Fraudsters are creating fictitious people. Is your organization ready for that?
Frankenstein was a monster built by a scientist in Mary Shelley’s classic 19th century novel. Today’s fraudsters are inventing their own “Frankensteins” through data pieced together from many sources.
Increasingly, fraudsters are combining real and fictitious consumer data to create false identities — synthetic identities we call them — to commit fraud. In this scenario, fraudsters combine one true piece of identity with fake information; or they piece a Social Security number from here and a former address from there, and a monster (a synthetic or fictitious identity) is born — a monster that can wreak havoc on your organization by interacting with your business in a number of ways that expose your organization to risk and loss if not addressed.
For example, in the healthcare industry, “stealing patients’ identities is lucrative. Medical records are worth more to crooks than credit card numbers. They contain more information and can be used to obtain prescriptions for controlled drugs.”[i] While in financial services, synthetic fraudsters might apply for credit card accounts using “scraps” (a name, a Social Security number, etc.) of stolen identities.
It is estimated that synthetic identity theft resulted in at least $6 billion in loss to banks in 2016 alone.[ii]
Before the holidays, I first addressed cyber fraud prevention in this blog. Today, I’d like to deepen that conversation. Here are two ways to innovate in cyber fraud prevention and detection, tearing apart those Frankensteins before they come to life.
- Validate Existence and Establish a Confidence Score
Establishing and maintaining a trust-based relationship with a customer is foundational. How do organizations do this? How can organizations determine the likelihood that a Social Security number (SSN) represents a real person and not a Frankenstein?
First, you need to validate that the person exists in the real world and has been seen as a customer over time. By using entity resolution technology from organizations such as Acxiom, you can determine if a SSN has been seen in the past.
Next, you can use data element scoring algorithms to establish a confidence score about the SSN — this number indicates how confident you can be, based on the data, that this person is who they say they are. There are three tiers to this analysis:
- Validity of SSN (numerically valid, not deceased, etc.)
- Relationship of the SSN to an individual
- Relationship of a person to the SSN
If the confidence level does not raise any alarms about a potential Frankenstein, then you can let the customer proceed. However, if there are signals of synthetic identity, then you should introduce friction such as the knowledge-based authentication (KBA) exam strategy.
- Use First Party Data in Your KBA Exams
I’d like to suggest a new twist on an old fraud prevention strategy, and that’s the introduction of first-party data — your own customer data — into your KBA exams. Think of it as a modern Q&A test that uses your customer information, which may include names, addresses, phone numbers, website data and information about products purchased. First-party data represents a huge opportunity for your organization to be more current, real-time, and relevant.
The general rule of thumb is this: you don’t want to disenfranchise (annoy, irritate, disgust) your customer — you want them to still like your organization by the end of the “exam.” You want them to feel protected (against fraud) by you, not hassled and prevented from conducting business with you.
While synthetic identities can “blend” into the general population, the use of first-party data from your organization has the power to introduce knowledge that the fraudster will find more difficult to obtain. And, this first-party data represents information that is more personal, fresh, and top-of-mind for your customers so they don’t have to think super hard about it.
For example, you can use first-party data to ask specific, fact-based questions:
- When was your last trip on our airline?
- What was your last purchase at our store?
- Where was your last hotel stay with our organization?
Not many brands are using this approach today; however, it’s much more relevant than obscure questions such as: What was your home address 20 years ago? These questions force the customer to think really hard and introduce a high level of friction that, as I said before, organizations should avoid when possible.
By using first-party data, your KBA exam questions can reach beyond the easy and the familiar, the low-hanging fruit that even fraudsters can grab. When brands use first-party data in their KBA, they empower their own strategies.
So, as you can see, there are ways to prevent Frankenstein from getting up off that table and walking through the digital doors of your organization. Start today.
To learn more about best practices for risk mitigation and fraud prevention, download our new eBook here.