Banking Exchange Magazine Logo

Beware address hijacking

When you call and the “customer” says “go ahead,” it may not be your customer

Beware address hijacking

“Why are 25 people from all over the country moving to a vacant lot in Brooklyn?”

Adam Elliott not only asks questions like that, his company, ID Insight, was founded on designing algorithms that can help companies like banks ask such questions, in an automated fashion.

Elliott explains that the sheer volume of data breaches in recent years has stocked the shelves of the “dark web” and other sources of illegally obtained consumer data with a massive supply of raw material.

“The good news is that there are not enough fraudsters to fully consume the data that’s out there,” says Elliott.

How crooks work

The methodology of choice of many fraudsters using such data is the account takeover. Typically financial accounts rely on several means of reaching the account holder, including a physical address, a phone number, and an email address. If, using access obtained via a breach, a criminal can get a bank’s records changed to divert communications from their bank to a false address or phone number, they have a chance to grab the legitimate customer’s assets.

“Address discrepancies are the biggest pain point of any ID verification solution,” Elliott explains, “as it drives so many mismatches and it is where the identity thieves are hiding.” Elliott’s firm relies in part on a system incorporating many sources of legitimate address changes, including those reported to its own customer companies. Scoring of risk of given addresses comes into it—not all reported address changes are necessarily true, obviously.

Even if certain details as Social Security number are used for verification, that may not mean anything, Elliott says. A fraudster who has breached files likely has such data. The data will match what’s on file with credit bureaus and other such sources, but that just means the fraudster has very reliable information at his fingertips.

With such information at hand, criminals can get account addresses changed to an address they control. Likewise an email or phone number.

So, the consumer may not even be receiving account information anymore, with the data going to the criminal’s destination, such as that vacant lot or a house being used as a letter drop.

Such destinations change fairly frequently.

“Fraudsters aren’t living in owned homes, waiting for the postal inspector to show up,” says Elliott. Similarly, they love prepaid phones, since they can be used and ditched before they become a liability for the criminal. Elliott says Google Voice phone numbers can be used anonymously, providing another source of contact for a hijacker.

“Yes, of course I’m me”

Elliott says his firm has seen a large spike in fraudulent phone number changes. He says a very large bank recently called a phone number that had been changed. The intent was verification for a large wire transfer that had been requested. The “customer”—actually, a criminal with enough information to convincingly pose as such—authorized the transaction. All the verification call did was confirm, after the loss, that the criminal had all the right credentials to pose as the customer.

The wealth of illicitly obtained data out there has wrought a change in the account takeover scam, according to Elliott. It has become much more organized, given the vast amount of potential waiting to be exploited.

Elliott’s firm provides nearly 600 financial companies with screening services that rely both on external databases that ID Insight has access to, as well as information shared among client customers through the company. Scoring of information under review helps highlight individual risks, while the view of the vendor’s community of banks helps spot trends where a criminal is trying to pass off the same address or other fake destination on multiple institutions.

“We’re always interested when we are seeing a lot of activity at a single address over a short period of time,” says Elliott.

The change of address, phone number, email address, and such are what Elliott calls “the setup event,” the step that puts the criminal in control.

After that, absent detection, the crook just starts the process to rake in the take, whether it be a funds transfer, obtaining a new credit card with a healthy credit line, or grabbing some other asset in a legitimate customer’s name waiting to be exploited.

Unfortunately, says Elliott, no matter what detection is applied such threats never go away.

“It’s like a balloon,” he says. “You squeeze on one side, it bulges on the other.”

back to top


About Us

Connect With Us


Webinar: From KYC to IDV

How three leading banks are utilizing cutting-edge
digital tools to onboard, win, and wow customers

Time/Date: June 23, 2021 11:00 a.m. ET

Digital adoption, already moving at warp speed, accelerated seven years into the future during the COVID-19 pandemic. As the number of bank branches continues to fall, with at least one study predicting all branches will disappear by 2034 (Fox Business) and foot traffic declining (Vox), today’s most innovative banks are charting a new, digital-first path to win over customers while increasing security, meeting KYC compliance requirements, and winning customers to drive revenue.

In this webinar, you’ll hear from John Baird, Founder & CEO of Vouched, Tyler Crawford, COO of Bankers Healthcare Group, Anand Sathiyamurthy, CPO of Flagstar Bank and Daniel Sheehan, Chairman & CEO of Professional Bank as they describe their vision for digital transformation and how customer expectations are changing to digital first. They’ll also explore how fostering an innovation mindset creates new ways to tackle complex KYC problems and allows them to quickly compete in new markets and win customers.


This webinar is brought to you by:
Vouched Logo