I’ve been developing technology solutions that mitigate fraud and identity scams for almost 35 years. With that historical perspective, I see the war against fraud being more active in 2022 than ever before, with both the “good guys” and the “bad guys” having new tools to use against each other. While countering fraudsters can seem like a game of whack-a-mole, technology remains the most powerful foundation to innovate and combat the next generation of fraud attacks.
Truth be told, the bad guys have a leg up in technology innovation. Fraudsters can exploit open source malware to scam consumers, bots to make fraud attacks more efficient, a new attack vector in buy-now-pay-later (BNPL), and a wealth of breached consumer data.
All of these tools are available to the bad guys in the new digital paradigm accelerated by the global pandemic, while the good guys are playing catch up to accommodate new consumer needs and desires to move more of their financial lives online.
Now more than ever, to stay ahead, the good guys will have to continuously identify vulnerabilities and subsequently deploy technologies to combat them, maximize automation for identity validation, and take advantage of advanced machine learning models to combat emerging fraud patterns.
Instead of profound predictions, the following are observations about the battle against the bad guys and how we (the good guys) can address it. Shame on us if we don’t make the investments to win the fight!
Growth in alternative payments will add fuel to the first-party fraud fire
While there is no consensus on how to define first-party fraud (FPF), there’s no denying its growth across financial services in recent years. By using their own identity (or a slight variation of it), bad actors have shown the ability to take advantage of customer-friendly policies and credit bureau reporting practices. And we believe FPF will continue its rapid growth in 2022, driven by product innovation and increasing customer expectations across digital banking and commerce.
Consider the explosive growth in the Buy Now Pay Later (BNPL) industry. Cornerstone Advisors has estimated that BNPL sales will reach $100 billion in 2021, up from $24 billion in 2020 and $20 billion in 2019. This holiday season appears to have fueled growth of FPF and, as a result, bad actors perpetrating FPF have a leg up on the BNPL industry because many players do not generally report accounts (tradelines) to the national credit reporting agencies (CRAs). Additionally, BNPL often uses prequalification “soft inquiries” to gather information from the CRAs when evaluating credit worthiness, which are not reflected on a consumer’s credit report. The lack of inquiry velocity reduces the usefulness of FICO and other credit scores.
The broad adoption of prequalification by BNPL and other lending industries, coupled with another potential economic downturn resulting from incremental COVID variants, will lead to further increases in FPF in 2022.
FTC ID theft rate increase will make 2022 the year of the asterisk
Asterisks attached to data have a way of obscuring some significant sneaker waves. The FTC’s Identity Theft Rate hides one particularly important finding that is buried in the overall trend for identity theft reports.
Last year’s report indicated an increase of over 100% in the reported number of ID theft complaints by consumers (the numbers show 1.3 million complaints in 2020, as opposed to 2019’s total of 650,523 complaints). What’s the root cause here? While the economic downturn related to COVID was undoubtedly a contributing factor, it obscures a crucial source of that increase. Most fraud experts agree that it is mostly related to fraudulent FTC affidavits that were submitted in attempts to remove legitimate bad history from credit reports. This is referred to as “credit washing”.
Credit washing occurs when a borrower fraudulently disputes negative information in a credit report, prompting the credit reporting agency to “clean,” or temporarily delete, the information from the report and artificially boost the borrower’s credit score. Credit washing isn’t new, but it ballooned out of control when the FTC tried to make it easier for consumers to file reports of identity theft by removing the requirement of an accompanying police report. This change inadvertently made it easier for fraudsters to conduct credit washing.
The problem of credit washing at the FTC continued during 2021 and one can expect another sharp increase in ID theft claims from consumers when the new FTC numbers come out in February 2022.
Like Major League Baseball statistics, sometimes an asterisk is needed so that history understands the significance of a certain number as the years go by. The FTC will probably identify in the upcoming 2021 report that credit washing played a significant role in ID theft complaint increases over the last several years and may apply an asterisk (or a verbal equivalent of one) to 2020 and 2021 FTC ID theft numbers.
The industry quickly counters emerging fraud vectors, and in 2022, you can expect to see the emergence of solutions developed to solve this issue.
Bot attacks will increase in new account operations
There has been an increase in the amount of large-scale fraud attempts in new accounts especially during the last half of 2021 and such attempts will likely accelerate. Bots attempt to create new accounts quickly and at scale using techniques like “PII tumbling” to enable a fraudulent application to slip through.
These massive scale attacks in new account fraud attempts can overwhelm scoring systems and manual investigation teams such that they have difficulties in handling the larger volumes of suspect applications.
Deploying bots is simple for bad actors, even those with limited technical skills. A basic internet search will return several different bot marketplaces, and each marketplace offers many different forms of bots touting each of their individual successes.
These bot-powered tools are used for attacks ranging from phishing to content scraping, new account fraud and registration, and even to obtaining popular goods at the lowest price.
Will there be regulatory scrutiny on use of these bot marketplaces for new account fraud in 2022? Probably not, but there might be legislative activity. On the most recent Cyber Monday event, Representative Paul Tonko (D-NY), Senator Richard Blumenthal (D-CT), Senate Majority Leader Charles E. Schumer (D-NY), and Senator Ben Ray Luján (D-NM) announced the introduction of the Stopping Grinch Bots Act. The act seeks to restrict the use of bot technology to quickly buy up whole inventories of popular holiday toys and resell them to parents at higher prices. While not focused on new account fraud, it does appear that regulators are paying attention to the harm that bots can cause in marketplaces.
Bots are driven by data and there continues to be an abundance of stolen PII and credentials available to bad actors. According to the ITRC’s Q3 First Half Data Breach Analysis, the number of publicly-reported data compromises through September 30, 2021 has exceeded the total number of events in FY 2020 by 17%, even though the number of compromises dropped by nine (9) percent compared to Q2 2021. The trendline continues to point to a record-breaking year in 2021 for data compromises.
If fraud scoring technologies are not up to date, oftentimes large-scale attacks can create high volumes that fall in marginal scoring populations and consequently defeat stale models. As always, it is important to update fraud models often, either internally or with your outside third-party vendor, to ensure these large-scale accounts don’t thwart your defenses. Additionally, moving away from manual investigation queues in a digital production environment and adopting automated forms of identity proofing, such as document validation of drivers licenses, or selfies with liveness detection, will help overcome large-scale, short-term attacks.