Address change fraud is one of the easiest, oldest, cheapest and non technical tricks to steal personal information and take over someone’s identity for a variety of reasons including fraud. The unauthorized address change can occur at the post office or at a business which is the focus of this article.
There are many ways that personal information are stolen and address change scams are executed using pretexting and social engineering. The scheme by which a company’s employee with system and information access is fooled to share customer’s information with thieves is called social engineering and a scam whereby the thief pretends to be the customer and requests a change of address is called pretexting.
Social engineers know that all employees are not well educated regarding company policies and procedures for protecting customer information and validating customer identities. Scammmers know that with persistence and multiple attempts, an unsuspecting employee will be found who can help them complete the scam. The scam is so low tech that anyone with some persuasion skill can succeed on their very first attempts which is why employees are the weakest link in fraud prevention efforts and the risk must be addressed through employee education and monitoring. All it takes for such scams to be executed successfully is one employee. The scammer just needs to find one employee who can be fooled to unknowingly follow orders and go above and beyond his or her ability to provide the best possible customer service to the wrong customer.
An address change fraud occurs much too often and its victims include celebrities, company executives as well as millions of regular customers. Identity fraud does not discriminate unless of course the scam can provide the most bang for the buck which is why high credit worthy and high account balance consumers are often the best targets. Sometimes, an unauthorized address change is detected after the fact when the customer information is stolen through mail diversion. Here’s one example; an identity thief calls the bank to request and address change which is eventually executed by an uneducated and unsuspecting employee leading to address change fraud. A few days later, the fraudster calls to report a lost or stolen credit or debit card which prompts the bank to issue a new one by sending it to the identity thief’s address. Once the card is received, the fraudster finds a way to either activate the card or create a counterfeit to go shopping or take money out of the bank for as long as the cards remain active. Usually the banks have fraud detection systems which are configured to detect a variety of common fraud red flags. Depending on how well a bank’s fraud detection system is configured and managed, the address change fraud may be detected early on or much later. For example, the system might not recognize the address change as a suspicious account activity although the address change occurred only a few days before the card was reported as lost or stolen, however, the system might detect the fraudulent transaction as the thief continues with his shopping spree.
Address change fraud is one of the identity fraud red flags which is addressed by the Federal Red Flags Rule for preventing fraud. This type of scam is meant to easily bypass system security controls and take advantage of an employee’s lack of risk awareness and education regarding company procedures and their applications in their daily work. Address change fraud scams can be detected if banks properly identify it as part of their red flag management during the identity theft risk assessment process, configure their fraud systems to report suspicious activities according to the results of the risks assessment, follow up with reported events, update their identity theft prevention policies and procedures, and educate their employees especially regarding customer identity verification.
Customers can also help banks prevent and detect identity theft early on. For example, a couple of the most important things that consumers can do are to observe the frequency of their bank or credit account statements and notify the bank when they do not receive one on the scheduled date because if an unauthorized change of address is executed, all mails from the institution will be diverted to the new address. Also, customers can review their account statements to detect any unrecognized transactions even if they do not expect any activities on the account and promptly notify the company.