
Turning a Paper Check into Cryptocurrency: Fraudsters' Newest Trick

Georgia State University's David Maimon. Photo by Ted Pio Roda

A new form of financial crime involves an old payment method: the humble paper check. In this episode, an expert on cybercrime and cybersecurity talks about how criminals use checks to commit payment fraud.


Hosts and Guests

Chris Colson, Payments Expert
David Maimon, Georgia State University

Transcript

Chris Colson: Hello, and welcome to the Economy Matters podcast. I'm Chris Colson, and I'm responsible for payments innovation here at the Federal Reserve Bank of Atlanta. This episode is the third in a series spotlighting an Atlanta Fed strategic priority that's focused on safer payments innovation. The Atlanta Fed has extensive payments expertise resulting from our roles as a network operator, supervisor, and researcher, and we're seeking to amplify that expertise by partnering with select academic institutions like Georgia State University to conduct research and experiments. Our goal is to share what we learn to help educate the payments industry, with the objective of identifying better solutions and operational practices. Before we begin, I want to emphasize that the views expressed today are my own and do not necessarily represent those of the Federal Reserve Bank of Atlanta or the Federal Reserve System.

In today's episode, we'll talk about how cybercriminals are turning paper checks into cryptocurrency, and we'll discuss how criminals are stealing checks and selling them online using various media platforms. To help me explore this troublesome trend, I'm joined by David Maimon, associate professor and director for Georgia State University's Evidence-Based Cybersecurity Research Group.

David Maimon: Sure thing—and thank you, Chris, for having me. I really appreciate the opportunity to talk about the group, and the interesting collaboration we're having with the Fed. The Evidence-Based Cybersecurity Research Group is a group of scholars from various disciplines—including criminology, computer science, computer information systems, psychology, even communication—who are essentially trying to understand what works and what doesn't in the context of cybersecurity.

As I assume the listeners understand, we have so many cybersecurity tools—cybersecurity policies are being advocated for, but at the end of the day, we are not really clear with respect to the effectiveness of those policies and tools in achieving their goals. What our group tries to do is produce evidence with respect to the effectiveness of those policies and tools. We do that by collecting our own data from the cybercrime ecosystem. We do that by focusing efforts on the humans who drive this type of crime, as well as the technology that they use in their different types of activities that they engage in on the clear net, the dark net and other platforms they engage in. The group works from Georgia State University, and we have a fairly large cadre of students working with us on a wide range of areas starting from conspiracy theories, going through understanding hackers' behaviors, and of course monitoring dark net environments.

Colson: Wow, great—thanks for the recap. Before we dive in, I want to underscore something you said about the importance of the data your team has uncovered. We know, from our ongoing Federal Reserve Payments Study, that check usage in the United States has actually been declining for the past two decades. Furthermore, our recently released 2021 study showed that the share of checks by value has also decreased from 2018 to 2020. Additionally, we haven't seen any change in evidence that check theft and fraud in the consumer data from 2015 through 2020—it's actually holding steady at less than 1 percent. With all this data, some may wonder: Why even talk about checks when the usage and average value is in decline?

Maimon: It's a great question, and a great premise as well for me to try and address. First of all, I just want to make sure that folks understand—I don't have any horse in this race. I'm not advocating for folks to use either checks or online payments, or any type of currency or payments. As a scientist, what I do is I just describe what I see and then I leave it for the audience, the policymakers, to do what they want with this data. But two important things that I would like to refer your attention to in the context of the two pieces of stats that you just provided. First, the data that you guys are seeing is from 2020. What we're seeing is an increase in the volume of stolen checks starting 2021, so I'm not sure whether you guys have data about 2021. The second important thing I would like to emphasize in this context is that as a criminologist who deals with crime statistics and underreporting, we know that victims tend to not report their victimization. That goes for individuals, but it also goes for large organizations who have a reputation to maintain, who want to make sure that their customers do not run away if they reveal sensitive information. These are two key things that we need to put in the right context when we talk about the stats. But even if we believe the stats you just brought, that we see that there's a decline—and we know that there's a decline in the volume of check usage here in the United States. The question is, even if we see this decline: Should we care about this? And I can refer you to another really interesting decline that we're seeing here in the United States, in the users of USPS mail services. We know that from 2000 to 2020 there is a very substantial decline in the volume of envelopes and packages that USPS has been processing—we're talking about a 50 percent decline.

So if we take the stance that we talked about, we shouldn't really care about the fact that the mail that we send does not reach its destination because of the decline we're seeing. I mean, based on the premise that we just had with respect to stolen checks, maybe the answer is "no." I don't think that is the case. I think people still want mail to reach its destination, because at the end of the day they're paying money for this service. And at least to me, if you can't provide the service, (a) don't offer it for people to use, and (b) don't charge them money to use the service. If you think about it in the context of the topic we're focusing on today, which is stolen checks, you can take a very similar posture there. If we don't want people to use checks anymore, and if the usage of checks here in the United States is on the decline, does that mean that we shouldn't really care about stolen checks and the fact that this type of financial activity is subject to criminals taking advantage of the paper slips that we're using? If we don't want people to use checks, and if we believe that this is not an issue or it's an issue that we don't want to deal with, then simply don't offer people the opportunity to use checks. Because again, checks cost money, and sending those checks costs money as well. Again, I'm not saying that I'm advocating for using checks or not using checks. I definitely understand that there is a decrease in the volume of check usage here in the United States, but that to me doesn't necessarily mean that we shouldn't care about crimes that could be committed, and which are committed, using those checks that folks innocently send to their loved ones, the companies that they do business with, and so forth.

Colson: That's why I thought it was really fascinating when you brought that to our attention, the increase in the volume of stolen checks. What's really interesting to me is that in this digital age, checks—paper checks, in particular—are still targeted. Why do you think that is?

Maimon: Well, it's easy to use those slips to commit crime. It's easy to use those checks to get cash. It's easy to use those checks to pay for a new TV, or anything pretty much that you would like to get and pay money for.

Colson: Can you elaborate a little bit on that? You said they get the stolen checks and they buy TVs. What entails in that process? What happens once they get these checks? What do they do with them?

Maimon: One of the things that folks do is they simply take the checks, they remove the content that the victim originally had on the check, including the payee's name, including the amount on the check. They simply wash it.

Colson: How do they do that? You use the term "washing." What does that mean?

Maimon: They use nail polish remover to remove the contents from the check, and then you have a new blank check you can work with. You can go to Target to buy some groceries or buy a new TV. You can go to Best Buy and buy a new TV. You can do pretty much whatever the legitimate owner of the check could have done with the same check, because you simply have a blank check to work with.

Colson: Right, literally. You've talked about the increase that you're seeing in the number of stolen checks. Where are they getting them from? How are they obtaining these checks?

Maimon: Based on what we see in the online underground markets that the group oversees, we see that they are getting those checks from USPS mailboxes, the blue boxes that are on the streets.

Colson: And how does that work?

Maimon: It's very simple. What the criminals do is…there's really no simple way to say it: they rob mail carriers of the arrow keys that are used to open the blue boxes.

Colson: Okay, so it's key access.

Maimon: They take the keys, and they start opening mailboxes in relevant ZIP codes that the keys will work in.

Colson: And you've seen videos posted of this, correct?

Maimon: We've seen videos of keys being offered for sale on the platforms we oversee. The prices of those keys vary from $1,000 to $7,000 depending on the volume of mailboxes the keys can open, the ZIP codes, the location. We know that some areas are very lucrative, so the criminals will charge high prices for those arrow keys. What's interesting is that the arrow keys come with guidelines and instructions with respect to which mailboxes and where exactly the arrow keys will essentially work.

Colson: On the dark web, what do you see? Is this pretty much, you can purchase the whole scheme on how to do it, from soup to nuts—or do you have to piece it together yourself? That's the interesting part to me.

Maimon: What you see is, you see people advertising those keys. You can purchase those keys. You will get those keys over USPS or UPS mail after two or three business days, and you usually will pay for those keys using bitcoin. Once you have the keys, you can start opening the blue mailboxes and start stealing mail. And that's essentially what we're seeing on videos that the criminals are essentially filming. They use their smartphones to take shots of themselves stealing the mail, videotape themselves stealing the mail. We see videos of them taking the mail from the blue box, putting it in a car, and then driving to their hideout where they start sorting through the mail, finding the checks. That's essentially what we see. And what's interesting about this is the fact that criminals sold you the arrow keys doesn't necessarily mean that another vendor or another criminal will not get the key because they can generate replicas of those keys. So one of the things that maybe we'll begin to see…

Colson: So, you could bump into somebody else at the same box? [laughter]

Maimon: Yes, definitely. Because one of the things that is important to understand is that this is a very organized type of crime. There's a supply chain of the individuals who essentially rob the mail carrier of the keys, and then you have the group of people who go to the mailbox and empty it, and then the group of people who wash the content from the checks, use the checks. And they can't use all the checks, so what they do is they offer the checks for sale over the platforms we oversee. And so, you can be in Minnesota and buy a check from someone who lives here in Atlanta and simply use that check to purchase a new iPad, or a new TV, or whatever.

Colson: The title of the podcast is "Turning a Paper Check into Cryptocurrency." Could you talk a little bit more, because you alluded to it a little bit—you said they sell the keys for bitcoin and things like that. So that's what is actually happening, correct? They're not accepting any other form of payment? Is that true, or is that their preferred?

Maimon: The folks we see and that we are aware of on the platforms we oversee—and it's not necessarily the dark net. We're talking about encrypted communication platforms. They love to work with bitcoin because they think that it will be more complicated for law enforcement to track who they are and their geographic location. So the arrow keys that these guys are selling—yes, they will sell, and they will prefer to use bitcoin. The other things that the vendors will sell over the platforms—and that's essentially how we get the estimates in respect to the volume of stolen checks—are the checks themselves. We had a conversation with a few actors trying to understand exactly what would be the method of payments, and the prices on those checks, and we got estimates for personal as well as business checks, and the preferred method of payment was bitcoin.

Colson: So besides actually getting the checks, washing them, and using them to make purchases, what else are they doing with the information on the checks?

Maimon: As I indicated earlier, they can't use the thousands of checks that they have access to and that they stole from the mailboxes themselves, so what they like to do is they like to take a picture of the check, upload the checks on the platforms we oversee, and that other criminals see. This doesn't mean that we're criminals, we just oversee those platforms. There will be a buyer for the check, and so they will be able to send the check and as I indicated earlier, you should expect the check two to three business days after the purchase. What's interesting is that there's no limit.

Colson: Just curious: do they send them through the mail? [laughter]

Maimon: I actually asked them. I actually asked a few of them—they don't send them through USPS—not the checks. They send those through UPS, which is really interesting. So that was a really interesting anecdote on some of the conversations we had with them. They will definitely send the checks, with no limit to the number of checks that you can purchase. In fact, the higher the number of checks that you ask to purchase from a vendor, the better price you will get. You can actually negotiate the price of the checks.

Colson: Interesting. What about the data itself? Like the name, the address—what are they doing with that information?

Maimon: We mentioned that they take screenshots of the checks. Other than making the checks available on an online environment for folks to see what it is that they're getting, the criminals will use the information on the checks to potentially in the future steal someone's identity. As I assume the listeners know, in the top left corner of the checks there's complete information: full details of the target, their place of residence, and so that information could be used to manufacture new driver licenses, or to look for information on legitimate driver licenses—and that information could be used to steal someone's identity. In addition to that, we believe that we are on the verge of—and it'll be really interesting to test this empirically with the Federal Reserve Bank database in the future—another wave of stolen checks, because these guys at the end of the day have access to the entire information on the check, including the bank account number and the routing number. So, for them it will be really easy to simply create replicas of the checks, start forging checks.

It will be really interesting, at least in my shop, to see whether we see an increase in the volume of forged checks in 2022. We've seen this increase, at least from where we sit, in the volume of stolen checks that are uploaded on underground markets in 2021. It'll be really interesting to see whether a second wave of forged checks—because again, once the victim's information is in the hands of the criminals, that information could be used to engage in other types of crime, including identity theft, manufacturing of synthetic identities, which is something that the bureaus are working on and trying to come up with a few solutions to the manufacturing of forged checks, and selling those. So what we're seeing nowadays, in my opinion, is just the beginning of potentially other waves of crimes we will see in the future.

Colson: Interesting. I have one final question today: What can people do to protect themselves? What advice would you give our listening audience?

Maimon: So again, I'm not advocating for either sending checks or not sending checks as a form of payment. As I assume the listeners know, it's fairly easy to pay online but that comes with issues as well. I think that the best suggestion I will have now for folks who really want to use checks: if you really want to use a check, you might as well just go in the post office and leave your mail—with the checks in them—with the clerks. Don't leave your mail on the street, in the blue boxes, because we know that the criminals have access to those. Simply go inside the post office and leave your mail with the clerks.

Colson: Great, thank you. And thanks so much, David, for being our guest today and for sharing your insights with Economy Matters. I look forward to future conversations and discussions about what else you and your team are finding on the dark web and how we can better protect ourselves. And I'd like to give a special thanks to our listeners. To learn more about Economy Matters and the Atlanta Fed's Promoting Safer Payments Innovation strategy, please visit atlantafed.org. Also visit fedpaymentsimprovement.org. To learn more about the Evidence-Based Cybersecurity Research Group at GSU, please visit ebcs.gsu.edu. Thank you.