Deep Dive: How Identity Fraud Targets Banks

Fraudsters leverage an array of schemes to conduct financial crimes, including digital methods like botnets and brute force hacks as well as old-school ones like social engineering. One of the most pervasive — which also affects customers as much as or more than banks — is identity theft. This tactic can do more than just compromise customers’ bank accounts: It can also cost them untold hours by forcing them to meticulously change their account passwords and contact customer service to have fraudulent charges revoked.

This damage done to banks as well as the customers they serve has forced financial institutions (FIs) and security companies to make curbing identity theft a top priority. However, identity theft methods are as numerous as they are diverse, ranging from trial-and-error password checks that fraudsters use to test stolen identities purchased in bulk to opening accounts or applying for loans with fictitious identities. The following Deep Dive explores the myriad identity fraud schemes that bad actors harness as well as the technologies that banks are leveraging to keep them at bay.

Methods Of Identity Theft

Identity theft is well-known to Americans, who have been educated their entire lives to keep their personal data secure so strangers cannot impersonate them. Data shows that U.S. consumers made approximately 651,000 identity theft complaints in 2019, consisting of credit card fraud, mobile phone account fraud, impersonations for personal loans and a host of other scams. The rate of identity theft fell by 24 percent from 2015 to 2017, but it skyrocketed 46 percent from 2018 and 2019. Fraudsters used these stolen credentials to pilfer $16.9 billion last year, up 15 percent from 2018.

Consumers often think of identity theft as involving fraudsters hacking directly into customers’ accounts, for example, but most bad actors do not acquire stolen identities themselves. They instead buy them in bulk from dark web marketplaces, where stolen credentials are sold for as little as $15 each. A recent study found that there are more than 15 billion such credentials available on the dark web, of which 5 billion have never been used and are considered much more valuable. Unique bank credentials, for example, can be sold for as much as $500 each.

The identities circulating among these dark web marketplaces are often acquired from large-scale data breaches, which can leak hundreds of millions of credentials. Many individuals use the same username and password combinations for multiple accounts, meaning their bank accounts could be put at risk due to breaches at completely unrelated companies.

Synthetic Identity Fraud 

Some identity fraudsters utilize fabricated synthetic identities instead of leveraging customers’ credentials wholesale to open accounts or pose as them. These synthetic identities often incorporate disparate elements of real identities to look more realistic, such as using a valid U.S. Social Security number and address but with each detail being stolen from different victims. Banks hit by synthetic identity application fraud often have no victims to notify them that fraudulent applications were made in their names, making this fraud type difficult to notice until it is too late.

One 2016 study found that identity theft resulted in up to 20 percent of all credit losses for a total loss of $6 billion. The Federal Reserve has also pinpointed synthetic identity fraud as the fastest-growing financial crime, with industry watchdogs estimating that it costs banks and other FIs $6 billion annually. Boston-based Aite Group asserts that each instance of synthetic identity fraud costs lenders between $10,000 and $15,000, and Brian Vitale, Notre Dame Federal Credit Union’s chief risk and compliance officer, said it cost the credit union roughly $200,000.

Banks and other FIs are deploying numerous tools to keep identity fraud at bay, but individual users can also employ proper password hygiene to take their security into their own hands.

Identity Theft Prevention Methods

One of the most promising technologies in the identity fraud fight is artificial intelligence (AI), which can be taught to look for minor inconsistencies in customer identities to see if they are stolen or fraudulent. AI-based systems can even scan physical identity documents like driver’s licenses or Social Security cards to ensure their authenticity faster and much more accurately than human analysts can. Biometric tools — especially those with liveness detection, which cannot be fooled by a static picture — can also hinder identity fraudsters.

Many of these identity theft prevention methods have seen success. Synthetic fraud, for example, rose from $1.01 billion in Q2 2018 to only $1.02 billion in Q2 2019. This is its slowest growth in years and marks a sharp contrast from Q2 2016, when it skyrocketed to $854.4 million from $524.5 million in Q2 2015 — a staggering 62.9 percent jump. The decline in growth is largely attributed to the rising prevalence of identity databases, which track whether identities have previously been used to commit fraud.

Bank customers can also take the initiative to protect their identities from theft. Many leaked credentials are used for services from which they did not originate, meaning that utilizing different passwords for different accounts can limit the damage done if an individual’s password is breached. Two-factor authentication is also effective because fraudsters cannot access customer accounts with stolen passwords alone.

Curbing identity fraud’s rise will require the marriage of advanced technologies at FIs and due diligence from customers. It may never be stopped entirely, but even stalling it could save millions of dollars and untold hours.