It seems like every few weeks there’s a data breach that exposes the personally identifying information (PII) of millions of people. Sadly, this may be our new reality. In its Account Takeover in 2022 report, Digital Shadows claims that over 24.5 billion usernames and passwords were exposed in 2022 — a 65% increase since 2020.
However, a stolen identity is just the beginning. While some fraudsters and criminal organizations may move down the attack chain to monetize the PII they steal, others specialize in theft and then sell the stolen information. Bad actors can then purchase the PII and use it to commit various crimes, including different types of identity fraud.
What is identity fraud?
Identity fraud is when a person or group uses an identity that isn’t their own to commit fraud. The specific type of fraud can range widely, from a teenager using a fake ID to buy alcohol to international criminal organizations creating identities to steal pandemic-related benefits and launder money.
How is identity fraud different from identity theft?
Identity theft is the act of stealing an identity, while identity fraud is committing a crime using someone else’s identity. However, many use the terms interchangeably to refer to criminal activity involving stolen or fictitious PII.
Identity theft and fraud often go hand-in-hand, but that’s not always the case. For example, rather than using someone else’s identity, a bad actor might alter aspects of their identity to commit a crime. That’s the case with the teenager, assuming their fake ID had their legitimate name and address, but a fake birthday. Bad actors can also create new identities and use these to commit crimes.
Different types of identity fraud
Identity fraud can be the result of a precisely targeted attack, bad actors indiscriminately looking for weaknesses and opportunities that they can exploit, or the purchase and use of stolen PII. It can take different forms depending on the bad actor’s resources and goals, but some common examples include:
Account takeover fraud
Account takeover (ATO) fraud is when an unauthorized person takes control of an account.
Bad actors often try to break into accounts through credential stuffing, which is when they use stolen or bought credentials to try to access accounts en masse. This type of attack often works because people tend to use the same password — or similar modifications of passwords — for multiple accounts. However, bad actors can also gain access to an account after a successful phishing attack or by installing malware on a victim’s device.
Bank accounts are prime targets, as bad actors can transfer money out of them once they break in. However, ATO attacks can target other types of accounts, too. For example, bad actors with access to a social media account might blackmail account holders or try to get their followers and friends to click on malicious links. Loyalty accounts can also be juicy targets because the bad actors can cash out the accrued points, miles, gift cards, or rewards.
While an ATO obviously hurts the account owner, businesses may bear the brunt of the financial cost as they work to make things right. In fact, some organizations might have a legal obligation to reimburse users or an internal commitment to reimburse customers and protect their brand’s reputation.
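On the detection side, credential stuffing leaves a recognizable trace in authentication logs: one source tries many different accounts in a short period and almost all attempts fail. The following is an added example, not code from this article or from Persona; the event tuple layout, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, login_succeeded)
EVENTS = [
    (1000, "203.0.113.7", "alice", False),
    (1002, "203.0.113.7", "bob", False),
    (1003, "203.0.113.7", "carol", False),
    (1005, "203.0.113.7", "dana", True),
    (1006, "203.0.113.7", "erin", False),
    (1008, "203.0.113.7", "frank", False),
    # One person mistyping their own password: a single account, not flagged
    (1010, "198.51.100.20", "grace", False),
    (1015, "198.51.100.20", "grace", True),
    # Shared office NAT: many accounts, but nearly all succeed, not flagged
    (1020, "192.0.2.10", "heidi", True),
    (1021, "192.0.2.10", "ivan", True),
    (1022, "192.0.2.10", "judy", True),
    (1023, "192.0.2.10", "ken", True),
    (1024, "192.0.2.10", "lara", True),
]

def find_stuffing(events, window=600, min_users=5, max_success_ratio=0.25):
    """Flag (source, time window) pairs that tried many accounts and mostly failed.

    Uses fixed windows for brevity, so a burst that straddles a window
    boundary is counted in two halves; thresholds are illustrative.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, ts // window)].append((user, ok))
    findings = []
    for (ip, slot), rows in sorted(buckets.items()):
        users = {u for u, _ in rows}
        succeeded = sorted({u for u, ok in rows if ok})
        if len(users) >= min_users and len(succeeded) / len(users) <= max_success_ratio:
            findings.append({
                "ip": ip,
                "window_start": slot * window,
                "accounts_tried": len(users),
                # Logins that succeeded from a flagged source are likely takeovers
                "accounts_to_lock": succeeded,
            })
    return findings

if __name__ == "__main__":
    for finding in find_stuffing(EVENTS):
        print(finding)
```

The accounts listed under `accounts_to_lock` are the ones to prioritize for session revocation and a forced password reset, since the credentials used against them worked.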
Credit card fraud
Credit card fraud can refer to someone using stolen credit card information to make fraudulent purchases or using a stolen (or fake) identity to fraudulently open a new credit card. While federal laws and card issuer policies protect consumers from financial losses, depending on the situation, the merchant or the card issuer may need to cover the cost of unauthorized purchases.
Medical identity fraud
Medical identity fraud is when a bad actor uses someone else’s medical information to get medical services, products, devices, or insurance benefits. For example, someone might use stolen medical and personal information to buy prescription painkillers.
There is also insider medical identity fraud, which is when a healthcare provider fraudulently adds procedures or medications to a client’s records to collect insurance payments, and friendly medical identity fraud, which is when a person knowingly lets someone else (such as a family member who doesn’t have insurance) use their healthcare coverage.
Medical identity fraud can be especially harmful because it can lead to errors in medical records that could result in harmful mistakes when someone legitimately seeks care.
Synthetic identity fraud
Synthetic identity fraud is when someone creates a new identity, often by combining real information with fake PII, to commit crimes.
For example, bad actors might use Social Security numbers that belong to incarcerated people, the elderly, or children (i.e., groups who don’t frequently use or check their credit) with a fake name and date of birth to apply for credit accounts.
An initial application could lead to a new credit file for the synthetic identity, and bad actors can then build up credit for the identity. Once they’ve established good credit, they can use the synthetic identity to apply for loans and credit cards before “busting out” by maxing out the accounts and taking off with the funds. Bad actors also use synthetic identities to commit other crimes, such as opening money mule bank accounts to launder money.
Synthetic identity fraud is a rapidly growing type of fraud that’s difficult to detect. Once an account is open, the activity often looks legitimate and it can be hard to distinguish between credit losses and synthetic fraud losses.
What can you do to prevent identity fraud?
Detecting and preventing identity fraud is a pervasive challenge for businesses. Implementing strong identity verification and authentication is important — and a legal requirement for some organizations. But bad actors are also quick to change tactics when they discover a new weakness or type of attack, so you need systems and vendors that can react quickly.
Identifying bad actors at account creation is ideal. But you have to find the right balance between fighting fraud and converting good users. Automating checks and processes based on your goals can help, as can dynamically adjusting friction based on each user’s risk signals.
For example, synthetic identity fraud is tough to detect because bad actors know and can confirm all the identifying information related to the fake identity they’re using. However, you can now detect if someone is using a stolen SSN to create a new identity by running eCBSV (electronic consent-based verification service) checks to verify the name and date of birth associated with an SSN. To limit customer drop-off and costs, use a rules-based approach to determine if and when an eCBSV check is appropriate.
Monitoring and authenticating existing customers is also important. Multi-factor authentication (MFA) can help protect accounts from takeovers, even if the bad actor has the correct credentials. But again, to minimize disrupting legitimate customers, you can trigger MFA checks based on specific conditions — such as when someone attempts to log in from a new device or location.
You can also use the user’s actions (e.g., placing a large order or transfer), passive signals, and behavioral signals to trigger additional verification and authentication checks.
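The conditional checks described above can be expressed as a small rule set that adds friction only when risk signals are present. This is an added example, not Persona's product logic; the `Profile` structure, the event fields, the decision names, and the 5x "large transfer" threshold are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """What is already known about a customer (hypothetical structure)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    typical_transfer: float = 0.0  # 0.0 for a new account: any transfer counts as large

def risk_signals(profile, event, large_multiple=5.0):
    """Return the list of conditions from the text that this event trips."""
    signals = []
    if event["device_id"] not in profile.known_devices:
        signals.append("new_device")
    if event["country"] not in profile.known_countries:
        signals.append("new_location")
    amount = event.get("amount", 0.0)
    if event["action"] == "transfer" and amount > large_multiple * profile.typical_transfer:
        signals.append("large_transfer")
    return signals

def decide(profile, event):
    """Map signals to friction: none, an MFA challenge, or full re-verification."""
    signals = risk_signals(profile, event)
    if not signals:
        return "allow", signals
    # A large transfer combined with an unfamiliar device or location is the
    # highest-risk combination here, so it gets more than an MFA prompt.
    if "large_transfer" in signals and len(signals) > 1:
        return "reverify_identity", signals
    return "require_mfa", signals

def remember(profile, event):
    """Call only after a challenge succeeded, so the next login is frictionless."""
    profile.known_devices.add(event["device_id"])
    profile.known_countries.add(event["country"])

if __name__ == "__main__":
    # Constructed sample customer and events
    customer = Profile({"laptop-1"}, {"US"}, 200.0)
    for ev in (
        {"action": "login", "device_id": "laptop-1", "country": "US"},
        {"action": "login", "device_id": "phone-9", "country": "US"},
        {"action": "transfer", "device_id": "phone-9", "country": "DE", "amount": 5000.0},
    ):
        print(ev, "->", decide(customer, ev))
```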
At Persona, we understand how important it can be to fight identity fraud while creating an outstanding experience for your legitimate users. We’ve created a unique Verification solution that you can use to automate and customize your users’ verification journey based on your organization’s specific needs.
You can learn more and get started for free or request a demo today.