Share this post

With an 8 percent increase from the previous year, identity fraud is on the rise. More fraud means more victims, but the victims do not exist without perpetrators, and it’s important to understand exactly who these perpetrators are. The bad actors fall broadly into three main types of fraud: those who commit first-party, second-party, or third-party fraud.

First Party Fraud

Have you ever thought about slightly distorting your personal details to receive a credit card or perhaps a more attractive mortgage from a bank? Misrepresenting your identity or personal circumstances in any way – however minor – to procure unsecured banking credit is, in fact, one of the types of first-party fraud.

First-party fraud also encompasses taking out a loan or using credit without ever intending to repay the money. For example, someone may order a new flat-screen TV on credit, spending a larger sum than usual. An unusual purchase event can cause a bank to diligently call their customer to ask if the unusual purchase is authentic.

If the account holder claims they made no such purchase or did not receive the goods, the bank will often refund the money, leaving the retailer out of pocket as the bank demands a chargeback.


Everyone’s doing it

The most worrying thing is that people believe that this type of fraud is some form of ‘acceptable fraud.’

Shockingly, as many as one in seven Britons have committed consumer fraud, a statistic that’s mirrored elsewhere in the world. However, this kind of first-party fraud is causing companies huge losses, but it is also driving up the premiums for innocent customers.


Second-Party Fraud

Second-party fraud is more complex.  This is when legitimate account holders knowingly give their personal details or credentials to a friend or acquaintance to commit fraud. The associate can order goods or services from a device not linked to the account, making the fraud appear realistic.

It is challenging for banks to prove that the customer was complicit in the crime. This is known colloquially by the oxymoron ‘friendly fraud’, which we discussed in our previous blog post.


An interesting twist to this type of fraud comes when customers are seduced by fraudsters advertising ways to ‘make $200 fast’.

To receive the cash, the legitimate account holder will agree to accept and transfer funds in and out of their bank account on behalf of a second party. In return, they get to keep a share of the money for themselves. In reality, this is money laundering, and the people who have shared their bank details are money mules.’

But since the affected accounts belong to real people with legitimate credentials, detecting fraudulent activity can be problematic.

Third-Party Fraud

This is what usually springs to mind when people think about types of fraud. It is distinct from first and second-party fraud in that the customer does not know the fraudulent activity; in this situation, they are clearly the victim. The fraudster impersonates their identity, taking uses real-life facts about them to deceive their bank.

A common example of this type of fraud is account takeover (ATO). A fraudster gains access to a victim’s account using their personally identifiable information (PII), either being hacked or acquired through social engineering techniques such as phishing.

This is when a fraudster poses as a trusted entity to dupe their victim into revealing confidential information. This leads to an account takeover of the victim’s account, resulting in fraudulent transactions or purchases or drain funds.


Loan Stacking is another commonly used trick. This is when the criminal uses one person’s details to apply for multiple small loans from a wide variety of lenders. The gains can be huge, whilst it wreaks havoc on the victim’s credit score.

Why each type of fraud can be difficult to detect

These types of fraud are not easy to detect, but for different reasons.

  • You can’t interrogate the customer: In the case of first-party fraud, it can be challenging to establish whether customers are truthful. It is not a customer service best practice to interrogate a customer’s monthly spending, and a bank can’t go into their customers’ homes to see if there’s a brand new TV hanging on the wall. This type of fraud is hard to spot and even harder to prove.
  • No one will confess: Similar difficulties arise with second-party fraud.  Asking an individual outright if they have ever shared their banking details with anyone else isn’t going to get the bank anywhere – as the answer will inevitably be a defensive ‘no, of course not.’ As the individual has knowingly allowed this fraud to occur, all personal details are correct, and most of the usual signals of fraudulent behavior are not present. When individuals refuse to acknowledge their involvement, the banks will be hard-pressed to find firm evidence to prove they were. It’s a case of one person’s word against another’s.
  • Shrouded in complexity: A fraudster will often combine different techniques to complicate attempts to detect suspicious activity. For example, they might target individuals with low credit scores who are unlikely targets of fraud. Next, they may use credit piggy-backing, which adds another cardholder’s information to boost the credit score.

That additional user could be based on a synthetic identity, where the fraudster combines real and falsified information to create a new, more credible account holder.

This is a widely used technique, and Aite Group estimates synthetic identity credit card fraud will reach $1.25 billion in losses for American financial institutions in 2020. From here, the fraudster could ‘loan stack’ to make as much money – in as short a timeframe – as possible.

It’s this combination of so many different, highly sophisticated types of fraud that allow fraudsters to evade detection so often.


Combatting these diverse crimes

With the perpetrators of fraud ranging from organized crime gangs to long-term, highly valued customers, it’s hard to envisage an all-encompassing solution capable of combatting all three main types of fraud.

However, there is a way.  By combining device assessment, malware detection, and behavioral biometric analytics, banks can build unique profiles for each customer and understand what ‘normal’ looks like. If anything deviates from the norm, they can decide whether to take action.

This could even be the most subtle of changes; for example, if a user is misstating the truth to apply for a loan, they might dither over some of the answers while wrestling with their conscience. While typing slowly or retyping information doesn’t make anyone guilty, it might warrant investigation.

Want to know more about our behavioral biometric technology? Request a demo now.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?