November 3, 2021
By Greg Woolf, CEO of FiVerity
By combining fraudulent theft with cyber tactics, Synthetic Identity Fraud (SIF) has emerged as the fastest-growing financial crime. How big is the problem? Based on insights from our Cyber Fraud Network, FiVerity estimates losses among U.S. banks grew to $20 billion last year.
A key factor in SIF’s growth is its ability to evade traditional fraud detection systems. According to ID Analytics, more than 85% of likely SIF attacks are undetected by legacy solutions. This failure is largely due to a rule-based, top-down approach that presumes to know what a fraudulent application looks like. Static rules determine how well each application matches this assumption, and the more boxes that are checked – for instance too many credit inquiries over a short time period – the higher the fraud score.
This approach served the industry well during the decades that bank fraud was a largely manual process – a single criminal could only steal so many identities, and enough of these would be detected by static rules and other safeguards. Today’s global criminal organizations however, leverage sophisticated technology that continuously change tactics as they create SIF identities, confounding rule-based systems.
With over 1.3 billion identities compromised via data breaches over the past five years alone, cyber fraudsters have extensive source data to work with. Their process starts with bots that mine the dark web for personally identifiable information, then stitches elements together to create a synthetic identity. This isn’t just a time-saver, however. It’s the engine that allows them to create tens of thousands of loan applications that go on to inform machine learning algorithms.
Each rejected and approved application then serves as a feedback loop for the machine learning system. The process is essentially figuring out thresholds for each of the rules used by legacy systems and creating new applications that are increasingly difficult to detect.
By their very nature, synthetic identities also evade the basic safeguards that alert banks to identity theft and other forms of fraud. As there’s no actual customer, there’s unlikely to be any abnormal spending that would trigger a double-check on a purchase. Similarly, there’s no customer that might notice a fraudulent purchase and call their bank.
The cost of SIF goes well beyond financial losses to banks as SIF accounts provide criminals with thousands of “aliases” to perpetrate all sorts of serious crimes. The Federal Reserve notes SIF has been tied to global crime rings active in smuggling weapons and drugs, as well as human trafficking.
Cyber Fraud Defense
How do we respond to threats that are virtually undetectable by the industry’s standard defenses?
Bottom Up Approach
Adopting the machine learning approaches used by fraudsters is the most effective way to counter their attacks. Instead of assuming what a fraudulent account looks like, machine learning takes a “bottom up” approach, searching profiles for patterns similar to those of recently confirmed fraudsters. Instead of checking against a set of static rules, these new systems learn what the fraudsters are up to and adapt as tactics evolve.
Human in the Loop
You may not be surprised to hear that AI is required to fight AI – but implementing an effective program might be easier than you’d think. Not all cyber fraud defenses require the massive amounts of data needed for most AI systems. Instead, they scale the work being done by the bank’s team of fraud analysts. The software analyzes applications, presents its findings to the human in the loop, and learns from the confirmations or corrections they provide – getting smarter over time.
An Existential Requirement
There’s no silver bullet to fighting fraud, and there’s still value in legacy systems – they can work alongside AI-driven systems to catch a wider range of fraudulent activity. Financial institutions do however need to modernize their approach to detecting new threats like SIF. Successfully taking on new and evolving crimes that combine fraudulent theft with cyber tactics is an existential requirement for every consumer lending institution.