Sleeper identities, stolen or fake documents, phishing, malware and infiltration of insurers’ employees are all tools of today’s fraudster stalking the industry. Yet insurers remain unwilling to use the pooled intelligence that could help
It is everyone's nightmare: finding out that a stranger has stolen your identity and is doing something unconscionable in your name.
It became a reality for semi-retired teacher Harold Williams* when police burst into his house at 5am to arrest him on suspicion of downloading child pornography. The police searched his house and seized his computer. When it emerged that his credit card details had been stolen, his computer was returned and the investigation dropped. However, by then, serious damage had been done to his reputation.
“It’s certainly altered my life and personality irrevocably, because I’m no longer the completely open, frank person that I was lucky enough to be for the first 55 years of my life. I’m quite a different person now. I’m much more cagey,” he says.
Another identity fraud victim, entrepreneur and philanthropist John Mitchell*, discovered that a fraudster had withdrawn £9,500 in cash from his current account using a fake passport. The bank contacted him six days after the withdrawal, leaving him aghast at the slack security and the knowledge that someone could steal his identity so easily. While the money was reimbursed, the episode has left him feeling vulnerable and worried about where that fake passport is now, and what it might be used for.
Fraudsters perfect identity crime
Identity crime, including identity theft and the use of fabricated identities, has spiralled upwards in recent years. Last year, the number of detected identity fraud cases rose 32% to 102,367, compared with 77,642 in 2008; according to the UK’s fraud prevention service CIFAS. More than 50,199 victims of impersonation were recorded by CIFAS members during the first six months of this year; an increase of 22% from the same period in 2009.
But these figures may just scratch the surface of the problem. The Counter Fraud Studies Group estimates that 3.7% of the UK population (roughly 1.8 million people) are victims of identity theft each year.
Experts are warning that the insurance sector needs to take note. Identity crime is becoming a key strategy for insurance fraudsters and they are getting better at it. ABI figures reveal that in 2009, the value of detected bogus insurance scams stood at a record £840m, an increase of 14% compared to 2008. Motor fraud at £410m accounted for nearly half of this figure.
Berryman Lace Mawer partner Ray Southern says: “We are seeing an increase in cases that have identity fraud as a feature in them, particularly in the motor field, as the provision of false identification documents and false addresses increase. The insurance industry needs to focus on who it is dealing with.”
The greatest concern for insurers comes from organised criminal networks, the brains behind crash-for-cash scams and staged accidents. Crawford’s claims psychology director Nikki Grieve-Top explains that organised fraudsters have stepped up their use of identity theft or what she terms “cloned identities”, where a policy is taken out under someone’s name purely for the purpose of multiple third-party claims being made against that policy later on. Usually, the victim remains blithely unaware that their identity has been used in several scams until they come to renew their policy and face a massive hike in their premium.
In addition to identity theft, the use of fabricated identities and multiple aliases has also increased, as fraudsters seek to stay one step ahead of insurers. “Within claims, we see switching of identities and the manipulation of data to avoid detection; fraudsters now have a number of aliases. It is a very live issue for us,” Zurich claims fraud and investigations manager Scott Clayton explains. “Most commonly we see people who switch surnames and Christian names and use variants in the spelling of names and dates of birth. A person may have four or five different aliases at three addresses.”
Sleepers and swindlers
As insurers develop strategies to combat identity crime, fraudsters in turn are devising new techniques to stay one step ahead. This, Grieve-Top explains, is evident in the increased use of so-called sleeper identities. In these cases, the fraudster takes out a policy under a fabricated identity and lets it lie dormant for a while before submitting a bogus claim.
“The fraudsters have learnt that one of the fraud indicators is the timeline. If the claims are made within between one and three months of the policy’s inception, that is a fraud risk indicator. So they will leave them for longer before making a claim. They can be left for 12 to 18 months. It is not a particularly sophisticated technique, but it works,” she says.
Fraud hunters have also identified another form of fraud, where perpetrators convince a genuine policyholder to include them as an add-on name on their policy and then proceed to make bogus claims against it. This, Grieve-Top says, is most commonly seen in settings such as care homes where residents are vulnerable to such deception.
But it is not just organised criminal networks that insurers need to watch out for. Poor employment records and claims histories can lead policyholders to use identity fraud to get a better rate on their premiums. “We do see people who assume other people’s identities and misuse credit card details to get more on the motor side. That is being seen across the industry,” RSA’s counter fraud manager John Beadle explains.
The march of malware
So why is identity fraud becoming such a problem? Rapid advances in technology – in particular, the borderless terrain of the internet – has emerged as the main driver as fraudsters exploit the streams of information available. Many members of the public still remain oblivious to the dangers posed by the internet and neglect security settings, says Jim Gee, director of counter-fraud services at MacIntyre Hudson LLP and chair of the Centre for Counter Fraud Studies at the University of Portsmouth.
“We are one of the countries in Europe with the greatest internet usage,” he explains. “70% of people use the internet every day but 40% have only started using it in the past three years. Perhaps they are not protecting their information in the way they should. Meanwhile, social media is exploding and this creates problems with the amount of new information that is out there.”
Another problem is the rapid development in the use of malware, software that is clandestinely sent to individuals’ computers to steal passwords and other personal details, which it sends back to a central server used by fraudsters who sell the information on the black market.
“This is a very sophisticated market. You can hire literally thousands of computers which have been infected by malware,” Gee says. In 2006, fraud detectors found evidence of 10,000 malware programs in the UK but by last year this figure had jumped to 388,000. Gee warns that the protective security measures available to detect malware have only a 40% success rate.
In many cases, insurers are ill-equipped to meet the challenges of these increasingly sophisticated techniques. Flawed identification verification procedures and the sector’s patchy record in subscribing to fraud databases is a problem. Beadle points out that when it comes to authenticating key identity documents, the general insurance sector lags far behind the more stringent controls of the life sector.
But, he adds, many players in the general sector can ill afford to implement similar controls. “It is desirable for these controls to be put in place to help prevent front-line fraud but it is unlikely that the industry, particularly in the motor market at the moment, could bear the additional cost,” he explains.
In addition, in a fiercely competitive market, many players are loath to put extra procedures in place that might affect the acquisition of new business. “They don’t want to make the barriers too tough,” Gee explains.
Insurers’ unwillingness to use fraud databases – due to cost and a fear of giving away too much information to the competition – is also a boon to identity fraudsters. Grieve-Top points out that databases that record the type and amount of stolen or missing identity documents in circulation are invaluable tools. “It is vital that you have access to a list of such documents in circulation so you can check whether it is a genuine passport or identification document that you have been provided with. It blows my mind that these databases aren’t used more.”
Chair of the Identity Fraud Communications Awareness Group, Neil Munroe, warns that insurers also need to be more vigilant about “phishing” scams, in which people are asked to reconfirm financial details by fraudsters purporting to represent their financial services providers.
But it is not only threats from outside that insurers need to be worried about. Munroe believes increasingly vigilant staff controls are needed within the insurance sector, where employees are in a prime position to take advantage of the data available to them.
Beachcroft head of civil asset recovery and fraud Ben Daniels warns: “Beware the enemy within. There is anecdotal evidence that insurers are increasingly becoming the targets of criminal gangs that sell on customer data to be used in identity fraud.” While CIFAs operates a staff fraud database, with information about potential fraudsters, again subscription from the sector is patchy. Of its 265 members, only six are insurers.
Daniels warns that regular staff checks, vetting of potential employees, monitoring of individuals’ access to data, increased encryption of data and controls over the recording of information on memory sticks will become vital strategies in weeding out internal fraud.
The rising cost of fraud along with increased demands for better security will put extra pressure on insurers. But undoubtedly, the cost to potential victims is much higher. John Mitchell still has sleepless nights knowing that a stranger is using his identity. “I’ve worked hard to build up my reputation, to build up my business,” he says. “I’m very bothered that there’s someone out there who is pretending to be me.” IT