Last month I wrote about the surge in unemployment fraud (thank you, COVID-19). What you may not realize is that unemployment fraud is an example of a type of fraud known as account opening fraud.
Account opening fraud is one of essentially three high-level classes of fraud; the other two are account takeover fraud and payment fraud. While not every type of fraud fits neatly into these three classes, understanding each one goes a long way toward demystifying the topic as a whole, and toward combating the threat.
Account Takeover (ATO) Fraud
As you might expect, ATO fraud occurs when a fraudster takes control of a legitimate account that belongs to someone else. While there are many ways this can happen, here are a few of the more common ones:
- Credential theft through phishing (e-mail or text lures that lead to look-alike login pages)
- Credential theft through malicious code (e.g., keylogging malware)
- Session hijacking or man-in-the-browser malware
The volume of stolen credentials and the rate at which they are stolen make it impractical, if not impossible, to keep up with which accounts have been compromised. A far more practical approach is to look for signs of account takeover. A few notable ones are:
- Anomalous activity in the user journey (e.g., visiting unusual pages or pages rarely, if ever, visited in prior sessions)
- Anomalous behavior in the session (e.g., excessive cutting and pasting into form fields, erratic mouse movements, unusually fast or uniform click timing)
- Anomalous environmental factors (e.g., connecting from a new or unknown device, mismatched ASN and time zone, strange language or user agent settings)
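The three signal families above can be turned into a session score. The following is an added example, not code from the original post or any vendor: the ASN-to-timezone table, the user profile, the two sample sessions, and the weights and thresholds are all constructed assumptions. Note the three-tier decision at the end; as the next paragraph points out, blocking outright needs far more confidence than merely challenging the session.

```python
"""Added example: scoring a login session for account-takeover (ATO) signals.

Everything here (ASN table, profile, sample sessions, weights, thresholds) is a
constructed assumption for illustration, not a vendor's rule set.
"""
from dataclasses import dataclass, field

# Assumed: UTC offsets (hours) normally seen from each autonomous system.
# AS64500/AS64501 are in the reserved documentation range, not real networks.
ASN_TIMEZONES = {
    "AS64500": {-8, -7, -6, -5},   # assumed North American consumer ISP
    "AS64501": {0, 1, 2},          # assumed European consumer ISP
}


@dataclass
class Session:
    device_id: str
    asn: str
    tz_offset: int                 # browser-reported UTC offset in hours
    language: str
    pages: list                    # pages visited in this session, in order
    paste_events: int              # paste events into form fields
    avg_click_interval_ms: float


@dataclass
class Profile:
    known_devices: set
    usual_language: str
    page_visits: dict = field(default_factory=dict)  # page -> visits in prior sessions


def score_session(s: Session, p: Profile):
    """Return (score, reason_codes). Higher score means more ATO-like."""
    score, reasons = 0, []
    # Environmental factors
    if s.device_id not in p.known_devices:
        score += 30; reasons.append("NEW_DEVICE")
    expected = ASN_TIMEZONES.get(s.asn)
    if expected is not None and s.tz_offset not in expected:
        score += 25; reasons.append("ASN_TZ_MISMATCH")
    if s.language != p.usual_language:
        score += 10; reasons.append("UNUSUAL_LANGUAGE")
    # User journey: pages this user has never visited in prior sessions
    unseen = [pg for pg in s.pages if p.page_visits.get(pg, 0) == 0]
    if unseen:
        score += 10 * min(len(unseen), 3); reasons.append("UNSEEN_PAGES")
    # In-session behaviour
    if s.paste_events >= 3:
        score += 15; reasons.append("EXCESSIVE_PASTE")
    if s.avg_click_interval_ms < 150:
        score += 15; reasons.append("CLICK_SPEED")
    return score, reasons


def decide(score: int) -> str:
    """Three tiers: a block needs far more confidence than a step-up challenge."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"   # e.g. re-authenticate before any sensitive action
    return "allow"


# Constructed sample data
PROFILE = Profile(known_devices={"dev-a1"}, usual_language="en-US",
                  page_visits={"/dashboard": 40, "/statements": 12, "/transfer": 3})
NORMAL = Session("dev-a1", "AS64500", -5, "en-US",
                 ["/dashboard", "/statements"], 0, 600.0)
SUSPECT = Session("dev-zz9", "AS64500", 3, "ru-RU",
                  ["/dashboard", "/profile/contact", "/profile/password", "/transfer"],
                  5, 90.0)

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL), ("suspect", SUSPECT)):
        sc, why = score_session(sess, PROFILE)
        print(f"{name}: score={sc} decision={decide(sc)} reasons={why}")
```

The suspect session trips every family at once: a never-seen device reporting a timezone that does not fit its network, a browser language the user has never used, a beeline to the contact and password pages, and paste-heavy, machine-fast input. Any one of those alone would land in the step-up tier, which is the point: individual signals justify a challenge, only their combination justifies a block.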
Of course, seeing these signs requires both mature controls and a robust fraud-monitoring capability, and neither is a given. Both require strategic planning, diligent implementation, and continued focus. Further, detecting ATO is one thing; doing so reliably enough to confidently block or deny a transaction, rather than merely flag it for review, is another thing entirely.
When thinking of ATO, our minds may go to bank accounts or other financial accounts. But it's important to note that really any online account can be taken over. Frequent traveler accounts are one example. As a result, the number of enterprises that need to protect themselves against ATO is larger than one might expect.
Account Opening (AO) Fraud
AO fraud, sometimes called fraudulent application (FRAP) fraud, involves opening entirely new accounts. Naturally, fraudsters open these accounts in other people's names and with other people's information, which they typically buy on the Dark Web. Due to the large number of breaches over the past 10 years, a wealth of PII is available to attackers at very low cost.
With PII in tow, fraudsters turn to opening new accounts. In some cases they use a real person's stolen PII directly. In other cases they combine PII from several people into a new, fake person (a synthetic identity). However they arrive at a stolen persona, once the fraudsters successfully open a new account, they can begin enjoying its benefits.
Among the most popular account types that fraudsters love to open:
- Unemployment benefits (filing for and receiving unemployment benefits using someone else's PII or the PII of a fake person created from different people's PII)
- Credit cards (opening credit card accounts and using those credit cards)
- Income tax refund (filing taxes using someone else's PII and receiving a tax refund)
As with ATO, detecting and preventing AO requires mature controls and a robust fraud monitoring capability.
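One place such monitoring can start is the application stream itself. The example below is added here and is not code from the original post or any institution: it runs two consistency checks over constructed applications. A single SSN attached to different dates of birth suggests PII stitched together from several people (the synthetic-identity case above), and one device or phone number submitting many applications under different names suggests a single operator working through a purchased data set. The thresholds and reason codes are assumptions.

```python
"""Added example: consistency and velocity checks over new-account applications.

All records, thresholds and reason codes are constructed assumptions.
"""
from collections import defaultdict

SSN_DOB_CONFLICT = "SSN_DOB_CONFLICT"   # one SSN, several dates of birth
DEVICE_VELOCITY = "DEVICE_VELOCITY"     # one device, too many applications
CONTACT_REUSE = "CONTACT_REUSE"         # one phone number, several applicant names


def flag_applications(apps, max_per_device=2, max_per_phone=1):
    """Return {application_id: [reason codes]} for applications worth review."""
    flags = defaultdict(list)
    by_ssn, by_device, by_phone = defaultdict(list), defaultdict(list), defaultdict(list)
    for a in apps:
        by_ssn[a["ssn"]].append(a)
        by_device[a["device"]].append(a)
        by_phone[a["phone"]].append(a)

    # One SSN with more than one date of birth: the identity is being assembled,
    # not reused whole, which is the synthetic-identity pattern.
    for group in by_ssn.values():
        if len({a["dob"] for a in group}) > 1:
            for a in group:
                flags[a["id"]].append(SSN_DOB_CONFLICT)

    # One device submitting more applications than a household plausibly would.
    for group in by_device.values():
        if len(group) > max_per_device:
            for a in group:
                flags[a["id"]].append(DEVICE_VELOCITY)

    # One phone number attached to different applicant names.
    for group in by_phone.values():
        names = {a["name"].strip().lower() for a in group}
        if len(group) > max_per_phone and len(names) > 1:
            for a in group:
                flags[a["id"]].append(CONTACT_REUSE)

    return dict(flags)


# Constructed sample applications (SSNs, phones and device ids are fictitious).
APPLICATIONS = [
    {"id": "A1", "name": "Maria Lopez", "dob": "1984-03-02", "ssn": "111-22-3333",
     "phone": "+1-555-0101", "device": "d-100"},
    {"id": "A2", "name": "John Carter", "dob": "1979-11-19", "ssn": "222-33-4444",
     "phone": "+1-555-0102", "device": "d-200"},
    # Same SSN as A2 with a different date of birth: PII mixed from two people.
    {"id": "A3", "name": "J. Carter", "dob": "1991-06-30", "ssn": "222-33-4444",
     "phone": "+1-555-0199", "device": "d-300"},
    # A3-A5 share a device and a phone number under three different names.
    {"id": "A4", "name": "Alex Kim", "dob": "1988-01-05", "ssn": "333-44-5555",
     "phone": "+1-555-0199", "device": "d-300"},
    {"id": "A5", "name": "Sam Ortiz", "dob": "1995-09-12", "ssn": "444-55-6666",
     "phone": "+1-555-0199", "device": "d-300"},
]

if __name__ == "__main__":
    for app_id, reasons in sorted(flag_applications(APPLICATIONS).items()):
        print(app_id, reasons)
```

A1 passes untouched; A2 is flagged only because its SSN reappears on A3 with a different date of birth, so the real John Carter's application may be the legitimate one and the review queue should be able to tell the two apart rather than decline both.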
Payment Fraud
Payment fraud is the type of fraud most of us are familiar with: a transaction the account holder never authorized. According to accounting firm Crowe, fraud overall costs the global economy in excess of $5 trillion per year. Payment fraud is a significant portion of this, likely amounting to hundreds of billions of dollars per year.
A few well-known types of payment fraud include:
- Transfer of funds from a legitimate (victim) bank account to a payee account controlled by the fraudster, typically after the fraudster has taken over the victim's account
- Social engineering or scamming a legitimate user (victim) into wiring funds or sending cash to a fraudster
- Theft of payment account information and subsequent use of that information for fraudulent monetary gain
Generally, payment fraud is detected only after the enterprise notices a fraudulent transaction on its account and notifies its financial institution. By then the money is long gone, and the enterprise has suffered the loss. Clearly, it is far better to detect and prevent fraud earlier, well before the fraudster executes the transaction, which is why enterprises need the proper security controls in place.
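What "earlier" can look like in practice: screening a transfer before it executes instead of waiting for the victim to report it. The following is an added example, not code from the original post or any bank. It scores a pending transfer on three signals that match the fraud types above: a payee the account has never paid, an amount far outside the account's history, and proximity to a recent password or contact-detail change, a common precursor to an ATO-driven transfer. The history, events, weights and thresholds are constructed assumptions.

```python
"""Added example: pre-execution screening of an outbound transfer.

History, security events, weights and thresholds are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the sample data as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def screen_transfer(transfer, history, security_events,
                    amount_multiplier=2.0, change_window=timedelta(hours=24)):
    """Return (score, decision, reason_codes) for a transfer that has not yet executed.

    decision is one of: release (send), confirm (out-of-band confirmation first),
    hold (do not send until a person reviews it).
    """
    score, reasons = 0, []

    # A payee this account has never paid before.
    if transfer["payee"] not in {h["payee"] for h in history}:
        score += 30; reasons.append("NEW_PAYEE")

    # Amount far above anything the account has sent before.
    largest = max((h["amount"] for h in history), default=0.0)
    if history and transfer["amount"] > amount_multiplier * largest:
        score += 25; reasons.append("AMOUNT_OUTLIER")

    # Password reset, new phone/e-mail, etc. shortly before the transfer.
    recent = [e for e in security_events
              if timedelta(0) <= transfer["at"] - e["at"] <= change_window]
    if recent:
        score += 30; reasons.append("RECENT_ACCOUNT_CHANGE")

    decision = "hold" if score >= 60 else "confirm" if score >= 25 else "release"
    return score, decision, reasons


# Constructed sample data: a small business paying rent and a utility monthly.
HISTORY = [
    {"payee": "rent-llc", "amount": 1500.0, "at": ts("2024-03-01T08:00:00")},
    {"payee": "utility-co", "amount": 120.0, "at": ts("2024-03-05T08:00:00")},
    {"payee": "rent-llc", "amount": 1500.0, "at": ts("2024-04-01T08:00:00")},
    {"payee": "utility-co", "amount": 135.0, "at": ts("2024-04-05T08:00:00")},
]
EVENTS = [{"type": "password_reset", "at": ts("2024-05-10T09:00:00")}]

# Twenty minutes after a password reset, a large transfer to an unknown payee.
SUSPECT = {"payee": "new-payee-xyz", "amount": 4800.0, "at": ts("2024-05-10T09:20:00")}
# The usual rent payment, weeks after any account change.
NORMAL = {"payee": "rent-llc", "amount": 1500.0, "at": ts("2024-06-01T08:00:00")}
# Known payee but an unusually large amount: worth a confirmation, not a hold.
LARGE_TO_KNOWN = {"payee": "rent-llc", "amount": 4000.0, "at": ts("2024-06-01T08:05:00")}

if __name__ == "__main__":
    for name, t in (("suspect", SUSPECT), ("normal", NORMAL), ("large", LARGE_TO_KNOWN)):
        print(name, screen_transfer(t, HISTORY, EVENTS))
```

The design choice worth noting is the middle tier: a known payee receiving an unusually large sum is not fraud on its face, so it gets an out-of-band confirmation rather than a hold, while the transfer that combines a brand-new payee, an outlier amount and a just-reset password is held before any money moves.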
The merging of security and fraud into one central risk organization is already well underway in our industry. As this happens, security professionals may find themselves confronted by an unfamiliar subject: fraud. With a basic understanding, security professionals can apply similar risk management practices across both domains.