Fraudsters are good at adapting. When banks started calling or texting their customers to verify the legitimacy of out-of-pattern account activity, like big money transfers, fraudsters quickly found ways to hijack telephone communication.
Using the abundance of breached personal data available on the black market, a fraudster posing as the account holder contacts the bank to request a change in the account’s phone number of record. By processing the change, the bank unwittingly disintermediates the true account holder from their account.
Fortunately, banks and credit unions have been strengthening their fraud systems to reduce losses from bogus phone number changes. They are using predictive models to assess hundreds of variables and score the riskiness of the phone number change (or address or email change) so investigators can follow up as needed.
Without the data and matching algorithms in these predictive models, banks have no way of knowing that a risky phone pattern lurks beneath the surface.
Risky phone patterns
To keep banks on the front line of identity fraud protection, Kevari (formerly ID Insight) expanded its Fraud Intelligence Platform in 2017 to include phone number screening. This involved analyzing years of phone number changes in the financial services space.
As you’ll see below, the data revealed patterns that make intuitive sense. When used in combination with other identity-related data points, they help to form patterns that become actionable for fraud investigators.
Area code distance. The greater the distance between the area code of the new phone number and the area code of the old phone number, the greater the risk.
Geographic distance. Risk increases as distance between the new area code and the customer’s current mailing address increases.
Phone Service Type change. Switching from landline to wireless number, or wireless to landline, often indicates a higher risk of fraud than going from wireless to wireless.
Carrier type. Certain types of carriers, such as prepaid phone numbers and voice-over-IP (VOIP) lines are much riskier than landlines or post-paid mobile phones.
Urban versus rural. A change in phone number from a rural location to one that’s tied to an urban center indicates a higher risk than a rural-to-rural or an urban-to-urban change.
Area code/Exchange. A basic validation of the area code and exchange confirms that the phone number has been issued to a U.S. customer.
Local number portability. New phone numbers that have been recently ported to a new service provider require a higher level of scrutiny.
Business phone numbers. A change from a residential phone number to a business one (i.e. check-cashing outlet) is highly indicative of fraud.
Beyond the phone data
Let’s suppose an account holder changed from a Verizon contract to a burner phone with a new phone number. This is a head-scratcher but is not in itself enough to flag the change as risky.
For this reason, it’s critical to combine the phone insight with other datasets. By bouncing the phone number change information against other identity-related data, you can see if there are other out-of-pattern behaviors that would drive the risk level higher.
For example, what you might see is that someone – probably not the legitimate customer – logged into online banking and changed the account’s email address on Monday, changed the physical address on Tuesday, and changed the phone number on Wednesday. We have seen this phenomenon repeatedly in our data.
Sometimes, the fraudster has used breached data to access the customer’s online banking to make the profile changes. Other times, in the case where the customer isn’t using online banking, the fraudster first sets up online banking without the customer’s knowledge and then makes the changes.
By whatever means, having successfully made these profile changes, the fraudster solidifies control of the legitimate customer’s communication channels and uses a digital payment method to make a large withdrawal.
This high-dollar transaction will likely be flagged as suspicious by the bank’s fraud mitigation rules. However, when the institution emails or calls to verify the legitimacy of the transaction, they don’t reach the real customer. Instead they reach the fraudster on the newly changed phone number or email. And the fraudster responds, “Of course I meant to transfer that $40,000!”
Phone number verification
The financial services industry, as well as government and law enforcement entities are all aware of the role of phone number (and email) changes in completing the fraud cycle. However, there are varying points of view about what to do.
A few months ago, 31 state Attorneys General recommended that the Federal Trade Commission (FTC) make updates to the Identity Theft Rules to keep them relevant as technology evolves. They specifically addressed the role of phone number changes in account takeover.
In contrast, the ABA told the FTC that the current rules are “sufficiently flexible to accommodate these changing theft patterns, strategies and innovations in technology and that changes to the rules are not needed at this time.”
Whether the FTC alters its rules or not, it is good to see banks taking their own initiative to holistically monitor changes to customer communication channels to gain actionable insight. When phone numbers, physical addresses, email and IP addresses can be associated with other data through an independent verification source, banks significantly reduce the risk of fraud.