How to stop identity fraud before it starts

Like those of their larger counterparts, community banks’ customers are increasingly falling prey to identity fraud. Is there more that community banks can do to mitigate the risk of this type of fraud?

By Karen Epper Hoffman

Community banks have always prided themselves on knowing their customers. And yet, just like large banks, community banks and their customers are feeling the sting of identity theft.

Identity theft, or identity fraud, is nothing new. Since before the mainstream internet even existed, crooks have been stealing personal information, including addresses, phone numbers, Social Security numbers and other data, to hijack customer accounts or create fake accounts in order to defraud banks. However, where fraudsters used to steal mail and use phone scams to collect the information they needed, they now rely more on spear-phishing emails, fake websites or culling personal details from social media sites to flesh out their scams. Application fraud is “a major problem for large financial institutions and is becoming a big problem for smaller ones,” says Shirley Inscoe, senior analyst for Aite Group. “Much of this fraud is fueled by identity theft and the use of synthetic identities.”

But why now, and why still? Inscoe says many banking executives “attribute much of the uptick to the rollout of [more secure] EMV cards in this country. Fraudsters are looking to replace $4 billion in counterfeit card losses, and application fraud is one way they will do so.” Checking and deposit accounts, credit cards and other loans are all targets for application fraud, she says. 

Fake accounts
Account takeovers are also on the rise. Here, fraudsters impersonate bank customers and often use social engineering methods in contact centers to gain access to a customer’s account. Impersonating customers is another form of identity theft, and if the fraudster is successful, he may drain the accounts, Inscoe explains.

“Every day there’s a new version of identity theft coming from a different angle. As all these new processes come through, banks are not as proactive as they are reactive.”
—Paul Schaus, CCG Catalyst consulting group

Opening fake accounts using stolen information or made-up identities more than doubled between 2014 and 2015—from 700,000 cases to more than 1.5 million, according to Javelin Strategy & Research.

Gary Wagers, executive vice president, retail products and services at $10 billion-asset Banner Bank of Walla Walla, Wash., says he has seen an increase in fraud rings convincing outside individuals to open new accounts on behalf of the fraudsters. The fraudsters then manage those accounts and use the accounts for further schemes and to obtain information about legitimate customers’ accounts. These schemes involve using a real person whom the fraudster has manipulated regarding the account-opening process. “The bottom line is that this works,” Wagers says. “They find a weakness in the banking system and they will exploit it until we fill it.”

Banner Bank has reduced fraud’s impact by finding patterns among the fraudulent accounts. It found many address changes were being made from West Coast to East Coast addresses, particularly to locales in Georgia. Bank employees were alerted to look out for this and other telltale signs of potential fraud, and also began doing more aggressive screening on address changes.

“The combination of these efforts has made a significant difference for us,” Wagers says.

Galen Gough, IT director for $350 million-asset Jonah Bank of Wyoming, agrees that “identity theft has definitely gotten worse over the last two years, as the sheer volume of data being stored online has increased.” A determined attacker can find almost all the information needed to commit identity theft from online resources, and the technical skill needed to commit identity theft is decreasing as black-market data stores continue to sell “portfolios” of individuals. The raft of big data breaches makes it even more difficult for customers to keep personal information private, Gough adds.

By mid-2017, breaches are nearly 30 percent higher than 2016, according to the 2017 CyberScout ITRC Breach Report, cited by Adam K. Levin, chairman and founder of CyberScout (formerly IDT911) and cofounder of “The [thieves’] purpose is to monetize the information,” he says. And, by using this breach-stolen data to commit identity fraud, they can.

While community banks and their customers may be smaller targets in comparison to their larger rivals, they are still targets, according to Paul Schaus, president and CEO of CCG Catalyst Consulting Group. “Every day there’s a new version of identity theft coming from a different angle,” Schaus says. “As all these new processes come through, banks are not as proactive as they are reactive. And community banks are relying on solutions that they don’t control.”

Whereas big banks may operate their own information security and fraud systems and processes entirely in-house, smaller banks typically outsource much of these functions to outside vendors, he explains.

“Community banks may face a little higher risk, because their solutions are lagging,” Schaus says. “When a community bank gets hit, the impact is often greater than if a large bank gets hit.”

As much as community banks want to protect their interests and their customers, Inscoe points out that “the idea of private personal data is becoming a myth due to the myriad and ongoing data breaches on retailers, restaurants, government entities, health care providers and universities. Any entity that operates online is at risk of a hacking attack, and the data stolen is often monetized on the dark web.”

1.5 million

Fake accounts opened using stolen information or made-up identities in 2015, up from 700,000 in 2014

Bolstering tech defenses
Paul Tomasofsky, partner with McGovern Smith Advisors, says it’s essential to keep customers plugged in to the risks—and the ways to avoid them. He encourages banks to push access to free credit reports and alerts, so that customers can take a more active role in watching and managing their accounts for possible identity theft activity.

Many new technologies can also help community banks “better understand who they are dealing with, particularly in digital channels or contact centers,” Inscoe says. “The use of biometrics is growing—Touch ID, voice, facial—as well as other technologies that can assist with new account applications and verifying identity documents via mobile devices, using information about incoming calls and devices customers use to access their accounts.” As banks implement these technologies, Inscoe believes identity fraud will decrease, though she notes fraudsters will likely launch different modes of attack.

Tim Francis, enterprise cyber lead at Travelers, believes another key prevention opportunity is when a community bank informs its customers that the bank will never send emails asking for credit card information or financial records. This way, Francis explains, “if and when a spoofing email attempt takes place, the customer might have a chance to remember, ‘Wait a minute. That doesn’t sound right. They said they weren’t going to do that.’”

Similarly, Wagers agrees that educating the bank’s employees is of utmost importance. “We need to be aware that the client may be involved in fraud that they don’t even understand. And we need to stop and help them before they get stuck,” he says.

Gough credits community banks with being among the first to adopt automated tools for anomaly detection and fraud detections. “This has been coupled with additional layers of protection around customers’ accounts,” Gough says, “and any ability to transfer funds out of the institution.”

Karen Epper Hoffman is a writer in Washington state.