Tackling Finance’s Trojan Horse: Addressing Dormant Fraud
The presumption of innocence is a pillar of our justice system. It means that anyone accused of a crime is known innocent until proven guilty, and we uphold this standard to protect individuals from being unfairly judged or punished.
In financial services, this principle can wreak havoc.
Banks, fintechs, and other financial services providers don’t allow just anyone to open a new account — there are compliance, credit risk, and fraud considerations that make some customers too risky. However, most firms also want to grow their customer base, which incentivizes them to give greater leeway to new applicants.
This dynamic has given rise to a new type of fraud risk: dormant fraud. Dormant accounts are defined as those that haven’t transacted yet. For many firms, this seems acceptable — if they haven’t transacted, how can anyone say they’re fraudulent? This unsuspecting risk is the financial sector’s Trojan Horse – seemingly harmless on the surface, but potentially destructive if left unattended.
Today’s blog will answer this question and offer insights for how to protect your institution from this novel threat.
The transaction threshold
Dormant fraud thrives when financial firms presume new customers are legitimate until proven fraudulent.
In late 2022, NeuroID worked with a customer to backtest their user base for potential signs of fraud. Upon analyzing their user base, we discovered over 100,000 dormant accounts likely to be fraudulent, none of which had completed a transaction. The customer, a merchant acquirer, hadn’t considered these accounts suspicious and therefore didn’t see any risk in letting them remain active.
Our customer considered them sufficient to check customers for basic fraud indicators at the point of onboarding, and then check their first transaction attempt for signs of fraud. But, as we discovered, these defenses still let through a lot of fraud.
How did we know these 100,000 accounts were fraudulent?
- Low familiarity – Our backtest revealed these applicants weren’t deeply familiar with the information they used to fill out their application. Behavioral flags like copying and pasting into fields or constant tab switching typically suggest that the applicant is applying with personally identifiable information (PII) which isn’t their own.
- Fraud clusters – Our backtest also revealed that many of these accounts used the same web browser during sign-up. We don’t just mean that they all used Chrome or Safari — these accounts were opened using the same device, same IP address, and same web browser, suggesting most likely one individual was applying for multiple accounts.
We even found hundreds of clusters like these, many with 50 or more accounts belonging to the same device and IP address within our customer’s user base.
So, our customer’s efforts to safely onboard and monitor users’ transactions left them vulnerable. But if these accounts have been quietly existing, what is the threat they pose?
A sleeping threat
Our customer was surprised to find so many fraudulent accounts among their user base. While we were pleased to assist in identifying and closing these accounts, our strongest recommendation was to focus on prevention going forward. This is due to the nature of the threat posed by these accounts.
Dormant accounts are useful for a number of fraudulent purposes: receiving or transferring stolen funds, misrepresenting one’s financial position, or building toward a bust-out. Like a Trojan Horse in our midst, these dormant accounts, seemingly harmless in their inactivity, can cause significant damage once mobilized for fraudulent activities.
Other financial service providers may offer credit, for instance, based on the existence of the dormant account. The more accounts an identity has in good standing — even if that identity is stolen or synthetic — the greater the chance of another institution mistaking them for a good customer and putting themselves at risk.
Even worse, some firms actually consider an account more trustworthy based on how long it has existed — even if it has yet to attempt a single transaction. This creates an incentive for fraudsters to open many, many accounts today, with the aim of exploiting them later.
NeuroID’s tools are effective in flagging low familiarity and fraud clusters. We believe that most financial institutions could uncover significant numbers of dormant, fraudulent accounts by exploring these two variables. Doing so would not only benefit the firm in question — it would protect other institutions and keep sophisticated fraudsters from carrying out large-scale bust outs.
What’s to be done?
NeuroID’s behavioral data is most potent when combined with other fraud prevention techniques. Our merchant acquirer customer, for example, is resolving their previous blind spot vis-a-vis dormant accounts with NeuroID’s help, as well as other fraud tools.
