Financial institutions continue to prioritize investment in digital banking to grow revenue and acquire new customers. The coronavirus pandemic has only accelerated that transformation, specifically around digital account opening. With access to physical branches restricted, d
While the global pandemic has presented numerous opportunities for banks to drive digital adoption, it has also had a noticeable impact on account opening fraud, accelerating trends the industry was already seeing pre-COVID. The remote environment has provided optimal conditions for cybercriminals to hide within the surge of digital account openings — and they have the data to do so with ease. In only the last few years, more than 10.5 billion accounts, mostly username and password credentials, have been exposed through mass breaches. Trace Fooshee, Senior Analyst in Aite Group’s Fraud & AML practice noted in a recent webinar with BioCatch, “It’s easier than ever to abuse identity data to commit fraud, create bogus identities and create drop accounts to move stolen money.”
Digital account opening fraud, also commonly referred to as application fraud, continues to dominate the mindshare of fraud executives as the threat they are most concerned about in relation to detecting and preventing losses. A survey conducted by Aite Group in September 2020 revealed 71% of respondents reported an increase in account opening fraud with 10% indicating it to be at a significant level. Two in three financial institutions reported an increase in account opening fraud for the purpose of creating money mule accounts.
Money Mules: The Modern Day Gold RushMoney mules have become the modern day gold rush for cybercriminals. First, the economic climate brought on by the COVID-19 pandemic has enticed cybercriminals to step up their game. Global economic relief programs, such as unemployment benefits and government stimulus checks, were ripe for fraud because of open-door policies designed to distribute money fast to businesses and consumers. In the U.S. alone, it is estimated that more than $36 billion in improper payments were made to scammers. In the UK, up to £3.5 billion of unemployment payments were the result of fraud or error.
Second, technology has made it easier than ever for criminals to open new accounts using digital banking channels and bypass traditional KYC barriers. Previously, cybercriminals would have to recruit mules, most often through romance or work-at-home scams. Fraud-as-a-service business models have also grown in fraud forums, offering cybercriminals the opportunity to “rent” mule accounts to cash out stolen money. But these days, it is possible for cybercriminals to control their own mule accounts by simply opening an account in someone else's name and withdrawing the stolen funds.
Finally, the lack of clear ownership and resources dedicated to continuous detection and monitoring for mule accounts has given cybercriminals the edge. Most financial institutions are not in the business of proactively identifying mule accounts unless it is painfully obvious. Mule detection is instead a reactive practice that only moves up the priority list when law enforcement or a regulatory agency becomes involved. Combined with a lack of industry standards or best practices, and suddenly an ideal environment is born for mule accounts to flourish.
New digital banks or newly enhanced digital channels are particularly vulnerable for account opening attacks, with fraudsters assuming these organizations don’t have the right defenses to drive attacks away. This was confirmed after one digital bank, a BioCatch client, launched an aggressive marketing campaign offering high interest rates to acquire new customers. Results from the marketing campaign produced a significant amount of new applications, but it wasn’t good news. The bank realized they were under an account opening attack where cybercriminals were using the bank to create mule accounts that could be used to cash out funds from other compromised accounts. Behavioral biometrics played a key role in putting the brakes on this massive account opening attack.
The Road Ahead: Mule Detection Becomes a Priority for Fraud Teams
- S. Department of Treasury must establish national AML priorities within six months and subsequently review whether and to what extent financial institutions have incorporated those into their risk-based programs to comply with the Bank Secrecy Act. To what extent guidelines for cyber scams will play in those priorities is to be determined, but it is likely greater attention will be paid to this subset of financial crimes following the wave of COVID fraud. The U.S. is only one example and other nations will likely follow suit.
Discover more strategies for winning the battle against account opening fraud. Get in touch today to discuss how behavioral biometrics can help drive your next-generation fraud management strategy.