Account Takeover: Just a Phone Call Away

By Adam Elliott

This insidious fraud is on the rise, but some due diligence in checking phone-number changes can do much to combat it, says Adam Elliott.

A bank customer using an online banking portal requests a large wire transfer. The bank is suspicious, so it contacts the customer using the preferred phone number in the customer profile. Confident that the customer has authorized the transaction, the wire transfer is approved and the criminal is laughing all the way away from the bank.

This may sound like a plotline from a Holly?wood heist film, but it’s happening today to thousands of unsuspecting banking customers. In recent years, criminals have figured out new ways to impersonate their victims to perpetrate account-takeover fraud.

While address change is still a favorite among fraudsters, changes to a customer’s phone number have become another leading indicator of account-takeover fraud. Several financial institutions report that account-takeover losses associated with fraudulent phone numbers have become a real pain in the P&L and can dwarf the losses associated with fraudulent address changes.

Using an abundance of hacked personal data available on the black market, criminals pose as legitimate account holders and change the customer’s contact information, ensuring that fraud alerts and other bank communications are sent unwittingly to the perpetrator, paving the way for complete control over the account before the victim even knows it is happening.

Bypassing Controls

Fraudsters have wised up to the fact that when large money transfers or other out-of-pattern account activity takes place, financial institutions are much more likely to place an outbound call or text to their customer to confirm the legitimacy of the requested account action. To bypass these controls, criminals understand that they must first change the phone number on the account from that of the real customer to a number they themselves control. Then, when the financial institution calls or texts its “customer,” it is actually just confirming the transaction with the fraudster.

Banks are beginning to recognize this new account-takeover scheme and are scrutinizing customer phone-number changes to detect suspicious transactions. Our company has analyzed tens of thousands of phone-number changes in the financial-services space, including changes that were legitimate and those that ended up being fraudulent. There were some very discernible trends we uncovered when comparing the good with the bad. Below are the highlights from our research:

– Geographic distance between phone numbers. The greater the distance between the new phone number and the old phone number, the larger the risk. For example, a change from Boise to a new phone number in Atlanta is a much higher risk than a change from Boise to Idaho Falls.

– Geographic distance between address and phone number. Likewise, the distance between the new phone number and the current address of record is indicative of risk. If the customer lives in Dallas but changes the phone number to a new one in Chicago, this is a higher risk.

– Change in carrier type. While cord-cutting is still going on as consumers continue to abandon landlines in favor of mobile devices, we still observe that any change to the carrier type is indicative of risk. Example: Changing from a landline to wireless, or wireless to landline, is a higher risk than going from a wireless number to another wireless number.

– Carrier type. While a change in carrier type is a higher risk, certain carrier types standing alone are indicative of fraud. Prepaid phone numbers and VoIP (Voice over Internet Protocol) lines are much riskier than landlines or postpaid mobile phones.

– Urban versus rural. We observed some very interesting patterns when looking at the overall demographics associated with the geographic location of the phones. For example, changing the phone number from a rural location to a number tied to an urban center is a higher risk than a change from rural-to-rural or urban-to-urban.

– NPA NXX (Area Code/Exchange). A basic validation check of the area code and exchange confirms that the phone number has been issued. Additionally, this check allows us to see if the phone number is in the United States. A new phone number, such as 671-435-XXXX, looks legitimate, but the NPA NXX check reveals that the phone number is actually from Guam.

– Ported. Local number portability is a government mandate that requires wireless and landline service providers to allow customers to retain their phone numbers when changing service providers. New phone numbers that have been recently ported are a higher risk than those that have not been ported or were ported a long time ago.

– Business phone numbers. A change from a residential phone number to a business number can be high-risk. The type of business can also be indicative of further risk. For example, a phone number that belongs to a check-cashing store is worth further investigation.

– Phone number verification. When the customer name can be associated with the phone number through an independent verification source, the risk of fraud is greatly reduced. Example: When an independent source indicates that “John Smith” is already associated with 612-668-XXXX then the risk of account takeover fraud is very low.

Critical Channel

These are just some of the individual characteristics and peculiarities of phone-number changes that are indicative of suspicious activity. When these individual attributes are combined in a predictive model, the results are powerful and can alert banks to potential account-takeover schemes in their midst.

The mobile phone is a critical channel for bank customers and financial institutions that rely on mobile banking, online account opening, and mobile-wallet applications for convenience. Having controls in place to ensure that the phone number in the customer profile actually belongs to that customer is critical for reducing fraud risk.

—Adam Elliott is cofounder and president of ID Insight Inc., Minneapolis.