In the panoply of risks at hand where our identities are not properly protected, one which has perhaps attracted less attention than others – but which warrants serious consideration – is ‘ghost fraud’. Ghost fraud is, unfortunately, precisely what it sounds like: hackers use the stolen credentials of a deceased person to carry out fraudulent activities such as applying for loans and credit cards, purchasing items and withdrawing funds. Other avenues have included collecting government benefits or tax rebates, insurance premium fraud, and misleading fundraising activities via the victim’s social media accounts. Some more patient criminals even use impostor accounts to build lines of credit over time, to achieve credibility with a financial institution or lender with a view to a larger fraudulent payout down the line.
Sometimes referred to as impersonation of the deceased (IOD) fraud, this is often perpetrated by someone who knows the deceased person and has enough information to hand. With the ongoing proliferation of data breaches, and growth of the dark web, it has become a dispiritingly common phenomenon more generally. However, when a loved one passes away, bereaved families have often unwittingly published personal information about them in obituaries which allows fraudsters to add to data already gleaned from hacking, phishing, or social media – this can be enough to fill the gaps in a criminal’s knowledge and allow them to steal the deceased person’s identity.
Naturally, among the last things most of us want to spend time on following a bereavement is proving our loved ones died before an application was made should a creditor or subsequent fraud victim come knocking. Prevention is therefore of paramount importance, to avoid not only the emotional trauma which can be visited upon their family in the aftermath of their death, but the threat of financial and reputational harm to the deceased’s estate.
Ultimately, this kind of fraud is best avoided by keeping access to sensitive personal information tightly controlled, primarily through rigorous adherence to multifactor authentication models: not only the ‘something I know’ such as secret answers or passwords, which can be gleaned with alarming ease by criminals, but also ‘something I have’, such as a mobile device, or ‘something I am’, such as a biometric. Before the time of death, the prospective victim (or those caring for them) can help keep their accounts and information safe from those seeking to exploit them, and then subsequently the executor(s) can be confident that any action taken in the deceased’s name is being undertaken by them, the approved party.
This is an area of particular concern for the mobile industry: one report by ID Analytics, for example, found that of the 2.5 million deceased individuals in the US falling victim to ghost fraud, 800,000 had their identities used to establish lines of credit to open mobile phone subscriptions. The mobile industry therefore has both an ethical and commercial interest in combatting this particularly unpleasant form of criminality – and, thankfully, also the means to do so.
With an unmatched array of working partnerships with relevant private and public sector organisations such as banks, technology innovators and regulators – and an established role worldwide as trusted guardians of personal data throughout lifetimes – operators are uniquely positioned to help prevent cruelty of this kind. And, as the global meeting place for operators and their ecosystem partners, the GSMA proposes that more discussions on this often overlooked form of identity fraud take place over the coming year.