Remember when the first iPhone was introduced? Back in 2007, many of us marveled at the iPhone but at the same time were skeptical of its usefulness. That was because back then we were not transacting so much of our daily lives online, let alone on a nifty handheld device. Fast forward to 2022 and our lives look radically different. Today, we are conducting most of our lives online, be it a simple task like looking up a recipe or shopping online to more complicated transactions like signing into our bank accounts to make financial transactions or applying for a loan.
The COVID-19 pandemic also forced consumers to transact digitally to a far greater extent, and financial institutions needed to quickly pivot to offer most of their services online in a “no touch” environment.
The digital evolution that was accelerated by the pandemic brought about an onslaught of identity fraud from 2020 to 2021, which according to Javelin Strategy’s 19th annual Identity Fraud Study: The Virtual Battleground, totaled upwards of $52 billion and affected more than 42 million Americans. The elderly among us, many of whom did not have prior experience transacting online, were and continue to be especially vulnerable to scams by fraudsters who have zero qualms about robbing the unsuspecting of their hard-earned money. So, it is no surprise that there has been an alarming rise in account takeover (ATO) fraud due to social engineering scams over the last year.
In the last 15 years, identity fraud losses in general have risen steadily. However, according to the report, we’ve seen concerning upticks in new account fraud (109%), ATO (90%), and peer-to-peer payment fraud (18%). The problem was exacerbated over the last couple of years, with the pandemic having far-reaching and lasting changes in our lives – the rise of working from home, distanced learning, video visits with doctors, and online shopping for everything from groceries to cars and loans. There were also major macroeconomic impacts that led to much higher unemployment numbers, and the federal government stepping in to provide stimulus packages to consumers and loans to small businesses that form the backbone of the economy.
These factors created the perfect storm for fraudsters who took advantage of the loosened identity verification controls and the need to disburse funds quickly. As a result, fraudsters used stolen and fake identities to open accounts, claimed benefits and took out loans for businesses that didn’t exist. The extent of such fraud by any estimate is in the billions.
Despite banks spending considerable resources towards educating their customers about how to avoid falling victim to scams, fraudsters always find unsuspecting users to scam successfully. While 42% of consumers consider it their own responsibility to keep their identity safe, 60% believe that it is their bank’s responsibility to make them whole again when an identity fraud loss occurs. It is but natural to feel that way – you entrust your bank with keeping your money safe, so you will want to go back to them if you lose that money. For good reasons, the consumer perception is that there is a tremendous need for better tracking of complaints and disputes.
Some ways banks can respond and improve the fraud resolution process include complimentary identity protection, easily accessible online tracking of fraud cases, and restitution of stolen funds while cases are being investigated.
We also have seen a significant rise in mule accounts during this time. These accounts are established with either stolen or fake data that is capable of passing traditional ID verification controls. With ample funds being available from government stimulus packages and unemployment benefits, fraudsters claimed these benefits and deposited their ill-gotten gains into the fraudulently opened accounts. While they laundered the money, banks were left with first-party fraud losses and investigations of suspicious activity. With plenty of money to grab and inadequate controls to detect such fraudulent activity, the per-incident loss amount spiked quite significantly from $201 to $1,551 between 2020 and 2021.
Financial Institutions have thus far been using personally identifiable information (PII) and device-based controls to detect fraud. However, for the newer fraud tactics like bot attacks, ATO, and social engineering scams, it would behoove financial institutions to consider adding behavioral biometrics as a layer of defense. When the stolen – but legitimate – data is entered and verified successfully, devices look clean, and step-up authentication is ineffective against clever social engineering attempts, user behavior provides unique risk signals. How the data is entered, how fast the user interaction takes place, and whether the user is behaving like they usually do or are showing signs of duress, constitutes precious data that can accurately assess these newer forms of fraud. Although fraudsters can steal data, have squeaky clean devices, and phish information, one thing they cannot do is imitate genuine user behavior – thus giving away critical clues in their online behavior. Modern behavioral biometrics monitors and analyzes these behaviors in real time to protect financial institutions and consumers.
In addition to gleaning valuable insights through cloud-based, data-rich behavioral biometric defenses, the report makes several recommendations for preventing these ever-creative scams. These include identity-proofing every account-based activity, investing in consumer education, and deploying technology to facilitate frictionless experiences. In short, criminals are getting more resourceful and technologically advanced with their scams- and if we are to prevent these losses from continuing to climb, banks must beat these criminals at their own game.
