transunion article

Prepare for Emerging Identity Fraud Schemes and What to Do Next

Identity fraud looms large for every organization. The algorithms and machine learning methods we used to combat fraud are the same types of tools fraudsters can easily deploy. Combined with nefarious, automated bots, cybercriminals are employing sophisticated identity fraud schemes to gain access to consumer accounts or directly create fraudulent accounts with both real and fake identities. The speed of cyber attacks powered by automation can be difficult to detect until it’s too late. 

Identity fraud is a universal problem

Fraud endangers the financial integrity of organizations and consumers alike, but it also erodes trust — a fundamental element of commerce. Identity fraud resulted in $24 billion in combined US consumer and financial institution losses in 2021, a 79% increase from 2020. In an increasingly omnichannel commerce environment, consumers prioritize trust, safety and security features of the businesses they choose to use. At the same time, they won’t abide by unnecessary and onerous authentication experiences to prove they are who they say they are. The result of that is poor customer satisfaction and lost business. 

To stay ahead of the curve, businesses should proactively identify new fraud schemes specific to their businesses, and rapidly deploy updated fraud detection solutions that help ensure smooth customer experiences and hold operational expenses in-check.

Growing identity fraud threats 

As technology continues to evolve, so too do the tactics of fraudsters. With every advancement intended to bolster security, malicious actors find new ways to penetrate defenses. It’s a cat-and-mouse game — and the stakes are higher than ever.

TransUnion determined 4.6% of its customers’ digital transactions screened for fraud worldwide were suspected fraudulent attempts in 2022. Digital fraud grew 80% from 2019 to 2022 for transactions measured by TransUnion. Cybercriminals are targeting businesses and consumers more frequently and successfully to obtain identity information, then weaponizing it using automated tools in every digital customer service channel. 

Emerging identity fraud schemes

Their goals haven’t changed; fraudsters still want access to money — and consumer identities hold the key. It’s the speed and sophistication of the tools employed by fraudsters that create new risks. The fact criminals can now attack any organization of any size in any industry is causing the most alarm. Identity fraud touches everyone, and organizations should  continuously review existing fraud detection tools and protocols to look for emerging risks. 

  • Account takeover: Automated bots can run thousands of password combinations in mere seconds, potentially gaining access to a user’s account.
  • Synthetic identity fraud: Instead of stealing one individual’s identity, fraudsters combine real and fake information to create an entirely new identity. This makes detection harder as the identity isn’t directly tied to an actual person.
  • New account fraud: Automated bots mimic human behavior in opening new accounts en masse. They use stolen and fabricated identities (synthetic identities) to provide enough information to successfully open accounts fraudsters will control.
  • Deepfake technology: Advanced software can now create hyper-realistic but entirely fake images, voice recordings and videos. These deepfakes can be used to impersonate legitimate users or staff.
  • Prefill data harvesting: In instances where consumers must fill out forms to get online quotes, organizations often use prefill applications to speed up transactions. Bots can be trained to discover prefill usage, collect personal identifiable information (PII) and use it later in other fraud attacks.
  • PII harvesting: Fraudsters create programs to perform reconnaissance; testing fraud prevention controls to gather information for use in future attacks.

Detecting and preventing emerging fraud

The answer to increased fraud risk isn’t to reject more transactions, nor is it to put legitimate customers through onerous and unnecessary authentication protocols. That will just result in lost conversions, soured relationships, and higher operational costs. 

What’s needed is better data signals to more confidently let your customers transact with the right amount of friction to help ensure trust — while rigorously scrutinizing risky identities. I’ve seen the most successful organizations implement a layered fraud solution that combines identity, device, and behavioral insights to defend against automated fraud attacks. The key is better data enabling a deeper understanding of the risk associated with the consumer device used during an interaction or application: 

  • Ability to pinpoint fake identities: Recognizing synthetic identities, typically fabricated using a combination of real and fake information, is critical to better detecting fraudsters posing as good consumers during account origination.
  • Robust and diverse signals: Understanding the true linkages between devices and personal identity is key to reducing fraud risk. Device reputation data, such as email and device ID related to the device phone number, is important to increasingly detect a compromised device. Safe consumers typically have longstanding behavior with these reputational attributes which match well to other identity attributes (e.g., all are associated with the same household address). 
  • Actionable device history: It’s typical for companies to only store device history for six months. Knowing this practice, fraudsters can recycle devices six months after they were previously used. Without information from a device consortium with broad visibility to risky devices with years of history, organizations might be at greater risk once their device histories are purged.
  • Monitoring form-fill behavior: Real people tend to interact with forms differently than automated programs. Malicious bots complete forms rapidly because they’re just pasting data from a table into the form without stopping. On the other hand, human fraudsters tend to fill out forms inconsistently, completing fields in an unusual sequence and moving slowly where they may be reading information from a document. Monitoring and understanding user interaction with online forms is key to flagging potentially risky applications.
  • Insights from early in the consumer journey: Organizations don’t realize risk is highest earlier in the customer journey. Consequently, they reduce their abilities to detect potential bot attacks and data harvesting tactics. This also limits the opportunity to understand the risk of consumers at onboarding to enable a friction appropriate experience for their good customers. 
  • Assess caller device risk: The vast majority of consumers use a mobile phone to reach a contact center— unlike fraudsters who prefer spoofed and Voice over Internet Protocol (VoIP) calling methods. A pre-answer risk assessment and/or authentication helps move trusted callers to a more streamlined call resolution (without the need for knowledge-based authentication (KBA)) and guides step-up authentication routines for only the minority of risky calls.

Adopt a unified view of fraud and identity risk to detect emerging threats

In the digital age, identity fraud schemes will continue to emerge. While it’s impossible to foresee every threat, businesses that prioritize proactive detection and a cross-channel view of risk will be best equipped to protect their assets and maintain customer trust. 

Effective fraud and authentication solutions like TransUnion TruValidate™ orchestrate identity, device and behavioral insights to help organizations secure trust across channels and deliver seamless experiences for consumers. By distinguishing safe from risky interactions, organizations can help increase customer conversions, reduce fraud losses and enhance the overall customer experience. Gain a unified view of fraud and identity risk across online, offline and call center channels with TruValidate™ fraud and identity risk solutions.

Tagged with:
Posted in: , ,
Author: Shai Cohen

Shai Cohen leads TransUnion's Global Fraud Solutions Group. Cohen has spent decades in the IT and cybersecurity industries leading business units and software engineering and product management teams. He joined TransUnion from RSA, where he was the general manager of its Fraud and Risk Intelligence business. Previously, Cohen served in leadership roles at EMC and Intel.