• TABLE OF CONTENTS •
What is New Account Fraud?
New Account Fraud Stats
The Link between Identity Theft and New Account Fraud
Why New Account Fraud is so Attractive to Criminals
Why New Account Fraud is Difficult to Detect
New Account Fraud Prevention Tips
The term new account fraud describes an activity in which financial accounts are intentionally opened fraudulently or opened with the intent with which to commit fraud. Quantitatively, new account fraud is widely-accepted to be defined as “fraud that occurs on an account within the first 90 days that it is open”.
On its face, new account fraud seems difficult to successfully perform since it requires the ability to convincingly assume the identity of another in order to fraudulently open a new account. However, this seeming initial difficultly is not enough overcome the lucrative nature of new account fraud, causing it to grow at an alarming rate.
According to a report by Javelin Strategy & Research, between 2014 and 2015, incidences of new account fraud more than doubled:
“Crooks stole the identities of, or appropriated personal information from, 1.5 million consumers – up from 700,000 in 2014 – to create fraudulent checking, credit card, loan, and other accounts.”
- 2016 Identity Fraud: Fraud Hits an Inflection Point
In fact, new account fraud activity has ramped up so much the past several years that 20% of all fraud losses is now attributed to losses from new account fraud. And there are no signs that new account fraud will be slowing down anytime soon – instead, the uptick in identity theft via data breaches indicates that new account fraud will become even more prevalent.
Criminals get the information they need to perform new account fraud by stealing identity information. And thanks to the ubiquity of the Internet, identity theft is easier than ever.
It’s not just the increasing popularity of e-commerce that is causing the omnipresence of the Internet – it’s the fact that more and more actions are becoming more and more convenient to perform on the Internet. Actions that seemed cumbersome or even unrealistic to perform on the Internet are now increasingly becoming accessible to and demanded by the majority of consumers.
- The ease and familiarity of e-commerce have enticed ever-increasing numbers of consumers to conduct transactions online:
- We are currently at the equilibrium point of commerce: 51% of consumers prefer to shop online and 49% of consumers prefer to shop in-store
- 67% of millennials and 56% of Generation X-ers prefer to shop online than in-store
- Ecommerce is averaging 23% growth each year
- 40% of consumers say ‘they couldn’t live without online shopping’
- The ease and costless nature of email means communication is increasingly happening online rather than over the phone
- There are over 4.35 billion email accounts and 2.586 billion email users worldwide
- 72% of consumers say that email is their preferred form of communication with businesses
- 30% of consumers read email exclusively on their mobile device(s)
- In addition to email, the Internet provides consumers convenient and free method of communication: social media
- There are over 2.3 social media users worldwide
- Each Internet user has, on average, 5 social media accounts
- The number of social media users grew by 176 million last year
- Facebook and Whatsapp alone handle approximately 60 billion messages per day
- Even healthcare is becoming easier to access and manage online
- 66% of consumers are willing to use a mobile app to manage their health
- 77% of consumers say that the ability to book, change, or cancel appointments online is important
- 76% of consumers believe that technology designed to manage health has the potential to actually improve health
And unsurprisingly, there are many intersections between the above mentioned actions that further blur the boundary between the aspects of consumers’ lives that traditionally take place in-person and those that are able to take place online:
- 49% of consumers expect to hear back from their doctor within a few hours of either requesting an appointment or requesting a follow-up discussion via social media
- 30% of online shoppers say that they are likely to purchase an item seen on a social media platform, such as Facebook or Instagram
- 68% of consumers say that an email marketing message directly resulted in an online purchase
It’s obvious that the Internet enhances people’s lives by making a variety of tasks more convenient and economical. The caveat to this convenience, however, is the fact that this convenience almost always necessitates sensitive, personal information to be entered and stored online:
- Every day, 1 million new active users open social media accounts – this breaks down to 12 active new users per second!
- There are currently an estimated 4.9 billion email accounts in use worldwide – this number is expected to reach 5.6 billion in 2019
- Between 2000 and 2017, the number of Internet users worldwide grew by 923.9%. Currently, there are 3.7 billion Internet users worldwide, which amounts to just under half of the world’s population at 49.2%
What this all means is this: the Internet is a treasure trove of identity data that can be used to fraudulently open new accounts – if the criminals know where to look and how to access the data.
“We have had so many breaches lately with very sensitive information being stolen hat this trend will continue, if not accelerate, and become more of a problem. I predict we’re going to go from 1.5 million to well over 2 million new account fraud victims next year.”
– Al Pascual, research director and head of fraud and security at Javelin
And once criminals get their hands on identity data, fraudulently opening new accounts is a piece of cake.
It’s not hard to see why criminals are so attracted to data breaches and, subsequently, new account fraud: using stolen identities to commit fraud is incredibly lucrative. Before new account fraud, criminals would likely commit fraud via stolen credit card information. Now, thanks to the versatility of new account fraud, criminals have a variety of fraud opportunities that were not readily available before.
In other words, due to the incredible popularity of the Internet, there are two activities that are not only easier, but much more lucrative:
- Obtaining a massive number of individuals’ identity data – i.e. identity theft
- Fraudulently opening a variety of new accounts
By hacking to conduct data breaches, criminals can access the personal data of individuals across a variety of different identifiers. By seeing the types of industries that are most commonly the targets of data breaches, the types of data that is most in demand by identity thieves can be surmised.
The following is a list of industries considered most susceptible to data breaches according to the percentage of industry-based data breaches in relation to the overall number of data breaches:
- Business – 40%
- Health/Medical – 35.5%
- Banking/Credit/Financial – 9.1%
- Government/Military – 8.1%
- Education – 7.4%
Overall, there was an 8.4% increase in data breach incidents via hacking between 2014 and 2015, with the most notable increase in data breaches occurred in the Banking/Credit/Financial sector, which reported a near double increase in data breaches.
The reason why criminals tend to target businesses is obvious – consumers conduct millions of transactions everyday with businesses. However, the popularity of hacking the health/medical industry seems rather curious at first glance.
The health/medical industry exists at the intersection of several other types of industries, most notably, the insurance industry. In order to provide accurate, comprehensive, and streamlined healthcare, patient data is constantly being shared with one entity or another electronically; due to the overwhelming amount of healthcare data being shared electronically, HIPPA regulations have been readdressed in order to define the do’s and don’ts of transmitting healthcare information electronically.
In essence, it is within the health/medical industry that the most comprehensive supply of individuals’ identity data is housed. By hacking the databases of the health/medical industry, criminals can uncover the most valuable, sought-after type of identity data: the Social Security number.
Although hacking the most popular industry to hack – the business sector – may result with the stealing of millions of individuals’ names and debit/credit card data, it cannot result with the stealing of even one Social Security number since businesses do not need Social Security numbers to conduct transactions. However, of course, this is not the case with the healthcare industry, especially when insurance is involved.
The reason why Social Security numbers are so valuable is obvious: knowing the correct Social Security number is one method of verifying that someone is who he/she says she is, which is why the Social Security number is needed for a variety of different personal actions, such as opening a new credit card account.
New account fraud begins with the perpetrator stealing the identity of an unsuspecting consumer. The criminal obtains the name, Social Security number (SSN), and date of birth of an unsuspecting citizen. The targeted individual is unaware that his personal information is being used fraudulently until his bank accounts are emptied or he cannot get a loan due to poor credit from accounts in his name that he knows nothing about.
Not only can criminals open fraudulent credit card accounts once they get their hands on the Social Security number, they can now fraudulently open new checking accounts, open lines of credit, obtain a mortgage loan, and much more.
New-account fraud is one of the most costly fraud types because fraudsters can cultivate high-value accounts – acting like ideal customers until they leave issuers with massive losses.
With new account fraud, criminals are no longer tethered to only using stolen debit/credit card data to conduct fraud.
Victims can’t simply monitor their bank and credit card accounts regularly to thwart new account fraudsters just like they could to immediately thwart debit/credit card fraud.
Unfortunately, there is no method for an individual to monitor the way his/her identity is used. Instead, there are two options: Fraud Alerts or Security Freezes.
A fraud alert places a notice on your credit file so that lenders and creditors know to take extra steps to verify the identity of the individual attempting to open a new account. Verification most often takes place via a telephone call. Placing a fraud alert on credit files is free.
A security freeze places a hold on your credit file so that new accounts cannot be opened unless the hold is lifted using a secret code that is given at the time of the security freeze placement. Placing and lifting security freezes often require the payment of a fee. If an individual wants to open an account but has a security freeze on his/her file, he/she will need to pay to lift the freeze before the account can be opened.
With a fraud alert, lenders and creditors are still able to view individuals’ credit files and grant credits and loans. However, with a security freeze, lenders and creditors are not able to grant credit and loans, and only parties who had access to individuals’ credit files prior to the placement of the freeze will be allowed access to view the credit files.
Despite all the data breaches that have exposed billions of individuals’ personal data, consumers are not clamoring to place blocks on having their identity data used to conduct financial activities, such as opening new accounts. As it is clearly surmised above, consumers value convenience – and if placing blocks inconveniences themselves, they’ll hesitate, even if it means doing so would prevent fraudulent account openings.
That’s the double-edged sword of the modern world: convenience vs. security.
Not only is detecting new account fraud difficult due to the gap in time between the fraudulent account opening and the victim realizing his/her information was fraudulently used, it is difficult due to the fact that individuals may not know that a block needs to be placed on their information:
“These numbers are by no means the whole story, as breaches have become the third certainty in life. Since 2005, ITRC has tracked 5,810 reported breaches. Many continue to fly under the radar because many businesses aim to avoid the financial dislocation, liability, and loss of goodwill that comes with disclosure and notification. It is safe to assume that the actual number of breaches is much higher than what is reported.”
– Adam Levin, Chairman and Founder of IDT911
And the main, most obvious reason why new account fraud is so difficult to detect? Because all the pieces of data used to verify identities are now potentially in the hands of a criminal:
With the glut of information available from data breaches, even if an institution is able to confidently confirm that all identifiers provided belong to a single individual, there is no guarantee that the person completing the application is that same individual.
For lenders and creditors, new account fraud is and will continue to be a glaring, difficult problem. Short of running an FBI-level background check, all lenders and creditors can do is to remain vigilant on the details:
- Make sure all new account applications are completely filled out
- Ask for identity documents, such as a driver’s license, whenever possible
- If available, use a consumer reporting system to verify individuals’:
- dates of birth
The following are 12 red flags, as determined by the Association of Certified Fraud Examiners, that can indicate the presence of new account fraud and warrants a much closer scrutiny of the new account applicant’s identity:
- The name provided by an applicant doesn’t match the name returned by a credit bureau search of a given Social Security number
- The applicant is over 25 years old but has a newly-issued Social Security number
- The applicant is over 25 years old and has an established Social Security number, but has a name and address that were established within the previous 6 months
- The applicant is over 25 years old but does not have any history with financial institutions
- Two different names with differing corresponding addresses are returned by a credit bureau search of a given Social Security number, with one name and address pair matching the applicant
- The applicant’s primary identity document, such as a driver’s license, was issued within the past 60 days
- The applicant’s home address (or business address) is not located in the same geographical region as the financial institution’s location
- The address on the applicant’s identity document differs from the address written on the application
- The opening deposit, on a new account opening that requires deposits, is given in cash and less than $500
- The applicant does not present a driver’s license as an identity document even though their listed occupation requires driving
- The applicant uses a mail drop address, such as a P.O. Box, instead of a physical address
- The applicant is overly friendly
For consumers, as mentioned above, there are two methods that can be used to try to prevent new account fraud as much as possible: fraud alerts and security freezes.
There are actually three different types of fraud alerts, each defined by the length of time the fraud alert is placed on a credit file:
- Initial Fraud Alert: 90 days
- Active Duty Alert: 1 Year
- Extended Fraud Alert: 7 Years
If you place an initial fraud alert on your credit file, lenders and creditors have to take additional steps to verify that you authorized any new account application before allowing the account to be opened. In addition, each of the three nationwide credit reporting agencies – TransUnion, Experian, and Equifax – are required to give you one free credit report.
An active duty alert is reserved for those who have been called to active duty military service away from their usual duty post and functions the same as the initial fraud alert with the addition that your name is removed from pre-screened offers of credit for 2 years.
An extended fraud alert is reserved for those who have established that they were victims of identity theft. When an extended duty fraud alert is placed on your file, creditors and lenders are required to verify that you authorized any new account opening by contacting you via telephone. An extended duty fraud alert entitles you to two additional free credit reports and to removal from prescreened offers of credit for 5 years. In order to place an extended duty fraud alert on your file, you have to provide credit reporting agencies with:
- The police report showing that you have been a victim of identity theft. This report is called the “Identity Theft Report”
- A daytime phone number and an evening phone number
A security freeze prevents lenders and creditors from viewing your credit report at all, regardless of whether or not they took extra steps to verify your identity. The reason why blocking your credit report from being viewed is effective is that lenders and creditors cannot issue loans and credit – i.e. open a new account – if they cannot view the credit report.
A security freeze almost always requires a fee to place – typically $5 to $10, depending on where you live.
To place a security freeze, you need to contact each of the three credit reporting agencies – TransUnion, Experian, and Equifax – and give them your name, address, date of birth, Social Security number, and other personal information, in addition to paying the fee. After placing the freeze, each credit reporting agency should send you a unique personal identification number (PIN) that will be needed to lift the security freeze.
Lifting a security freeze requires the above mentioned PIN and the payment of another fee.
A security freeze, however, will not prevent the following:
- Getting prescreened offers of credit
- Having your credit report released to lenders and creditors with whom you already have an established, current relationship; this extends to debt collectors acting on behalf of those lenders and creditors
- Granting access to your credit report to government agencies in accordance with a court/administrative order, subpoena, or search warrant
Although a security freeze will not stop prescreened offers of credit, you can stop getting prescreened offers of credit by calling 888-5OPTOUT or by filling out the corresponding form here. The ability to stop getting prescreened offers of credit is available to all consumers, not just those with a security freeze, with prescreened offers being able to be stopped for 5 years or permanently.
It should be noted that neither a fraud alert nor a security freeze does not mean that you are in the clear for identity theft: fraud alerts and security freezes, especially, are effective at preventing new account openings – i.e. new account fraud – but cannot prevent the misuse of accounts that you already have.