Identity Theft in Banking: What You Need to Know

Identity theft is on the rise. Just in the US, criminals stole the identities of 15 million individuals in 2021 and used them for fraudulent schemes that affected 40 million Americans.

Today, let’s look at how identity theft impacts banking institutions – and especially online neobanks and challenger banks.

Why Is Identity Theft a Problem for Banking?

Identity theft happens in numerous ways but the goal is always the same: to leverage real people’s data for nefarious deeds.

Fraudsters and criminals who rely on stolen identities can then target banks in the following ways, for instance:

• opening bank accounts under someone else’s name
• taking out credit loans that they have no interest in repaying
• laundering money without linking transactions to their real-life identities

While flagging fake IDs is a key part of the KYC process, it becomes a lot more challenging when you’re dealing with a real person who is unaware their data has been stolen. 

This is especially true if the fraudsters are sophisticated enough to create a digital footprint that matches the person’s ID or to create a synthetic ID profile – a core strategy deployed when fraudsters open bank accounts.

The identity theft that fuels synthetic IDs comes from standard cybersecurity failures, such as data breaches, phishing, or fake job ads. However, there is also a growing market for “rent-an-ID” services, which see desperate punters sell their identities in exchange for a quick payment. 

In short, bank account fraudsters have no shortage of options when it comes to identity theft. And this makes it harder for banking institutions to separate criminals from legitimate users – especially if they want to acquire more customers online with as little friction as possible.

How Do You Detect Identity Theft in Banking?

In banking, like in any other industry, detecting stolen identities starts at the onboarding stage. In short, SEON can function as a frictionless pre-KYC filter to instantly assess the kind of customer you’re dealing with and raise any red flags.

While the traditional KYC process can help you flag suspicious IDs using identity verification software or document validation checks, there’s a lot of benefit to sourcing alternative data at pre-KYC stage.

This is the best time to find out the following, which the system investigates without introducing any friction to the customer’s journey:

• Is the user connecting with a suspicious configuration (emulator, VPN, Tor, etc.)?
• Are they employing suspicious tools commonly used by fraudsters (eSIM cards, disposable email address domains, etc.)?
• Do they have an online presence (social media profiles, accounts on popular platforms, subscriptions)?

Equipped with the answers to these questions, you can block obvious fraudsters right away. Not only will this help you keep your fintech organization free from fraud, but it can also save you money and time wasted on fully-fledged KYC verification and compliance checks for those who would never pass them.

Think of the score resulting from such a pre-KYC check as a traffic-lights system, allowing you to funnel customers who are confirmed to be legitimate through just the minimum (light) KYC checks required by law – keeping them happy and satisfied.

Meanwhile, those customers deemed to be suspicious but not certainly bad actors can go through a heavy KYC process that scrutinizes their identity very closely, so that you are ultimately only onboarding real people, without any false positive rejections.

Top 3 Custom Rules to Detect Stolen IDs in Banking

Let’s now look at three examples of risk rules where you can leverage that alternative data to spot suspicious users before they create an account with your bank or neobank. 

#1: User Has No Social Media Profiles

At the time of digital onboarding, every customer will provide a phone number or email address. Good news for risk managers: This can be enough to identify suspicious applications that most certainly point to a fraudster.

Using these to check 50+ social signals, you can quickly get an idea of whether that person has an online presence or not thanks to the comprehensive profiles created by data enrichment.

ID thieves might have a name, address and in some cases PII, but they will rarely have the full set of data related to the person. A phone number and email address is easy enough to falsify, but it is incredibly hard to make them link back to the real person’s digital footprint.

For example, it is easy to sign up for a new email handle that uses the victim’s full name but incredibly difficult to convincingly recreate that email account’s online presence on social media, web platforms, apps etc.

#2: The IP Lookup Returns Suspicious Data

An IP address check is one of the oldest tricks in the risk manager’s book, but over the years the technology has evolved to the point where you can pretty much profile users based on their connection details.

You may learn whether they are where they say they are, if their address points to the middle of nowhere or a commercial area instead of a residential one, and if they are trying to spoof this information with proxies and VPNs.

Then, you can feed the results to calculate an IP fraud score, which can be a strong gauge of how risky it is to continue the onboarding process. 

And, of course, you can combine the above with other data points to build an even more precise risk model to flag stolen IDs in real-time.

#3: The Device or Browser Data Appears Manipulated 

Understanding how users connect to your banking website or app can reveal enlightening clues about who they are. A device and browser fingerprinting tool will uncover important technical data relating to their configuration of software and hardware.

So what does an identity thief’s connection look like? In all likelihood, it’s going to be spoofed, controlled or manipulated. They will rely on emulators, anti-fingerprinting browsers, or even privacy-focused operating systems.

Here are examples of rules this may trigger:

As you can see, this person’s browser is raising a few red flags. Its version points to a five-year-old product, which is unrealistic for an everyday user, and there is a spoofing attempt of the user agent (UA). 

Of course, this doesn’t necessarily point to identity theft, but the likelihood that you’re dealing with an imposter increases drastically if they’re relying on these tools which SEON can detect.

Another way to think about it is to ask yourself: Why would someone try to hide their personal data when opening a bank account? 

There doesn’t seem to be much variation here: You are either dealing with a privacy enthusiast or someone who is attempting to fool your KYC process.

How SEON Helps With Banking Identity Verification

Spotting identity theft and synthetic ID fraud starts with an effective ID verification process. While most banks and financial institutions will have a strong KYC process that includes IDV, SEON is designed to let risk managers work with real-time alternative intel as well as in-depth technical data points.

There are key advantages there:

• All the data is enriched in real-time.
• You can perform pe-KYC checks to save on costs and labor. 
• Digital footprint analysis is becoming more important than legacy ID checks.
• Combining these with velocity checks and device fingerprinting allows you to catch more fraudsters.

Thanks to lightweight and frictionless integration, you can deploy SEON as a full end-to-end system, or simply as an additional layer on top of your existing KYC or IDV processes. 

FAQ

Sources

• McAfee: A Guide to Identity Theft Statistics for 2022

Related Case Studies in Banking

• FairMoney Onboards Better Neobank Customers Thanks To Digital & Social Footprint Check
• Leading Challenger Bank Eradicates Bonus Abuse Thanks to SEON’s Email Module

Related Articles in Banking

• 9 Best-Rated Banking Fraud Detection Software in 2023
• The Risks of Open Banking Fraud & How to Protect Yourself
• Digital Banking Fraud Detection Explained for Risk Executives
• Transaction Monitoring in Banking: How It’s Used to Fight Fraud