The Saturday Fraud Strategist

I Used to Stalk People on Facebook

YouTube
YouTube

Back in 2009, when I started working in fraud prevention at PayPal, we had this saying: “Good people leave tracks.”

And honestly, that was kind of the whole job.

Fraudsters tried to erase themselves. Fake identities, disposable emails, wiped browser cookies, brand-new accounts. Legitimate users, meanwhile, usually left digital breadcrumbs everywhere because nobody really thought much about online privacy back then.

So yes, part of the job was basically social media investigation.

And honestly, I got weirdly good at it.

In this episode, I tell the story of how a random Facebook profile picture, a colonial-looking building, and an old backpacking trip through Vietnam helped us approve a transaction that initially looked like obvious fraud.

Now, if listening to that story makes you cringe a little, good. It should.

The bigger conversation here is not really about Facebook stalking. It is about how fraud prevention changed once online privacy, customer privacy, and data privacy became much more serious priorities across the internet.

And now we have this strange tradeoff.

As private citizens, most of us are probably happy that publicly available information is harder to access than it was 15 years ago. But as fraud professionals, we also lost a huge amount of visibility that once helped us understand identity intelligence, behavior patterns, and fraud risk.

Not a simple problem.

Social media investigation once helped fraud teams follow digital breadcrumbs, but online privacy and AI OSINT tools changed how scams are fought...

  • How social media investigation worked inside fraud teams in the early days of fintech fraud prevention
  • Why fraud analysts relied heavily on publicly available information and digital breadcrumbs
  • A real fraud investigation story involving Facebook, geolocation mismatch, and identity verification
  • How online privacy and data privacy reshaped fraud prevention workflows
  • Why social media OSINT became harder as platforms tightened customer privacy controls
  • How open source intelligence techniques evolved from manual investigation into AI OSINT tools
  • Why identity intelligence became more difficult once social networks reduced public visibility
  • A practical discussion about OSINT for fraud prevention and its limits today
  • How scammers and social engineering scams changed the privacy conversation entirely
  • Why fraud fighters may need to rethink their relationship with privacy regulations

A conversation that starts with an old-school fraud investigation story that turns into a broader discussion about whether losing access to personal data may have actually protected us in the long run.

Who should listen:

  • Fraud leaders and fraud investigators
  • Trust and safety professionals
  • FinTech fraud prevention teams
  • Risk and compliance professionals
  • OSINT and digital investigation practitioners
  • Cybersecurity and identity teams

Anyone interested in social media OSINT, online privacy, identity intelligence, or open source intelligence techniques.

Basically, if you ever used Facebook like an investigative database, this episode is probably going to make you a little uncomfortable.

Episode notes:

This episode starts with a fraud case from 2009 that, looking back now, feels slightly insane.

At the time, social media investigation was one of the most useful fraud prevention tools we had. Fraud analysts relied heavily on publicly available information, Facebook profiles, geotags, interests, photos, friend networks, and digital breadcrumbs users left behind online.

And honestly, it worked.

The bigger point, though, is how dramatically online privacy changed the fraud landscape.

Today, customer privacy settings, platform restrictions, and data privacy expectations make that same style of investigation much harder. Even with modern AI OSINT tools and better open source intelligence techniques, fraud teams still lost access to huge amounts of behavioral context that once helped explain suspicious activity.

But then the conversation flips.

Once you think about modern scam prevention and social engineering scams, you start realizing something uncomfortable: if fraudsters still had the same access to public data they had 15 years ago, things could be much worse.

So maybe privacy regulations are not just making fraud prevention harder.

Maybe they are also giving us a fighting chance.

Key takeaway:

Fraud prevention used to depend heavily on visibility.

The more digital breadcrumbs users left behind, the easier social media investigation became. But as online privacy and customer privacy evolved, fraud teams lost access to many of the signals that once helped validate trust and identity.

At the same time, scams evolved too.

And that leaves fraud professionals in a strange position: frustrated by privacy limitations while also quietly grateful those same protections exist.

Less convenient for investigators.

Probably safer for everyone else.

Episode transcript
Chen Zamir
Chen Zamir
00:09
In 2009, I started my fraud prevention journey when I joined PayPal as a fraud analyst. Back then, we had this saying: good people leave tracks. The idea was simple. Fraudsters were trying to cover their own tracks. They used fake identities, signed up with disposable emails, deleted browser cookies. Either way, the identities they used would actually appear as brand new. Legitimate customers, however, never bothered with cleaning the breadcrumbs they left behind. Why would they? Back in 2009, when we reviewed fraud cases, this mainly meant that we stalked people on Facebook. And boy, was I good at it. One day, a colleague of mine was reviewing a case she couldn't decide on. The account and card were American. The IP came from Vietnam, which was a known fraud hub. And the Facebook page linked to the account's email had nothing on it. No geotags on recent pictures. No status updates about traveling there. No liked pages that referred to the item purchased. Basically nothing that could connect the identity to that return. But there was one thing that caught my eye. The profile picture showed the person standing in front of a colonial-looking villa surrounded by what looked to me like tropical vegetation. Now, funnily, I happened to backpack through Vietnam just a few years prior to that. I got this strong gut feeling that the picture might have been taken there. So, I searched for “colonial building Vietnam” in Google Images. That was before you could do reverse image search.
Chen Zamir
Chen Zamir
01:43
And lo and behold, the very same building popped up immediately.
Chen Zamir
Chen Zamir
01:47
That's how we knew the account holder was indeed traveling in Vietnam, and we decided to approve the purchase. Now, why am I telling you this story? First, to brag, of course. Second, I bet you just cringed listening to it. Not because you suddenly remembered writing public statuses on your Facebook wall, that too, probably. But likely because you remembered how easy it once was to violate someone's privacy. And if you forgot or weren't around, then here's an image of Facebook's advanced search from 2008 just to illustrate the possibilities. But now we're in 2026, and people are more aware of the dangers of oversharing private information on social media. Even more so, the regulatory environment has also changed, and so did the privacy settings platforms like Facebook enforce, especially by default. As a private person and a parent, I'm glad to see these changes. But as a fraud professional, that makes my job harder nowadays. It's much harder to find those same breadcrumbs good users leave behind. Some would argue that you still have very similar capabilities today. There are plenty of vendors out there who collect identity information, including which online services you subscribe to. You can also still use Google search and the limited search functionality that different social media platforms offer. And lately, we've also seen how AI tools make OSINT analysis easy and fast. All these are great, but privacy settings will still limit your reach, mainly your access to the behavior and social network of the user. Now think about how important those are. Knowing where a person is right now can remove a suspicion of fraud in cases of geo mismatch. Knowing what they like to do for fun can show direct relation to a purchase made. Knowing who their close friends are can shed light on that suspicious P2P transfer. Today, it all sounds cringe-worthy, but back in 2009, it was our secret weapon in fighting fraud. So, is privacy obstructing us from fighting fraud? There's another way to look at how our culture evolved around privacy concerns, and that has to do with the rise of scams as the prominent fraud threat of our day. Just imagine what scammers and con artists could achieve if we had the same level of data security we had 20 years ago. Now that could make my skin crawl. You see, as fraud fighters, we tend to complain about privacy regulations and how they stand in the way of implementing effective fraud prevention solutions. But maybe it's the other way around. Maybe they give us a fighting chance.
View full transcript
Host
Chen Zamir
Chen Zamir
Head of Fraud Strategy