Application Fraud – From Identity Theft to First-Party Fraud

Identity theft is growing at an exponential rate, leading to a rise in application fraud. Javelin Research reported a 17% rise in reported US identity theft victims, from 13.1 million to 15.4 million in just the last year. AITE Group projected the cost of fraudulent applications to be $28.6 billion.

Identity theft, also known as third-party fraud losses, is just the tip of the iceberg. First-party fraud losses - including true name and synthetic identity fraud - can peak to 10 times the size of third party fraud. Depending on factors including region, a bank’s risk appetite, product, channels, target market, maturity of fraud control measures, and portfolio size, first-party fraud comprises between 10-35% of bad debt.

Where is the rise in identity-based fraud coming from? Due to the surge in data breaches, Social Security numbers, mailing addresses, passwords, health history, even the name of our first pet is all for sale on the Dark Web. When you combine this phenomenon with the economic pressure applied on fraudsters to find a new cash cow after chip and signature plugged a gap in card-present fraud in the US, there is a perfect storm.

As a result, we are seeing fraud migrate from card fraud to paths of least resistance. These include card-not-present fraud, such as e-commerce; other products and payment channels such as wire fraud, real-time payments, and other products and channels that are either net-new or have less sophisticated controls; different regions; and most significantly, identity-based fraud in the forms of account takeover and application fraud.

At FICO, we have observed an increasing number of brute force application fraud attacks, where banks lose tens of millions of dollars in a matter of weeks. Financial institutions are coming to us for help because these attacks are becoming a norm, not the exception.

Keeping Up with the Criminals

Fraudsters exploit business changes. Attacks follow events as trivial as the launch of a marketing campaign or as significant as the introduction or expansion of new channels, the targeting of a new market segment, the launching a new product, etc. With the rapid digitization of our world and the consumer pressure for instantaneous decisions, the anonymity and facelessness of the online channel is particularly vulnerable.

The criminals are professionals who systematically test fraud countermeasures and are armed with a barrage of identities - whether true, manipulated, synthetic, or stolen. Fraudsters use technology to implement bot net attacks that allow rapid exploitation of fraud control weaknesses before they are fixed.

The Fraudsters Are Ready. Are You?

I will be exploring just identity-based fraud through a series of blog posts dedicated to fighting application fraud. There will be more on fraud trends, including a piece on the much-feared synthetic identity. There will be interviews with respected fraud and security practitioner, who will give their thoughts on best practice strategy and operational frameworks. There will be insights into analytical innovations that FICO is bringing to market, including how machine learning is used to fight application fraud. There will be an exploration of the data and capability ecosystem required to build a picture of a holistic, layered and integrated approach to stopping fraud at the front door.

Am I missing a topic? Feedback is welcome and I look forward to sharing with you more.