“This is your bank. Did you request a $25,000 wire transfer from your Home Equity Line of Credit?”
Digital banking has changed the way customers interact with their financial institution. With more than 54 percent of customers using telebanking for some or all of their banking interactions, phone number changes are increasingly becoming a setup event for account takeover (ATO) fraud.
Here’s a prototypical scheme:
- A criminal accesses a customer’s account using stolen credentials, social engineering, password generation software or a combination of all three.
- The fraudster changes the primary contact phone number to a phone they control.
- The bank contacts the phone number to verify the change; the fraudster (not the actual customer) responds with OK.
- The crook now controls the entire account and may make small, legitimate-looking transactions to establish a pattern of activity.
- Finally, the fraudster cashes out by requesting a large balance transfer. When the bank calls to confirm the large withdrawal, it’s the crook on the other end of the phone.
According to Javelin Strategy, 2016 saw a 31 percent increase in ATO fraud and a 61 percent increase in ATO-related fraud losses. But the real toll on banks is the time it takes to detect and resolve incidents of ATO fraud, particularly when a phone number change is used to disconnect the legitimate customer from their financial institution.
How can banks take a proactive approach to detecting and preventing ATO fraud perpetrated by using phone changes? First, scrutinize all phone changes more rigorously, including when a customer is adding a new phone number. Ensure the number is legitimate by assessing the carrier, device type and geography associated with the new number. Is your customer from Chicago switching to a “burner” cell phone number in Miami? Taken on its own, this discrepancy could be seen as harmless, but when compared to past patterns of customer behavior, it could seem more sinister. Looking at phone numbers in conjunction with other information changes enhances a bank’s ability to uncover more complicated schemes.
There are clear compliance requirements in place for banks governing address changes, yet the rules are less clear as to how banks should screen phone number changes. Now that a majority of customers (and criminals) use online banking, fraud has evolved to the point where a cash-out doesn’t require a physical address change. As a result, banks should apply the same rigor to phone-change screening as they do to address changes.
It’s important to remember that fraudsters are in the business of disruption: disrupting communication between the bank and its customers and disrupting the fraud detection and prevention processes that are well-known and already in place. Successful fraud schemes require this systemic disruption to succeed, so it’s rarely a single “red flag” that alerts banks to ATO fraud. By including phone changes in the mix of possible precursors to fraud, banks can help ensure that when they call or text a customer, it’s not a criminal on the other end of the line.
We are pleased to introduce our 2018 interns – two people who will be busy putting their skills to work with us this summer.
So Mang Han is a 2018 graduate of St. Olaf College in Northfield, Minnesota. With a Bachelor of Science degree in mathematics and an emphasis in statistics, So has a wide range of college research, leadership and additional work experience. Her data analysis and statistical theory skills will be put to good use as ID Insight continues to infuse more and more predictive analytics into its solutions.
Matthew Markose is an incoming junior at Iowa State University in Ames, Iowa. Matthew is earning a Bachelor of Science in computer engineering and has already completed two Silicon Valley internships. His software development and data manipulation skills plug in perfectly with ID Insight’s processes for continuous and rapid product innovation.
ID Insight interns work side-by-side with our technical and solutions teams to help us drive new product innovation. This includes conducting exploratory research, completing statistical analysis, developing statistical models, and assisting our IT technical team with building new data assets.
ID Insight internships offer an opportunity to develop technical and analytical skills to build your resume. Learn more about careers with ID Insight.
Online banking has helped both accountholders and financial institutions communicate more efficiently, but it has also had a negative impact on fraud detection and prevention. With more account management tasks and transactions taking place online, the opportunity for fraudsters to impersonate legitimate customers has grown exponentially.
With so many new technologies available to predict and prevent fraud, why is account takeover still on the rise? Simply put, fraudsters always take the easiest and most profitable path. If a financial institution puts controls in place to close one vulnerability, then the fraudsters will try and get past it. If bypassing the new control proves more difficult or not cost-effective, then they tend to migrate to other schemes. For example, implementation of EMV chips for U.S. credit and debit cards helped diminish point-of-sale fraud. Fraudsters simply moved on to ATO and new account fraud, aided by data breaches. Online banking is a lucrative channel for criminals as tighter controls eliminate or complicate other options.
Once a criminal obtains access to – and control of – an online account, complete account takeover (ATO) is imminent. How can banks distinguish legitimate customers from fraudsters before they gain control of an account? First, it’s important to understand how an online ATO scam works. We’ll also share a real-world example to help illustrate the strategy behind the scam.
Step One: Obtain Stolen Information
This is perhaps the easiest part of the scam, since millions of identities – including SSNs, DOBs, addresses, phone numbers and email addresses – have already been exposed by high-profile data breaches. Particularly troubling is the availability of “fullz” – complete sets of identity information – on the dark web. In our example fraud scenario, the perpetrator obtains the stolen information and credentials required to establish online banking as if he were the real customer.
According to a 2017 article, a typical fullz record sells for just $30, making it highly affordable and cost-effective for fraudsters. If criminals purchase 100 fullz for $3,000, they only need to be successful with just three out of those 100 identities to make a profit. According to Javelin Research, the mean fraud amount per victim is just over $1,000. It’s a numbers game for fraudsters – if a fullz identity lacks certain criteria (high credit score, no credit monitoring, etc.) then it’s easy for them to write off less-than-ideal fullz records while profiting off only the most vulnerable identities.
Step Two: Change Contact Information
Once the fraudster has a full set of contact, identity and user login credentials (often obtained by other fraudulent means) for the victim’s account, they log in and change the mailing address, phone number and other contact details. This ensures that any fraud alerts, wire transfer authorizations or direct communications from the financial institution go straight to the fraudster. The goal at this stage is for the criminal to get between the legitimate customer and the bank. In our example, the fraudster requests checks from the victim’s home equity line of credit. The bank sends a text message to the fraudster, who verifies the request and confirms the address change.
This is a point at which the financial institution could have caught the fraudster – a comparison of the addresses could have flagged the address change as out-of-pattern behavior. The legitimate customer lives in a large executive home in Scottsdale, AZ but the address change shows the customer moving to a rented mailbox storefront in Northridge, CA. Taken at face value, the change looks legitimate, but after further analysis, more suspicions arise. Not every customer information change can be verified manually, but an automated solution using multiple sources of data could have helped detect account takeover fraud in the making.
Step Three: Cash Out
Now that the fraudster has successfully impersonated the customer, the payoff begins. In our example, the bank mails home equity line checks to the new address (the rented mailbox) after confirming the address change with who they thought was the legitimate customer. The fraudster then cashes in more than $250,000 worth of checks before the bank catches on to the scam, while the perpetrator moves along to the next opportunity.
Detection and Prevention
Preventative measures that take an automated and predictive approach to detection, including monitoring for non-monetary transactions, are one way to curb account takeover fraud. With some large financial institutions investing heavily in processes and solutions to stop both ATO and new account fraud, organized fraud rings will begin targeting organizations that have not shored up their defenses. The criminals will quickly find the most vulnerable mark and – like a wild animal stalking its prey – will persist until their goals are met.
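A sketch of the kind of automated check described above, written for this page as an added example and not taken from ID Insight or any vendor's product: it scores recent phone and address changes on an account and decides where a large request should be confirmed. The field names, weights, threshold, 30-day window and the rule of verifying on the previously known contact are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

RISKY_LINE_TYPES = {"prepaid", "voip"}   # assumed output of a carrier/line-type lookup
WINDOW = timedelta(days=30)              # assumed look-back before a large request

def score_change(event, home_region):
    """Score one non-monetary change; returns (points, reasons)."""
    reasons = []
    if event["type"] == "phone_change" and event["line_type"] in RISKY_LINE_TYPES:
        reasons.append((2, "new number is prepaid/VoIP"))
    if event["type"] == "address_change" and event["address_kind"] == "mailbox_store":
        reasons.append((2, "new address is a rented mailbox"))
    if event["region"] != home_region:
        reasons.append((1, f"{event['type']} moves outside {home_region}"))
    return sum(p for p, _ in reasons), [r for _, r in reasons]

def review_request(request, history, home_region, threshold=4):
    """Pick how to confirm a large request, given recent contact changes."""
    recent = [e for e in history
              if e["account"] == request["account"]
              and timedelta(0) <= request["ts"] - e["ts"] <= WINDOW]
    score, reasons = 0, []
    for event in recent:
        points, why = score_change(event, home_region)
        score += points
        reasons += why
    if len({e["type"] for e in recent}) > 1:
        score += 1
        reasons.append("phone and address changed in the same window")
    if score >= threshold:
        action = "hold_and_verify_on_prior_contact"
    elif recent:
        action = "verify_on_prior_contact"   # never confirm on a just-changed number
    else:
        action = "confirm_on_current_contact"
    return {"score": score, "action": action, "reasons": reasons}

# Constructed sample data (not from the page); the home region for all accounts is AZ.
DAY = datetime(2018, 6, 1)
HISTORY = [
    {"account": "A1", "ts": DAY, "type": "phone_change",
     "line_type": "prepaid", "region": "CA"},
    {"account": "A1", "ts": DAY + timedelta(days=1), "type": "address_change",
     "address_kind": "mailbox_store", "region": "CA"},
    {"account": "B2", "ts": DAY, "type": "phone_change",
     "line_type": "postpaid", "region": "AZ"},
]

if __name__ == "__main__":
    for acct in ("A1", "B2", "C3"):
        req = {"account": acct, "ts": DAY + timedelta(days=10)}
        print(acct, review_request(req, HISTORY, "AZ"))
```

No single change on account A1 is conclusive, but the combination pushes the request to a hold, and even the low-risk change on B2 routes confirmation to the contact details held before the change.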
The entire financial services industry – especially smaller banks, community banks and credit unions – must take note of the rise in ATO fraud and begin plugging holes in their fraud defenses. Online banking is rapidly becoming the path of least resistance for fraudsters, and while better controls will not eliminate fraud completely, they will make the cost and effort involved too rich for criminals that are seeking an easy score.
Learn more about how to prevent account takeover fraud.