Catfishing, the practice of pretending to be someone else online, became a cultural phenomenon through MTV’s popular TV show “Catfish,” driving more attention to our obsession with our online personas. However, it’s not just social media that needs additional scrutiny. In the wake of several recent major data breaches of personally identifiable information (PII) such as Social Security numbers, dates of birth and addresses, cybercriminals have all the information they need to catfish their way right into your financial life in a process called new account fraud (NAF).

Our identities are being used for much darker purposes than creating fake profiles to lure online suitors. Cybercriminals are increasingly using PII to commit fraud, and it’s a big business. According to Javelin Strategy & Research, $112 billion was stolen globally through fraudulent means between 2009 and 2015, equating to $35,600 lost every minute. In 2016, identity fraud hit a record high with 15.4 million victims in the U.S. alone, up 16 percent from 2015.

This goes beyond what has unfortunately become a somewhat common occurrence of someone using an account to buy an expensive TV or 10 pairs of designer sneakers. Cybercriminals are getting savvier, leveraging stolen identity details to catfish banks and open completely new accounts under fake or stolen names and bypassing common red flags by waiting to use them. Javelin predicted that NAF will rise as much as 44 percent by 2018 in the U.S., increasing losses from $5 billion to $8 billion in just four years.

Download the white paper: Transparently detecting new account fraud

Many Ways to Skin a Catfish

In years past, if you wanted to open an account at a new bank, sign up for insurance or apply for a mortgage, you needed to go into a branch location and complete the registration process in person. An employee at the branch would take steps to validate that you are who you claim to be, usually using some type of physical document such as your driver’s license, a utility bill or a tax return.

In today’s digital era, however, nobody wants to be bothered to go into a branch location. We want the convenience of being able to open a new account online or from an app on our phones, and financial institutions are obliging. This digital onboarding can deliver a much better, frictionless customer experience, but it opens the business up to more risk. Perhaps more importantly, it puts all of us as consumers at even more risk.

Cybercriminals need only a handful of data to open a fraudulent account. These sets of information, such as security questions, names, Social Security numbers, dates of birth and other details, often joined with credit card or bank account numbers, are available for sale on the Dark Web at bargain prices, sometimes as low as $5 to $10 per identity. But it doesn’t end there: Personal details can also be easily collected from what we share on social media and other places, such as genealogy websites.

With valid, verifiable identity data in hand, fraudsters can take that information to financial institutions and open new accounts without ever stepping foot into a branch location. From this point forward, the fraudsters can begin depositing forged or stolen checks or transferring money from another account. Once the funds are available, they can be withdrawn as cash before the fraudulent activity is even detected.

So why should you care if this is being done under the guise of your name and your identity? Without being able to trace it back to the fraudster who perpetrated the crime, who do you think the bank will turn to?

Preventing New Account Fraud

While we can’t change our Social Security numbers, names, addresses or dates of birth, or turn back time to stop the flood of personal data to illicit cyber marketplaces — IBM’s X-Force Threat Intelligence Index 2017 reported that more than 4 billion records were leaked in 2016 alone — we can get smarter about how we handle our online identities to help protect ourselves from the repercussions of fraud.

IBM Security helps banks and other service providers protect consumers by making it easier to identify fraudulent accounts with its IBM Trusteer New Account Fraud offering. This new solution assists financial institutions leverage machine learning to transparently correlate the device and network information used to open a new account with analytics to help detect fraud. In real-world speak, this is a fancy way to say that we help banks assess risks and authenticate users.

Finally, some good news for consumers: You don’t even need to be a customer of the bank where a fraudulent account request occurs! Wherever IBM Trusteer New Account Fraud is running, analysis will be performed to help banks separate the fraudulent users from the legitimate ones by looking at the positive information they provide and comparing that with the negative indicators surrounding the transaction.

IBM Trusteer’s New Account Fraud looks at critical stages of the account creation process and uses behavioral analytics to help verify identity and potential fraud patterns. For example, details such as the IP address of where the account is being created, geolocation/time zone and the health of the device that is being used can all be helpful in detecting fraudulent activity. If these details differ from the usual appropriate user, it’s a sign that a new account may be fraudulent.

As consumers, it’s never been more critical to safeguard our online personas. In addition to taking steps to protect ourselves, it’s time for all of us to ask our banks, financial institutions and other holders of our information how they’re protecting us from identity fraud.

Click here to learn more about IBM Trusteer New Account Fraud.

Download the white paper: Transparently detecting new account fraud

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today