How a cyber cop patrols the underworld of e-commerce

Primary goal is to review, monitor, investigate and help mitigate the risk associated with e-commerce

Melissa Andrews, a resident of Canada, is a cyber security "cop" for Payza, an international e-commerce payment platform operating in 97 countries. Her job, described by the company's public relations firm as "the worst security job on the Internet," is to protect the public from illegal, and many times revolting, content, by shutting the sites down and alerting authorities about criminal activity. She spoke with CSO this week about her job and why she is proud of what she does.

What drew you to this type of work?

It was a natural progression in my roles within the organization. I've always had an interest in the online world, and how websites truly function. After seeing the amount of fraud that happens online, I was intrigued by the number of ways to mitigate it.

What is your background and training?

I have a background in customer service, account management and fraud prevention, and have been working with the Merchant Risk team for about three years. I was lucky to work for a company that saw my potential and was willing to provide the necessary guidance and training.

Did you need special training before you took this job? If so, describe it. Did it prepare you for the reality of the work?

When I initially joined Payza, I received in-depth training on how the company functions, and started in customer service. The Merchant Risk department is cross-trained in CS, Fraud, and Risk, which are vital to understanding how someone might try and take advantage of our system. However, as industries and trends are always evolving it's important to keep up to date. Having good analytical skills, and a general curious nature is key to mitigating. That said, while it has prepared me for the reality of the job, I am still sometimes surprised at what you can find online. Some other skill sets that prove vital for this role are a good understanding of web technologies and a strong investigative drive.

How long do you think you can continue doing it, and why?

While the job entails reviewing websites and content online that some may find disturbing, graphic or unethical, it remains rewarding, knowing that we can do our part to investigate, catch and help shut down the illegal ones.

Payza has a global operation, and we work closely with various law enforcement organizations in different parts of the world, such as RCMP, FBI, Department of Homeland Security, Interpol etc. So, knowing that I am contributing to weeding out the bad players, and having them prosecuted if necessary, makes it worth it.

Do you really spend your days poring over some of the worst sites on the Internet?

For the most part, the websites that people submit to us for review are general e-commerce websites. However, there are times we have to review websites that make you question who comes up with that kind of stuff. Some websites go against our user agreement, whereas there are others that are very illegal.

Initially some of the websites I came across when I first started did pose a shock, however over time, you do get used to it. It's obvious that there are a variety of unique websites and ways people use them to make money online.

Describe a typical day.

I wouldn't say that any day is typical, which is one of the reasons I love this job. I'm never really sure what the day will hold. However, generally speaking my day consists of reviewing websites for both new and existing clients, mitigating our risk exposure by using the numerous tools and processes we have in place such as persistent website monitoring and our proprietary fraud matrix.

What does a job like this do to you emotionally and psychologically?

While it takes a certain type of person to be able to do this job, the truth is you can't un-see what you saw. There are times when you feel like going home to watch a cartoon to reclaim some innocence.

Have you ever sought therapy to cope with it?

Luckily, it hasn't come to that. We have a great HR department that is always available if I need them. While there are many terrible things out there, and not just online, I take solace in all the good people I have around me both at work and in my personal life.

Is your job to track down and catch predators, shut down bad sites or more than that?

Our primary goal is to review, monitor, investigate and help mitigate the risk associated with e-commerce. Our objective is to allow legitimate merchants to use our systems, while restricting illegitimate ones from getting in. We have numerous procedures and processes in place that allow us to monitor illegal and unethical use of our brand and services. When these are found, and some are found easier than others, we take the appropriate action on our side, along with advising the necessary governmental agencies.

Without getting too graphic, describe some of the worst sites on the Web. What are they trying to do?

Most bad sites will try and hide the true nature of what they're doing. They'll offer a simple product like coffee or shoes, but behind the scenes be selling illegal drugs, or promoting hate, racism, etc. But the ones that bother me the most are any that have pre-adult content. Unfortunately content like that exists and I'm happy to be able to help shut it down.

Do you know how successful you and your colleagues are in achieving your goals?

We've seen immediate response to our tips and action within days. Helping to shut down illegal websites, phishing websites, reducing credit card fraud and malware is what I strive for.

What are some of the more interesting stories that have come out of your work -- humorous, tragic, revolting or horrific?

I've seen all kinds of websites, and I am often surprised with the nature of products or content people choose to sell and/or promote online, but there is a market for literally everything online.

One of the more recent was a "client" who sent us a website to review and wasn't trying to hide the graphic content involving gruesome videos and images related to death.

Another sold access to videos or images that were extremely graphic of people being brutally murdered, attacked, tortured, violated, etc., and also linked to other websites that offered underage pornographic content.

Another example is a website that was "selling" what first appeared to be car-washing liquid, but after digging deeper we found that it was actually the date-rape drug.

In all these cases, the accounts were immediately suspended and the information sent to the appropriate law enforcement.

What specific things give you a sense of pride?

As I've said before, once you see something you can't un-see it. However, you have to take it in stride. I know I do my job and we do our best to make the Internet a safer place.

How many people like you would it take to solve, or at least address, the problems you are addressing?

I belong to a team of dedicated staff that help me on a daily basis. While my job is unique and requires that I look at not the nicest things, I am pretty sure the websites we locate and report are only a portion of what is out there, as the internet is a vast environment.

Anything I'm missing that you think is significant?

Fortunately, even after a website has been onboarded to the Payza platform, Payza continues to monitor websites via a variety of methods which include secret shoppers, customer quality assurance calls, keyword detections, and persistent website monitoring, etc.

We have seen cases where a website that was approached last month for something very mainstream became something illegal the month after. This is something we have to be vigilant for. We need to make sure we keep up with the ever-evolving methods that the criminals use.


Stories by Taylor Armerding
