Identity theft vs identity fraud

Identity theft and identity fraud, it’s easy to get mixed up between the two. Theft and fraud often go hand in hand, which can make the distinction between identity theft and identity fraud just that little bit harder to understand. Despite their differences, both are signs of serious data breaches, either of an individual’s device or account, or the result of a major hack of an eCommerce merchants or financial institutions’s customer databases. Let’s take an in-depth look at identity theft vs identity fraud, and importantly, how to spot the warning signs and prevent these types of fraud with advanced behavioral biometric technology. Failure to act can lead to huge financial losses.

Put simply, identity theft (ID Theft) is the act of stealing a person's personal data in order to then use it for creating online accounts, applying for loans and credit etc. Fraudsters commit identity theft in order to gain popular stolen details that can include a social security number, credit card number, and scans of documents (passports etc.) that can be found on people’s computers or mobile devices. It’s not difficult to become a victim of identity theft, and the worrying thing is, most identity theft occurs with the unwilling support of victims who fall for social engineering scams (phishing emails, SMiShing, vishing etc.). Have you ever received a convincing email purporting to be from your bank, requesting that you click on a link? That’s just one of the simple ways identity thieves make you download malicious software. Sometimes identity theft can be completely out of an individual’s control. A serious data breach in a company holding your personal information can occur, with details potentially being sold online in darknet marketplaces. Although each individual identity may only cost a few dollars to buy, identity thieves may obtain thousands of identities which can lead to a large profit from those seeking to use a new identity to commit fraud.

A victim of identity theft may be completely unaware that they are indeed a victim, finding out only at the point when their banks, credit card companies, eCommerce merchants or even law enforcement informs them. Individuals may notice something is untoward by looking at their bank account transaction history, but even by this stage, financial losses may be huge. It is therefore essential for eCommerce and bank customers to regularly check their online accounts and statements to ensure any suspicious transactions are spotted early. The sooner fraud is spotted, the sooner actions can be taken to prevent further damage and gain a negative credit report.

Identity fraud occurs when a fraudster gains access to your personal information or accounts in order to commit online payment fraud and make fraudulent financial transactions in your name for their own personal gain. Again, using social engineering scams, a fraudster can essentially trick you into unwillingly giving away access to your online accounts. An account takeover (ATO) can be committed directly by a fraudster in order to use it personally to buy high-value goods on eCommerce services, to make large financial transfers or even buy cryptocurrencies (more on those later).

Why is identity fraud so popular? Well, once a fraudster has access to your account information, they can also use the details to create more accounts on other online services to commit further fraud. If they are detected on one eCommerce service, they can just move to another one, trying their best not to be detected before they commit a successful fraudulent transaction.

Why won’t fraudsters just make fake accounts using made-up details? This is seen as a rookie move as it can result in early detection by anti-fraud systems. It is not impossible to succeed, but certainly more difficult to fool anti-fraud using random names and email addresses, especially if automated bots are detected in the account creation process. Some fraudsters opt to use synthetic identity fraud, meaning they use a mix of fake and real information. Although there are elements of a real identity here, even just one mistake can cause early detection.

Fraudsters will always try to make quick financial gains, which is why they mainly opt to use real PII and try to imitate user behaviors and device, hardware and network settings - to act as naturally as possible, and as convincingly as the original account holder. They will often do so at the expense of real individuals that have become victims of identity theft for the purposes of identity fraud. This is the unfortunate reality of the cat-and-mouse game that is played out every single day in the online payments world between fraudsters and anti-fraud companies. Identity theft and the various types of identity fraud are huge problems that must be tackled head-on.

Now you know the difference between identity theft and identity fraud, how do fraudsters and identity thieves attempt to commit cybercrimes using your sensitive information and accounts undetected? First and foremost, fraudsters always search for weak spots in order to take advantage of them. This can be anything from an eCommerce merchant that has ineffective anti-fraud systems in place, and/or poor internal security measures that can be exploited. We have increasingly seen that fraudsters no longer need to purchase tools to action ATO fraud themselves through social engineering scams. By passing this step, they can buy identities and stolen accounts, but also data that can prove very useful to fraudsters to avoid anti-fraud systems by imitating the real account owner.

Fraudsters will always attempt to mimic your device setup and, importantly, mimic you in every way possible. Packs of data can be purchased in the dark web that includes: cookies (active user sessions), user agent information, browser info, IP addresses, webRTC, timezone info, system, language, screen type, webGL and fonts for every account holder. A fraudster can also obtain personally identifiable information (PII) data such as a home address, phone number etc. The sophistication of such methods shows how easily a person's personal information can not only be obtained but minute details about browsing sessions and device setups can also be discovered and used against them.

Without advanced fraud detection and prevention, it is very possible for a fraudster to successfully bypass a company’s ineffective anti-fraud system. By the time an original account holder or the company has spotted the fraudulent activity and received a fraud alert, the fraudster may already have gained hundreds, if not thousands of dollars worth of goods, cryptocurrency or even gift cards.

Our fraud intelligence experts often scour the dark web, looking to find the tools and knowledge available for purchase in darknet marketplaces and forums. Their findings are crucial for risk managers and anyone involved in payments and finance. But what recent developments have they found in connection to identity theft and identity fraud? Cryptocurrency fraud is increasing, and for numerous reasons.

It’s no secret that cryptocurrencies have always been a popular currency for fraudsters. Its largely decentralised nature and anonymisation suit them just perfectly. This is often why fraudsters opt to purchase cryptocurrencies (Monero is a particular favourite), to be able to then move their newly gained financial resources without being connected to their true identities. There are numerous darknet marketplaces where ready-made accounts can be purchased, and created with stolen information. One of the main reasons is to facilitate cryptocurrency money laundering. A fresh account with no negative history is also easier to use to commit online payment fraud. Buying cryptocurrency accounts created as a result of identity theft is becoming increasingly popular on the dark web. Usually, a debit card is attached to a newly created cryptocurrency exchange account and there is a large amount of cryptocurrency already loaded onto the account (which is, of course, declared by the seller of the account on the dark web to gain more interest).

Another key development has seen Russian fraudsters increasingly turn to cryptocurrencies in order to bypass western sanctions, applied following Russia’s invasion of Ukraine. This is similar to how North Korea has gotten around western sanctions in order to continue moving capital that could no longer continue under strict financial controls. Russian fraudsters therefore seek to commit identity fraud with accounts purchased on the dark web, or alternatively, they seek newly created cryptocurrency exchange accounts created as a result of identity theft. In this instance, the most sought after identities tend to be those of individuals living in ‘western countries’ such as the United States etc.

Whether a fraudster chooses to commit ATO fraud or identity theft, the relevant tools and knowledge are always available on the darknet. Despite regular seizures of marketplaces and forums, new ones are always popping right back up. Armed with this arsenal, fraudsters can make big gains in a short amount of time, so how can they be effectively prevented from committing identity theft and fraud? The answer is simple, but also very advanced - to distinguish fraudsters from real customers in a much shorter time than it takes fraudsters to commit fraud.

To do this, advanced fraud solutions that are powered by machine learning models can automatically analyse thousands of pieces of data in real-time to weed our fraudsters. Behavioral biometric analysis goes hand in hand with the analysis of digital fingerprinting in order to fully understand a user’s interactions with a service and their device setup. If a fraudster has purchased access to an eCommerce or bank account, or stolen an identity and used it to create a new account, despite their best efforts to mimic the original account holder, their devices, geographic location etc., they will always slip up. This is why advanced fraud solutions are necessary - they can distinguish genuine account users from impersonators, bots from humans etc. The means to prevent identity theft and identity fraud partly lies with individuals and their digital hygiene practices, but also with companies that have a choice to truly combat the threat. The FinTech capabilities are already available, so don’t become a victim of identity theft or fraud, be part of the solution to stop it.

---

It's time to stop identity theft and identity fraud from harming your business. Click 'book a call' at the top of this page or contact Patrick directly via email at patrick.drexler@nethone.com or via LinkedIn and let us show you how they can be prevented.