Detect and prevent banking application fraud
Analytics and artificial intelligence uncover the real challenge – synthetic identities
Dan Barta, Principal Solutions Architect, SAS Global Security Intelligence Practice
The financial services industry won’t soon forget the headlines about a 63-year-old New Jersey jeweler charged with leading a fraud ring that colluded with merchants getting kickbacks. One of the largest credit card fraud schemes prosecuted by the US Department of Justice, this case involved more than 7,000 fake identities and 25,000 fraudulent credit cards obtained through banking application fraud. It resulted in more than $200 million in losses.
Early-detection analytics can redefine the odds of discovering banking application fraud. For example, in our work here at SAS with an Asia Pacific bank, network analysis found:
- 60,000 contact phone numbers referencing immigration agents.
- 5,000 contact numbers referencing casinos.
- 2,500 phone numbers referencing the bank branch at which the application was made.
- 1,500 numbers referencing a meat processing plant.
These signs pointed to fraudsters flying below the radar with high-volume, low-value credit applications. Using SAS® software, the bank found four times more banking application fraud, valued at $3 million a month, compared to its former techniques.
The analytic methods that help detect banking application fraud also apply for other credit-granting organizations, such as telcos, online retailers and auto finance organizations.
Synthetic identities: The gold standard for banking application fraud
Fraudulent applications can start with stolen or manipulated identities, but the preferred approach is to use synthetic identities – a combination of fabricated credentials not associated with a real person. Hence, no one complains about a new unauthorized account, credit card or line of credit.
This dissociation from a real person makes banking application fraud via synthetic identity fraud particularly attractive to fraudsters – and more challenging to detect. Gartner estimates that synthetic identities are behind 20 percent of credit charge-offs and 80 percent of credit fraud losses.
A common pattern in the US is to create fake Social Security numbers or get them off the “dark web” – preferably SSNs of the deceased or children, not likely to notice unauthorized credit activity. Once an identity is created, the fraudster builds the appearance of a real person by:
- Applying for credit, which triggers a credit bureau record whether the identity is real or not.
- Adding the synthetic identity as an authorized user on an existing account, which may itself be a sham.
- Getting merchants, real or fake, to collude in creating bogus credit accounts and credit bureau reports.
For all three approaches, the underlying theme is the same: The fraudster exploits the services of the credit industry – banks, other creditors and credit bureaus – to build a credible identity to gain access to yet more credit. That’s banking application fraud at its core.
Gartner estimates that synthetic identities are behind 20 percent of credit charge-offs and 80 percent of credit fraud losses.
How to detect bust-out fraud
That New Jersey ringleader and his associates had honed the art of a bust-out scheme: open a line of credit for a fake identity, cultivate a good history for that account, then grab the big payoff. In insider terms, it’s “make up,” “pump up” and “run up and cash out.”
Analytics and machine learning are empowering banks and other creditors to fight back more effectively – and earlier in the game. The trick is that the best analytical methods will vary depending on available data, the type of fraud and the phase of the endeavor. Multiple methods used together can very effectively find fraud while managing false positives.
At the make-up stage, the fraudster manufactures identities and uses them to gain access to credit. Financial institutions can spot the seeds of future fraud by:
- Monitoring application data to see if the same information or device is being reused across multiple identities that otherwise appear unrelated.
- Assessing past experience for existing or closed accounts that shared the same data element, such as device ID, address or SSN.
- Searching for “proof of life,” well-rounded details for the identity, such as driver’s license, voter registration or property ownership.
- Analyzing the social network to spot unusual or suspicious connections (or lack thereof) among applicants, devices, accounts, credit files and application data.
At the pump-up stage, the fraudster uses credit lines in a normal fashion, making small purchases and paying off the account each month, thereby creating the appearance of good credit, which is used to request further credit.
Even though the fraudster is building a good credit file, there are ways to identify suspicious or high-risk activity on these accounts through rules and models. For example:
- Are payments from the same source (bank and account) being used to pay otherwise unrelated accounts?
- Is the same device being used to access and/or make payment on what appear to be unrelated accounts?
- Are credit lines fully used soon after account opening?
- Is the bank offering the credit line increases, or are the requests coming from the “customer”?
- Given the demographic data on the credit application, would the credit-holder be likely to purchase from the type of merchants where the account is being used?
At the run-up and cash-out stage, the fraudster (or organized fraud ring) maxes out the cards and disappears. In some cases, the fraudster will make a final payment with a counterfeit check and quickly max out the accounts before the bank realizes the payment is worthless. This results in an even higher loss than the credit limit on the card.
It would be optimal to uncover the scheme before the run-up and cash-out stage. Rules and models can detect late-breaking indicators, such as:
- Increased transaction frequency.
- Repeatedly maxing out a credit line and paying it off in full without carrying a balance.
- Payment on a card significantly before the payment due date.
- Payment by check when prior payments were made online.
- Network association with other accounts showing high-risk activity.
If a charge-off occurs, forensic analysis of the account can help you tune the rules and models for ever-greater precision and support smart collection efforts. You can use the experience from previous scenarios as inputs for unsupervised or supervised machine learning, where the algorithm finds and learns from patterns in the data. By uncovering what you didn’t know to look for, machine learning has been shown to detect more fraud, even rare events that don’t follow common patterns.
On the positive side, fraud detection analytics can also affirm legitimate applications that can then be fast-tracked to approval for a more positive customer experience, lower friction and fewer abandonments. With better application screening, good customers get expedited service, and bad ones are detected before they cash out.
Recommended reading
- Australian Superannuation at RiskWith over $2tn of assets, Australians’ retirement savings are under attack from Fraudsters and Hackers, even more so as Superannuation providers move into Digital with customer portals and faster processing. However, it is not all doom and gloom as behavioural signals of fraud are typically there well before the actual fraud occurs.
- How can analytics change the world of 'Narcos'?Surveillance, wire-taps, interrogations, informants… all valuable intelligence gathering techniques. But modern law enforcement and federal agents are now aided by a new technology to zero in on drug trafficking: analytics.
- Mobile payments, smurfs and emerging threatsM-payment remittances are replacing traditional banks and money services that have historically charged high fees for small transfers. Former US Treasury Special Agent John Cassara maps what he sees in the road ahead and gives advice for protecting your firm.
Ready to subscribe to Insights now?