By Amy Walraven - President, CSO, and Founder at Turnkey Risk Solutions
A spike in cybercrime over the course of the pandemic has become a huge cause for concern among enterprises. According to a report from IBM and the Ponemon Institute, the average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021, the highest in 17 years. These figures emphasize why financial providers need to stay proactive with their data security.
In particular, knowing the difference between criminal identity theft and identity fraud is crucial in consumer protection against these crimes. The terms identity theft and identity fraud are frequently used interchangeably, but while they may seem similar, they are actually two different crimes that have different effects on your business and customers depending on their severity.
What is identity theft?
To put it simply, identity theft, also known as financial identity theft, involves stealing an individual’s personally identifiable information, e.g., a Social Security number, and using that information to create new accounts in the victim’s name, leaving them with significant damage to their finances and reputation. Identity theft can result in bank accounts, credit cards, and significant loans being taken out in the person’s name. Once these are maxed out, the criminal moves on to another identity, leaving the real person attached to that identity to deal with the aftermath.
Below are some of the most common methods criminals use to steal personal data with the intention of committing identity theft.
Phishing schemes: This is the practice of sending fraudulent emails to get access to personal data. Identity thieves will usually disguise themselves as a person’s credit or banking provider and ask for details such as passwords and account numbers. Even social media account phishing can lead to financial identity theft because the security questions used to protect your social media accounts are often the same as those protecting your bank account.
Malware attacks: Criminals will write scripts or programs that will install malware once a link is clicked. The software can perform malicious actions such as keylogging your passwords or more invasive spying on your computer activities.
Public network interference: Public Wi-Fi usually lacks security, so identity thieves can take advantage of these public networks to eavesdrop on other connected devices. If a person makes a banking transaction, a hacker might be able to intercept and steal the entered credentials.
Database attacks: Cybercriminals often target enterprises that handle sensitive and personal info, such as financial institutions. If sophisticated enough methods are used, or an organization's security protocols are weak or have gaps, criminals can potentially bypass a company’s security systems and steal both personal and financial credentials.
Theft of physical wallet, documents, and mail: The most direct way a criminal can access your information is by physically stealing your personal documents. Some may even scavenge through trash cans and dumpsters to acquire a person’s details.
Card skimming: Some criminals will attach a scanner to ATMs that copies bank card details. These devices also come with a hidden camera that can capture PIN codes, making it easy to steal your information.
Purchasing of credentials via the dark web: If a cybercriminal wants access to specific personal information to take over accounts and make unauthorized transfers, they can go to the dark web to see if anyone already has the information and is selling it.
What is Identity Fraud?
Identity fraud is the act of committing fraud with that stolen information. Cybercriminals will exploit an account you already have or use the information to create a new bank account, commit debit card or credit card fraud, create false IDs like a passport, and take out false loans or withdrawals. In contrast, identity theft can be viewed as the action of stealing an identity, or personal identifying information.
Not only can fraudsters steal the identities of crime victims, but they may even create synthetic identities to conduct fraudulent transactions. In synthetic identity theft, the synthetic identity is a combination of fabricated credentials that is not associated with a real person. An identity thief may create synthetic identities using a potentially valid Social Security number with accompanying false personally identifiable information.
Below are some common examples of identity fraud.
Credit card/line of credit fraud: A fraudster uses stolen personal information to open a new line of credit or max out an existing one. Sometimes fraudsters play the long con by creating a “Frankenstein” identity. This involves opening a fraudulent credit card account and making payments over years to build up their credit score. Once they’re able to get a higher spending limit and unsecured loans from a financial institution, they max out the account, never paying it back.
Account takeover: Account takeover occurs when an unauthorized individual gains complete access to a person’s financial accounts. They lock the original user out by changing the login details and then steal money and leak recorded information. Scammers can also apply for fake ATM cards and make multiple withdrawals over time.
Government benefits fraud: Criminals may use an individual’s personal information to claim their government benefits. This has become more frequent since the onset of the pandemic and has resulted in billions of dollars being stolen from taxpayers.
Fake IDs: Criminals create a fake ID using an individual’s personal information. Apart from reputational damage, an identity theft victim may become liable for crimes they did not commit. Stolen social security numbers can be used to generate synthetic identities.
Home title fraud: This occurs when a scammer gains possession of a person’s property title. Combined with access to personal and financial details, they transfer ownership to themselves. Using the home equity as collateral, scammers are able to take out big loans under the person’s name.
First-party fraud: This occurs when a customer is the one defrauding a financial institution, such as taking out a loan or credit line without intent to pay the funds back.
The Need for Identity Proofing
Both identity theft and identity fraud should be of great concern to organizations. With digital processes built on vulnerable infrastructure and a lack of current and updated regulations addressing identity fraud, it’s easy for fraudsters to commit crimes and take advantage of the gaps and weaknesses in the system.
Falling victim to an attack can threaten a company’s financial and reputational stability and the safety of its customers. These consequences for potential crime victims emphasize the importance of identity proofing. Making use of biometric IDV security systems and linked, layered, and continuous multi-factor authentication will ensure that only verified individuals are able to conduct transactions, access systems, and manage sensitive information. Because there are so many ways to commit fraud, using a variety of solutions to combat it is key.
About Amy Walraven
Amy is the Founder and President of Turnkey Risk Solutions.