Battling Fraud in Online Loan Applications

Posted June 15, 2017

Battling Fraud in Online Loan Applications

With so many online lending choices available, customers often submit applications with multiple lenders, then sit back and wait for the first lender to say “yes”. However, many of these online loan applications are submitted by fraudsters using stolen names, addresses, social security numbers, bank account numbers and more obtained from the dark web.

This confluence of speed and risk creates enormous pressure on both traditional and alternative lenders to more accurately detect fraud while not making the loan application process harder for legitimate customers.

Beg, Borrow or Steal?

From 2010 through 2016, cybercriminals have made off with at least $3.5 billion through loan fraud for everything from mortgages to payday loans using stolen identities, according to Javelin Research.

The scary part is that the actual figures may go much higher. A ThreatMetrix report found that there were at least 1 million cyberattacks targeting online lending transactions in 2016, with an estimated value of $10 billion.

Why the disparity? One reason is that loan fraud can go undetected for long periods of time if consumers don’t realize their personal information has been misappropriated.

In addition, cyber-thieves are finding ever-faster ways to commit their crimes.

One common scheme we are hearing a lot about is loan stacking, where fraudsters capitalize on the time delays inherent in reporting loan agreements to credit bureaus. Leveraging stolen identity credentials and device spoofing techniques, these thieves can bypass even complex application procedures to take out numerous sham loans at one time — before credit files are updated to reflect increased debt loads.

Financial institutions that we talk to also share stories of how cyber-crooks are finding success creating “synthetic” identities. They use a jigsaw puzzle of stolen data to build fictional identities that are virtually indistinguishable from the real thing. Other fraudsters are piecing together real or synthetic identities and sitting on them, allowing them to season for months or even years before using them to commit fraud.

Fresh Targets

With traditional institutions starting to catch on, reject rates on transactions can run as high as 40 percent. This makes alternative lenders especially tempting targets for fraudsters looking to make a quick buck on a P2P loan.

The number of attacks specifically targeting alternative lending increased by 150 percent quarter over quarter last year—and could get worse as cybercriminals step up automated bot attacks, especially within account application processes.

Banks should avoid becoming complacent, however. There were more than 80 million attacks using stolen or fraudulent identity information on the financial services sector as a whole last year.

And according to our 2017 Q1 Cybercrime Report, more than 3 percent of all account creations and nearly 1 percent of all account logins are now fraudulent.

“There are staggering amounts of data available about people that enables me to impersonate them for the purpose of fraudulent applications,” says Richard Parry, principal at consulting firm Parry Advisory. “Fraudulent applications will go up until the financial services industry comes up with better ways [to verify identity].”

Fortunately, we are seeing signs the industry is doing exactly that.

Operation: Payback  

To counter loan fraud in all its forms, a growing number of institutions are gravitating toward digital identity-based authentication solutions.

Instead of verifying identity based exclusively on static information, such as personal information or login credentials, financial institutions are using solutions that analyze the ever-changing associations between individuals and their devices, locations, accounts, behaviors and hundreds of other dynamic data points that can’t be replicated or faked.

Leveraging behavioral analytics and advanced machine learning, these systems compare seemingly disconnected data elements with device profiling information and global, crowd-sourced threat intelligence spanning millions of daily transactions. The result is that fraudsters are identified and blocked instantly, without creating any friction that could turn off legitimate applicants and customers.

In fact, with these solutions, organizations don’t need to know your name to know who you are. By understanding who this person is holistically, how they are behaving, and how they are interacting with your institution, you have a far better way of authenticating this person and deciding whether or not to trust him or her.

When I talk to people about digital identities, I tell them that I don’t need to know your name to know who you are. If I can understand who you are holistically, how you’re behaving, and how you’re interacting with me, I’ve got a far better way of authenticating you and deciding whether to trust you or not.

That’s how digital identities work. And, institutions that have deployed these technologies report encouraging results.

One major international bank — one of our customers who has taken digital transformation to the next level — claims it has been able to dramatically reduce fraud rates, even while cutting customer friction by 65 percent. Another of our customers — a global P2P lender frequently hit by cybercriminals armed with stolen identity data — says these technologies have been instrumental in detecting and denying fraudulent applications.

These early successes are giving financial services organizations hope that they finally have the weapon they need to win the battle against cybercrime.

To hear more of my thoughts on this topic, listen to this Lend Academy Podcast.

Frank Teruel

Frank Teruel

Chief Financial Officer, ThreatMetrix

close btn