Ep 5: Michael Vergara
In this episode of In a Pinch, we sit down with Mike Vergara, a fraud and risk leader with more than two decades in the space, for a wide-ranging conversation on product-led risk, the evolution of adversaries, the rise of first-party abuse, and what great risk leadership looks like in the AI era.
Mike traces his career from product management at RSA in the early days of public key infrastructure, through a transformative run at PayPal building the multi-tiered risk systems that still define the industry, to leadership roles at Blackhawk Network and now Trustly. The throughline across every chapter is something rarer than it sounds: a product-first approach to risk. Mike describes himself not as a risk person but as "a business person that does risk," someone who uses data to make good business decisions, not a defender waving a red flag.
That framing leads directly into one of the episode's sharpest critiques. Mike argues the traditional InfoSec mindset (protected or not, binary, built on fear-uncertainty-doubt) fundamentally misses the point. Risk isn't a switch; it's a scale. Every control should be cost-justified. His favorite pushback to a security colleague selling on fear: "How much is that New York Times article actually worth, a million dollar problem, a five million dollar problem, a hundred million dollar problem? If you can't evaluate the problem, how do I know the solution you're proposing is appropriate?"
The conversation then turns to how those principles translate into building actual risk systems at scale. Mike walks through the fundamentals of multi-tiered risk: interoperability, communication between layers, and the two non-negotiable inputs, good people and good data. He shares a favorite story from PayPal's Brazil expansion, where perfectly reasonable global models mistook a local norm (Brazilians casually sharing credit card numbers with family and friends) for organized fraud, producing a wave of false positives no one saw coming. The lesson: global scale and local nuance are the same problem, and the data alone won't save you. It's also where he makes the case that great risk systems are business enablers, not just cost centers, powerful enough that you can sit across from a CFO and commit to revenue and loss numbers with confidence.
On the shift from third-party fraud to first-party abuse, Mike is clear-eyed about why the new problem is so much harder. Third-party fraud, for all its professional sophistication, is a problem of identity, and identity can be modeled. First-party abuse is a problem of intent, and no model yet can look inside a customer's head. He and Arthi dig into the rise of the "affluent abuser" (the customer who buys a fan from Costco in March and returns it in October, or returns a couch the week before moving apartments) and the debate over whether policy abuse is fraud or simply customers taking advantage of what's offered. Mike's framing is that the effective response isn't better detection alone, but a combination of investigation, education, and visible deterrence. As he puts it: "Like a police officer walking in the street, everybody seems to behave a little better. Not because they're evil, but because they know someone's watching."
On AI and modeling, Mike resists the industry's framing of ML versus LLMs as a cage match. Good risk teams want every tool on the bench. ML models are strong at pattern recognition at scale; LLMs are powerful at classification and parsing unstructured data (imagine handing one your credit card statement and asking what you actually bought). But both have limits, and for Mike the one that matters most is explainability. You can't tell a regulator "the model said so," and you can't reduce false positives if you can't explain why the model got it wrong. He also shares the story of how his team at PayPal built what the industry now calls "human-in-the-loop" back in 2015 to 2017, before anyone had a name for it: a system that captured expert investigators' real-time signals and fed them directly into model strategy, closing the weeks-long gap between labeled outcomes and adversary adaptation.
The episode also digs into Mike's time at Blackhawk, where the most damaging frauds weren't brute-force attacks but victim-assisted scams, elderly customers walking into stores to buy a thousand dollars of Apple gift cards to "pay off their taxes." He explains how systems that were never designed to talk to each other (online ordering, returns, in-store redemption) create the exact seams that sophisticated abusers exploit, and why connecting those pipes is one of the biggest unsolved problems in retail risk today. It's also where Jayan brings up Pinch's "three strike" problem: a stolen card used for a purchase, an empty-box return processed as a refund to a gift card, and a chargeback that lands weeks later. Three systems, three teams, and no shared view of the customer.
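The "three strike" pattern described above only becomes visible once the three feeds are joined on a shared key. As an added illustration (not code from the episode, Pinch, or any of the companies mentioned), the following Python stitches constructed order, return, and chargeback records together by order_id into one per-customer view, flags orders where all three strikes have landed, and separately surfaces the earlier warning sign (a card purchase already refunded to a gift card, with the dispute window still open) so a team can act before the chargeback arrives. The feed field names and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample feeds from three systems that, in the scenario above, never talk to each other.
ORDERS = [  # online ordering: card purchases
    {"order_id": "O-1001", "customer_id": "C-1", "card_last4": "4242", "amount": 899.00, "date": date(2024, 3, 2)},
    {"order_id": "O-1002", "customer_id": "C-2", "card_last4": "1111", "amount": 120.00, "date": date(2024, 3, 3)},
    {"order_id": "O-1003", "customer_id": "C-1", "card_last4": "4242", "amount": 45.00, "date": date(2024, 3, 9)},
]
RETURNS = [  # returns desk: how each refund was paid out
    {"order_id": "O-1001", "refund_method": "gift_card", "gift_card_id": "GC-77", "amount": 899.00, "date": date(2024, 3, 6)},
    {"order_id": "O-1002", "refund_method": "original_card", "gift_card_id": None, "amount": 120.00, "date": date(2024, 3, 20)},
    {"order_id": "O-1003", "refund_method": "gift_card", "gift_card_id": "GC-78", "amount": 45.00, "date": date(2024, 3, 12)},
]
CHARGEBACKS = [  # payments/disputes: arrives weeks later from the card network
    {"order_id": "O-1001", "reason": "fraud_card_not_present", "amount": 899.00, "date": date(2024, 4, 15)},
]


@dataclass
class OrderTimeline:
    """Everything the three systems collectively know about one order."""
    order_id: str
    customer_id: str
    card_last4: str
    amount: float
    ordered_on: date
    refund_method: Optional[str] = None
    gift_card_id: Optional[str] = None
    refund_amount: float = 0.0
    refunded_on: Optional[date] = None
    chargeback_reason: Optional[str] = None
    chargeback_amount: float = 0.0
    chargeback_on: Optional[date] = None


def build_customer_view(orders, returns, chargebacks) -> Dict[str, List[OrderTimeline]]:
    """Join the three feeds on order_id, then group the stitched timelines by customer."""
    by_order = {
        o["order_id"]: OrderTimeline(o["order_id"], o["customer_id"], o["card_last4"], o["amount"], o["date"])
        for o in orders
    }
    for r in returns:
        t = by_order.get(r["order_id"])
        if t is None:
            continue  # refund against an order this feed never saw; worth its own alert in practice
        t.refund_method, t.gift_card_id = r["refund_method"], r["gift_card_id"]
        t.refund_amount, t.refunded_on = r["amount"], r["date"]
    for c in chargebacks:
        t = by_order.get(c["order_id"])
        if t is None:
            continue
        t.chargeback_reason, t.chargeback_amount, t.chargeback_on = c["reason"], c["amount"], c["date"]
    view: Dict[str, List[OrderTimeline]] = {}
    for t in by_order.values():
        view.setdefault(t.customer_id, []).append(t)
    return view


def find_three_strikes(view: Dict[str, List[OrderTimeline]]) -> List[dict]:
    """Orders where all three strikes landed: card purchase, refund to gift card, then a chargeback.

    Exposure is the store value already handed out plus the disputed sale itself."""
    alerts = []
    for customer_id, timelines in view.items():
        for t in timelines:
            if t.refund_method == "gift_card" and t.chargeback_reason is not None:
                alerts.append({
                    "customer_id": customer_id,
                    "order_id": t.order_id,
                    "gift_card_id": t.gift_card_id,
                    "exposure": round(t.refund_amount + t.chargeback_amount, 2),
                    "days_refund_to_chargeback": (t.chargeback_on - t.refunded_on).days,
                })
    return alerts


def find_open_seams(view: Dict[str, List[OrderTimeline]]) -> List[str]:
    """Early warning: card purchases already refunded to a gift card with no chargeback yet.

    These are the orders where holding or reviewing the gift card balance is still possible."""
    return sorted(
        t.order_id
        for timelines in view.values()
        for t in timelines
        if t.refund_method == "gift_card" and t.chargeback_reason is None
    )


if __name__ == "__main__":
    customer_view = build_customer_view(ORDERS, RETURNS, CHARGEBACKS)
    for alert in find_three_strikes(customer_view):
        print("three strikes:", alert)
    print("open seams (refund to gift card, dispute window still open):", find_open_seams(customer_view))
```

The join key matters more than the rules: once every feed carries the same order and customer identifiers, the detection logic is a few lines, and the same view lets a single team see the purchase, the refund, and the dispute as one customer story rather than three unrelated tickets.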
The conversation closes with Mike's "In a Pinch" round, including his own most-scarring crisis memories, the importance of empowering teams in moments when there's no time for analysis, and reflections on the PayPal "risk mafia," the unusual concentration of fraud and risk leaders who came out of PayPal and now shape much of the industry. His answer on the most underestimated risk vector lands as a warning: in a world of AI-generated deep fakes and perfectly polished phishing, consumers may simply lose trust in the system entirely, and he's genuinely not sure how to educate his own mom or friends to navigate it. It's the kind of honest, hard-earned answer that makes this episode a must-listen for anyone building or leading in fraud, risk, product, or fintech.