06/26/2024
Watch our on-demand TransUnion Live on LinkedIn roundtable discussion where we shared insights and recommendations for implementing smarter, more effective fraud prevention strategies that build consumer trust. Don’t miss exploring more about these hot topics:
For more insights and trends you can use, download TransUnion’s 2024 State of Omnichannel Fraud Report.
Andrew Goss:
Welcome everybody to another episode of TransUnion Live on LinkedIn. I'm TransUnion's Andrew Goss and I'm joined by my esteemed colleagues, Leslie Deniken, Fernando Paredes, Richard Tsai, and last but not least, Jim Van Dyke. Welcome everyone.
Richard Tsai:
Hey, Andrew. Good to see you. Good to see you.
Andrew Goss:
Welcome everyone. Well, we're here today to discuss findings from our recently released 2024 State of Omnichannel Fraud study. But before we get started, I have a quick housekeeping note. I always start these conversations off with, we welcome your questions and the audience related to today's conversation. Just put them in the comments area you see on the screen. If they're applicable and we don't get to the questions right away, we'll do our best to circle back around with them afterwards. Now let's get started.
Richard, let's start with you. What did TransUnion recently document in regards to the digital fraud landscape around the study we just talked about and how might businesses approach these findings?
Richard Tsai:
Okay. Thanks for the question, Andrew. It's actually a pretty loaded question that you just asked. So let me start with this. Digital fraud rates are continuing to outpace growth in digital transaction volume. So what do I mean by digital when I say that? So when we talk about digital, let's think about comparing back to the time of the pandemic and the pandemic now over. The pandemic really accelerated everything going online. So when we talk about digital here, and when we're saying digital, we're really talking about any activity that happens online. So digital through your smartphone, through a mobile app, digital from the standpoint of, hey, if you're accessing something online by going through a web browser, that's what we mean by digital and that's what we mean by digital fraud. So digital fraud, even while the volume is increasing for any type of transactional activity, what we're seeing is that the digital fraud rate is actually outpacing the volume.
So we know that volume has gone up, but digital fraud has actually gone up faster than the actual volume. That's what we mean. So there's probably three things I would drill into here when we talk about digital fraud. The first is really about where it happens in a consumer journey. So we generally think about consumer journey is the account creation stage is the riskiest. That's the first thing I would talk about. The second thing I would talk about is how account takeover on existing accounts continues to be a big problem. And then the third thing I would probably talk about is the variation in digital fraud, there's variation, and it's different by industry and I probably just would say something a little bit about retail having the highest rate of digital fraud. So I'll talk about those three things and I won't try to suck up too much of the airtime, but you asked a pretty big question.
So I have to define digital fraud first. Okay, so let's talk a little bit about account creation. So when I say account creation, I mean for businesses, for anyone that's doing business, you're trying to establish a relationship with some type of consumer. So that's what you want. You want to establish that. That's showing what we call the account creation phase. So it could be called account creation, it could be called account signups, it could be called account opening and financial services. Basically it's at the point in time where you're actually establishing a relationship with the consumer. And what we found in the TransUnion network and the report that we published is that that is the riskiest stage. So there's that versus the existing customer. And it makes sense if you think about it because at this point in time you're establishing a new relationship with someone, you don't really know anything about them.
So it's actually in one way that's not really that surprising. But unless you really look at the data, you'll realize like, wow, there's a lot more risk there. It generates a lot more alerts to say, hey, we need to look at this a little bit closer. There's a lot more scrutiny you have to put at the account creation stage. So when we look at it, we generally look at it from three phases along that journey. The first phase is that account creation stage. That's when you're establishing that new relationship. Someone's opening up some type of an account. Then the second thing is to really look at it like, hey, you have a customer. Now they have an account and there's really two places to look at there, which is one, when they first log in, when they log in because they have to access their product or service, and then it's everything after the login, which is, hey, now you're actually using the product or service that you signed up for.
So when we look at those three phases, account creation, 13.5%, that's a really high number and it's a lot higher than the other phases related to login and any type of transactional activity. So login is at 3.2%. Everything after that transactional activity, it's about 2.5%. That's what we see globally across our network. And so there's obviously differences across the globe and by industry, so regional industries that are going to have a little bit differences. But for the sake of this conversation, I'm just going to focus on those particular numbers. So there are some specific industries that are having much higher numbers when it comes to that account creation stage. So overall we said it was 13.5%, already that's a very high number, but we've got other industries globally that are showing very significant numbers of risk account creation in the retail space, almost 45%, in travel and leisure over 36%. In the space of video gaming that's well over 31%. Really high numbers.
So we can actually take that and look at how some industries who might actually do a little bit better. So the interesting thing is in financial services, they're doing a lot better than that and they're doing it at account creation, at the suspected fraud and risk there is at 3.9%. Now that sounds like it could be a low number, but that's still automatically too high. So a lot of these industries I think can actually borrow and learn from financial services. Of course, it's going to be different though because in other industries that's not financial services. You don't really necessarily have the same type of scrutiny, there's not the same type of regulations like KYC or KYB regulations that exist there, but there are things that other industries can learn from there and do things similarly without the same level of... Without such heavyweight types of systems from a fraud controls perspective.
So that's one thing, that's about account creation. The second thing I would probably go back to is I think it was talking about account takeover. So account takeover is what we saw is for digital fraud globally. For confirmed frauds, account takeover still manages to be the highest type of confirmed fraud. And account takeover can manifest in many different ways, and it's a larger number than that because we'll have a lot of folks in a network that actually mark it off as something else that's related potentially to credit card fraud, to some type of payment frauds or to something that happens. But as a general bucket, it's still listed at number one. So that's going to be a big problem. The other thing I would say about account takeovers for existing accounts and existing customers is that the fastest growing type of thing that we're seeing that's for confirmed frauds is that synthetic identity fraud is still inching up higher.
So I know we're probably going to talk a little bit more about, so I'll leave it there for now. And I think the third thing I wanted to talk about really quickly is going back to the industries, the industries that we just talked about, retailers, travel and leisure, video gaming, communication sectors, they're all experiencing digital frauds, but retail is experiencing at the highest rate. And so for overall digital fraud rates, retail's experiencing that at 8.7%. So year over year, that's over a 21% increase from the previous year. So it's continuing to grow. And so there's reasons for that happening. On the account creation side, it's not surprising because generally you can open up an account at a retailer or a merchant or some marketplace platform without a whole lot of verifying of who you are.
But I think the industries are trying to move in that direction. So it's generally going to be a little bit riskier when you have retailers that you're allowed to do transactions with just being at guest checkout, so you don't really need to set up an account. But I think the industry is starting to change there. And within retail also, besides that, the largest type of fraud I think that we're seeing there is promotion abuse. So there's quite a bit of promotion abuse in that area. So I'm being long with it here. I'm sorry for taking up so much air time. Go ahead.
Andrew Goss:
Yeah, no, I was just going to break that up before we get to what businesses can be doing here. To just let the audience know, I'm relatively familiar with this research and all the data that you're throwing out here is global in nature. It's based on transactions that TransUnion is seeing through its TruValidate platform everywhere, coming from every country in the world. So I just wanted to level set that. It puts businesses in quite a pickle in that sense that they're seeing transactions from everywhere. It's not just behavior in their country. So keep going. I just wanted to break things up and let the audience understand a little bit better in context.
Richard Tsai:
No, you're absolutely right, and it's certainly a challenge for businesses. So let's talk about what businesses can do and what their approach might be. So I don't want to get too prescriptive, so I'll keep it pretty simple. We do notice that there's a lot that happens at the account creation stage, and I think that's an area where a lot of industries can actually put a little bit more effort and scrutiny because there's a lot that you can do and to stop fraud that can happen downstream. You want to stop it at the front door. So I think there's a lot that can be done to look into integrating a little bit more into their identity proofing process, especially when a lot of industries are starting to move in that direction anyway. But when I talk about identity proofing, I also your traditional, I'm talking about identity proofing, which really incorporates, hey, you're going to be interacting with your customers.
They're going to be interacting with this or this laptop that they have in front of me. So it's digital, so you have to have some device proofing concepts as part of that process during the sign-up. So there's a lot of extremely great fraud risk signals that can be collected from that area that you can use throughout the entire consumer journey. Other areas to handle up there is like when you're doing that sign up, is to look at helping the customer sign up. If you're going to collect information, make it easy for them. So you have to do some type of secure or pre-fill, but really what you want is to have a lot of accuracy there to understand, do we have risk with this person, with this device that we're going to be interacting with? You want to give them a very easy experience, but it's only the real minority sessions that you really have.
Those are the only ones that you want to subject to a little bit more friction, a little bit more greater scrutiny. So that's the first one. And the second part is really about authentication strategies. You need to have really good authentication strategies. I may feel like a broken record here because I think I say it a lot so I'm sure the audience probably hears about this quite a bit too, but multi-factor authentication, that should be a default. But it's not just about having multi-factor authentication, you really need to have risk-based authentication. What I mean by that is that you should use signals, really strong signals to be able to know continuously the moment that you're having this interactive session that you're constantly looking at, is this device risky? Is this device I'm interacting with risky? So there's a lot of ways to look at that, but it's also known as risk-based authentication.
And then if you have MFA set up, you need to make sure that that second factor that you're using, that you're actually safely providing it. The most common form today is an SMS one-time passcode. So you have to make sure that's actually safe because it's also the place where fraudsters are very adept at performing adversary-in-the-middle attacks. So there's ways to protect against that, but that's one area to really focus on it. So you really just need to know who you're dealing with. So those are the two areas I would recommend identity proofing, focus on your authentication strategies.
Leslie Deniken:
And if I could add on the authentication, Richard, the first factor authentication could be seamless. So the consumer doesn't even know they're being authenticated, and that is the device risk that you're talking about and the background to show is this person actually associated with this account and had they used this device before? So very seamless because one of the other things that came about in this survey is consumers want to be authenticated, but they don't want hassle. So that solves that problem.
Richard Tsai:
Yeah, completely agree with you, Leslie.
Andrew Goss:
Well, that's great. Lots of great insights. Yes, it was a loaded question and I have more loaded questions for everyone, and I want to turn to Jim on this because the tip of the spear often in a lot of the fraud that we're talking about is where are the credentials being gotten for lack of good grammar there?
So let's turn to data breaches. What did TransUnion find in that recent study that I referenced before regarding data breaches and how might businesses address some of this?
Jim Van Dyke:
Yeah. Sure, Andrew. Thanks. Great to be a part of this. So I like to think of this ultimate problem we're trying to stop, which is fraud and identity fraud as a two-crime crime, which means there are two, generally two separate prosecutable offenses. They may be done by the same bad people, like the same cyber criminal, but often they are done by two separate ones that work in a form of a supply chain. So the first act is compromising the data because there's no way you can impersonate somebody else unless you have their data. And the second one is actually conducting the transaction, whether that's opening a fraudulent new account or account takeover like Richard was talking about. It's generally this one two punch. And then with scams, sometimes we add a third, but not to complicate it. So the trends that we're seeing in the first crime of compromising the data so people can essentially foil the FI's controls and make it impossible for the FI or the merchant or other organization to be able to tell if they're not dealing with the real McCoy, the real identity holder.
What's going on with breach trends? Well, there's a whole lot, and bear in mind, we're working with the largest set of data on breaches that have affected US citizens or residents. So we saw in last year that the overall volume of breaches jumped and may sound like the same message before, but there's some important nuance inside of that that we haven't been seeing before. So there are more breaches than ever before. The quantity of breaches reported to state attorneys general, so that's the official mechanism that kicks in was essentially 2,500 data breaches last year alone. But when you hear that, you might be thinking, well, then it's time for enterprises to really tighten up. If you're a financial institution, that's true because financial institutions bucked the overall trend that we're about to go to next, which is financial institutions had more primary breaches and this is the method that hackers used to rely on several years ago.
Where if you want data, identity holder data, then you go to an enterprise that conducts customer transactions and you just attack it any way you can to get that data. Well, and at financial institutions, that's what hackers had more success doing, going directly to the enterprise itself, the bank, the credit union, the issuer, insurer, whatever. But outside of financial institutions, given that most breaches don't occur at financial institutions, not by a long shot, they primarily occur at healthcare institutions, number one, and educational institutions, number two, and then of course any other sector of commerce or nonprofit or government. So outside of financial services, the big growing trend was that third-party vendors to the primary entity were breached at a much larger rate than the primary entity itself. So let me restate that because that could be confusing. So if you take a very typical example, which is a healthcare firm, could be a small physician's office or a big HMO, while those kinds of firms, healthcare firms are breached the most, the increase in breaches is all in these third parties. So for example, let's just say I'll just use fictitious name, Acme Healthcare.
Let's say they're contracting to third parties as they routinely do for billing, or it could even be like a marketing database or something else. Those third-party providers to the primary healthcare firm or secondarily an educational institution, that's where we're getting this massive spike. So hackers have figured out that the weak spot, the spot with the poorest defenses are third-party providers to number one, healthcare, number two, educational firms. Because enterprises have really cracked down on their own full-time permanent employees in making sure that they have the best security procedures in place, but they haven't done so as effectively with their third-party vendors. It's harder to enforce standards with people who don't work for you and aren't a part of your network. So that's the overall trend in breach volume and where it's coming from. Again, if you're an FI listening, it bucks the overall trend. If you're an FI, you need to focus more on your employees.
If you're not an FI, you need to focus more on your third-party relationships. But I want to talk about another vital trend, just a couple more before pausing, and that is breach risk severity. So a couple of things that we exclusively do is one, have this massive database of all breaches. It's 14 times as powerful as the dark web, much bigger, much more powerful. But we assign, you can think about it like an earthquake magnitude-like or hurricane magnitude-like score to every breach that comes out. It's expert systems AI, happens instantaneously. So it allows us to give every breach a one to 10 score, which is... I won't try to explain how that works here, but it's done consistently every time, of course. And some breaches are a 10, meaning they create the highest identity theft and fraud risk as well as certain kinds of risk, like some breaches create risk of new credit account fraud. That would require an SSN, for instance, versus new deposit account fraud that requires oftentimes many different identity credentials.
So what's going on with the breach risk severity? Well, it turns out that the average severity of a breach, in other words, the ability of any particular breach to enable identity theft or fraud in all its forms has skyrocketed as well. So just think of this as how much squeeze the lemon has, if you will, or how much power that breach has. Not just how many identity records were exposed, how many consumer identities were compromised, but how powerful the identity credentials were themselves. Like a breach that has an SSN or payment card data, it's much more readily usable in identity theft and fraud than say a name or a mother's maiden name or a previous address. So we saw this huge spike at 25% over historical levels in the breach risk score. And then in first quarter, which the study we're talking about, just I saw some interim results on that.
We saw a big spike in SSNs that were exposed where fully half of all data breaches included an SSN, and that's unheard of. So given the big sample size we have of breaches, 2,500 and all those are required to report to state AGs and federal AG, we know that this is a significant trend and consumers are targeting databases that have the most powerful juice, if you will, the SSNs, payment card data, and other sensitive records. And so what that means is since we're talking about fraud, breaches wouldn't really matter if the data wasn't misused.
So we can actually look to the volume of data by credential that was exposed and more significantly the type of data like SSNs and say, well, if we saw this big burst in not just quantity of breaches but breaches with an SSN, then it's like using the same model that people, that experts use when predicting damage from a tsunami when they've detected it a long ways away or even the weather. We can expect now in the future a big increase in fraudulent new credit account activity and tax refund fraud, and even those ATO crimes that require a full SSN where FIs rely on that. So lots of changes are going on in the breach data that contributes to the level and the pattern of future fraud behavior.
Andrew Goss:
Hey, Jim, quick. Yeah, I have a quick question around the breach risk score. So we talked about the increase in volume of third party breaches. Do we have a breakout of how from a breach risk score perspective, enterprise versus third party? And if not, it's fine, we can move on.
Jim Van Dyke:
Yeah, we do. So breach risk score and the average breach has a breach risk score, BRS we call it, of about four, and that's held pretty consistently over the last four years. It's just barely inching up, not really significantly. So the overall breach risk score is 4.1, but primary breaches were essentially flat in the breach risk score. But I mentioned earlier that the quantity of third party breaches are up significantly, but I'm glad you asked because this concentration power or breach risk score of third party breaches, that's where all the increase is. In the past they were weaker in risk, third party breaches were than primary breaches. I mean, that's historically been the case with primary breaches typically being about four in average score and third party breaches were in the threes and even a few years back in the twos.
And that makes sense when you think about it because if you're in my fictitious example, Acme Healthcare, you're probably only letting third party vendors have the absolute data that they need to do billing or marketing, right? Because if breach happens, you don't want to let any extraneous data be out there. But what hackers have figured out how to do is get at just the third party vendors and pools of data that have the most concentrated data. So third party breaches for the first time ever had a higher breach risk score than primary breaches. That's something we haven't seen before. And what that tells me is that hackers know exactly what databases they want to go for when they're doing their hacking or other activity to get the data, to get their hands on data they shouldn't have.
Richard Tsai:
I was going to add that as a fraud practitioner, the data points that you're bringing up is highlighting that future fraud attacks are going to continue to happen. It's going to happen for a long time because really anything you talk about from an industry perspective, whether it's healthcare, education, it just says, it goes back to the old adage of we're only as strong as our weakest link. These guys are the weakest link. It's going to cause a problem, it's going to cause a problem for everyone. Everyone gets hurt by this.
And I like what you said about... I like the term two-crime crime. I hadn't heard that before, but I like two-crime crime. That's exactly what this is, because you have hackers and then you have fraudsters. Sometimes they're the same. Lots of times they're not the same because the first part of it is you steal the data, you steal the PII, it gets on the dark web, what you're talking about, that breach score, the risk score, that has an economic value to it. The higher the breach risk, the hackers have a different value, they're selling that on their dark web. That data is actually worth a lot more because it's a lot more useful from an identity takeover perspective to go commit different types of fraud. So real interesting stuff. I just wanted to add to that.
Jim Van Dyke:
Yeah. I appreciate that, Richard. Well, we've had this available for just a couple of years, these assets with the breach risk score and other things. It would be I think a wonderful thing for... A wonderful advantage in anticipating, to your point, Richard, and then fighting fraud if industry leaders whose job it is to stop fraud would not increase their focus on the quantity of consumers who are affected by a breach, because that's easy, and that's an old method, but rather look at this level of fraud risk, this breach risk score, and then you can take it a step further to your point and say, "Well, was that breach that just happened, how risky was it? And is that primarily a breach that increases new credit account risk?" Because maybe you're FI or a tax collection agency that primarily focuses in a certain county or a city and a breach affected everybody in there. Then you should focus on the breaches that are known to affect everybody and raise the risk of the kind of fraud that has the potential to devastate your success.
Leslie Deniken:
It's nice, also important to point out that you said that the breach score is dependent on social security numbers being stolen and that the institutions being targeted mostly are education and healthcare where you can find a lot of children's information, and that is very popular with fraudsters because they can use that information and create accounts without the individual ever knowing for many years.
Jim Van Dyke:
Yeah, that's right. And these organizations just often lack the sophistication that if you're a hacker or a person that wants to commit fraud, of course you'd rather do one-stop shopping, if you will, and hack the data and use the data at the same place. Why complicate your efforts? But yeah, you're right. People are going to wherever that weak link is, as you said, Richard.
Andrew Goss:
Yeah, lots of great points. And Richard, I was racking my head. I knew that that saying was rattling around in my head, so glad you pulled that out of there. Okay, so let's get a little bit hyper-focused on a specific channel.
So Fernando joins us to talk a little bit about from the call center perspective, so we dig in a lot there. So Fernando, let's get into some of those findings around fraud in the call center, what we've been seeing and what businesses can do.
Fernando Paredes:
Yeah, thank you, Andrew. No, definitely a lot of our different insights, valuable insights from the report. I think we kind of start by just saying that we tend to see increased activity, increased number of attacks on the call centers. Essentially bad actors try to... social engineer agents, get access to credentials, take over accounts, and I think that's something that we have seen in recent times as organizations put a lot of focus on the digital channel and also with the pandemic, just the move to operate their call centers in different ways, maybe deviated the attention from protecting the call center well. So today, essentially organizations consider the call center as a strong source of account takeover. This is particularly important of concern for financial institutions. So while 33% overall of all organizations think this is a major source of account takeover for financial services, this is beyond half or around 60%.
Now, they believe that fraud starts in the call center and this can go into multiple channels. So oftentimes what we see is that there's a lot of concern of that multi-channel approach as well. So in terms of the call center, going back to the call center, we are seeing an increased rise on attacks coming from virtualized calling. This is a relatively unknown vector. Historically, there have been other more kind of a mainstream vectors, but virtualized calling is certainly on the rise. And when we talk about virtualized calling, we talk about calls that can be placed over the internet via an app, a computer, the same number can be used across multiple devices across multiple geographies in a very short amount of time. So there's a lot of mobility, but that also carries a lot of risk and that's applicable for use numbers and any other type of numbers popular with users, but also popular with bad actors.
Well, today we see that this virtualized calling is essentially associated with non-fixed voice over IP numbers. And by non-fixed, essentially what I was just saying before, these numbers are not really attached to a device. They are moving freely across the ecosystem. So in terms of volume, we can say that there's relatively small volume, today somewhere around the three to 4%, but continues to be on the rise. And out of these non-fixed voice over IP population, we see high risk for the most part. Now, let's say from a recommendation point of view. So something that we at TransUnion recommend is that organizations adopt an inbound call solution that can really identify risk that comes from, let's say, traditional historical vectors as well as new latest trends, latest techniques used by the bad actors.
And I found it interesting that in the previous conversation around the digital channel, we mentioned the word seamless. So that is a concept that is also very much applicable in the call center. If we can, let's say identify, authenticate a call as it is happening to certify its authenticity and sort of behind the scenes without caller having to enroll or answer any questions. And that's among the preferred approaches, and that's what we suggest customers that they adopt these sophisticated solutions that can really do the analysis in real time as early as possible and with a minimum amount of friction.
Andrew Goss:
Great, thank you, Fernando. And anybody else on call center before I've got another question that popped in my head as we were having this conversation?
Leslie Deniken:
Only the importance of being able to do this not only seamlessly as Fernando points out, but pre-call, pre-answer because a lot of times fraudsters are using the IVR to see what is required to be able to get into the system and potentially reach an agent. So having the risk assessment done before they get to the IVR or the agent really helps protect call centers and the accounts that they're responsible for.
Fernando Paredes:
Yeah, I would add that that's a really good advantage in terms of protecting that channel. And it can also bring other benefits just from a caller experience, it's a better experience for the caller and from an operational point of view. So call center operations folks can also see benefits as that reduces friction and just the time invested in authenticating these customers down the line later during the call. So from a consumer point of view, you get your questions answered faster because there's less friction upfront.
Andrew Goss:
Yep. The ongoing pickle in fraud, right? Reducing friction and keeping fraudsters out. So great. So let's move on to a question that again, we touched on briefly earlier, synthetic fraud.
So I'm going to turn to Leslie on this one. What did TransUnion recently document regarding synthetic fraud across channels, not just in the digital fraud landscape, which Richard touched on and how might businesses address this?
Leslie Deniken:
So I'm fortunate because my colleagues, Richard and Jim already touched on some of the aspects of synthetic identity. Jim described the increase in data breaches that results in cyber criminals getting that stolen identity information to create fraudulent accounts including synthetics. And for those in the audience who don't know or are hearing this term for the first time, a synthetic identity is when a criminal takes a combination of real, personally identifiable information like SSNs, and that's why children's SSNs are frequently targeted and why healthcare and education institutions are the victims of these data breaches. Then they take that and combine it with fabricated credentials like an address and a phone number to create a new identity. We sometimes refer to that as a Frankenstein because it's a person assembled from different parts. And then in terms of where a synthetic fraud is going, Richard touched on this because it is the fastest growing digital fraud type.
In fact over the past five years, it's grown nearly 200%. So it is something that businesses do have to be aware of, particularly at the point of account creation because that's where it's being used to create these fraudulent accounts to get access to money such as auto loans, bank credit cards, retail credit cards. And what's happening is financial institutions are essentially giving this money to these identities who don't exist. And that means when they default, you can't find them and try to collect the bad debt resulting in a charge off. In fact, some may actually create these identities and then take years to default because what they do is they build up that excellent payment history, then they keep getting credit line increases, they open up new accounts and they even buy a car. And what they do is what we call bust out.
They default on everything at once. They've maxed out the credit, they disappear, and there's nothing that the institutions can do to try to find them because it's not a real person. Unfortunately, what we're finding is fraudsters are getting very good at fabricating these identities and it's exposing financial institutions to billions of dollars of potential charge-offs. The analysis from TransUnion found that the potential exposure for the four trade lines that we track, auto loans, bank credit cards, retail credit cards, and personal loans is 3.1 billion and it's an all-time high up 11% from last year. And most of that is being taken up by auto loans, about a little over one half of that. So if said another way, if all suspected synthetic identities defaulted on all four credit lines, trade lines, the financial industry would be out $3.1 billion. And what's interesting is I used to wonder how that happens with auto loans because usually when you default on an auto loan, what do they do?
They come and they take your car from you. But I was just on a call with one of our auto lender customers and he was describing a rash of incidents related to synthetic fraud. So they have trackers on their cars, which makes sense because these are high-end cars and they're finding that these cars are located in places like Asia, Mexico, even South Africa, and that makes it extremely difficult for them to retrieve. So a high-price item, easy to get a loan on depending on the lender, like it's one of the online providers like CarMax and I forget some of the other names and easy to take and sell elsewhere once you've got that loan. So what can businesses do to mitigate this risk? And Richard mentioned this too in his description of digital fraud. The response is always stop them at the front door or at account origination.
These fraudsters are using multiple means to make themselves look real, like getting a burner phone or setting up a phone account from a smaller cell provider that doesn't require credit check, and then they get an email with the provider that's easy to get like a Gmail. They create a social media profile. And even though companies have fraud detection tools, what they need to do is make sure their vendors are getting not only the latest data insights because of all the new data breaches that are happening all the time, but they're linking this information, these disparate identity elements because it's not enough to know that yes, that address is real and there is that SSN and the phone number all exist, but you need to be able to connect the dots and make sure they do really belong to this person.
And there's not any strange anomalies like five to 10 addresses for one person over one year or 24 people with the same social security number. And that requires models who can take a look at that and judge whether or not there are red flags or these anomalies that spell risk. And those have to be constantly tuned and updated too. So that would be what I would recommend businesses need to do to keep synthetic identities at bay and especially during an account origination because once they're in your portfolio, they're hard to get rid of.
Andrew Goss:
Yeah. And before we dig in... Go ahead.
Richard Tsai:
Sorry, Andrew, if I could just kind of jump in on this one a little bit, synthetic identity fraud is a tricky problem. That itself, that's a real pickle because Leslie was actually talking about, she was saying, we have this exposure, we have a 3.1 billion exposure, but that's the problem. It's like we have a big number there, but where it leads to the actual charge off, it's a bit of an unknown because you have fraudsters that are going to eventually charge off on something, they're going to take that money or they're going to take some asset, they're going to run with it. But there's a big portion of the population that will use synthetic identities because they're part of a criminal network and it's not necessarily a problem where they're going to say, "Hey, I'm going to take a loan," or, "I'm going to get an account, deposit account."
They're going to use that synthetic identity for other nefarious purposes to really take a real fake identity, but behave like that in the real world and get access to the financial systems. So typically it's a fraud on the application end when you're actually applying for it. Then the actual use, this is a failure of KYC and it's also an AML problem because it doesn't always necessarily lead to a charge off. It may down the line, some will be much nearer, but some will be much further away. So I just want to sort of point that out. But synthetic identities are definitely a real problem if we're not addressing it from a fraud perspective, it's definitely going to be a compliance issue sooner or later. That's my prediction.
Leslie Deniken:
Yes, definitely.
Andrew Goss:
Yeah. And I was just going to throw an asterisk in here for some of the stats that we've been throwing out there from the synthetic fraud side, from the call center and data breaches. I believe all the data that we've been talking about is US specific as opposed to when Richard was talking. Those are some global data points. So just an asterisk when you hear 3.1 billion, that's just for those four trade lines and just for those that are "borrowing" in the US, right? So-
Leslie Deniken:
Correct.
Andrew Goss:
Anything else on the synthetic fraud side? And we can always come back to it later too.
Richard Tsai:
Don't ask, I could talk about that all day. Keep going.
Andrew Goss:
We could talk about all of this all day. A lot of loaded questions. Well, at least we gave Leslie a break because I'm going to go back to her again. So in this recent study, part of that was, believe it or not, even more data in here. We surveyed consumers in 18 countries and regions about their fraud experiences and concerns. So Leslie, let's get to some of the high and low lights there, and then how might businesses address some of these findings?
Leslie Deniken:
Sure. And they surveyed across those 18 countries, 14,000 adults. So it was a very good population to get an understanding of what they're feeling about fraud and how and where they've been victimized. Overall, they're concerned about fraud. Over half have fears of identity theft or being phished. And again, if that's a new term for people, that's a technique that's used by fraudsters who engage with you via fake email to get you to react by calling them, or it leads you to a fake website that looks like a real vendor, like a Nordstrom or your bank. Again, the purpose of that is to get you to input your credentials and then they collect that so that they can hack your account or use it across multiple channels to be able to try to hack into accounts and take money or funds from you. Another tactic that's used is social engineering, and that made the list, 27% expressing concern about being socially engineered.
And that's when you get a call from a fraudster pretending to be the good guy your bank and saying, "Oh, did you want to transfer these $1000?" And it's intended to create fear or anxiety. So the first thing you do is you react and say, "No, I didn't transfer those $2,000." Well now they've got you on the hook, they are trying to help you with that when actually the smart thing for consumer would be to actually hang up and call their real bank, in which case they find out that that actually didn't happen. But again, that's why it's called socially engineering because it is working quite effectively for multiple consumers to get them to then trust this person and go through the steps to turn over credentials so that they can get into their account and take away money.
In fact, 54% of consumers said that they have been targeted by a fraud scheme, and fortunately only 43% said they didn't become a victim, but 11% did fall for the scam. So I thought that was interesting. And not surprisingly, the most frequent fraud scheme was phishing, which is what I just described, followed by smishing, which is the texting to get a response, and vishing, which is the actual calling. So lots of great terms in here. I would say that they're kind of fun to use, but it speaks to fraud, so truly it's not that much fun. Now-
Richard Tsai:
Let me just interject something really quick there, Leslie. So you said 54% have been targeted by a scheme. So obviously we survey consumers. This tells me that more consumer education is needed. There's no way it's 54%, it's going to be like 99.999999 have actually been targeted for some type of fraud or scam. So-
Leslie Deniken:
Yeah, maybe these are only the ones who are admitting that they've been targeted or maybe they didn't realize that they were scammed.
Richard Tsai:
Exactly. So more education is needed.
Leslie Deniken:
So we touched on this a little bit earlier too, and that's that the majority of consumers want to be authenticated when accessing online accounts because they want to have the feeling of security. In fact, many of them said that they would switch sites or companies if they felt that they were not secure when getting into their online account or even when shopping. The top three preferences for that authentication were fingerprint biometric, followed by a one-time passcode through text or email and facial biometric. Now of course, the biometric can only be done through a mobile device, but I thought it was interesting that they do want that authentication. And even though KBA or knowledge-based verification is still used by many companies, it was preferred by less than a third of the consumers that responded to the survey. So what's important for businesses to know, your users care about security and convenience for digital transactions, and that is at the top of the list when choosing whom to transact with online, but they still want ease of login and authentication.
They still want ease in filling out those forms and applications and ease in navigating in the site. And to finalize that, Andrew, you asked what should businesses do to keep their consumer customers happy? I think if they're using a solution with robust identity and device data that can keep out the fraudsters, but still by safeguarding the consumer data, but also help to recognize the safe and legitimate users so those users are not getting the friction that they're complaining about. And fraud solutions can do that seamlessly. We did touch on that earlier too. So same thing with call center, device online, multiple ways to do that seamlessly to avoid friction for legitimate users while still trying to capture the fraudsters who are illegitimately trying to take over accounts.
Andrew Goss:
Okay. Now that we've gotten to our data quotient, I think here, anything else here before we get to, I see we have one viewer question right now in the queue. Okay.
Richard Tsai:
Let's hear it.
Andrew Goss:
So it looks like, and apologies for the pronunciation here, Bobby if I get it wrong, but Bobby Galindo, he's with Allianz it looks like. So he appreciated, Leslie, your description of synthetic identities issues. I can answer the first question here. Do we have any gross statistics for South America? He says it is also around 20%. I can say as part of this study, we don't have those findings for South America, so apologies there, Bobby. But secondly, he asked, "Can you provide an example of how companies have managed to curb these types of attacks through the implementation?" And here's the buzzword of AI, and I don't know if this is an area that we can talk briefly about or not, but I'll throw it to you, all the experts here.
Richard Tsai:
I mean, I'll start a little bit. I mean, AI is a part of our lives to stay. There's going to be usage of AI in everything. It's just a matter of time when we start using AI for everything that we do. So when we talk about fraudsters, fraudsters are going to use AI, that's a natural thing for them to do. They're going to take every opportunity to get an upper hand on stuff. When it comes to vendors and applying technology, it's a little bit different because we have to think about a little bit more stuff. When we talk about the businesses that if you're in a business that's listening up to this call right now, you have to go through certain types of due diligence on what type of AI you're actually allowed to use. So that's natural because there's always the threat of actually releasing some type of intellectual property that some legal team's going to have to go and look at.
Fraudsters don't have that restriction, so they're going to use what they can use to get on an attack, but it's not an easy question to answer. But the types of tools that are out there for fraud prevention are fully intended to combat any type of AI type of attack. There's no difference in it. AI just makes it a little bit slightly more efficient for some fraudster in the tools that they're using. But the tools that are out there, they're all being developed to be able to address that needs. I know I'm not getting very specific, but in all cases everyone's fighting AI.
Andrew Goss:
Okay, anybody else want to dip their toes into that? Otherwise, we have another question coming in here as well.
Leslie Deniken:
Well, machine learning is considered to be a form of AI and that's used frequently to help tune models using the latest data. And that's why it's very important to get feedback from customers because that tells what the latest... We get the feedback, it tells us what the incidents are, how it happened, and we can use that to continuously update models so that they're always better at detecting fraudsters.
Andrew Goss:
Okay. Anybody else on this topic before we go to the next question?
Jim Van Dyke:
I'll just mention since we touched a little bit on consumer motivation and a couple of the comments that we had so far, I think, Richard, yours and Leslie's, one of the things that as I talk to people who are fraud mitigation professionals, I hear a very pervasive belief that, an acceptance number one, that as has been said, consumers are very motivated to protect themselves from fraud because they see a fraud occurring in their name as their problem, which is good, right? They should. So they're willing to be a partner. But the problem is that as many leaders in the industry, fraud mitigation leaders understand is we don't have enough consumer action. So then the assumption that often really a logical fallacy is that this belief that consumers are lazy or hypocritical or just dumb or fill in your own adjective, and really it couldn't be further from the truth.
We have a problem that we need to address as leaders trying to stop fraud. And it's evidenced by some data from our consumer facing part of the TransUnion business. In a consumer Pulse survey that we do every quarter, it always shows the same results. That is when you take a cross-tabulation methodology and you look at consumers who are the highest motivated ones when it comes to wanting to look out, take action in stopping fraud occurring in their name, and yet haven't taken any recent action. So we give them a series of choices. Every choice we can imagine, we say, "Which one most applies to you? So why didn't you take action if this is your number one concern?" They always have the same pattern of responses.
Number one, they're not sure what to do. And number two, they're overwhelmed by information. And I've done separate research of the expert sites, like if you just simply Google what are the top 10 things I should do to protect myself against identity theft and fraud, I have to tell you, without dressing it up, the information that's provided to consumers is wildly inconsistent and it looks like it was created by junior interns rather than experts. So we're confusing the willing partner and what we need to do is get clear about what we expect them to do and make sure we user test that to make sure we're asking them to do something that is within their capabilities, whether it's two-factor auth or honestly 50, five, zero, other things that they can do, many of which aren't even known by experts themselves.
Leslie Deniken:
I know one stat that we see frequently is how often consumers use the exact same username and password for multiple accounts, which of course helps fraudsters be successful when they do credential stuffing because they can just stuff that into multiple bank accounts, credit cards, and successfully take that over. But even with that, it's still the burden on the business to prevent that from happening by using things like device insight to see if this person logging in is actually associated with the account or is there fraud history associated with that device too, because we know that consumers are using the same username and password across multiple accounts. So even though they might do that, they're still going to blame the business if their account gets taken over.
Jim Van Dyke:
That's right. And I think a metaphor that I like to use in this case is medical advice. If every medical professional that works with individuals gave the same advice to every patient regardless of their diagnosis, we would have a huge problem, a huge drop-off in action on the part of people and for good reason. And yet that's what we do today, we give every identity holder the same advice as everybody else. And what we really need to start doing is helping people understand how their particular risk pattern maybe may be as specific to breaches they've been in or the type of transaction they're in the middle of doing when we're giving them that advice, but start tailoring that advice to their lifestyle or the stage of what they're doing. And I believe when we do that, we can narrow the advice we give them and get them past that feeling of being overwhelmed and confused.
Andrew Goss:
Sorry, hitting the unmute button has become very difficult to my computer for some reason. So I think we covered that relatively well. And we have a second question here. I don't know if it's something we can cover, but I will throw it out there to everyone. So Brian Grant with, I believe it's Genesis, says, "I have seen new fraud strategies asking the customer to take a picture of a driver's license and technology that can tell if it is fake or not when opening an account." Any new strategies similar to my example, you can recommend or just anything that you've seen similar to that?
Richard Tsai:
So I'm not sure that's something that's brand new, but it can be very effective. I think generally I think of that as sort of like... Shoot, I'm missing the term right now, but it's a liveness test. So that's obviously something that's actually very powerful to be able to compare against some documentation that actually has a picture and then in real time be able to compare against, hey, am I really looking at the same person against that document? That's good. That's a good test. It shouldn't be your only test. That's one test that you should have.
What you really have to do in the background is actually do a multitude of checks that happen in the background that compares all different types of data because you can tell like, hey, that picture is actually correct and it matches, but that's only one problem. The other problem is, is that document even authentic to begin with? Is the data, is it authentic? Does that data then match to one person, to two people, to three people? So there's a lot that actually has to go on, but it's definitely one layer of a fraud strategy that should be implemented. But you can't just pick one thing and just work with that. You always have to have a deeper, more layered strategy when you look at any type of verification, but good question.
Jim Van Dyke:
I'll provide another answer for existing account fraud, whether that's account takeover or just routine transactional fraud. And one way we can narrow down and tailor the advice we give to consumers so they don't have to sift through all of what they're hearing and they can instead get a tailored diagnosis or recommendation is, and this requires a little bit of coding and UX work, but do an assessment on a relative basis of how well the consumer is availing themselves of some of the most highly recommended behavioral practices.
Like I'm using strong passwords like you mentioned, Leslie, or two-factor auth. I mean, in the US everybody uses two-factor auth because of FFIEC regs, but there are a lot of two-factor auth capabilities that more advanced ones that FIs and merchants and others have that consumers have not yet chosen to use. So why not come up with some code that identifies how much of 2FA alerts, card controls, password hygiene, and a couple other capabilities people are using and give people a simple A through F score based on that so they know how well they're doing relative to either the recommendations or the average account holder.
Fernando Paredes:
And I wanted to also take Brian's question from a slightly different perspective. So while Richard was saying, well, in the case of document verification, we want to double check that there's a liveness to it, the person actually has the document with them on top of any of our checks. So I see that there's a comment also from Brian that the question was geared towards the voice channel, video channel. Well, I would say in the voice channel, maybe there is that type of liveness test is something that is kind of overseen. For instance, I've heard of organizations that in the call center, they ask the consumer to use document verification, but I would say, well, even before getting to that point, we could also check if that call is really happening in real time, if it's authentic even before putting that level of friction to the consumer. So especially in the voice channel, and I see the clarification from Brian on that regards, that liveness test certifying that the call is happening, I think that's key in the voice channel.
Andrew Goss:
Well, is there anything else on this? I think the questions have ended and we have taken this conversation, gone pretty lengthy. Glad that everyone could stick around for it. Okay, well, I'll take silence as no. So thank you so much everyone. Thank you, Fernando. Thank you, Leslie. Thank you, Richard. And thank you, last but not least, again, Jim, for all of these great insights. If we didn't get to your question today or if you have a question that comes up that you think about afterwards, please reach out on our event page and social team will connect you to the right person and we'll get back to you. And to download findings from our recent study we discussed today, I'll be putting the web address TransUnion.com/fraudreport up on the screen here soon along with a QR code and you can always go to the event page description on our LinkedIn live page as well. So until next time, we'll see you in LinkedIn live. Thank you very much.
Leslie Deniken:
All right.
Richard Tsai:
Thanks for having us.
Leslie Deniken:
Bye.
Fernando Paredes:
Thank you very much.