More than half of Europeans experienced at least one type of fraud in the last two years, of which one-third was identity theft. So how was their identity stolen?
ID Fraud comes in many forms. In the classical scenario, the ID that the imposter uses is fake. The risk professional, bank employee, or customs officer must detect the inconsistencies in the document as part of Customer Due Diligence (CDD) and Know Your Customer (KYC) procedures.
However, in recent years, technology has gotten so good at detecting tampered or counterfeit ID documents that fraudsters are changing their modus operandi. Criminals have developed more sophisticated ID fraud schemes, enabling them to use legitimate IDs and making it harder to detect the fraud. What are these methods?
Social Engineering: when the victim isn’t aware of being abused
Social engineering fraud consists of abusing a legitimate ID obtained through deceptive tactics. The actual owner of the ID is the victim of a fraud scam. He isn’t aware that their ID is being used for illicit purposes. The goal is still the same; the ID predator tricks its prey into giving up sensitive personal data.
A Social Engineer fraud scheme strategy typically consists of four steps. First, the perpetrators start to collect valuable information to detect vulnerable targets, providing them access to sensitive data. They develop a relationship with these targets through various communication channels (i.e., phone, SMS, email, in-person). The target is then persuaded to share personal data, a PIN, a bank account, or a bank card, enabling the perpetrators to execute their ID Fraud.
Social engineering ID fraud uses six principal methodologies:
Phishing/Vishing/Smishing
happens when the attacker uses impersonation to exploit the target's trust via email, phone, or SMS.
Pre-texting or impersonation
is using a false identity to gain the victim's confidence to obtain information or access to a person, company, or computer system.
Phone spoofing
is when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity.
Spear-phishing or Business Email Compromising (BEC)
is Phishing custom-tailored to target key employees, particularly C-level ones, via social media or email. BEC often targets employees with access to company finances and tricks them into making money transfers to the fraudster's bank accounts.
Baiting
uses a lure such as planting an infected device or some promise to get victims to bite the bait and collaborate.
Like baiting,
Quid Pro Quo
attacks promise a form of service in exchange for sensitive, lucrative information, like when fraudsters impersonate the U.S. Social Security Administration (SSA).
Money Mules: when the victim is under pressure or motivated
Money mules lend out their data, either under pressure or motivated by the possibility to make easy money. Either the mule opens a bank account on behalf of the criminals, or the fraudsters open an account by using the mule's credentials. Criminals pay the collaborator a percentage of the money through the mule. The latter know that they are taking part in a scam, but they aren't always fully aware of the risk and the consequences.
If the bank suspects the transaction(s), the mule's bank account is frozen. They end up on a blocklist. The criminal gang won't pay out the percentage and may even threaten the mule to lose the money. The mule risks up to 14 years imprisonment for money laundering.
Fraud through money mules has financial task forces worried as recruiters or 'pickers' seduce or coerce young people to collaborate via social media (i.e., Snapchat, Instagram, etc.) by posting "Quick Cash" images.
Recently, Europol coordinated its 7th European Money Mule Action (EMMA 7), in cooperation with 26 countries, Eurojust, INTERPOL, the European Banking Federation (EBF), and the FinTech FinCrime Exchange. EMMA 7 resulted in 1803 arrests and the identification of over 18 000 money mules.
A continuous approach to KYC to combat social engineering
In “How humans get hacked”, we analyzed over 1.5 million bank account openings between June 2020 and June 2021, confirming malicious social engineering is one of the most significant risks to information security. Furthermore, our data showed that social engineering attempts increased by 37% between Q2 2021 and Q2 2020, and 47% of the detected financial fraud attempts in Europe involved social engineering.
Traditionally, a Know Your Customer process involved the verification of a snapshot of a customer’s Personally Identifiable Information (PII) during the onboarding phase of a KYC program.
New social engineering tactics call for a radically different, ongoing approach. Once the customer has been boarded and accepted, they require a continuous “movie-like” approach to customer verification. At Fourthline, we refer to this continuous KYC approach as “Identity Monitoring.”
Identity Monitoring takes a holistic view on fraud detection, creating multiple touchpoints to verify and authenticate a customer’s identity throughout the entire customer lifecycle.
If you are interested in how Fourthline can help you ensure compliance throughout the customer lifecycle from start to finish, visit this page or get in touch with one of our risk experts.