Agile identity fraudsters expected to pivot toward the merchant sector

Historically, financial fraud in all its various forms has grown in lockstep with transaction volume. In keeping with tradition, COVID-19 has been the ultimate accelerator of financially motivated identity crime. With millions transacting at a distance — outside the watchful eye of human merchants and their EMV-equipped POS machines — the threat surface widened dramatically nearly overnight. Compounding the risk, economic stimulus initiatives were launched rapidly, often prioritising assistance over security.

Fraudsters capitalised on the chaos, honing their identity theft skills to new levels of efficiency and effectiveness. Using stolen identity information, internet-age criminals got even better at masquerading as legitimate consumers to open a broad range of accounts. Leveraging a series of synthetic, true-name, and hybrid identity theft schemes, these adaptable criminals wreaked unprecedented havoc.

Identity criminals enrol in 2021’s master class for benefits fraud

Government benefits programmes were a siren call to greedy opportunists. The ease with which benefits fraud could be committed – from Paycheck Protection Programme (PPP) to Economic Injury Disaster Loan (EIDL) to unemployment – attracted a whole new generation of instant-gratification crooks. As they tried their hands at the craft, their strategies became finely tuned and their schemes well-oiled. Moreover, dark web criminals prolifically socialised what they learned across their underground communities.

Of course, the good-guy response has been far from flat-footed. Fraud analysts have made significant progress in terms of spotting smoke and dousing it before the fire starts to rage. Added motivation came in the form of embarrassing headlines and the ire of elected officials, motivating state agencies to deploy better controls. That’s the good news. 

The bad news is that as vulnerabilities opened by the pandemic begin to close, fraudsters will move again, targeting other victims – including merchants – with the same skills and methodologies. A mass of new and tenured fraudsters is right now getting into position to strategically redeploy freshly acquired or honed skills. Sadly, the merchant space presents an enticing target for eager identity-theft masters to leverage their COVID-era investments. 

What does this mean for today’s retailers and the providers who support them? The call to dramatically improve the detection of fraudulent identities has never been louder. Specifically, merchants must adopt solutions that penetrate the veneer of synthetic, true-name, and hybrid identities.

Synthetic, true, and something in between

Synthetic, true-name, and hybrid identities are three different approaches to the same crime. Cyber and other criminals pack stolen identity data into bundles that enable them to pose as legitimate consumers. It is a profitable tactic and one that’s getting easier by the day.

As the first of these bundles, synthetic IDs have arguably received the most notoriety of late with increased attention from the Federal Reserve. While they may contain a few true elements, synthetic identities do not represent a real individual. 

True-name fraud, on the other hand, does. It is a scheme through which a fraudster attempts to impersonate a real person using that person’s actual data. 

Somewhere in between the two is hybrid identity fraud, for which fraudsters use a mix of real and fictional elements, but the core elements are typically real. Other aspects, such as contact info, are false. 

Merchants face threats from all three approaches. However, the increasing ubiquity of electronic consent-based verification service (eCBSV) will make synthetic IDs less of a go-to approach for identity cons. As a result, we expect to see a seismic shift to true-name and hybrid attempts in 2022. So, what can merchants and their partners do to mitigate the emerging threat? 

Identity-savvy merchants take strategic action

Two action steps rise to the top of the pile:

• First, anticipate – Identity fraudsters will focus efforts anywhere they can buy or borrow. Therefore, merchants that offer lines of credit or private label cards can expect account opening fraud to heat up. Against this backdrop, it’s a good idea to revisit fraud detection and prevention investments to be sure they are allocated appropriately.

• Second, push – Merchants rely on a quilt of partners to deliver digitally-transformed experiences. While some providers are intrinsically motivated to innovate, others need a nudge. Particularly as fraud shifts to true-name and hybrid ID schemes, providers should have the expertise to analyse data breaches or compromise histories of identity credentials that show up on account applications. That enables a provider to efficiently apply the appropriate degree of authentication, achieving a good balance of security and customer experience. 

There is plenty of innovation underway that promises to advance identity theft mitigation. Things like electronic verification with the Social Security Administration and blockchain-based identity solutions will undoubtedly go a long way toward thwarting crafty identity thieves. Until those developments reach maturity, however, criminals will continue to morph, adapt, and exploit the skills they acquired during COVID-19 to enrich themselves and their cronies. The time to act is now. Think like a criminal: morph, adapt, and exploit the lessons you’ve learned to enrich your organisation and the lives of the people you exist to serve.

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.

About Al Pascual

Al Pascual is SVP, Data Breach Solutions for intelligent identity security firm Sontiq. He can be reached at apascual@sontiq.com. A recognised expert in financial crime, Al’s insights on the effects of fraud have been published by hundreds of publications and shared with attendees at industry events around the world.

About Sontiq

Sontiq arms businesses and consumers with award-winning products and services built to protect what matters most. Sontiq’s brands, IdentityForce, Cyberscout, and EZShield, provide a full range of identity and cyber monitoring solutions, best-in-class restoration, and response products and services. Learn more at www.sontiq.com or engage on Twitter, Facebook, LinkedIn or YouTube.