Behind the mask of third-party fraud
While digital transformation has created greater convenience for customers, it’s also created opportunities for criminals to commit third-party fraud. For financial institutions (FIs), the question isn’t necessarily whether fraud will occur, but when.
In this post, we’ll take a closer look at what’s known as third-party fraud. We’ll review its impact on financial institutions and present some specific ways to mitigate the threat to your FI.
What is third-party fraud?
Simply stated, third-party fraud is when a fraudster, working alone or within a fraud ring, appropriates information about someone else, especially personally identifiable information (PII), to commit fraud. It can occur in a number of ways:
- Identity theft — A fraudster steals someone else’s PII. Identity theft often happens during a data breach caused by a cyberattack against a mobile device, personal computer or computer network.
- Social engineering — A fraudster reaches out to their victim, possibly using a phishing email, a smishing text message or a vishing phone call. Duped into thinking the fraudster is a legitimate third party, the victim shares their PII or unwittingly allows access to their accounts.
- Synthetic identity — A fraudster fabricates an entire identity—name, DOB and SSN—to commit fraud. These synthetic identities are sometimes created using real bits and pieces, such as SSNs that belong to children or incarcerated people.
- Account takeover (ATO) – A fraudster, a fraud ring or a bot manages to steal someone’s online credentials or login information and then commandeers the person’s existing accounts.
The expensive impact of fraud
We’ve just reviewed a few examples of third-party fraud. Although specific methods vary, there’s a common thread running through many instances of third-party fraud: a connection to fraud rings and organized crime. Sophisticated criminal groups rely on third-party fraud because it scales, and because the sums involved can be significant. Account takeovers, for example, result in an average loss of $12,000 according to some estimates.
The scale of losses associated with third-party fraud should be cause for concern. Every $1 of fraud loss costs U.S. financial firms $4 in revenue—up from $3.25 in 2019 and $3.64 in 2020. As of April 2022, in the U.S., identity theft has seen a 43% year-over-year increase, while synthetic fraud has seen a 45% year-over-year increase. So not only is fraud becoming more commonplace—it’s also costing FIs more each time it happens.
Detecting third-party fraud
At Alloy, we believe third-party fraud is a solvable challenge. There are two key areas to focus on: fraud that occurs at origination (during the onboarding process) and fraud that’s ongoing (among existing accounts).
As part of a thorough KYC process, you should conduct fraud checks by verifying every piece of customer PII against effective data sources.
Which data sources are most effective for detecting third-party fraud? It depends—but in general, the most effective fraud defenses involve multiple, complementary data sources which you can use in combination to protect your FI from different types of fraud schemes.
For instance: fraud scoring modules can be trained to assess submitted PII for signals of third-party fraud. Combining such an assessment with another, separate analysis of device data (like the IP address and browser that the applicant is using to submit their information) grants a more comprehensive view of the applicant than you might get from using either of these tools in isolation.
Fraud doesn’t stop at onboarding. You can fight third-party fraud on an ongoing basis by carefully monitoring customer transaction patterns and developing models which can alert you to potentially fraudulent behavior.
Fraud models can track numerous markers throughout the customer payment journey, such as how long it takes to initiate a payment or how long it takes for a customer to complete the Add Payee process. If fraud appears to be involved, your model will flag the customer’s account. Some platforms even allow you to create custom rules (for instance, flagging specific industries, activities, or transaction amounts) which can anticipate fraud patterns as they emerge.
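As an added illustration (not Alloy's code or any vendor's API), the sketch below compares two of the markers named above, Add Payee duration and time to initiate a payment, against a customer's own baseline and then applies custom rules. The field names, thresholds, flagged industries and sample data are all assumptions constructed for this example.

```python
from statistics import median

# Constructed history: seconds each past session took, per account (assumed fields).
HISTORY = {
    "acct-1001": {"add_payee_secs": [48, 62, 55, 71, 58],
                  "pay_init_secs": [35, 41, 29, 38, 44]},
}

# Custom rules with assumed values: rule name -> predicate over the event.
CUSTOM_RULES = {
    "amount_over_limit": lambda e: e["amount"] >= 5000,
    "flagged_industry": lambda e: e["payee_industry"] in {"crypto_exchange", "gift_cards"},
}

def robust_z(value, past):
    """Distance from the customer's own median, in scaled MAD units."""
    med = median(past)
    mad = median(abs(x - med) for x in past) or 1.0  # guard against a zero MAD
    return (value - med) / (1.4826 * mad)

def score_event(event, history=HISTORY, z_limit=3.5, min_history=5):
    """Return the account, a flag, and the reasons behind it."""
    reasons = []
    past = history.get(event["account"], {})
    for marker in ("add_payee_secs", "pay_init_secs"):
        samples = past.get(marker, [])
        if len(samples) < min_history:
            reasons.append(f"{marker}:no_baseline")  # new account: nothing to compare
            continue
        if abs(robust_z(event[marker], samples)) > z_limit:
            reasons.append(f"{marker}:deviates_from_baseline")
    reasons += [name for name, rule in CUSTOM_RULES.items() if rule(event)]
    hard = [r for r in reasons if not r.endswith("no_baseline")]
    return {"account": event["account"], "flag": bool(hard), "reasons": reasons}

# Constructed events: one typical session and one that is far faster than usual.
TYPICAL = {"account": "acct-1001", "add_payee_secs": 60, "pay_init_secs": 40,
           "amount": 120, "payee_industry": "utilities"}
RUSHED = {"account": "acct-1001", "add_payee_secs": 3, "pay_init_secs": 4,
          "amount": 7500, "payee_industry": "gift_cards"}

if __name__ == "__main__":
    for ev in (TYPICAL, RUSHED):
        print(score_event(ev))
```

Accounts without enough history get a `no_baseline` reason rather than a flag, so a reviewer can see that the timing markers were not evaluated.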
Preventing third-party fraud
Although third-party fraud is a global problem, you can take steps to prevent it.
With total visibility into each customer’s identity and behavior, you can:
- Make accurate risk assessments
- Protect the customer and their funds
- Stop fraud attacks before they inflict significant damage
- Protect your institution from fraud-related losses
Most promising of all, implementing a solid anti-fraud system doesn’t have to interfere with the experience that you want to provide for customers. On the contrary—using an identity decisioning platform makes it possible to process legitimate applicants quickly and with little friction while still running fraud checks and sending applicants into manual review or step-up processes when necessary.
The future of financial fraud
No one can predict what third-party fraud will look like a year from now, five years from now—or even six months from now. Even as new technology is developed, fraudsters are busy refining their methods of attack.
Third-party fraud is fluid and complex. At Alloy, we also think it’s solvable. Despite advances in fraud techniques, good defenses can still outmaneuver the bad guys thanks to the availability and effectiveness of modern data sources. Using the right tools will make fraudsters work harder.