We recently listened to an episode of the Freakonomics Radio podcast titled “In Praise of Maintenance.” This episode explores the tradeoffs between innovation and maintenance, and raises the question of whether this is just a false dilemma. Do we really need to choose between building new things and maintaining the things we already have, or can we have both?
This question reminded us of a common challenge faced by financial institutions (FIs) when contemplating their identity fraud protections throughout the customer account lifecycle. While the parallels between fraud prevention strategy and the question of whether to invest in space exploration versus bridge repair are loose at best, they both circle around the same core question… does the choice to actively maintain what is already established necessarily come at the expense of investing in what is new?
When it comes to identity fraud strategy, unfortunately, FIs don’t have any other choice but to walk and chew gum at the same time. When onboarding a brand new customer, it is critical for an FI to thoroughly proof the new customer’s identity and ensure that the person is who they say they are. Failing to verify the identity of a new customer could result in fraud loss, non-compliance, and reputational damage. And for these reasons, most FIs (to varying degrees) do a decent job vetting the identities of their new account applicants. But then what happens once that account is established? The FI has gone through all the paces to establish true belief of identity at the outset of the relationship, why not maintain the identity – making sure it remains solid and uncompromised throughout the entire account lifecycle?
A growing body of evidence suggests that many FIs are not approaching identity maintenance with the appropriate level of rigor. But as identity takeover fraud continues to gain steam, this issue is becoming more and more important. Fraudsters are exploiting this lack of focus on existing account maintenance events (e.g., phone changes, online account changes, address changes, etc.) to fly under the radar and commit account takeover. So what can you do to actively maintain your customer identities? In the simplest terms, when some aspect of your customer’s identity changes from what has previously been established… take a closer look and make sure the change can be explained.
Here are a few examples:
- When you receive a request to update an existing customer’s account with a new phone number and you send account notifications via SMS, check to make sure that phone change is not subterfuge – a fraudster trying to route account alerts away from your true customer.
- When you receive a request to add an authorized user on an existing account and they ask for a new card shipped to a different address, check it out to make sure it isn’t a ploy by a fraudster to get their hands on a working card.
- When someone adds an email address to an existing account and shortly after tries to tokenize their card in a mobile wallet app, make sure it isn’t a fraudster trying to hide the notification from the true account holder.
While each of these examples seems worthy of a closer review, the truth is that many FIs today are not screening for these kinds of events in an automated, score-based, cross-enterprise way. But there are solutions that can help. Operationally speaking, installing these tools is easier than you might think. The system of record for identity is most commonly the Customer Information File (CIF) on the FI’s account processing platform. As such, the ideal solution for identity maintenance interfaces directly with the CIF, monitoring for potentially high-risk changes to your customer’s identity or contact information.
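The three scenarios above share one shape: a contact-detail change followed shortly by a sensitive action, often in a different channel. The sketch below is an added example, not ID Insight's product code; the event names, record layout and 72-hour window are assumptions to be replaced with your own CIF feed's codes and tuning.

```python
from datetime import datetime, timedelta

# Assumed event vocabulary; a real CIF change feed uses its own codes.
CONTACT_CHANGES = {"phone_change", "email_add", "address_change"}
SENSITIVE_ACTIONS = {"wallet_tokenize", "card_reissue", "add_authorized_user", "wire_transfer"}
WINDOW = timedelta(hours=72)  # assumed review window; tune against your own fraud data


def flag_change_then_action(events, window=WINDOW):
    """Return (customer_id, change, action, gap) for each sensitive action that
    follows a contact change on the same customer within `window`.
    Events from every channel and product are merged into one timeline."""
    recent = {}   # customer_id -> [(timestamp, change_type), ...] still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cid, kind, ts = ev["customer_id"], ev["type"], ev["ts"]
        # Forget contact changes that are older than the window.
        live = [(t, k) for t, k in recent.get(cid, []) if ts - t <= window]
        if kind in SENSITIVE_ACTIONS:
            alerts.extend((cid, k, kind, ts - t) for t, k in live)
        if kind in CONTACT_CHANGES:
            live.append((ts, kind))
        recent[cid] = live
    return alerts


# Constructed sample events (not real data).
SAMPLE = [
    {"customer_id": "C1", "type": "email_add", "ts": datetime(2024, 1, 5, 9, 0), "channel": "online"},
    {"customer_id": "C1", "type": "wallet_tokenize", "ts": datetime(2024, 1, 5, 9, 40), "channel": "mobile"},
    {"customer_id": "C2", "type": "phone_change", "ts": datetime(2024, 1, 1, 12, 0), "channel": "call_center"},
    {"customer_id": "C2", "type": "wire_transfer", "ts": datetime(2024, 1, 20, 12, 0), "channel": "online"},
    {"customer_id": "C3", "type": "wire_transfer", "ts": datetime(2024, 1, 2, 8, 0), "channel": "branch"},
]

if __name__ == "__main__":
    for alert in flag_change_then_action(SAMPLE):
        print(alert)
```

Only C1 is flagged: C2's transfer falls outside the window and C3 has no preceding contact change.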
Integrating a score-based solution that detects risky account changes to the CIF can yield the following benefits:
- It ensures that all identity or account changes are properly screened, regardless of channel. This puts you in a better position to detect cross-channel identity fraud attacks.
- It ensures that all identity or account changes are properly screened, regardless of product. This puts you in a better position to see across product siloes and detect instances of full relationship takeover.
- By automating the screening process, it removes the burden of manual review and staff training.
- By automating the screening process, it ensures compliance with Red Flag on every applicable account change (i.e., address changes).
As banking continues to shift away from branches to digital channels, FIs rely increasingly on phone numbers and email addresses as critical contact points for interacting with their customers. Having the right controls deployed in the right systems can ensure that the contact information in the customer profile authentically belongs to the actual customer, thus thwarting identity takeover attacks and maintaining trusted relationships with your customers. Some things really are worth the maintenance.
Criminals have always figured out new ways to perpetrate account takeover (ATO) fraud, and a popular new method exploits a very common method of authentication: customer phone numbers.
A new report indicates that account takeover of mobile phone accounts became nearly twice as prevalent in only one year. Mobile phone accounts represented 12 percent of all takeovers in 2016, up from 7 percent in 2015. In each case, cybercriminals sought to monetize mobile accounts and leverage them to compromise the mobile-based alerting and authentication solutions that financial institutions, issuers, and other businesses rely on to prevent fraud.
While address change is still a preferred path for fraudsters, phone number changes are increasingly becoming a setup event for ATO. Conversations with several ID Insight clients uncovered that account takeover schemes associated with fraudulent phone numbers were becoming prevalent.
The scam often works like this:
- When large money transfers are requested, banks place an outbound call or text message to the customer to confirm the transaction
- Once fraudsters have access to customer account information, they change the pertinent contact details – including address and phone number – to ensure that any attempts at verification are routed directly to the criminals
- When the bank contacts the “customer” to authorize these changes or transactions, they’re just confirming the details with the fraudster
- Once the transaction is approved, the criminal drains the account and moves on to the next victim before the customer realizes that the bank’s well-meaning security processes only enabled the fraudster.
Since several of our financial institution clients were already providing ID Insight customer phone numbers (as input to our fraud prevention solutions), we were able to investigate the emerging phone scheme. Our analysis revealed interesting patterns that – when taken together – often point directly to fraud:
- The greater the geographic distance between the old and new phone numbers, the greater the fraud risks. A change from San Francisco to Sacramento might not draw scrutiny but a change from Baltimore to Spokane may be more indicative of fraud.
- Greater distances between address and phone number. While customers sometimes keep out-of-town phone numbers when moving to a new area code, a phone number that doesn’t match the city or state of residence deserves added scrutiny.
- Changes in phone type. Customers continue to “cut the cord” with landline phones, so any change from a mobile phone number to a landline suggests higher risk than mobile-to-mobile changes.
- Changes in carrier type. Due to their transient nature, prepaid phone numbers and voice-over-IP (VoIP) numbers are far riskier than landlines or post-paid mobile phones when it comes to fraud.
- Urban versus rural. A customer who has spent years using a phone with a rural area code before suddenly changing to an urban area code is worth additional scrutiny.
- NPA NXX (Area Code/Exchange). Many U.S. overseas territories have three-digit area codes and prefixes similar to those in the 50 states, and a basic validation check can reveal whether a phone number has been issued in the U.S.
- Many customers legitimately keep their phone numbers when changing service providers, but new phone numbers that have been recently ported are especially high risk.
- Business phone numbers. If a customer suddenly changes a phone number from a residential or personal number to a business (particularly businesses with a high incidence of fraud, such as check-cashing stores or private mailboxes), then further investigation is necessary.
- Phone number verification. Consumer names can easily be associated with specific phone numbers using independent verification sources. If a customer requests a change to a number that’s already associated to another individual, then the risk of fraud is increased significantly.
These are just some of the individual characteristics and peculiarities of phone number changes that are indicative of suspicious activity. When these individual attributes are combined together in a predictive model, the results are powerful. Paying close attention to phone number changes can alert banks to potential account takeover schemes and help them mitigate risk, while ensuring they can continue to leverage the mobile channel to benefit their businesses.
As with other forms of fraud, only a small percentage of customer-initiated phone changes are fraudulent. But by scrutinizing these changes using data-driven analytics, banks can more easily determine when the phone is baloney.
Anti-fraud technology leader ID Insight has made significant enhancements to its renowned fraud prevention platform to detect fraudulent account activity by screening phone number changes.
In the company’s research of tens of thousands of customer phone number changes in the financial services space, it detected interesting patterns that distinguish legitimate phone number changes from fraudulent changes. The analysis uncovered the following key indicators that signal an elevated risk of fraud:
- Geographic distance. The greater the distance between the new phone number and the old phone number, the larger the risk. Likewise, there is an elevated risk for cases where the new area code is located a large distance from the customer’s current mailing address.
- Carrier type. Changing from a landline to wireless, or wireless to landline often indicates higher risk than going from a wireless number to another wireless number. Certain types of carriers, such as prepaid phone numbers and voice-over-IP (VOIP) lines, are much riskier than landlines or postpaid mobile phones.
- Urban versus rural. A change in phone number from a rural location to one that is tied to an urban center indicates a higher risk than a rural-to-rural or urban-to-urban change.
- Area Code/Exchange. A basic validation check of the area code and exchange confirms that the phone number has been issued to a U.S. customer.
- Local number portability allows customers to retain their phone numbers when changing service providers. New phone numbers that have been recently ported require a higher level of scrutiny.
- Business phone numbers. A change from a residential phone number to a business number. For example, a new phone number that is tied to a check-cashing outlet is highly indicative of fraud.
- Phone number verification. When the consumer name can be associated with the phone number through an independent verification source, the risk of fraud is greatly reduced.
ID Insight took the lessons learned from this research to develop a predictive model that combines individual risk indicators that help fraud investigators prioritize their queue and work the phone number changes that are most suspicious. By verifying the legitimacy of phone number changes, financial institutions are able to reduce the risks and constraints that may be holding them back from more fully utilizing the mobile channel.
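The indicators listed above, and in the earlier analysis of client phone changes, combined into a simple additive score with reason codes an investigator can read. This is an added example, not ID Insight's model: the field names, weights and thresholds are hypothetical, and the inputs are assumed to be already enriched by a phone-data lookup.

```python
from math import asin, cos, radians, sin, sqrt

FAR_MILES = 500        # hypothetical distance threshold
RECENT_PORT_DAYS = 30  # hypothetical "recently ported" cutoff


def miles(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def score_phone_change(old, new, address_loc):
    """Score one phone change; returns (score, reasons).

    `old` and `new` are dicts with assumed field names, filled in beforehand
    by a phone-data lookup. Weights are illustrative, not fitted values.
    """
    port_age = new.get("days_since_port")
    checks = [
        (25, "new number far from old number", miles(old["loc"], new["loc"]) > FAR_MILES),
        (20, "new number far from mailing address", miles(address_loc, new["loc"]) > FAR_MILES),
        (10, "mobile replaced by landline", old["line"] == "mobile" and new["line"] == "landline"),
        (25, "prepaid or VoIP number", new["line"] == "voip" or new.get("prepaid", False)),
        (10, "rural to urban change", old.get("rural", False) and not new.get("rural", False)),
        (30, "area code/exchange not valid U.S.", not new.get("valid_npa_nxx", True)),
        (15, "recently ported", port_age is not None and port_age <= RECENT_PORT_DAYS),
        (20, "business number", new.get("business", False)),
        (20, "name not tied to number", new.get("name_match") is False),
    ]
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]


# Constructed samples using the city pairs from the text (not real customers).
BALTIMORE, SPOKANE = (39.29, -76.61), (47.66, -117.43)
SAN_FRANCISCO, SACRAMENTO = (37.77, -122.42), (38.58, -121.49)
RISKY = score_phone_change(
    {"loc": BALTIMORE, "line": "mobile"},
    {"loc": SPOKANE, "line": "voip", "days_since_port": 3, "name_match": False},
    address_loc=BALTIMORE,
)
BENIGN = score_phone_change(
    {"loc": SAN_FRANCISCO, "line": "mobile"},
    {"loc": SACRAMENTO, "line": "mobile", "name_match": True},
    address_loc=SAN_FRANCISCO,
)
```

Sorting the review queue by this score, highest first, puts the Baltimore-to-Spokane VoIP change ahead of the San Francisco-to-Sacramento mobile change.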
Phone Change Fraud a Growing Problem
ID Insight, whose industry-leading anti-fraud solutions include address and identity verification tools for banks and credit unions, developed the new phone screen solution in response to the growing problem of fraudsters manipulating phone numbers as part of account takeover schemes. Criminals have recognized that when large money transfers are requested or other out-of-pattern account activity takes place, financial institutions are much more likely to place an outbound call or text to their customer to confirm the legitimacy of the requested account action.
Using an abundance of hacked personal data available on the black market, criminals pose as legitimate account holders and change the customer’s contact information, ensuring fraud alerts and other bank communications are sent unwittingly to the perpetrator and paving the way for complete control over their accounts before the victim knows it is happening.
“The mobile phone is a critical channel for bank customers and financial institutions that rely on mobile banking, on-line account opening and mobile wallet applications for convenience,” said Adam Elliott, founder and president of ID Insight. “Having controls in place to ensure the phone number in the customer profile actually belongs to the legitimate customer is critical for reducing fraud risk, which is why we added phone number screening to our portfolio of anti-fraud solutions.”