To date, we’ve identified over 9,100 fraudulent checking and credit applications spanning multiple financial institutions. In this post, we’ll review what we know today, provide analysis and share what financial institutions can do to protect themselves.
WHAT'S HAPPENING
There’s been a recent influx of applications from purported residents of Massachusetts who were born between 1975 and 1990. While the majority of the identity elements provided during the application process tie to a real-world individual, there are consistent patterns across four key areas indicating a concerted fraud effort behind this rise. Let’s break it down.
1. Use of specific domains with gibberish email handles and no correlation to identities
The observed increase has primarily been associated with outlook.com and hotmail.com email addresses that are using gibberish email handles (random combinations of letters and numbers, such as a62e9bofgr@hotmail.com).
Notably, we also identified a newly emerging email domain, luuinet.com. Since its first appearance in the Socure Network on Nov. 5, 2024, this domain has been associated with 5,500 applications, also featuring gibberish email handles and tied exclusively to Massachusetts-based identities.
Based on both authoritative data sources and Socure’s own network of over 500 million identities, we are also not finding any correlation between the identities and the email addresses that are used in these applications.
2. A spike in overnight application volume (EST)
During this rise in applications, we’re also seeing increased volumes from Massachusetts in the middle of the night (EST). Neighboring states are still exhibiting a typical drop in volume overnight. See the comparison in the charts below:


Many of the IP addresses observed were from outside of Massachusetts. This mismatch strongly suggests the use of VPNs or proxy services. Notably, over 89 percent of flagged applications came from geolocations that were more than 100 miles away from the declared address.

The applications used a constrained set of Massachusetts phone area codes, namely: 339, 351, 413, 508, 617, 774, 781, 857 and 978. However, the majority of these phone numbers were flagged for limited activity (phone numbers with no active usage for more than 90 days) or were recently reassigned — both of which are common patterns seen in fraud attempts. As with the emails, very few of these phone numbers show any correlation to the associated identities.
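As an added illustration (not Socure's code or models), the four patterns above can be expressed as per-application checks. The record fields, the 00:00–04:59 overnight window and the gibberish heuristic are assumptions made for this sketch, and the sample applications are constructed.

```python
import math
import re
from datetime import datetime, timedelta, timezone

WATCHED_DOMAINS = {"outlook.com", "hotmail.com", "luuinet.com"}  # domains named in the post
EST = timezone(timedelta(hours=-5))  # fixed offset; the post reports times in EST

def gibberish_handle(email, first, last):
    """Assumed heuristic: handle shares nothing with the name and looks machine-made."""
    handle, _, domain = email.lower().partition("@")
    if domain not in WATCHED_DOMAINS:
        return False
    if any(len(n) >= 3 and n.lower() in handle for n in (first, last)):
        return False
    # A digit buried inside letters, or five consonants in a row
    return bool(re.search(r"\d[a-z]", handle) or re.search(r"[b-df-hj-np-tv-z]{5}", handle))

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def signals(app):
    """Return the names of the campaign signals present on one application."""
    found = []
    if gibberish_handle(app["email"], app["first"], app["last"]):
        found.append("gibberish_email")
    if app["submitted_utc"].astimezone(EST).hour < 5:  # assumed overnight window
        found.append("overnight_est")
    if miles_between(app["ip_geo"], app["addr_geo"]) > 100:  # 100-mile figure from the post
        found.append("ip_far_from_address")
    if app["phone_inactive_days"] > 90 or app["phone_reassigned"]:  # 90 days from the post
        found.append("dormant_or_reassigned_phone")
    return found

# Constructed sample applications (hypothetical field names, not real data)
BOSTON, DALLAS = (42.36, -71.06), (32.78, -96.80)
SUSPECT = {"first": "Dana", "last": "Whitfield", "email": "a62e9bofgr@hotmail.com",
           "submitted_utc": datetime(2024, 11, 12, 7, 30, tzinfo=timezone.utc),
           "ip_geo": DALLAS, "addr_geo": BOSTON, "phone_inactive_days": 200, "phone_reassigned": False}
TYPICAL = {"first": "Dana", "last": "Whitfield", "email": "dwhitfield82@outlook.com",
           "submitted_utc": datetime(2024, 11, 12, 19, 0, tzinfo=timezone.utc),
           "ip_geo": (42.33, -71.12), "addr_geo": BOSTON, "phone_inactive_days": 3, "phone_reassigned": False}

if __name__ == "__main__":
    for app in (SUSPECT, TYPICAL):
        print(app["email"], signals(app))
```

No single check is decisive on its own; it is the co-occurrence of several on one application that matches the pattern described here.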
INTERPRETING THE ATTACK
When analyzing an attack like this, two critical questions arise:
- What enabled the attack to start?
- Why are fraudsters employing these specific tactics?
We've seen at least 9,000 identities used thus far (measured as unique SSNs), with new ones appearing every day. The perpetrator(s) are also mostly using one email address and one phone number per person, instead of reusing the emails or phone numbers for multiple people.
Second, it’s clear that the perpetrator(s) are pairing stolen Massachusetts identities with Massachusetts-based phone numbers to appear more legitimate. The use of gibberish email handles indicates automated generation. These randomized email handles help them avoid creating email addresses or accounts that may already exist.
It turns out that luuinet.com is a domain that was registered in China in 2023. If we shift the earlier view of luuinet.com’s volume to the time zone where the domain is based, we get the following view:

Finally, the fraudster(s) are using U.S.-based IP addresses because foreign IP addresses would look too “risky.” The fact that the attack is happening mostly during working hours in China strongly suggests the use of proxies. They are also using various IP addresses to avoid getting blocked, many of which are spread across the U.S. because they likely don’t have enough proxies on hand in Massachusetts.
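The time zone shift described above can be reproduced with a short script. This is an added example, not Socure's analysis code: it uses fixed UTC offsets, assumes a 09:00–18:00 working day, and runs on constructed timestamps.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets (assumption: EST as used in the post; China observes no daylight saving)
ZONES = {"US Eastern (EST)": timezone(timedelta(hours=-5)),
         "China (UTC+8)": timezone(timedelta(hours=8))}

def hourly_histogram(timestamps_utc, tz):
    """Count applications per local hour of day in the given time zone."""
    counts = Counter(ts.astimezone(tz).hour for ts in timestamps_utc)
    return [counts.get(h, 0) for h in range(24)]

def working_hours_share(timestamps_utc, tz, start=9, end=18):
    """Fraction of applications submitted from start:00 up to end:00 local time."""
    hist = hourly_histogram(timestamps_utc, tz)
    total = sum(hist)
    return sum(hist[start:end]) / total if total else 0.0

def rank_zones(timestamps_utc, zones=ZONES):
    """Order candidate zones by how well a working day explains the activity."""
    shares = {name: working_hours_share(timestamps_utc, tz) for name, tz in zones.items()}
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample: ten submission times in UTC (not real data)
SAMPLE = [datetime(2024, 11, 12, h, 15, tzinfo=timezone.utc)
          for h in list(range(1, 10)) + [15]]

if __name__ == "__main__":
    for name, share in rank_zones(SAMPLE):
        print(f"{name}: {share:.0%} of applications fall in working hours")
```

The same timestamps that look like overnight activity in EST line up with a working day at UTC+8, which is the shift the chart illustrates; the ranking is a correlation and does not by itself establish where the activity originates.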
MOVING FORWARD
As AI-generated fraud and deepfake technologies become more sophisticated, traditional fraud detection methods are no longer enough to combat emerging threats. Modern fraud prevention must leverage advanced AI-driven solutions that can detect nuanced patterns, anomalies and synthetic identity elements in real time. The attack we identified in the financial sector underscores the urgent need for such technology, but it is likely not confined to this industry. Other sectors, including health care, telecommunications and government agencies, should also be vigilant against similar tactics. As fraudsters evolve, so must our defenses — staying ahead requires continuous innovation and investment in AI-powered fraud detection solutions.
Socure is deeply committed to identifying and preventing all forms of fraud. Thanks to the rapid innovation of our expert data science team and the continuous feedback from our extensive customer network, Socure consistently delivers new models that protect businesses and government from new and emerging fraud patterns — all while ensuring a seamless experience for legitimate users.