The journalist’s nose can be relied upon to sniff out a good story — but can it also sniff out identity fraud?

Shir Levin thinks so. As a fraud analyst with IBM Trusteer, Shir spends her days detecting anomalies in financial accounts and tracking down the bad guys preying on society’s most vulnerable. Shir cut her teeth in news as a journalist for the Israel Defense Force’s radio station, Galei Tzahal (Army Radio), at the age of 18 — and the two roles are more similar than you might think.

“As a news presenter, you need to separate the wheat from the chaff and see the big picture,” Shir said. “And an analyst should also understand the data at a very high level while seeing the story behind the numbers.”

But news wasn’t always Shir’s calling. She applied to Galei Tzahal at 18 because “it sounded intriguing,” though she admits she knew little about journalism.

“Those years were amazing, and kind of crazy,” she said. “I was lucky to have the opportunity to learn from the best journalists in Israel, meet the country’s policymakers, and get my microphone in front of them to ask questions.

“I learned a lot, gained a lot of meaningful, character-building experiences and also made many great friends, including my husband. But it also led me to realize this was not the career for me.”

Understanding the Human Behind the Numbers

While government and law are fascinating fields, they just weren’t data-driven enough for Shir. After her Israeli national service, she went on to study statistics and psychology and fell in love with both fields. She said she was lucky to find a job that combines data with a great product while doing global good with fraud protection.

At Trusteer, Shir works on Pinpoint, a risk engine that detects digital identity theft and fraudulent activities on bank accounts. She writes new logic designed to detect those anomalies and monitor rules performance. She also investigates fraud cases and legitimate user activities to ensure the team has the best possible understanding of the current threat and fraud protection landscapes.

With a background as a legal correspondent, a passion for data and an education in psychology, it seems Shir was tailor-made for her role. Every day, she enters the mind of a fraudster, looking to predict criminal activities, understand how malware works, and identify behavioral anomalies and spoofing attempts while also performing analysis and operational research.

In other words, Shir’s job is to “understand the man behind the numbers.”

How Does a Fraudster Behave?

“Maybe it does have something to do with my news background,” she reflected, “because I always find it easier to get at the bigger picture when you’re telling the story, using the trails you find. When I investigate a fraudulent case or wish to create a new logic to our system, the most effective way would be to try and tell what I believe had happened or what should be caught.”

Shir uses her knowledge of psychology to understand not just the fraudster, but also the end user. She must ask herself, for example, whether it’s suspicious for a particular user to log in to his or her bank account using a hosting service, or to change internet service providers (ISPs) often. The user could be a fraudster, but he or she could also just have strong knowledge of security.

“This is a fast-growing and evolving field that involves both technical and human aspects,” she said. “As time passes and technology progresses, IT security becomes a bigger and more significant part of the everyday life of every person.

“I also find it very creative. Fraudsters change their methods fast, and we should be even faster to catch them. We live in an ever-changing world, and we need to take the opportunities we receive.”

The Psychology of Identity Fraud

Ultimately, Shir describes her role as a unique combination of psychology and statistics. She gathers a lot of data, builds profiles for end users and then tries to draw the line between legitimate and suspicious activity to enable fraud protection.

Knowledge of psychology especially helps in social engineering cases, which, according to Shir, total around 30 percent of fraud cases for some of Trusteer’s clients. Social engineering mainly targets elderly victims and other vulnerable groups and involves the fraudster manipulating the victim. Fraudsters participating in phone scams may even pose as bank employees and attempt to trick users into installing malware disguised as fraud protection software. These fraudsters prey on bank customers’ lack of knowledge and fear of losing savings.

“The challenge here is obvious,” Shir explained. “We can’t rely on device identification methods because the fraud is conducted using the known trusted user’s device, so we have to analyze the user’s behavior. How is he acting throughout the fraud? In which parts does he feel afraid? Nervous? Bored? And how can we use that to our advantage?”

As much as she loves the thrill of chasing down bad guys, Shir said the real satisfaction comes from making the world a safer place.

“Knowing that what I do not only maximizes profits, but also helps people, is just great,” she said.

This sentiment is typical of the Trusteer team. Not unlike journalists working a steady beat, these devoted security professionals are committed to exposing flaws in the banking system, tracking down the bad guys and seeking justice for all.

And for Shir Levin, preventing negative fraud headlines from making it to print is even more satisfying than reporting them to the world.

Meet worldwide technical sales leader Shaked Vax

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today