Account Takeover: When the phone is baloney
Criminals have always figured out new ways to perpetrate account takeover (ATO) fraud, and a popular new method exploits a very common method of authentication: customer phone numbers.
A new report released last week indicates that takeover of mobile phone accounts became nearly twice as prevalent in only one year. Mobile phone accounts represented 12 percent of all takeovers in 2016, up from 7 percent in 2015. In each case, cybercriminals sought to monetize mobile accounts and leverage them to compromise the mobile-based alerting and authentication solutions that financial institutions, issuers, and other businesses rely on to prevent fraud.
While address change is still a preferred path for fraudsters, phone number changes are increasingly becoming a setup event for ATO. Conversations with several ID Insight clients uncovered that account takeover schemes associated with fraudulent phone numbers were becoming prevalent.
The scam often works like this:
- When large money transfers are requested, banks place an outbound call or text message to the customer to confirm the transaction
- Once fraudsters have access to customer account information, they change the pertinent contact details – including address and phone number – to ensure that any attempts at verification are routed directly to the criminals
- When the bank contacts the “customer” to authorize these changes or transactions, they’re just confirming the details with the fraudster
- Once the transaction is approved, the criminal drains the account and moves on to the next victim before the customer realizes that the bank’s well-meaning security processes only enabled the fraudster
Since several of our financial institution clients were already providing ID Insight customer phone numbers (as input to our fraud prevention solutions), we were able to investigate the emerging phone scheme. Our analysis revealed interesting patterns that – when taken together – often point directly to fraud:
- The greater the geographic distance between the old and new phone numbers, the greater the fraud risks. A change from San Francisco to Sacramento might not draw scrutiny but a change from Baltimore to Spokane may be more indicative of fraud.
- Greater distances between address and phone number. While customers sometimes keep out-of-town phone numbers when moving to a new area code, a phone number that doesn’t match the city or state of residence deserves added scrutiny.
- Changes in phone type. Customers continue to “cut the cord” with landline phones, so any change from a mobile phone number to a landline suggests higher risk than mobile-to-mobile changes.
- Changes in carrier type. Due to their transient nature, prepaid phone numbers and voice-over-IP (VoIP) numbers are far riskier than landlines or post-paid mobile phones when it comes to fraud.
- Urban versus rural. A customer who has spent years using a phone with a rural area code before suddenly changing to an urban area code is worth additional scrutiny.
- NPA NXX (Area Code/Exchange). Many U.S. overseas territories have three-digit area codes and prefixes similar to those in the 50 states, and a basic validation check can reveal whether a phone number has been issued in the U.S.
- Recently ported numbers. Many customers legitimately keep their phone numbers when changing service providers, but new phone numbers that have been recently ported are especially high risk.
- Business phone numbers. If a customer suddenly changes a phone number from a residential or personal number to a business (particularly businesses with a high incidence of fraud, such as check-cashing stores or private mailboxes), then further investigation is necessary.
- Phone number verification. Consumer names can easily be associated with specific phone numbers using independent verification sources. If a customer requests a change to a number that’s already associated with another individual, then the risk of fraud is increased significantly.
These are just some of the individual characteristics and peculiarities of phone number changes that are indicative of suspicious activity. When these individual attributes are combined in a predictive model, the results are powerful. Paying close attention to phone number changes can alert banks to potential account takeover schemes and help them mitigate risk, while ensuring they can continue to leverage the mobile channel to benefit their businesses.
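The sketch below is an added example, not ID Insight's model: it combines several of the signals listed above into a simple additive score for one phone-change event. The weights, the 500 km and review thresholds, the field names, and the small area-code lookup are all assumptions made for illustration; a production system would use a trained model and a full NPA-NXX data source.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
# Constructed lookup: area code -> approximate (lat, lon) of its main city.
AREA_GEO = {"415": (37.77, -122.42), "916": (38.58, -121.49),   # San Francisco, Sacramento
            "410": (39.29, -76.61), "509": (47.66, -117.43)}    # Baltimore, Spokane
# Illustrative weights and thresholds: assumptions, not values from the article.
W = {"unknown_area_code": 10, "far_from_old": 25, "far_from_address": 15,
     "mobile_to_landline": 15, "transient_carrier": 20, "recently_ported": 20,
     "name_mismatch": 30}
FAR_KM, REVIEW_AT = 500, 50

@dataclass
class PhoneChange:
    old_number: str            # 10-digit NANP numbers, digits only
    new_number: str
    address_area_code: str     # area code local to the address on file
    old_type: str              # "mobile", "landline", "prepaid" or "voip"
    new_type: str
    recently_ported: bool = False
    name_matches_new: bool = True   # result of an independent name/number lookup

def km_between(ac1, ac2):
    """Great-circle (haversine) distance between two area codes; None if unknown."""
    if ac1 not in AREA_GEO or ac2 not in AREA_GEO:
        return None
    la1, lo1, la2, lo2 = map(radians, AREA_GEO[ac1] + AREA_GEO[ac2])
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_change(c):
    """Return (score, send_to_review, reasons) for one phone-number change."""
    old_ac, new_ac = c.old_number[:3], c.new_number[:3]
    d_old, d_addr = km_between(old_ac, new_ac), km_between(new_ac, c.address_area_code)
    hits = {
        "unknown_area_code": new_ac not in AREA_GEO,
        "far_from_old": d_old is not None and d_old > FAR_KM,
        "far_from_address": d_addr is not None and d_addr > FAR_KM,
        "mobile_to_landline": (c.old_type, c.new_type) == ("mobile", "landline"),
        "transient_carrier": c.new_type in ("prepaid", "voip"),
        "recently_ported": c.recently_ported,
        "name_mismatch": not c.name_matches_new,
    }
    reasons = [k for k, hit in hits.items() if hit]
    score = sum(W[k] for k in reasons)
    return score, score >= REVIEW_AT, reasons

# Constructed events using the article's two city pairs (555-01xx test numbers).
LOCAL = PhoneChange("4155550100", "9165550101", "415", "mobile", "mobile")
DISTANT = PhoneChange("4105550102", "5095550103", "410", "mobile", "voip", name_matches_new=False)
```

Returning the reasons alongside the score lets an analyst see which signals fired, which matters because only a small share of phone changes are fraudulent and most flagged events will need a quick human decision.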
As with other forms of fraud, only a small percentage of customer-initiated phone changes are fraudulent. But by scrutinizing these changes using data-driven analytics, banks can more easily determine when the phone is baloney.
To learn more about ID Insight’s new phone change solution and the company’s full portfolio of anti-fraud technology for financial institutions, contact us to schedule a demonstration.
Written by Adam Elliott
ID Insight President, Co-Founder
Adam has a passion for creating data-driven solutions that produce positive and measurable business results. A recognized name in the analytics area, Adam has won numerous awards for marketing and training, including “Minnesotans on the Move,” the Gold Award at the Houston International Film Festival for analytics training and an award from the American Marketing Association for leading the creation of the largest B2B Webcast in Yahoo’s history. When he’s not inventing new products, he’s on the ice coaching his daughter’s hockey team.