Search Icon
Back to Blog

Customers become alarmed when they experience a massive and immediate rise in their new applicant decline rate caused entirely by Socure’s Sigma Identity Fraud solution. We understand the alarm. Conversion of good users is extremely important to fintech and traditional lending growth. Nevertheless, the rise in the decline rate may actually be good news.

Identity Fraud Attack

Why is this? Because a rise in decline rate can indicate that a fraud attack is being identified and stopped. During such an attack, the approval rate will indeed drop substantially. However, there is also a related increase in the application volume. While your marketing team may prefer to celebrate the quick increase, that jump is more likely tied to an escalation in fraud attempts. In these situations, the most important metrics to pay attention to are not the approval rate. The two more important metrics are:

  1. Approval volumes.
  2. Fraud score distributions.

Ideally, if your identity fraud prevention strategy is working properly during a massive fraud attack, your approval volume should remain relatively flat while your approval rate drops in relation to the increase in the percentage of riskier-leaning fraud scores (i.e., the higher the Sigma Identity fraud score, the more risky the applicant.) A worst-case scenario in these situations would be that your approval rates come down slightly, and your fraud scoring strategy does not capture the attack, especially if the attack is using new fraud behaviors or rapidly changing vectors.

Bad actors are getting increasingly sophisticated, and we have seen our customers face intense testing across their mobile, online, and even physical origination channels in attempts to thwart existing fraud protections. We’ve also seen dynamic changes daily, and even intraday, in the use of: disposable, vintage, and new emails; trusted or VOIP phone numbers; or a combination of the two. The creativity and innovation of fraudster attacks are more trailblazing than ever.

Socure’s newest V3 version of Sigma Identity Fraud was built using these new fraud behaviors. We also uniquely provide risk scores and correlation values for individual personally identifiable information (PII) elements, including email, phone, and address. Beyond giving you confidence that these elements likely belong to the applicant, these individual element RiskScores can be used to customize fraud strategies to either increase fraud capture rates (FCR) or reduce false positives. They can also be used to rapidly create controls that can be tailored to a specific fraud attack at any given time, in near-time.

Case study: Analyzing an attack

As an example, we have a customer who saw a sharp 20% drop in acceptance rates in early August. As they were very concerned with the drop-off in approvals, they asked us, “Why are we declining so many new applicants?” 

The answer was that the customer was seeing a sophisticated fraud attack happening with lightning speed. Socure discovered this by observing decision rates at the hourly level—the vast majority of declines were happening in the early morning on the East Coast (not exactly a normal application pattern. Further analysis then showed that Sigma Identity Fraud was correctly scoring these applications as risky, which stopped the fraud that would have occurred without the score in place. Specifically, for the fraud attack pattern, Sigma Identity Fraud captured over 80% of the fraudulent attempts at an acceptable false positive rate (FPR).

This fraud ring was aggressively alternating changes to email addresses and phone numbers in an attempt to break through existing defenses. For a few days, the fraud ring reused emails across applicants, and then fraudsters altered their pattern to reuse what we believe they thought were “trusted” phone numbers to break through our customer’s defenses. 

To increase FCRs and help our customer lock down their defenses further during the attack, Socure recommended decision logic that increased the FCR to 93% while adding only 1% short-term increase to the review rate. Because the attack used email addresses and phone numbers to attempt to break through existing origination fraud strategies, Socure’s Email and Phone RiskScores and Correlation values were applied in that strategy. We also took another look at applications that were previously approved during the fraud attack and returned transaction IDs for records that passed and fit the proxy fraud label, which allowed the customer to block or limit the accounts to further reduce risk.

Combatting a fraud attack: Takeaways

In this fraud ring attack, Socure’s Sigma Identity Fraud prevented potential losses in the millions of dollars. The impacted financial institution continued auto-accepting good customers while deflecting bad actors. There are always risk mitigation takeaways from a broad-scale attack like this one, but a few big lessons jump out:

Predictive analytics and machine learning (ML) techniques are effective in detecting identity fraud.

As we saw here, fraud techniques evolve rapidly. Countering them requires the ML model to be trained with more identity elements to scrutinize. Sigma Identity Fraud analyzes every dimension of consumer identity—name, email, phone, address, date of birth (DOB, Social Security number (SSN), IP, device, velocity, network, and behavioral intelligence. Looking at a single element or small subset of PII can result in sub-optimal or poor risk decisions—especially at scale. A holistic and comprehensive view of digital identity enables more predictive and accurate fraud scores.

Consortium data enables an inherent advantage when new fraud attacks appear.

Socure caught this new account fraud attack because we’ve seen the pattern before. Feedback data from our customers, operating across diverse industries and use cases and stretching back years, allows the model to discern and integrate rapidly changing patterns. Solutions enabling peer or adjacent vertical feedback data have an inherent advantage as new fraud emerges.

Optimal risk posture using flexible, rapid adjustment.

The ability to quickly adjust to incoming attacks improves any risk posture. Adaptable solutions that adjust to changing needs can get ahead of disparate point solutions in the fraud game. The changes in decision logic took effect almost immediately once the customer decided to modify their settings. That speed avoids potentially catastrophic losses without interrupting the experience for good users.

Email addresses, phone numbers, and addresses can expose the iceberg of riskiness in fraud detection.

Bad actors use compromised email, VOIP phones, and commercial addresses when conducting nefarious activities. Socure’s proprietary Email, Phone, and Address RiskScores are robust risk analysis tools that identify the riskiness of individual email, phone, and address PII elements, and correlate the likelihood that a particular element is associated with the applicant or user. Email, Phone, and Address RiskScores are included with Sigma Identity Fraud at no additional cost to customers.

Socure helps more than 1,800+ enterprise organizations counter fraudsters and streamline their operations. Contact us to talk about how we can help solve your onboarding fraud issues while auto-approving more good customers.

Mike Cook
Posted by

Mike Cook

Mike Cook

Mike Cook is VP of Fraud Solutions Commercialization at Socure and works alongside Data Science, Product, Sales and the Fraud Investigation team to help ensure solution optimization across all the markets Socure serves. Mike has been an innovator in fraud, identity, and credit risk for almost 35 years and has created several patents for identity risk technologies.