Watching Out for New Account Fraud
Table of Contents
- What Is New Account Fraud?
- How Do Banks Prevent New Account Fraud?
- Are Merchants Liable for New Account Fraud?
- How Can Merchants Protect Themselves from New Account Fraud?
When we talk about e-commerce fraud, we’re often talking about the use of stolen credit cards. High-profile data breaches and a lucrative dark web market for compromised payment credentials have made this an extremely common way to encounter fraud, but older scams are still in use—like applying for a new credit card, charging it up to its credit limit, and walking away without ever making a single payment.
When new credit cards are obtained against stolen or synthetic identities, this scam can be repeated over and over again. How does new account fraud work, and what can merchants do to protect themselves from it?
Decades ago, before the PATRIOT Act made it more difficult to open up financial accounts without a lot of personally identifying documents, new account fraud was a well-known scheme.
While changing regulations may have made it more difficult to open up a credit card account under a fake name, fraudsters have gotten very good at pulling off identity theft in the digital era. The internet makes it easier than ever to fill in the missing information required to substantiate a stolen identity, and some fraudsters have developed new ways of creating fake identities that will survive some level of scrutiny.
New account fraud is on the rise, and what makes this particularly concerning is that new account fraud doesn’t carry the same fraud indicators as stolen card fraud. That means it can circumvent many of the anti-fraud tools and protocols designed to prevent fraudulent transactions from being processed. New account fraud can also carry a high price tag for victimized merchants, as the name of the game is to max out the card as quickly as possible before the bank realizes something is amiss.
What Is New Account Fraud?
Most people are familiar with the basic concept of identity theft. A fraudster obtains someone's personal information—such as their name, date of birth, and social security number—and uses it to apply for credit cards or loans in that person's name. The stolen information is often obtained either through phishing or through a personal connection with the victim.
Synthetic identities are a more recent development. These identities aren't linked to a single person. Instead, some or all of the personal information may be linked to a combination of different people, using one person's name and date of birth, another's address, and a third person's social security number, for example. Some of the information may not belong to anyone at all. For example, a fraudster might provide a social security number that's within the range currently being used, but that isn't assigned to anyone.
Since there's no victim to sound the alarm, synthetic identities often go undetected for much longer than stolen identities.
Once the fraudster has been issued a credit card attached to their fake identity, they will use it to spend as much money as they can before the bank realizes what’s going on or subjects the account to closer scrutiny. The vast majority of new account fraud takes place within the first 90 days of the account’s existence.
As with most fraud schemes, the objective is to turn credit into cash, so most of the time the fraudsters will purchase goods with a high resale value on secondary markets. Merchants who process new account fraud transactions may find themselves liable for chargebacks filed by the issuing banks once the fraud is discovered.
How Do Banks Prevent New Account Fraud?
Here are a few red flags that can help spot new account fraud:
- The applicant’s government-issued ID is less than 60 days old.
- The applicant’s government-issued ID is of a type that does not confer driving privileges.
- The applicant’s address is a mail drop service.
- The applicant provides a different home address than the one on their identification.
- The applicant has no previous banking history.
- The applicant’s social security number doesn’t match their name or matches multiple names.
Are Merchants Liable for New Account Fraud?
That's a big if, however. If the bank determines that a merchant failed to use basic fraud prevention measures or failed to follow the proper procedures for transaction processing, the merchant may be hit with a chargeback.
In addition to making sure they have all the basics of authorization and fraud prevention covered, merchants may want to look at ways they can spot purchases from new account fraud. While many of the normal methods of spotting credit card fraud won't detect new account fraud, there are effective tools merchants can bring to bear.
How Can Merchants Protect Themselves from New Account Fraud?
New account fraud transactions aren’t “unauthorized” in the same sense that stolen credit card transactions are. There's no legitimate cardholder to dispute purchases they didn't agree to. The primary victim of this form of fraud is the bank, not the merchant, and therefore it's usually the bank that's left holding the bag.
Tools like velocity checking can help spot fraudulent orders, especially those coming from bots. Unusually large purchases or those focusing on items you know to be a draw for fraudsters are also good reasons to examine an order more closely.
Discrepancies between the customer’s device location and their shipping address are always a red flag that may warrant further investigation. Device fingerprinting can provide useful information, too—if a device that placed orders with you in the past suddenly shows up under a brand new user account, you should proceed with caution.
Suspicious orders can be set aside for manual review. If you really aren’t sure whether it’s safe to process an order or not, you might want to reach out to the customer directly to obtain more information.
New account fraud poses a challenge for merchants, as it can be very difficult to detect and the usual fraud screening methodologies will often miss it.
While it’s not a guarantee that every instance of new account fraud will result in a chargeback to the merchant, merchants should proceed with the expectation that issuers will take advantage of any opportunity they can find to pass on liability for these transactions, and follow best practices at all times for authorizing and processing transactions.
Looking for ways to detect new account fraud can help merchants shore up their anti-fraud defenses at the CRM level, which can strengthen their security against all types of organized and sophisticated fraud and help lower their rates of true fraud chargebacks. Fraud has many faces and is always evolving, but diligent efforts to detect and block it can make a real difference to your bottom line.