It could be easier than you think for fraudsters to open an ‘impostor’ bank account in your name, a Which? Money investigation has found.
We ‘data swept’ volunteers and found a level of personal information available online which police believe could be enough for a fraudster to open a UK bank account.
It comes after a recent report from fraud prevention body Cifas highlighted ‘growing concern’ that fraudsters are opening accounts using stolen identities.
- The full version of this investigation appeared first in the October issue of Which? Money magazine. Try Which? Money for two months for £1.
How much information is available online?
We recruited 10 volunteers (a mixture of Which? staff and members) who were willing for us to ‘data sweep’ them as an identity fraudster might, to see how much information we could gather using legitimate sources.
This involved combing social media profiles, personal websites, the Land Registry, Companies House, the electoral roll and ancestry sites. All of our sources could be easily accessed by anyone with an internet connection.
For half of our volunteers, we found full names, dates of birth and residential addresses, plus at least two other pieces of identity information, such as their mother’s maiden name, their place of birth, marital status and occupation. Police believe this is likely to be enough for a fraudster to open an account online with a high street bank.
Chris Felton, National Fraud Intelligence Bureau (NFIB) detective inspector, said: ‘As long as you’ve got the basic name, date of birth and address right, you’re probably pretty much there.’
Some volunteers were particularly vulnerable because they were company directors, charity trustees or web domain registrants. But we also found examples of people giving away large amounts of personal information through social media.
How do criminals steal your identity?
Impostor applications often take place in order to deposit the proceeds of scams, or as a ‘link within a mule network’.
They can also be lucrative for ‘acquisitive reasons’ such as raiding an account’s overdraft facility or associated credit card offers. Overdrafts can also be transferred to another account for easier access to cash.
Criminals have many ways of obtaining the details needed to apply for a current account in your name. Cifas told us they use methods ‘from data loss and stealing mail, through to hacking, obtaining data on the dark web, as well persuading people to give up personal information by pretending to be from a bank, the police or a trusted retailer’.
No paper documents required
While it’s widely believed that you must show a physical ID document and proof of address when opening a UK bank account, that’s no longer always the case. Accounts are increasingly opened online rather than in branch – often without recourse to physical documents.
Instead, checks are done electronically by comparing your identity data, given as part of the online form, against your credit file and several other sources (such as databases of fraud victims or deceased people).
While practice varies between account providers (with some requiring scans or images of documents while others do not), the basis of electronic checks is your full name, address and date of birth, as laid down by the Joint Money Laundering Steering Group guidelines.
This may explain why 96% of identity frauds across all financial products were committed using a real person’s identity in 2016. A completely fictitious identity wouldn’t have a credit profile at all, and so might prompt extra checks such as a request to visit a branch.
‘I had an account with a bank I’d never heard of’
Which? member Vincent Armstrong (pictured) was shocked to come home and find a current account welcome pack from First Direct – a bank he hadn’t heard of.
On calling First Direct, he was told an account had been opened in his name. He asked for it to be closed immediately, but the bank initially refused.
The bank’s fraud team later told him the impostor who’d opened the account had done so with his name, date of birth and address.
Even more worryingly, they had a £500 overdraft that they had the option of transferring to another account so they could access the cash.
Mr Armstrong found his credit score had been affected by the fraudulent application. He told us that when he first approached the bank, he felt it ‘didn’t care about my worries, nor did it want to help’.
He added: ‘I still find it very strange no ID or proof of address was needed.’
First Direct told us it had ‘acted quickly’ to close the account and correct Vincent’s credit history, but recognised it ‘could have done more to reassure him along the way’.
It also enrolled him to a protective anti-fraud database operated by Cifas. It apologised and added that it had since ‘completely overhauled our account opening process, which has greatly reduced this type of fraud’.
Banks respond to bank account fraud
We asked the UK’s four biggest banks to respond to our findings, and all stressed they had sophisticated systems in place to prevent impostor applications.
Barclays told us: ‘We apply the same rigorous security policies online as take place in branch. This includes using the information provided to validate an applicant’s identity in real time with a number of credit reference agencies. In addition, we will also ask questions specific to the applicant’s credit history, which is unlikely to be in the public domain.’
HSBC also confirmed it completed ‘a number of checks as part of our online account opening, which includes identity and address checks as well as running anti-impersonation checks’.
RBS said online applicants are required to show ID documents, either by uploading them to its ‘DigiDocs’ service, or by presenting them in person at a branch.
Lloyds – encompassing Halifax and Bank of Scotland – said obtaining an applicant’s name, address and date of birth is just the first step in a ‘multi-layered approach’ which draws on sources including ‘credit information, fraud prevention data, previously identified fraudulent applications and information about the device being used to make the application’.