New account fraud, also known as Account Opening Fraud or Online Account Origination Fraud, is when fraudsters use stolen or synthetic identities to open new bank accounts, with a view to maxing out their credit limits before disappearing into thin air, usually within 90 days.
The digital revolution occurring in financial services – with more and more people using cashless (EMV) payments and online banking – has created a situation where new account fraud is emerging as one of the biggest concerns for retail banks.
This is because fraudsters are constantly adjusting their operations in order to exploit new weaknesses and boost their profits. For example, while they used to specialize in illegal activities such as counterfeit credit card fraud, they are now committing new account fraud in order to obtain authentic physical cards, making it easier for them to extract cash. Indeed, the FTC estimates that in the US, credit card new account fraud was up 24% year-on-year in 2018; an illustration of cybercriminals’ ability to adapt.
Fraudsters will always seek out and exploit the weaknesses in a bank’s processes and security defenses. Existing anti-fraud prevention methods that are available to banks at the new customer onboarding stage create friction, negatively affecting the user experience to the point where legitimate prospects may quit the application process because it’s too cumbersome.
Banks would therefore rather take the risk of fraud rather than lose potential customers. Unfortunately for them, the criminal underworld knows this. With the rising threat of new account fraud, banks urgently need to find a way to keep the onboarding process as slick and easy as possible, while also identifying and stopping any fraudsters.
Why is new account fraud so hard to spot?
Just because an applicant’s credit report looks fine, doesn’t mean their personal information hasn’t been stolen. On the dark web, entire legitimate identities can be bought for as little as $20. A lot of people don’t even know their details have been either stolen or used inappropriately, and neither do the banks which are processing these applications.
What’s more, the ‘identities’ attached to fraudulent applications are mostly synthetic, where the personal details provided are not all from the same person. This means consumers may never know that their information has been exploited. In addition, since all the details included on the application are individually valid, banks find it challenging to spot any fraudulent activity.
Recent research from Aite Group reveals that 65% of fraud and anti-money laundering (AML) pros believe that synthetic identities are now a bigger issue for banks than regular identity theft.
How successful are banks at counteracting new account fraud?
Banks often rely on their customer service agents as their first line of defense. The Association of Certified Fraud Examiners (ACFE) reported 15 red flags that banks can watch out for when a new customer is opening an account, such as mismatched names and addresses, and even if the applicant is being overly friendly. This manual, human-driven identification process is not 100% reliable and is much less scalable.
New account fraud usually refers to theft from accounts that are less than 90 days. A great deal of damage can happen in three months, especially when you are dealing with an organized identity fraud ring. Plus, the use of real (or a blend of real) details means that fraudulent applications are usually only being detected weeks after the account has been opened.
So, even if the account is detected as fraudulent, criminals will have had plenty of time to cause the bank big losses.
Identity fraud rings exacerbate the problem
Individual fraudsters are likely to open an account, immediately withdraw cash up to the initial credit limit, and then disappear. However, more often it’s the case that the account has been opened as part of the operations of an organized ring of fraudsters. These can even be seemingly legitimate firms with a fully functional management structure. This makes it extremely difficult for banks who attempt to follow up on an individual who is suspected of committing new account fraud.
These criminals open several accounts with varying synthetic identities simultaneously. They have complete control over the accounts from day one (as opposed to when a fraudster performs an account takeover, which is easier for banks to detect) and can then work to build the account’s credit score, increasing their credit lines.
As these threat actors are all part of the same organization, a process referred to as ‘cash-cycling’ occurs, where money is circulated between the fraudulent accounts to imitate legitimate financial activity. As a result, traditional security measures will likely consider these accounts to be completely genuine.
Indeed, some accounts are only ever used as ‘mules’; they exist purely so that money can be transferred in and out again to help conceal the true purpose of other fraudulent accounts. It is likely that many of these mule accounts go completely undetected.
In this way, the crime ring manages multiple accounts, increases their credit lines, and after a short period of time they ‘bust-out’; withdrawing as much money as they can up to their new-and-improved credit limits before vanishing with the money.
To give an idea of the sheer scale of some of these illegal operations, a New Jersey crime ring, when finally arrested by the FBI and prosecuted, were found to be running 7000 synthetic identities, 25,000 credit cards, and to have stolen over $200million.
Reducing the impact of new account fraud
Banks advertising frictionless onboarding processes will be attracting new customers and new fraudsters alike. They now need new strategies which prevent these attacks without compromising their attractiveness to legitimate users. Stopping fraud at this point will save these organizations billions down the line. Simply relying on customer service agents to detect whether a new applicant has fraudulent intentions is clearly not the answer, as new account fraud continues to increase year-on-year.
The only way in which to combat new account fraud is with a holistic, multi-layered approach to security. By recognizing your standard user’s normal online interactions compared to both known legitimate customer behavior and known fraudster behavior, it is possible to weed out the criminals in real time through continuous profiling. Employing behavioral biometrics is an unobtrusive solution which can stop criminals from opening an account and stops them committing fraud before it has happened.