Fraud and the Laws of the Internet

Why is fraud such a problem online? The answer goes pretty deep.

Classic hacker vibes. Photo by Jefferson Santos on Unsplash

We all know fraud is a problem online, but the scope is beyond what most of us realize. Globally, fraud cost over $5 trillion in 2019, a full 7.15% of expenditures, and it is on the rise. Identity fraud cost Americans $56 billion in 2020, and fraud is the biggest driver of consumer complaints in the U.S. Let’s not forget that a ransomware scheme recently brought much of the southeastern U.S. to the brink of a gas shortage. Fraud is a big business.

It’s easy to attribute the phenomenon of online fraud to “bad guys” casually engaging in criminal activity. However, as I underscored in my early days managing fraud at Venmo, it is a more systemic phenomenon than this. Fraud is an international industry foundationed on the weaknesses of the laws (not legal, but metaphysical — governing the nature of “how things are”) of the internet. The fact that the internet is not subject to the natural laws of our everyday life makes it a breeding ground for fraudulent activity.

The Basic Laws of Everyday Life

We don’t think about it much, but our material world is governed by natural laws that make navigating daily life possible. (We’ll exclude quantum quandaries, since they don’t impact our day-to-day experience.) These real-world laws include the fact that, as a practical matter, things only exist in one place at one time. Even something that appears to have an exact duplicate, e.g. a tennis ball, only exists in its exact configuration (a certain scuff, a certain manufacturing characteristic, exact dye color, anything unique to its agglomeration of molecules) in one place at one time.

As such, our world is profoundly detailed and complex, and everything is different and unique. Think of every leaf on a tree — no two are the same. A limited number of atoms constitute everything that exists, these entities change over time, and as such it is hard for any two things to be exactly the same. This near-infinite complexity is what makes it possible for a person to discern between their mother and someone who looks like their mother in a split second — it’s the foundation of human intuition. Our brains are highly attuned to this level of detail in our daily lives.

The internet is not governed by any such natural laws. It is a universe of our own creation, and there are few metaphysical laws — far fewer than in our daily lives. While there are limits encountered on the hardware front, where the universe of the internet and our natural world collide, and some governing bodies like the IANA (Internet Assigned Numbers Authority) oversee things like IP address allocation, our day-to-day experience of the internet is based on far fewer variables and less complexity than the real world. Even the most sophisticated software has fewer discrete component parts than say, your face, with its endless array of muscle fibers, nerves, cell alleles — the list goes on when it comes to what constitutes our unique existence. One square inch of skin contains far more information than the pixels that constitute a 1x1” square image online.

Fraud in an Online World

This is why fraud is such a huge problem online. Fraud basically happens when an entity is not what it claims to be — when an illegitimate entity poses as one that is legitimate — and takes action. This is true of card and bank fraud, where someone steals card information, loads it online, and pretends to be the owner; account takeovers (what we sometimes call “hacking”), where someone gets into someone else’s account and uses it; and scams of various kinds, which rely on social engineering, where fraudsters gain leverage against targets by posing as someone trustworthy.

Online, unlike in real life, the exact same thing can exist in more than one place at the same time. My credit card can appear to exist in the United States, Turkey, and Cambodia simultaneously. Why not? It’s just a string of numbers. The same is true for any line of code. Similarly, any entity can claim to exist anywhere as anyone on the internet with just a photo, a few words in a bio, and a purported location. There are few variables constituting “existence” in the online world.

Contrast this with real life, where pretending to be someone else is much harder. For instance, I am a woman from the United States. If I were to go to Bolivia and claim to be from there, it would be a hard sell. It would even be a hard sell in Australia — there are subtle “tells” that suggest a person’s identity and origin, and I wouldn’t fool anyone for long. Yet anyone from anywhere in the world can claim to be the U.S. holder of a credit card, go online, send money around, withdraw it, and generally appear to be the legitimate holder of the card. The barrier to entry to an online identity is very low, due to the few variables that constitute online existence.

Democratic Implications

This metaphysical reality is meaningful beyond financial fraud. It also informs the social engineering phenomena afflicting democracies in recent years. It is relatively easy to set up a bunch of bots online and make them seem to have conversations, share opinions, and target a group of people based on shared characteristics. In real life, this is extremely difficult to replicate. It is hard for friends to hide when they’ve had a disagreement, and we easily detect when a family member or colleague has good news to share. In short, sincerity is hard to fake, especially over time and when it comes to deeply-held beliefs.

As much as some AI fans would like to imagine otherwise, we are far from a position where a bunch of robots could gather in real life, appear to have a relationship, and draw us in without us knowing the difference. But online, it’s the wild west — due to the fundamental nature of the online universe.

So What Next?

The metaphysical laws governing the internet make it an environment where fraudulent activity thrives. Of course, there are extremely sophisticated fraud detection systems in place designed to manage this phenomenon, and practices have been put into place across the industry, like tokenization, that have made a big difference. Imagine what the online world would be like without these.

However, if current trendlines are any indication, we need more. Effective mitigating factors like tokenization work because they specifically target the nature of the problem: online identities are highly simplified and, as such, it is easy to pretend to be someone you’re not. More identity variables that introduce complexity or time — mimicking the real world — can further address this in a way that is intuitive without burdening users.

Ironically, solutions find their limits back at the natural world, where people are easily scammed into believing what we see online. This is because we take for granted that our usual guidelines for discernment are sufficient for the online world, when they’re not. When we’re online, we basically don’t know who we are talking to. Keep in mind that, no matter how real things online may seem, the fundamental nature of the internet makes it a mere facade compared to the complexity constituting our everyday life.

Writing about technology, social impact, and the future of finance. London School of Economics, Venmo/PayPal/Amazon Pay.