VIENNA, Va. – The Financial Crimes Enforcement Network (FinCEN) today released its analysis of identity theft suspicious activity reports (SARs) filed by securities and futures firms that shows identity thieves prefer to use stolen account identifiers to take over existing legitimate investment accounts rather than to set up new unauthorized accounts.
This is one of several trends uncovered in FinCEN’s analysis Identity Theft Trends, Patterns, and Typologies based on suspicious activity reports filed by securities and futures industry firms (SAR-SF). The report examined a sample of the more than 10,000 identity theft SAR-SFs submitted between 2005 and 2010, representing more than a tenth of all SAR-SFs filed during that period.
“The analysis illustrates how through the review of SARs, FinCEN can spot criminal patterns that help an investigation and lead to holding criminal actors accountable for their actions,” said FinCEN Director James H. Freis, Jr. “This report contains information that provides a window into the type of activities identity thieves undertake, of which financial institutions should be aware in order to protect their customers and the financial system from criminal abuse.”
Key findings from the report include the following:
- Identity thieves most often stole individual and account identifiers through computer intrusion, physical theft, or phishing and vishing scams. Thieves then attempted to use the stolen identifiers to initiate unauthorized transactions within existing accounts or to set up new accounts.
- During most of the study period, identity thieves reportedly preferred to take over existing legitimate investment accounts rather than to set up new unauthorized accounts using stolen identifiers. This preference appears to relate to the greater level of scrutiny investment firms place on new accounts compared to the level placed on existing accounts.
- While most SAR-SFs reported the direct theft of funds from existing accounts, there was also a high reported incidence of share price manipulation. For instance, between the fourth quarter of 2006 and the first quarter of 2008, 20-40 percent of quarterly filings reported attempts to manipulate the share values of thinly-traded securities with funds stolen from the investment and/or depository accounts of identity theft victims.
- Filers frequently reported more than one victim per filing after the same bank account number, phone number, Internet protocol (IP) address, media access control (MAC) address, physical address, and/or email address was used to facilitate theft from multiple victims. Overall, nearly 8 percent of filings reported attacks from the same IP address on accounts of multiple victims.
- Wire fraud was co-reported with identity theft in nearly 53 percent of the relevant sample filings. Virtually all SAR-SFs co-reporting wire fraud described unauthorized Automated Clearing House (ACH) transfers.
- Identity thieves used checks to promote financial fraud in nearly 16 percent of sample filings. While the general public’s use of checks is declining, the trend in reports of thieves’ check use increased modestly. Just over 6 percent of filings reported identity thieves used debit cards to steal funds. Debit card usage by identity thieves and dollar loss trends moved strongly up.
As part of the analysis, FinCEN reached out to representatives of the Bank Secrecy Act Advisory Group (BSAAG) Securities and Futures Subcommittee for input regarding the types of information industry would find most useful.