Banks detect, and fail to detect, millions of new-account identity fraud cases every year. At the same time, state and federal criminal prosecutions of such cases are rare. A lack of law enforcement resources and lack of reported bank data for new-account identity fraud make it difficult to effectively deter this multi-billion-dollar crime that harms consumers, businesses and the economy.
In order to open new checking accounts, and obtain new loans and credit cards, people must prove their identity. They do so by submitting a valid, government-issued photo identification document (state driver’s license, state ID card or passport), and basic “personally identifiable information” (PII), including their name, birthdate, social security number, residential address and telephone number.
Criminals also open new financial accounts, but do so by submitting counterfeit government photo IDs and stolen PII. Criminals can easily purchase cheap stolen PII and counterfeit identity documents available on the Internet.
The never-ending scourge of corporate data breaches are the primary source of stolen PII, which is subsequently posted for sale on the Internet. According to the non-profit Identity Theft Resource Center (ITRC), there were 1,291 publicly reported data breaches from January through September 2021, exceeding last year’s total of 1,108 data breaches.
How do criminals use fraudulently-opened accounts? The federal criminal case of U.S. v. Octavio Andres Difo-Castro et. al, illustrates a common scenario. Using stolen PII of multiple victims purchased from the Darknet, the lead defendant created counterfeit driver’s licenses and other documents that he supplied to his co-conspirators to carry out several fraudulent schemes.
In one of the fraudulent schemes, the co-conspirators used the victims’ stolen identities and counterfeit identity documents to file fraudulent applications with multiple financial institutions to open checking and savings accounts. These fraudulent new accounts were used by the co-conspirators to deposit and withdraw fraudulently-obtained funds. Posing as buyers and sellers of used cars, the co-conspirators used these bank accounts to fraudulently obtain used-car loans and transferred the loan proceeds to other co-conspirators.
Another illustrative case is U.S. v Aceituno, et. al, where the defendants used the stolen identities to open bank accounts at regional banks and a top-five big bank. The accounts were then used by the co-conspirators to deposit stolen checks and money orders, and thereafter withdraw cash from the accounts through debit card purchases, ATM withdrawals, postal money orders and cashier’s checks.
As a federal prosecutor, I prosecuted several cases involving new account identity fraud. In one case, the defendant posed as a debt collector and fraudulently used his access to a commercial data broker’s database to collect personally identifiable information for identity fraud. The defendant’s identity fraud scheme involved driving around town to collect home addresses of his targeted victims, downloading the victim homeowners’ PII from the data broker and using the stolen PII to file fraudulent online credit card applications. The new credit card applications contained the victims’ stolen PII and the defendant’s “burner phone” number and disposable email address to receive notice when the credit cards mailed. Based on the victim homeowners’ credit history, the defrauded lender issued credit cards with credit lines up to $3,000 and mailed them to the victims’ home addresses. Once notified that the credit cards had been approved and mailed, the defendant drove to the victims’ homes to retrieve the credit cards from the victims’ mailbox. He immediately used the credit cards for purchases and cash withdrawals before the credit card bills were mailed to the victims. The victim homeowners did not discover that they had become identity fraud victims until they received the credit card bill 30 days later.
Another case I prosecuted involved a defendant who used stolen social security numbers of children, in combination with real and fake identity data to create “synthetic identities” of fictional people. The defendant completed hundreds of online credit card applications with a top-15 big bank and received hundreds of $300-$500 credit accounts. The card-issuing bank’s fraud detection system did not detect this fraudulent scheme because all the applications contained different mailing addresses. Unknown to the bank, the defendant used the U.S. Postal Service’s online mail-forwarding services to redirect the mailed credit cards to the defendant’s home.
These cases demonstrate only a few of the millions of new-account identity fraud schemes. In order to effectively deter this crime, banks must to a better job of accounting. First, banks need to identity all instances of new-account identity fraud, and not misclassify new-account identity fraud as consumer bad debt. Second, banks should collect and share data about new-account identity fraud with their peers and government agencies, along with the effectiveness of various technology solutions. Finally, all the players in the financial services industry - financial institutions, lenders, payment companies, credit reporting agencies - must work together to better protect the financial identity of people.
About Tom O’Malley
Tom O’Mallley is a former federal prosecutor who specialized in computer hacking and identity fraud cases, and a data breach victim. He retired from a 37-year career as a prosecutor to help people protect themselves from becoming identity fraud victims following data breaches.
About Frozen Pii
Frozen Pii, LLC, operates a public service website, FrozenPii.com, dedicated to making identity protection free and easy for consumers. Frozen Pii contains information and verified links to help people protect their credit reports, federal government identity, and personal data files from criminals.