New account fraud is when an account is used to make a fraudulent transaction within three months of being created. With the rise of data breaches and the subsequent ubiquity of stolen login credentials on the internet, banks and eCommerce merchants should treat it as a form of synthetic identity fraud.
The personally identifiable information (PII) of an individual is culled from various legitimate and illegitimate resources across the internet and then used by the fraudster to open what seems to be a legitimate account in that individual’s name.
New Account Fraud Prevention Challenges
New account fraud prevention requires banks and retailers to detect illegitimate accounts before they are used for fraudulent purposes. Therefore, traditional fraud prevention solutions that rely on detecting fraudulent transactions are not sufficient protection.
The inherent nature of these attacks as identity theft means the theft victim’s knowledge of them when they occur is zero. Victims can only discover their identity has been stolen much later on, leaving fraudsters significant runway time to commit attacks.
Consequently, banks and merchants cannot rely on victims shutting down the fraudster’s vector of attack as in the case in traditional chargeback prevention for CNP fraud, where victims can easily see fraudulent transactions on their credit card account balance.
In addition, the lack of a credit card limiting the amount of cash available to a fraudster, combined with no pre-established communication channels between the victimised individual and targeted merchant/bank, means a victim’s identity could be used to undertake many new account fraud attacks without the individual having any idea of what is going on.
All of these complications to the basic transaction/prevention model mean the question of how to prevent new account fraud requires relying on red flags at the point of the creation.
New Account Fraud Prevention Red Flags
The Association of Certified Fraud Examiners (ACFE), a leading authority on stopping new account fraud, makes excellent documentation available for banks looking for help with detection.
Verifying Documentation
In the United States, federal legislation requires banks to establish a customer identification program (CIP) that attempts to establish the legitimacy of an account owner’s present identity to the extent it is “reasonable and practical”. This includes verifying documentation, checking for falsified pieces of identity, and reviewing secondary documents that collaborate the potential account holder’s story such as articles of incorporation in the case of a business account.
Other red flags to look for in order to prevent new account fraud include:
- The applicant’s social security number (SSN) does not match up with the identity attached to that number by the three major credit bureaus
- Other aspects of the applicant’s SSN profile including age, name, address, and credit history don’t follow common patterns. Examples include a SSN with two names attached, without any credit history, or address information that has changed within the last six months
- The applicant presents identity verification documents (such as a drivers license) issued within the last half-year
- The applicant uses a P.O. Box or other mail drop point as an official address
Online cross-channel and cross-device
The proliferation of online accounts—and the necessity of offering them to customers in near real-time—makes new account fraud prevention even more difficult today. Cross-channel and cross-device digital identity verification has emerged as the solut. ion.
Similar to verifying new applicants’ formal identification documents, these digital solutions work together to cross-check the online behaviour and device usage of account applicant against known fraudulent patterns.
Advances in AI fraud prevention technology make this possible. Today’s banking and eCommerce fraud prevention solutions analyse millions of data points culled from the internet to create a profile of an applicant. They look at thing link behavioral biometrics, third-party data enrichment, device fingerprinting, and algorithmic matching of applicant provided information with verified records.
Here are some of the techniques used to detect new account fraud:
- Collect behavioral biometrics such as mouse movements, keystrokes, and site navigation to search both for known fraudulent patterns, as well as previously identified patterns of the identity presented as the account opener
- Build a profile of the applicant using their email address, IP address, and street address and cross-check it against a previously known online identities or fraud attacks
- Use data enrichment to check to see if the offline identity presented to open the account matches up with the online identity constructed by the behavioral biometric, identity attributes, and social media network accounts of an applicant
- Review the type of device and web browser used to open the account. Some web browsers that offer additional privacy protections, such as Firefox, are known to be more frequently used by fraudsters
Additional resources about new account fraud prevention:
https://www.fdic.gov/news/financial-institution-letters/2005/fil3405a.html