Identity Theft Victimizes Businesses as Well as Consumers
By Jeremy Henley, - Article on February 27, 2017
- Cyber Security
- Data Breach Notification
- Data Privacy
- ID Experts Services and Software
- Identity Theft and Fraud
No company wants to be in the news for a data breach. But did you know that your business may be a victim of data breaches at other companies? Stolen identities are often used for new account fraud, and criminals are making fraudulent accounts harder to spot. Not only are businesses losing money on those bad accounts, they may also be losing future business because identity theft victims see them as complicit in the fraud. New account fraud is a growing problem, and businesses of all kinds need to step up to better protect their revenue, their reputations, and the consumers they serve.
In working with identity theft victims, my company’s identity recovery team sees all kinds of new account fraud. Identity theft victims often have credit cards taken out in their names, but we also routinely see fraudulent mobile and broadband accounts, loan applications, property rentals, and even strange scams such as heavy equipment leases. Victims are typically shocked at how easily thieves can exploit their personal information, and they often ask us, “Why do companies make it so easy to take out an account in my name?”
The problem is that criminals have so much stolen personal information available to them that it isn’t difficult for them to fill out an account application. According to a 2016 Javelin study, criminals used stolen personally identifiable information (PII) from 1.5 million consumers to create fraudulent checking, credit card, loan, and other accounts in 2015, more than doubling new account fraud over 2014. And more than 7 million people reported having their Social Security Numbers (SSNs) breached, a 63 percent increase from the previous year.
The move to EMV or chip credit cards is also contributing to the rise in new account fraud. Crime rings used to steal credit card numbers, manufacture counterfeit credit cards, and then sell them or use them to buy goods that could be resold. Chip cards are difficult to counterfeit, so criminals are going to the source instead, applying for legitimate chip cards using stolen credentials.
The move to online account applications has also made it easier for criminals to use stolen PII because they don’t have to present picture IDs, and they can quickly and easily apply for many accounts from different businesses.
New accounts is the fastest growing form of identity fraud, and Javelin says it already accounts for 20 percent of business losses from fraud. Businesses often don’t realize how much money they’re losing to new account fraud because of new criminal tactics meant to delay detection. For example, fraudsters may use the identities of elderly or deceased people or children because no one is likely to be checking their credit reports. They also use what’s called “synthetic identity fraud” which combines a real name and date of birth with a SSN that isn’t actually associated with an individual; again, because the SSN has no owner, no one is likely to notice the deception. Criminals are also becoming more deliberate and patient, opening bank and credit accounts, making small purchases and paying on time, building up a good credit history and higher credit limits before suddenly making a bunch of large purchases or withdrawals and disappearing.
American Banker reports that banks often underestimate losses due to fraudulent accounts because of the difficulty in identifying them. Javelin found that businesses tend to write these losses off to bad debt issues unless a consumer or law enforcement official contacts them and reports the fraud.
New account fraud has additional business risks and costs beyond revenue loss. The Association of Certified Fraud Examiners reports that fraudulent accounts are sometimes used for crimes such as money laundering, which can bog your organization down in criminal investigations. There are also regulatory risks, since both the FTC Red Flag rule and the Patriot Act require businesses to verify applicant identity thoroughly before opening new accounts.
New account fraud makes us all victims—the individuals whose identities are stolen and the businesses who face losses. And experts expect the threat to grow. Al Pascual, research director and head of fraud and security at Javelin, told American Banker that he expects the trend to accelerate. “I predict we’re going to go from 1.5 million to well over 2 million new account-fraud victims next year.” In a recent American Banker survey, almost a third of bank chief information security officers said the overall increase in identity theft was one of their top five challenges. And banks aren’t the only businesses who should be worried about this growing threat.
Among our risk management goals should be to better detect new account fraud, to understand its impact, and to strengthen identity validation in the account approval process.
Fraud prevention is a cross-organizational effort, and I’ll talk about it more in a future article. In the meantime, there is one organizational improvement that the privacy team can lead immediately. Too often we hear that when identity theft victims call about account fraud in their names, they are treated as if they are deadbeats trying to avoid paying or they find that the business has no process for clearing their names. And when they have a bad experience, believe me, they share their frustration with a wide circle of family and friends.
Until we can prevent new account fraud, it’s going to lose us money, but it doesn’t have to also lose us future business and consumer goodwill. As privacy professionals, we understand that identity theft is a frightening and stressful experience. We are in a great position to advocate for account fraud victims and to help our organizations develop a process for handling their issues quickly, competently, and respectfully.