With new vaccines helping stoke confidence in a post-COVID summer, if not spring, what has the pandemic – and the work-from-anywhere movement it accelerated – revealed about the security of our increasingly digital world?
We caught up with Christina Luttrell, who took over the top spot as CEO of IDology last fall, to discuss the company’s latest look into the state of cyberfraud today. A Finovate alum since 2021, the Atlanta, Georgia-based identity verification provider published its report: The COVID-19 Effect on Identity, Fraud and Customer Onboarding earlier this year. Below, Ms. Luttrell shares some of its findings.
What is the biggest takeaway from your report on fraud?
Christina Luttrell: As COVID-19 drove 84 million Americans online for services that were previously carried out in person, businesses faced an influx of new customers to onboard. In response, many appeared to loosen fraud controls in an effort to reduce friction and simplify onboarding, particularly for digital “newbies.”
With this loosening, combined with COVID-19 factors such as dispersed fraud teams, remote work, stimulus checks, and sophisticated phishing and synthetic identity fraud (SIF) schemes, it’s easy to understand why fraud attempts surged to a four-year high. Also not surprising is the emergence of mobile as the most targeted channel, evidenced by an astounding 89% increase in fraud attempts likely due to an increased reliance on mobile devices during the pandemic.
In the report each year, we’ve seen businesses struggle with the challenge of balancing fraud with customer friction. Businesses drive revenue by greenlighting customers, which includes removing barriers and minimizing effort during the onboarding process to avoid unnecessary “friction.” Yet they must do so while deterring fraud. This challenge is exacerbated by current events and the state of fraud and, as a result, verification of identities was cited as the top challenge to fraud deterrence among businesses. Many have come to the conclusion that, at its core, fraud is an identity problem and 86% firmly view digital identity verification is a strategic differentiator across all industries.
When it comes to the future, 79% of businesses expect fraud to increase in 2021. With the COVID-induced shift to digital, fresh collection of more Personally Identifiable Information (PII) from 2020 and potential economic conditions, this is likely to be a “bust out” year for fraud.
How quickly have fraudsters followed the migration to digital channels during the COVID-19 crisis?
Luttrell: From our study, The COVID-19 Effect on Identity, Fraud and Customer Onboarding, we know that between March and July of 2020, 37% of Americans online activated an online service that was done offline prior and 46% said they have used their smartphone more often to sign up or apply for a new service. As a result, one-third of businesses experienced a customer shift of 50% or more to digital channels. In 2020, the number of new accounts opened with a mobile phone increased 43%. Fraudsters tend to follow the masses and the money and, in 2020, as those consumers went digital, criminals were quick to follow, employing rapidly shifting tactics, which was reported as a top challenge to fraud deterrence for 40% of businesses.
Mobile fraud attempts surged 89% in 2020 with increases across all fraud types, from spoofing and cloning to porting. With more consumers relying on digital information sources and businesses sending a higher number of customer communications, 56% of businesses reported phishing attacks as one of the most prevalent forms of fraud in their industries.
The pandemic provided a prime opportunity for fraudsters to take advantage of distracted Americans, the increase in digital communication between businesses and consumers and government relief efforts. Our research shows that 84 million Americans reported experiencing a phishing attack attempt in the months following the pandemic’s start, with an average of four attempts per person between March and June.
How have cybersecurity professionals effectively responded to this shift?
Luttrell: It appears cybersecurity professionals responded rapidly to this shift as best they could, but COVID-related disruption and distraction, such as remote working and government relief checks, put a wrinkle in plans and added a new layer of complexity to fraud detection and the consumer experience. Fraud is an identity problem, making identity verification the essential “digital handshake” and element of establishing trust. We expect to see more companies rely on the orchestration of blanketed layers of identity attributes, artificial intelligence, and integrated verification methods to remove friction and deter fraud.
Successfully onboarding new customers and building long-term loyalty in today’s rapidly shifting fraud landscape will require businesses to act quickly. On the back end, they will need to understand how identity verification attributes are performing so they can make adjustments to attributes that pinpoint fraud on an extremely granular scale while streamlining the verification process for real customers.
What kinds of fraud are increasingly prevalent – especially compared to the pre-COVID-19 period?
Luttrell: Aside from COVID-related fraud, such as vaccination schemes, the fundamental methods of remain relatively unchanged. Instead, the shift has occurred in the sophistication and amount of fraud which, as I mentioned, is rising across the board compared to pre-COVID numbers.
Credit, debit, and prepaid fraud were reported as the most prevalent by 63% of businesses, followed by phishing, account takeover, ACH/wire and first-person fraud. ACH/wire fraud spiked by 15% – presumably because of rising P2P usage due to social distancing and first-party, specifically “friendly or know fraud,” increased 28%. This may be attributable to chargeback fraud schemes as many Americans were unemployed, underemployed or suffering in shape or form financially, thereby increasing their pressure and rationalization of committing fraud.
Your report mentions the issue of synthetic fraud in the PPP lending program as specific challenge. Can you elaborate on this problem and what should be done?
Luttrell: A range of fraud schemes were used to exploit PPP in 2020, one of the most concerning being synthetic identity fraud (SIF). According to McKinsey, this is the fastest growing type of financial crime in the U.S. A recent report by Aite Group revealed that among 47 financial institutions surveyed, 25% experienced an increase of 10% or more since the start of the pandemic. Our own research also underscores the SIF problem, which hit an all-time high, with a 43% increase in SIF reported by respondents to the IDology Fraud Report.
SIF continues to trouble businesses, especially given the challenges associated with decentralized fraud teams working from home and the need to interpret and apply once-in-a-lifetime changes in consumer behavior and the swings and noise they create. There are also the problems created by the never-ending stream of data breaches, and the use of personally identifiable information gathered from phishing attempts and other scams that continue to thrive in the COVID era.
To quickly issue PPP loans and prevent fraud, lenders should reconsider the importance of Know Your Customer (KYC) measures. Placing a focus on strong KYC is not only best business practice, it also will help lenders prevent fraud and maintain integrity. To easily and securely ensure a borrower is who they claim to be and provide a smooth experience while battling fraud, such as SIF, the identity verification process supporting KYC should include multiple layers, control of the entire identity verification process and the flexibility to make and automatically deploy configuration changes and machine complimented with human intelligence.
How would you characterize the business world’s response to these new threats, especially in financial services?
Luttrell: The business world, as a whole, responded admirably. Consider the massive logistical shifts that needed to happen in months, if not weeks, from the mass migration of working from home to customer engagement and the shift toward digital. On a human scale, it’s a breathless achievement. Eighty-seven percent of businesses feel their organization is equipped to some degree to make the necessary changes to stay ahead of rapid digitization and COVID-19 fraud trends, indicating they recognize and perhaps, have a higher than expected sense of confidence.
Although two-thirds of Americans feel companies could be doing more to protect their identities, confidence in organizations being able to protect their data actually increased in comparison to pre-COVID-19 levels. Our data shows that financial services organizations are stepping up, forecasting larger anti-fraud investments and budgets for 2021, and leaning into a multi-layered approach to identity proofing as well as using diverse sources and types of data. Eighty percent of financial institutions expect to increase budgets on fraud deterrence in 2021, with 45% saying significantly, more so than any other industry. Though the investment varies by sub-sectors such as fintech, lenders and prepaid, prepaid firms appear to be most aggressive.
How do you think the post-COVID cybersecurity landscape will differ from the pre-COVID cybersecurity landscape?
Luttrell: The cat and mouse saga continues and the chase maze has become significantly more complicated. The lesson for many, in hindsight, is that strong, thoughtful and comprehensive digital identity verification is mission-critical. The digital handshake is essential in establishing trust.
Fraud knows no borders and the world is small and inter-related, as is identity verification. Address verification as part of identities is not only critical for accurate verification, but also for the delivery of essential items and resources. Americans have migrated much of their lives to digital, forever.
Identity collaboration between businesses and with customers will be more sought after, and technology, such as artificial intelligence, will need to be supplemented with high-touch layers of human intuition, proactive detection, fraud expertise, and consortium intelligence from other organizations. This is especially important as COVID introduces novel fraud schemes that can fool pre-COVID identity proofing methodologies. As was the case with major events in the past, the outcomes and unintended consequences of the pandemic are unknown but we know that fraudsters are harvesting data, scheming, probing new defenses, partnering with nation states and utilizing artificial intelligence to scale fraud on a global basis.