What is third-party fraud?
Third-party fraud refers to fraudulent activity committed using someone else’s identity or personal information. As such, it usually falls under the broader category of identity theft.
The term "third-party" emphasizes that the person committing the fraud is not the legitimate customer, but an external actor. This type of fraud is far-reaching and may involve several different tactics, ranging from application fraud to account takeovers.
Third-party fraud is a major concern for both individuals and businesses. A 2024 Javelin report found that third-party fraud costs Americans as much as $43 billion per year — but even such a massive figure obscures the psychological distress that comes with watching your credit score plummet or your bank account drain. For businesses, third-party fraud similarly represents a multi-billion-dollar threat that extends beyond direct financial losses to encompass regulatory fines and long-term reputational damage.
Because "third-party fraud" is such a general term, it can be difficult to understand the full scope of the problem. But it's worth taking the time to understand how the various forms of identity theft work — and how to combat them with proactive strategies and preventative measures.
First-party fraud vs. third-party fraud
The person or entity committing the fraud is the key element that distinguishes third-party fraud from another common type of fraud: first-party fraud.
First-party fraud involves the fraudulent use of one's own identity
Third-party fraud involves the fraudulent use of someone else's identity
The idea of using your own identity to commit fraud might seem confusing or contradictory, but it's more common than you might expect. First-party fraud is a multi-billion-dollar problem in its own right. Common examples include individuals who apply for credit cards or loans with no intent to repay, and individuals who ask for refunds for "lost" or "damaged" goods that were successfully obtained.
While the line between fraud types can sometimes blur, the distinction matters. The actors, tactics, and risk signals differ significantly and thus require different prevention strategies.
Examples of third-party fraud
Application fraud
Application fraud happens during the onboarding process, when a fraudster uses false information or a stolen identity to open a bank account or apply for financial products such as credit cards or personal loans. It typically involves forging, doctoring, or outright stealing documents such as the customer's valid passport or ID card.
A strong KYC process can help prevent application fraud — especially one that includes a selfie and liveness video along with automated documentation checks. Fourthline's identity verification solution, for example, performs over 210 checks on every document and selfie, resulting in a high level of fraud detection accuracy.
Fourthline's advanced identity verification solution detects up to 99.98% of fraud committed at onboarding, with 90% of checks automatically performed in the background to minimize friction for legitimate customers.
Account takeover fraud
Account takeover fraud is pretty much what it sounds like: a fraudster gains unauthorized access to a victim's account and uses it to commit fraud. Fraudsters may gain access to login credentials through a variety of methods, including:
Phishing, a type of social engineering attack in which individuals are tricked into revealing sensitive login information, often via fake emails, texts, or websites that appear legitimate.
Data breaches, in which a company storing an individual's sensitive information is hacked.
Business Email Compromise (BEC), a sophisticated cyberattack in which attackers impersonate trusted figures (like executives or vendors) to trick employees into disclosing sensitive information.
And those are just a few. Once fraudsters have access, they can run wild — changing account details, making unauthorized transactions, or stealing personal information for later use. Fourthline helps to prevent account takeover fraud with a client authentication solution consisting of device, geolocation, and biometric checks. You can add an additional selfie check in cases where red flags — such as an usually large transaction or an anomaly in device metadata — pop up.
Synthetic identity fraud
Synthetic identity fraud is a type of identity theft in which a fraudster creates an artificial identity from a combination of real and fake components. They may pair a legitimate social security number (SSN) with a fake name and date of birth to open a bank account, apply for a loan, or commit some other type of fraud. Though this is technically third-party fraud, it bears noting that there can be multiple victims here — for example, if one person's SSN is used in tandem with another person's name and birth date.
Fourthline's proprietary algorithms are specifically calibrated to catch synthetic identities by analyzing thousands of data points simultaneously. Our analytics can reliably detect the small discrepancies and atypical patterns that usually signal synthetic identity creation.
Card-not-present (CNP) fraud
Card-not-present (CNP) fraud has become increasingly common as the financial landscape has moved online. It occurs when a fraudster uses a victim's credit card or debit card information to make a purchase without being in physical possession of the card. Whereas this used to happen more during phone orders, it's now heavily concentrated in online transactions where the cardholder's physical card isn’t required.
To combat card-not-present fraud, businesses can implement security measures focused on detecting fraud in the moment, such as Fourthline's always-on fraud detection and predictive pattern recognition.
How third-party fraud works: An example
What does third-party fraud look like in practice?
Consider a common example in which a hacker obtains a victim's email login credentials through a phishing email. The email looks legitimate and claims to be from the victim's bank — it even includes the bank's logo and branding elements. The email's subject line reads, "Urgent: Suspicious activity detected on your account."
Seem fishy? Perhaps, but these schemes do a good job of exploiting in-the-moment panic and uncertainty.
Upon opening the email, the victim finds a link to "Restore Account Access." They hurriedly click the link, and they're taken to a fake website designed to capture their login credentials and personal information.
Once the victim enters their information, the hacker has won: They now have access to the victim's login credentials, and if they act fast, they may be able to transfer funds out to a third-party account or make unauthorized purchases.
Reporting third-party fraud
Individuals and businesses have different expectations and requirements for reporting third-party fraud. Here's a rundown of best practices:
Steps for individual victims
If you're a victim of third-party fraud, the best thing you can do is act quickly. Time is of the essence. Here are some steps to take immediately:
Notify your bank or financial institution: Immediately get in touch with the financial institution, whose representatives can help lock your accounts and advise you on what to do next.
Check your credit reports: Check your credit reports for any suspicious-looking transactions or newly opened accounts. Depending on your country, you may be able to request reports from multiple credit bureaus for free.
Report the fraud to local authorities: Contact your local consumer protection agency or an equivalent authority in your country. They can offer further guidance on how to proceed.
Document everything: Keep as many records as you can of everything related to the fraud. This can help solve disputes later.
Keep an eye out: Continue to monitor your accounts regularly to see if anything suspicious pops up. It can be easy to ignore your accounts (and many people do follow the "out of sight, out of mind" approach), but vigilance is the better way forward.
Steps for banks and financial institutions
Banks and other financial institutions are also accountable for reporting fraud to authorities and regulators. Depending on the specific jurisdiction and case of fraud, financial institutions may consider the following as best practices:
Establish a dedicated response team: This team should be trained to respond quickly to instances of fraud.
Document and notify those affected: Record the incident's details and inform affected departments and customers.
Report to authorities: The specifics may vary depending on where you're based and which local regulations apply, but generally you must report suspected instances of fraud to law enforcement and appropriate regulatory bodies. You may be required to submit Suspicious Activity Reports (SARs) to local financial regulators.
Investigate weaknesses and strengthen security: You'll need to figure out how the fraud occurred and what vulnerabilities were exploited so you can address them for next time. This may involve bolstering your internal practices, engaging with a new security partner, or both.
Educate your employees and customers: If you haven't already, consider investing in regular security trainings for employees and educational materials for customers.
Third-party fraud FAQs
What are the signs that I might be a victim of third-party fraud?
There are a few red flags to watch out for, including:
Unexpected or unexplained changes to your credit scores
Suspicious transactions on your bank or credit card statements
Bills for accounts you never opened.
If you notice any of these signs, don't wait to act.
How can I protect myself from third-party fraud?
Regularly monitor your financial accounts, use strong and unique passwords (and don't repeat passwords for different accounts), and enable two-factor authentication wherever it’s offered. Also, be cautious with emails or messages that ask for sensitive information. When in doubt, don’t click.
