How Merchants and Banks Can Work Together to Eliminate New Account Fraud
Imagine for a moment that a customer arrives at your site, fills up a cart with hundreds of dollars’ worth of merchandise, then completes the checkout process to submit an order. Sounds like a good deal…right?
It’s natural to assume that the person on the other end of that sale is who he or she claims to be. Unfortunately, due to one fast-growing fraud tactic called new account fraud, you may actually be dealing with an imposter attempting to make off with a bunch of merchandise before anyone notices.
Now, eCommerce fraud is nothing new. In the scenario we outlined above, though, even some of the most advanced anti-fraud tools may not be able to identify the buyer as an imposter. This is because many of those tools will try to validate the alleged cardholder based on indicators on file with the issuing bank.
As far as the bank is concerned, the buyer’s identity reflects the name and information on the account. The problem is that the individual attached to that account doesn’t exist.
What is New Account Fraud?
- New Account Fraud
New account fraud occurs when a fraudster adopts a false identity to create a new payment card account. This often occurs at the banking level, with fraudsters using stolen or synthetic identities to secure new credit or debit cards, which they can use to make purchases.
[noun]/* nu ● əˈkaʊnt ● frɔd/
New account fraud occurs when a fraudster uses stolen information to either impersonate an existing individual or to make up a new, synthetic identity from bits of information stolen from multiple individuals. The fraudster then uses that new identity to open an account with an issuing bank and secure a payment card. In some cases, they will open multiple accounts at a time. The fraudster can use these new accounts to make purchases.
Fraudsters who engage in new account fraud know that, eventually, the bank will notice the fraud. As a result, they want to get as much use out of their fake identity as possible before the fraud is discovered.
The goal for the fraudster is to max out the credit offered to them by the bank before disappearing to avoid getting caught. That’s why, in most cases, the fraud occurs over a period of fewer than 90 days between securing a new card and disappearing.
New account fraud is not a new tactic; it’s been around for years. However, these incidents have been growing at an alarming rate recently. According to the FTC, incidents of new account fraud tied to credit cards in the US increased 24% year-over-year between 2017 and 2018
What Can Banks Do?
Here’s the truth: fraudsters are much more sophisticated than most people tend to give them credit for. These criminals are always looking for new methods to take advantage of loopholes and shortcomings in security and industry practices.
Aite Group recently surveyed a number of professionals in the fraud prevention and anti-money laundering space about new account fraud. Roughly two-thirds believe that new account fraud tied to synthetic identity creation is now a bigger issue for banks than more conventional identity theft. Fraudsters latched on to new account fraud as a golden opportunity…and they intend to leverage it.
Take a Dynamic Approach to Fraud Management.
Give Chargebacks911 a call and see how much you could save today.
This is a big problem; unfortunately, there’s no single comprehensive solution. Banks are taking some proactive steps, such as focusing on fraud detection at the account creation stage. There are a number of tactics they can employ as part of this process. For instance:
Banks can keep a list of bad assets that have already been identified as attached to fraud. The financial institutions can then try to detect fraudsters based on their repeat use of these same assets. Some examples include:
- Shared Device Connections
- IP Address
- Keystroke Analysis
On one hand, this tactic can help prevent repeated abuse by the same bad actor. It limits the fraudster’s ability to use the same assets like a phone number, email address, IP address, etc., over and over. At the same time, it’s a reactive approach; they can only identify fraud after a first incident occurs. There’s also the risk of generating false positives, while skilled fraudsters still manage to slip by.
Banks can cross-reference the customer’s historical information—the “paper trail” they leave across the internet. The assets listed above can all be traced to a common identity, suggesting that the user is legitimate.
This allows banks to detect bad actors while minimizing friction for users at the time of account creation. There could be hiccups in the process, though: if a user relocates across the country, for example, the bank may get mismatches in their results.
While they may try to imitate human processes, bots actually behave differently from humans when they attack a site. This fact makes behavioral analysis very effective at detecting bot attacks.
Bots tend to fill out and submit forms in a fraction of a second, for instance. They may also move cursors in straight lines, or type in odd patterns. That said, bots are getting smarter every day, which makes it harder to tell the difference between them and humans. Also, this method relies on client-side code, meaning it’s ultimately at the control of the fraudster.
Each method outlined above has its strengths and weaknesses. While implementing these options at the banking level may help prevent some new account fraud, it’s far from a foolproof answer.
Is There Anything Merchants Can Do?
As we mentioned earlier, this is a form of fraud that occurs primarily at the banking level. It still concerns merchants, though: if the bank is able to determine that you failed to exercise due diligence in trying to identify fraud, you might be held liable for the resulting chargeback.
You can help limit your risk by engaging in fraud management best practices. There are two key fundamental components to this:
Deter Fraud Without Adding Unnecessary Friction
Tracking customer data can help you stop fraud without negatively impacting friction or false positives. For example, you might try streamlining the checkout process for customers who already have a positive history with the company. This is what we describe as taking a “dynamic” (as opposed to static) approach to friction.
This strategy encourages return visitors. At the same time, the additional fraud detection technologies deployed for new customers can help deter fraudsters from attempting an attack. It’s important that you solution does not cause any more friction in the user flow than necessary; you should aim to collect data and deliver a verdict without any additional steps for the user.
Adopt a Multilayer Approach
Only a multilayer fraud solution is capable of targeting the myriad different fraud threat sources. Multilayer fraud detection can include fraud filters, user authentication, and chargeback mitigation, just to name a few.
Of course, you have a finite pool of resources you can devote to in-house fraud detection, analysis, and prevention. You may also lack the expertise necessary to effectively diagnose and prevent fraud. If that’s the case, we recommend seeking help from professional third-party fraud management solution providers.
In this post, we took a look at new account fraud. We looked at what constitutes new account fraud, and why it’s becoming such a problem in the payments space. We also examined what banks can do to better validate users, and how merchants can defend against fraud.
Have additional questions? Our team of chargeback and fraud management experts is ready to help. Click below and get started today.