A New Jersey couple didn’t think much of the change-of-address card in their mailbox, even though they had no plans to move. And so began the unchecked delivery of bad news.
A few weeks later, someone in the Miami area went on a three-hour spending spree with the victims’ debit card, ringing up thousands of dollars in ATM withdrawals and purchases.
What happened? The couple fell victim to a new twist on an old scam: identity takeover fraud. About a week after the change-of-address card appeared in the mailbox, the fraudster called the couple’s bank to request a duplicate debit card. The bank mailed the new card to their home, but it was never received as it had been forwarded by the post office.
Two days after receiving the new card, the scammer called the bank again to request a new personal identification number (PIN) to be delivered by mail. Again, the new PIN was forwarded directly to the criminal’s address.
Meanwhile, the couple did not receive a single text, email or phone call from their bank to alert them to the fraudulent account activity.
Meanwhile, subsequent calls by the scammer to the bank raised the cash withdrawal limit and requested a travel notification. This allowed the crook to use the victims’ card unchecked until the customer notified the bank of the fraudulent charges.
Public entity number one: Your personal info, exposed
For innocent, unsuspecting victims, it’s debatable whether there are lessons to learn. But for banks, the implications are clear: In an accelerating digital age, the lines between public and private data are fuzzier than ever before. In 2016 alone, 1,093 reported data breaches left 36 million identities exposed, according to the Identity Theft Resource Center.
But it’s not just hacking that makes identities vulnerable; people share more personal information via social media. Unlike previous eras (when public info was limited to phone directories), today a fraudster has innumerable ways to glean even the most private details.
Simply put, we can no longer think of personally identifying information as private, and that lack of privacy puts a new twist on a classic form of financial fraud: account takeover.
Account takeover has plagued the financial services industry for decades. But today personal data is weaponized to an unprecedented degree. It’s given rise to a 60 percent rise in account takeover losses and a 30 percent jump in losses last year, according to Javelin Research.
What drives these alarming increases? Changing consumer banking habits likely have a major impact on fraud. As consumer relationships with banks become increasingly digital (with Braun Research reporting 62 percent of customers using digital as their primary means of banking), fraudsters exploit high-tech vulnerabilities by using customers’ own personal information to take over and drain bank accounts.
In particular, common customer changes to account information such as address, telephone number and email give criminals an irresistible opportunity. It marks the first necessary step fraudsters must take and often offers the initial indication that fraud is happening. Yet distinguishing legitimate, customer-directed changes from fraudulent changes can be difficult, particularly for small banks.
The plan behind the scam
Here’s how the three-step scam works:
Step one: Get the details
First, the fraudster obtains personal information through illegitimate means, including malware, ransomware or data breaches, or even public sources such as social media. Criminals will also cajole customer service representatives—who think they’re helping legitimate account holders—to relax security protocols and divulge personal information.
This has long marked the first step in account takeover schemes, but it’s the next step that has become much easier in the digital age.
Step two: Set the stage
Once the criminal has the personal details, they attempt to make non-financial changes to the account. These edits don’t involve transactions yet modify details in the customer information file (CIF) that include:
- Online bill payees
- Authorized account users
- Passwords/PINs, and
- Mobile wallet enrollment
The criminal wants to make sure they can intercept any fraud alerts or authentication measures before they reach the customer. Changing the contact information is surprisingly easy for most fraudsters despite banks’ best attempts to add scrutiny.
Step three: Get paid and get out
Finally, once crooks gain firm control of the account, they access the funds and begin to drain the customer’s finances using:
- Card requests
- Online bill payments
- on-us checks
- Cash advances
- Wire transfers
- Check orders, and
- ATM withdrawals
Any suspicious activity alerts are quickly dismissed, since the criminal now controls points of contact between customer and bank. Even if the institution makes phone calls or sends emails, letters or text messages asking the customer to verify activity, the fraudster answers them all—giving the bank a false sense of security that everything “checks out” while the unsuspecting customer holds the bag.
This scam relies on one critical step: intercepting communications between the victim and their bank, made easier because non-financial account changes often fly under the radar. This is particularly true at smaller financial institutions that use manual processes to monitor administrative changes.
No need to be a fraud: From controls to vigilance
Banks are highly motivated to provide prompt and responsive customer service--but many do not scrutinize non-monetary events and thus leave a critical blind spot where fraud thrives.
How can financial institutions protect themselves and their customers from identity and account takeover fraud? First, banks of all sizes must consider whether their identity and fraud protection controls run multi-product and multi-channel.
For example, if a customer requests a change to personal information or account privileges on the deposit side and immediately applies for new products such as mortgage, brokerage accounts or credit cards, the bank needs a comprehensive fraud screening solution to determine any correlation between customer contact changes and new product applications.
Enterprise-wide controls can ensure the customer’s contact information actually belongs to the legitimate customer. Whenever possible, these tools should also be channel-agnostic—not specific to branches, call centers or digital banking portals. These solutions should also be highly automated and require minimal dependence on frontline staff, as front-line authentication can cause undue friction with customers and fail to analyze non-monetary account changes.
Finally, banks should stay vigilant about knowing their customers and keeping customer information up to date. Digital banking’s prevalence underscores how crucial it is to maintain accurate digital points of contact—including mobile phone and email—to fight fraud.
The current fraud environment creates a perfect storm of opportunity for fraudsters, and risk for banks of all sizes. The Aite Group estimates that account takeover fraud will increase 43 percent by the year 2020. Credit card application fraud could grow by 49 percent and DDA application fraud by 79 percent.
Without improved vigilance, fraud losses will continue to mount and consumer confidence will only erode. For customers, enhanced fraud protections focused on non-monetary account chances can strengthen confidence in their banking relationships and ensure critical fraud alerts get delivered without interference.
By using channel agnostic tools and strategies, and implementing fraud controls that require minimal dependence on frontline staff, financial institutions can proactively protect their assets in the face of a changing fraud landscape.
Account takeover fraud may have a new face, but it’s still ugly. When addresses change, the damage hits home. When accounts drain, customers feel empty. But such takeovers are not inevitable—not if banks take over the good fight.
Want more Banking Strategies? Sign up for our free newsletter!
Matt Schraan is vice president of product development for ID Insight. He has 10-plus years’ experience developing and launching products in the financial services and payments industries and has presented at numerous industry conferences on counter-fraud topics. Contact him at firstname.lastname@example.org