Fighting New Account Fraud is Good Business

According to Javelin Research, from 2013-2015, businesses lost $7.5 billion to new account fraud, and annual losses are trending upwards. Between the move to EMV credit cards, the ease of online account applications, and the vast amount of stolen personal information, criminals are motivated and able to open new financial, rental, and other kinds of accounts using stolen or synthesized identities. They are even developing “best practices” for these scams, behaving like responsible customers for a time to build up better credit before skipping out with money or goods.

In a recent post, we discussed how new account fraud victimizes both businesses and the individuals whose personal information is used in the fraud. Not only do businesses lose money to the fraud itself, they can face regulatory action for not fully authenticating applicants, and they can lose reputation and possible future business if the identity theft victims have a bad experience in trying to have their names removed from fraudulent accounts. Given the growth and potential costs of new account fraud, it makes sense to strengthen account approval processes. Here are some things your organization can do to resist new account fraud.

Customers Come First: Tools of the Data Breach Trade

Measuring New Account Fraud

A recent article in American Banker notes that banks often underestimate losses due to fraudulent accounts, instead charging the losses off to bad debt issues. The problem is that unless a consumer or law enforcement official reports identity theft, it’s difficult for a business to know whether an account was fraudulent or the account holder simply didn’t pay his or her bills.

From a governance/risk management standpoint, it’s difficult to know how much to invest in fighting new account fraud if you can’t assess what it’s costing you. But that’s hard to assess without investing in tools and processes that identify fraudulent accounts. If your business has significant losses due to unpaid accounts, you could start with some of the easier, less expensive measures to review new account applications and invest in more sophisticated solutions based on what you find. You could also use simple tools to analyze a year or two of past delinquent accounts, both to assess current costs and as a baseline to measure the success of new validation efforts.

Fighting New Account Fraud

There are several broad approaches to fighting new account fraud. One easy step is to use multi-factor authentication for account applications. For example, applicants can be required to enter a code sent to a cell phone, or they can be presented with challenge questions to confirm their identity such as addresses where they’ve lived in the past. These measures aren’t 100%, as criminals could open a cell phone account or get answers to challenge questions from public records, but it can slow down criminal organizations trying to open large numbers of fraud accounts at the same time.

The second tactic is to strengthen validation of the personal information submitted on the account application. Your account application system may already have simple validation logic to reject obviously fake information—for example, SSNs like “123456789” or ones that have all zeros in any of the number groups. You can also use commercial services to verify that a given SSN was issued and the recipient’s death has not been reported to the Social Security Administration. (Most services only work for SSNs issued before June 25, 2011, before the Social Security Administration went to a randomized mechanism for issuing numbers.) Some businesses verify cell phone data, confirming how long the phone number has been attached to the applicant’s name and whether it bills to the given address. Reverse email lookup services can identify newly created email addresses that are more likely to be involved in fraud. In some industries, such as banking, institutions are also joining consortiums to share information about personal identifiers that have been used for fraud.

A third approach is to use analytics to spot patterns that may indicate fraud. For example, are there multiple applications coming in for the same address or cell phone number? Does an applicant 25 years old or older have a newly issued SSN? Or after a new account has been set up, is there a pattern of small deposits being made and then immediately withdrawn? These are all common indicators of new account fraud. These analytics can also be applied within a security consortium. If the same personal identifiers have been used to apply for accounts at multiple businesses on the same day, that’s a red flag.

Make Fraud Fighting Part of Your Culture

New account fraud is inevitable: Javelin Research predicts that losses from new account fraud and account takeover will skyrocket to $8 billion in 2018. As decision-makers, we need to acknowledge it and plan for it in our new account systems and processes. But we also need to consider the other victims of new account fraud, people whose personal information is misused, and we need to protect them in two ways. First, we need to have clear processes for handling fraud when it is reported by the victims. We need to make it easy for an individual to prove that they didn’t open the account, we need to be able to quickly close the account and take their name off it, and we need to quickly notify credit bureaus of the change so that these victims are not left for months or years with damaged credit reports that hurt their ability to get loans, jobs, housing, and other life needs.

The other thing we need to ensure is that our culture doesn’t encourage new account fraud. From the bad loans that crashed the housing market in 2008 to the Wells Fargo new account scandal, we have seen that a culture that values new business over good business is damaging for consumers and for the organization itself. So let’s find ways to reward not just the employee who brings in new accounts but the one who brings in good customers. It may take a little longer to measure and reward, but it will pay off in the end.

Customers Come First: Tools of the Data Breach Trade