The Story of Two Steves: How Proactive Monitoring Helps Us Expose Fraudsters After Your Money

What if you could spot a fraudster before you even engaged with them?

Written by: Max Kirchoff
Read time: 3
Category: Fraud Prevention
Published on: Oct 8, 2024

If it walks like a duck and talks like a duck, it’s a duck. 

Or so it goes. 

You can count on this adage in most situations. But in an era of AI, deep fakes, and data breaches, a surface-level analysis isn’t reliable for identifying fraudsters online. Digital identity is becoming easier to spoof, and using only what is seen and heard is dangerous business.

Take, for instance, a fraudster trying to steal funds in a mortgage payoff real estate transaction. On the outside, everything sent by the fraudster appears legitimate: the email has the company’s actual letterhead, the mortgage payoff letter has nearly all the correct details, or — in cases of business email compromise — the email was even sent from the expected email address. You wouldn’t think twice if these were the only criteria you evaluated. But unfortunately, you’d send the funds, only to discover later that you’ve become a victim of wire fraud.

The fraudulent case of the “Two Steves”

If you had a mortgage payoff or wire fraud protection solution, you would have been able to catch the bad actor at the closing table. But what if you could identify the criminal from the very beginning? What if you didn’t have to wait until closing to know if they were real? What if the duck, masquerading as a whale, didn’t have to quack for you to know it’s indeed a duck? 

To illustrate, let’s examine a recent series of real transactions or “The Story of Two Steves,” made possible by proactive monitoring, a systemwide fraud analysis feature of our solutions, and a core component of CertifID Match.

Meeting “Steve C.”

In July 2024, “Steve C.”, a home buyer doing business with a title company, received a Match identity verification request. The title company logged Steve’s attributes into our system to send this request. However, Steve never engaged with the Match request, and the transaction ended.

Shortly after, CertifID’s Trust & Safety team heard from a partner who was investigating “Steve C.” with local law enforcement for a separate $300,000 real estate wire fraud loss and who asked if we could look into it. So we flagged Steve as a “High Risk” end user. While our system had data from when Steve received that Match request in July, no additional similarities were found between Steve and other end users.

That is, until “Janet A.” entered our system.

In September, “Janet A.,” another prospective homebuyer in another state, received a Match request from a title company, which she ignored. Two weeks later, “Samuel T.”, a third homeowner on another side of the country, received a Match request, which went ignored, too. 

At a glance, one might only see three unrelated Match requests or three different fraudsters trying to infiltrate transactions. But this wasn’t the case. Our system rang alarm bells.

Our proactive monitoring found that a single attribute linked all three end users: Steve, Janet, and Samuel. This attribute told us that a central source — a solo fraudster or criminal group — was using multiple aliases to try to trick their intended targets. Each time, they produced fraudulent identities, but our system, which had stored and analyzed their signals, found commonalities and connections between all the end users, raising a red flag. We marked all users as “High Risk” within our system and began to pull on the thread.

Our system identified that three separate users shared the same unique attribute—a major signal for fraud.

Discovering “Steve D.”

This was only the beginning. In addition to the first shared attribute, Janet and Samuel also shared a second attribute. This second attribute was found on two other accounts: a “Lana S.”, who had received and ignored a Match request in August, and an “Amanda G.”, who had failed two CertifID Confirm requests five months prior. What did that tell us? These five different end users were linked by the same fraudster or criminal organization.

What we began to piece together was a cluster of people who shouldn’t be connected. Why would a customer in one state share the exact same unique attribute as a customer in another state, doing a separate transaction? When we see this chain happening, it signals that fraud is at play.

When users begin to "cluster" with shared attributes, we know that fraud is likely happening.

As the roster of criminals revealed itself, our algorithm began analyzing data across our entire database, searching for these attributes and other linked signals. It found three more users, connected by yet another shared attribute: “Tommy R.,” “Danny P.,” and — finally — our second Steve, or “Steve D.” These three end users all failed Confirm transactions earlier this year in a joint sting operation by the US Secret Service, and we had stamped their names in our database as fraudsters.

By linking all these end users together by their shared attributes, we knew that a network of fraudulent actors was trying to steal the funds of title companies around the country.

The series of engagements across our network helped us identify a vast network of fraud attempts.

Unraveling the fraud

A web of fraud unfolded before us. Eight different end users, all fraudulent but connected, had attempted to steal funds from six title companies throughout the year. These fraudulent attempts occurred across five states and eight property addresses and signaled several potentially fraudulent end users. Steve C., our first fraudulent user, was just the tip of the iceberg that revealed a more extensive network of criminal activity, seemingly linked by the same fraudster or fraud organization.
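The linking described above can be modeled as connected components over (user, attribute) pairs, with a "High Risk" flag spreading to everyone in a flagged user's component. The following Python is an added example, not CertifID's code; the attribute ids (`attr-1` to `attr-3`), the placement of `attr-3` on "Amanda G.", and the `Unrelated U.` control record are assumptions, since the article does not name the attributes or say which existing user carried the third one.

```python
from collections import defaultdict

# Constructed sample data: (end user, opaque attribute id). The article does not
# say what the attributes are; attr-3 on "Amanda G." is an assumption made so
# the three later users join the existing cluster.
OBSERVATIONS = [
    ("Steve C.", "attr-1"), ("Janet A.", "attr-1"), ("Samuel T.", "attr-1"),
    ("Janet A.", "attr-2"), ("Samuel T.", "attr-2"),
    ("Lana S.", "attr-2"), ("Amanda G.", "attr-2"),
    ("Amanda G.", "attr-3"), ("Tommy R.", "attr-3"),
    ("Danny P.", "attr-3"), ("Steve D.", "attr-3"),
    ("Unrelated U.", "attr-9"),  # control: shares nothing with anyone
]
KNOWN_HIGH_RISK = {"Steve C."}  # flagged after the partner's report


def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_users(observations):
    """Group users linked, directly or transitively, by a shared attribute."""
    parent = {}
    first_user_for_attr = {}
    for user, attr in observations:
        parent.setdefault(user, user)
        if attr in first_user_for_attr:
            # Same attribute seen before: merge the two users' clusters.
            a, b = find(parent, user), find(parent, first_user_for_attr[attr])
            parent[a] = b
        else:
            first_user_for_attr[attr] = user
    clusters = defaultdict(set)
    for user in parent:
        clusters[find(parent, user)].add(user)
    return list(clusters.values())


def high_risk_users(observations, known_bad):
    """Every member of any cluster that contains a known-bad user."""
    flagged = set()
    for members in cluster_users(observations):
        if members & known_bad:
            flagged |= members
    return flagged
```

Linking is only sound for attributes expected to be unique to one person; an attribute that many legitimate users share would merge unrelated people into one cluster and flag them together.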

Fraudsters are trying to adapt

While all these fraudsters stopped interacting with our products after some early failures, they attempted to skirt through security by creating new identities. Unfortunately for them, they left digital breadcrumbs that proactive monitoring and Match were able to spot, helping us link and track their movements across multiple transactions. 

Now, with these confirmed fraudulent attributes, we can continue to identify them if they attempt to infiltrate future transactions. When any of these shared attributes are used, we’ll immediately know. It’s a compounding network of security that keeps fraud out and your funds safe.

Stopping fraud early

Unfortunately, the FBI IC3 anticipates a stark rise in fraud attempts in 2025. As interest rates dip, buyers are expected to enter the market, and more borrowers will refinance their mortgages from the high rates of 2023 and early 2024. This transaction volume increase is expected to bring more fraudsters back into the industry, looking to capitalize on the rebounding market.

That means it's even more important to leverage the latest available fraud monitoring features to keep your business and clients safe. CertifID is constantly building its data and analytics capabilities and human-based expertise to help you stay ahead of whatever fraudsters can come up with next. If you’d like to learn how to integrate CertifID into your business, request a free demo.

Max Kirchoff

VP of Data & Risk

Max is a multi-disciplinary technologist who combines broad domain knowledge with deep focus on complex B2B products and platforms. He has delivered products from early-stage prototypes to large-scale solutions for both startups and large enterprises. Max excels in collaboration informed by emotional intelligence, pro-social critical thinking, and dignity. Max has worked on products and projects with companies that include Google, Brightside Health, The Zebra, Lifion by ADP, Revel, Mirra, Gannett, and Microsoft.
