I’ve been developing identity fraud detection technology solutions for almost 35 years. With that background, I feel confident predicting that the identity fraud industry is at an inflection point. I believe 2022 will be a defining year in the identity fraud detection fight, but unfortunately, the “bad guys” have a leg up in technology innovation.
Over the next two weeks, I'll be posting a series of blogs with my thoughts on the five most game-changing identity fraud developments in 2022. These are not intended to be profound predictions. Rather, these developments have been building for some time, in numerous ways. In this series of posts, I will examine how the battle against the bad guys is evolving and how the good guys (like you) can fight back.
Last year's FTC Consumer Sentinel Network Data Book (also known as their identity theft report) indicated an increase of over 100% in the reported number of digital identity theft complaints by consumers (the numbers show 1.3 million complaints in 2020, as opposed to 2019’s total of 650,523 complaints).
What’s the root cause for that massive identity fraud increase? While the economic downturn related to COVID was undoubtedly a contributing factor, it obscures a crucial source of that increase. Most fraud experts agree that it is likely related to fraudulent FTC affidavits that were submitted in attempts to remove legitimate bad history from credit reports. This is referred to as “credit washing.”
Attack of the Credit Washing Bots (and Their Cohorts)
Credit washing occurs when a borrower fraudulently disputes negative information in a credit report, prompting the credit reporting agency to “clean,” or temporarily delete, the information from the report and artificially boost the borrower’s credit score.
Bot attempts provide one example. Bots can be deployed to create new accounts quickly and at scale, using techniques such as “PII tumbling” to enable a fraudulent application to slip through. These massive-scale new account identity fraud attacks can overwhelm scoring systems and manual investigation teams, to the point where they have difficulty handling the larger volumes of suspect applications.
Deploying bots is simple for bad actors, even those with limited technical skills. A basic internet search will return several different bot marketplaces, and each marketplace offers many different kinds of bots, each touting its own successes.
In addition to credit washing, bot-powered tools are used for attacks ranging from phishing to content scraping, new account fraud and registration, and even obtaining popular goods at the lowest price.
The Trend NOT to Watch for: Regulatory Scrutiny of New Account Fraud Bots
Will there be regulatory scrutiny of these bot marketplaces for new account fraud in 2022? Probably not, but there might be legislative activity. On the most recent Cyber Monday event, Representative Paul Tonko (D-NY), Senator Richard Blumenthal (D-CT), Senate Majority Leader Charles E. Schumer (D-NY), and Senator Ben Ray Luján (D-NM) announced the introduction of the Stopping Grinch Bots Act. The act seeks to restrict the use of bot technology to quickly buy up whole inventories of popular holiday toys and resell them to parents at higher prices. While not focused on new account fraud, it does appear that regulators are paying attention to the harm that bots can cause in marketplaces.
Bots are driven by data and there continues to be an abundance of stolen PII and credentials available to bad actors. According to the ITRC’s Q3 First Half Data Breach Analysis, the number of publicly-reported data compromises through September 30, 2021 has exceeded the total number of events in FY 2020 by 17%, even though the number of compromises dropped by nine (9) percent compared to Q2 2021. The trendline points to a record-breaking year in 2021 for data compromises.
When an Asterisk is More Than a Footnote
Back to bots and credit washing: Credit washing itself isn't new, but it ballooned out of control when the FTC tried to make it easier for consumers to file reports of identity theft by removing the requirement of an accompanying police report. This change inadvertently made it easier for fraudsters to conduct credit washing.
The problem of credit washing at the FTC continued during 2021, and one can expect another sharp increase in identity fraud and theft claims from customers when the new FTC numbers come out in February 2022.
In Major League Baseball statistics, they use an asterisk to indicate the significance of a stat in the greater historical context. In the upcoming 2021 report, the FTC will probably identify that credit washing played a significant role in the identity theft complaint increases over the last several years, and may apply an asterisk (or verbal equivalent of one) to 2020 and 2021 FTC ID theft numbers.
Fraud Trend to Watch For: The identity fraud detection and verification industry quickly counters emerging fraud vectors. In 2022, you can expect to see the emergence of solutions developed to solve the credit washing issue.
How to Win the Identity Fraud Battle
If your fraud scoring technologies are not up to date, large-scale attacks can push high volumes of applications into marginal scoring populations and consequently defeat stale models. As always, it is important to update fraud models often, either internally or with your outside third-party vendor, to ensure these large-scale attacks don’t thwart your defenses. Additionally, moving away from manual investigation queues in a digital production environment and adopting automated forms of identity proofing, such as document validation of driver’s licenses or selfies with liveness detection, will help overcome large-scale, short-term attacks.
The writing is on the wall for 2022 to be a defining year for every business fighting against identity fraud. If you’re concerned about credit washing, or similar challenges, please reach out to our team of fraud prevention experts. I know we can help you accept more good customers, reduce your fraud bill, and streamline your risk operations.
This is the second of five fraud trends I'll be posting on in the coming weeks.