Who commits document fraud: First-party fraud vs. third-party fraud

 
 
Featured Image

Most of us think of fraudulent documents only as part of larger schemes. But for fintechs, the reality is usually less elaborate: anything from a misrepresentation of personal information to fudged numbers to full-on document forgery or identity theft can qualify as fraud. This means that document fraud can be employed by just about anyone, not just career criminals. When dealing with fraud risk management in your organization, defining who uses fake documents and why is the first step towards successful fraud detection and prevention. That’s why we’re breaking down the two major fraud categories: first-party fraud and third-party fraud.

Summary

    What is first-party document fraud?

    First-party fraud is when an individual uses their own identity but alters certain details or provides misleading information. First-party fraud is often driven by a desire to bypass certain restrictions or to access services or benefits they wouldn’t otherwise be able to.

    The distinctive part about first-party fraud is that the fraudster is committing it in their own name. It involves real identities and at least some portion of real information; often, only minimal details are changed.

    For those carrying out this type of fraud, the small magnitude of their lies makes it seem like a relatively minor, even harmless undertaking in the grand scheme of document fraud. Of course, the subtlety that makes first-party fraud believable is also what makes it harder for traditional fraud detection systems to spot, as we'll see in some examples below.

    First-party fraud example: fake bank statement

    One real-world example of this type of fraud might be an individual using a fake bank statement to qualify for a mortgage they wouldn't otherwise be eligible for. A computer-literate person with less-than-stellar credit might go online and find a bank statement from the same bank with a more flattering record of account balances. The soon-to-be-fraudster just loads the new file in an image editing program and makes sure that it has the right personal information. Their bank still has them down as a real customer, the bank statement has the right account number, name, and address, but suddenly they’ve never had an overdraft and their income has jumped up a bracket for good measure.

    When submitted to a loan underwriter, say, at an online mortgage lender, everything may seem to be in order.

    Checked against the ID, personal information, and proof of address supplied during the KYC onboarding process, the information contained on the falsified bank statement will probably look legitimate. What’s more, the applicant will probably seem like an ideal customer, so loan approved, with a very favorable interest rate as well! But when it comes to actually repaying the loan in question…well, the lender may be in for a rude awakening, as the fraudster is likely unable or altogether unwilling to pay back the loan. In other words, first-party fraud has set up this online lender for a big loss; enough of these piling up over time can spell trouble for the lender's viability in a tight market, especially where speedy but accurate approvals set a lender apart.

    First-party fraud example: fake tax documents

    Another common example might come from the business world, where a company might engage in document forgery to appear more financially stable and trustworthy than it truly is. Say a small-businessperson has a legitimate certificate of incorporation, but it’s relatively new and they don’t have a very long track record of doing business. Again with some pretty minimal image manipulation, they might make their company seem older than it actually is by inputting their business's information into an older tax registration form found online, complete with all the requisite stamps and notarizations. They might even use a similar technique to create invoices that “prove” their time on the market.

    Once again, when submitted to an unprepared SME lender, everything probably looks rosy. The entrepreneur might even go further, seeking out willing investors. The fraudulent business will probably get the cash infusion they need, while those bankrolling it will lose out when a poor business plan, lack of experience, or just plain mismanagement comes to light. With the larger amounts of capital at play here and the higher level of scrutiny from regulators and industry legal teams, a lender linked to stories of lending to fraudsters will probably struggle to remain afloat for long.

    Other examples of first-party fraud

    • Government benefits fraud: Whether in long-entrenched systems such as welfare or extraordinary circumstances like the COVID-era Paycheck Protection Program (PPP), individuals or businesses alike may use real names and addresses but misrepresent other information such as how many children or employees they have.
    • Fake ID documents: Individuals often use their real name and photograph while falsifying details such as country of origin or serial number to create fake ID cards, passports, or driver's licenses.
    • Bust-out fraud: A fraudster applies for credit and builds up their credit profile over time, all using legitimate information and transactions. Once granted a larger line of credit, they max out their account with no intention to pay and “bust out”, a.k.a. disappear entirely.

    Hopefully these examples show not just how easy this type of document fraud can be to commit, but that first-party fraud can have far-reaching effects on businesses and other services even if it's in the fraudster's own name. Unfortunately, things can get even worse with third-party fraud.

    What is third-party document fraud?

    Arguably more malicious than its first-party counterpart, third-party fraud is where a fraudster assumes a completely different identity, typically by stealing someone else's personal details, creating a fictitious identity altogether, and/or mixing real and fraudulent information to create a "synthetic" identity. Third-party fraud poses significant risks to both businesses and the general public.

    Third-party fraud puts businesses at risk of inadvertently providing services or goods to someone who never existed, someone who isn't eligible for a given service, or someone who is a business risk in some other way. This, of course, opens companies to consequences ranging from losses to fines to legal actions, or even all of the above. The complexity of third-party fraud cases—who is actually using fake information, whose information is being used by whom, where was this personal information obtained, etc.—also makes them more difficult to untangle or "solve". This, of course, makes it hard for companies to identify the guilty fraudster, recoup their losses, and prevent recurring attacks from the same fraudster or someone using the same techniques.

    For consumers, however, the picture is even more dire. As news stories have confirmed for years, any one of us can easily fall victim to identity theft, sometimes through sloppy personal data hygiene but just as often through no fault of our own. The result of being a victim of identity theft can be the hassle of canceling credit cards and waiting for them to be reissued all the way up to hundreds of thousands of dollars in personal debts, destroyed credit scores, and even legal proceedings that can haunt someone for years. It's not too much to say that identity theft can ruin lives.

    At the intersection of these two interests, leaked or stolen personal information erodes customer trust in companies, making for a more adversarial relationship that is neither convenient for consumers nor a good climate in which to do business. As the rise in authorized push payment (APP) fraud has shown, the reputational risk of even so much as a whiff of being associated with identity theft or other malicious fraud—even if, in reality, that blame is misplaced—can present massive challenges for fintechs in particular.

    Third-party fraud example: money mule onboarding

    The APP fraud schemes mentioned above tie together fraud and money laundering: not only do fraudsters bilk victims out of money in the first place, they have to keep their money moving quickly in order to cover their tracks and make it hard to recover the ill-gotten funds. This more often than not hinges on a network of fraudulent accounts at neobanks and other instant money transfer services under the direct or indirect control of a single fraudster—these are known as "money mules".

    Building up such a money laundering network often calls for third-party fraud. Fraudsters today have many options for getting their hands on batches of personally identifiable information, either through directly engaging in identity theft or obtaining stolen documents from online marketplaces. Once in possession of even a single piece of passable documentation—say, a government-issued ID card—a fraudster can complete an unprepared KYC onboarding process without much trouble, making a money mule account in the name of whomever the unlucky victim was. Once they have confirmed that the ID in their possession will be accepted, reusing the fake in subtly different settings or on other services—what we call serial fraud—isn't particularly difficult.

    With just a few alterations, the fraudster can also supercharge their efforts in another way. By reusing some pieces of valid information, like the license number, date of birth, and street address, even a semi-skilled fraudster can replace other bits of information like a name or a face that can be coupled with other fraudulent documents to repeatedly fool outdated KYC onboarding checks. Either way, the result can be dozens or even hundreds of fraudulent bank accounts made under stolen or synthetic identities: the fraudster gets to set up a money laundering infrastructure at a distance from their real identity, while an innocent victim of identity theft can take the blame.

    The impact of third-party fraud can go far beyond facilitating financial crime and defrauded businesses. Real people can suffer erroneous police investigations, destroyed credit scores, and being blacklisted from services they want or need, to name just a few of the very tangible consequences.

    Other examples of third-party fraud

    • Fake documents: Creating forged documents or altering genuine documents using someone else's personal information, such as fake passports, ID card, proof of address documentation, etc.
    • Darkweb marketplaces: Large batches of personal information, like names, addresses, credit card numbers, and Social Security numbers, are often distributed or put up for sale on secretive websites. Scammers can simply buy thousands of profiles, using these identities directly or using their constituent parts to create synthetic identities.
    • Phishing and social engineering: Fraudsters trick individuals or businesses into revealing sensitive information, which is then used to produce fraudulent documents, gain unauthorized access to systems, or engage in APP scams.

    Clearly these two categories of fraud are not only illegal but also highly impactful on all of society, from businesses to consumers to simple faith in how finances and services function. Unfortunately, there are many more fraud techniques that bad actors use and a nearly endless array of document types that can be involved. Luckily, however, there is also a growing range of fraud detection and prevention options that, when implemented widely and properly, can help stem the tide of both first-party fraud and third-party fraud.

     

    Photo of Matt Jones, author of the blog post
    Matt Jones, Content Manager