The hidden underbelly of the stimulus fraud crisis

The security failings surrounding the distribution of economic relief funds as a result of COVID-19 continues to be widely reported. From small business loans to stimulus payments and unemployment benefits, cybercriminals are making in one scam what most will never make in a lifetime. Massive data hacks, fake companies, forged business documents and multiple other efforts to take advantage of federal, state and local governments will ultimately cost billions in losses to taxpayers.

In the UK, the National Audit Office estimated fraud from the Bounce Back Loan Scheme programme could cost up to GBP 26 billion while scammers stole USD 36 billion in unemployment benefits in the US in 2020. Still, stimulus fraud shows no sign of slowing down.

While much attention has been paid to the reported fraud, not nearly as much has focused on how it is happening. There is a hidden underbelly to the crisis that continues to unfold in the world of consumer deposit accounts, and banks have been left in the unenviable position of fighting off these invisible digital enemies downstream.  

While some might believe these fraud schemes to be the work of sophisticated hackers, the reality is quite the opposite. The schemes are simple to perpetrate. Individuals and fraud crime rings are using stolen identities to apply in mass for benefits and then open deposit accounts to serve as mule accounts where they will receive and ultimately cash out or launder the money somewhere else. While the average rate of high-risk applications that get flagged in the account opening process is less than 1%, BioCatch has been witnessing some financial institutions experience rates between 10-50%.

So how is it possible that jobless claims continue to soar even as unemployment rates drop with more people getting back to work? The answer: fraud. Recently, in the US state of Virginia, jobless claims increased 58% in a single week. BioCatch saw a correlation in our data when looking at the proportion of high-risk applications for new deposit accounts originating from this state based on significant spikes in volume that cannot easily be explained by variation. Common sense dictates that if criminals are targeting unemployment relief programs, we can assume that they are also attempting to open new deposit accounts using the same identities to receive the funds.

In another example to demonstrate the magnitude of the problem, at one bank, in just one weekend, 800 fraudulent attempts were made to open new deposit accounts. While many failed initial identity verification checks, 223 attempts, or 27%, were successful in creating deposit accounts. BioCatch identified these accounts were high-risk as indicated by the patterns associated with cybercriminal behaviour during the account opening process, and they were promptly locked by the financial institution before they could be used for fraudulent purposes.

Criminals step up their game with hybrid bots

In one cluster of high-risk applications, we worked directly with one of our customers to investigate the matter further. In doing so, we saw one group of criminals had stepped up their game looking to gain efficiencies in their process. The attack strategy operates in a hybrid bot model where we observed a combination of human and robotic interactions in the sessions. The mouse movements are completed by a human, but many of the important elements are filled out by a bot.

When we compared the mouse movement patterns of a genuine applicant to one of the hybrid examples, it is obvious that the mouse patterns are the result of human interaction. However, when we looked deeper into the behaviour exhibited across other data entry points in the application process, there were strong indicators of bot activity. When comparing the entry speed of First Name and Social Security Number between a ‘fast human’ and a representative bot session from the fraud population, the characters are entered at a speed that cannot possibly be attained by a human.

In studying the patterns associated with this attack, we found that 75% of all fraudulent applications were completed using this hybrid bot method. There were also several other commonalities uncovered specific to copy and paste events and the use of the clipboard after an application was submitted.

Conclusion

Stimulus fraud is still prevalent, and banks have been working around the clock to come up with innovative ways to stop it. One of the prevention tactics many banks have deployed is to stop fraudulent accounts from being opened at all. Simply put, if criminals have nowhere to send the money, they can’t steal it.

In all the cases we have observed of account opening fraud, there were no significantly linked devices in the samples, nor any device features that could provide the same accuracy for detection. Behavioural biometrics provided the extra layer of visibility needed to detect fraud in the account opening process and uncover new customers who really weren’t customers at all.

About Gareth Campbell

Gareth Campbell is Global Head of Threat Analytics at BioCatch. Gareth has over a decade of experience using data analytics to build models that help businesses solve complex problems.

About Andrew Dunn

Andrew is a Threat Analyst with BioCatch in North America. Andrew has over 10 years experience in the fraud industry with focuses around fraud detection, analytics and improving overall customer experience.

About BioCatch

BioCatch is the leader in Behavioural Biometrics, which analyses an online user’s physical and cognitive digital behaviour to protect individuals and their assets. BioCatch’s mission is to unlock the power of behaviour and deliver actionable insights to create a digital world where identity, trust, and ease seamlessly co-exist.