On February 11, 2019, attorneys general (AGs) from 31 states responded to the FTC’s request for public comment on the Red Flags Rule issued by the FTC in 2007.
When the Red Flags Rule was first issued, a major component required financial institutions to screen address-change requests to reduce account takeover fraud. The reasoning back then was sound, as the primary way in which identity thieves took over an account was to call the victim’s institution, change the address on record, and then request that a new card be delivered to that alternate address where the identity thief was waiting.
In their recent response to the FTC, the AGs acknowledge that this action taken in 2007 has had a significant positive impact on reducing account takeover and identity fraud. But they stress that identity theft is still a major concern and has been exacerbated by the large number of data breaches.
In addition to physical address changes, screening email and phone number changes could also help to reduce identity-related fraud, according to the AGs. Whether or not these additional screens become a compliance requirement, financial institutions should be aware that it is good advice; our data have shown that identity thieves will change the victim’s email address or phone number at the same time they change the address. These multiple changes are intended to disrupt communications to the legitimate customer in order to evade or delay detection.
Although the Red Flags Rule didn’t mandate it, we’ve long encouraged our bank customers to screen email and phone number changes, and to examine IP addresses, to look for suspicious patterns.
Emails and phones make fraud easier
It’s not at all uncommon for a fraudster to change their victim’s phone number on Monday, change the email address on Tuesday, and change the physical address on Wednesday. We have seen this phenomenon in our data.
Having successfully made these changes, the fraudster gets control of the victim’s account and uses a digital payment method to make a large withdrawal. This transaction will be flagged by the bank as suspicious, but when the institution emails or calls to verify the legitimacy of the transaction, they don’t reach the customer. Instead they reach the fraudster on the newly changed phone number or email. And the fraudster responds, “Of course I meant to transfer that $40,000!”
This is just one example of how fraudsters disintermediate account holders from their financial institutions. If the fraudster can take over the communication channel, their chances of successfully stealing money increase exponentially.
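The pattern described above (several contact-channel changes in quick succession, then a large withdrawal) can be expressed as a simple screening rule. The following is an added example, not ID Insight's algorithm: the event format, the 7-day window, the two-channel minimum, the $10,000 threshold, and the idea of recording the pre-change contact value for verification are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHANNELS = {"phone_change", "email_change", "address_change"}

# Constructed sample events: (account, ISO timestamp, event type, detail).
# For a channel change, detail is the value on file BEFORE the change;
# for a withdrawal, detail is the amount in dollars.
SAMPLE_EVENTS = [
    ("A-1001", "2019-02-04T10:15", "phone_change", "555-0100"),
    ("A-1001", "2019-02-05T09:40", "email_change", "owner@example.com"),
    ("A-1001", "2019-02-06T14:05", "address_change", "12 Elm St"),
    ("A-1001", "2019-02-07T11:30", "withdrawal", 40000),
    ("B-2002", "2019-02-04T08:00", "email_change", "pat@example.com"),
    ("B-2002", "2019-02-20T16:45", "withdrawal", 25000),
    ("C-3003", "2019-02-05T12:00", "phone_change", "555-0111"),
    ("C-3003", "2019-02-05T12:10", "address_change", "9 Oak Ave"),
    ("C-3003", "2019-02-06T09:00", "withdrawal", 120),
]

def flag_channel_takeover(events, window=timedelta(days=7),
                          min_channels=2, min_amount=10000):
    """Flag large withdrawals preceded by several contact-channel changes."""
    recent = defaultdict(list)  # account -> [(time, channel, prior_value)]
    alerts = []
    for account, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if kind in CHANNELS:
            recent[account].append((when, kind, detail))
            continue
        if kind != "withdrawal" or detail < min_amount:
            continue
        # Distinct channels changed inside the look-back window. Keep the
        # earliest pre-change value: that is the contact point most likely
        # to still reach the legitimate customer.
        prior = {}
        for changed_at, channel, old_value in recent[account]:
            if when - changed_at <= window:
                prior.setdefault(channel, old_value)
        if len(prior) >= min_channels:
            alerts.append({"account": account, "amount": detail,
                           "changed": sorted(prior), "verify_via": prior})
    return alerts

if __name__ == "__main__":
    for alert in flag_channel_takeover(SAMPLE_EVENTS):
        print(alert)
```

Only account A-1001 is flagged with the default thresholds; the alert carries the pre-change phone, email and address so the verification contact does not go to the newly changed channel.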
Screen every change in communication channel
In 2002, we founded ID Insight based on the knowledge that a successful identity theft typically involved a change of address. This was five years before the Red Flags Rule requiring banks to verify address changes. When digital banking adoption accelerated, we started seeing that additional customer communication channels were becoming part of the evolving fraud schemes. In response, we added email, IP address, and phone number screening to our suite of capabilities.
If financial institutions want to reduce their risk and stay one step ahead of fraudsters, they need to holistically monitor changes to customer communication channels and gain intelligence as to whether these changes are suspicious. The right data and algorithms can make this happen now – institutions don’t have to wait for an FTC action to start better protecting their business and their customers.
About the Author
Adam Elliott is founder and president of ID Insight. He has more than 20 years of experience creating solutions for the financial services and direct marketing industries. A recognized name in data science and analytics, Adam has also held leadership positions at ChexSystems, Deluxe and Time Life. Contact him at firstname.lastname@example.org.