Search Icon
Back to Blog

In late 2021, two very high-profile financial institutions were attacked by a sophisticated cyber fraud ring. Because these institutions are part of Socure’s 1,800+ customer consortium ecosystem, it was a real-time test of how well Socure’s sophisticated defensive strategies held up when blitzed by some of today’s most digital-savvy criminal actors. Here’s more background and the story of what happened.

Application Fraud & the Rise of Cyber Fraud Rings

Identity fraud is sometimes perpetrated by individuals but, more and more, it is executed by highly-coordinated, organized groups of professional criminals colluding to form a fraud ring. These bad actors may steal identities or  personally identifiable information (PII), such as a name, date-of-birth, address, or Social Security Number (SSN), and use that PII to open a new account online. This is commonly called ‘application fraud.’

It’s becoming increasingly common for cyber fraud rings to launch high-volume attack campaigns against financial institutions that have the potential for enormous losses. Here at Socure, we regularly observe fraud spikes where criminals attempt to open online accounts with the intent of defrauding companies across companies in financial services, fintechs, online gaming, and more. This fraud attack was particularly coordinated and prolific in its approach.

PII Tumbling: The Origins of the September 2021 Fraud Attack

While many people may have been enjoying a weekend respite in September 2021, a digital fraud ring started to execute a complex application fraud attack against multiple Socure customers. Incredibly, this attack accounted for nearly half of all online account opening applications for one line of business in one of the affected financial institutions. This scenario is a potential nightmare for any financial institution. Inadequate defenses can rapidly turn into millions of dollars of losses as the fraudsters establish accounts and then vanish shortly after obtaining credit products and other financial value instruments.

The fraud attack method, or “vector,” involved “PII tumbling,” which means that online applications were being submitted with a mix-and-match of various PII elements. For example, contact information in the form of an email address stayed the same, while other valid PII was rapidly changed in order to uncover a combination of elements that might ultimately be accepted. The attack used IP addresses geolocated to North America, Chile, and Nigeria.

Responding To Fraud Events and Adjusting Your Risk Posture

Luckily, a nightmare scenario was avoided in real-time. The two targeted financial institutions use Socure’s Sigma Identity Fraud solution, which instantly detected and thwarted these scaled attacks.

One of the affected Socure customers weathered the storm of fraudulent account opening attempts without modifying their risk posture. The institution continued to accept good customers flowing through their online account onboarding process, while rejecting applications from the criminal actors using PII tumbling attack methods.

The other Socure customer reached out to their Socure Technical Account Manager after seeing an unusual uptick in fraud attempts flagged by Socure ID+. They wanted to better understand the situation and get advice on adjusting their risk posture. After consulting with the Socure team, they decided to modify their settings to focus on the riskiest 3% of applicants, rather than the riskiest 1% (their previous posture). This ‘no code’ change was implemented within the hour after the customer decision, and the threshold change significantly reduced the potential fraudulent account openings coming through the door. The customer also revisited earlier data to ensure that potentially dodgy customers that might have slipped through at the original 1% threshold were subject to a manual review.

Preventing Identity Fraud: Lessons Learned

Socure Sigma Identity Fraud prevented potential losses in the tens of millions of dollars, and the affected institutions continued auto-accepting good customers while deflecting the bad. While there are many lessons in risk mitigation from this extensive attack, a few big ones jump out:

  • Consortium Data Enables Better Responses: Socure caught this application fraud because we’ve seen this before. We know a thing or three because we’ve seen a thing or three. Socure is continually receiving feedback data from our customers and is able to discern and integrate rapidly changing patterns in our models. Solutions enabling you to leverage peer or adjacent vertical patterns have an inherent advantage as new fraud crops up.
  • Optimal Risk Posture via Flexibility and Rapid Adjustment: The ability to quickly adjust to incoming attacks improves your risk posture. Adaptable solutions that adjust to changing needs can get ahead of the whack-a-mole nature of the game of fraud. The changes took effect in under an hour after one of the affected customers decided to modify their settings. That is lightspeed in the world of fraud mitigation, and that speed avoids potentially catastrophic losses without interrupting the experience for good customers.
  • Combining Adaptability and Sophistication Provides Better Results: Fraud techniques evolve rapidly. Countering them requires considering more identity elements. It requires sophistication with technology like AI/ML to analyze those data elements together. It is not just name, date-of-birth, and SSN, but also phone, device, email, IP, behavior, and more that need to be considered. Looking at a single element or a small subset of digital PII elements can result in sub-optimal or outright poor risk decisions at scale. A holistic and comprehensive view of digital identity enables you to better control risk and avoid being the next victim.

At Socure, we are proud to be helping organizations counter fraudsters and streamline their operations. Give us a shout if you want to talk about how we can help you to better solve your application fraud problem while ensuring that your good customers get auto-approved.

In late 2021, two very high-profile financial institutions were attacked by a sophisticated cyber fraud ring. Because these institutions are part of Socure’s 1,800+ customer consortium ecosystem, it was a real-time test of how well Socure’s sophisticated defensive strategies held up when blitzed by some of today’s most digital-savvy criminal actors. Here’s more background and the story of what happened.

Application Fraud & the Rise of Cyber Fraud Rings

Identity fraud is sometimes perpetrated by individuals but, more and more, it is executed by highly-coordinated, organized groups of professional criminals colluding to form a fraud ring. These bad actors may steal identities or  personally identifiable information (PII), such as a name, date-of-birth, address, or Social Security Number (SSN), and use that PII to open a new account online. This is commonly called ‘application fraud.’

It’s becoming increasingly common for cyber fraud rings to launch high-volume attack campaigns against financial institutions that have the potential for enormous losses. Here at Socure, we regularly observe fraud spikes where criminals attempt to open online accounts with the intent of defrauding companies across companies in financial services, fintechs, online gaming, and more. This fraud attack was particularly coordinated and prolific in its approach.

PII Tumbling: The Origins of the September 2021 Fraud Attack

While many people may have been enjoying a weekend respite in September 2021, a digital fraud ring started to execute a complex application fraud attack against multiple Socure customers. Incredibly, this attack accounted for nearly half of all online account opening applications for one line of business in one of the affected financial institutions. This scenario is a potential nightmare for any financial institution. Inadequate defenses can rapidly turn into millions of dollars of losses as the fraudsters establish accounts and then vanish shortly after obtaining credit products and other financial value instruments.

The fraud attack method, or “vector,” involved “PII tumbling,” which means that online applications were being submitted with a mix-and-match of various PII elements. For example, contact information in the form of an email address stayed the same, while other valid PII was rapidly changed in order to uncover a combination of elements that might ultimately be accepted. The attack used IP addresses geolocated to North America, Chile, and Nigeria.

Responding To Fraud Events and Adjusting Your Risk Posture

Luckily, a nightmare scenario was avoided in real-time. The two targeted financial institutions use Socure’s Sigma Identity Fraud solution, which instantly detected and thwarted these scaled attacks.

One of the affected Socure customers weathered the storm of fraudulent account opening attempts without modifying their risk posture. The institution continued to accept good customers flowing through their online account onboarding process, while rejecting applications from the criminal actors using PII tumbling attack methods.

The other Socure customer reached out to their Socure Technical Account Manager after seeing an unusual uptick in fraud attempts flagged by Socure ID+. They wanted to better understand the situation and get advice on adjusting their risk posture. After consulting with the Socure team, they decided to modify their settings to focus on the riskiest 3% of applicants, rather than the riskiest 1% (their previous posture). This ‘no code’ change was implemented within the hour after the customer decision, and the threshold change significantly reduced the potential fraudulent account openings coming through the door. The customer also revisited earlier data to ensure that potentially dodgy customers that might have slipped through at the original 1% threshold were subject to a manual review.

Preventing Identity Fraud: Lessons Learned

Socure Sigma Identity Fraud prevented potential losses in the tens of millions of dollars, and the affected institutions continued auto-accepting good customers while deflecting the bad. While there are many lessons in risk mitigation from this extensive attack, a few big ones jump out:

  • Consortium Data Enables Better Responses: Socure caught this application fraud because we’ve seen this before. We know a thing or three because we’ve seen a thing or three. Socure is continually receiving feedback data from our customers and is able to discern and integrate rapidly changing patterns in our models. Solutions enabling you to leverage peer or adjacent vertical patterns have an inherent advantage as new fraud crops up.
  • Optimal Risk Posture via Flexibility and Rapid Adjustment: The ability to quickly adjust to incoming attacks improves your risk posture. Adaptable solutions that adjust to changing needs can get ahead of the whack-a-mole nature of the game of fraud. The changes took effect in under an hour after one of the affected customers decided to modify their settings. That is lightspeed in the world of fraud mitigation, and that speed avoids potentially catastrophic losses without interrupting the experience for good customers.
  • Combining Adaptability and Sophistication Provides Better Results: Fraud techniques evolve rapidly. Countering them requires considering more identity elements. It requires sophistication with technology like AI/ML to analyze those data elements together. It is not just name, date-of-birth, and SSN, but also phone, device, email, IP, behavior, and more that need to be considered. Looking at a single element or a small subset of digital PII elements can result in sub-optimal or outright poor risk decisions at scale. A holistic and comprehensive view of digital identity enables you to better control risk and avoid being the next victim.

At Socure, we are proud to be helping organizations counter fraudsters and streamline their operations. Give us a shout if you want to talk about how we can help you to better solve your application fraud problem while ensuring that your good customers get auto-approved.

Todd Thiemann
Posted by

Todd Thiemann

Todd Thiemann

Todd is Senior Director for Product Marketing at Socure, where he manages marketing for Socure’s Fraud suite of offerings. Prior to Socure, Todd worked in cybersecurity and identity at companies including Arctic Wolf Networks, Nok Nok Labs, Vormetric/Thales, and Trend Micro.