08/15/2024
Blog
State business registrar leaders need high assurance unknown internet users match submitted registration information. Unfortunately, registrars face challenges due to widespread availability of stolen identity information — putting their organizations and constituents at high risk of fraud.
Many business registrars don’t have a dedicated fraud department, role or expert. They instead rely on technology partners supporting their missions for strong customer experiences — ideally while emphasizing friction-right fraud detection capabilities.
When you combine the convenience of the internet, increased availability of stolen and easily fabricated identity information and lack of fraud controls, it creates an environment primed for fraudsters to cause irreversible harm to business registrars, constituents and more. But often, existing first-party data (data provided by applicants) can be critical in taking a first step to analyze and identify fraudsters.
Before exploitative information ever gets to a fraudster, it often starts with a separate criminal who’s sophisticated in mining, breaching and collecting data to broker. Criminal data brokers often participate in widespread, organized crime rings that can operate with significant resources and support. They may capitalize on data exposure that’s inadvertent or unintended to enable fraud. For example, criminals can skim the web for publicly available information, such as certificates of good standing, to capture valuable information quickly without detection.
Data breaches have also become a particularly attractive catalyst for fraud because they potentially allow criminals to use stolen identities to commit crimes at scale. TransUnion’s 2024 Omnichannel Fraud Report concluded almost 5,000 publicly disclosed data breaches took place last year, representing an historic high.
This trend was driven by a 38% year-over-year increase in third-party breaches. Data breaches are one method criminals use to collect personal information for sales on the dark web. But criminals target organizations and consumers alike to harvest identity credentials for profit.
Last year, more than 2 million consumers were targeted in reports of investment scams, government imposter scams and other social engineering schemes, according to the Federal Trade Commission. Malicious software and hardware, penetration testing and web scrappers are a few other methods criminals can use to amass sensitive personal information and take advantage of system vulnerabilities.
Criminal outfits often seek credentials that contain robust data identity that can be used to obtain lines of credit from multiple institutions, apply for loans, enroll in government benefits like unemployment insurance or even register for a false business. Login credentials are often reused by consumers and can therefore enable unauthorized access to multiple accounts. Other types of valuable information can include:
TransUnion measures the ability of breaches to enable identity fraud and specifically, public sector fraud. Using a Breach Risk Score where stolen identity information had the potential to further public sector fraud, a proprietary TransUnion analysis found risk increased 73% from Q1 2020 to its highest point in Q4 2023. In the months following one of the largest attacks in recent history — the MOVEit breach which began in May 2023 — TransUnion also saw public sector customers experience consistent growth in the percentage of suspicious transactions they oversaw compared to all transactions.
When fraudsters purchase personal information, it can be used to perpetrate many or multiple criminal schemes.
Stolen personal information can be used in true-name fraud — which can include business identity theft. Multiple pieces of identity information can also be used to fabricate a synthetic identity to register a fraudulent business. Further, when a fraudster submits payment for their false business registration, they may use stolen or illegitimate payment information, causing a monetary loss.
The victims of business identity theft are widespread, including consumers, business owners, investors, employees, financial institutions and state agencies. By using a stolen or synthetic identity to apply for a business registration — or alter an existing registration — a fraudster can establish more legitimacy against a fraudulent identity to further their ability to apply for a business line of credit. They can also create shell companies that enable money laundering schemes, help conceal illegal activities from regulators or law enforcement, or falsify employment records.
Fraudsters use harvested information to target systems with minimal identity verification requirements. Knowing the difference between safe and risky interactions requires a holistic picture of identity to secure trust in the business registration and alteration process. A robust fraud risk assessment of digital transactions can reduce friction for legitimate business registration applicants while keeping fraudsters at bay.
A strong fraud prevention strategy starts with better signal diversity; robust, authoritative and reliable data; and intelligent, risk-based analytics and decisioning to help verify constituent identities.
Fraudsters can be distinguished from true constituents based on device reputation and insights. TransUnion, as an example, offers a global, multi-industry consortium of 6,000 fraud analysts, 10 billion+ known devices, and over 100 million detailed known fraud reports — including instances of credit card fraud, synthetic identity theft, corporate identity theft attempts and more — to distinguish risk levels associated with individual devices without additional personal information being required from the constituent.
Industries from government to banking, travel, ecommerce and more have decades of experience using identity verification to ensure users attempting to create or access accounts or make purchases are authorized to do so.
Verifying consumer identities with confidence starts by looking at the consumer-provided personal data and comparing it against authoritative and robust data sources. In instances such as new business registration, credit reporting agencies can help confirm personal details like addresses, phone numbers and Social Security numbers.
But in faceless digital channels, more device data can aide in determining the risk level associated with the device being used to initiate the registration or alteration request. More diverse sources of public record data can also help identify suspicious and known subjects or high-risk associations between the user and other associates.
A robust fraud solution will better secure trust across the business registration lifecycle from helping mitigate new registration fraud early in the application cycle to reducing the risk of alteration for existing entities. At each point along that journey, a fraud solution that identifies and helps separate safe from risky interactions can be used to effectively mitigate fraud and reduce chargebacks, ensuring genuine consumers receive the efficient services they deserve.
When suspicious activity is identified through digital insights or an identity cannot be verified, minimal step-up challenges can be implemented. As an example, you can request knowledge-based authentication or authenticate a user’s identity via a one-time passcode (OTP) sent as a text message to a mobile device.
Unfortunately, it’s relatively simple for fraudsters to hijack one-time passcodes via SIM swap, call forwarding or unauthorized number reassignments. To help ensure one-time passcodes are delivered to constituents and not fraudsters, one may leverage authoritative phone data from direct carrier relationships to promote a higher degree of trust regarding phone ownership when using OTPs.
If a user’s identity still cannot be authenticated, document verification is a natural progression to help securely and accurately validate constituent-provided data, and reduce the risk of fraud from stolen or synthetic identities.
By orchestrating identity, device reputation and device insights, fraud solutions can enable trust between business registrars, their states and constituents. The results include: continued, seamless experiences for good constituents; a reduction in fraudulent registrations and fraud losses; fewer investigative resources and cycles spent fighting fraud; and enhanced, friction-right constituent experiences across channels.
Learn more about TransUnion fraud and identity solutions.