How to stop a fraud attack

Unfortunately, fraud is common in financial services. And while no two fraud attacks look the same, there are some standard fraud mitigation processes that banks, fintechs, and credit unions should follow to effectively stop a fraud attack.

At Alloy, we believe in a future without fraud.

However, today the reality is that banks, fintechs, and credit unions alike come under attack frequently. (In Alloy’s Annual State of Fraud Benchmark Report, 98% of respondents reported that they experienced fraud last year.) Fraudsters are adept at finding and exploiting vulnerabilities; without a comprehensive response plan, it can be difficult to control the damage. 

Having a clear fraud mitigation plan in place also ensures that you collect the right data and learn as much as possible when you’re responding to an attack. That way, you can prevent similar attacks from happening further down the line. 

Our guide walks you through the three stages — triage, discovery, and remediation — of an effective fraud mitigation strategy, so you’ll be prepared to handle fraudsters when they strike.

To understand what’s at stake, read how one of Alloy’s client success managers helped a client navigate and work through a fraud attack.

Stage One: Triage — quickly assess the damage and shut it down 

When the fraud alarm bells sound, you first need to determine whether you are actually experiencing a fraud attack.

A common strategy among fraudsters is to continually test fraud protection systems for weak points. These tests — along with small-scale fraudulent activity from amateurs and first-party fraudsters — can expose banks, credit unions, and fintechs to a near-constant level of fraud. This doesn’t mean that your fraud protections are insufficient, nor does it suggest a big fraud attack is imminent. It means that all fraud attempts are different. You need to be sure of what’s happening before you waste resources or add customer friction to any of your processes.

In a fraud attack, a coordinated group of individuals attempts to exploit a specific gap in your fraud protections. There are two main types of fraud attacks: fraud ring attacks and high-velocity attacks.

What is a fraud ring attack? 

A fraud ring attack is a coordinated operation conducted by a small but sophisticated group of fraudsters. Fraud rings study financial institutions closely and look for ways to exploit the design of your onboarding, money movement, or account management systems. These individuals have an expert understanding of banking and payments systems, and are also familiar with common fraud prevention systems.

When a fraud ring figures out a potential vulnerability, they want to extract as much money as possible. This means they may be prepared to wait weeks or even months before cashing out. They might display normal, responsible behavior for long periods of time in order to qualify for credit or earn your good standing before “busting out” all at once, and stealing large amounts of funds across multiple accounts.

Of the many techniques employed by fraud rings, stolen and synthetic identities are among the most effective. But because fraud rings operate in a coordinated fashion, these identities will oftentimes share uncanny similarities. Knowing how to look for these similarities is essential to stopping fraud rings.

Synthetic identities aren’t real, but fraudsters sure make them look that way. Learn how to tell the difference between a genuine customer and a fake one. 

What characterizes a fraud ring attack? 

Accounts or applicants with shared attributes like common zip codes or email addresses frequently turn out to be part of the same fraud ring. In other cases, multiple fraudulent accounts will be funded by the same bank (which will sometimes turn out to have been recently defrauded themselves). For this reason, allow/deny lists and velocity checks based on such shared attributes can be valuable in stopping a fraud ring attack.
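As an added illustration (not code from Alloy or from the original guide), the sketch below applies a deny list and a sliding-window velocity check to shared attributes on incoming applications. The field names, thresholds, window length, and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample applications (not real data).
APPLICATIONS = [
    {"id": "a1", "ts": "2024-03-01T09:00:00", "email": "j.doe@mail.example", "zip": "10001", "funding_bank": "bank-a"},
    {"id": "a2", "ts": "2024-03-01T09:20:00", "email": "J.Doe+1@mail.example", "zip": "10001", "funding_bank": "bank-b"},
    {"id": "a3", "ts": "2024-03-01T11:00:00", "email": "kim@mail.example", "zip": "10001", "funding_bank": "bank-c"},
    {"id": "a4", "ts": "2024-03-03T12:00:00", "email": "lee@mail.example", "zip": "10001", "funding_bank": "bank-d"},
    {"id": "a5", "ts": "2024-03-03T12:30:00", "email": "ana@mail.example", "zip": "94105", "funding_bank": "bank-z"},
]

# Hypothetical policy values; tune them against your own baseline traffic.
LIMITS = {"email": 1, "zip": 2, "funding_bank": 2}   # max applications per value per window
WINDOW = timedelta(hours=24)
DENY_LIST = {("funding_bank", "bank-z")}             # e.g. a funding source seen in confirmed fraud


def normalize(attr, value):
    """Fold trivial variations so reused values collide (lowercase, drop +tag in emails)."""
    value = value.strip().lower()
    if attr == "email" and "@" in value:
        local, domain = value.rsplit("@", 1)
        value = local.split("+", 1)[0] + "@" + domain
    return value


def review_applications(apps, limits=LIMITS, window=WINDOW, deny=DENY_LIST):
    """Return {application id: [reasons]} for deny-list hits and velocity breaches."""
    recent = defaultdict(deque)   # (attribute, value) -> timestamps still inside the window
    flagged = {}
    for app in sorted(apps, key=lambda a: a["ts"]):
        now = datetime.fromisoformat(app["ts"])
        reasons = []
        for attr, limit in limits.items():
            if not app.get(attr):
                continue
            key = (attr, normalize(attr, app[attr]))
            if key in deny:
                reasons.append(f"deny:{attr}={key[1]}")
            seen = recent[key]
            while seen and now - seen[0] > window:
                seen.popleft()    # expire sightings older than the window
            seen.append(now)
            if len(seen) > limit:
                reasons.append(f"velocity:{attr}={key[1]} x{len(seen)}")
        if reasons:
            flagged[app["id"]] = reasons
    return flagged
```

In the sample, a4 reuses a zip code that was flagged two days earlier but is not flagged itself, because the earlier sightings have aged out of the 24-hour window.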

Here’s how to triage in the event of a fraud ring attack:

How to triage fraud ring attacks

What is a high-velocity fraud attack?

While fraud ring attacks involve precision and patience, high-velocity attacks rely on speed and brute force. A high-velocity fraud attack takes place when a fraudster discovers a vulnerability in your fraud defenses and publishes this information, usually on the dark web. In the most critical cases, it may even be necessary to temporarily take your entire application page offline as a last resort.

Remember, some fraud activity is actually fraudsters testing your defenses for weak points. Once a fraud ring runs tests and finds a vulnerability to exploit, fraudsters will use this to inform a larger, more deliberate fraud attack. But when an individual fraudster finds and publishes an exploit, what happens next?

Typically, you’ll see a surge of fraud volume at the very top of the funnel, often consisting of low-quality or clearly risky applications, which might trigger your fraud defenses. But even if your fraud defenses stop 90% of these applications, the remaining 10% that slip through still represent a considerable volume — and, therefore, a considerable threat.

How do you fight back against a high-velocity fraud attack? 

Because of the sheer volume of applications involved in a high-velocity attack, manual processes to approve or deny applicants can easily be overwhelmed. To prevent this, keep your automated fraud defenses up-to-date with best practices, and implement a pre-review, step-up verification process for risky applicants. 

Keep in mind: fraud ring attacks and high-velocity attacks may not be mutually exclusive. Some fraud rings employ cheap stolen identities to conduct high-velocity attacks. Even if a fraud ring attack is stopped, the ring may still share the strategy they used with other fraudsters, leading to high-velocity attacks against other organizations.

Here’s how to triage a high-velocity fraud attack:

How to triage high velocity fraud attacks

Stage Two: Discovery — figure out what happened and how it started

Once you’ve put a stop to the attack, the next step is to get to the bottom of what happened. These questions may help you uncover significant details about the attack:

  • When did the attack start?
  • How much volume did you see at the top of the funnel?
  • How did you determine the applications were fraudulent?
  • Which data sources were you using to run checks on new customers?
  • What step-up verifications did you require from applicants?
  • How were you enabling applicants to fund new accounts?
  • What other fraud controls did you have in place?

Two important callouts to remember: 

  • Fraud ring attacks are characterized by relatively fewer accounts or applications, but much higher dollar amounts. The fraudulent accounts may also exhibit certain shared attributes.
  • High-velocity attacks, on the other hand, involve a high number of applications that may not share any attributes.
     

What is entity feedback data? 

Entity feedback data is also known as fraud feedback data or final outcomes data. 

For a customer account, entity feedback data includes information used to assess whether the account may be fraudulent, beyond just the initial decision to approve or deny the account. This data provides visibility into how the risk profile and transactional behavior of the account change over time. Entity feedback data is captured for all accounts, both those determined to be fraudulent and legitimate accounts in good standing.

For business accounts, entity feedback data includes a company's risk score, suspicious activity or anomalies in their transaction patterns compared to their peer group, and changes in authorized users or business information.

Analyzing entity feedback data is the only way to know whether changes to your fraud risk decisioning will stop future fraud attacks. Having entity feedback data allows you to include your vendors and data partners in the remediation process — which is when you’ll make the changes that will protect you and your customers going forward. It’s important to compile entity feedback data in collaboration with your vendors and data partners as part of the discovery stage.
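One way to use entity feedback data for this purpose is to replay a proposed rule change over labeled history before deploying it. The sketch below is an added example, not Alloy's code or part of the original guide; the record fields (`risk_score`, `shared_attrs`, `outcome`, `loss`), both policies, and the sample records are assumptions constructed for illustration.

```python
# Constructed entity feedback records (not real data): signals captured at
# onboarding plus the final outcome and loss learned later.
FEEDBACK = [
    {"id": "e1", "risk_score": 0.95, "shared_attrs": 0, "outcome": "fraud", "loss": 4000},
    {"id": "e2", "risk_score": 0.70, "shared_attrs": 4, "outcome": "fraud", "loss": 9000},
    {"id": "e3", "risk_score": 0.65, "shared_attrs": 3, "outcome": "fraud", "loss": 7000},
    {"id": "e4", "risk_score": 0.40, "shared_attrs": 5, "outcome": "fraud", "loss": 2000},
    {"id": "e5", "risk_score": 0.20, "shared_attrs": 0, "outcome": "good", "loss": 0},
    {"id": "e6", "risk_score": 0.62, "shared_attrs": 3, "outcome": "good", "loss": 0},
    {"id": "e7", "risk_score": 0.92, "shared_attrs": 0, "outcome": "good", "loss": 0},
    {"id": "e8", "risk_score": 0.30, "shared_attrs": 1, "outcome": "good", "loss": 0},
]


def current_policy(rec):
    """Hypothetical existing rule: stop only very high vendor risk scores."""
    return rec["risk_score"] >= 0.90


def candidate_policy(rec):
    """Hypothetical proposed rule: also stop mid-risk entities that share
    attributes with three or more other accounts."""
    return current_policy(rec) or (rec["risk_score"] >= 0.60 and rec["shared_attrs"] >= 3)


def backtest(records, policy):
    """Replay a policy over labeled history and tally what it would have done."""
    result = {"fraud_stopped": 0, "fraud_missed": 0, "good_stopped": 0,
              "loss_prevented": 0, "loss_missed": 0}
    for rec in records:
        stopped = policy(rec)
        if rec["outcome"] == "fraud":
            result["fraud_stopped" if stopped else "fraud_missed"] += 1
            result["loss_prevented" if stopped else "loss_missed"] += rec["loss"]
        elif stopped:
            result["good_stopped"] += 1   # friction added for a legitimate customer
    return result


def compare(records=FEEDBACK):
    """Side-by-side results for the current and candidate policies."""
    return {"current": backtest(records, current_policy),
            "candidate": backtest(records, candidate_policy)}
```

Because the history includes legitimate accounts as well as fraudulent ones, the comparison shows the cost of the change (one more good customer stopped) alongside its benefit (two more fraudulent accounts stopped).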

Stage Three: Remediation — take the actions to prevent future fraud attacks 

The specific steps you take during the remediation stage will depend on the details you uncovered during discovery. However, there are a few fraud prevention measures that are generally effective:

  1. Add a synthetic fraud and identity theft scoring module.
  2. Add behavioral biometric fraud detection for new applicants.
  3. Introduce adaptive step-up measures such as tamper-proof phone-based verification and/or document + selfie verification for higher-risk applicants.
  4. Introduce progressive onboarding for riskier customers using dynamic risk ratings that allow them to onboard with limited access to account features.
  5. Add a bank account verification model.
  6. Add ongoing fraud monitoring.
  7. Supplement your rules-based decisioning with a machine-learning-based model that can look at a wide variety of identity signals to predict the likelihood of fraud across an entity’s lifecycle.

By implementing these measures and continuously monitoring and adapting your fraud prevention strategies, you can significantly reduce the risk of future fraud attacks. However, it's crucial to remember that fraud prevention is an ongoing process that requires vigilance and proactive efforts.

Automated identity verification measures like step-up and interdiction help you mitigate fraud during high-risk periods — like in the aftermath of an attack. 

Identity is central to fraud remediation

Once you've stopped the immediate bleeding after a fraud attack, you’ll need to put identity at the center of your remediation efforts. By tracing back to the identity of the fraudsters and analyzing the tactics they used, you can gain valuable insights into the attack and fortify your defenses against future attempts.

When you focus your remediation strategy on identity, you can build a more resilient defense against future fraud attacks. After remediation, keep in mind that fraud hasn’t gone extinct. You’ll continue to experience a consistent drip of low-level fraud as bad actors look for the next vulnerability. And, you’ll likely need to take additional, specific steps with assistance from your data vendors or identity risk platform provider.

How Alloy’s omnichannel fraud solution can help

There’s no question that fraud attacks are scary and leave a negative impression behind. The good news is that life after a fraud attack can come with stronger protections and a clearer sense of how fraud works.

As an Identity Risk Solution, Alloy provides: 

  • Holistic visibility into identity to help prevent fraud before monetary losses occur. 
  • Streamlined data orchestration for a more efficient, automated fraud risk decisioning process.
  • Unified customer profiles that are synchronized across touchpoints. 
  • A comprehensive testing hub where you can view the projected outcomes of new policy additions or changes prior to implementation.
  • Friction-right step-up verification for high-risk clients while maintaining a seamless experience for your low-risk clients.

In short, Alloy helps banks, fintechs, and credit unions better identify fraud not only during onboarding, but throughout the entire customer lifecycle. 

Alloy is an end-to-end, omnichannel Identity Risk Solution that helps you manage fraud, credit, and compliance risks.
