Are you doing business with the dead?
Discover all about the darkest form of identity theft, and how to protect your company from the threat of ghosting fraudsters.
Have you ever been ghosted or a victim of ‘ghosting fraud’?
While ‘ghosting’ is widely known as the sudden and random disappearance of a potential suitor, the term ‘ghosting fraud’ refers to something far darker. Ghosting fraud describes the theft and fraudulent use of a deceased person’s personal information.
One of the most notorious cases of ghosting fraud happened in 2016 in Florida, US. Two fraudsters managed to hack into a computer system, and access the records of the deceased to collect names, addresses, birth dates, and social security numbers, which they used to commit tax fraud.
By filing multiple fake tax returns, the two scammers received fraudulent refund checks worth millions. This was all at the expense of the IRS, which had no idea that these identities were fraudulent, or even that these people were deceased.
While it’s unknown how many identities the fraudsters stole, they were ordered to pay back over $1.26 million, and sentenced to 11 and 12 years respectively.
Although it’s shocking, this isn’t the only story of its kind. In fact, as the cost of living rises, ghosting fraud is becoming increasingly common.
What is ghosting fraud?
Ghosting fraud is the term used to describe a form of identity theft, where perpetrators impersonate a deceased person for financial gain.
Fraudsters will use a deceased individual’s name, address, and other confidential information to open up new lines of credit, take out loans, or, as in the example above, request tax refunds.
Ghosting fraud is made possible thanks to vulnerabilities and failures in internal controls, record keeping and monitoring systems, as well as lags in system updates. In the UK, for example, relatives have up to twelve months to register a death.
What’s worse, though, is that in some regions, credit unions and lenders won’t know of a customer’s death unless they receive a dedicated phone call from a relative. Of course, this is not often a priority for grieving family members. Lenders have been known to keep lines of credit open – and charge interest – for years without an official death notification.
However, it’s not necessarily the relatives of the deceased who should be most concerned, but businesses. Unlike romance scams, ghosting fraud doesn’t hinge on social engineering, but rather on knowledge of the customer.
More on that later.
What are the different types of ghosting fraud?
Within the realm of ghosting fraud, there are three common scams to be aware of:
Credit fraud.
Credit fraud in this context can work in two separate ways. The first involves someone close to the deceased, who has physical access to their credit accounts. Here, the perpetrator simply starts using the credit cards of the deceased without notifying the provider of their death.
Secondly, credit fraud can happen when external scammers get hold of the details of the deceased. By accessing information such as their name, date of birth and social security number, the fraudster has all the information they need to apply for new accounts.
In the US, approximately 800,000 cases of ghosting fraud happen every year for the purposes of opening new lines of credit.
Companies that should be most concerned about credit fraud are credit providers, such as credit card companies or lenders. Without specific identity checks in place or a tool to flag suspicious signals, these financial institutions stand to lose the most from ghosting fraudsters.
Tax fraud.
Ghosting fraud can also affect tax authorities on a global scale. Here, criminals get hold of deceased individuals’ details, and file false tax statements in order to generate refund checks.
Tax fraud with ‘ghost details’ primarily affects the tax authority in the country where it is happening. This year, the IRS identified approximately 12,617 cases of identity theft tax fraud in the US, leading to refunds of over $6.3 billion. And unfortunately, it’s highly likely that this is only the tip of the iceberg, with a high proportion of cases still undiscovered.
Workplace data breach.
It might not be your first thought when someone says ghosting fraud, but workplace data breaches are also a high risk when an employee dies.
One famous data breach at Twitter in 2020, for example, led to over $800,000 in losses and a drop in the share price. It happened because fraudsters convinced employees that they were part of the security team, and needed to verify the identity of the workers by getting their passwords when the company moved to remote work. The fraudsters then began tweeting links to cryptocurrency scams from high-profile and celebrity accounts, generating hundreds of thousands in profit.
In the same vein, scammers can use the log-in details of deceased employees if their accounts have not been shut down by their employers.
Alongside the threat of huge financial consequences, falling victim to ghosting fraud might also result in reputational damage, and make it hard for businesses to attract new customers.
Large corporations can’t rely on death notifications from family members or on third party log-in software. Instead, continuous monitoring is key in preventing fraudulent access.
What are the key fraud challenges for companies?
While the vast majority of ghosting fraudsters are seasoned scammers, others might be family members looking to exploit their relative’s death. This makes the fraud even harder to fight against.
A major challenge for some businesses is that sophisticated fraudsters can easily bypass outdated identification methods, such as only requiring details like date of birth and social security numbers.
This should be a key concern for organizations, and they should prioritize updating their identity verification services to reflect the threat of ghosting fraud, among other types of scams, such as money laundering.
How to detect and prevent ghosting fraud.
While death registers may still be stuck in the Stone Age, that does not mean your organization needs to be.
Entrust the detection and prevention of ghosting fraud to a dedicated fraud prevention and identity verification platform like IDnow.
Our six-pronged approach to data checks involves:
- A derogatory financial score
- Property data
- Vulnerability data
- Application data
- And all-important mortality data: to ensure that the applicant is not deceased, and is therefore who they say they are
Alongside mortality data, IDnow conducts Know Your Customer checks for a comprehensive overview of who your customers are.
Ongoing monitoring, through Strong Customer Authentication, allows our clients to comply with regulatory requirements. Our identity verification services combine biometric information (such as face ID or a fingerprint) and possessions (such as a code sent to their mobile phone) alongside knowledge, for better validity in customer identity checks.
Team Lead of Product Marketing at IDnow
Connect with Ellie on LinkedIn