What are the most common ways consumer identities and credentials are compromised?

Identity fraud is often a two-part process. Identity theft occurs when consumer identities become compromised in data breaches or through consumer scams. Fraud attacks occur when those identities are then used to attack organizations by creating accounts to steal money or other items of value. It also occurs when consumer credentials are used to access existing customer accounts for financial gain. There are many different types of identity theft scams. Some of the most common examples include:

• Phishing occurs when an email or message that appears to be from a legitimate source, such as a bank or a social media site, tricks the recipient into providing sensitive information like passwords or credit card numbers.

• Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies to induce individuals to reveal personal information like passwords or credit card numbers.
• Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.
• Quishing is the fraudulent use of malicious QR codes to trick victims into visiting fraudulent websites, downloading malware or revealing sensitive information like login credentials or financial data. 
• Malware is malicious software designed to gain unauthorized access to a device or network, steal sensitive information or cause damage to the system.
• Online scams are fraudulent schemes, including online auctions or investment scams, that trick victims into signing up and paying for goods or services they’ll never receive.

• Business email compromise (BEC) is a type of phishing scam that targets businesses by posing as a legitimate supplier or executive and requesting funds be transferred to a fraudulent account.

• SIM swap (also known as SIM splitting, SIM jacking or SIM hijacking) is a technique used by fraudsters to obtain someone’s phone number. With that in hand, hackers can take advantage of two-factor authentication to gain access to bank accounts, social media accounts and more.

Identity fraud can be both broad, impacting all organizations, as well as unique to specific industries. 

1. New account fraud occurs when a fraudster uses stolen or fabricated personal information to open new accounts. This type of fraud often targets financial institutions, with fraudsters opening bank accounts, credit cards or loan applications. They exploit these accounts for financial gain before the victim becomes aware of the activity.
2. Account takeover (ATO) fraud involves a fraudster gaining unauthorized access to an existing account. Once they have control, they can change account details, make unauthorized transactions and lock out the rightful owner. This type of fraud is particularly damaging as it often goes undetected until significant losses have occurred. ATO fraud detection requires robust identity verification tools and continuous monitoring.
3. Synthetic identity fraud entails a fake identity being created by combining real and fictitious information. For example, fraudsters may use a real Social Security number (often stolen from a minor or deceased person) along with a fake name and birthdate to create a new identity. This synthetic identity is used to build a credit history, eventually leading to fraudulent loans and transactions. Synthetic fraud is challenging to detect as it involves valid data points mixed with fabricated information.
4. Credit card fraud is a form of identity theft that involves the unauthorized use of another individual’s credit card for the purpose of purchasing goods, services or cash advance. This includes “friendly fraud,” where a person’s family member uses their credit card without prior authorization. 
5. Card-not-present (CNP) fraud happens when a fraudster uses stolen credit card information to make online purchases where the physical card is not required. This type of fraud is prevalent in ecommerce and can result in significant financial losses for businesses due to chargebacks and lost merchandise.
6. Tax refund fraud takes place when fraudsters file false tax returns using stolen personal information to claim refunds. Victims often don’t realize their identities have been stolen until they attempt to file their legitimate tax returns. This fraud type highlights the importance of secure identity authentication methods.
7. Government benefit and service fraud occurs when an individual or business entity submits false information (in the form of an application, claim or tax return) to secure financial gain from a government agency program, including: unemployment insurance, medical insurance, Social Security, student loans, business loans or grants, temporary relief programs and social welfare benefits (food or housing).
8. Medical identity theft takes place when fraudsters use someone else's personal information to obtain medical services or insurance benefits. This can lead to inaccurate medical records and significant financial and legal consequences for victims. Protecting medical data with strong identity verification measures is essential to prevent this type of fraud.
9. Payment fraud is the unauthorized use of payment methods, such as credit cards or bank account details, to make purchases or transfer funds without the account holder’s consent.
10. Shipping fraud happens when fraudsters exploit the shipping process to receive goods without paying or intercept deliveries. Tactics include using stolen credit card information to order goods and shipping them to an alternate address or rerouting shipments to different locations.
11. Promotion abuse occurs when individuals or organized groups exploit promotional campaigns, discounts or loyalty programs using false or stolen identities to take advantage of these offers multiple times — or in other ways not permitted by the promotional rules.
12. Bonus abuse involves individuals exploiting bonuses offered by companies, typically in online gaming or gambling. Fraudsters create multiple accounts to claim sign-up bonuses or unfairly manipulate gameplay to maximize rewards.
13. Gold farming is the practice of intensively playing a multiplayer online game to acquire in-game virtual currency or other valuable items used in the game — to then be sold to other players for real money.
14. Money mules are people who, at someone else's direction, receive and move money obtained from victims of fraud. Some money mules are aware they’ve been recruited to assist in criminal activity. Knowingly moving money for illegal activities can lead to serious consequences, including criminal charges.
15. Profile misrepresentation is the creation of false or misleading profiles (for example, using fake photos, fabricated personal information or false credentials), often on social media or dating sites, to deceive others.
16. Policy violation is a breach of the terms and conditions of a service provider or platform. This can include using bots to enable or engage in fraudulent activities.

17.      Third-party seller scams occur when bad actors use an ecommerce third-party marketplace to collect payment for merchandise they never intend to ship. These types of fraud can lead to chargebacks and loss of brand reputation in communities and platforms.

Identity fraud inflicts significant financial losses on consumers and businesses each year. Identity fraud currently results in $22.8 billion of annual losses worldwide. For businesses, particularly in the financial sector, these losses aren’t just limited to immediate financial outlays to cover fraudulent transactions. They also include substantial investments in strengthening security protocols, legal fees and even potential fines for compliance failures. Worse still, repercussions extend beyond immediate financial damage to include influence over credit scores, consumer trust and long-term business reputation. 

• Customer experience: Many organizations introduce stringent identity verification processes in an effort to better prevent fraud, but this can introduce friction into the customer experience. Customers are required to undergo multiple steps during account creation, login or transactions, which can be time-consuming and lead to frustration, especially if the process is perceived as overly complicated. Possibly more damaging is the frustration from false positives — legitimate transactions incorrectly flagged as fraudulent as the result of very high-risk thresholds. False positives present risk to current business but may also impact future business and a brand’s reputation. 

• Direct financial losses: Companies face direct losses when fraudsters successfully access credit lines, drain accounts or make unauthorized purchases. Direct financial losses due to fraud can be substantial: an average loss of 6.5% of revenue equivalent or USD$359 billion, according to business leaders surveyed by TransUnion.

• Impact on consumers: For individuals, the consequences of identity fraud extend beyond unauthorized financial transactions. Victims may face long-term credit damage, making it difficult to obtain loans, secure housing or even gain employment. The process of restoring one's identity and credit status is not only cumbersome but also emotionally taxing, often leading to significant stress and anxiety. Victims of identity theft often experience a loss of trust in digital transactions, becoming hesitant to engage with online platforms. This reluctance can lead to reduced customer engagement and loyalty, impacting revenue streams of businesses.

• Increased security and compliance costs: In response to fraud incidents, companies typically increase their spending on security technologies and systems. This includes investments in more advanced identity verification tools, secure data storage solutions and enhanced encryption practices. Additionally, as regulatory bodies tighten data protection and privacy laws, compliance costs also rise significantly to meet these new standards.

• Operational disruption: Following a fraud incident, companies often need to divert resources to investigate, update security measures and handle customer concerns. This diversion can lead to operational inefficiencies and increased costs in workforce allocation and technological updates.

• Reputational damage: Beyond the immediate financial and operational impacts, identity fraud can severely damage a company’s reputation. A single incident can lead to loss of customer trust — which is difficult and expensive to rebuild. This reputational damage can have long-term effects on customer retention and acquisition, influencing a company's market position and ultimately, its financial health.

Measurement is critical in the evaluation of fraud prevention performance and identify trends to fine-tune systems as necessary to maximize sales and combat criminal activity. It’s important to measure and monitor important fraud metrics, including:

• False positive rates: Percentage of times a legitimate transaction is flagged as fraudulent
• False negative rates: Percentage of times a fraudulent transaction is passed as legitimate
• Fraud occurrences: Number of times fraud occurs
• Fraud losses: Dollar value of merchandise lost for each case of fraud
• Abandonment losses: Dollar value of abandoned transactions due to false positives
• Manual review costs: Time and resources used to investigate and respond to potential fraud cases, including step-up verification or authentication of risky transactions
• Fraud investigation costs: Time and resources used to investigate each case of fraud 

Organizations managing a high volume of digital transactions should implement a robust identity verification process as a critical component of combating identity fraud. Identity verification helps ensure individuals are who they claim to be. A more effective way to implement identity verification is to adopt a multilayered approach which may include:

• Identity verification: This involves using technology to better confirm an individual’s identity through authoritative database cross-references, document verification, device reputation and digital authentication. These methods help ensure a person is who they claim to be, reducing the risk of fraud.

• Biometric identity verification: Utilizing unique physical characteristics like fingerprints, facial recognition or iris scans, biometric verification adds a layer of security that’s difficult to replicate, better ensuring the authenticity of the user.
• Device intelligence: This process is used to authenticate and help verify the identity of a device being used to access an online service or perform a transaction. Device intelligence helps ensure the device itself is recognized, trusted and not associated with fraudulent activities.

• Document-centric identity proofing: This method verifies the authenticity of government-issued IDs and other documents using technologies like optical character recognition (OCR) and hologram detection to ensure integrity.

• Multi-factor authentication (MFA): Requiring multiple forms of identification, such as passwords, one-time passcodes (OTP), security tokens and biometrics, MFA enhances security by adding layers of verification, making it harder for fraudsters to gain unauthorized access.

• Identity risk modeling: This approach employs predictive models to assess and score the efficacy of an identity or its potential for future damaging behavior. This should be done at critical decision points throughout the consumer journey, such as account creation; during an application for a service, benefit or claim; or for high-value transactions.

• Continuous monitoring and behavioral analysis: Identity verification is an ongoing process. Continuous monitoring of user behavior and transaction history helps detect anomalies that may indicate fraud, enabling quicker responses to potential threats.

To combat increasingly sophisticated identity fraud, there are some important fraud detection techniques every organization should consider. Most importantly, you must deliver seamless user experiences — speeding up transactions for legitimate consumers with a multifaceted view of identity, device and behavior. Some common fraud detection techniques include: 

• Digital risk assessment for new users: Use device-based risk models to help ensure devices being used by unknown shoppers belong to them and aren’t associated with known fraud or fraud rings. Help verify identities at appropriate points in the customer journey using phone, email, device or document verification, especially if users are setting up accounts.
• Authenticate customers in every channel: Establish a framework of trust. Help ensure smoother, omnichannel customer experiences by better authenticating accounts across all touchpoints, including website, mobile app, contact center and in person with device-based authentication tools.
• Monitor account changes: Help identify suspicious account changes or behavior that may indicate potential account takeover or fraudulent accounts, including bill-to-address and ship-to locations. Better protect your customers with multi-factor authentication and step-up authentication protocols for critical account changes.
• Ensure transaction legitimacy: Test device, account and customer information during transaction processing, and monitor for association changes and other suspicious behavior that may indicate potential fraud (including within existing accounts). For example, for ecommerce, compare names and ensure the payment instrument belongs to the account owner. Use email, phone number, shipping address and device reputation services to determine if additional authentication steps are needed before completing transactions.