These days no one is safe from fraud. Even charities are a target with the third sector losing an estimated £2.3bn worth of donations this year alone. It is therefore no surprise that fraud is now the most common crime in the UK, with an annual cost of £190bn, more than double the amount the Government spends on the NHS. This equates to around £10,000 for every single family in the UK, according to the Annual Fraud Indicator 2017.
Identity fraud is one of the fastest growing areas. A possible reason for this, as our research among ex-offenders suggests, is that it is considered an easy crime.
With thousands of organisations being hacked, the wealth of personal data available on the black market for as little as 5p per record is overwhelming. In 2016, the number of reported data breaches increased by 40% and it is thought that a similar figure will be racked up in 2017.
Only a few weeks ago Uber owned up to a data breach impacting 57 million users, while the hack on Equifax back in September is thought to have affected up to 143 million people. The dark web is awash with the personal information of literally millions of customers globally, from passwords and account numbers through to birthdays and addresses – a fraudster’s paradise.
Next May, under GDPR, all organisations will be required to report a breach within 48 hours or be subject to a large fine. The aim is to help better protect consumers and their personal information; however, the side effect of this new regulation is that it serves as free advertising.
The breach will be in the public domain within two days of it occurring and fraudsters will quickly become aware of what kind of information is available, even if only for a short period of time. If consumers know that their data has been compromised, they can act upon it and reduce the chance of fraud. But this is where deceased ID fraud comes in. It makes the value of the stolen data live on, as a deceased person obviously won’t be aware of a breach and can’t protect themselves.
Deceased ID fraud is the illegal procurement of the personal information of someone who has passed away and then using that data to obtain goods and services in their name – anything from financial products such as loans and credit cards through to consumer goods on credit such as catalogues or mobile phones.
There are also instances of people using the deceased as guarantors and references for things such as renting a property. Deceased ID fraud generally falls into one of two camps: organised crime (the purchase of data on the dark web) or opportunistic (the recent case of a family friend emptying the bank account of a deceased person because they knew the bank hadn’t been informed of the death yet).
The attractiveness of the personal information of people who have died to both criminal gangs and opportunistic consumers is that it typically takes much longer to identify fraudulent activity around the accounts of a dead person than it does to detect normal ID fraud, as organisations often aren’t aware that a customer has passed away.
Consequently, early notification of a person’s death is important so that stops can be put into place to safeguard against fraud. Alternatively, screening new applications for credit or large orders against ID fraud products can help identify any suspicious activity.
Today the rate at which deceased data reaches these files is incredibly fast, meaning that bogus orders and applications can be caught very quickly. It is also considered best practice to suppress customer databases against deceased files.
This is important as otherwise there is the possibility that marketing such as catalogues, direct mail or financing offers can be left hanging around the property of a person who has died as the household goes through probate and possible resale. Fraudsters are known to book viewings at homes where the owner has died with the specific aim of stealing mail to gather personal information in order to steal their identity.
Whilst GDPR itself could inadvertently contribute to a rise in deceased identity fraud, moving forward organisations will be responsible for protecting the information of their customers as best they can. Putting into place safeguards against deceased ID fraud will therefore work towards not only GDPR compliance but also, in the case of financial services, “know your customer” (KYC) and “anti-money laundering” (AML) compliance.
Karen Pritchard is product director at Wilmington Millennium