Busting Fraud Rings with Social Link Analysis
Table of Contents INTRODUCTION... 1 WHAT IS BUST-OUT FRAUD AND WHY IS IT SO HARD TO DETECT?... 2 SOCIAL LINK ANALYSIS (SLA): A POWERFUL NEW WEAPON... 3 HOW SOCIAL LINK ANALYSIS WORKS... 4 Access Enterprise and Third-Party Data... 5 Detect and Resolve Entities (Entity Resolution)... 6 Link Entities and Create Social Networks... 6 Analyze, Score and Prioritize... 7 Alert... 7 Visualize... 7 BUSINESS BENEFITS... 9 CONCLUSION... 9 ABOUT INFOGLIDE... 10
Introduction Financial institutions are forced to combat many types of fraudulent activity, but few are as damaging and difficult to detect as bust-out fraud. Analysts estimate that between 10% and 15% of all banks unsecured bad debt is actually bust-out fraud, resulting in tens of billions in losses every year. While this type of fraud is certainly not new, it remains a significant problem for banks because it is so hard for them to identify and take action in time. Organized bust-out fraud -- also referred to as sleeper fraud -- occurs when an organized group of individuals applies for credit cards, loans, overdrafts or other unsecured banking credit lines, and then uses them to make purchases with no intention of ever paying them back. The criminals hold onto accounts for some time and then quickly ramp up spending activity before the banks can act. Unfortunately for banks, bust-out fraud is difficult to detect by traditional anti-fraud measures because initially, the fraudsters behave like any other respectable customers, bypassing the bank s rules and analytically-based detection measures. To defend against these sophisticated threats, banks must be able to identify fraud rings earlier in their life cycle so perpetrators can be stopped before they act. Additionally, since fraud rings typically operate within a wide number of geographic locations and business channels, the fraud rings must be pieced together across the entire institution. Infoglide has developed a powerful new weapon, Infoglide Social Link Analysis (SLA), designed specifically to combat bust-out fraud by exploiting the number one weakness of bust-out fraud rings: reused identity information. In almost every case of large-scale fraud networks, there are bits and pieces of reused, fraudulently obtained identity information (such as names, phone numbers, addresses, etc.). Infoglide SLA uses sophisticated technology to identify and piece together both exact and inexact (fuzzy) linkages and nonobvious relationships using these recycled pieces of information. As a result, the fraud ring can be discovered before its members can strike the bank. This whitepaper introduces Social Link Analysis and discusses in depth why it is an effective tool against organized bust-out fraud. It also highlights examples and key business considerations for financial institutions.
What is Bust-Out Fraud and Why is it so Hard to Detect? Organized bust-out fraud is a type of first-party fraud that occurs when a group of individuals opens bank accounts with fraudulent identity information. Often facilitated by employees, the individuals then typically spend between a few months and a few years establishing themselves as engaged and trustworthy customers. Oftentimes, to simulate activity, the fraudsters will cycle cash among the various fraudulent accounts without the payments ever leaving the bank. Over time, individuals within a network will accumulate several credit cards with increasing levels of credit, along with personal loans and checking accounts. Once a fraudster reaches a desired bust level or time in the scheme, he or she will rapidly increase spending, max out credit card limits and attempt to get additional credit cards, loans or accounts. Since the fraudsters are collaborating with each other, they are able to make sure that they adhere to the rules and thresholds that might otherwise trigger an alarm, making bust-out fraud difficult to detect. Frequently, they will use credit cards and checks to purchase items such as electronics or large household appliances that can be sold quickly after purchase. Because of the speed with which all of this activity happens usually only a couple of days banking systems do not detect it fast enough to react and block purchases. Yet another problem is that banks often lack the tools to detect activities across different lines of business within the institution. For instance, a customer may take out a loan from the retail division to continue cycling their credit card payments. Since most banks analytics are focused on specific lines of business, they are unable to detect cross-channel fraud. Finally, the very nature of the crime makes it difficult to detect. There are many reasons banks see charge-offs and bad checks (for instance, when a customer experiences a divorce, job loss or other personal crisis), so these issues are not always indicative of fraudulent activity. However, estimates indicate that up to 15% of all charged-off credit is, in fact, uninvestigated first-party fraud.
Social Link Analysis (SLA): A Powerful New Weapon Although organized fraudsters are sophisticated, they often leave behind evidence that can be used to uncover networks of organized crime. The fraudsters know that due to Know Your Customer (KYC) and Customer Due Diligence (CDD) regulations, their account information will be verified. To pass these checks, the individuals will either modify their own identity or use a synthetic identity, which consists of combining real identity information (e.g., a social security number) with fake identity information (names, addresses, phone numbers, etc.). Fortunately for banks, false identity information required to successfully open accounts can be expensive and inconvenient to acquire and maintain. For example, apartments must be rented out to maintain a valid address. Additionally, there are only so many cell phones a person can carry at one time and only so many aliases that can be remembered. In response, fraudsters look to share recycled bits and pieces of these valuable assets. This reuse of identity information is what makes Infoglide SLA so effective in combating fraud. By examining the linkages between the recycled identities, Infoglide SLA is able to identify potential fraud networks. Once the networks are detected, Infoglide SLA applies advanced analytics to determine the risk level for both the network and each individual associated with that network.
How Social Link Analysis Works Social links, in a banking context, are made up of groups of accounts, customers, and employees that share some sort of relationship with each other. Examples of attributes that may be shared and linked can include: Personal identity information (e.g., names, addresses, phone numbers); Account information (such as an account number and its creator); and Transactional information (including payment transfers between accounts, or employees who approve customer information). Infoglide SLA detects the shared relationships between the customers, employees and known bad guy data and links them together into networks. Once the entities are linked together, advanced analytics are applied to determine the level of risk. SLA works by first analyzing data across product lines, matching information across accounts, identifying linkages and networks, and then scoring those links. If connections indicate a risk of fraud, SLA creates an alert using a visualization tool to display the linkage. These steps as well as additional benefits for financial institutions are discussed in more detail with an example and images in the next section.
Figure 1: Social Link Analysis Process Access Enterprise and Third-Party Data One of the biggest assets of Social Link Analysis is its ability to analyze information across product and geographic lines. Because such a threat may span multiple product lines, individual fraud solutions may detect only small pieces of the puzzle. Social Link Analysis, on the other hand, is able to put these pieces together. The ability to automatically integrate diverse data sources and identify networks can be a significant driver of efficiency and productivity for the enterprise risk function. With all the data available in one location, downstream analysis is much simpler and takes less time to deploy so that bank officials can quickly identify potential risks.
Detect and Resolve Entities (Entity Resolution) Ideally, personal and business information would always be standardized across an organization. However, in reality, most data is fraught with inaccuracies, duplicates, and false identities. For this reason, one of the most challenging aspects of linking entities is being able to determine and match entity attributes that are similar, but not exact. If similar attributes cannot be properly matched, then the resulting link analysis will either analyze incomplete networks (resulting in false negatives) or attribute entities that do not belong together (resulting in false positives). Infoglide is the leading provider of identity/entity resolution software, with mission-critical solutions deployed at the US Department of Homeland Security as well as major banks, insurance companies and retailers. SLA includes Infoglide s patented matching technology, designed to identify, address and display connections between both accurate and inaccurate data. For example, SLA can detect slight variations in names, addresses, telephone numbers, SSNs, etc. In addition, data anomalies such as misuse of data fields, visual scan errors, and transposed data can be accounted for. Link Entities and Create Social Networks Figure 2 is a simple illustration of how Infoglide Social Link Analysis detects links within fraudulent networks. In this example, the applicant A. Lisa Knight shares a telephone number with cardholder Lisa Anne Carr. Additionally, Lisa Anne Carr shares a similar (but not exact) address with a bank employee named Michelle S. Hart. Although A. Lisa Knight does not share any exact attributes with Michelle S. Hart, they can be considered part of a network because of their shared relationship with Lisa Anne Carr. Figure 2: Network relationships via transitive linkages
Analyze, Score and Prioritize Once the links are identified and the social networks are created, Infoglide's Social Link Analysis applies additional analytics to determine the risk level of each network and individual within the network. For example, some factors that would impact the risk score include: Relationships with known fraudsters: New applicants who are connected to accounts that are already in a bank's fraud or AML data; Suspicious relationships with bank insiders: Due to the fact that a large percentage of bust-out fraud is facilitated by employees; and/or Unusually large and diverse networks: Large, connected networks of accounts and customers may mean a growing scheme is ready to bust out. Alert Infoglide Social Link Analysis is capable of analyzing links and generating alerts in real time. For example, when a bank automatically processes new applications through link analysis, applications that exhibit suspicious relationships (as determined by analytics) can be flagged and sent as alerts. Visualize One key component of Infoglide SLA is an integrated link visualization interface. The link visualization can help investigators analyze the linkages of a person/account of interest. Social Link Analysis typically starts when an investigator wants to look at the relationships of a particular person of interest for example, if an alert is generated by the bank s existing anti-fraud solutions or a security officer receives a hot tip. From there, the attributes (such as name, address, and phone number) are searched and a representation of the person of interest s relationships is presented in a visual layout.
Example: An investigation starts off with Susie Smith, who has a checking account, credit card, a charged-off loan (a loan with debt that is unlikely to be collected by the bank) and an active loan. The visualization tool also shows Susie s phone number and address. A look into Susie s relationships begins to turn up some suspicious information (see Figure 3 below). Susie Smith is connected to Jack Wilson, another customer with the same phone number. Like Susie, Jack has some charged-off credit, a credit card and a charged-off loan. Susie Smith is also linked to John Benton because they share the same address. Not only does John Benton have a charged-off loan, but one of his other loans is under investigation at the bank. If fraud is not confirmed at this point, it certainly is when the analyst looks at third-degree relationships. Jack Wilson is connected through an address match to Mark Rivera, who is under investigation for mortgage fraud, and Mark Rivera is connected to John Benton through a matching phone number. As a result, Social Link Analysis has detected four members of a network, each with various amounts of charged-off fraud. Figure 3: Link Analysis Identifying Network Connections
Business Benefits Bust-out fraud wastes bank resources not only through significant financial losses, but also by wasting staff time and affecting a bank's key risk predictions. Therefore, addressing bustout fraud using social link analysis can enable banks to significantly reduce fraud losses as well as improve operational expenses and investigator efficiencies. Implementing social link analysis: Reduces Fraud Losses: With social link analysis, banks can identify fraud rings while they are still active. As a result, they can take effective countermeasures, such as increased monitoring, shutting down the account, or taking legal action before fraudsters strike; Lowers Operational Expenses: Infoglide Social Link Analysis can complement fraud detection solutions already in place at the bank to streamline processes. For example, Infoglide SLA can provide additional analytics that can improve estimates of a specific threat to improve triage efforts; and Increases Investigator Efficiencies: Through its visual link analytics tool, investigators can quickly discover and visualize relationships of persons of interest. These visual references can improve collaborative efforts between different parts of the organization and with law enforcement. Conclusion Although bust-out fraud has been difficult for banks to tackle in the past, Infoglide s SLA can be deployed in a timely, efficient manner. By taking advantage of the most critical vulnerability of bust-out fraud rings reused and/or fraudulent identity information Social Link Analysis quickly pieces together and distinguishes elements of a fraud network. With the use of this product, banks can address issues and implement solutions before being attacked, improving fraud detection and potentially saving thousands of dollars in bad debt and staffing resources.
About Infoglide Infoglide (http://www.infoglide.com) is a leading provider of identity resolution and entity analytics solutions to government and commercial markets. Infoglide s flagship product, Identity Resolution Engine (IRE), searches disparate databases to discover possible matches and non-obvious relationships between people, places, and things. IRE has patented technology that is used to find matches and social links between entities despite errors in data and intentional attempts to deceive. The product is used by organizations in the insurance, banking, identity management, and government spaces for fraud detection, compliance, AML and screening. Incorporated in 1996, Infoglide Software is a privately held company headquartered in Austin, Texas.
Contact Us Infoglide Software Corporation 6500 River Place Blvd., Building II, Suite 450, Austin, Texas 78730 Email: sales@infoglide.com 512.532.3500 Fax: 512.532.3505 www.infoglide.com Copyright 2012 Infoglide Software. All Rights Reserved.