Skip to main content

TransUnion Live – 2023 State of Omnichannel Fraud

Digital fraud volume growth of 80%; 83% increase in US data breaches; and a synthetic fraud record. For these and other key trends, along with effective strategies for enabling trusted commerce across channels, watch this recorded TransUnion Live on LinkedIn episode. And for even more valuable takeaways, download the TransUnion 2023 State of Omnichannel Fraud Report.  

Full Transcript Below

Andrew Goss:

Welcome everyone to TransUnion live on LinkedIn. I'm TransUnion [inaudible 00:00:06] joined by my esteemed colleagues, Jim Van Dyke, Jason Lord, Lance Hood, Leslie Deniken, and last but not least, Richard Tsai, thanks so much for joining me, everyone. Well, we're here to talk about the 2023 State of Omnichannel Fraud Study that TransUnion recently released. But before we get to that conversation, just a quick housekeeping item. Wanted to let everyone know if you have a comment related or a question related to today's conversation, please put it in the comment area and we'll do our best. If we can address that question, get back to you today. Or if we can't get to it today, we'll do our best to get back it to you later on. So let's start the conversation now. Let's start first with Jason. Let's get to you and talk about the digital fraud findings in the study. Can you discuss a little bit about some of those key findings and how might businesses address some of those things?

Jason Lord:

Absolutely. Thank you, Andrew. So by this point, we're all pretty used to the idea that interactions have become more and more anonymous. And what I mean by that is more transactions and more customer support interactions are happening online and through the call center instead of in person and more so than ever before. And yes, that's partially the result of the pandemic. But the pandemic only accelerated a trend that was already very much in place and fraudsters gravitate to where the action is happening and where the greatest points of weakness are. And right now that's online and in the call center. In fact, the total volume of fraud has increased 80% between 2019 and 2022. And we're talking all kinds of fraud. Everything from account takeover fraud to mobile fraud to call center fraud, synthetic fraud, every version of it. There's increases across the board. So if there's anything that has changed, it's that fraudsters are becoming more omnichannel.

So in the past, we tended to think of fraud as just a one-off activity. Maybe it's a sim swap here or a stolen password there. They get in, they get out. But fraudsters are smart and they're adaptive, and they realize that the greatest opportunity is the fact that many organizations don't have a holistic view of risk identity. They can't tell that the same person who socially engineered the contact center agent is now the same one that they just sent a one-time passcode to, and is the same one now logging into the website to send a wire transfer. And so fraudsters jump from channel to channel and they pick up little bits of information and they poke at the vulnerabilities across the channels. In fact, now over 60% of fraud starts in the call center before migrating to offline and digital channels. So as we look across all the industries, 4.6%, almost 5% of all digital transactions were potentially fraudulent in 2022 based on the data that we have.

So by itself, that's a huge number. But for many industries, the greatest risk to their bottom line isn't actually the fraud itself. It's what happens when they try to prevent the fraud. That same increase in anonymous interactions digitally and in the call center has also contributed directly to a rise in false positives, a rise in manual reviews, a rise in call handle times, and all of this means an increase in operational expenses, lower conversion rates, and a degraded consumer experience. So fraud is still very much an issue, absolutely. And you'll be hearing some of my colleagues talk more about the specific types of fraud they're seeing and what's causing those fraud types to increase. But equally important is how we are able to separate the safe interactions from the risky ones so that we're not treating our loyal customers like potential fraudsters to the detriment of our business.

Andrew Goss:

Thanks, Jason. I don't know how deeply you can go into some of this, but in this study we looked at fraud digitally in certain industries. Were there any certain industries that stuck out? Anything you want to touch on there?

Jason Lord:

Yeah. So you may not suspect that the highest hit industries in terms of rate are not the ones that we wouldn't normally think of. Maybe financial institutions or healthcare. They're actually some of the more niche like gaming and gambling and video games. And part of that too is because the rise of, again, post pandemic, a lot of activity happening in those sectors. Also, not coincidentally, a lot of younger individuals using those particular sectors. And so they're more vulnerable and at risk. And we've also found that in those individual sectors, let's say use gaming as an example, the fraudsters may be trying to use the vulnerabilities and get at the younger individuals, not because they are the ones who are holding the high value assets, but because they're part of the same IP that their parents are. And so it's an entry into fraud that they can then commit account taker fraud for the individuals holding the high volume assets.

Andrew Goss:

Interesting. And I think when you referred to gaming there, I think you were talking about video gaming and not what a lot of folks would think of as gambling. Is that correct?

Jason Lord:

Right. Those are two separate sectors, but both of them are actually the highest hit in terms of fraud trends according to our 2022 report.

Andrew Goss:

Interesting. Okay. Well, let's not let you take up all the time here, Jason. We have plenty of other people to get to. So I guess when you think of fraud, it generally originates from the credentials that are obtained in a data breach. And we have someone here today, Jim Van Dyke, who is extremely familiar with data breaches through his work, both at TransUnion and with other organizations. So Jim, when it comes to data breaches, what did we find in this study? And again, how can businesses put some of this information to use? I think you're on mute, Jim.

It always happens.

Jim Van Dyke:

Apologies for that. Yeah, yeah, Andrew, you're right about what I call a two crime nature of identity theft and fraud. In almost every case, there's two separate criminal acts, often by two different actors. And one is compromising the data, as you said, it's often a breach. And we have this holistic database of all US publicly reported breaches. We're seeing some fascinating trends in that. And of course, we know that criminals are always shape shifting in their methods. So what we're seeing is really interesting and scary trend is that criminals as often happens, they find a new method and then they just leverage the heck out of it until new defenses are put up. And this new method that they're exploiting are what we call third party breaches. So that's where increasingly organizations, especially mid-size and smaller, rely on third party vendors to process data for them.

So unfortunately, you're getting these third party breaches in the sectors that rely on these third-party service provider relationships the most. Number one, healthcare. Number two, education, especially K through 12. Where they're underfunded, they don't have a lot of operational resource or excellence and in some cases, and so hackers have figured it out. So the startling statistics here is over the prior year, there is a 3x increase in these third party breaches. So to now half of all breaches, I'm sorry, are occurring through these third party vendors. And so criminals, they're not hacking at the primary organization. They're not hacking the hospital or the physician's office or the educational institution. They're hacking the third party organization that primary organization relies on to process this data. And what's also happening over time is that they're successful in getting more data. They're finding targets where they can get more data from, and that's causing what we call our breach risk score. Think of that as the Richter scale of data breaches, like works on a one to 10 and a higher is worse. The average breach risk score of these third party breaches arising, which all means they're more likely to cause fraud, and they're more of these breaches, they're more likely to cause fraud.

Richard Tsai:

I want to jump in there.

Andrew Goss:

[inaudible 00:08:57], Jim.

Richard Tsai:

Oh, sorry.

Andrew Goss:

Yeah, go ahead Richard.

Richard Tsai:

I want to jump in on that comment of more likely to cause fraud. One thing I want the audience to actually be aware is that there is an economy for fraud. And this is sort of the starting point. Data breaches are really a starting point that builds up a pipeline for future fraud attacks. And so I think it's really interesting, Jim mentioned that the top two targets are healthcare and education. And one of the things that I try to stress a lot about in is that if you hear healthcare and education, it doesn't mean that if you're in a different industry that you are safe. That's actually not the point at all. It's actually the opposite. Anytime that there is a breach in any industry, they have in a way, it's the weakest link collectively in all industries, we're going to suffer because those are the identity attributes that are out there. That's the starting point that criminal organizations use in order to collect the identity to really start attacking consumers and attacking businesses.

Jason Lord:

In many ways, it's a legging indicator, right? The increase in breaches now means the tools are being accumulated, the personal information that will later be used to create a tax, either through account takeover, account origination, or synthetic fraud.

Leslie Deniken:

And I should mention that the target in many of these, and that's why they're targeting education in healthcare organizations, is children's social security numbers because those cannot be detected until somebody turns 18 because that's when you're allowed to open your own credit account.

Andrew Goss:

Yeah, interesting, Leslie. We might want to get back to that a little bit more when we get to synthetic fraud. I know that certainly has an influence there. I guess let's switch directions here. And Jason talked a little bit about call center fraud. So I'll turn over to Lance here. And we all know fraudsters don't know any boundaries, right? There isn't one specific channel they go after, they'll test everything, right? So what did we document, Lance, when it came to call center fraud landscape? And again, business implications, what can businesses be doing?

Lance Hood:

Yeah, absolutely. And I think Jason hit a key one, which was how frequently the call center is the origination of an actual account takeover. And even beyond that, while they may not be the origin of it, they're often a source of how fraudsters do research. So when Jim was talking about this increase in the amount of data breaches that is taking place with third parties, that data ends up finding its way to the fraudster as the answers to a lot of knowledge-based authentication questions, which unfortunately is still the primary mechanism by which in call centers, that we seek to identify people, despite the fact that every year, as Jim indicated, just gets easier and easier to answer those questions. So in essence, with all of the data breaches as well as by the way, the proclivity of people to put a lot of personal information in their social media sites and make that available to the public, it becomes easier and easier every year to answer questions.

So naturally, one of the things that we look at is, well, how do we protect accounts if knowledge is no longer really predictive of identity? And historically, if you were to look at that, a lot of organizations have tried to examine how phone calls are made into their organization because fraudsters, like any other criminal, they want to be anonymous and untraceable. You rob a bank, you wear a mask, take the license plate off your car, and that's basically the game. And the same is true if you're going to try to commit fraud in a call center, you want to be anonymous and untraceable.

So four or five years ago, what we would see is that the vast majority of successful fraud was committed using spoofing tools where you could pretend to be calling from a number you really weren't calling from, and ideally you'd call from a number of an actual customer. What we've been seeing more and more over the last couple of years as organizations deploy tools to try to look for spoofing attacks is that fraudsters are using what I'll call virtual calling apps more and more that are not detected at all by these spoofing tools. And a virtual calling app is something you might be familiar with Skype or Google Voice for example.

These are tools that you can subscribe to and you can use them on any kind of device. Unfortunately, there are a lot of niche-y tools that the fraudsters prefer, not necessarily Google and Microsoft for these kind of attacks where the registration requirements are either non-existent or very late. So they can get access to these tools, they can pick the phone number they want to call from, and then they can start their attacks. And then once they've started those attacks, they can start to research and figure out what questions they need to answer in order to pass a knowledge based authentication process. And using the data they can acquire from all the data hacks, they can complete that loop. So I think the biggest trend we're seeing is new types of tools are being used. There's still too much reliance on, I think knowledge-based authentication techniques across a variety of different industries. We need to move to harder approaches that use device-based authentication mechanisms, for example.

Jim Van Dyke:

If I could just add onto that too, what's fascinating about looking at what happens in call centers and other forms of social engineering, which could even be the consumers themselves, and I think businesses or government entities, that could be the place where identity fraud happens, need to assume total responsibility for stopping fraud. But the fact is you can't take the consumer out of the equation in many cases. You want to just consider the consumer like a tool or an ally, you can empower.

My point that building off the call center discussion is that if you look at even the worst data breaches that are out there, like the ones that score a 10 in our breach risk score, and then you compare the data that were exposed, any of those really bad breaches to what any fraud prevention leader will tell you is generally required to conduct any form of fraud, like new credit, new deposit, IRS refund, existing account takeover, whatever. You almost never get a hundred percent of the data exposed in any breach that's required to commit those crimes. And you have the crimes are happening. So how does it happen? Well, call center or spoofing, that's one of the key answers. And that's where people go, "Well, I've got 80% of the dossier, if you will, that's needed on any one identity fraud victim. Now I need to get that other 20%. Where do I go?" It's call center. It's social engineering, the victim themselves through a phone scam or what have you.

Lance Hood:

Yeah, and I'll just add on, sometimes we do things that make it even easier for the fraudster. So there are organizations that'll play a customized greeting if you call from a number that belongs to a customer that's in the CRM. But that basically, if you can look and get that customized greeting, then that number belongs to a customer. And then you can go offline and find out who owns that phone number. And now I can start doing my research to line up that dossier. And in the sense organizations, by playing these customized greetings to every caller are helping the fraudster identify the victims that they're going to go after. And so really, it's really appropriate if you're going to play a customized greeting, check the nature of that phone call first and make sure that it's not a suspicious call, but a legitimate call before you start playing custom greetings. It all kind of fits together in terms of identifying who the customer is and then building out that portfolio and then coming back to use it.

Richard Tsai:

One of the things I want to add is from a personal perspective as a consumer, if I put my consumer hat on, this is the one area where it comes to the call center that frustrates me the most because I know the tools are out there to make the experience much better for a consumer. So for example, I know for myself, I rarely make phone calls. I don't like making phone calls. I like to get everything answered. \.

So when I actually do need some service and I can't get it in any other channel, that's when I'll actually call into a businesses call center for travel, for shopping, whatever it is. And the most frustrating thing to me is one, getting to the IVR. I know they're great from a cost perspective, but I hate that experience. And then finally when I actually reach an agent, they usually pass me on to another agent or they pass me on to another agent. All I really want is a human, but I have to go through these re-authentication steps over and over and over again and it just destroys the experience that I have with it. And next thing I know, I'm on the phone for half an hour to an hour for something that should have just taken five minutes.

Lance Hood:

Yeah, the irony that a lot of the stronger authentication tools, whether it's the device you're calling from or some biometrics are actually more seamless for the customers once they've subscribed to these than going through an interrogation process. And I would also add for a call center, you have to keep you in mind, it's also very frustrating for agents. Agents got into the business of being call centers to help people not to be detectives interrogating them. So it's a real conflict in just the job satisfaction, which is one of the reasons there's a lot of turnover in call centers.

Jason Lord:

Well, and that's a great point, Lance. Because when we look at why fraud is gravitating toward the contact center, we need to keep in mind that contact center agents are not fraud prevention agents. They're actually designed to help people as much as possible. So when fraudsters are looking, where is the vulnerability? Well, socially engineering people who are designed to help of course over time is going to be more successful. And that means if you let the fraudster get into the IVR or talk to the agent, whether or not they commit fraud at the time you've already lost because they're already exploiting any vulnerability they can. You have to prevent the fraudster from ever getting to the IVR agent. That has to happen pre-answer.

Andrew Goss:

And this actually brings up when we started, right, Lance, talking about these non-traditional channels. One thing that when I was reading the report that I found, right, 3% of the total call volume came from this non-fixed VoIP channel, but 62% of all high risk calls came from it. So that was one stat that jumped out at me and you certainly spoke to. And then when we were talking about these social engineering, AI, deep fake, that's been a lot of the talk lately. Is there anything more to talk about in that area? We already talked a lot about social engineering, but I'd love to hear a little bit about that from anyone here.

Jason Lord:

So I'll start and feel free to weigh in. AI is of course changing the game all over again, and one of the things we've been hearing about is using deep fake voices as a way of getting around voice biometrics. Voice biometrics, any form of authentication is good in of itself, but by itself is very dangerous. So if your primary way of understanding whether a consumer is who they claim to be has vulnerability, because now AI can fake that voice, well, sorry, you're back to square one again, which is why we always, always recommend a multi-layered strategy. It's similar to a lock on a front door is good, but if it's the only way you're protecting your bank, you're in big trouble. It's the same with your call center. It's the same with your digital sectors. You need a multi-layered approach.

Lance Hood:

And I would just add on to that, I think when we talk about sort of biometrics voices, the FTC released kind of a warning letter I guess I would call it this week, just noting the significant privacy implications of organizations storing these digital representations of biometrics. And in addition to that, I think there are close to a dozen different states now creating biometric laws so that the investment and in biometrics as an authenticator or risk detection mechanism is going to get more significant. You're going to have to be more diligent if use these technologies. So just adding that into the equation that there is this contest between almost the biometric vendors, AI versus now the fraudsters use of artificial intelligence. And there's a race going on now that really didn't exist 18 months ago.

Andrew Goss:

Great. Good conversation. And certainly something that is bubbling up a lot here. We started talking to Lance about one specific channel certainly has implications across channels. What TransUnion does in the synthetic fraud area, right? We've been tracking that a lot across channels. And Leslie, I'll turn to you and talk about what were some of the findings in the study and again, what businesses can do.

Leslie Deniken:

Sure, Andrew. And what's surprising is that of the five types of digital fraud that TransUnion tracked in this study, synthetic fraud was the one that rose the highest over the past few years. And what's even more shocking is the amount of debt that can be attributed to synthetic identities, $4.6 billion. That's basically the GDP of California. That includes credit cards, retail cards, auto loans, and consumer loans. And you ask the question, how can people protect against synthetic fraud? And the most important thing is to stop synthetics at the front door because once they get in your portfolio, it's extremely hard to get them out. How do you do that? Well, you use tools that can take a look at the identity elements that are supplied to you as a financial institution and make sure that they all belong to each other, not just checking each one separately, the SSN, the address, the phone number, the name, the date of birth.

But when you take a comprehensive view of all these identity elements and see if they actually belong to the same person, then that's where you can uncover the risk associated with all these identity elements. For example, multiple people using the same SSN or date of birth combination or somebody who's moved many times in the last six years or says that they've moved, those are suspicious risk patterns and anomalies. One of the biggest risks with synthetics is what we call bust out fraud, which is when an individual opens up multiple lines of credit, has a positive pay history, everything looks good. So they continue to open up additional lines of credit, but then within one and a half years to two years, they bust out. They default on all of them. And although this does happen with real identities, what we found is that synthetic identities actually have a much higher amount, five times amount of charge-offs than a real identity.

Jason Lord:

One of the things that is really interesting about synthetic identities is unlike other forms of fraud, it's sort of a Frankenstein of fraud, right? Because instead of impersonating an individual, what you're doing is you're taking, for instance, a child's social security number and maybe you're joining in with the mailing address or the personal information of an incarcerated individual and you're creating a whole new fake individual. And that fake individual might apply for a retail card, something that a very low bar to entry. And so then over time, there's slowly building credit, slowly building credit. Maybe after a while they get a debit card from a major retail bank and maybe they apply for a car loan and their credit line is growing bigger and bigger and bigger. And these fronts are very patient and they're building credit over time until at some point, maybe five years down the road, that's when they bust out, which as Leslie said, which means that they might spend hundreds of thousands of dollars at once and then get out before anyone can find them. And of course they can find them because that individual doesn't exist. And that's why synthetic fraud is such a big deal and why it's growing so greatly is because there's no one to track it back to.

Leslie Deniken:

And we're calling it what we think is a potential bubble that could burst because we see it getting bigger. So watching it, all of that debt that I mentioned, of all of those different types of credit that are out there that can be attributed to synthetic identities and if companies are not really trying to track that better, what's going to happen as it continues to grow?

Richard Tsai:

I think that's the big fear because that's my personal concern, is that criminal organizations have penetrated into our US financial infrastructure. They're there. We just might not necessarily see it or specific institutions might not see it, but they're in there and they are building up these accounts. They're synthetic, so they look real, but they're obviously fake. But if they're staying within the accounts, they're also behaving like real users or real consumers. And the reason they're able to stay in there for multiple years is that they're actively building up the credit in those accounts. And so when they can actually build it up, build it up, that's the real risk. They'll eventually use up all the balances that they have. And actually when you talk about that bust out, that's when they'll actually get the prize. But it's something that's slowly building. There is a concern that certain institutions may not be finding it, and by the time you find it's going to be a little bit late. But just imagine one institution and then multiplying it by the thousands of institutions that reside here in the country. It's not a small problem.

Andrew Goss:

Yeah. And we circled back to kids getting their identities stolen before they're 18 and how it fits into the whole synthetic fraud model. We actually have a viewer question, I'm not sure if we can answer this, but I'll try. I'll throw it out. How does a parent check to see if their kid's ID has been compromised prior to 18? Are there any tools that we can think of or et cetera? Throw it out there.

Jim Van Dyke:

I work a lot on the consumer facing side of fraud, including looking for early trends in breach data. That's such a challenging area because criminals love to access accounts of people who are less likely to be monitoring either because they haven't yet entered the active world of transacting and adulting, or they're transacting less like my 93-year-old mom and not on the internet or anything like that. You can try to check the dark web, but the reality is that dark web represents just a small fraction of all the breaches that are out there, and there are almost no breaches of SSNs or payment cards that ever hit the dark web. And so that is a good idea to do that.

If you've got access to someone who's monitoring the dark web, that's not a bad way. Like say, add somebody to your family plan if you're getting identity protection. A lot of times there are options just add people in that people haven't even looked at that they already have access to. We can expand their plan, but also if somebody has no reason, like a dependent child or an elderly adult or somebody else has no reason to be using credit, make sure you freeze their credit and in addition to expanding them to whatever protection plan you're already using. And lastly, a lot of the monitoring services that are out there aren't just monitoring credit. They're monitoring things like public records. And sadly, sometimes people will make major purchases take out a mortgage in the name of a young child because you had the record mash up that Frankenstein that was talked about. So monitor and block, however often you're able.

Leslie Deniken:

Another option is for parents to add their children if they're old enough and trust them as an authorized user to an account. So that establishes them in the credit database as themselves before it can be stolen.

Andrew Goss:

Interesting.

Lance Hood:

And not to be morbid, but what's interesting about taking the information from children is that the lack of awareness of that, right, which is really the root behind the question, the same kind of principle holds when people die. And we've had some interesting scenarios where people passed away, they're not monitoring their accounts anymore. A lot of organizations use phones as ways of sending onetime passcodes, and some fraudsters are able to swap or port those phone numbers to their own devices, which normally is something we would detect pretty quickly if your phone stops working. But you're not monitoring it if you've passed away. And so we've had several fraud scenarios that took advantage of that, and which I think highlights the importance of really looking at mobile devices that you're using for authentication and not relying completely on every one of your customers to be able to notice that they may have been compromised.

Jason Lord:

Yeah. And it points to a larger point, which is that it's good for consumers to be aware, it's good for consumers to protect themselves. We want to encourage that. At the end of the day, I personally really believe it's up to the businesses to protect themselves. You can't put the burden on the consumers, especially for situations like Lance describes, where there's literally no way to protect against it. You need to know before you send that one time passcode if that belongs to that consumer. There are tools and technologies that allow you to do that, but only if you invest in it.

Andrew Goss:

Okay, well, that's an interesting conversation there. And also from the same person, they also have a comment here, I'll just read part of it and then summarize the rest. I work as a fraud analyst in a retail setting. We get a lot of fraud that have IPs that come from out of the quote billing address area or IPs that are from mass locations. Are there tools that can address this at all to validate identity?

Do we have anything out there that we can talk about?

Jason Lord:

So I'll talk very broadly. So IP information is one of many sort of inputs into understanding the relationship between a device and identity, right? So I'm not sure if the interaction we're describing here is a person, for example, logging into a website to go make a purchase, but let's just assume that for the sake of conversation. So if a person is purporting to be from Bismarck, North Dakota, but their most recent browsing behavior suggests they're in Estonia, that's a mismatch. And it's one signal of many that might include other things like when the device was recently activated, whether SIM swap has occurred, whether it's a burner phone versus a long-term phone from a reliable network that can be used in combination to determine the risk. At no point would TransUnion, for instance, say, "This is definitely a fraudster." What we do say instead is that there's a combination of factors that make it more likely that this is something you should put additional friction against. It's really about separating safe interactions that you should allow to go through with less friction from risky interactions that we're not saying are fraudulent, but you just don't want to let them go through with the same amount of friction as you do the safe ones.

Richard Tsai:

[inaudible 00:33:29].

Andrew Goss:

Oh, Richard, do you want to say anything?

Richard Tsai:

Okay, just [inaudible 00:33:34], just echoing what Jason just actually said. The original question talked about basically the location of where that activity is actually coming from versus where their domiciled address is, which are common types of fraud checks that take place that are based on distance rules. That's one type. And Jason, I think you're expressing the many different things that you sort of have to bring together to really get a true view of what the actual risk is. And it's not just based on one thing, but there's a lot of different types of geolocation capabilities that are available that can be used to determine distance, but distance is only one signal and location is only one signal. There's a lot of different signals that are available that can be used to score the risk of some type of digital interaction that's happening between whatever that online application is connected to the user that it is actually talking to. It's a general [inaudible 00:34:37].

Jason Lord:

We recommend taking approach that when we talk about device proofing, device proofing is using a combination of the reputation of the device. Has the device been associated with fraud in the past? That's one. Two is what is the likelihood that the device belongs to that person based on the signals we have and the identity of data. And three, is the person interacting with the device in the way that a normal person would or the way a fraudster would. If they're filling in their name address in a normal cadence that suggests a regular sort of interaction. But if they're cutting and pasting that information or filling it out in a weird way where there's pauses where they're clearly looking for new information, that's another signal. And using those things in combination is a much safer approach that identifies more of the safe transactions while holding back on some of the risky transactions.

Jim Van Dyke:

I think one of the opportunities I'd like to add in as well is because I agree with what you said, Jason, about the place where fraud is threatening to occur. The bank, the merchant, the government tax agency, et cetera, it's their primary job and always will be and always should be to stop the fraud and to monitor the fraud to catch it at the earliest point. Having said that, consumers their motivation to be involved at least so far has never gone away. So I don't expect that it ever will go away. And they feel the most comfortable when they have just a healthy level of engagement, which is really about just having a great experience where they have visibility. And one of the things, just listening to the conversation about validating information, there's some information that's behind the scenes like IP address, no consumer ever wants to or should be involved in that.

But other kinds of information like the address and alternate phone number and other people from family who are users of the account who should be listed on the account like say a spouse or something like that, that needs to be updated and the service provider needs to make sure that they have an ongoing problem to educate the account holders on the full use of all available tools that they've already spent so much money on. And I say this because I think in most cases that isn't being done effectively. So two factor auth, alerts, card controls. Just complete information about where you're going, making it easy for someone to tell you they're traveling to a new location that is surprisingly absent at most providers. So there's a lot of opportunity there and desire.

Andrew Goss:

Got it. Okay. Well, I don't want to finish this conversation without getting to Richard because he poured through. Wow, Richard's already spoken up a bunch. But his area of expertise when it came to this study was really digging into a survey we conducted across thousands of consumers in 18 regions and countries globally. Richard, what were some of the key findings that really popped out of there? Yeah, so let's get to that part of the conversation.

Richard Tsai:

Okay. So I'll try to keep it short and sweet and try to keep this sort of summarized. But out of all the information we sort of scoured throughout of surveys that TransUnion has done, we have a lot of information that we can tell about consumer sentiment. And consumer sentiment is very clear when it comes to this discussion. What we're talking about is that users or consumers do care a lot about security and convenience. And so both those things are sort of almost very opposing requirements for businesses because to have really good security or have really good fraud controls, that generally means you're going to introduce a little bit of friction to some kind of consumer experience. And then on the other end, users care very much about convenience. And convenience usually means you want the least amount of experience possible. So you have this problem where businesses are trying to sell consumers have this type of thing, requirements going opposite directions.

And so it's a delicate calculus that businesses need to take in order to put the proper controls into place. So we can take a look at a few different types of online experiences to sort talk about that. So one way to look at it is if you have a consumer and they're trying to apply for a new bank account, or opening up a new account to do some shopping at site A, or you you're trying to get a quote for some new insurance that you want. In all these cases when you're trying to apply for something, the top three reasons that consumers have stated that they'll just give up on that process, they'll give up, they'll abandon the process altogether. Top three things, too much information is asked of them. They're very concerned about security, and the overall amount of time that it takes for that entire process.

So that tells you right there, those two things are a problem for where you have existing accounts or where you have your accounts to, again, could be a bank account, could be your Amazon account, whatever it is. The majority of consumers have stated that very high likelihood they would switch businesses if they did not enjoy the customer experience. If the user experience is poor, they're happy to go take their business elsewhere. And so the data says that the vast majority, the only demographic, and I'm talking about generational demographic that is not in the majority that says they'll switch, happens to be baby boomers. But baby boomers as we know I think are aged like 57 and up. It probably makes logical sense that they're the least to want to switch, but it's probably because they're probably the ones that the least that do most of their transactions online. But overwhelmingly, everyone's willing to switch.

And then for existing accounts, if you're going shopping, consumers will tend to abandon their shopping carts. And this is an interesting thing. This is one takeaway from the survey that I found really interesting. So you would think that if you're buying something you want to abandon your shopping cart, you would think it'd be price related. That's actually pretty low on the list. It's a little bit less than a third that abandon because of cost of goods. But abandonment will be high if there are high shipping costs, but shipping costs are at the top really followed alongside by fraud and security concerns or friction related to the payment processing that's happening. So payment processing, for example, you're trying to pay with your credit card, but then you get challenged, the consumer gets challenged, and consumers don't like that. They'll just decide, "I'm not going to complete this transaction, I'll just take my business elsewhere." So overall, that's some of the key highlights of what we see in the survey from consumer sentiment.

But one more thing that I would like to add to it is the concept of authentication. One of the things that we always focus on because businesses will have to do some kind of authentication, you have to determine who you're actually dealing with, especially in an online world. From an authentication perspective, super interesting point. Consumers actually like having authentication at the front door, like when you're going to enter into some kind of service you're connected to, users have no problem with having to log in and provide some method of authentication. In fact, users have said over 78%, which is an extremely high number on a survey, are absolutely okay at the front door to have a second factor authentication.

And it could be some of these authentication methods that we start to talk about in the biometrics that we talked about, or even one-time passcode. All of them are very acceptable as consumers. However, what consumers really do not like is once they log in, they do not want to be challenged again. They really dislike being challenged the second time because once they authenticate themselves and through their regular user journey, whatever it may be, if you're in your bank account trying to do something, you're trying to pay bills or if you're on a site and you've logged in, you're trying to complete your transaction. Users really dislike being challenged when it comes to the event they're trying to complete.

Jason Lord:

When we talk to organizations, a lot of them think about fraud and customer experience as opposite sides of the dimension, almost like a seesaw. And so it might seem like an oxymoron to say that fraud solutions can actually improve the customer experience. But I'm here to say it's a false dilemma because effective fraud prevention isn't just about finding more fraud, it's about finding more of the good customers and the good transactions and letting them through faster. And in fact, sometimes we talk organizations that say, "We're actually okay with the level of fraud we have. We're not trying to find incremental fraud." What they're trying to find is more of the greens, the good transactions. And as a result of working with the solutions that we offer, they will reduce manual reviews, which will make more applications go through. They'll reduce false positives, which means more completions. They'll improve the customer experience, which means more customer lifetime value. So I don't want us to think just in pure terms of fraud because fraud is important, but equally important is finding the good transactions in customers.

Richard Tsai:

And actually that's a super important point, finding the good transaction. Is finding the good transactions relies on having really good fraud detection that is highly accurate. Because having good fraud detection is what gives you the signals to indicate that, "Hey, we can make this a seamless experience. These are good transactions. You don't have to apply any additional friction." That's really the key is the intelligence that you have to be able to make a highly accurate fraud decision. And in order to really do that, to have a good fraud analysis is really backed. You need good data. You need good data. You need good intelligence on the identity that you're connecting to on the device that you're interacting with and about the history of what the behavior is in terms of what you're interacting with. So there's a combination of things that you really need in order to have really high accuracy in the fraud detection that you have. And that's what actually sets the stage for deciding what kind of treatment you're actually going to put in place where you're only applying some level of friction to which are essentially the risky interactions as opposed to the good ones.

Andrew Goss:

Well, interesting. I will never look at a seesaw the same. So thank you Jason. So I want to circle back to synthetic fraud. We had a really good question that came in through the comments, so I'll just read it back. And maybe Leslie, you can start off here. Related to accounts set up with synthetic IDs, as you mentioned, this is a significant problem across financial institutions. What are your thoughts around the risk of these accounts being used for mule activity?

Leslie Deniken:

So there have been a lot of reports of a lot of bank accounts being open using synthetic identities because it is easier to open a bank account than it is to get a consumer loan or open a credit card. And what many of these synthetics are doing is opening up multiple bank accounts, putting in only a few hundred dollars there just to establish it, not only to establish identity, but to use it for illicit purposes. And I'll give you several examples. For example, if you are in the market for a puppy or you're looking for a vacation home for a week or even for a rental, I've read about where the person advertises this and then you respond and they say, "Hey, I need a deposit a thousand dollars or $2,000. Here's my Venmo account or my Zelle account."

Which is of course attached to that mule account. And as soon as the person, the unsuspecting consumer does that and finds out that it was fraudulent that there is no puppy that they can buy, or the vacation home that was advertised actually belongs to somebody else, then it's too late. That account has been closed, the money is gone, and there's no way to trace that person because it was a synthetic identity. So yes, that has been an issue that has been in the news lately, and that's again why it's very important to be able to use some of the fraud detection tools that we have, especially for banks when opening these accounts to make sure that it is a real person and not a synthetic identity that can commit these types of fraud.

Richard Tsai:

And it's a big compliance issue, which should never pass KYC.

Andrew Goss:

Yeah. Okay. Well, unless there's anything else that our viewers, any questions they have or anything that our wonderful panelists want to share, I think it's time to up. I appreciate everyone for joining us today and appreciate all the panelists for joining us and sharing their insights. If we didn't get to your question today. We'll do our best to get back to you soon if we can answer that question. And for more insights around what we talked about today, you see the URL up on your screen, visit transunion.com/omnichannel-fraud-report. Appreciate everyone, have a great rest of your day, and thanks so much.

Leslie Deniken:

Thank you, Andrew.