Share
Why collaboration is key to fighting fraud
For financial institutions (FIs), fraud may feel like it comes out of the blue: One day, you’re happily onboarding new customers to your product, the next, you’re seeing an unusual or bizarre spike in applications atop the funnel. You have to scramble to defend against the offensive, and if you don’t have an adequate response plan, the fraudsters could rob your company of both funds and identities.
For the fraudsters, this kind of attack is the result of collaboration between dozens of dark web-linked individuals, along with years of careful probing to identify institutional weak spots. Aided by new technologies, fraudsters are more active—and resourceful—than ever.
As a result, fraud will be the number one problem FIs face in 2023. In Alloy’s recent benchmark report — which polled fraud and compliance leaders at banks, fintech companies, and online lenders — nearly all respondents (91%) indicated that fraud has climbed over the past 12 months. It’s a pattern I suspect will persist if companies view fraud as just a cost of doing business. In this piece, I’ll explore emerging discrepancies around different types of fraud and offer tips on how best to address the threat.
First-party fraud on the rise?
While fraud is generally increasing across the board, specific types pose greater problems than others. First-party fraud, which involves the misrepresentation of identity, financial situation, or intent to repay as a way to defraud a FI, was named the most prevalent category, experienced by 62% of respondents in 2022. To better understand first-party fraud, consider a borrower withdrawing more money than they intend to repay from a new account. Neobanks without overdraft fees are particularly susceptible to this.
If first-party fraud really is the most prevalent form of fraud, it suggests customers are blatantly lying to their FIs at scale. However, I don’t think customer-driven fraud actually tops the list. What’s more, there are some discrepancies in the data we’ve gathered that calls this into question.
A high velocity of transactions was the most common indicator that a fraud attack was underway. Yet, if first-party fraud were the cause of these high-velocity spikes, it would mean hundreds of individuals were overdrawing their bank accounts – or reporting false disputes, etc. – on the same day, at the same time. It’s hard to believe that lone wolves have mobilized at this scale.
Fraudsters at work
What we’re actually seeing with high transaction velocity is a mix of other types of fraud attacks that are becoming so hard to identify that institutions label them as first-party fraud. These attacks may range from:
Third-party fraud: Fraud that is facilitated by the use of someone else’s (usually stolen) identity. Third-party fraud often involves a highly coordinated and well-funded group of individuals pummeling a financial institution at the same time, often from similar locations.
Synthetic fraud: A type of third-party fraud that may initially go undetected because fraudsters use synthetic identities, which combine made-up credentials, such as a fake SSN, with a name and date of birth stolen from a real person. The use of an authentic name can sometimes throw companies off the scent.
Second-party fraud: Also known as identity manipulation, second-party fraud involves one person exerting psychological control over another to commit fraud. This type of fraud includes money muling, vulnerable adult abuse, romance scams, etc., and has been facilitated by targeted attacks on social media and telecommunications platforms.
So, why do financial institutions think they’re seeing so much first-party fraud when the data makes it clear that the truth is much more complicated? The answer is that there are some fundamental misconceptions about fraud in the financial services industry. FIs are so concerned about reputational damage that they don’t talk about their fraud problems or share data openly with each other. This lack of communication has led to a culture in which fraud is frequently misidentified. In the worst-case scenario, the customer is blamed for an attack instead of the fraudster.
Of course, blaming the customer is never the optimal business strategy. Stopping fraud of all types is the key to maintaining openness, innovation, and inclusivity in the financial services industry. To do this, FIs need to work together to share data, correctly identify fraud, and use that information to combat fraudsters.
The danger of first-party fraud
This phenomenon of FIs misidentifying first-party fraud leads to an increased (and irrational) level of fear about first-party fraud in the industry. For instance, in March 2021, several car rental companies refused to accept Chime cards due to reports of Chime customers allegedly committing first-party fraud to avoid paying for a rental car. Normally, this kind of bank ban by merchants would violate Visa/Mastercard “honor all cards” policies, but rental car companies exploited a loophole by using a required "pre-authorization" transaction. Some other merchants have also treated neobank cards as "high-risk" and declined them as fraud at higher rates.
An even more alarming consequence of first-party fraud fears has emerged in the form of fintech companies blocking transfers from each other's accounts. In December 2021, Robinhood began blocking transfers from companies that displayed “a high pattern of return and fraud rates,” preventing customers from moving money from certain bank accounts—often neobanks—into their Robinhood brokerage account.
We are seeing this trend more and more, and it’s harmful for fintech, both reputation-wise and operations-wise. When customers can no longer easily access and move their money, it reduces inclusivity in the industry. Chime (and other neobanks like it) service traditionally underbanked, lower-income consumers. For a lot of those customers, Chime provides their only bank account. Making it more challenging for these users to purchase essential items or move their money makes the industry less inclusive of the underbanked overall.
Weaponizing PII
Third-party fraud is of greater concern to me than first-party fraud — and all financial institutions are susceptible. In 2020, fraudsters stole personally identifiable information (PII) from millions of individuals through scams related to the unemployment benefits rolled out generously, albeit hastily, by the government during the pandemic.
We typically see fraudsters wait a few years before using stolen identities. This waiting period gives them time to create and nurture synthetic identities—which are used to open and steadily fund bank accounts, build up credit scores to increase legitimacy, and finally carry out a fraud attack.
In 2023, I expect much of the PII stolen in early 2020 will be weaponized against unsuspecting FIs in the form of third-party fraud. These attacks will be devastating if FIs do not adequately prepare for them. Companies will lose money — 70% of our report’s respondents lost over $500,000 to fraud in 2022. Twenty-seven percent lost over $1 million. And these numbers only represent fraud that was identified and reported by the FI. There could be potentially millions more lost to fraud each year that FIs are overlooking due to misunderstanding the changing tactics of fraudsters.
Unfortunately, these numbers will inevitably increase this year. As someone who has personally witnessed businesses shut down entire product lines because they were experiencing so much fraud, I know how devastating these attacks can be. To preserve their money for launching great products, FIs must do more to prevent fraud.
A time for more collaboration
FIs simply need to be more collaborative in their collective fight against fraud. A part of the solution is more fraud consortiums where banks, fintech companies, infrastructure providers, and data vendors can share data and best practices. (Only 35% of our survey respondents said they planned to join a fraud consortium this year — that proportion must increase.)
Within these consortiums, companies need to share final outcomes data more openly – that is, the ultimate determination of whether a customer is fraudulent or not. Beyond the initial approve/deny decision, the final outcome looks at a customer’s behavior over time. This data can help FIs better identify various iterations of first-, second-, and third-party fraud based on the customer activity they observe.
Without a widespread, coordinated effort by FIs across sectors and geographies, fraud will continue to be misidentified and mismanaged, harming customers in the process.
91% of financial institutions said fraud increased year-over-year in 2022.
Find out how your peers are driving down fraud costs.