Catfishing, the practice of pretending to be someone else online, became a cultural phenomenon through MTV’s popular TV show “Catfish,” driving more attention to our obsession with our online personas. However, it’s not just social media that needs additional scrutiny. In the wake of several recent major data breaches of personally identifiable information (PII) such as Social Security numbers, dates of birth and addresses, cybercriminals have all the information they need to catfish their way right into your financial life in a process called new account fraud (NAF).

Our identities are being used for much darker purposes than creating fake profiles to lure online suitors. Cybercriminals are increasingly using PII to commit fraud, and it’s a big business. According to Javelin Strategy & Research, $112 billion was stolen globally through fraudulent means between 2009 and 2015, equating to $35,600 lost every minute. In 2016, identity fraud hit a record high with 15.4 million victims in the U.S. alone, up 16 percent from 2015.

This goes beyond what has unfortunately become a somewhat common occurrence of someone using an account to buy an expensive TV or 10 pairs of designer sneakers. Cybercriminals are getting savvier, leveraging stolen identity details to catfish banks and open completely new accounts under fake or stolen names and bypassing common red flags by waiting to use them. Javelin predicted that NAF will rise as much as 44 percent by 2018 in the U.S., increasing losses from $5 billion to $8 billion in just four years.

Download the white paper: Transparently detecting new account fraud

Many Ways to Skin a Catfish

In years past, if you wanted to open an account at a new bank, sign up for insurance or apply for a mortgage, you needed to go into a branch location and complete the registration process in person. An employee at the branch would take steps to validate that you are who you claim to be, usually using some type of physical document such as your driver’s license, a utility bill or a tax return.

In today’s digital era, however, nobody wants to be bothered to go into a branch location. We want the convenience of being able to open a new account online or from an app on our phones, and financial institutions are obliging. This digital onboarding can deliver a much better, frictionless customer experience, but it opens the business up to more risk. Perhaps more importantly, it puts all of us as consumers at even more risk.

Cybercriminals need only a handful of data to open a fraudulent account. These sets of information, such as security questions, names, Social Security numbers, dates of birth and other details, often joined with credit card or bank account numbers, are available for sale on the Dark Web at bargain prices, sometimes as low as $5 to $10 per identity. But it doesn’t end there: Personal details can also be easily collected from what we share on social media and other places, such as genealogy websites.

With valid, verifiable identity data in hand, fraudsters can take that information to financial institutions and open new accounts without ever stepping foot into a branch location. From this point forward, the fraudsters can begin depositing forged or stolen checks or transferring money from another account. Once the funds are available, they can be withdrawn as cash before the fraudulent activity is even detected.

So why should you care if this is being done under the guise of your name and your identity? Without being able to trace it back to the fraudster who perpetrated the crime, who do you think the bank will turn to?

Preventing New Account Fraud

While we can’t change our Social Security numbers, names, addresses or dates of birth, or turn back time to stop the flood of personal data to illicit cyber marketplaces — IBM’s X-Force Threat Intelligence Index 2017 reported that more than 4 billion records were leaked in 2016 alone — we can get smarter about how we handle our online identities to help protect ourselves from the repercussions of fraud.

IBM Security helps banks and other service providers protect consumers by making it easier to identify fraudulent accounts with its IBM Trusteer New Account Fraud offering. This new solution assists financial institutions leverage machine learning to transparently correlate the device and network information used to open a new account with analytics to help detect fraud. In real-world speak, this is a fancy way to say that we help banks assess risks and authenticate users.

Finally, some good news for consumers: You don’t even need to be a customer of the bank where a fraudulent account request occurs! Wherever IBM Trusteer New Account Fraud is running, analysis will be performed to help banks separate the fraudulent users from the legitimate ones by looking at the positive information they provide and comparing that with the negative indicators surrounding the transaction.

IBM Trusteer’s New Account Fraud looks at critical stages of the account creation process and uses behavioral analytics to help verify identity and potential fraud patterns. For example, details such as the IP address of where the account is being created, geolocation/time zone and the health of the device that is being used can all be helpful in detecting fraudulent activity. If these details differ from the usual appropriate user, it’s a sign that a new account may be fraudulent.

As consumers, it’s never been more critical to safeguard our online personas. In addition to taking steps to protect ourselves, it’s time for all of us to ask our banks, financial institutions and other holders of our information how they’re protecting us from identity fraud.

Click here to learn more about IBM Trusteer New Account Fraud.

Download the white paper: Transparently detecting new account fraud

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read

How Security Teams Combat Disinformation and Misinformation

4 min read - “A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

4 min read

A View Into Web(View) Attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

9 min read

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

4 min read - While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

4 min read