You can’t prevent identity fraud if you don’t know what it looks like

Near the start of the movie “This is the End,” Seth Rogen tells his friend that he’s on a cleanse, which means he’s cutting gluten from his diet. His friend tells him he doesn’t even know what gluten is. Rogen replies that he does, that gluten is anything that’s bad for you. Calories are gluten. Fat is gluten. It’s all gluten. Indeed, he doesn’t know what gluten is.  

First Party vs Third Party Fraud

A while back, I visited a financial institution where we discussed their fraud rates. First party, third party, synthetic. But they didn’t have Rates. They had a Rate. Because to them, everything was first party fraud. You don’t pay up? First party fraud. Cool. Somebody pretends to be somebody else to commit fraud? That was first party too. Somebody invents a fake identity to commit fraud? Yeah, that was first party as well. Huh?

It’s said that in order to solve a problem, you need to recognize:

1. That you have a problem, 
2. What kind of problem you have.

Defending against fraud

If you actually have a gluten allergy but don’t know where it’s hiding in your diet, you won’t know what to avoid. If you don’t know what kind of fraud that’s hitting you, you can’t defend against it. And chances are, if you’re a target of fraud, you’re likely facing more than one kind. You don’t take cough medicine for a broken arm. And you don’t send a collection agency after a person whose identity has been stolen, or a person who doesn’t exist at all.

We regularly test customers’ and prospects’ data, to demonstrate the lift we get in fraud capture and auto-acceptance. Nobody does better than us because our numbers are just that good. And we get those numbers because we build and test our models with larger data sets, across hundreds of banks, fintechs, and other organizations than anybody else. Yeah, it costs us money. But it’s worth it. The results speak for themselves, which is why we keep the customers we get.


We also regularly see, especially in new prospects, mistakenly labeled fraud. A lot of the time, those boo-boos are third party fraud labeled as first party. John Smith looks like a bum, but in fact it’s Fred Jones pretending to be John Smith who’s the bum. This makes it a wee bit harder for us when we’re trying to demonstrate value. How we turn that to our advantage is when we can show our clients, when running against blind data, WHY we call something first party or third party.

I’ve read about situations where financial outfits don’t mind labeling something synthetic fraud, in which the “person” is completely fabricated, because then they have a reason not to investigate the case. It’s a write-off. And to large degree in the lending industry, reserves have to be set aside for credit losses, but not fraud losses, which are an expense. So the accounting impact of mislabeling fraud can be significant.

Machine Intelligence 

The machine learning models operate differently against different kinds of fraud. Nobody does a great job at heading off first party, since really, if you’re going after an actual person using their actual name, and they’ve never been a deadbeat before and their credit looks decent, you need a crystal ball. Otherwise, you see the previous adverse actions and render your judgment.

Heading off third party is often done by plain matching up of profile attributes. That’s where we’re way ahead of the pack. We employ multiple data sources, proprietary and otherwise, plus the machine learning from that large data set I mentioned, and the AI we built from that learning. Again, it’s an investment, but one we’ve been happy to make in the pursuit of accuracy in the high 90’s. We validate all the PII provided, and then we make sure it all belongs to the same person.

And if you don’t properly profile types of fraud, you could end up changing how you profile future applicants. This means possibly rejecting perfectly legitimate customers for the wrong reasons, which is not only reputational risk but clearly lost opportunities for revenue.

It’s said that synthetic fraud is a victimless crime, in that no real consumer has been affected. But the bank or lender is in fact a victim. They’ve been ripped off. And those costs have an impact someplace. Plus when a crook gets away with it, that emboldens him to keep committing crimes.

So financial institutions that are being victimized shouldn’t victimize themselves a second time by calling a third a first, and missing the opportunity to do better by putting up the wrong defenses. Before you take a bite out of fraud, know what it tastes like.

Topics: Fraud Prevention, Fake identity, Third Party Fraud

Jeff Scheidel

Jeff Scheidel

Jeff Scheidel is a technologist with 34 years in software, including 26 years in security solution design. He is the author of numerous white papers on security and regulatory compliance, as well as a McGraw-Hill book on identity, access, database, and application protection. Jeff is an expert on compliance requirements across a number of industries, and has presented at a wide variety of security events.

Subscribe to Socure's Blog Posts