SVB and Signature Bank Failures Cause Unusual Spikes in Identity Fraud

In the days surrounding the collapse of SVB and Signature Bank, third party fraud and synthetic identity fraud attempts rapidly spiked in small business banking and investment platforms, according to fraud pattern data pulled from across Socure’s 1,900+ customers, including the largest banks and fintechs in the market.

Attackers hit quickly in the wake of the news, looking to hide their own patterns among a rapid and massive increase in application volume as consumers and businesses raced to establish new accounts. 

We don’t believe these synthetic identity fraud attacks will entirely end until the banking uncertainty subsides. 

About Our Analysis

Socure monitors new account openings for all of our customers in real-time, minute-by-minute, including online gaming and gambling, fintech and traditional banking, investments, credit card, small business banking, auto financing, payroll, gig economy, and other industries. 

We are able to identify the “attack rate” in a single organization or across market sectors by studying the distribution of the highest risk scores from our Sigma Identity and Sigma Synthetic solutions as a proxy to measure how much our customers are being attacked by bad actors at the point of account origination. 

In this case, we identified patterns among those applications with the highest risk scores, .99 (the riskiest 3% of applications), in the days immediately before and after March 10, when SVB first shut down. The patterns across the market were clear as day – while there were minor bumps in activity in consumer-retail banking, the clear attack patterns arose in small business banking and investment platforms.

The attack rate does not reflect successfully opened fraudulent accounts, and in fact, our Sigma scores tend to capture and stop >80% of incoming fraudulent applications. 

Third-Party Fraud: Fraudsters Were Ready and Waiting

Between March 7 and March 11, the days in which the first, and worst, of the SVB news dropped, data shows a 498% increase in third-party attack rates in small business and investment platforms.

The fraudsters had been lying in wait, monitoring news feeds and ready to pounce. These bad actors had been testing the systems across our customer base for weeks and were therefore able to immediately scale up their operations, using bots to create accounts about every 4 minutes once the news dropped.

In the waves of attack, we spotted a flood of the same U.S. phone number used from China, linked to hundreds of applications with stolen identities. When that number was blocked, the attackers changed it up to create new VOIP phones for each application.

Synthetic Attacks Are Not Over

Meanwhile, on the day of the SVB closure, synthetic identity fraud began to climb from an attack rate of .57 to an initial peak of 1.24% on the Sunday following the closure, or an increase of 80%. After the first initial spike reduced on March 14, we only saw a return of an even higher spike on March 21 to 1.35%, with bumps continuing since then. We will continue to closely monitor synthetic activity to determine the underlying patterns.

Not All New Activity is Bad Activity

Beyond examining identity fraud attack rates, we also monitor increases in changes to non-monetary data for our customers who use our Sigma RiskScores to frictionlessly measure the riskiness of PII (personal identifiable information) changes to accounts. Bad actors will change contact elements, such as phone number, physical address and email address when they are trying to take over an account. While we considered there may be increased account takeover attempts in banking, the data suggests that bad actors are not increasing their efforts to take over accounts during this turmoil in the banking industry. 

There has been an increase in account changes, however, and we believe those belong to legitimate consumers who are likely updating their account information because their bank accounts are top-of-mind during so much market uncertainty. In this case, we attribute a drop in the attack rate to the higher number of “good” account changes that are taking place.

In a recent press statement, CEO Johnny Ayers shared his views on how our customer community should think about this attacks:

“The bottom line – bad actors strike during the most turbulent of times. As businesses race to establish new accounts in the wake of SVB and Signature Bank failures and wider market uncertainty, fraudsters aim to mask their attacks amid unusual shifts in onboarding patterns. 

Immediately after the news of SVB’s impending breakdown, bad actors who we had seen testing banking systems across our customer portfolio for weeks, scaled up their attacks within hours, leveraging bots to create new accounts about every four minutes. 

Banks and fintechs providing small business and/or investment accounts must practice vigilance during this time of uncertainty. Socure will partner with our customers to do just this.

At Socure, we are monitoring onboarding activity and fraud patterns across our 1,900+ customer base to provide the insights that allow our users to adjust their risk decisioning based on the very patterns we spot. And we’re continuously training our models to lock out bad actors, while allowing our customers to safely onboard new accounts even in the most extreme times of attack.

This is how we will get through this turbulent time together.”