2020 has taught us all about resilience, fraudsters and organized criminals included. As organizations adapt to the demands of an increasingly digital world, fraudsters are employing more tools and techniques to reap financial gains at their expense.

Fraud is unfortunately thriving. As such, organizations must employ up-to-date, secure, and user-friendly systems and controls to mitigate fraud risk while still meeting consumer expectations. Failure to do so may result in increased fraud losses and non-compliance with regulatory requirements, not to mention loss of customers' confidence.

Identity fraud: The gateway

Identity fraud is a risk as old as commerce itself. However, in the digital age, fraudsters continue to collaborate and adopt new tools and methods to go undetected. Organizations that operate online face increasing risks of account takeover, identity theft, and other forms of identity fraud.

Identity fraud often begins undetected. A common tactic is to use fake or stolen information to create a fake identity (e.g., synthetic ID) to establish accounts (such as telecommunication, banking, online shopping, healthcare profiles, etc.) through which criminals can defraud businesses of their cash, products or services.

According to a recent poll, cyber fraud and payment fraud top the list of specific fraud risks expected to increase over the next 12 months (followed by unemployment fraud and identity theft).[1]

Spotting the signs of identity fraud

Fraudulent online activity tends to leave distinct signals for those who are trained to spot them. These can include:

  • Suspicious information on the credit bureau profile, including:
    • Mismatched info between a customer's history and their provided information (e.g., address, age, transaction history, etc.).
    • Newly created credit bureau profiles with a telecommunications trade line followed by new credit application inquiries.
    • Inactive profiles for customers that would typically have more activity.
    • Profile warnings (e.g., social insurance number used by multiple credit bureau profiles).
  • The same or similar personal information (e.g., phone numbers and addresses) attached to multiple identities.
  • Suspicious activity or changes in a customer's profile, followed by financial transactions.
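
Several of these signals can be checked mechanically. The following is an added example, not part of the original article: it flags identifiers shared across profiles (including near-identical addresses) and a financial transaction that closely follows a profile change. The record fields, the 24-hour window and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names and values are illustrative assumptions.
PROFILES = [
    {"id": "P1", "sin": "SIN-A", "phone": "555-0101", "address": "12 Elm St"},
    {"id": "P2", "sin": "SIN-A", "phone": "555-0102", "address": "9 Oak Ave"},
    {"id": "P3", "sin": "SIN-C", "phone": "555-0103", "address": "12 elm st."},
    {"id": "P4", "sin": "SIN-D", "phone": "555-0104", "address": "40 Pine Rd"},
]
EVENTS = [  # (profile id, ISO timestamp, event kind)
    ("P4", "2020-11-02T10:00", "profile_change"),
    ("P4", "2020-11-02T10:20", "transfer"),
    ("P1", "2020-11-01T09:00", "profile_change"),
    ("P1", "2020-11-09T09:00", "transfer"),
]
FINANCIAL = {"transfer", "withdrawal", "purchase"}  # assumed event kinds

def normalize(value):
    """Lower-case and drop punctuation/spacing so near-identical values match."""
    return "".join(c for c in value.lower() if c.isalnum())

def shared_attributes(profiles, fields=("sin", "phone", "address")):
    """Return {(field, normalized value): [profile ids]} for values on 2+ profiles."""
    seen = defaultdict(list)
    for p in profiles:
        for f in fields:
            seen[(f, normalize(p[f]))].append(p["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}

def change_then_transaction(events, window=timedelta(hours=24)):
    """Return ids with a financial event within `window` after a profile change."""
    last_change, flagged = {}, set()
    for pid, ts, kind in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if kind == "profile_change":
            last_change[pid] = when
        elif kind in FINANCIAL and pid in last_change:
            if when - last_change[pid] <= window:
                flagged.add(pid)
    return flagged

if __name__ == "__main__":
    for (field, _), ids in shared_attributes(PROFILES).items():
        print(f"shared {field}: {ids}")
    print("change then transaction:", sorted(change_then_transaction(EVENTS)))
```

Hits from rules like these are leads for review rather than verdicts: members of one household legitimately share an address and often a phone number.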

Authenticating the consumer

Building a strong fraud defence includes assessing your current control environment and authentication strategies. It considers factors such as something the consumer knows (e.g., password), something a consumer has (e.g., digital token), and something identifying the consumer directly (e.g., fingerprint).

Antiquated authentication tools such as knowledge-based authentication (KBA) and personally identifiable information (PII) are no longer adequate forms of authentication. Neither is placing the onus on the consumer to confirm who they are. Instead, robust authentication requires a layered approach across the customer lifecycle, such as:

  • Verifying the consumer's device and understanding the channel they are coming from,
  • Analyzing the in-session consumer behaviour for unusual signs, and
  • Using data analytics, machine learning and artificial intelligence (AI) models, biometrics solutions, and one-time passwords or two-way SMS tools.

While preventing online fraud is critical, so is ensuring a smooth customer journey. As such, extra precautions and verification controls must find a balance with providing fast and frictionless access for legitimate customers.

Today's consumers expect direct access to products and services with little to no friction in the process. At the same time, organizations are compelled to protect their digital assets. This challenge is compounded when internal teams disagree on how to share the risk and collaborate on a shared program. Knowing how to strike the right balance between providing a positive customer experience and online security should be top of mind for every organization.

Balancing security with customer experience

The new digital landscape provides consumers with increased convenience, speed and anonymity, something fraudsters are eager to exploit at every opportunity. Defending your organization means knowing your consumer through a strong verification and authentication strategy, taking a holistic approach to fraud management at every stage of the client and product lifecycles, and collaborating across internal departments to ensure all potential "entry points" are being monitored.

There is no such thing as a perfect, one-size-fits-all fraud defense. Still, knowing what makes your organization a target, what red flags to watch for, and how to stop fraud before it begins is key to creating fraud prevention controls and strategies that will keep the risks well mitigated.


Mélanie Gagné and Cherolle Prince are Senior Managers in the Forensic Practice at KPMG in Canada.

[1] Covid-19 Benchmarking Report December Edition.pdf (acfe.com)

As organizations continue to move online, they must do so in a way that stays one step ahead by investing in the people, technologies, and best-practice strategies that will drive safe and secure digital transactions.

KPMG can help companies combat online fraud with a carefully considered, strategic approach. COVID-19 has undoubtedly been an uncharted crisis, but it provides us with opportunities to analyze the present and invest in future resilience in order to become stronger through our collective knowledge.

Contact us to learn more about fraud prevention strategies or to discuss a fraud risk assessment for your organization.

Read KPMG's recently published whitepaper: Battling economic crime - and winning together.
