• TABLE OF CONTENTS •
What is New Account Fraud?
New Account Fraud Stats
The Link between Identity Theft and New Account Fraud
Why New Account Fraud is so Attractive to Criminals
Why New Account Fraud is Difficult to Detect
New Account Fraud Prevention Tips
The term new account fraud describes an activity in which financial accounts are intentionally opened fraudulently or opened with the intent to commit fraud. Quantitatively, new account fraud is widely accepted to be defined as “fraud that occurs on an account within the first 90 days that it is open”.
On its face, new account fraud seems difficult to perform successfully, since it requires the ability to convincingly assume the identity of another person in order to fraudulently open a new account. However, this initial difficulty is not enough to overcome the lucrative nature of new account fraud, which is causing it to grow at an alarming rate.
According to a report by Javelin Strategy & Research, between 2014 and 2015, incidences of new account fraud more than doubled:
“Crooks stole the identities of, or appropriated personal information from, 1.5 million consumers – up from 700,000 in 2014 – to create fraudulent checking, credit card, loan, and other accounts.”
- 2016 Identity Fraud: Fraud Hits an Inflection Point
In fact, new account fraud activity has ramped up so much over the past several years that 20% of all fraud losses are now attributed to new account fraud. And there are no signs that new account fraud will be slowing down anytime soon – instead, the uptick in identity theft via data breaches indicates that new account fraud will become even more prevalent.
Criminals get the information they need to perform new account fraud by stealing identity information. And thanks to the ubiquity of the Internet, identity theft is easier than ever.
It’s not just the increasing popularity of e-commerce that is causing the omnipresence of the Internet – it’s the fact that more and more actions are becoming more and more convenient to perform on the Internet. Actions that seemed cumbersome or even unrealistic to perform on the Internet are now increasingly becoming accessible to and demanded by the majority of consumers.
And unsurprisingly, there are many intersections between the above-mentioned actions that further blur the boundary between the aspects of consumers’ lives that traditionally take place in person and those that are able to take place online:
It’s obvious that the Internet enhances people’s lives by making a variety of tasks more convenient and economical. The caveat, however, is that this convenience almost always requires sensitive, personal information to be entered and stored online:
What this all means is this: the Internet is a treasure trove of identity data that can be used to fraudulently open new accounts – if the criminals know where to look and how to access the data.
“We have had so many breaches lately with very sensitive information being stolen that this trend will continue, if not accelerate, and become more of a problem. I predict we’re going to go from 1.5 million to well over 2 million new account fraud victims next year.”
– Al Pascual, research director and head of fraud and security at Javelin
And once criminals get their hands on identity data, fraudulently opening new accounts is a piece of cake.
It’s not hard to see why criminals are so attracted to data breaches and, subsequently, new account fraud: using stolen identities to commit fraud is incredibly lucrative. Before new account fraud, criminals would likely commit fraud via stolen credit card information. Now, thanks to the versatility of new account fraud, criminals have a variety of fraud opportunities that were not readily available before.
In other words, due to the incredible popularity of the Internet, there are two activities that are not only easier, but much more lucrative:
By conducting data breaches through hacking, criminals can access the personal data of individuals across a variety of different identifiers. The types of industries most commonly targeted by data breaches indicate which types of data are most in demand by identity thieves.
The following is a list of industries considered most susceptible to data breaches according to the percentage of industry-based data breaches in relation to the overall number of data breaches:
Overall, there was an 8.4% increase in data breach incidents via hacking between 2014 and 2015, with the most notable increase occurring in the Banking/Credit/Financial sector, which reported a near doubling of data breaches.
The reason why criminals tend to target businesses is obvious – consumers conduct millions of transactions every day with businesses. However, the popularity of hacking the health/medical industry seems rather curious at first glance.
The health/medical industry exists at the intersection of several other types of industries, most notably the insurance industry. In order to provide accurate, comprehensive, and streamlined healthcare, patient data is constantly being shared electronically with one entity or another; due to the overwhelming amount of healthcare data being shared electronically, HIPAA regulations have been readdressed in order to define the do’s and don’ts of transmitting healthcare information electronically.
In essence, it is within the health/medical industry that the most comprehensive supply of individuals’ identity data is housed. By hacking the databases of the health/medical industry, criminals can uncover the most valuable, sought-after type of identity data: the Social Security number.
Although hacking the most popular industry to hack – the business sector – may result in the theft of millions of individuals’ names and debit/credit card data, it cannot result in the theft of even one Social Security number, since businesses do not need Social Security numbers to conduct transactions. However, of course, this is not the case with the healthcare industry, especially when insurance is involved.
The reason why Social Security numbers are so valuable is obvious: knowing the correct Social Security number is one method of verifying that someone is who he/she says he/she is, which is why the Social Security number is needed for a variety of different personal actions, such as opening a new credit card account.
New account fraud begins with the perpetrator stealing the identity of an unsuspecting consumer. The criminal obtains the name, Social Security number (SSN), and date of birth of an unsuspecting citizen. The targeted individual is unaware that his personal information is being used fraudulently until his bank accounts are emptied or he cannot get a loan due to poor credit from accounts in his name that he knows nothing about.
Not only can criminals open fraudulent credit card accounts once they get their hands on the Social Security number, they can now fraudulently open new checking accounts, open lines of credit, obtain a mortgage loan, and much more.
New-account fraud is one of the most costly fraud types because fraudsters can cultivate high-value accounts – acting like ideal customers until they leave issuers with massive losses.
With new account fraud, criminals are no longer tethered to only using stolen debit/credit card data to conduct fraud.
Victims can’t simply monitor their bank and credit card accounts regularly to thwart new account fraudsters the way they could to immediately thwart debit/credit card fraud.
Unfortunately, there is no method for an individual to monitor the way his/her identity is used. Instead, there are two options: Fraud Alerts or Security Freezes.
A fraud alert places a notice on your credit file so that lenders and creditors know to take extra steps to verify the identity of the individual attempting to open a new account. Verification most often takes place via a telephone call. Placing a fraud alert on credit files is free.
A security freeze places a hold on your credit file so that new accounts cannot be opened unless the hold is lifted using a secret code that is given at the time of the security freeze placement. Placing and lifting security freezes often require the payment of a fee. If an individual wants to open an account but has a security freeze on his/her file, he/she will need to pay to lift the freeze before the account can be opened.
With a fraud alert, lenders and creditors are still able to view individuals’ credit files and grant credit and loans. However, with a security freeze, lenders and creditors are not able to grant credit and loans, and only parties who had access to individuals’ credit files prior to the placement of the freeze will be allowed access to view the credit files.
Despite all the data breaches that have exposed billions of individuals’ personal data, consumers are not clamoring to place blocks on having their identity data used to conduct financial activities, such as opening new accounts. As can be surmised from the above, consumers value convenience – and if placing blocks inconveniences them, they’ll hesitate, even if doing so would prevent fraudulent account openings.
That’s the double-edged sword of the modern world: convenience vs. security.
Not only is detecting new account fraud difficult due to the gap in time between the fraudulent account opening and the victim realizing his/her information was fraudulently used, it is difficult due to the fact that individuals may not know that a block needs to be placed on their information:
“These numbers are by no means the whole story, as breaches have become the third certainty in life. Since 2005, ITRC has tracked 5,810 reported breaches. Many continue to fly under the radar because many businesses aim to avoid the financial dislocation, liability, and loss of goodwill that comes with disclosure and notification. It is safe to assume that the actual number of breaches is much higher than what is reported.”
– Adam Levin, Chairman and Founder of IDT911
And the main, most obvious reason why new account fraud is so difficult to detect? Because all the pieces of data used to verify identities are now potentially in the hands of a criminal:
With the glut of information available from data breaches, even if an institution is able to confidently confirm that all identifiers provided belong to a single individual, there is no guarantee that the person completing the application is that same individual.
For lenders and creditors, new account fraud is and will continue to be a glaring, difficult problem. Short of running an FBI-level background check, all lenders and creditors can do is to remain vigilant on the details:
The following are 12 red flags, as determined by the Association of Certified Fraud Examiners, that can indicate the presence of new account fraud and warrant much closer scrutiny of the new account applicant’s identity:
For consumers, as mentioned above, there are two methods that can be used to try to prevent new account fraud as much as possible: fraud alerts and security freezes.
There are actually three different types of fraud alerts, each defined by the length of time the fraud alert is placed on a credit file:
If you place an initial fraud alert on your credit file, lenders and creditors have to take additional steps to verify that you authorized any new account application before allowing the account to be opened. In addition, each of the three nationwide credit reporting agencies – TransUnion, Experian, and Equifax – is required to give you one free credit report.
An active duty alert is reserved for those who have been called to active duty military service away from their usual duty post. It functions the same as the initial fraud alert, with the addition that your name is removed from prescreened offers of credit for 2 years.
An extended fraud alert is reserved for those who have established that they were victims of identity theft. When an extended fraud alert is placed on your file, creditors and lenders are required to verify that you authorized any new account opening by contacting you via telephone. An extended fraud alert entitles you to two additional free credit reports and to removal from prescreened offers of credit for 5 years. In order to place an extended fraud alert on your file, you have to provide credit reporting agencies with:
A security freeze prevents lenders and creditors from viewing your credit report at all, regardless of whether or not they took extra steps to verify your identity. The reason why blocking your credit report from being viewed is effective is that lenders and creditors cannot issue loans and credit – i.e. open a new account – if they cannot view the credit report.
A security freeze almost always requires a fee to place – typically $5 to $10, depending on where you live.
To place a security freeze, you need to contact each of the three credit reporting agencies – TransUnion, Experian, and Equifax – and give them your name, address, date of birth, Social Security number, and other personal information, in addition to paying the fee. After placing the freeze, each credit reporting agency should send you a unique personal identification number (PIN) that will be needed to lift the security freeze.
Lifting a security freeze requires the above-mentioned PIN and the payment of another fee.
A security freeze, however, will not prevent the following:
Although a security freeze will not stop prescreened offers of credit, you can stop getting prescreened offers of credit by calling 888-5OPTOUT or by filling out the corresponding form. The ability to stop getting prescreened offers of credit is available to all consumers, not just those with a security freeze, and the offers can be stopped for 5 years or permanently.
It should be noted that neither a fraud alert nor a security freeze means that you are in the clear for identity theft: fraud alerts and especially security freezes are effective at preventing new account openings – i.e. new account fraud – but cannot prevent the misuse of accounts that you already have.