According to the report, The Evolution of New Account Fraud, produced by Javelin Strategy & Research, NAF tactics have shifted with the growing popularity of online accounts and payments. In addition, NAF continues to use more sophisticated identity fraud tactics, including synthetic identities and complete impersonations.
“New account fraud has become the most expensive form of identity fraud for businesses and consumers alike,” Kyle Marchini, senior analyst, fraud management at Javelin Strategy & Research, said in an emailed press release. “Fraudsters have found new and unique ways to bypass the biographical traps set up by organizations, rendering certain validation practices too weak to solely rely upon for protection. Fraud has also migrated, finding less conventional targets, such as loan products, as prime NAF candidates.
New Account Fraud
In fact, NAF hit its second highest level ever, affecting 3.2 million consumers in 2018. One factor contributing to the rise is the mobile phone. The report noted that “for fraudsters, new mobile devices are cheap and new service accounts are easy to obtain. This has made them especially cost-effective tools for committing new account fraud as banks, issuers, and increasingly lenders are not only extending prospective customers the ability to apply online and using mobile apps, but they are relying on increasingly unreliable data from mobile network operators to prevent fraud during account opening.”
And there has also been a rise in familiar fraud, which is where a fraudster personally knows the victim, whether it’s a family member, friend or caretaker.
“GIACT has been closely monitoring the evolution of all types of account-related fraud, including NAF,” said David Barnhardt, executive vice president of product at GIACT. “It’s important that any business processing payments, offerings loans, or exchanging goods and services, rethink and strengthen how they validate their customers’ identities. Enhanced identity proofing throughout the customer lifecycle — from enrollment, payment to a change event — should be applied if fraud is to be challenged.”
Moreover, if one wants to steal a lot of money, large enterprise-level transactions are the way to go because high-value wire transfers won’t stand out as unusual by themselves.
“There are certain companies where it would not be uncommon to see $100 million in wires between two entities,” Barnhardt explained. “What people often don’t understand about the wire is that a lot of money moves through there. A $29 million transaction is large, but it is also a very normal transaction for a lot of very large companies.”
A space where many high-value transactions happen between parties, with a limited ability to authenticate each other, is an unsurprisingly popular target for fraudsters. While that can be daunting, it’s not impossible to stop before the damage is done. In fact, he noted, GIACT has three steps that it advises every client to take, no matter what they do or how many transactions they make.
First, validate the email that made the request. Second, validate the payment account requested. Third, verify directly (or in-person, if at all possible) that they are actually making this request.
The first step, he noted, can happen in the background with technology. Did the email come from the right server — i.e. one associated with the company for which they work — or from some random server on the other side of the world? Does the contact information given match the contact information of the firm from which they claim to be contacting?
The same idea goes for the second step: Does the payment account match one that the firm has paid before? Is the account long-established or relatively new? There is a lot of data that GIACT and similar security firms gather from the background, meant to determine if the email looks right — once one digs past the surface-level information in the sender line. When that data doesn’t sync up right, odds dramatically increase that the transfer request is not legitimate.
The third step is the simplest.
“I almost hate to say this in the digital age, but pick up the phone,” he said. “If you have a number for someone, especially if they are within your own organization. The fraudster is often counting on the fact that, in [a] business context, if it just look[s] right, people won’t take that extra step and double-check that the request makes sense.”
While those losses aren’t as dramatic as what Nikkei lost in late-September (more or less, in a single shot), they are nothing to sneeze at either, Barnhardt told Webster. By his estimate, the type of wire fraud that tripped up Nikkei is a problem worth “hundreds of millions of dollars each year” that is going under-reported.
The U.K. has had instant (or immediate) payments in place for over a decade. Recently, the U.K. announced it is looking to ramp back that speed some for certain types of transactions. The first time a consumer sends someone else an instant payment, that payment will be held for 24 hours — just in case there is a need to claw something back.
“What that tells me,” Barnhardt said, “is that there is a big challenge, and should be our canary in the goal mine in the U.S. about just how tricky things can get when payments become instant and irrevocable. Sounds great when the right person gets the funds, not so good when the wrong one does.”
If we learn nothing else from this week, it is that fraudsters don’t sleep on innovation. They’ve been coming up with ways to combine biometric voice hacking and email phishing schemes to pull up a $29 million fraud in a rather sophisticated global enterprise.
“If I were a voice biometrics security firm today, I’d be sitting up, taking notice and then figuring out how to get ahead of this, because the criminal want[s] to get ahead of them,” he said.
There aren’t easy answers, but there are better tactics. GIACT’s newest tool regularly updates the personally identifiable information (PII) on its clients’ customers to reflect big, relevant changes to their profiles — they’ve moved, they’ve died, they’ve legally changed their name, etc. That alone can flag what might otherwise go undetected, or detected too late in the flow.
Fraudsters will keep on thinking bigger. Beating them back, Barnhardt noted, will be about thinking ahead, and being at vulnerable targets they favor before the attacks begin.
— via PYMNTS