The Challenge: Hidden Threats and Spoofed Signals


The bank was facing a systematic and sophisticated attack involving identity fraud and mule accounts.

Fraud Farms

Criminals concentrated their operations in specific micro-regions of the country, operating like organized crime offices. They used compromised devices, including emulators, rooted devices, and modified apps. This technical profile is a strong indicator of high-risk environments.

Recruiting Money Mules

The primary vector was not Account Takeover (ATO), but the use of real third-party data (PII). Investigations suggested fraudsters were paying individuals ("mules") to hand over their data and photos for account opening, bypassing traditional biometrics by using low-quality images or exploiting minors.

Persistence of Attack

A single device, if not detected quickly, was associated with the opening or access of dozens of distinct accounts. The financial impact was severe, resulting in average losses of five figures per completed fraudulent account.

The Solution: Location Intelligence & Device Integrity


The institution integrated Incognia’s risk platform to replace reactive logic with a proactive defense based on physical behavior and deep device integrity.

1. Detecting Anomalies in the Physical World

Rather than relying on purely digital signals, which were being spoofed, Incognia analyzed the concentration of high-risk devices. The technology identified clusters of devices exhibiting anomalous behavior within specific micro-regions.

  • Proactive vs. Reactive: Incognia flagged the location as suspicious before the fraud peak occurred. When the bank later confirmed the attacks, the locations matched Incognia’s early warnings exactly.

2. Integrity & Cross-Device Blocking

The solution enabled the identification of devices attempting to open multiple accounts using different identities. Incognia implemented rules focused on:
  • Device Integrity: Detecting devices with signs of tampering, emulators, or frequent factory resets.

  • Risk History: Blocking environments associated with previous identity fraud attempts.

  • Continuous Protection: Identification not only during onboarding but also within post-login sessions, preventing fraudulent devices from continuing to access accounts that had already been opened.

The Results


The implementation drastically changed the bank's security landscape and operational efficiency in just four months.

Eliminating Fraud: The volume of account-opening fraud, which had previously spiked, dropped sharply month over month, reaching zero reported cases by the end of the analysis period.
Conversion Surge (+70%): With reduced false positives and the removal of generic regional blocks, the onboarding conversion rate increased by over 70%, allowing more legitimate customers to open accounts without friction.
Risk Reduction in New Accounts (~50% Drop): The percentage of identities classified as high risk during new account onboarding dropped by nearly 50%. This indicates that entry barriers worked effectively, forcing fraudsters to give up or shift targets, thereby ensuring higher-quality incoming accounts.