Document Fraud, Fraud Magazine
Featured Article

Detecting document fraud

When Blake Miner of south Florida received a letter from a bank in another part of the state about an account that he’d never opened, he took the matter to the police. They soon found out that a mother and daughter in central Florida, Jessica Chechile and Heather Steverson, opened the account in Miner’s name with notarized paperwork claiming to be his power of attorney (POA). Miner says he never signed the POA document or authorized a signature on his behalf. The account had deposited checks from ModivCare, a health care company based in Denver, Colorado. An image of a deposited check that Miner showed to police misspelled his name.

It’s unclear how the women got Miner’s personal information, but investigators soon discovered they’d been using other stolen identities to carry out a complex scheme to defraud Medicaid, a health insurance program for low-income Americans; Miner’s forged documents and fraudulent account were pieces of that puzzle. Investigators allege that Chechile and Steverson posed as drivers for patient transportation services, taxied patients to clinics across central Florida, fraudulently charging Medicaid for the trips and fleecing more than 20 low-income patients of $50,000 in benefits along the way. In April, the women were arrested on more than 200 combined charges, including identity theft, forgery, uttering a forged document, grand theft and racketeering. (See “Medicaid fraud? Eustis police arrest two in ‘most detailed’ scheme official has ever seen,” by Frank Stanfield, Daily Commercial, April 21, 2023 and “Lake County mother-daughter duo face charges in 2022 insurance fraud scheme,” by Emily McLeod, ClickOrlando.com, April 19, 2023.)

Criminals have long used forged documents and stolen identities to carry out all types of schemes like the case above. European anti-crime agency Europol considers document fraud a major engine of organized crime as faked identity and travel documents allow financial crimes, drug trafficking, human trafficking and terrorism to proceed. (See “Document Fraud: Will Your Identity Be Secure in the Twenty-first Century?” by Simon Baechler, European Journal on Criminal Policy and Research, June 3, 2020.) Yet while bogus documentation has provided cover to organized criminals for decades, there’s been an evolution of sorts in the use of fraudulent documents and who has access to them. No longer required are the time, patience and extraordinary skill to achieve the illusion of authenticity. Now anyone can fake information with readily available software like Adobe Photoshop and DocuSign. Whether this new generation of fraudsters is stealing checks in the mail for a check-washing operation or fudging their salaries for car loans, document fraud is taking all forms and is on the rise. We examine what’s behind this latest iteration of document fraud and what organizations can do to detect it.

Document frauds old and new

History is full of well-known examples of forged and faked documents and the persistent efforts to fight them. Indeed, forgery was common in Ancient Rome, and in the sixth century, the Roman Emperor Justinian dictated rules for comparing handwriting in courts. Venice, Italy, banned the use of checks in 1526 because check fraud was so widespread. (See “Criminals use Telegram to recruit ‘walkers’ as America’s big banks see an 84% increase in check fraud,” by Eamon Javers and Paige Tortorelli, CNBC, Feb. 6, 2023 and “A brief history of handwriting examination,” by Evaristo Alvarez Ghigliotti, Monografias.com.)

Perhaps the most notorious example of document fraud is the “Protocols of the Elders of Zion,” a forged publication from the early 1900s created to spread lies about Jewish people and used as a pretext to persecute them. The document still circulates on the web. (See “Protocols of the Elders of Zion,” The United States Holocaust Memorial Museum.) While not as destructive, forged documents purporting to be love letters between a young Abraham Lincoln and a woman named Ann Rutledge fooled many into thinking the U.S. president was nursing a broken heart. (See “Abraham Lincoln’s love letters captivated America. They were a hoax,” by Randy Dotinga, The Washington Post, Feb. 23, 2023.) More recently, the Department of Justice busted an operation in which administrators and affiliates of three Florida nursing schools sold fabricated nursing diplomas and transcripts to people across the U.S. so they could qualify for the national nursing board exam. Recipients got nursing jobs in hospitals and other health care settings despite their lack of authentic credentials. (See “7,600 Fake Nursing Diplomas Were Sold in Scheme, U.S. Says,” by Michael Levenson, The New York Times, Jan. 27, 2023.)

As in Venice in the 1500s, check fraud is rampant once again. According to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), reports of check fraud increased from 350,000 in 2021 to 680,000 in 2022. FinCEN says that fraudsters most often steal signed checks from mailboxes to perpetrate “check washing” schemes in which they scrub the dollar amount and the recipient from checks, then rewrite them with a new recipient and a much larger sum. Standby methods to guard against counterfeits, such as watermarks and numbered checks, are no match for fraudsters who can obtain the real deal via mail theft. (See “FinCEN Alert on Nationwide Surge in Mail Theft-Related Check Fraud Schemes Targeting the U.S. Mail,” FinCEN, Feb. 27, 2023.) What these examples all have in common is people creating, altering, or using fraudulent documents for some benefit, whether to convince others of a lie or to obtain a financial reward. [See “What is Document Fraud? (How to Detect Fraudulent Documents Faster & More Accurately),” Ocrolus.] A fraudulent document can include different elements, but generally there are three major categories of document fraud:
  • Counterfeit: A document is created to look genuine, but it’s not authorized by an issuing authority.
  • Forged/altered: An authentic document is modified with or without the knowledge or consent of the original owner or issuer.
  • Fake: Documents are created to deceive or mislead and could be entirely fabricated or an amalgamation of truthful and false information.

In the following sections, we’ll see how fraudsters are currently using these documents and how ignorance of who these fraudsters are and how they obtain these documents is making lenders and other financial institutions vulnerable to fraud.

 

Gaming the system

According to Veriff’s 2023 Identity Fraud Report, fraud in general increased 18% globally between 2021 and 2022, with document fraud seeing the second-largest increase at 33%, behind recurring and pattern fraud at 43% (where fraudsters use the same tried-and-true methods to trick systems). Fraudsters also expanded their operations to new countries in 2022, including Uzbekistan, Kazakhstan, Belarus, Paraguay and Thailand. (See “Veriff’s 2023 Identity Fraud Report Reveals Continued Rise in Global Fraud, with Greatest Leap in Recurring Fraud,” Veriff, PR Newswire, Dec. 5, 2022.)

Among Veriff’s other findings, document fraud increased by 79% in financial services organizations in 2022 compared to 2021, and identity fraud was more than half (51%) of all incidents in the financial services sector. Government-issued identification cards were the most highly forged form of documentation. (See Figure 1 below.) Other most frequently forged items included documents to verify customers’ income and residence like utility bills, tax forms, business filings, bank statements, invoices, Social Security cards and pay stubs.

Figure 1: Top documents used for fraud globally in 2022.
Source: Veriff Identity Fraud Report, 2023. Chart courtesy of Veriff.

As Veriff states in its report, the lockdowns and social distancing requirements during the COVID-19 pandemic were a major factor for the increase in document fraud. All manner of business and governmental operations moved online, and people were now using the internet more than ever before to share sensitive information for essential services. This proved to be an incredible opportunity for fraudsters, especially regarding COVID unemployment relief funds and the Paycheck Protection Program (PPP) small business loans.

According to ProPublica, international organized criminal networks used stolen identities to file phony claims for unemployment benefits in bulk. They even used low-wage workers to file bogus claims with stolen information. Fraudsters used messaging apps such as Telegram to sell stolen IDs, trade tips on how to file bogus claims and provide instructions to get around security checks. In California, prison inmates successfully bypassed state unemployment agency anti-fraud controls with stolen Social Security numbers, made-up names and fake driver’s licenses for pandemic relief funds. (See “How Unemployment Insurance Fraud Exploded During the Pandemic,” by Cezary Podkul, ProPublica, July 26, 2021 and “Pandemic-related fraud totaled billions. California is trying to get some of it back,” by Eric Westervelt, NPR, Oct. 18, 2022.)

But it wasn’t just organized crime that took advantage of relief funds. Independent, opportunistic fraudsters also capitalized on easy access to federal money. For example, Danielle Miller, an Instagram influencer in Miami, Florida, used stolen identities and fake business names to apply for and receive more than $1 million in COVID-relief benefits. She even used a counterfeit driver’s license to charter a private jet from Florida to California where she stayed in a luxury hotel under a victim’s name. (See “Instagram Influencer Who Stole Mass. Resident’s Identity Pleads Guilty to $1M COVID Relief Fraud,” by Marc Fortier, NBC 10 Boston, March 6, 2023.)

The perfect conditions for document fraud

While many of the COVID-relief-related document frauds were fueled by third-party identity theft, organizations must also consider first-party fraud, in which an individual fabricates their income or conceals a history of bad debt to obtain a loan, as a source of fraud. (See “2022 Identity Fraud Study: The Virtual Battleground,” by John Buzzard, Javelin, March 9, 2022.) Justin Davis, CFE, of Point Predictive warns in the March/April 2023 issue of Fraud Magazine that periods of high inflation and economic uncertainty correlate strongly with first-party fraud. During economic downturns, people who normally wouldn’t commit fraud might be tempted to provide false information about their income to get a better rate on a loan. Amid a period of high inflation and concerns about recession and layoffs, lenders must be vigilant when verifying applicants’ income. (See “Lender beware.”) Ignoring first-party fraud is perilous considering that most people who commit fraud have no prior fraud convictions, according to ACFE’s Occupational Fraud 2022: Report to the Nations.

Artificial intelligence company Inscribe cautions lenders not to write off customers’ failures to repay loans as credit losses but to mine those losses for possible document fraud. Indeed, in its 2023 Document Fraud Report, Inscribe found that 88% of fraudulent documents had alterations to non-identification details, and 30% of fraudulent personal loan applications match the pattern of first-party fraud. [See “Why your credit losses might be due to fraud (and what to do about it),” by Patrick Moreau, Inscribe, Jan. 10, 2023.]

Strengthening procedures

During the pandemic, governments eased anti-fraud controls to quickly distribute funds to those in need, but that rush allowed fraudsters to slip through the cracks. (See “Prosecutors Struggle to Catch Up to a Tidal Wave of Pandemic Fraud,” by David A. Fahrenthold, The New York Times, Aug. 16, 2022.) Likewise, lenders that rush procedures to minimize customer friction and quickly approve loans make it easier for fraudsters to circumvent online application systems.

Perhaps the weakest links in the online loan approval process are the collection and inspection of know-your-customer (KYC) documents such as driver’s licenses, passports, utility bills and other identifying documents. Considering that anyone can obtain all manner of falsified documents on the web to build a synthetic identity, Frank McKenna, chief fraud strategist of loan data consortium Point Predictive, warned in a LinkedIn post that it’s risky for organizations to rely on documentation from potential customers.

“Organizations give themselves a false sense of comfort that requesting a document makes the loan legitimate,” said McKenna. “About 15% of pay stubs are forged or fabricated. Underwriters working through hundreds of these document reviews a day can’t possibly spot all the fakes.”

Slowing review and approval processes and equipping employees with better training to identify fraudulent documents can go a long way to preventing losses. Lenders and other financial institutions can also fortify their review and approval processes with clearly documented policies and procedures to assist fraud risk and review teams in making decisions on applicants. (See “AML & KYC: Addressing Key Challenges for 2023 and Beyond,” by Alex Roberto, Corporate Compliance Insights, March 16, 2023.)

Fighting document fraud with risk management tools

The massive wave of unemployment insurance fraud during the pandemic was enabled by governments’ aging or obsolete online systems, which were unable to manage the avalanche of applications for relief funds. International criminal organizations and first-time fraudsters used stolen identities and faked documents to game rickety verification systems. (See “How Unemployment Insurance Fraud Exploded During the Pandemic,” ProPublica.) But financial institutions and lenders can learn from the lessons of the pandemic to update their tools to better detect document fraud. As Inscribe data scientist Patrick Moreau writes, first-party fraud is difficult for lenders to identify because they don’t have the necessary tools to effectively beat the photo-editing and forgery techniques that fraudsters use to manipulate information on bank statements and pay slips.

Organizations often use third-party risk management (TPRM) software like GIACT, Ekata, Sift and Sardine to analyze and identify risks, such as determining whether an account belongs to a customer or if they have sufficient funds to withdraw money. But TPRMs interpret transactions based on a single data point, such as a fraud risk score, and don’t provide the complexity that lenders need to make decisions. A better approach is to use a risk engine, which can pull data from multiple sources, including from TPRMs, to make decisions about customers. Organizations could even build fraud profiles of their customers, archiving all activities that a risk engine can reference any time a customer submits information. When a customer submits three documents, such as a driver’s license and passport with different variations in the spelling of their name and a poor-quality copy of a bank statement with mismatched fonts to support a loan application, a risk engine references all available information to provide an overall score of that customer. Unlike TPRMs, risk engines base decisions on comprehensive information rather than TPRMs’ one-off scores.

Organizations must determine the types of tools and processes they’ll need to further enhance their operations to identify fraudulent documents. In many cases, they might need to build their own tools or seek an existing tool that will provide the following features.

Document forensics — Document forensics, such as handwriting analysis, is one of the oldest techniques of detecting document fraud. While early techniques might have relied on humans, digital tools are available to automate the process. A good forensic tool can detect earlier versions of a document, inconsistent fonts and the software used to create the document. Moreover, a document forensics tool that can find anomalies and discrepancies between documents might involve assessments of values or figures in tax returns or bank statements to ensure that numbers add up.

X-ray and metadata analyses — Electronically created documents have metadata — data about the data — that show who created it, when it was created or modified, the software used to create it, and whether there’s embedded text, with information about fonts, spacing, colors and whether placement of the text has changed. Sophisticated AI and machine learning tools like x-ray and metadata analyses can detect changes to a document since it was first created. The best tools can show whether PDFs submitted by customers, such as bank statements, utility bills or tax forms, are authentic.
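A minimal sketch of the metadata check described above, added here as an illustration and not taken from the article or any vendor's tool. It assumes an uncompressed PDF whose Info dictionary uses literal strings; the sample file, the producer names and the `expected_producers` allow-list are constructed.

```python
import re
from datetime import datetime

# Constructed sample: a statement PDF plus one appended revision (an
# "incremental update"), which is how many editors save a modified file.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Producer (ExampleBank Statement Engine 4.2)"
    b" /CreationDate (D:20230301090000Z) /ModDate (D:20230301090000Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\nstartxref\n9\n%%EOF\n"
    b"1 0 obj\n<< /Producer (Example Photo Editor 24.0)"
    b" /CreationDate (D:20230301090000Z) /ModDate (D:20230412213015Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R /Prev 9 >>\nstartxref\n200\n%%EOF\n"
)

# Literal-string Info entries only; compressed or XMP metadata needs a PDF library.
FIELD = re.compile(rb"/(Producer|Creator|CreationDate|ModDate)\s*\(((?:\\.|[^\\)])*)\)")


def parse_pdf_date(raw):
    """Parse the leading D:YYYYMMDDHHmmSS part of a PDF date string."""
    m = re.match(r"D:(\d{14})", raw or "")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def revisions(pdf):
    """Return the Info fields found in each revision (bytes up to each %%EOF)."""
    chunks = pdf.split(b"%%EOF")[:-1]
    return [{k.decode(): v.decode("latin-1") for k, v in FIELD.findall(c)}
            for c in chunks]


def metadata_findings(pdf, expected_producers):
    """List (code, detail) findings worth a reviewer's attention."""
    revs = revisions(pdf)
    findings = []
    if len(revs) > 1:
        findings.append(("multiple_revisions", f"{len(revs)} saved revisions"))
    producers = [r["Producer"] for r in revs if "Producer" in r]
    if len(set(producers)) > 1:
        findings.append(("producer_changed", " -> ".join(producers)))
    last = revs[-1] if revs else {}
    producer = last.get("Producer", "")
    if not any(producer.startswith(p) for p in expected_producers):
        findings.append(("unexpected_producer", producer or "missing"))
    created = parse_pdf_date(last.get("CreationDate"))
    modified = parse_pdf_date(last.get("ModDate"))
    if created and modified and modified > created:
        days = (modified - created).days
        findings.append(("modified_after_creation", f"{days} days later"))
    return findings


if __name__ == "__main__":
    for code, detail in metadata_findings(SAMPLE_PDF, ("ExampleBank",)):
        print(f"{code}: {detail}")
```

An appended revision also occurs for legitimate reasons such as digital signing or form filling, so these findings are prompts for review rather than proof of alteration.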

Template detection — There’s a budding market of document template generator services on the dark web and the World Wide Web catering to a growing industry of fraudsters. Anyone can find the right template to create an authentic-looking document. Fraudsters offer template creation services for a small fee, making it easy for anyone to access fraudulent documents. Inscribe has noted a considerable increase in the use of templates for document fraud in the last year as demonstrated in Figure 2 below. (See “2023 Document Fraud Report,” Inscribe.)

Figure 2: Unique document templates flagged by Inscribe.
Source: Inscribe.

Because so many of these templates are readily available on the internet, organizations can learn what’s available and build their own archives of templates to help them identify when a customer has sourced a template online for the documentation they provide.

Blocklists or watchlists — Consider creating lists of repeat offenders to check whether a new customer matches a confirmed fraudster. Creating these types of lists is essential considering that in 2022, there was a 46% increase in recurring and pattern fraud, according to Veriff’s report.

Two-way matching — Two-way matching, which checks for discrepancies between documents, such as invoices and purchase orders, is greatly aided by optical character recognition (OCR), or text recognition. OCR can extract data from scanned documents such as invoices and complete processes such as validating the information provided by the customer against that found on the submitted documents (i.e., name and address of the document owner, balance information, document dates, full transaction history for the statement period, etc.). A discrepancy doesn’t necessarily indicate fraud, but it is a variance that can warrant further examination.
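The two-way match described above, together with the add-up check on statement figures mentioned under document forensics, as an added example that is not from the article. The field names, the 0.85 similarity threshold and the sample application and OCR output are assumptions constructed for illustration.

```python
import re
from datetime import date
from decimal import Decimal
from difflib import SequenceMatcher

# Constructed sample data: what the applicant typed, and what OCR extracted
# from the bank statement they uploaded. All names and figures are invented.
APPLICATION = {"name": "Jordan A. Sample", "address": "12 Harbor St., Apt 4"}
STATEMENT = {
    "owner_name": "Jordon A Sample",
    "owner_address": "12 Harbor St Apt 4",
    "period": (date(2023, 3, 1), date(2023, 3, 31)),
    "opening_balance": Decimal("1200.00"),
    "closing_balance": Decimal("8249.75"),
    "transactions": [
        {"date": date(2023, 3, 3), "amount": Decimal("2500.00")},
        {"date": date(2023, 3, 10), "amount": Decimal("-300.00")},
        {"date": date(2023, 3, 24), "amount": Decimal("-150.25")},
    ],
}


def norm(text):
    """Lower-case, drop punctuation and collapse whitespace before comparing."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", text.lower())).strip()


def two_way_match(application, statement, near=0.85):
    """Return (code, detail) variances between the application and the document."""
    variances = []
    typed, printed = norm(application["name"]), norm(statement["owner_name"])
    if typed != printed:
        ratio = SequenceMatcher(None, typed, printed).ratio()
        code = "name_spelling_variant" if ratio >= near else "name_mismatch"
        variances.append((code, f"{typed!r} vs {printed!r}"))
    if norm(application["address"]) != norm(statement["owner_address"]):
        variances.append(("address_mismatch", statement["owner_address"]))
    # The numbers must add up: opening balance plus every transaction.
    moves = sum((t["amount"] for t in statement["transactions"]), Decimal("0"))
    expected = statement["opening_balance"] + moves
    if expected != statement["closing_balance"]:
        detail = f"computed {expected}, printed {statement['closing_balance']}"
        variances.append(("balance_does_not_reconcile", detail))
    start, end = statement["period"]
    late = [t for t in statement["transactions"] if not start <= t["date"] <= end]
    if late:
        variances.append(("transaction_outside_period", f"{len(late)} item(s)"))
    return variances


if __name__ == "__main__":
    for code, detail in two_way_match(APPLICATION, STATEMENT):
        print(f"{code}: {detail}")
```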

Network or database detectors — International law enforcement agencies use archives and databases of forged documents such as Switzerland’s Interstate Database of Fraudulent Identity Documents (BIDIF) and the False and Authentic Documents Online (FADO), an internet-based image-archiving system that European Union countries use to share forged and real documents. [See “An efficient method to detect series of fraudulent identity documents based on digitised forensic data,” by Solène Lugon Moulin, Céline Weyermann, Simon Baechler, Science & Justice, volume 62, issue 5, September 2022, Pages 610-620 and “False and Authentic Documents Online (FADO),” European Commission.] While similar databases might not exist for lenders and financial institutions, organizations should consider developing their own or collaborating with other organizations to create one. This is a huge undertaking, but it’s paramount that financial institutions and lenders share information about fraudulent documents, especially considering that fraudsters share their tips, tricks and templates to create fraudulent documents.

An effective database or archive tool supports document comparison and detects whether documents share a common source or deviate from the typical characteristics of authentic documents. The overall effectiveness of network-based detectors relies on a large network of historical documents for comparison, which small financial institutions might not be able to effectively institute on their own.

As fraudsters continually adapt to the changing times and take advantage of the latest technologies to produce and distribute fraudulent documents, financial institutions and their fraud examiners must also adapt to the times, understand the mechanisms that allow document fraud to flourish and adjust their methods of detection accordingly.

Dustin J. Eaton, CFE, is an executive-level fraud and risk professional having worked for banks, fintechs, broker dealers and more during his career. Contact him at djenzwm@yahoo.com.

Theodore “Teddy” Colon, J.D., is a New York state licensed attorney with an undergraduate degree in computational mathematics. He was a member of the New York Police Department where he spent five years changing the department’s approach to data processing and training a generation of new data analysts. Contact him at TColon830@yahoo.com.
