO of SMG Swiss Marketplace Group

Online activity has been rising worldwide for years, and with it, online fraud. The online marketplaces Ricardo, tutti.ch, and anibis.ch, operated by SMG Swiss Marketplace Group, are no exception. In this interview, Mostafa Hassanin explains how SMG Swiss Marketplace Group actively combats fraud on its online platforms. He has been working in IT security for 13 years, joined SMG Swiss Marketplace Group AG in 2019 as Principal Security Engineer (Security Lead) at Ricardo, and has been Group Chief Information Security Officer at SMG Swiss Marketplace Group since 2022.

Online fraud is increasing worldwide. Whereas in the past, fraud attempts mainly came from sellers, fraudsters today increasingly pose as buyers. How does this scam work, and why is it so dangerous?

The shift happened because buyer fraud is cheaper and simpler for fraudsters to execute, or in other words, is more rewarding. When one poses as a buyer, one can phish, trick, or scam victims, with the chance to even take victims off-platform, far from the security measures made to protect them. But when fraudsters pretend to sell, they need to prepare a listing, post it, and go through checks, instead of just starting a conversation. 

In general, fraudsters will choose the path of least resistance. So if a platform has security measures on the seller side, they will try the buyer side, and vice versa and so forth. 

A particularly dangerous form of buyer fraud usually unfolds as follows: Supposedly interested buyers pressure sellers to move the conversation outside the platform. They then send links or QR codes via WhatsApp or SMS, asking the sellers to enter their credit card, bank, or Twint details in order to supposedly receive a payment. The sellers are often redirected to fake but deceptively realistic marketplace, bank, or Twint login pages. Once they enter their access or card information, the fraudsters can easily gain access to their accounts and data. In this type of scam, victims are often manipulated and put under pressure in advance, causing them to override their common sense and logical thinking.

With the new Risk Score Model, suspicious messages are detected early and stopped before they can cause harm. How does this system work, and what was the biggest challenge in its development and implementation?

The system employs AI to analyze various parameters of the user and the message, and looks for anomalies, or what is not usual compared to the normal. And the strength of it is that it adapts itself. And this works as long as users stay on the platform, but as soon as they switch to WhatsApp, for instance, it cannot help.

Off-platform means outside of the security umbrella of the platform, and far away from the security measures. Therefore, I urge users not to fall for leaving the platform when possible. 

And generally, such systems will always have the challenge of initial and ongoing training to achieve better quality and fewer false positives, in addition to the increasing complexity.

Fun fact: When a message starts with “Hello?”, it’s 70% fraudulent.


What specific successes have been achieved since the introduction of the Risk Score Model?

We could prevent 90% of fraud before it takes place. In other words, fraud decreased by 90% in just a few months. Not to mention, we got more automation, which takes away the advantage of fraudsters running their operations during out-of-office hours or on holidays.

It is worth mentioning that since it’s a cat-and-mouse game, and we may be a wild cat with sharp fangs at the moment, fraudsters certainly won’t stand still; they will change their tactics, ways, and techniques, adapt, and come back again. That’s why in security, there’s no such term as “Done”; security is always being assessed, adapted, and improved. As long as there’s a reward or return on investment for attackers, they will keep coming back.



Fighting fraud starts with prevention. How do you raise awareness among your users about fraud attempts, and which measures have proven to be the most effective?

This is a very good question. And I would take the opportunity to say, honestly, I think the root cause of fraud or phishing in general is the lack of awareness among internet users.

At SMG, we try through internal and external collaborations and campaigns to educate users as much as possible about such topics. Moreover, in the «Sicherheitshinweise» section, we also update users with the latest tricks and trends and even on the platform itself with banners and tips as they go through the different funnels or flows. 

The measures that work the best are the ones that stop the flow and make sure that the user is well-informed; however, they are the worst for user experience. Or simply not allowing something: for instance, we disallow creating or logging in with weak or leaked passwords.

With that said, due to the size and different demographics of our userbase, it’s very hard to guarantee that all users are educated and security aware. Additionally, fraudsters target certain users with certain offers and manipulate them. In a big user base, one will always find many who will still fall for the “Nigerian Prince” scam. Many don’t read emails, dismiss banners, ignore tips or think their case is different, or the deal at hand is the deal of a lifetime. 

A look into the future: What measures are you planning to address the increasingly “creative” types of fraud?

Awareness is the key, so we will always spread awareness and educate the users. Maybe we will find new ways to do so, perhaps more effective, less boring, and creative.

We also plan to improve the risk-based models that we have, expand them, and scale them. Moreover, we will try to adopt phishing-resistant login methods, e.g., passkeys, and stronger KYC processes.

The challenge with creative methods is that they are quite new, so adoption is slow and users take time to start using them or get used to them (we’re still trying to normalize MoneyGuard), so there will be a percentage who will remain subject to fraud.

Last but not least: As an expert, what are your ultimate security tips for online users?

I personally use Ricardo, tutti.ch, and other SMG platforms and follow these rules:

  1. Activate multi-factor authentication (MFA).
  2. Never enter personal information through links you receive, especially credit card details.
  3. Always check domains and, if necessary, enter them manually before providing any personal data (ideally, avoid entering personal or credit card information at all).
  4. Especially on Ricardo, there is no reason to leave the platform for negotiations.

And finally: If an offer sounds too good to be true, it probably is. In addition to common sense, it also helps to trust your gut feeling.

Interview with:

Mostafa Hassanin

Group CISO

SMG Swiss Marketplace Group
