What Goes Wrong for Insurers Who Don't Get Identity Right

It’s no secret that consumer data is “out there," being bought and sold on the dark web, and used regularly by bad actors for application fraud across the private and public sectors, including the insurance industry.

‍

Identity theft has grown so rampant that it’s become a national conversation. President Biden made a point in his State of the Union address this year to mention that identity theft losses related to the distribution of funds during the pandemic will total billions of dollars. The White House is taking action and has since gone on to name a new chief prosecutor, Associate Deputy Attorney General Kevin Chambers,  who describes the amount of data his team must sift through as “shocking.”

Of course, the problem is even larger than just pandemic-related losses. In the US:

• Someone becomes a victim of identity theft every 14 seconds.
• In 2020 alone, victims filed 2.2 million reports with the FTC.
• Some sources believe up to 33% of all Americans have been victims of identity theft. 

‍

Increasingly, insurance companies are experiencing the true cost of fraud first-hand in the form of damaged reputations, class-action lawsuits, and increased scrutiny from regulators. In this article, we’ll cover the macro forces driving fraud, explore the most common forms of fraud targeting the insurance industry, and review the three things every insurance company should do to protect themselves and their customers from fraud.

‍

What is going wrong?

Fraudsters are using customer information stolen from breaches and other schemes (keep reading for the specifics) to target insurance companies via identity fraud. Because the bad actors have customer data, they can easily pass most application flows that require data input to "fake" an identity. As a result, even some of the biggest companies are realizing that many insurance policies are opened under fictitious identities, leading to fraudulent claims down the road. 

‍

What fraud use cases should insurers be aware of? 

Let's take a look at one important use case especially relevant to insurers: application fraud. Application fraud takes place when a fraudster uses false information to complete an onboarding flow. 

In a recent high-profile case, fraudsters used basic consumer information to begin the quote process. The insurance company then auto-filled the application with additional customer information, including the victim’s driver’s license number, to streamline the process and accelerate onboarding. While this sounds like a good idea, it was actually a critical mistake. The fraudster “scraped” the new information that was auto-filled on the forms (including driver’s license numbers) and used the additional data to fraudulently apply for unemployment insurance under the victim’s name. By auto-filling forms with sensitive customer information BEFORE authenticating or verifying the user, the insurance company inadvertently helped criminals defraud victims. Lesson learned: identity proofing the user should be one of the first steps in any onboarding process.

‍

What’s driving application fraud in the insurance industry?

Insurance companies have been making it easier for customers to obtain insurance products online in the last decade. While this is great news for legitimate customers, it also creates opportunities for bad actors.

‍

‍
‍

What can insurers do to stop the cycle of fraud? 

Although banks have historically taken the hardest hit when it comes to fraud, insurers are far from immune. Today, fraudsters have learned that there’s big money in defrauding insurers and are leveraging application fraud at an unprecedented rate. To prevent fraud and protect their reputations, insurers must up-level their identity proofing. 

‍

To stop fraud, it’s important to get to the root of the problem. In the case of application fraud such as the example given above,  the problem lies in the fact that the insurer’s application flow lacks the digital identity proofing capabilities necessary to provide a high level of assurance that the consumer is who they claim to be. Put simply, to build an application flow that prevents fraud, you need to know that you have the right person at the other end of the digital interaction. This assurance level is critical to the complete set of interactions that will follow.

‍

Here are three steps every insurance company should take ASAP to improve their digital identity and security posture: 

‍

• Safeguard and accelerate onboarding flows with advanced account opening solutions such as Pre-Fill®: Prove Pre-Fill auto-fills online forms with verified consumer data from authoritative sources (with the consent of the user), authenticates consumer identities to thwart account opening fraud such as synthetic identity fraud, and offers users a faster, more secure, and consent-driven sign-up process.

• Embrace cryptographic authentication for seamless MFA: Cryptographic authentication (AKA key-based authentication) allows insurance companies to trust that the data asserted by users during authentication and verification events is true by leveraging the cryptographic key within a consumer’s mobile phone as the source of truth. Because it uses something that almost every adult consumer already has, cryptographic authentication is the most scalable but also the most accurate way of proving identity online today.
• Harness Prove’s three-step PRO check: Today, the best way to authenticate a user online is not with a password but rather by running a PRO check. If a user passes all 3 checks, you can feel confident that it really is them on the other side of a transaction. 

‍

What is a PRO check?

A PRO check is composed of the 3 checks companies should use to fortify their identity verification & authentication: Possession, Reputation, and Ownership:

1. Possession answers the question: Is this customer in possession of the phone? Knowing that someone is in possession of a phone at the precise moment of a potential transaction helps identify someone regardless of the transaction channel and helps ensure the customer is indeed on the other end of an interaction.
2. Reputation answers the question: Are there risky changes or suspicious behaviors associated with the phone number? Typically, people have had the same phone number for a long time and upgrade phones only every few years. Compare that to a burner phone, a phone that underwent a SIM swap, or a phone number that was just registered. These activities lower the reputation of the phone itself, which allows companies to flag the phone regardless of customer activity.
3. Ownership answers the question: Is the customer associated with the phone number? It is crucial to associate a phone number with a person when confirming that the customer is in possession of the phone. Otherwise, the wrong person may be verified. This means knowing when a customer truly gets a new phone number or knowing that phone number is still associated with a person even if they switch carriers.

‍

What are other ways that the insurance industry can protect itself against escalating rates of fraud?

While insurance companies who are proactive in leveraging the advanced identity technology described above will differentiate themselves by bettering customer experience and better protecting their customers, there are also important steps the industry must take as a whole to address rising rates of fraud. This year, the NAIC (National Association of Insurance Commissioners) created the Anti-Fraud Technology Working Group that is charged with reviewing and providing recommendations for the development of an Anti-Fraud Plan Repository. This repository will be used by insurers to create and store electronic fraud plans for distribution among various states and jurisdictions. The output of this working group and others focused on cybersecurity is expected towards the end of 2022 and should be a good start for an actionable plan. 

‍

Final Words

‍

Insurance companies today must develop identity proofing technology that protects their customers from a wide range of fraud and accelerates onboarding to boost revenue. By leveraging Prove’s cryptographic authentication technology, insurance companies will be able to protect their industry’s reputation among the public and avoid unnecessary regulatory scrutiny. With Prove’s exceptionally simple API structure and skilled team of identity experts, integration is a simple and straightforward process.

‍

‍Want to get identity right for your insurance company? Contact a Prove fraud expert today.