TransUnion Live on LinkedIn: The State of Omnichannel Fraud, H1 2025 Update

Andrew Goss/Host:

Well, welcome, everybody, to another episode of TransUnion Live on LinkedIn. I'm TransUnion's Andrew Goss, and I am excited to be joined by my esteemed colleagues, Leslie Denikin, Carlos Sanchez, Richard Tsai, and last but not least, Jim Van Dyke. Welcome, everyone.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

Hey, Andrew.

Andrew Goss/Host:

So, we're here today. We're going to discuss finance from our latest State of Omnichannel Fraud study. But before we get started, I have a quick housekeeping note for the audience we always start off with. We welcome your questions as long as they're related to today's conversation, excuse me, in the comments area below. If they're applicable and we don't get to them today, we'll respond to you afterwards. Now, let's get started. Richard, let's begin the conversation with digital fraud. What did TransUnion recently document in this area, and how might businesses adapt to these trends?

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

Okay, so let's start off by baselining a little bit about what we mean when we say digital fraud. So, I would start and say that identity fraud attacks often involve digital channels, and hence that's why we focus on digital risk. When we say digital channels, we're really talking about all the activities that we're also commonly doing today, which is doing online activity either directly with our mobile apps on our phone or through a web browser online. So when we talk about digital frauds, we're really talking about the risks associated with the interactions that consumers or customers are taking in the visual channel. So, I just wanted to ground us in that first. Also, Andrew, please stop me if I go on for too long. I always have too much to say at the certain point, but it's always good.

I think there are probably three things I will point out when we talk about digital risks. The first one is about how cyber criminals really have the option to attack multiple points in the customer journey. I'll go into that a little bit more. Second, I think account takeover is up. Go into that a little bit. Then since we're talking about digital risk, digital risk happens to be a little bit different. You always have to take a different lens when you look at it from where you are in the world. So, it's always a little bit different where you are regionally. It's always a little bit different in the industries that you work in, and so they have varying levels of digital risk. So, I'll try to touch upon all three things. So, let's go back.

Cyber criminals have the option to attack multiple points. The reason I bring this up in a customer journey is because in the state of fraud report that we've published, we do look at digital risks from the simplest way of looking at it. We look at three points in time in a customer journey, and we think of those three points in time related to account creation or account signup or a registration for a product service. That's the point in time a consumer is going to interact with a business when they're signing up for a new product or a service. That's account creation. A second point is, "Hey, you've got an existing customer." They want to interact with the product or service, so they're going to log in to that product or service. That's the second point, a login.

Then there's a third point, which is anything that you're doing to interact with that product or service. So, that's after the login. Generally, those are transactional types of activities. So, these are the three points in time, account creation, login, and transactional activities. So when we look at it that way, fraudsters have the ability to take... They can decide like, "These are the main places where they're committing their attacks and to commit fraud. What our network tells us from a digital risk perspective is that account creation is generally the highest risk. Logins are the second level of risk, and transactional activities are at a smaller rate of risk. So respectively, that's 6.9% of transactions are suspected to be fraudulent at account creation, 6.2 for logins, 3.5% as a rate for financial transactions.

So when you look at it that way, it sounds like, "Hey, when you're doing an account opening, or you're doing a signup, that's where most of the risk is." Logically, it does make sense that it would be that way because as an organization or as a business, you have no idea who you're dealing with at that point in time. So, that's where most organizations are putting identity verification controls in place in order to figure out who they're dealing with. They're looking at digital signals to understand that. That's where the majority of the risk is. The interesting thing about that is that over time, that used to be a much higher rate of risk at account creation. That standardized down to 6.9, it's still the highest, but it doesn't mean the trend will necessarily stay that way.

Overall, the risks have stabilized about the past three years, but it's really not exactly all about the rate of risk. It's really about the volume of risky transactions that are occurring. So while it seems like things that happen after login are a smaller rate of risk, that's actually where the largest volume of fraudulent activities happens, because that's where the volume of stuff really, really happens. Because if you think about it, your existing customers are going to be interacting all the time. So, what we actually see is that account takeover volume, so this is the second point. Account takeover volume is definitely up. It's at least 20% based on the data that we have in our network over a year. Over a year, that 20% of account takeover attacks have gone up.

If I look at actually studies that are outside of here at TransUnion, I also see the same thing, but I actually even see much larger numbers in terms of account takeover. Account takeover is definitely a problem. Different industries are definitely experiencing it, and so there's a lot more focus once again on account takeovers. Now, that's that's bad for businesses, bad for those organizations that have to deal with it, because it has a direct impact on real customers. So, there is that threat that a poor experience with the accounts being taken over. Maybe there's mismanagement of how they deal with their particular customers. They may lose customers because of that type of activity.

The third point I want to point out is that digital fraud rates, they are different when you look at them from a different industry's perspective and different region's perspective. The highest rates of digital fraud occur in industries like communities, gaming, which is... I mean, gaming as in gambling industry, the video gaming industry as well and as well as retail. There are much higher rates of digital fraud that span from the high 7% of digital fraud rate to as high as the low teens, like 11.6 specifically for those industries. Conversely, you'll see other industries like financial services, telecommunications, and insurance have slightly lower rates of fraud risk. It sounds like that's probably good or better, but that doesn't actually give the full picture.

We could think of it this way, because the first set of industries that I talked about, video gaming, gaming, retail, communities, there's much higher rates of digital fraud, but they happen a lot more during account creation. There's a lot of fake profiles, a lot of misrepresentations. There's a lot of promotion abuse. Generally, in those sectors, there are generally less controls at the front door as compared to the other set of industries that I mentioned like financial services, telecommunications, insurance, which are much more heavily regulated. So, they tend to have a lot more regulated controls. They put a lot more investment in their fraud controls, particularly at the front door, so they see things a little bit differently.

So, there is a difference. We are seeing high rates of account takeover and financial services. We can generally use that as a baseline to see how other industries are doing, but they tend to be a lot more highly regulated, and they tend to actually put much more investment both into their identity verification controls, their identity proofing controls, as well as their customer authentication controls, but it's a good usage of understanding what's going on in the world. Then there's very different data sets as it pertains to different parts of the world. I'll pause there, because I'm spitting out a lot of different things. Give you an opportunity to challenge, move on or drill in.

Andrew Goss/Host:

I just wanted to also, Richard, throw in the point if I'm understanding everything correctly, this is based on our customers, what they're reporting back to us, right? We're not determining that these were fraudulent. So, that's also another good asterisk to throw in there as well.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

Yeah, and you're right about that. So when we talk about the data sets that we're looking at here in the report that TransUnion puts out, it is based on the network of subscribers that are using capabilities from TransUnion. So, we're able to look at that to be able to ascertain what's actually happening in different industries in different parts of the world.

Andrew Goss/Host:

Anybody else have any questions for Richard, or any points you want to throw in around digital fraud as he pauses?

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

So, I think one of the things that businesses have to realize is that... Richard did mention that login is one of the risky stages, but not as risky as account creation, but most of the financial losses are coming during account takeover, which is account login. So, it's important for businesses to think of continuous authentication. Just because you have a legitimate user who you think is a legitimate user log in with the right credentials doesn't mean that they aren't fraudulent. They may have stolen those credentials, and now they're doing these transactions. So, it's good to continuously authenticate and check the device that they're using.

Is there fraud history? Is there any other type of red flags based on what's going on? Should we use step-ups if they're trying to do a big transaction? These are things that protects consumer accounts, which more and more consumers are relying on businesses to do that for them, protect their accounts, and make sure that they are safe and secure.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

I would add to that. I think for those that are actually listening in right now, I'm not sure if everyone in the audience actually knows what continuous authentication necessarily means, but the simplest way to think about it is we're all accustomed to understanding what a login means, because we're all so used to doing it. We've logged in by providing user password. We're using passkeys now at a certain stage when we interact with a product or service. Continuous authentication is exactly like the term sounds. You're actually always... During the entire time you're connected to a product or service, you are constantly assessing that interaction risk but passively, but the difference is it's really done passively in the background of what's actually happening.

So, the end customer, end user doesn't really notice it, but it's like all these digital signals that are used in order for fraud strategies to be able to orchestrate the types of flows that they want to take when they're implementing their fraud strategies, but continuous authentication is really about continuous assessment of risk.

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

Two things came to mind hearing both of your comments. One is that me having run a couple of research shops prior to coming to TransUnion, and I look, your recent data happened to be U.S., a large scale from a company that only does research and remarkable corroboration to what we talked about. They're from a different lens. That lens was consumer self-reported, and so good to see, interesting. But when it comes to the question of what do we do about it? How do we keep the fraud under control? I always like referencing some of the data in our consumer pulse survey, a couple of questions with a very precisely focus at across tabs that confirm that consumers remain more concerned about cyber and identity security than anything else in the financial realm. Yet, as professionals know, the fraud prevention space that it's hard to get consumers to act effectively or act.

What we see in the consumer pulse survey data again and again is that when people don't act, and that is quite a few, or they don't act effectively, it's never due to a motivation issue. So, we have this latent motivation that we've been struggling in bringing to life, and to bring it to life, we have to address their primary stated reasons for not acting, which is they just don't know what to do. Fraud from their perspective is contradictory, confusing, overwhelming, and that's what they tell us in our consumer pulse survey data. So, it's like we have an army that wants to help, and it could be more motivated, but we have to equip them properly, and take the confusion and uncertainty out of it.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

I think it's a good point, because we don't want to put all the burden on consumers. I think that's the main point. As an industry, we do put some of that burden on consumers, because they have to take some accountability for what they're doing. But I think what we're pointing out, at least the data points that we do have, is that businesses also have a portion of that responsibility. Of course, the fraud losses they experience helps to motivate the businesses in order to do that. But certainly, at least in my conversations, I do know a lot of businesses, those that do work in fraud. They do take it a step beyond that in order to ensure that the fraud controls that they put in place are effective, protect consumers, and as well as could potentially even be a differentiator for them.

Andrew Goss/Host:

All great points. Unless there's something vital to get to, I've got three others to get to with specific questions, so I'm going to move on, but raise your hand if... Stop, Andrew. I have something really important to say.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

We will.

Andrew Goss/Host:

Okay, good. Let's move on. We got plenty of time to bring up all these points that are rattling around in your head by the way. So Jim, I'm going to turn to you. Let's turn to data breaches, where fraud often begins. What did we discover in this area, and how might businesses address these trends?

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

That was an interesting year of change of last year in data breaches. I like to reference the model of two-crime crying, and because I expect we mostly have anti-fraud practitioners on the line or on the call with us, but we may also have some security people. But either one of those realms, they're different, especially in larger enterprises. You have different people securing the data than are primarily tasked with stopping the criminal's access to the data from being used in fraud in all its various forms, new account, existing account, what have you. I just throw that out as a general backdrop to say, "Well, how do breaches exactly relate to identity theft or fraud?"

Because more often than not, the breach that exposed the data to the identity criminals was not a breach of your organization. If you're at a financial institution, which is where most fraud occurs because that's where the money is, it's most likely to have been... The data has been most likely breached at a healthcare institution, especially with the myriad in the U.S. with myriad of healthcare billing activity going on, but it could be anywhere of course. So last year, what we saw was after talking for two years at increasing volume about this out of control problem of third-party breaches, a third-party breach is when the data was hacked or somehow exposed when it wasn't under the primary care of the enterprise that the breach is sadly credited to. So, an example might be a third-party billing services organization or a marketing organization that works with real customer data or any number of others.

So, what we saw was it's fascinating to me. Looking at the data 2020, '21, the level of these third-party breaches as compared to primary breaches, the data is under the enterprise. It was breached in air quotes. It was under their custodial care or their full-time employees' custodial care. 2022, saw a spike in these third-party breaches, and then 2023, it got completely out of control. Last year, it just got back to historical levels. So, that's good news, and the takeaway on that is that enterprises learning to keep the focus on making sure their third-party vendors are just as rigorous in security as our primary employees or the servers are patched that belong to your own organizations and all those other things, that level of scrutiny must continue, but we also saw those...

So, think of that as a quantity issue about quantity of breaches, and the primary breaches, they're just back to a little bit higher than historical levels. So, that's where most of the concern keeps going up, but there's a... I don't like this term, but I don't know if that will make a quality, sorry, issue if you will. So while we saw a reduction in overall breaches, mostly in third-party organizations, not in primary service organizations relationships I should say, sorry, but what we did see of the big jump in last year was the ability of the average data breach to cause identity theft and fraud in all its forms, new account fraud, existing account fraud. That could be card fraud, account takeover, whatever. So, we have something exclusive here at TransUnion called a breach risk score, and that's...

You might compare that to, say, an earthquake magnitude score or a rating for hurricanes, and it's very structured. It has 1,300 elements that are very dynamic to fraud trends. Every breach is measured the same way. Why did breaches go up in risk score last year? Well, it's because more hackers found a way to get to the particular records that are more useful in fraud, like SSS in specific order went up quite a bit higher than the levels we've ever seen before. Driver's license exposures of second. Third-highest exposure of increase by identity credential again was in financial or other account data, some healthcare, but it could be financial account data like demand deposit accounts, checking, savings, that kind of thing, or cards.

So, when we... Last trend for you we found in fraud data is that we continue to see a lot of breaches from the healthcare sector. So at large, financial service institutions, if you're concerned about breaches, by doing a continued good job, stopping them on your own turf, noting that criminals are increasingly going to the account number credentials itself, healthcare is where we have the greatest vulnerability industry-wide and where we need to shore things up.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

I think if... Sorry if I just jump in. On everything that you said, Jim, I think if you're out there listening, in my head, there's two things. If you're on the cybersecurity side of things, and you're on the enterprise security side of things, you're basically saying, "Hey, do a better job of actually protecting your company's data and your customer's data." Fully agree with that. But if you're sitting out there, and you're on the fraud risk side, you're a fraud risk professional. We have to take a very different stance as a practitioner, because we have to take the stance of... Hopefully cybersecurity guys do the right things, but as a fraud professional, you have to take the risk posture that you can't trust anything that you're getting.

You can't trust the identity of someone passing to you. You can't trust the fact that your existing customer is coming back to you. I think there's a slightly different perspective, and I know Carlos who's sitting quiet. I know Carlos and I, we will look at data breach stuff that's being sold on Telegram channels. So, we see it happening. We have to assume everyone's data is out there. So, I think there's that difference.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

There is one thing that I want to add in everything that Richard and Jim mentioned. We can never let our guard down. We hear the word attack and attacked, and we may tend to think that hackers are attacking because they have a brute force attack into trying to figure out passwords. But if we have some type of username and password that is collected from one of these breaches, that means that constitute that is an attack. As simple as logging in with somebody else's credentials, that's considered an attack. So, we can never let us fraud fighters and as actual users for those of us listening that you have to sometimes, most times use common sense, even though I always say that common sense is a less common of all senses, because all the time, these things happen to us, but we can never let our guard down.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

I think it's no surprise that the industries that you cited, Jim, healthcare and financial services are the highest ones under attack. But other ones like education, all of those have a lot of PII information, children's birthdates, age, address, because those organizations need that information. So obviously, those are going to be the biggest targets for fraudsters.

Andrew Goss/Host:

Well, I think we all had a little bit to say there, so appreciate that. I'm going to move on. Again, raise your hand if you had something you wanted to get to here, and we can always circle back around, but I did want to remind the audience and I did see one question come through here. If you have any applicable questions, put them in the comments area, and we'll respond to them. We'll probably circle back on those questions at the end of my questions. But Carlos, love your point just about a minute ago. So, I'm going to turn to you now, and you are going to focus a little bit on the call center fraud landscape. So, talk about some of our findings there in the study, and then some advice around some of those trends for businesses.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

Sure, absolutely. Thank you for that introduction. The State of the Omnichannel Fraud is the name of the study. Okay, so when we're talking about omnichannel, we call it omnichannel because fraudsters are omnichannel. They use digital. They use voice. They use non-digital and non-voice media to try to get the information that they're actually coming or going to be used to perform these attacks or these hacking activities. So, I apologize, and I'm going to have to read because I have a lot of numbers, and it's impossible for me at my age to memorize them, but please stop me if you think I need to go back into this. But, this report was very interesting, and it touched me really, because it actually focuses on the technologies that I enjoy working with, which is mostly telephony.

Because believe it or not, there is a lot of information on the telephony network that we can actually take advantage of to determine the risk of a transaction. So in the recent report, it highlights that there's a significant price in fraud attacks on call centers, particularly on the financial industry with 90% of the financial respondents on the survey reporting that there has actual be an increase in those attacks. So, this is where the reading part is going to go. So, we have findings, and this goes back to what Jim and what Richard were actually mentioning. In the first half of 2025, several significant trends in omnichannel fraud has emerged. The fraudsters are evolving, and we need to keep up with them.

So, fraudsters are increasingly using exposed data for house success and short term payoffs, meaning that they're actually becoming focused on the information that is already out there available, instead of fighting the process of actually getting new and new and new breaches. So, they're actually becoming smarter. The severity of the data breaches in the U.S. reached a record levels with a 34% increase in breach risk severity from 2023 to 2024, despite up 45% in breach volume as I was just mentioning. They're actually using that information that is out there instead of actually having to perform an attack or provoke a breach so that they can actually take that information.

Last year, there were some massive breaches reported. In August of 2024, there was this famous NCR data breach in which supposedly billions of records were exposed, but it wasn't that many, but it's still over a billion records with all the breaches that were actually out there. So, we do see that there is... In terms of digital account takeover, as Richard was mentioning, the attempts have risen in 20%. This is usually the first integration point in which the customer has access to our service provider's databases. Usually, the information that's stolen is actually used here to commit these attacks, to create accounts with fake information or information that doesn't belong to you.

In addition, 53% of adults in 18 countries report being targeted by various fraud schemes from August to December. Me personally, I get targeted about five to six times a day, whether it's a text about the... I get them all, the text about the toll. There are so many different new things that you're actually seeing, and just a word for everybody listening, if you start getting those types of messages, that means that your information is actually out there. So, be mindful of what you click, what you say. Read things twice so that you are protected. So, financial transactions suspected to be digital fraud attempts increased by 11% last year, representing the transaction type with the biggest growth in digital fraud, just as Richard was mentioning.

This is one of the most interesting topics which Leslie is going to be covering soon about synthetic fraud, the type of user that doesn't exist as a human being, but it has some type of cyber exposure. It has a credit record, so they commit that type of fraud, and then they disappear. So, the thing is that... This is very alarming. 3.3 billion, with a B, dollars were actually exposed to synthetic fraud by the end of 2024, which actually highlights the importance in this type of modality that keeps growing and growing and growing, and not only in financial services, in pretty much all industries or verticals.

So, I get asked this probably 10 times a day, "What can I do to protect myself against these types of things?" So, I'm going to go with a few alternatives that have been successful in the past. We're going to be talking later about more solutions. But to combat these trends, there are few things that you can actually do. Number one, I always recommend multifactor authentication. I will always recommend that one of those factors is a biometrical factor, because that way, you eliminate the fact that you're probably going to have somebody taking over your account when you have to prove yourself that you are the person that is actually supposed to be executing that transaction.

Actually, I know sometimes it's a pain, but we need to do frequent audits of login, timing. Many times, we don't realize that, "Hey, this particular user has logged in five times in the last five minutes." That's something that's usually not typical, but if it happens, that adds as a sign of risk, and we see that in the contact center. We see that in the digital world. So, we need to be mindful according to this in addition to that consumer education. Education is the key of everything. It's the key of the future. It's the key of our children that are growing up. We want them to be educated and us also, so we need to be educated also. Read, understand, listen to the things that's actually out there.

AI has become a major benefit to a lot of us, but it also has become a major issue with all of these deep fakes and biometric cloning that we're actually seeing out there. So, we need to be aware. As Richard was mentioning, we cannot trust anything. Sometimes, we can't even trust ourselves with the way that we are reacting towards this. My favorite and the one... I'm focusing this actual comment into the inbound contact center data. There is technology out there that you can actually do a forensic analysis of that particular call that's actually coming in so that we can actually determine the riskiness of that transaction before the agent or before the IVR actually answers the call.

That's really important, because by doing that, you sometimes eliminate the necessity of doing some type of biometric verification, which brings a lot of other challenges when you're actually trying to deploy the solutions for protection, and relating to biometric... not biometric, network forensics, behavior analytics can help us to monitor the user activities, and detect unusual patterns, as I was mentioning a little bit earlier, the amount of calls that I'm making per minute, per hour, per day. How many times a phone number is actually making a call towards my contact center has switched names or has switched ownership in the past month, year. Those types of things and those types of behaviors are going to help the platforms protect the contact centers.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

I wanted to touch on a couple other risky aspects of call center or calls too, and that is the use of spoofed and virtualized calls to go into a call center. Obviously, if you are a legitimate consumer, you're going to be using your mobile device or a landline, and it's going to be detected that that is a real phone number, whereas spoofed and virtualized calls are what fraudsters use because they want to be anonymous. They don't want to be able to be traced. So, as Carlos was mentioning, that's part of the risk factor of evaluating these incoming calls to see if there is a red flag and whether or not that should be transferred to a fraud analyst, and not directed to the IVR or an agent who could potentially be socially engineered by that fraudster to take over an account.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

Absolutely. Social engineer is the key. It's one of my areas of interest, and it's probably the most dangerous out there. It doesn't require any type of technical knowledge. You just need to manipulate people. So, we also need to be aware of that.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

I would just add this. I'll be quick. The reason we talk about call center is because it is a threat factor to a business. So, the fraud itself may not actually occur in the call center. You may have social engineering like you're talking about Carlos and Leslie. But when you look at the overall anatomy of an attack, they generally involve multiple channels. It may not all happen on the same day. A lot of fraud rings will do reconnaissance work, and they'll do it, or they'll delve deeper into the information that they have, and they'll try to social engineer and get more identity information from customer service agents as a way to do that. They'll use that as as a jump-off point to go into the digital channels or where you've been to do something in person, but that's the reason we want to focus on that.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

The main thing I always say to my customers is that the purpose of us as fraud fighters is to frustrate the fraudster so that they actually abandon the transaction. Sometimes, the only way to do that is to know that there is a riskiness of that call before it actually gets to where it wants to be. People have no idea how much information there is on an IVR. Most of-

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

You just brought up... This is the challenge I think for most fraud professionals that are out there now, and if you're listening, it's like, "Hey, I'm putting on my business partner's hat, the one who actually owns the P&L for all this." I hear you say, "Hey, we want to frustrate the fraudsters," absolutely want to frustrate them, but we don't want to frustrate the actual legitimate customer because once that happens, that's when they say, "Hey, you're doing the wrong thing." So, that's the balance we have to find. Usually, what I say is it's not a balanced thing. You can actually do both at the same time effectively. That's what-

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

I'd like to add. I think an opportunity is to have informed and positive engagement with the identity holder, because I mentioned from our... It's from a pulse study where we continue to find that there's this paramount motivation and yet also predominant sense of confusion or overwhelm in this on the part of the legitimate identity holder. Obviously, what I'm talking about doesn't hold up for new accounts. But with legitimate identity holders, they want to feel engaged. If you think about times where you're highly worried about something, which is the case for a lot of people when they're transacting online, could be even more so who are tend to be less protected.

There's nothing that feels less helpful than being told, "Hey, don't worry about it. We got this covered." That's not really what you want to hear. Now, you do want to know there are assurances in place, and you won't be held liable if a fraud occurs in your name, stuff like that. You do want to hear that, but a positive engagement where Richard, for example, you mentioned two factor auth, and Carlos, you did as well, that something like reminding people that you may have aspects to your two factor auth that many account holders have yet to take advantage of. It might be a good time for review to check in, and make sure we communicate that in everyday language like eighth grade level in the U.S. or below or whatever the global equivalent is.

But signing up for mobile alerts, transactions and communicating with your provider if you're going to be traveling, those kinds of things can actually help people focus their activity, and give them a sense of being more secure. So, don't worry about... You only have to worry about giving people a sense of being bothered if they don't know why they're being asked to do something, and that UI level work, that experienced design work is really off where the highest payoff work comes in.

Andrew Goss/Host:

Very interesting conversation. I will also do a shameless plug here, because I don't know if Carlos got to this, and I don't know if we have time to get to this, but within the report we're citing today, we do go into the riskiest channels for inbound phone calls and the call centers there, which, again like Carlos talked about, gets to the almost pre-qualification of a call before the phone call even is connected there to an actual representative. So anyway, I'm going to move on to another area, and I think there was a good tease that Carlos had for that. So, let's get to synthetic fraud. Let's turn to Leslie on that. Let's get to those findings there and some potential business advice there, Leslie.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

Sure. I'm going to take a deep breath here because there's a lot to talk about on this topic. Carlos did give us a quick definition of synthetic identity, an identity that has been fabricated using real and fake information, and based on TransUnion analysis of U.S. consumer credit data, we can see that the use of synthetic identities to open credit accounts is not slowing down. Although attempted account openings over the last year look small, in fact it's one-third of 1%, enough are successful, and that's what's causing the credit exposure to continue to increase for financial institutions. Carlos, you mentioned 3.3 billion, and that's across the four trade lines that we track, auto loans, retail credit cards, bank credit cards, and personal loans. That's up from 3.1 billion last year.

What that means is if all of those accounts defaulted that are under synthetic identities, those losses would total $3.3 billion. The interesting thing is, or maybe not so interesting, the trade line with the highest exposure continues to be auto loans, and that takes up 63% of that 3.3 billion. We all know the cost of automobiles, both new news have gone up over the past few years, which means the average monthly loan payment has gone up over $700, I believe, and that's crazy. So, exposure for auto lenders could be a lot of consumers are using synthetic identities to try and get a better interest rate to get a lower payment, but we also know that there are fraud rings out there who are getting these auto loans to buy car, and then default. Because they're synthetic, you can't find them.

Those cars can be shipped overseas in containers to countries with loose import and customers regulations. They can even alter the VIN, the vehicle identification number, and sell them, or they can even sublease them. So to get to your question, Andrew, about how to proactively detect these synthetic identities, first, I want to point out that synthetics are not just a problem for financial services companies. Telecom companies are experiencing defaults, and seeing expensive phones go disappear. Property management companies are finding tenants who stop paying rent, and then they discover the application was fraudulent, and then it takes them months to get them evicted.

At a recent retail conference that we participated in, there were a number of retail companies that said that they're also concerned about synthetic identities. For us, we always say the best defense is to stop them at the front door, and this should definitely be part of your identity verification process if it's using models that include synthetic fraud flags, or you can go deeper by layering a fraud model that's built to predict synthetic fraud on top of identity verification. That can deliver score, and then businesses can use that as part of their decision making process based on their tolerance for risk. If you want more accounts, you may be willing to accept more risk. If you want to be more conservative, obviously, you want to be more cautious when the score comes in.

For e-commerce companies, we think that they should encourage shoppers to set up an account and reward them, because that gives them more information about the consumer, and they're more likely legitimate because they have set up this account. For our communication clients who frequently only use fraud alerts, those alerts that say, "We think this is a stolen identity, or this is an SSN that belongs to somebody who's deceased, or it's synthetic," we're now recommending that they use identity verification tools to not only verify identity, but can deliver a confidence score on the linkage attributes, meaning that yes, this email is linked to this individual, and the phone and the address, and deliver a confidence score on that so that you know whether or not these attributes actually can establish the legitimacy of that consumer basically lending insight to synthetic fraud risks.

So, I'll pause there, because I'm sure my colleagues also have some feedback on how to detect and help companies prevent synthetic fraud.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

I was actually just going to add. I think you cover almost all of it, but the things I've been hearing a lot about are actually when it comes to e-commerce merchants, synthetic identities are definitely becoming a problem, because you're getting these fabricated identities. There are actually signing up and registering accounts with those vendors. What they're doing is they're making these fake accounts, and they're loading all of these stolen credit cards, payment cards into that account to actually make purchases. That's where it's becoming highly problematic.

I know for e-commerce retailers, it's generally a little bit difficult, because it's not the area where they traditionally invest in doing some type of identity verification when they're creating these accounts. But if this problem continues to increase, it puts a lot more stress on that area where investment is needed.

Andrew Goss/Host:

Great. Anything else on synthetic fraud before we move on? Okay. Well, I'm going to just put a quick shameless tease here. If anybody has any questions, just a reminder, put them in the comments area below. So, I'm going to stick with Leslie on this one. I'm sure others will have things to say here. But Leslie, for this study, we surveyed consumers in 18 countries and regions about their fraud experiences and concerns. Can you explore some of those findings and how businesses can fortify their strategies, and build trust with these insights?

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

Of course. So, the clear message that we got from the survey is that consumers are relying more on businesses to protect them from fraud. As Jim already pointed out, yes, data breaches have decreased over the past year, but those valuable credentials are what criminals are looking for, and that's what can be used to create fake identities, and have access to be able to compromise consumer accounts. So, over half the consumers that were in this survey said that they have been a target of phishing, which is email. We're trying to get credentials and PII through email or tax phishing, which is a phone call or smishing, which is SMS text, and 29% of them lost money. In fact, the median amount across these 18 countries was $17,047.

Now, that doesn't sound like a lot, but keep in mind that some of these countries have much lower annual incomes than the U.S. like the Philippines, Dominican Republic, several countries in Africa, and we're included in this. But to put it in perspective, the median loss for U.S. consumers was just under $5,000, and that is a considerable sum. According to the survey, 52% of U.S. Consumers said they had been targeted, and 11% said they felt victim with smishing listed as the most needing type of fraud they were targeted of. But here's another surprising thing that I want to mention. We actually also dissected the data by generation, and most people would think baby boomers were more likely to be victims of fraud.

But no, the generation that actually had more respondents saying they lost money to fraud was Gen Z, which is the age group born between 1981 and 1986. 38% of them lost money to fraud, whereas only 11% of baby boomers did. From other studies that we've seen, the assumption there is that Gen Zers are far more digitally inclined. They have more social media accounts. They have more online activity than baby boomers who may only have one social media account, if any, and do a lot less transacting online. So, what would we say businesses should take from this? The message is, and Richard highlighted this a little bit earlier, consumers want to know their personal data is safe when transacting online, and 77% said that was the number one feature they look for, but they also want to be able to be treated as a legitimate consumer, and have ease of login.

If they're logged in or if they're transacting, they don't feel secure over half so that they will abandon their shopping cart or their online application. So, the way businesses can think about differentiating themselves from their competition is by understanding the tactics fraudsters are using across channels, and then mitigate against those vulnerabilities. One of the key areas is consumers are the weak link there. We all know that we should use unique passwords and usernames for every single account, but we don't. That's what is available to fraudsters when they get through these data breaches, and be able to use that to go across multiple accounts at the same time using bots.

So, it's important for businesses to make sure that they're protecting these accounts, but if they are using... If it is a legitimate consumer, consumers want to be able to be protected, but have that ease of access and to be able to transact online while protecting their personal data in their accounts. Businesses should not be afraid to promote that they're doing this for their customers. I think that's the biggest recommendation I would say came out of that consumer survey that businesses can use as a takeaway.

Andrew Goss/Host:

Carlos, so Leslie memorized every single one of those. There's so much data in there.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

I was following her eyes.

Andrew Goss/Host:

That loss number just always astounds me there. I just want to say, I think Leslie might've said that Gen Z was 1981, '86 or something like that. I think technically, most places have it at '97 to 2012.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

Oh, sorry.

Andrew Goss/Host:

I've been dropping in millennials.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

I'm so [inaudible 00:51:53] in what generation nowadays.

Andrew Goss/Host:

But I think you meant Gen Z there, so that's the important thing. So, anything else for what Leslie said? I mean, that is some really interesting findings from that survey that I believe exceeded over 10,000 survey respondents.

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

I'd like to jump in on that. Leslie, those are great points, and I could talk about consumer behavior, not just fraud victim behavior, but just overall consumers or business customer data all day, because the studies are always full of surprises, and it's always changing. It's so dynamic. But some of the points you made about generational groups, what struck me there is how much that each customer grouping is as unique as a fingerprint, and yet each individual customer is also unique, of course. So, the point is you really need to know your customer, not just in the compliance sense of the word, of course, but understanding what motivates them, what they're willing to do.

For example, if somebody's a fraud practitioner, and they're spending time in their call centers, those attitudes and motivators might be very different from the population at large. The reason that might be important is if you're trying to motivate all of your customers to use all available security tools, or to not fight you when you tell them to use unique passwords or share passwords with others, and trying to understand what the everyday user's motivations are, and making sure that you message test your communication attempts at saying, "Did I get through to the party I'm trying to reach and demotivate to get them to make the change I want to make?" You just can't emphasize enough how difficult that is, and so it comes right back to what I started my response to what you said, Leslie, which is really understanding what makes your particular customer base unique, whether it's across...

Say if you're a financial institution, and it's across product lines or checking, saving the money market or whatever the global equivalent is, depending who's listening, and in tailoring your message to them. Because as you said, younger people will tend to transact more online, but they're not as concerned about security generally as older audiences are, which work against people trying to change their behavior. They tend to become a victim of fraud, and then they get motivated, versus older people who may not be digital natives, who tend to be of a heightened security all the time. So a big challenge, but really studying up on the needs and drivers of your audience, I believe, was such a high payoff area. So, thank you for covering it.

Andrew Goss/Host:

Jim, what you had was insightful. I think Leslie dropped out of the conversation for a second, so it's no reflection on you or any.

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

It happens all the time.

Andrew Goss/Host:

So, I am going to move on. Oh, there's Leslie.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

I don't know what happened. Suddenly, I got dropped. Jim, I'm messaging you.

Andrew Goss/Host:

[inaudible 00:55:26].

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

What did I say, Leslie?

Andrew Goss/Host:

Leslie, anything else you want to touch on there before we wrap things up here, and get to some viewer questions?

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

I think that the one thing I would say is to the importance of data. We always like to say data, data, data, and that can help get a full picture of identity and digital risks, because you're not just checking if an email address is valid or if a phone number is active and a social security number exists, but all linked together, and providing that comprehensive view of an identity both from the identity elements they're providing, but also the devices they're using and checking for the risk. That considerably helps business to understand whether or not they're dealing with a legitimate customer, or if it's a potential fraud risk, and be able to take some steps to maybe pause on it, or ask for more information from the person trying to do the transaction. Layering in these type of strategies can really help to have businesses protect their reputation, their brand, as well as customer accounts.

Andrew Goss/Host:

Great. So, that's a good transition here. We're closing in on an hour on this conversation, so don't feel like you need to repeat yourself here. But if there's any big recommendations, big takeaways that you want businesses to come away with that you haven't already talked about here, now is your chance to speak up, wrap things up. Anybody want to go, or do we feel like we've exhausted recommendations for now?

Jim Van Dyke/Sr. Principal Consumer Engagement, TransUnion:

I'll just hit this. I talked about keeping the scrutiny on third parties, because it's working, third-party vendors to the enterprise and partnering with consumers. I'll just add in in closing of my comments that with regard to data security, not so much fraud mitigation, and for many people who are fraud-crack issuers, this is your partners on the security side of the house. Make sure that you're using every opportunity to take a credential-specific approach. I don't mean just logging credentials, but looking at the most sensitive of credentials that hackers are increasingly targeting.

If your database configuration allows you to do that and SSNs, despite everybody getting breached all the time, criminals literally can't get enough of SSNs. They're short supply to them, and that's why we see SSN exposures going up. So, SSNs, driver's licenses, financial account data, those are the top three to make sure we're protecting, because criminals are going to try to find their ways to that data.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

Then I'll go next. I'd like to reiterate the point that I made earlier that businesses can differentiate themselves by investing in fraud prevention, make it convenient for legitimate customers to transact online, make them feel safe that their personal data is not going to be exposed, and they'll keep coming back, and understand how fraudsters could go in and take those credentials, or use that information to take over an account. So, use that across channels. Make sure you understand critical vulnerabilities, and you'll continue to be able to grow your business.

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

Great. The point I would add is businesses need to always continuously invest in their fraud controls. I know everyone that's out there already has controls at different points of the customer lifecycle, but you can't stand still basically on the controls that are actually in place today, because fraudsters invest. They're adopting, and so investment is generally needed, and they're either at to solve for new account frauds or to solve for account takeover, so continuously investing in your identity proofing. Combine that with your digital risks signals. For account takeovers, definitely focus on customer authentication. Invest there.

There's a lot of changes in the industry as it applies to authentication methods, the movement onto passkeys, but that doesn't change the fact that fallback methods are still necessary. So, you still have to... What we think of as a weak channel today, one-time passcodes over SMS, unfortunately, they're not really going away because they're ubiquitous, but this is a very specific recommendation to spend some time and opportunity to look at the digital risk signals of who you're sending a one-time passcode to if you have to choose to use that as a secondary factor.

Andrew Goss/Host:

Go ahead, Carlos. Sorry.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

No, sure. As I mentioned earlier, and everybody has been very diligent into answering, I mentioned that there is the technology out there to protect yourselves. Just like Leslie mentioned, we need to invest as a company in those types of tools that are going to help us protect ourselves and our customers moving forward.

Andrew Goss/Host:

Well, Richard, I think you actually touched on this, I think. So, one of the questions I see here, and I'm not going to attempt to... I believe it's either Sunny or Sunnie asked, "What is the average time to market for fraud screening platforms when a financial entity is asking for a new control/screening capability to be implemented based on the fraud trend they've seen their clients being impacted by?" The impetus is fraud is always changing, right?

Richard Tsai/Sr. Director Fraud Solutions, TransUnion:

So, if I understood correctly, time to market for fraud controls. I wish I had a simple answer and say like, "Hey, it takes three days," but that's not a fair response, and it's not an accurate response. The reality is it's all over the place. I think you want it to be as fast as possible from a time to market perspective. But generally, from what I've seen, it's not necessarily a time to market for an implementation of what you're getting, because you're usually getting data and insights and risk signals. Usually, they are either data files or API-based types of situations to incorporate that.

So really, a lot of the time to market typically resides on whoever is implementing it on the business side. Usually, it's on the IT side where that process is usually the... It's usually the bulk of getting something to market. It's probably not the greatest answer and probably not the answer you're really looking for, but I think a lot of it is tied to the corporation, their IT team, how agile are they in terms of implementing data and the technologies that they're trying to bring in house.

Andrew Goss/Host:

Okay. There was one other question, and I don't think we're going to get into this. They asked about the countries or regions that's shown the greatest resilience or vulnerability to omnichannel fraud. So, I will say for this study, because I'm relatively familiar with it, we looked at where a consumer is located when transacting, and we analyzed we call 20 core markets to our business for that. So, we have the capability to look across markets, but we only analyze those specific markets. So, I would recommend. I believe that data for those 20 markets is in an infographic that we produced. If you go to TransUnion.com/fraud-trends, you can find that infographic there, or you can look at the report that we'll be talking about, where I believe we look at it by industry, by country.

So unless somebody has anything to add on that, I'm going to move on. Cool. Well, now is your last chance to say anything. Otherwise, I will wrap this up. Okay. Well, thank you, all four of you, for amazing insights, long conversation, super interesting stuff. Very helpful hopefully for the audience. Thank you to the audience for joining us via great questions. I saw a lot of comments coming in, so appreciate that. If we didn't get to your question today, and it's applicable to this conversation, we'll get back to you soon. To download all the findings from our recent study we discussed today, we'll be putting the web address up shortly, TransUnion.com/fraudreport and the QR code up on the screen.

You can also go to the event page description tab on our LinkedIn live event page, which you're on right there, and you can find it there. We'll see you next time on TransUnion live.

Leslie Deniken/Sr. Advisor Fraud Solutions, TransUnion:

Thanks for having us, Andrew.

Andrew Goss/Host:

Thank you.

Carlos Sanchez/Sr. Advisor Fraud Solutions, TransUnion:

Thank you.