Can’t hide their habits: Preventing Account Takeover and Synthetic Identity theft by analysing fraudster behaviour

1. Generative AI is breathing new life into two more traditional types of fraud: Synthetic Identity Theft and Account Takeovers.
2. These fraud types can be difficult to identify in real-time. Behaviour analysis, which includes looking at key metrics related to historical bank account activity and transactions, can help signal fraudulent activity while it’s happening.

As AI continues its relentless advance, fraudsters are deploying ever-more sophisticated tactics to fleece individuals and businesses of significant sums of money. Developments in generating deepfake ID documents, voice prints, and even selfies, are catching all types of businesses off guard, including the largest financial institutions.

Two traditional fraud tactics have benefitted from the rapid advances in technology and, as a result, present an even greater threat to businesses and consumers: Synthetic Identities and Account Takeover.

Synthetic Identities (IDs) are created using a mix of real and fabricated personal information and are used by fraudsters to establish bank accounts. Fraudsters hide from financial institutions by processing small, occasional payments to make their accounts look legitimate. Synthetically created accounts are then used to receive and hide funds from many types of scams, including Authorised Push Payment (APP) and Business Email Compromise (BEC).

Account Takeovers (ATOs) occur where the login details to a bank account are compromised and a fraudster assumes ownership of the account. These can be difficult to detect for a variety of reasons:

• Businesses want to avoid creating friction for their users
• Credentials and passwords can be compromised in many ways (brute force attacks, credential stuffing, phishing and more)
• GenAI is becoming increasingly effective at defeating biometrics, such as facial and voice recognition

Beyond having access to a customer’s fund balance, the fraudster can attempt to buy products with the hijacked account, and/or seek refunds, chargebacks, or other payouts illicitly.

Account Takeovers and other fraud types, such as APP and BEC using Synthetic IDs, can financially ruin individuals and businesses before they notice a single dollar missing.

Businesses whose customers are victims of Account Takeover attacks or other similar attacks become responsible for costs of remediation (e.g. refunds) and take a reputational hit, losing revenue from current and potential customers. Additionally, by the time a fraudulent account has been detected and shut down by a financial institution, the fraudster will have moved their illicit gains to Synthetic ID-created accounts or other hidden assets, preventing victims, financial institutions and law enforcement from clawing them back.

Synthetic IDs are designed to look and act like a legitimate person or entity. Account Takeover fraud stems from legitimate accounts being used for illegitimate reasons. Running a bank account verification in isolation can help, but it won’t detect a Synthetic ID created in the same name as your payee, or an Account Takeover.

However, one thing a fraudster can’t hide is their behaviour. Fraudsters who have taken over an account or ‘activated’ their Synthetic IDs will move fast to generate as much cash as possible before their financial institution detects their activities.

As an example, a fraudster who has created a bank account with a Synthetic ID may start applying for credit, buy-now-pay-later accounts, or loans with the intention of never repaying any money. They may create dozens of eCommerce accounts with the intention of buying goods with those illicit accounts, to keep or resell goods they haven’t originally paid for. They may use their accounts as part of a BEC scam and direct businesses to pay money to them for work they haven’t done. They may even be able to claim insurance or unemployment benefits.

This is where a consortium-style approach to fraud detection is hugely beneficial. When new payment or payee details are collected and verified, there is the potential to identify risky behaviour across participating businesses quickly, minimizing losses and stopping fraud in its tracks.

The ‘activation’ can be detected by analysing:

• Recency: inquiries for a bank account made in the short, medium and longer term;
• Popularity: number of participating businesses that have seen a bank account; and,
• Velocity: total number of enquires made in short, medium and longer term.

In the aforementioned case, where a fraudster starts multiple credit, buy-now-pay-later or loan applications, or creates eCommerce accounts, their fraud attempts will detectable by reviewing recency, popularity and velocity behaviours of their bank account across participating businesses.

The reality is that bad actors, given enough time and effort, can overcome almost every type of individual security product or services available. This threat is amplified in the era of Generative AI.

However, criminals tend to go for the lowest-hanging fruit. If you add enough layers of fraud and security defenses, it will eventually take too much time, effort and expense for a fraudster push through, and they will move on to another opportunity.

Increasingly, a holistic, “always on” approach to fraud prevention, spanning the full customer life cycle, is recommended. This is based on consistent and continuous risk monitoring and rests on three pillars:

1. Trust the identity of the client, via data-based verification to supplement document verification and biometrics;
2. Trust the accounts, via bank account verification and account ownership verification; and,
3. Trust the interaction, via account behaviour analysis collected across a consortium and other ID signals, to detect anomalous behaviour.

Behaviour analysis, used in conjunction with robust identity proofing and payments verification, can help strengthen the arsenal organisations need to effectively counter fraud.