Evolving online habits have paved the way for fraud. What can we do about it?
Information is power, and personally identifiable information (PII) is an extremely powerful asset that is fueling the rapid growth of online fraud (also known as the Digital Identity Crisis).
PII is any piece of data that someone could use to figure out who you are. Historical data such as your name, date of birth, or Social Security Number come to mind, but social media sites, e-commerce platforms, credit card companies, government agencies, and employers all collect and store data points that can be combined and processed to create a virtual picture of who you are.
Once considered a reliable way of verifying identities, PII has become compromised as privacy breaches have become commonplace. So much so that it has become a commodity on dark web markets for criminals using bots and organized fraud rings to help perpetrate fraud at unprecedented levels.
Each year, fraudsters get more calculated in their methods and commit fraud at greater scale, with 2021 being a record-breaking year for data breaches, according to the Identity Theft Resource Center. More than 1,862 reported data breaches occurred in 2021, a 68% increase over the breaches reported in 2020. The impact on victims is also surging: over 290M victims in 2021, and already more than 20M victims in 2022 alone. While fraudsters won’t stop, enterprises can take key steps to protect their users by understanding the evolving shift in fraudster behavior.
Changes in consumer behavior expose PII
The pandemic has changed consumer behavioral patterns in countless ways. It has reshaped what, where and how individuals buy products and services, and it has provided industrious fraudsters with opportunities to take advantage of people and enterprises unprepared to deal with these changes.
New apps and tools
The rapid growth and mainstreaming of apps for personal and business use has created a vast treasure trove of new PII data targets for would-be fraudsters.
Each time individuals create an account for the latest social media platform or are required to connect to productivity and communications apps like Slack or Zoom for work, there’s an increase in the amount of their PII in the online universe. When factoring in a connected world of smart appliances and devices, a large attack surface is created, and in years past, it has been challenging for enterprises to defend against determined and sophisticated bad actors with legacy fraud stacks.
Convenience over caution
As more daily activities have moved online and integrated with mobile devices, automation has become an essential part of the user experience. Tools such as PII-prefills are often seen as consumer-friendly ways to speed up the creation of new accounts, assist in digital and mobile onboarding, and generally reduce friction within the online experience.
Unfortunately, fraudsters have been exploiting PII autofill features built into browsers and apps as far back as 2013, but the mainstream use of these tools, particularly on mobile devices, has created a boom for bots and fraud ring attacks.
The rise of fraud rings
Pre-pandemic, most online fraud was committed by individuals or small groups and consisted of straightforward attempts to access an individual’s data or business accounts, or of applicant-level identity fraud. However, pandemic-relief programs such as the PPP loans demonstrated the value of large-scale attacks, to the tune of $100B, according to the U.S. Secret Service.
This jump in the volume and sophistication of fraudulent activity can be attributed to the evolution of fraud rings – organized circles of criminals that work in tandem along the spectrum of identity fraud.
While it is tempting to envision a dashing and daring crew à la Ocean’s 11, the truth is, fraud rings operate in a mundane, businesslike manner. On one end, they collect vulnerable PII through breaches, social media scanning, phishing emails, and dubious websites. That PII is then sold via dark web forums and used by individuals and groups to create synthetic identities en masse. These virtual identities are then used to open accounts, purchase merchandise and services, or further distribute malware for other purposes (e.g., spyware, ransomware).
Fraud rings employ many of the same tactics as individual criminals and smaller groups, but by becoming organized and leveraging technology such as AI and bots, they operate, and profit, at an exponentially larger scale.
Relentless and repeatable
Whether for political or economic reasons, fraud rings also have the advantage of being relentless. An inexpensive labor pool combined with technology allows them to constantly probe systems for weaknesses that expose vulnerable PII. When fraudsters find one, they will exploit it with maximum efficiency.
It’s rarely one-and-done with fraud rings; they thrive like any other business by creating repeatable solutions and seeking out ideal “customers.” Once a fraud ring identifies a weakness in a technology, an outdated legacy fraud detection stack, or poor processes and procedures, they’ll continue to commit fraud until the vulnerability is closed. They also look for other organizations with similar vulnerabilities (such as ones running outdated or unpatched software) where they can reuse the same tools and tactics. With legacy fraud stacks focused on post-submit data, these fraud rings are typically not identified until after the crime has already been committed.
The problem with the traditional fraud prevention stack
PII-based fraud detection technology is virtually useless to prevent synthetic identities using stolen PII.
The promise of machine learning hasn’t come to fruition as most current technology on the market can’t be trained to detect synthetic digital identity fraud models before the fact.
Traditional document-based identity verification also comes up short: the IDs presented at the time of application may be genuine, but they can still be in the hands of someone they don’t belong to.
In short, PII-reliant identity verification depends on historical PII data that is easily breached and/or compromised, with no way to connect it to the person using it at that moment. This means that, with legacy fraud stacks, if a fraudster or bot inputs all the accurate information of a given user, they will not be flagged as risky.
Here’s where behavioral analytics comes in. If integrated properly, it adds a level of fraud protection for enterprises at the front gate, stopping fraud before it happens by analyzing users’ pre-submit data.
The shift from post-submit to pre-submit detection
The problem with even the most sophisticated fraud detection stacks is that using PII to confirm and verify identity still requires the user to submit their data before it can detect fraud. By shifting fraud detection to pre-submit data screening, organizations can potentially save the billions of dollars lost annually from fraud while reducing false positives and customer friction.
Using what is known as behavior-based digital intent signals, businesses can “prescreen” a user’s identity before any PII is submitted or considered. Some of these intent signals include:
- The user’s typing, taps, and swipes, all of which are relevant to their intent (e.g., do they misspell their name? Forget their phone number?)
- Comparison to the behavior of other verified customers
- Adherence to the behavioral profile of the user
- The sequence and timing of actions or behaviors
- Navigation data that resembles machine-like or bot behavior
This pre-submit behavioral screening data can be used to weed out customers who aren’t familiar with their own PII, drive genuine customers through onboarding more efficiently, and reduce the number of false declines, false positives, and account-opening friction.
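To make the intent signals above concrete, here is an added illustrative example (not code from the original article or any vendor) that scores constructed form-interaction telemetry for the listed signals: corrections in fields a genuine user knows by heart, pasted or prefilled PII, deviation from the form’s field order, machine-like keystroke cadence, and implausibly fast completion. The event format, expected field order, and thresholds are assumptions for the example.

```python
"""Pre-submit behavioral screening over constructed form telemetry.

Illustrative example only; event format, field order and thresholds are
assumed. Events are (timestamp_ms, field, event) with event being
"key", "backspace", "paste" or "submit".
"""
from statistics import pstdev

# Constructed telemetry: a genuine applicant typing at a human cadence.
GENUINE = [(0, "name", "key"), (140, "name", "key"), (310, "name", "key"),
           (2200, "email", "key"), (2390, "email", "key"), (2600, "email", "key"),
           (5100, "phone", "key"), (5290, "phone", "key"), (5480, "phone", "key"),
           (7000, "ssn", "key"), (7150, "ssn", "key"), (7330, "ssn", "key"),
           (9000, "ssn", "submit")]
# Constructed telemetry: pasted SSN/phone, corrected name, uniform timing.
SUSPECT = [(0, "ssn", "paste"), (50, "phone", "paste"),
           (100, "name", "key"), (150, "name", "key"), (200, "name", "backspace"),
           (250, "name", "backspace"), (300, "name", "key"), (350, "name", "key"),
           (400, "email", "key"), (450, "email", "key"), (500, "email", "submit")]

EXPECTED_ORDER = ["name", "email", "phone", "ssn"]  # assumed visual form layout
KNOWN_FIELDS = {"name", "phone"}  # fields a genuine user rarely has to correct


def intent_signals(events):
    """Return a dict of boolean risk indicators derived from pre-submit events."""
    signals = {}
    # 1. Corrections in fields the user should know by heart (misspelled name?)
    signals["corrected_known_field"] = any(
        f in KNOWN_FIELDS and e == "backspace" for _, f, e in events)
    # 2. Pasted or prefilled sensitive fields (autofill abuse pattern)
    signals["pasted_pii"] = any(e == "paste" for _, _, e in events)
    # 3. Field sequence deviates from the order a human sees on screen
    seen = []
    for _, f, _ in events:
        if f not in seen:
            seen.append(f)
    signals["out_of_order"] = seen != [f for f in EXPECTED_ORDER if f in seen]
    # 4. Machine-like cadence: near-constant gaps between typing events
    times = [t for t, _, e in events if e in ("key", "backspace")]
    gaps = [b - a for a, b in zip(times, times[1:])]
    signals["uniform_timing"] = len(gaps) >= 3 and pstdev(gaps) < 5
    # 5. Whole form completed faster than a person could read it
    signals["too_fast"] = events[-1][0] - events[0][0] < 1500
    return signals


def risk_score(events):
    """Number of triggered signals: 0-1 pass, 2 review, 3+ decline."""
    return sum(intent_signals(events).values())
```

In practice each signal would be weighted against the behavior of verified customers rather than counted equally.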
Where do we go from here?
The pandemic has forever altered the way people communicate, interact and exchange goods and services. The fraud prevention and identity verification solutions we have been using are no match for the new vulnerabilities created, the volume of compromised PII, or the sophistication and tenacity of organized fraud rings.
In today’s digital landscape, PII can be easily obtained from online information, but behavior is impossible to fake. With the added layer of behavioral analytics-based security, digital enterprises get an in-depth look at each user’s risk from the top of the onboarding funnel, without adding friction.