Black Hat USA 2025 | If Google Uses It to Find Webpages, We Can Use It to Find Fraudsters
•February 28, 2026
0
Why It Matters
Because TF‑IDF provides a lightweight, high‑precision method to surface AI‑driven fraud, organizations can defend against rapidly evolving attacks without costly infrastructure upgrades.
Key Takeaways
- •TF‑IDF can detect anomalous devices and fraud patterns efficiently.
- •Attackers now leverage generative AI, accelerating fraud volume and speed.
- •Google switched from TF‑IDF to BM25, but TF‑IDF remains useful for fraud.
- •Simple, low‑cost computation outperforms heavy GPU models in detection.
- •Real‑world deployments show improved detection confidence on unbalanced data.
Summary
The session at Black Hat USA 2025 introduced a surprisingly simple technique—term‑frequency inverse‑document‑frequency (TF‑IDF)—as a powerful tool for spotting fraudsters, positioning it as an alternative to the sophisticated AI browsers and agents that dominate today’s web search.
Speakers argued that generative AI tools like Worm‑GPT are lowering the barrier for attackers, leading to higher‑volume, faster‑moving fraud campaigns. Traditional models struggle with low‑confidence alerts, whereas TF‑IDF can quickly highlight anomalous attribute combinations such as unusual device‑OS or GPU signatures.
Live customer demos (names omitted) demonstrated that the TF‑IDF‑based engine runs on modest hardware, delivering clear clustering of suspicious entities without an army of GPUs. The presenters also noted Google’s migration to BM25 for web ranking, but emphasized that TF‑IDF’s deterministic nature makes it ideal for fraud contexts.
For security teams, adopting TF‑IDF offers a cost‑effective, scalable way to enrich detection pipelines, improve analyst confidence, and keep pace with AI‑enhanced threat actors, ultimately reducing breach risk tied to identity theft and synthetic fraud.
Original Description
If Google Uses It to Find Webpages, We Can Use It to Find Fraudsters: TF-IDF for Real-Time Fraud Detection
Fraud detection has traditionally relied on supervised learning, rule-based heuristics, and anomaly detection. However, these methods struggle against adaptive fraud schemes, emerging attack vectors, and low-frequency fraud patterns. This talk presents a novel, real-time fraud detection technique leveraging Term Frequency-Inverse Document Frequency (TF-IDF) as a similarity measure to link fraudulent entities.
Originally developed for Natural Language Processing (NLP), TF-IDF can be repurposed for fraud detection by treating transaction metadata, device identifiers, and behavioral signals as a "corpus." This approach uncovers hidden relationships between fraudulent activities, enabling a hybrid detection model that enhances real-time fraud identification beyond traditional heuristics or anomaly-based methods.
Through real-world case studies in financial services, e-commerce, and identity verification, we demonstrate how this method identifies unknown fraud patterns before they escalate into large-scale fraud rings. We will cover mathematical formulations, implementation steps, and a comparative performance evaluation against conventional supervised fraud models. Additionally, we will discuss potential evasion tactics and mitigation strategies to strengthen resilience.
Join us as we explore cutting-edge strategies in fraud detection and cybersecurity. With deep expertise in fraud prevention, identity security, and risk management, we will share actionable insights on leveraging TF-IDF and advanced machine learning for real-time fraud detection.
Attendees will learn how combining text-based feature extraction with behavioral biometrics and device intelligence enhances detection accuracy and mitigates sophisticated fraud threats. This session provides practical knowledge on applying these innovations to stay ahead of evolving fraud tactics and improve overall security posture.
By:
David Mahdi | CIO, Transmit Security
Ido Rozen | Head of Fraud Detection Engineering, Transmit Security
Full Session Details Available at:
0
Comments
Want to join the conversation?
Loading comments...