At Alloy, we believe in a future without fraud.
However, today the reality is that banks, fintechs, and credit unions alike come under attack frequently. (In Alloy’s Annual State of Fraud Benchmark Report, 98% of respondents reported that they experienced fraud last year.) Fraudsters are adept at finding and exploiting vulnerabilities; without a comprehensive response plan, it can be difficult to control the damage.
Having a clear fraud mitigation plan in place also ensures that you collect the right data and learn as much as possible when you’re responding to an attack. That way, you can prevent similar attacks from happening further down the line.
Our guide walks you through the three stages — triage, discovery, and remediation — of an effective fraud mitigation strategy, so you’ll be prepared to handle fraudsters when they strike.
When the fraud alarm bells sound, you first need to determine whether you are actually experiencing a fraud attack.
A common strategy among fraudsters is to continually test fraud protection systems for weak points. These tests — along with small-scale fraudulent activity from amateurs and first-party fraudsters — can expose banks, credit unions, and fintechs to a near-constant level of fraud. This doesn’t mean that your fraud protections are insufficient, nor does it suggest a big fraud attack is imminent. It means that all fraud attempts are different. You need to be sure of what’s happening before you waste resources or add increased customer friction to any of your processes.
In a fraud attack, a coordinated group of individuals attempts to exploit a specific gap in your fraud protections. There are two main types of fraud attacks: fraud ring attacks and high-velocity attacks.
A fraud ring attack is a coordinated operation conducted by a small but sophisticated group of fraudsters. Fraud rings study financial institutions closely and look for ways to exploit the design of your onboarding, money movement, or account management systems. These individuals have an expert understanding of banking and payments systems, and are also familiar with common fraud prevention systems.
When a fraud ring figures out a potential vulnerability, they want to extract as much money as possible. This means they may be prepared to wait weeks or even months before cashing out. They might display normal, responsible behavior for long periods of time in order to qualify for credit or earn your good standing before “busting out” all at once, and stealing large amounts of funds across multiple accounts.
Of the many techniques employed by fraud rings, stolen and synthetic identities are among some of the most effective. But because fraud rings operate in a coordinated fashion, these identities will oftentimes share uncanny similarities. Knowing how to look for these similarities is essential to stopping fraud rings.
Accounts or applicants with shared attributes like common zip codes or email addresses frequently turn out to be part of the same fraud ring. In other cases, multiple fraudulent accounts will be funded by the same bank (which will sometimes turn out to have been recently defrauded themselves). For this reason, allow/deny lists and velocity checks based on such shared attributes can be valuable in stopping a fraud ring attack.
Here’s how to triage in the event of a fraud ring attack:
While fraud ring attacks involve precision and patience, high-velocity attacks rely on speed and brute force. A high-velocity fraud attack takes place when a fraudster discovers a vulnerability in your fraud defenses and publishes this information, usually on the dark web. In the most critical cases, it may even be necessary to temporarily take your entire application page offline as a last resort.
Remember, some fraud activity is actually fraudsters testing your defenses for weak points. Once a fraud ring runs tests and finds a vulnerability to exploit, fraudsters will use this to inform a larger, more deliberate fraud attack. But when an individual fraudster finds and publishes an exploit, what happens next?
Typically, you’ll see a surge of fraud volume at the very top of the funnel, often consisting of low-quality or clearly risky applications, which might trigger your fraud defenses. But even if your fraud defenses stop 90% of these applications, the remaining 10% that slip through still represent a considerable volume — and, therefore, a considerable threat.
Because of the sheer volume of applications involved in a high-velocity attack, manual processes to approve or deny applicants can easily be overwhelmed. To prevent this, keep your automated fraud defenses up-to-date with best practices, and implement a pre-review, step-up verification process for risky applicants.
Keep in mind: fraud ring attacks and high-velocity attacks may not be mutually exclusive. Some fraud rings employ cheap stolen identities to conduct high-velocity attacks. Even if a fraud ring attack is stopped, the ring may still share the strategy they used with other fraudsters, leading to high-velocity attacks against other organizations.
Here’s how to triage a high-velocity fraud attack:
Once you’ve put a stop to the attack, the next step is to get to the bottom of what happened. These questions may help you uncover significant details about the attack:
Two important callouts to remember:
Entity feedback data is also known as fraud feedback data or final outcomes data.
For a customer account, entity feedback data includes information used to assess whether the account may be fraudulent, beyond just the initial decision to approve or deny the account. This data provides visibility into how the risk profile and transactional behavior of the account changes over time. Entity feedback data is captured for all accounts, both ones determined to be fraudulent as well as legitimate accounts in good standing.
For business accounts, entity feedback data includes a company's risk score, suspicious activity or anomalies in their transaction patterns compared to their peer group, and changes in authorized users or business information.
Analyzing entity feedback data is the only way to know whether changes to your fraud risk decisioning will stop future fraud attacks. Having entity feedback data allows you to include your vendors and data partners in the remediation process — which is when you’ll make the changes that will protect you and your customers going forward. It’s important to compile entity feedback data in collaboration with your vendors and data partners as part of the discovery stage.
The specific steps you take during the remediation stage will depend on the details you uncovered during discovery. However, there are a few fraud prevention measures that are generally effective:
By implementing these measures and continuously monitoring and adapting your fraud prevention strategies, you can significantly reduce the risk of future fraud attacks. However, it's crucial to remember that fraud prevention is an ongoing process that requires vigilance and proactive efforts.
Once you've stopped the immediate bleeding after a fraud attack, you’ll need to put identity at the center of your remediation efforts. By tracing back to the identity of the fraudsters and analyzing the tactics they used, you can gain valuable insights into the attack and fortify your defenses against future attempts.
When you focus your remediation strategy on identity, you can build a more resilient defense against future fraud attacks. After remediation, keep in mind that fraud hasn’t gone extinct. You’ll continue to experience a consistent drip of low-level fraud as bad actors look for the next vulnerability. And, you’ll likely need to take additional, specific steps with assistance from your data vendors or identity risk platform provider.
There’s no question that fraud attacks are scary and leave a negative impression behind. The good news is that life after a fraud attack can come with stronger protections and a clearer sense of how fraud works.
As an Identity Risk Solution, Alloy provides:
In short, Alloy helps banks, fintechs, and credit unions better identify fraud not only during onboarding, but throughout the entire customer lifecycle.
Prioritizing identity is the foundation of a strong fraud prevention strategy. However, so many financial institutions still struggle to classify fraud. Alloy knows how they can improve, quickly.
Alloy surveyed more than 400 decision-makers in fraud-related roles at financial services companies in the US and UK to find out how fraud has impacted their business over the last twelve months, what they're doing to combat it, and their predictions for the year ahead.
This guide illustrates how to scale a fraud prevention strategy by balancing coverage, cost, and user experience.
Alloy's holistic identity risk solution reduced Live Oak's fraud losses by 27%.