Socure analysis recently spotted an increase in a fraud trend affecting both neobanks and traditional tier-one depository financial institutions.
We continue to observe an increase in Clean True Name ID Theft across a wide number of customer application flows, where fraudsters present pristine (stolen) personally identifiable information (PII) at the point of a new application. Because all of the PII is real, these fraudulent applications pass most new account opening checks, which have greatly improved over the last couple of years, led in many places by Socure’s capabilities. However, shortly after an account is successfully opened, the fraudster modifies the contact details on the account, including email, phone, and/or address, by calling into the call center or going through mobile or online channels, whichever offers the least friction.
These bad actors are counting on two things:
- First, that the true owner of the PII won’t react to any notifications in time.
- Second, that post-day zero controls aren’t as stringent as those in place for new account opening, which we have found to be almost universally true.
Account Takeover or Clean True Name ID Theft?
This commonly presents as Account Takeover, because the non-monetary account changes appear after a fraudster has successfully opened an account and is able to make changes before the victim is aware that an account was opened. We also commonly see fraudsters discover a loophole in compensating controls: the PII originally provided, such as email or phone, is not subjected to two-factor authentication during origination.
The bad actors are using traditional ATO attack patterns, often replacing the consumer’s real phone number with a non-fixed VoIP number. The IP address geolocation also places the person making the non-monetary change more than 100 miles from the physical address, or the email is tumbled so that it resembles the real email address with only slight alterations, among a number of other signals that Socure is able to uniquely identify. In a recent study, a top 10 U.S. bank was able to capture over 50% of confirmed losses in just the top 5% of risk depth at a false positive ratio of better than 1:1. We are advising our customers experiencing either of these use cases to utilize Socure’s EmailRisk and PhoneRisk, as well as our 100s of highly predictive reason codes, during any non-monetary PII change events to verify both the ownership and risk of the new identity attribute. Socure customers who mail out physical cards or tax records are also advised to validate any address changes post-origination. While we see that most of these account changes happen within the first 14 days, and often within 72 hours, we have seen instances where bad actors wait two months or more before changing the contact PII elements to avoid detection by the true consumer.
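The signals named above, combined into a simple rule check over non-monetary change events, as an added example (not Socure's models or code). The event field names, the `new_line_type` value (assumed to come from a carrier lookup), the flag names and the 0.85 similarity cut-off are assumptions; the 100-mile and 14-day thresholds come from the text.

```python
import math
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Thresholds from the article; field and flag names are assumptions.
IP_DISTANCE_MILES = 100
EARLY_WINDOW = timedelta(days=14)
TUMBLE_SIMILARITY = 0.85  # assumed cut-off for "slightly altered"

def miles_between(a, b):
    """Great-circle distance between two (lat, lon) points, in miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def is_tumbled(old, new):
    """New address differs from the old one but closely resembles it."""
    old, new = old.strip().lower(), new.strip().lower()
    return old != new and SequenceMatcher(None, old, new).ratio() >= TUMBLE_SIMILARITY

def flag_change(ev):
    """Return the risk flags raised by one non-monetary contact change."""
    flags = []
    # Most changes land within 14 days of opening, but some wait two months
    # or more, so an older account never clears the other flags.
    if ev["changed_at"] - ev["opened_at"] <= EARLY_WINDOW:
        flags.append("early_change")
    if ev["field"] == "phone" and ev.get("new_line_type") == "non_fixed_voip":
        flags.append("non_fixed_voip")
    if ev["field"] == "email" and is_tumbled(ev["old"], ev["new"]):
        flags.append("tumbled_email")
    if miles_between(ev["ip_geo"], ev["address_geo"]) > IP_DISTANCE_MILES:
        flags.append("ip_far_from_address")
    return flags

# Constructed sample events (not real data).
OPENED = datetime(2024, 3, 1, 9, 0)
NYC, NEWARK, LA = (40.7128, -74.0060), (40.7357, -74.1724), (34.0522, -118.2437)
BASE = {"opened_at": OPENED, "address_geo": NYC}
EVENTS = [
    {**BASE, "field": "phone", "old": "+12125550100", "new": "+13235550199",
     "new_line_type": "non_fixed_voip", "ip_geo": LA,
     "changed_at": OPENED + timedelta(days=2)},
    {**BASE, "field": "email", "old": "jane.doe@example.com",
     "new": "jane.d0e@example.com", "ip_geo": NEWARK,
     "changed_at": OPENED + timedelta(days=70)},
    {**BASE, "field": "email", "old": "jane.doe@example.com",
     "new": "jd.consulting@example.org", "ip_geo": NEWARK,
     "changed_at": OPENED + timedelta(days=200)},
]
```

The second event shows the delayed variant: the change arrives 70 days after opening, so only the tumbled-email flag fires and a purely time-based rule would miss it.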
By using a combination of our Email, Phone and Address RiskScores and additional risk signals, Socure customers have seen outstanding performance in identifying and stopping Clean True Name ID Theft before it can cause financial loss to deposit organizations, and harm to the real consumer.
Steps to Address Clean True Name Identity Theft
We are asking our customers and the industry to remain diligent and constantly assess and reassess non-monetary changes that may come into the call center, via online channels or mobile. We also believe that it is important to label this type of fraud vector accurately. Our concern is that the industry will consider this to be Account Takeover (ATO) fraud, because that is what the pattern appears to be. Labeling this pattern inaccurately as an ATO will impact new application fraud and ATO models, and under-optimize our ability as an industry to target and catch this pattern.
Fraudsters are evolving, and will continue to evolve, their behaviors and test to find weaknesses in your controls. Socure uses a combination of the most comprehensive phone and email datasets in the industry, predictive machine learning models, network velocity data and fraud feedback data from our customers to provide the most predictive solutions to identify and stop fraud from Clean True Name ID Theft and ATO. Let’s work together to stop financial loss and consumer harm in the U.S. banking system.
Johnny Ayers
Johnny Ayers is founder and CEO of Socure. Since founding the company in 2012, he has had a number of roles, including managing and leading strategy for the Direct Sales, Channel, Product, and Growth organizations. Johnny has been instrumental in building the company's tremendous customer base and suite of industry-leading digital identity verification and fraud prevention solutions. He is also a frequent expert speaker on fraud, authentication, and KYC/AML, and has been quoted in publications such as the WSJ, Forbes, Bloomberg, Thomson Reuters, Cheddar, PYMNTS.com, and more. In 2022 he was awarded Ernst & Young’s Entrepreneur of the Year and Finovate Executive of the Year, and he has been named by Goldman Sachs as one of the top 100 Entrepreneurs of 2021 and 2022. Outside of Socure, Johnny is an investor in and an advisor to companies including Acorns, Alloy, Astra, Bask, BillGo, Chipper Cash, Commerce Ventures, Curve, MoCaFi, and more.