How Fraudsters Take Loans with Stolen IDs

To truly know how to combat fraud, a fraud prevention company needs to develop a deep understanding of how fraudsters think and act.

Today, we’ll look at how fraudsters apply for a loan with a stolen ID. By examining each step they take to hide their real identity and intentions, we will consider what helps them succeed – and, importantly, how to stop them each step of the way.

It Starts on the Dark Web

Like with many other illegal online activities, it all starts with the dark web. This is the collection of websites on the internet that are encrypted, non-indexed by search engines, and require specific tools and software to access.

The darkweb’s main appeal is that it provides anonymity. Using the Tor browser, you can visit special .onion addresses that are only accessible via its hidden service protocol. Alternatively, fraudsters can use I2P, which makes use of a peer-to-peer-like routing structure.

It is where you will find most illegal marketplaces. However, it should be noted that some sellers of illegal goods and stolen information also function on the clearnet, on forums, social media and elsewhere – which means their fellow criminals can access them with a standard web browser (Chrome, Safari, Firefox, etc..)

Why Do Fraudsters Target Lenders?

Lending fraud offers ample opportunity for criminals to acquire cash that can be used right away rather than being subject to money laundering. It also takes a while to be found out as a scheme.

A fraudster who tricks a lender into giving them money can simply walk away and never pay back. The bank or lending organization will not know what has happened until at least a few months later, when they notice there are no payments being made.

We’ve already explored why fraudsters love payday and fastloan companies. But according to the description we found in a fraudster guide, this is how they see it in their own words:

“Payday and installment loan companies are generally low security as they charge such high interest rates and want to process as many loans as possible. Also due to their nature they are quick to pay out. This makes them ideal targets for loan fraud, and our guide will show you how to make EASY MONEY! Not just limited to payday loans, this guide also works EASY with other loan companies.”

How Fraudsters Apply for Loans Using Stolen IDs

All evidence points to the fact that loan fraud is rampant. For example, in the UK, an estimated 11% of approved loans have been obtained fraudulently. Though there are different practices that fall under this umbrella, today we are going to focus on fraudsters applying for a loan with stolen identities.

Unfortunately, our investigation shows that it is very easy to obtain all that’s needed for such a scheme. Keep in mind that the steps we describe below are just one of several ways to do this.

Step 1: Install the Tor Browser

The first thing a newbie fraudster will do is install the Tor Browser and head to a known darknet marketplace. Even if they are not familiar with these, detailed instructions published on searchable websites and forums will point them in the right direction.

From there, just browsing the products available revealed that beginner guides to this process abound as well.

Here’s How to Stop Them: Fraud prevention software uses browser and device fingerprinting, which includes identifying whether the applicant is using Tor. In fact, analyzing the individual’s IP address in the way SEON does will alert us to whether they are using what is called a Tor Exit Relay, whose IPs are well known.

Step 2: Buy Fullz

Fraudsters have coined the term fullz, to refer to a full combo of personal ID details that can be used. They usually include a first name, last name, ID documents and optionally a credit card number. 

Here’s How to Stop Them: A fraudster using stolen fullz will typically not have access to the legitimate individual’s actual email account. Instead, they will sign up for a new email address on Gmail or another free provider that seems to match the fullz they have bought. SEON’s email data enrichment examines the digital footprint linked to any email address, which means that it is able to pick up the fact that this email is newly created and has little, if any, activity online. This should be a very big red flag for the applicant.

Step 3: Purchase Credit Information

Traditionally, lenders protect their bottom line by deploying credit scoring systems. However, fraudsters have a way around this.

They simply purchase background and credit information with pre-existing high credit scores for their applications.

They will even pay for this using stolen cards, to avoid being tracked. Some of the savvier cybercriminals will even use stolen Social Security Numbers belonging to children to create a synthetic identity, which combines some stolen and some invented information because children have clean credit records.

Here’s How to Stop Them: SEON’s email data enrichment can help a lot here too, letting the lender know that something seems off and this person’s online activity doesn’t match that of a typical denizen of the internet. Meanwhile, velocity checks will catch any suspicious attempts are multi-accounting, as fraudsters are likely to make up several attempts in a short period of time.

Step 4: Deploy OPSEC Tools

At this point, the criminal will set up a series of tools to hide their real location in the form of their IP address, as well as sometimes spoof innocent-looking devices.

Another aspect of fraudster OPSEC involves putting in place a way to fool IP lookup tools and software. What they will do is purchase a validated IP address, or spoof it using proxies, emulators, Tor and other tools.

Here’s How to Stop Them: Fraud prevention software truly shines when it comes to catching the tools of the trade of fraudsters and cybercriminals. It is a game of cat and mouse but because more experienced fraudsters tend to use a lot of tools to hide their true identities at a time, they will appear more suspicious. Using sophisticated device fingerprinting, SEON will add points to the risk score of every applicant that seems, for example, to be spoofing their device, as well as their location.

Step 5: Get a Bank Account

Once they have approved a loan, lenders will pay directly into the applicant’s bank account, and so, a fraudster will look to acquire one to receive the loan.

Of course, they make sure this bank drop can’t be linked to their real identity, so they may instead conduct an account takeover on a lending platform or purchase a hacked account from a dark marketplace.

Here’s How to Stop Them: As a solution, SEON is industry-agnostic. One sector several of our customers belong to is banking, where fraud prevention is multi-pronged and has several touchpoints, at onboarding, transactions, sign-ins and elsewhere – catching fraudsters before they do harm and helping banks and their customers grow safely.

Step 6: Generate a Verified Phone Number

Multi-factor authentication is near-ubiquitous these days, especially so in fintech. Often using a one-time password to authenticate the account owner, this system presents another challenge for fraudsters.

Since the fraudster is mimicking the behavior of a legitimate applicant, they need to present the lender with a legitimate phone number to link to their application.

Unfortunately, fraudsters can easily download specialized tools from the App Store or Play Store to generate numbers on a burner phone – designed not to leave a trace of their real identity or location. There are similar tools for PCs.

Here’s How to Stop Them: SEON’s phone number-based data enrichment will take the phone number provided by the applicant and enrich it to give us dozens of data points that help assess their real intention – including details about the network, their online presence, etc.

Step 7: Use Photoshop to Pass KYC

At this time, fraudsters have deployed all the tools they need to conceal their real identity. However, lending companies have in place identity verification software and tools both to protect from fraud and fully comply with the law.

This means that they will ask to see documentation that serves as proof of the applicant’s name, address and sometimes age.

The method fraudsters have to stop this involves either buying fullz that include such ID documents as part of the deal or simply paying someone to create convincing documents that reflect the false identity.

Several services exist online that will help criminals with this pursuit if they don’t do it themselves, no questions asked.

Here’s How to Stop Them: SEON does not provide document verification services. However, our customers use our solutions to save on their KYC costs by running pre-KYC filtering. Thanks to SEON’s data enrichment, obvious fraudsters can be filtered out of the system before they reach KYC, so our customers need only run these expensive types of checks on users more likely to be approved.

Step 8: Apply for the Loan

Once all the above preparation is in place, the fraudster is ready to apply for the loan. It is not unusual for criminals to target loan companies that cater to specific demographics, have less meticulous affordability checks and due diligence procedures, or even come with higher premiums, as they will not be paying them anyway.

In reality, no lender is safe – from banks to those who cater to the underbanked, payday loan companies and other short-term lending institutions.

As they make their application, the fraudster hopes it gets approved – but remember, even if it doesn’t, they can try again using a different identity, phone number and credentials.

Here’s How to Stop Them: The software can provide hundreds of alternative data points for credit scoring, complementing the credit checks and helping underwriters make better informed choices. All of the aforementioned solutions, and more will work together to provide a fully explainable, granular risk score for each applicant.

Step 9: Cash Out via Crypto Exchange

Once their loan has been approved, the lender deposits the funds into the bank account the criminal has acquired access to in step 5. Now, it’s time to cash out the money.

This is one more step that technology has unfortunately made easier for fraudsters in recent years. It usually involves sending it to a cryptocurrency exchange, where they can buy bitcoins or other currencies, which can be used to continue purchasing goods or more fraud tools. 

Here’s How to Stop Them: This type of cashing out is preferred by fraudsters because it is less easy to track, and in general terms, anti-money laundering laws in the crypto industry aren’t as strict as in banking linked to fiat currencies. However, SEON does work closely with several crypto brands to stop fraud and help stay compliant with AML legislation, including CoinCash, which saw a 90% drop in a need for manual reviews and a 60% drop in fraud.

How to Protect Your Business from Loan Fraud

At every step of our research, we were amazed at how easy it would be even for a newbie to start defrauding lenders, including neobanks and microfinancing companies. No wonder it is one of the most targeted verticals by fraudsters. 

But the good news is that there are plenty of ways to catch and stop them. Using a combination of tools and processes, you should already have enough data points to create a much more precise of who your borrowers are:

• While some points are falsifiable, it’s harder to falsify all of them all of the time. By checking the connections between data points, a good integrated system can find red flags that would otherwise go unnoticed. This can stem from device fingerprinting, IP scanning, or even an applicant’s email address.
• Being proactive works to weed out bad applications. Consider what else can be done at the credit scoring and underwriting stages. Using the right combination of tools, it is possible to improve your fraud detection rate without sacrificing user experience. SEON’s data enrichment looks at an applicant’s email address and phone number, as well as their IP address, rather than their supplied documents, to conduct alternative credit scoring that will give you more confidence in the legitimacy of a person.
• Staying on top of fraud trends and doing your own research can also go a long way in understanding attack patterns and preventing them. If you have a fraud prevention solution, some vendors offer free ongoing support and advice to make the most of their products and your strategy.

Offering all of the above in tandem with modular APIs, unique insights and a Customer Success team made up entirely of fraud analysts and managers, SEON can be a valuable partner for lenders looking to stop fraudsters from wreaking havoc on their bottom line.

Sources

• Baines Wilson LLP: Bounce Back Loan Fraud