Hanging Up on Phone-Change Fraud

Fraudsters are meticulous creatures, adept at adapting their methods to skirt common defenses. These pragmatic criminals do what’s easiest and most effective; they do the bare minimum of work for the highest reward. Nowhere is this more apparent than in the financial services industry, where technology placed in the wrong hands has opened the flood gates to more and more identity fraud.

Once community banks and credit unions started calling and texting their account holders to verify out-of-pattern transactions, fraudsters quickly found ways to hijack the telephone communications channel. Using an abundance of breached personal data – easily available on the dark web – fraudsters are now impersonating account holders and requesting changes to the customer or member profile: Notably, the all-important phone number.

When financial institutions unwittingly process these changes, communications through the phone channel between institutions and their true account holders are severed and intercepted. Fortunately, banks and credit unions have been shoring up their defenses to reduce losses from fraudulent phone number changes. But they need to remain one step ahead of emerging schemes.

Understanding Risky Phone Changes

ID Insight conducted analytical research of thousands of phone number change requests that were sent to its financial institution clients. The data analysis revealed interesting patterns that – when taken together – often point directly to identity fraud:

Area code distance: The greater the distance between the area code of the new phone number and the area code of the old phone number, the greater the risk.

Geographic distance: Risk increases as distance between the new area code and the consumer’s current mailing address increases.

Phone service type change: Switching from a landline to a wireless number, or wireless to landline, often indicates a higher risk of fraud than going from wireless to wireless.

Carrier type: Certain types of carriers, such as prepaid phone numbers and voice-over-IP lines are much riskier than landlines or post-paid mobile phones.

Urban versus rural: A change in phone number from a rural location to one that’s tied to an urban center indicates a higher risk than a rural-to-rural or an urban-to-urban change.

Area code/exchange: A basic validation of the area code and exchange confirms that the phone number has been issued to a U.S. customer.

Local number portability: New phone numbers that have been recently ported to a new service provider require a higher level of scrutiny.

Business phone numbers: A change from a residential phone number to a business one (i.e. check-cashing outlet) is highly indicative of fraud.

These are just some of the individual characteristics and peculiarities of phone number changes that are indicative of suspicious activity. Combining the relevant data sets is necessary to uncover patterns that are indicative of fraud – sources such as phone number portability databases, public phone directories, registration lists, known suspicious phone numbers and more.

When these individual attributes are combined together in a predictive model, the results are powerful. Because without the data, matching algorithms and these predictive models – as well as the ability to use all of this information together – financial institutions have no way of seeing the risky fraud patterns lurking beneath the surface of seemingly-innocent account changes.

Prioritizing Phone Number Screening

The financial services industry is already aware of the role of personal information changes – specifically those involving phone numbers – in completing the fraud cycle. However, there are varying opinions about how to remedy the situation.

With phone fraud in particular, the need for new verification methods is especially urgent. There are clear compliance requirements in place for banks and credit unions governing address changes, yet the rules are less clear as to how banks should screen phone number changes. Now that more consumers (and criminals) use online banking, fraud has evolved to the point where a cash-out doesn’t always require a physical address change. As a result, retail banks should apply the same rigor to phone-change screening as they do to addresses.

As with other forms of fraud, only a small percentage of consumer-initiated phone changes are fraudulent. But by scrutinizing these changes using data-driven analytics, financial institutions can “hang up” on most forms of phone-based fraud more efficiently than ever before. It’s worth the effort to preserve customer or member trust, reduce fraud losses and ensure compliance with industry standards. Data scientists have made it easier than ever for financial institutions to harness the power of consortium data – they simply need to take advantage of the work that has already been done.

Jack Sundstrom is chief product and marketing officer for ID Insight. He can be reached at 877-749-8731 or jack.sundstrom@idinsight.com.