A New Frontier of Fraud
Online DMV services open new opportunities for fraud
Of the many ways the COVID-19 pandemic changed our lives, it accelerated the shift from traditionally in-person services to online transactions. For motor vehicle agencies across North America, the pandemic necessitated a change in the way business is regularly done, enabling motor vehicle departments that had basic online service options to prioritize implementation of remote service delivery across a number of product channels.
While this created an opportunity for agencies to rethink and streamline some of their most commonly used services, it also presented a challenge: With more functions happening remotely via the internet, new avenues for fraud were created. According to the Federal Trade Commission, consumers reported losing more than $3.3 billion due to fraud in 2020, compared to just $1.8 billion in 2019. Additionally, the most commonly reported type of fraud was identity theft—a fraudulent activity that directly involves motor vehicle departments due to the ubiquity of the driver’s license as a document that proves identity.
An Opportunity for Scammers
“There is a lot more value on driver’s license information due to the pandemic,” says Owen McShane, director of investigations at the New York State Department of Motor Vehicles (DMV). “One of the reasons for that is the expanded unemployment benefits as a result of COVID-19. In New York, we saw individuals doing everything they could to try to get driver’s license information.”
McShane explains that the types of fraud individuals committed to get driver’s license information ran the gamut from using stolen credit cards to ordering duplicate licenses to the extremely common phishing scams that plagued seemingly every jurisdiction during the pandemic (see “Gone Phishing” below). JoAnna Shanafelt, assistant administrator at the Washington Department of Licensing (DOL), adds that opening up its system to help people perform more services online created a new vector for the types of fraud McShane lists.
“Because of COVID-19 and our offices closing down, we had a demand for services to be moved online,” Shanafelt says. “While we had a secure system, we, as a state, decided to open up online services to reduce additional barriers for our customers.” Shanafelt explains that this opening up included giving customers the option of not creating a secure account and performing some services as a guest. “We didn’t expect the volume of fraud that we saw. We saw individuals who had their identities compromised through other data breaches be taken advantage of—as soon as your information is on the dark web, it’s ripe for anyone to take.”
To illustrate the increase in fraud, Shanafelt shares that in a two-and-a-half year period under its secure transaction system, the Washington DOL had fewer than 1,000 fraud victims. In contrast, in just a three-month period during the pandemic after the non-secure system opened, the agency identified more than 300 victims.
McShane echoes Shanafelt’s experience with opening up a driver’s services function online and seeing an increase in fraudulent activity. “We offered online permit testing during the pandemic, and we knew as we pushed it out that we were creating some risk,” he says. “But we were amazed at the amount of fraud we saw initially. We started tracking the data and examining it for commonalities. We saw that online tests—for which we increase the number of questions to 50 from 20 for in-office tests—were being completed in record times, and many of the record times were originating from the same IP addresses. We identified individuals who were charging fees to take the DMV permit test for others. We ended up shutting everything down until we could put it back up with more controls in place.”
McShane and the New York DMV implemented a number of controls to address this online exam fraud, including geofencing for IP addresses and establishing an alert if one IP address takes multiple tests. For McShane, Shanafelt and their organizations, recognizing the increase in fraud was just the first step. The second step was taking actions, such as those McShane mentions, to combat the fraud.
“We had to focus on being proactive rather than reactive,” Shanafelt says. “It required us to become more aware of the vulnerabilities that we had within our systems and our operation processes to stay ahead of the fraud. We also had to create new internal processes to help victims.”
In order to identify vulnerabilities and act against them, the team at the Washington DOL created reports that looked for red flags. For example, if a customer already has a secure account, but requests to do a transaction through a guest account, that activity was flagged as suspicious. Other red flags included out-of-country IP addresses and email addresses that were from accounts or providers traditionally associated with fraud.
In particular, Shanafelt highlights one unique way the DOL fought fraud: “Because fraudsters had customers’ personal identifying information, we had to get creative. One of the things we would have applicants do is take a selfie and hold up their driver’s license in that image under their chin. We would then verify that image.”
In New York, McShane had a similar experience and recommends keeping lines of communication within your organization as open as possible to help fight fraud. “Being proactive and getting the information out there helps prevent fraud,” he explains. “When our investigators become aware of an issue, we meet with other senior managers from all parts of the department and advise them of the issue, so we can work together to address it.”
In the case of the fraudsters taking online exams for money, McShane and his team actually signed up to pay for the test themselves and were able to identify and shut down one such operation that way. Working with internet providers has proven fruitful for the New York DMV, McShane says, as they can generally get fraudulent advertisements taken down from Facebook or eBay within an hour or two.
Getting the Word Out
Beyond fighting fraud internally, getting the message out about fraud to the general consumer audience was also a priority during the pandemic. “I think a lot of impact can be made on fraud with education,” McShane says. “There is a segment of our population that believes everything they read on the internet is true. We post many of these [fraudulent schemes] as alerts on our website and social media. We can track the number of shares, and we generally see a huge spike in contacts after we post as people realize they are actually a victim and come forward.”
Chris McDonold, executive director of the Maryland State Police Vehicle Theft Prevention Council, concurs with McShane about the importance of education. “The biggest way to fight vehicle theft is through public awareness,” McDonold says. “We do a couple of campaigns a year, and we do a public service announcement [PSA] contest every year. We engage the community and local colleges to create the PSA, and it’s a win-win. The students get a check, the faculty loves it and the public gets informed.”
McDonold explains that this type of outreach is particularly important during the pandemic, when resources are limited and investigations can be restricted. Although he saw vehicle theft generally rise during the pandemic, McDonold doesn’t necessarily attribute that rise to COVID-19 directly, because some areas actually saw reduced theft. Regardless, the message for the public regarding vehicle theft is simple: “Of total vehicle thefts, 60% are done with the keys or key fob,” he says. “Remember to tell car owners to take their keys, lock their car and hide their valuables.”
As McDonold suggests, the true impact of the pandemic on fraud is yet to be seen. While there is data that shows some types of fraud increased, more data is needed to determine whether this is a trend that will wane as the pandemic fades or if it will continue to increase.
“For now, I think it’s probably going to maintain the level that it’s at,” Shanafelt says. “We’re in the beginning process as an agency to do a security threat assessment, and I’m eager to see what comes up. I’m hopeful that we’ll identify additional parameters and put additional controls in place as a result. I do feel like we’re on the road to recovery from this.”
Check out AAMVA’s Fraud Detection & Remediation (FDR) program to see the latest anti-fraud modules and resources available.