New Account Fraud is Everywhere, and Not Going Anywhere
Every company should account for new account fraud. Here’s how to do it.
Every company should account for new account fraud. Here’s how to do it.
From basement-dwelling hackers to billionaire cryptocurrency moguls, fraudsters can be anywhere and anyone. The schemes employed by online identity fraudsters come in many forms—account takeover, credential stuffing, reservation fraud—but one subcategory continues to stand out more than others: New account fraud
As the saying goes, “a rising tide lifts all forms of fraud.” The pandemic-fueled surge in e-commerce over the past couple of years ($200 billion in 2021 and 2022) dramatically boosted online fraud, including a ~$2.5 billion hit from synthetic identity fraud in 2022 that’s projected to double by 2024. Expect more of the same this year, and for new account fraud to lead the pack.
Let’s take a closer look at new account fraud, why neglecting it is not a “$mart” idea, and how businesses can onboard new customers faster while neutralizing fraudulent signups.
Are you who you say you are?
So, you’ve ascertained someone isn’t a bot, that they’re indeed a someone. Great! The next step is to make sure this human is a genuine user and not a new account fraudster.
Similar to meeting your partner’s parents for the first time, new account fraud, from a security perspective, hinges on a crucial question: “Who are you really?” Parents want to know their potential son- or daughter-in-law isn’t an ax murderer; companies want to ensure a new customer is legitimate and won’t cost them millions in fraud losses and reputational damage down the line.
The major reason for new account fraud’s ascension is the widespread availability of stolen credentials, including PII (Personally Identifiable Information) data. For peanuts, fraudsters can obtain PII on the Dark Web and open new accounts in other peoples’ names. Or, if they’re particularly creative, they’ll open a new account using a synthetic “Frankenstein” identity consisting of stolen PII from multiple real identities.
Many times, however, security defenses simply aren’t up to snuff. For example, financial organizations reliant on device-based security and PII—otherwise known as static data intelligence—are prime targets for new account fraud. Fraudsters can easily bypass static data-based approaches by hijacking an email then resetting the user’s password, or outsmarting two-factor authentication (2FA) via sim swapping. Even newer security technology such as biometrics can be spoofed. For example, a stolen phone can be unlocked with facial recognition using a photo of the victim’s social media account.
New account fraud is easy for fraudsters to pull off. But the repercussions left in its wake? Those aren’t so easy to come back from.
A nightmare for operations and CX
Whether opening a credit card, applying for a loan, or creating an account to fraudulently splurge on sneakers, new account fraudsters bite B2C companies in a multitude of ways. The pain is palpable. In 2022, 69% of businesses lost over 6% of their revenue due to new account fraud, and 40% of businesses reported 10% or more in revenue loss because of new account fraud.
New account fraud’s nightmarish impact on companies’ operational budgets, bottom lines, and customer lifetime value (CLV) makes sense. In regulated industries, when it’s unclear if a loan or credit card applicant is legitimate, an analyst or investigator is often called upon to conduct the dreaded manual review and slog through loads of flagged applications and accounts, racking up labor costs and wasting precious time. Manual reviews also cause delays that frustrate applicants and potentially lead to churn or abandoned applications.
The customer experience, and by extension the company’s reputation, is equally ravaged by new account fraud—and static data intelligence that hurts more than helps. Exhibit A: false positives. One of the most common false positive scenarios is when someone moves and, upon applying for a loan or opening a new account, is mistakenly red-flagged because the credit bureau or other source has their previous address on file. Imagine applying for a loan you needed yesterday and having to take a selfie with your driver’s license—which also shows your old address, by the way—or worse, jumping on a Zoom call with someone from the bank. It’s easy to see how the added friction of unnecessary document verification steps can turn customer onboarding into customer offboarding real quick.
Thank you for your application. We are reviewing it and will contact you shortly. No thanks.
As long as companies verify new users via physical record checks with static attribute matching, new account fraudsters (and friction) will wreak havoc. Bad actors have every reason to continually outwit fraud defenses at the account creation stage, and one big reason in particular: money laundering. They need all the new accounts they can muster to drop their stolen money into, then move to other new accounts, rinse, lather, repeat.
Another online playground for new account fraudsters is crypto, a market that is weakly regulated and buttressed by funds uninsured by the FDIC. As consumer interest grows and wads of money are transferred every which way, all across the world, fraudsters can create bogus accounts with fake identities while authorities play regulatory whack-a-mole and figure out their security strategy.
In a landscape tailor-made for new account fraudsters, how can businesses fight back, salvage their bottom lines, and prevent genuine customers from jumping ship?
Real-time data: the ultimate truth serum
Scary as new account fraud may be, companies need a steady influx of new, authentic users to spur and sustain growth. But the problem with new users is just that: they are new. In this “first-look” scenario, when your business has no prior history with Nathan Newuser, how do you know Nathan is actually Nathan and not a stolen or synthetic identity, masterminded by some fraudster in his mom’s basement?
Deduce can help companies tell the difference, in real-time. Thanks to our network of 660 million US privacy-compliant identity profiles and 1.5 billion daily user events across 150,000+ websites and apps, in most new account opening use cases Deduce has previously seen 89% of new customers—43% of them mere hours before they enter the new account portal. Deduce’s real-time data, combined with historical behaviors—log in, checkout, password reset, online comments, etc.—help us discern just how risky (or trustworthy) a new user is. And, if we’re looking at a new user and aren’t stricken with deja vu, there’s a significant chance fraud is afoot.
Sure, most companies have a cybersecurity vendor (if not multiple vendors) in place, but the static data provided in the form of an email, biometric fingerprint, and the like can only confirm if a new user is human. Deduce is the additive, real-time component that completes the puzzle. Like a truth serum, Deduce injects its comprehensive breadth of data into the account in question and determines if they’re the genuine article. Remember that wrongly flagged new customer who moved to a new residence? Had Deduce been in the fraud stack, its Identity Insights would have seen online activities from the customer and cross-referenced these with device ID and geospatial data matching their new physical address. Deduce can also pull up the same data for a user’s prior address if need be, further ensuring that real customers aren’t thrown through verification hoops and banks aren’t subjected to pointless onboarding costs and (gulp) churn.
Fraudsters who think they can fake out Deduce will be unpleasantly surprised: they would virtually need to clone themselves to mimic the website browsing and online activity of a profile across multiple devices over an extended period of time—all while living in the same location as their chosen identity fraud victim.
New account fraud is real, really serious, and won’t go away without a solution that consistently identifies real users in real-time. Deduce intercedes at the riskiest fraud stage and stops a potential breach in its tracks, while saving significant time and money during the verification stage and, most importantly, creating a seamless UX for legitimate new users.
Tired of new account fraud? Contact us today and get up and running with Deduce in just a few hours.