Identity theft involves illegally acquiring and using sensitive personal information, such as Social Security numbers or bank account details, with the intent to perpetrate fraudulent activities. Technological advances have also led to even more sophisticated ways of committing identity theft. In February 2024, a finance worker at a large firm released $25 million after a conference call with fraudsters who had used deepfake technology to impersonate the firm’s Chief Financial Officer.
Financial services employees must be vigilant in verifying customer identities to prevent unauthorized account access. Rigorous customer authentication processes and continuous monitoring are essential to safeguard against identity theft, ensuring the integrity of financial transactions and maintaining customer trust.
Scammers employ numerous techniques to engage in identity fraud. Common examples include:
- Phishing: Using deceptive tactics to trick individuals into divulging sensitive information – typically executed through fraudulent emails or messages. Phishing schemes often impersonate trusted entities such as banks, regulators, or colleagues. The malicious intent behind phishing attempts ranges from stealing login credentials to gaining unauthorized access to confidential financial data. Recognizing and thwarting phishing attacks is imperative, as falling victim to these scams can have severe repercussions, compromising personal and institutional security.
- Physical theft and mail interception: Scammers often resort to physical methods such as stealing wallets and purses from individuals. This straightforward yet effective tactic provides access to personal identification and credit and bank cards. Additionally, criminals may dig through mail and trash to uncover sensitive information like bank statements.
- Data breach exploitation: Malicious entities can also capitalize on large-scale data breaches to obtain sensitive information, including clients’ or employees’ personal and financial records. Exploiting vulnerabilities in cybersecurity measures, criminals gain unauthorized access to databases, exposing a vast array of confidential data.
2. Payment fraud
In the US, the Automated Clearing House (ACH) network facilitates the secure and efficient movement of funds between banks and financial entities. ACH is pivotal in modern American banking and is a backbone for direct deposits, bill payments, and person-to-person transfers.
In instances of ACH fraud, perpetrators manipulate or gain unauthorized access to the ACH system, initiating fraudulent transactions that divert funds from legitimate accounts. Tactics such as account takeover, phishing, malware, and social engineering are common avenues for criminals to compromise sensitive account information and misuse the ACH system.
The repercussions of ACH fraud extend beyond financial losses, encompassing reputational harm and regulatory consequences. To safeguard against this, FIs must implement stringent authentication measures, continuous monitoring, and advanced fraud detection technologies to ensure the security of electronic fund transfer systems.
4. Account takeover fraud
Account takeover fraud (ATO) occurs when a criminal gains access to an individual’s online account to steal money or sensitive information. There are many ways in which cybercriminals can do this, ranging from buying details from the dark web to using keylogging software to capture a password and email address.
While there are differences between the two, ATO has many parallels with identity theft, and a 2021 survey concluded that 64 percent of US individuals who had their identity stolen also experienced account takeover fraud.
ATO is usually conducted via credential stuffing or brute force attacks:
- Credential stuffing is the use of automated tools and bots to test lists and databases of credentials against a site until a match is found. This is particularly problematic as many individuals use the same email and password combinations for multiple websites, meaning that one breach could lead to many.
- Brute force attacks involve bots deploying random words to guess a customer’s password on a site.
FI employees should be trained to recognize the following red flags:
- Multiple password reset requests and login attempts.
- Changes to contact details such as addresses and back-up email addresses.
- Requesting new cards or checkbooks to a new address.
- The setup of a new authorized user.
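One way to turn these red flags into a monitoring rule, as an added example that is not part of the original guide: it correlates the flag categories per account inside a time window and separately labels a source's failed logins as spread across many accounts (credential stuffing) or aimed at one (brute force). The event names, thresholds, window and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types mapped to the red-flag categories listed above (names are assumptions).
FLAGS = {
    "login_failed": "repeated_auth", "password_reset": "repeated_auth",
    "contact_change": "contact_change",
    "card_to_new_address": "new_address_delivery",
    "authorized_user_added": "new_authorized_user",
}
AUTH_THRESHOLD = 3            # assumed: auth events needed before they count as a flag
WINDOW = timedelta(hours=48)  # assumed correlation window

def red_flags(events, now):
    """Return {account: set of flag categories} inside the window ending at `now`."""
    auth, flags = defaultdict(int), defaultdict(set)
    for ts, account, _source, kind in events:
        if kind not in FLAGS or not (now - WINDOW <= ts <= now):
            continue
        if FLAGS[kind] != "repeated_auth":
            flags[account].add(FLAGS[kind])
        else:
            auth[account] += 1
    for account, n in auth.items():
        if n >= AUTH_THRESHOLD:
            flags[account].add("repeated_auth")
    return dict(flags)

def escalate(events, now, min_flags=2):
    """Accounts showing at least `min_flags` distinct red-flag categories."""
    return sorted(a for a, f in red_flags(events, now).items() if len(f) >= min_flags)

def source_pattern(events, source):
    """Failed logins from one source: spread over many accounts, or aimed at one."""
    hits = defaultdict(int)
    for _ts, account, src, kind in events:
        if src == source and kind == "login_failed":
            hits[account] += 1
    if len(hits) >= AUTH_THRESHOLD:
        return "credential-stuffing pattern"
    return "brute-force pattern" if max(hits.values(), default=0) >= AUTH_THRESHOLD else "none"

# Constructed sample events: (minutes after T0, account, source address, event type).
T0 = datetime(2024, 4, 4, 9, 0)
EVENTS = [(T0 + timedelta(minutes=m), a, s, k) for m, a, s, k in [
    (0, "A1", "198.51.100.7", "login_failed"),
    (1, "A1", "198.51.100.7", "login_failed"),
    (2, "A1", "198.51.100.7", "login_failed"),
    (30, "A1", "198.51.100.7", "contact_change"),
    (5, "B2", "203.0.113.9", "login_failed"),
    (6, "C3", "203.0.113.9", "login_failed"),
    (7, "D4", "203.0.113.9", "login_failed"),
    (600, "E5", "192.0.2.4", "password_reset"),
    (601, "E5", "192.0.2.4", "contact_change"),
]]
```

Account E5 is not escalated because a single password reset stays under the threshold, which keeps routine self-service activity from raising an alert on its own.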
Customer education is also vital in ensuring account safety. Staff should encourage customers to turn on multi-factor authentication (MFA) and change passwords regularly, and should offer them the option to be contacted when a credit limit request has been made.
5. Advance fee fraud
While various forms of advance fee fraud have existed for a long time, the growing adoption of digital communication channels, including social media services, encrypted chat platforms like WhatsApp, and the continued popularity of email, has amplified its prevalence.
Perpetrators of advance fee fraud often entice their targets with unrealistic investment opportunities or promises of substantial rewards, such as a fictitious lottery win, all based on an upfront payment. Once the payment is made, the victim loses contact with the fraudster or is coerced into providing additional funds to unlock even greater returns.
FIs are crucial in mitigating the risks associated with advance fee fraud – firms must raise awareness among their customer base regarding the indicators of advance fee scams:
- When encountering communications from a business, it is imperative to ensure the sender’s authenticity. Verifying the organization’s legitimacy is also critical when dealing with entities unfamiliar to the recipient, for example by checking business registrations on reputable online services, such as Companies House in the UK, to confirm their status. Additionally, attentiveness to details such as misspelled URLs or addresses within the message is crucial for detecting potential fraudulent activities.
- Common types of fraud include loans, overpayments, lottery or cash prize wins, vacation rentals, unexpected inheritance, and investment opportunities. Customers should be encouraged to be particularly vigilant when receiving these communications.
- The general content of the message should also be studied – key indicators include an offer that seems too good to be true, an unusual sense of urgency, frequent typos, and the general mention of up-front payment.
Romance scams have also become more common. Typically, scammers will pose as a potential romantic partner via social networks or dating apps and employ emotional manipulation to gain their victim’s trust. A 2023 study conducted by Lloyds Bank revealed that the number of victims of romance scams has increased by 22 percent compared to 2022.
Once trust is established, scammers typically ask their target to send them money or invest in a lucrative business opportunity, often involving cryptocurrency. These schemes are called pig butchering, likening the victim to a pig fattened before slaughter – FIs should use customer relationship management (CRM) channels such as email or social media to increase customer awareness of these ploys.
6. Credit card fraud
Credit card fraud is one of the most popular types of identity theft and fraud. It is defined as the unauthorized use of an individual’s debit or credit card to withdraw cash or make purchases. In the US, in 2022, there were 440,666 reports of credit card fraud – marking a thirteen percent increase from the previous year.
Credit card fraud encompasses two primary categories: card-not-present (CNP) fraud and card-present fraud. CNP fraud is on the rise, facilitated by the use of stolen credit card details to make multiple online transactions. This may involve substantial purchases or bulk buying to exploit any potential time lapse before detection.
Offline instances of CNP fraud include completing payment forms with stolen details and submitting them via email or phone – incidents leading to CNP credit card fraud range from theft in physical locations to phishing via email or text and exploiting public Wi-Fi vulnerabilities.
Card-present fraud, though less common due to chip, PIN, and mobile payment technology, still occurs. Examples include the theft of credit cards from homes or persons, losing cards, cloning through skimming at ATMs or establishments, and interception of new or replacement cards during postal delivery.
It’s essential that FIs actively monitor and detect suspicious credit card activities, implementing robust transaction monitoring and fraud detection systems while educating customers on safe card usage practices.
7. Investment fraud
Investment fraud and scams involve many techniques mentioned in this guide. Some will be easier to spot than others, as scammers will go to lengths to ensure any websites, documents, or details discussed seem as legitimate as possible.
Educating customers and staff to watch out for the following can assist with protection against illicit investment opportunities:
- Stay vigilant when receiving cold calls, particularly from a company or organization with which the individual has never interacted.
- Investigate online reviews for any company offering investment opportunities, and check with the relevant local financial authority, such as the FCA in the UK, to ensure they are correctly regulated.
- Ask for legitimate documentation detailing any proposal, and seek expert advice if unsure.
8. Consumer fraud
Consumer fraud is the umbrella term for illicit activities conducted to cause financial loss or harm to a consumer or group of consumers. Common examples include:
- Identity fraud: This is where a perpetrator steals an individual’s identity or card details, either via the internet or through physical theft. Once the identity is assumed, malicious actors will attempt to access a bank account and transfer unauthorized funds.
- Mortgage/real estate fraud: Real estate and mortgage fraud encompasses deceptive practices in the real estate sector. The Boston division of the Federal Bureau of Investigation reported that over 11,000 individuals nationwide in 2021 experienced average losses of $350,328,166 due to real estate scams, a sixty-four percent increase from 2020. Among the most notable fraud types is mortgage fraud, involving intentional deception in mortgage lending, where consumers provide false information to obtain a mortgage loan or influence loan terms.
- False advertising occurs when a business provides inaccurate information regarding the quality or benefits of a product or service, violating legal obligations that mandate honesty in advertising, governed by watchdogs such as the UK’s Advertising Standards Authority (ASA). Such practices include false assertions about a product’s capacity to enhance health, mental faculties, or cognitive abilities.
9. Fraudulent charities
Fraudulent charities exploit goodwill by asking victims to donate to a good cause. Sometimes, these charities may not even exist, or fraudsters create fake campaigns using the names of reputable organizations or established causes.
Victims who enter their card or personal information on a website to donate may also inadvertently expose themselves to identity theft or credit card fraud, as scammers can exploit the collected data for illicit purposes.
FIs can contribute significantly to protecting customers from losing funds to fraudulent charities and organizations by:
- Using transaction monitoring to detect unusual patterns associated with potentially fraudulent charities. Many software options allow FIs to set up alerts for large or irregular donations.
- Ensuring there is a robust customer due diligence (CDD) process set up to thoroughly vet charitable organizations setting up accounts.
- Conducting real-time screenings of charities against global watchlists and sanctions.
- Advising customers to watch out for red flags such as urgency, vague mission statements, and unsolicited contact from charities they’ve not previously dealt with. Firms should also encourage customers who wish to donate to do so through verified channels, such as a charity’s registered site.
10. Return fraud
Return fraud refers to illegal practices where individuals exploit the returns process of goods and services to gain a financial advantage – usually a significant problem for retail and e-commerce businesses.
This can involve returning stolen merchandise, using counterfeit receipts, or manipulating the returns systems for illegitimate refunds or retail store credits. Some of the most common methods include:
- Receipt fraud: Stealing or falsifying receipts to return a product and profiting from the refund. This can also involve purchasing an item from a retailer at a lower price and attempting to return it to another store with higher retail value.
- Bricking: This is where a malicious entity purchases an electronic item, renders it unusable, and returns it for profit. This can also include switch fraud, which involves buying a working item and then attempting to return a previously damaged version of the item to profit from the returns policy.
- Stolen items: Occurs when an item is stolen and returned for a full refund.
Top prevention and detection practices include transaction monitoring to identify patterns indicative of returns fraud, such as frequent or unusual returns behavior. Organizations should also be encouraged to employ biometric authentication and MFA to enhance customer screening processes when making a return.
Collaboration with retailers is also essential to share information on known return fraud cases and work collaboratively to educate and combat future attempts.
11. Chargeback fraud
While many chargebacks are legitimate, chargeback fraud occurs when a customer disputes a transaction with their payment provider for illegitimate reasons. Chargeback frauds can have serious financial ramifications for FIs and retailers, with unnecessary costs and the enablement of other illegal activities – experts have reported that chargebacks cost merchants over $100 billion in 2023.
Before a chargeback can be classified as fraudulent, it’s important to distinguish whether it’s legitimate.
- Legitimate chargebacks, aimed at protecting customers, involve billing errors, unauthorized charges, or undelivered goods, supported by regulations like the Fair Credit Billing Act (FCBA) and the Electronic Funds Transfer Act (EFTA). Customers have a specified timeframe to dispute, usually 60 days under the FCBA, ensuring protection against unauthorized transactions.
- Fraudulent chargebacks, also termed friendly fraud, occur when customers falsely claim legitimate dispute reasons, such as unauthorized charges or non-received goods. Resolving these requires firms to navigate a process proving the legitimacy of the charge. Merchants suspecting misleading claims can challenge the chargeback, emphasizing the importance of understanding legitimate and illegitimate grounds to manage resources and protect against unwarranted claims efficiently.
Firms must integrate preventive measures into a comprehensive risk management system to prevent chargeback fraud effectively. Customer documentation, diligent onboarding processes, and detailed customer and transaction records form the foundation for validating dispute claims.
A robust transaction monitoring system can also help identify subtle patterns indicative of fraudulent behavior, particularly with repeat offenders.
12. Cybercrime
Cybercrime is one of the biggest emerging threats to FIs, businesses, and individuals worldwide – it has been estimated that money laundering from cybercrime could reach $10.5 trillion by 2025. The general term cybercrime encompasses a wide range of criminal activities conducted online, including:
- Phishing: As mentioned earlier, this involves fraudulent attempts to obtain sensitive information or steal an individual’s identity. Phishers usually pose as trusted entities and use emails, messages, or websites to gain a target’s trust.
- Malware: Short for malicious software, this is where malicious actors use viruses or computer programs to harm or exploit vulnerabilities in an individual’s computer system or device.
- Cryptojacking: Hackers illicitly use a victim’s system to mine cryptocurrency without their knowledge or consent – this is often a byproduct of successfully installing malware.
- Ransomware: Ransomware is software that locks a user’s files and devices, rendering them inaccessible. Cybercriminals will demand a ransom, usually in cryptocurrency, to unlock them.
In alignment with Financial Action Task Force (FATF) recommendations, banks and financial institutions must establish risk-based AML/CFT programs to combat cybercrime threats effectively.
This entails conducting comprehensive risk assessments of customers and implementing proportionate responses. Specifically, in cybercrime, firms must focus on customer identification and ongoing monitoring.
How to detect and prevent fraud
In the ongoing battle to prevent fraud in its many forms, FIs should employ the best practices in this guide. Ongoing staff training and customer awareness initiatives are crucial to a firm’s defense strategy. Fraud detection software is also vital. These programs help keep businesses safe from the continuously evolving nature of payment fraud scenarios with the application of AI and bespoke rules.
With the right software, FIs can establish customized thresholds and promptly receive alerts upon detecting potentially fraudulent behavior, effectively thwarting payment fraud, ACH fraud, and other illicit activities. Smart alerts not only identify fraud but also provide insights into the reasons behind each alert’s creation, resulting in enhanced analyst efficiency and a potential reduction of up to 70 percent in false positives.
Fraud and AML teams often face common challenges when working in silos, which can lead to occasional oversight of connected persons or entities. Fortunately, dynamic fraud software seamlessly integrates into an FI’s existing systems, ensuring alignment between personnel and software. This alignment has been shown to result in a 25 percent reduction in all payment fraud-related losses with some software.
Originally published 04 April 2024, updated 04 April 2024