By Adam Elliott
Banks are getting better at making digital account opening faster, easier and more efficient. But improvements to reduce the friction for customers can also open the door to new ways of gumming up the works with fraud.
According to Aite Group, new account fraud rates in the online channel are “eight times that of accounts opened in the branch.” With Aite projecting that digital and mobile demand deposit account applications will represent 45 percent of total account opening volume by 2020, it’s critical that banks have multilayered methods of fraud screening.
One of the reasons NAF losses soared from $3 billion in 2017 to $3.4 billion in 2018, according to Javelin, is that many banks are not screening for out-of-pattern behaviors that only become evident when combining identity attributes with other data elements: otherwise hidden insights from phones, addresses and emails, for example.
Without integrating these data elements, fraudsters have the advantage. Because they have access to compromised data, their applications can look completely legitimate to traditional ID verification systems. If the applicant name, Social Security and mailing address match credit header data, then fraudsters can bypass the system.
Use email data to enhance fraud detection
With online account openings, there should always be an email address provided in the application process, and that’s where fraudsters can become vulnerable to detection. They typically do not use the email address of the legitimate consumer. To do so would risk victims receiving communication that would alert them to fraudulently opened new accounts. Instead, they must have a new or different email addresses to perpetrate their fraud schemes.
By examining email account data, institutions can uncover multiple characteristics that increase the risk of a digital application. The email may be disposable; perhaps it can’t be verified in association with the account holder’s name or has never been observed before; or maybe the email domain server is located overseas in a high-risk country.
ID Insight conducted retrospective research of digital account openings that were later identified as fraudulent and forcibly closed. The data confirmed many cases where traditional identity credentials matched completely. Therefore, the information provided on input did not raise any suspicion among institutions using traditional ID verification systems.
However, when integrating data on the email addresses—and combining it with other data associated with the applicant—there was clear evidence of out-of-pattern behavior. In hindsight, these accounts should have been flagged as potentially fraudulent. Knowing this information, financial institutions could have limited account access or privileges until the flagged application could be investigated further. Otherwise, ID thieves can use all the right data (name, SSN, date of birth, and the like) to get an account application approved, then alter the communications channels (address, email and phone) to disconnect the victim from the bank.
Communication channels are predictive
Just as email-specific data enhances fraud screening, so does IP, phone, and physical address information. These additional data sets, when brought together and compared to account application data, help to identify anomalies and out-of-pattern behavior, thus making fraud-scoring processes more accurate and predictive.
For example, for DDA applications via a mobile app, a cell phone number will be required. Again, to prevent detection, fraudsters cannot open new accounts in a mobile app using phone numbers that belong to legitimate consumers. They must submit new or unique numbers (or spoof the customer’s phone number) to prevent consumers from receiving texts or calls about the fraudulently opened accounts. Fortunately, financial institutions can use this necessary part of the fraud scheme for detection purposes.
For years, ID Insight has analyzed phone number data looking for risky patterns. The data reveal patterns that make intuitive sense—the phone is a burner phone with an area code nowhere near the applicant’s physical address, the phone number has been recently ported to a new service provider, or the phone number has not previously been associated with the applicant’s name.
These patterns alone may not prove to be risk factors. However, when used in combination with other identity-related data points, they help influence the risk assessment and become actionable for fraud investigators.
Fraudsters are using massive data sets and cutting-edge technology to update their schemes in the digital space. Banks must build a powerful arsenal of new tools to protect their investments in innovative new services.
Adam Elliott is founder and president of ID Insight, which provides verification, authentication, market research and fraud solutions to banks and other financial companies.
