Fans of the hit 2002 film Catch Me If You Can will remember the extraordinary lengths that Frank Abagnale, played masterfully by Leonardo DiCaprio, went to forge checks while on the run from the FBI. Much to the delight of audiences, the film elevates the act of forging checks and defrauding banks to a high art form involving charm, craftsmanship, and an extensive – almost superhuman – knowledge of the US financial system.
In the real world, however, defrauding banks via ‘bad’ or ‘hot’ checks is less of an art form and more of a numbers game. Here’s how “shotgunning” checks works in the real world:
The History
It all began in 1987 when Congress passed the Expedited Funds Availability Act, spurring the Federal Reserve to draft Regulation CC. The goal of Regulation CC is to ensure that banks process checks promptly so people can access their money in a reasonable amount of time. Regulation CC is the reason why most consumers today can cash a check in an ATM or on their phone and withdraw either all of the money or at least $200 (depending on various circumstances) almost instantly.
While Regulation CC helps legitimate consumers by requiring financial institutions to disclose to account holders when deposited funds will be available to withdraw, it also creates a dangerous loophole for fraudsters.
How the Scheme Works
In order to stay anonymous and lay the groundwork for shotgunning checks, many criminals will create hundreds of phony bank accounts. They can do this using the stolen identity information from a real person or creating a whole new fictional identity by combining the stolen identity information from multiple people. Either way, this step is easy due to the vast amount of personal data available for sale on the dark web.
After the fraudster creates checking accounts under assumed identities, they purchase checks via the dark web or pilfer them via mail theft.
The rest is simple—the fraudster addresses their newly purchased or stolen checks to the many fake identities they created, drives to the ATM of their choice, and deposits the checks. For each check they deposit, the criminal then withdraws about $200 (the amount of money that banks typically make immediately available under Regulation CC) right away. In the matter of a few minutes, a criminal can overwhelm a bank by depositing dozens and dozens of checks to fake accounts in short succession and come out thousands of dollars richer. It’s not until days later, when the checks bounce, that the bank learns they were defrauded. By then, the cash is gone, and it’s too late.
The Solution
Today, some banks are adopting a ‘sledgehammer’ approach to tackling this fraud vector by targeting all new account holders; while customers who have accounts that have been on the books longer can cash their checks quickly, new customers are forced to wait longer. Unfortunately, extending hold times to process new customers' checks for up to a week is not exactly a great first impression. Fortunately, there are more sophisticated ways to prevent remote deposit fraud than this one-size-fits-all approach.
In order to stop criminals from stealing thousands of dollars in just a few minutes while providing legitimate customers with the speedy processing of checks that they have grown accustomed to, banks must make identity theft much more difficult.
Only a few decades ago, verifying someone's identity was as simple as asking for their social security number. Today, however, it’s safe to assume that your social security number has already been exposed and is currently being bought and sold on the dark web. Because of this new reality, banks should adopt a more secure and accurate way to verify identity: the mobile phone.
After asking a customer to enter their phone number during the onboarding process, banks can leverage phone-centric identity to prevent identity spoofing in three simple steps.
- Possession answers the question: Is this customer in possession of the phone? Knowing that someone is in possession of a phone at the precise moment of a potential transaction helps identify someone regardless of the transaction channel and helps ensure the customer is indeed on the other end of an interaction.
- Reputation answers the question: Are there risky changes or suspicious behaviors associated with the phone number? Typically, people have had the same phone number for a long time and upgrade phones only every few years. Compare that to a burner phone or a phone that underwent a SIM swap or a phone number that was just registered. These activities lower the reputation of the phone itself, which allows companies to flag the phone regardless of the customer activity.
- Ownership answers the question: Is the customer associated with the phone number? It is crucial to associate a phone number with a person when confirming that the customer is in possession of the phone. Otherwise, the wrong person may be verified. This means knowing when a customer truly gets a new phone number or knowing that phone number is still associated with a person even if they switch carriers.
By verifying a user’s identity using the PRO method, banks can stop multiple types of fraud, including Brute Force Remote Deposit Fraud, at its source while ensuring a speedy and convenient process for legitimate customers.
To learn how your company can leverage phone-centric identity to boost revenue and prevent fraud, contact us through the form below.
Keep reading
AI tools can autonomously generate threat detection queries, sift through vast amounts of data, and pinpoint potential threats without manual intervention.
Deepfakes, while not entirely new, have reached a level of sophistication that challenges businesses that are trying to deliver frictionless digital onboarding to their users.
The Federal Trade Commission (FTC) received reports of a significant increase in SIM swap attacks in 2023, and Experian's 2024 scam forecast identified SIM swapping as one of the top threats, emphasizing the need for heightened awareness and preventive measures.
