Financial online fraud and the fuel that feeds it has been growing steadily over the past decade, resulting in losses to banks, businesses and individuals, especially with cases of new account fraud (NAF).

The challenge online service providers face nowadays is not only an increase in NAF, but also in NAF’s sophistication and the difficulty to detect it in its early stages due to the convincing nature of the elaborate data sets criminals are using to open new accounts. The detection issue is compounded by the fact that 41 percent of NAF uses real identities with correct personal information.

The Value of PII and PHI

Personally identifiable information (PII) and personal health information (PHI) have been lucrative targets for cybercriminals for almost two decades. Different sets of information, including a person’s name, address, Social Security number, date of birth and other details are most often joined with financial information, such as payment card data or account credentials, and then sold online to enable criminals to falsely use compromised identities.

Cybercriminals commonly obtain these details through phishing attacks, information-stealing malware, keyloggers and data breaches from different sources. However, data can also be lost or stolen due to oversight or physical theft. Even the oversharing of personal information on social media has become a source of personal data for fraudsters. Similarly, threat actors steal private information by obtaining credit reports on potential victims, buying background checks and scouring genealogy sites.

Fraudsters typically use this stolen data for basic financial fraud, but cases of NAF have been growing and expanding to new verticals as more services are offered to customers online. With this growth in the scope of digital account creation, new customers arrive, but not all are legitimate.

Download the white paper: Transparently detecting new account fraud

Measuring the Rising Tides of New Account Fraud

By definition, NAF takes place within 90 days of a new account being opened. Most savvy criminals patiently wait at least 30 days before using the account to bypass common red flags that rely on account age to detect suspicious activity.

An upsurge of NAF has been a rising concern as banks move to more secure payment cards and new payment channels. As a result, fraudsters have been transitioning to the online channel to attempt to use the same data for opening bank accounts and applying for credit, loans, insurance and other types of accounts that can yield profit in the short term.

To that extent, Javelin Strategy & Research estimated in 2015 that new account fraud would soar from $5 billion in annual losses to a projected $8 billion by 2018. The firm also noted that NAF continues unabated. This makes sense, since more criminals rush to the online channel to keep their own identities concealed as they use their victims’ data to make illicit profits.

Stolen Data Sets Go Supersized

The fuel that propels NAF, like other identity theft scenarios, is stolen data. That fuel is experiencing a boost that has become a major risk factor in the past few years.

The leak or theft of large amounts of customer data from hospital breaches, for example, have led to more elaborate sets of data reaching the hands of criminals, especially on the Dark Web and in fraud-themed forums. Those supersized data sets are medical records.

With these detailed, often impossible-to-erase sets of data, criminals have been facilitating various identity theft scenarios encompassing financial fraud, insurance fraud, tax fraud and the use of stolen information to obtain goods and services. Health records are worth 10 times more to fraudsters than payment card data and can result in extensive damage to both the rightful owner and his or her service providers.

Moreover, the odds are rising: Accenture estimated that 1 in 13 patients will have their data compromised by a cyberattack between 2015 and 2019. Additionally, according to Crain’s Chicago Business, everyone in the U.S. will have had their health care data compromised by 2024 if online theft keeps accelerating at the current pace.

The NAF Attack Landscape Broadens

When it comes to targeting different sectors, cybercriminals typically take the path of least resistance. In the past, most criminals went after more obvious targets such as banks, credit providers and payday loan providers. Nowadays, they are diversifying and targeting any type of account they can derive value from.

Those accounts can be held with a medical insurance provider. They can also be e-commerce accounts, credit card providers, frequent flier miles, loyalty points, iTunes, gaming and, of course, online banking accounts, especially where providers allow customers to finalize the entire account opening process online. These services are being adapted across more and more banks, adding service offerings and opening fintech apps to API access. This is good news for customers, but it also widens the window of opportunity for cybercriminals.

In fraudster lingo, enrolling means opening a fraudulent account using stolen information. Before enrolling for online access to a bank, loan or credit account, cybercriminals typically make sure the legitimate owner has not already done so. Similarly, with NAF, threat actors tend to first check that the victim does not already hold an account with the same entity.

You Don’t Have a Twin, But Your Bank Account Might!

Although most cases of NAF involve first-time accounts with a given provider to avoid being tackled by previously verified customer information, some cases point to potential flaws in the process.

In a case reported in May 2017, a criminal managed to open a fraudulent account with a provider even though the victim already held a legitimate bank account. Due to a verification issue, the new fraudulent account was successfully opened, and the victim only later learned that he had been subject to identity fraud and had a second account with the same bank. This case was eventually attributed to the fact that the criminals were able to provide sufficient information to satisfy the bank’s requirements, which speaks to the ability of criminals to obtain high-quality, detailed information on potential victims.

Instances of this type can take place once criminals try them out with data they are willing to sacrifice or use as a test. If the test works, they know that the specific entity overlooks certain verification parameters and will go back to targeting it as much as possible until that loophole is closed.

Opening twin accounts is not the only way for criminals to find vulnerable processes. They may attempt to abuse a provider’s web logic by illicitly selling free trials for money, find a way to lock someone’s existing account and open another in his or her name, or employ other imaginative tactics to test different providers.

Nipping NAF in the Bud

To address NAF, it is most critical to detect it at its earliest stage: the enrollment process. This way, the provider can stop the process before any damage is done to the rightful owner of the stolen data or to the provider itself.

To shorten the time to detection, service providers need a proven way to assess the risk of a new digital identity, predict potential fraud during the enrollment process and detect issues without impacting the legitimate users that frequent the site. There are some challenges here, especially since fraudsters use valid or partially valid information to open new accounts, which can sometimes enable their scams to go unnoticed.

An effective detection process should rely on:

  • User parameter validation;
  • Fraud evidence collection; and
  • Early account activity monitoring.

User Validation

At first, the provider will be ingesting user data through the enrollment channel, enabling them to collect, compare and analyze it to expose potential issues. Fraudsters often reuse data as many times as possible to get the best return on investment (ROI) from what they obtained, which makes for an opportunity to identify fraud at the earlier stage.

This data does not have to only be validated by the provider, which has limited visibility into its own customer base and perhaps paid credit reporting agency data. It can help to contract a security provider that can add sources of intelligence to that application, correlating user and tracking history and linking identities across different financial entities to detect cross-organization fraud patterns. The criminals usually use the data set more than once in attempts to open accounts with different providers to maximize their potential profit from each stolen identity.

Fraud Analytics

Collecting data during the application process can also apply to the device the user comes through on and the relevant session elements created. Details such as IP address, mobile provider, indicators of device spoofing or an existing malware infection can be helpful in scoring a risky enrollment instance.

Adding more contextual data can further lower the risk of the enrollment with behavioral analytics, the customer’s journey pattern, geolocation mismatch, data inconsistencies or suspicious account opening velocity across different providers. These elements can easily apply to both PC and mobile channels with indicators of known fraudulent contact details, jailbroken or rooted devices, multiple accounts for the same device or existing malware on the customer’s mobile device.

Post-Creation: Early Activity Monitoring

After opening a new fraudulent account, cybercriminals typically let the account lay dormant for an average of 30 days before they make a significant withdrawal. The eventual fraudulent transaction is likely to take place within the first 90 days of the account’s creation.

Post-creation monitoring of new accounts during that critical period is important to help identify the telltale signs of a suspicious account that made it through the enrollment, the possible use of mule accounts and known fraud patterns that can expose a loss in the making.

Typical actions fraudsters might take include:

  • Depositing small cash amounts to the account;
  • Using forged checks to increase the account balance; and
  • Withdrawing funds as soon as possible after they become available.

Mitigate NAF With IBM Trusteer

To help banks and service providers minimize exposure to new account fraud, IBM Security now offers a new account fraud protection product, providing new tools to help organizations assess and predict the creation of fraudulent new accounts transparently and without affecting the customer experience.

Download the white paper: Transparently detecting new account fraud

ef=”https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-18547&S_PKG=ov60426″>https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-18547&S_PKG=ov60426

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today