Behind the mask of third-party fraud
From identity theft to account takeovers, third-party fraud is bypassing fraud detection daily
Digital transformation has created greater convenience for customers and new opportunities for criminals to commit third-party fraud. For financial institutions (FIs) and fintechs, the question isn’t whether fraud will occur, but when.
Unlike first-party fraud, which occurs when a person commits fraud using their own identity, the victims of third-party fraud are often a bank, credit union, or fintech’s real, paying customers. When a fraudster loops a third party into their scheme, they have often already cultivated a careful understanding of how to bypass fraud prevention measures like knowledge-based authentication (KBA) and credit card transaction velocity limits.
In this post, we’ll take a closer look at third-party fraud. We’ll review how this common type of fraud impacts banks, credit unions, and fintechs, and offer specific solutions for mitigating fraud risk in the face of this threat.
What is third-party fraud?
Third-party fraud is a form of financial fraud that happens when a bad actor appropriates someone else’s personally identifiable information (PII) to acquire funds illegally. Third-party fraud encompasses a wide range of fraudulent activity, such as:
- Identity theft — A fraudster steals someone else’s PII. Identity theft often occurs during data breaches caused by a cyberattack against a mobile device, personal computer, or computer network. Identity theft can also happen as a result of social engineering or blue box theft.
- Social engineering fraud — A fraudster reaches out to their victim, possibly using a phishing email, a smishing text message, or a vishing phone call. Duped into thinking the fraudster is a legitimate third party, the victim shares their PII or unwittingly allows access to their accounts.
- Synthetic identity fraud — A fraudster uses a stolen social security number (SSN) and fabricates personal identity information — like name and date of birth (DOB) — to commit identity fraud. Synthetic identities are sometimes created using bits and pieces of personal data belonging to real people. It isn’t uncommon for a fraudster to hijack an SSN belonging to a child (or another vulnerable person) for use in a synthetic identity.
- Authorized push payment (APP) fraud — A fraudster tricks a victim into transferring money to a bank account via push payment under false pretenses, often following a successful social engineering scam. APP fraud was the most widely reported fraud type among banks, fintechs, and credit unions in 2024, according to Alloy’s benchmark report. It was also responsible for the most losses.
- Account takeover (ATO) fraud – A fraudster steals someone’s online credentials or login information and then commandeers their victim’s existing accounts. Fraudsters may program AI bots to perform ATO attacks en masse, using tactics like social engineering, phishing, credential stuffing, or even brute force to gain account access.
How is third-party fraud orchestrated?
For many people involved in fraud, fraud is a business. Like businesses, fraud operates in different ways. Here are some of the ways that third-party fraud attacks may be carried out:
- Solopreneur — These fraudsters work alone to commit third-party fraud attacks, often sourcing advice from fraud playbooks found on the dark web or social media.
- Fraud rings — Calculated, well-funded, and often high-tech, fraud rings come in all sizes, from scrappy but nimble “fraud startups” to international fraud rings.
Many instances of third-party fraud have a common thread: a connection to fraud rings and organized crime. Sophisticated criminal groups rely on third-party fraud because it scales and because the sums involved can be significant. Account takeovers, for example, result in an average loss of $12,000, according to some estimates.
No matter the size of the fraud operation, tools like generative AI have made committing third-party fraud more accessible — and cheaper — than ever before. Fraudsters may wield AI to generate scripts for targeted fraud attacks and to fake identity information.
The expensive impact of fraud
Every $1 of fraud loss costs U.S. financial firms $4 in revenue—up from $3.25 in 2019 and $3.64 in 2020. In 2022, identity theft saw a 43% year-over-year increase, while synthetic fraud saw a 45% year-over-year increase. So not only is fraud becoming more commonplace — it’s also costing FIs and fintechs more each time it happens.
In Alloy’s 2024 State of Fraud Benchmark Report, 56% of FIs and fintechs surveyed lost more than 500,000 EUR/USD to fraud over a one-year period. A quarter of respondents lost over 1 million EUR/USD in the same timeframe.
Want more facts about fraud? Check out the current fraud trends in Alloy’s Benchmark Report.
Detecting third-party fraud
At Alloy, we believe third-party fraud is a solvable challenge. To mitigate third-party fraud, FIs and fintechs must focus on two key areas:
- Fraud that occurs at origination during the onboarding process, and
- Ongoing fraud impacting existing accounts.
Fraud that occurs at origination
In addition to a thorough KYC process, FIs must monitor for fraud by verifying every piece of customer PII against effective data sources.
But which data sources are most effective for detecting third-party fraud? It depends, but in general, the most effective fraud defenses involve multiple complementary data sources that you can use in combination to protect your organization from different types of fraud schemes.
For instance: fraud scoring models can be trained to assess submitted PII for signals of third-party fraud. Combining such an assessment with another, separate analysis of device data (like the IP address and browser the applicant uses to submit their information) grants a more comprehensive view of the applicant than you might get from using either of these tools in isolation.
FIs and fintechs should use a combination of traditional and alternative data sources to get the best coverage. This gives banks, credit unions, and fintechs the best overall view of customer identity. Alternative underwriting data, like cash flow data on rent history, utility bill payments, or secondary income from a gig job, makes it easier to spot falsified information that could indicate a synthetic identity.
Ongoing fraud
Fraud doesn’t stop at onboarding. You can fight third-party fraud on an ongoing basis by carefully monitoring customer transaction patterns and developing machine learning (ML) models that alert you to potentially fraudulent behavior.
Fraud ML models can track numerous markers throughout the customer payment journey, such as how long it takes to initiate a payment or how long it takes for a customer to add a payee. If fraud appears to be involved, your ML model will flag the customer’s account. Some platforms even allow you to create custom rules (for instance, flagging specific industries, activities, or transaction amounts) which can anticipate fraud patterns as they emerge.
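The markers and custom rules described above can be sketched in a few lines. This is an added example, not Alloy's code or API: fixed rules stand in for a trained model, and the event format, thresholds, and names (`extract_markers`, `flag_accounts`) are assumptions made for illustration.

```python
# Constructed sample events (not real data):
# (account, epoch seconds, event type, payee, amount)
EVENTS = [
    ("acct-1", 1000, "login", None, 0),
    ("acct-1", 1400, "add_payee", "P-landlord", 0),
    ("acct-1", 90000, "payment", "P-landlord", 1200),
    ("acct-2", 2000, "login", None, 0),
    ("acct-2", 2015, "add_payee", "P-new", 0),
    ("acct-2", 2040, "payment", "P-new", 9500),
]

# Assumed thresholds for illustration; derive real ones from your own baseline.
FAST_PAYEE_ADD_S = 30        # payee added within 30 s of login
FAST_FIRST_PAYMENT_S = 300   # first payment within 5 min of adding the payee
LARGE_AMOUNT = 5000

def extract_markers(events):
    """Yield one marker dict per payment, built from each account's timeline."""
    login_at, payee_added, paid = {}, {}, set()
    for acct, ts, kind, payee, amount in sorted(events, key=lambda e: e[1]):
        if kind == "login":
            login_at[acct] = ts
        elif kind == "add_payee":
            delay = ts - login_at[acct] if acct in login_at else None
            payee_added[(acct, payee)] = (ts, delay)
        elif kind == "payment":
            added = payee_added.get((acct, payee))
            first = (acct, payee) not in paid   # only the first payment counts
            paid.add((acct, payee))
            yield {"account": acct, "amount": amount,
                   "add_payee_delay": added[1] if added else None,
                   "payee_age": ts - added[0] if added and first else None}

# Custom rules: each takes a marker dict and returns True when it fires.
RULES = {
    "fast_payee_add": lambda m: (m["add_payee_delay"] or 1e9) <= FAST_PAYEE_ADD_S,
    "fast_first_payment": lambda m: (m["payee_age"] or 1e9) <= FAST_FIRST_PAYMENT_S,
    "large_amount": lambda m: m["amount"] >= LARGE_AMOUNT,
}

def flag_accounts(events, min_hits=2):
    """Return {account: [rule names]} for payments tripping >= min_hits rules."""
    flagged = {}
    for m in extract_markers(events):
        hits = [name for name, rule in RULES.items() if rule(m)]
        if len(hits) >= min_hits:
            flagged.setdefault(m["account"], []).extend(hits)
    return flagged
```

Requiring at least two rules to fire keeps a single large but otherwise ordinary payment from flagging an account on its own.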
Preventing third-party fraud
Third-party fraud is a constant global problem, but you can take steps to prevent it.
When you have total visibility into each customer’s identity and behavior, you can:
- Make accurate risk assessments
- Protect the customer and their funds
- Stop fraud attacks before they inflict significant damage
- Protect your institution from fraud-related losses
Solid anti-fraud systems don’t have to interfere with the customer experience. On the contrary, Identity Risk Solutions make it possible to process legitimate applicants quickly and with little friction while running thorough fraud checks. At onboarding, risky applicants are sent to manual review, while ongoing transaction monitoring prompts step-up and other verification as needed.
The future of financial fraud
No one can predict what third-party fraud will look like a year from now or five years from now. What we can predict is that as new technology is developed, fraudsters will continue refining their techniques and modes of attack: the same thing they’ve done throughout the history of banking.
But despite advances in fraud techniques, good defenses can still outmaneuver bad actors thanks to the availability and effectiveness of modern data sources.
Third-party fraud is fluid and complex. That’s why Alloy’s Identity Risk Solution combines over 200 traditional and alternative data sources for a holistic view of customer risk. From online banking channels to in-branch and embedded finance fraud, our omnichannel solution was built to prevent fraud across touchpoints: at onboarding and throughout the customer lifecycle.
Alloy’s software development kit (SDK) makes it easy for banks, credit unions, and fintechs to streamline fraud, compliance, credit underwriting, and global expansion. We are constantly building new ML models and upgrading our risk management tools so that fraud prevention evolves with the landscape.