Fraud cases are requests from partners that noticed in their system or were notified by a client that fraudulent activities took place on their account using itsme. We use all given information from the partner to investigate all the actions on our side and, if necessary, block or delete the itsme account.

We want to inform any (possible) impacted partners during the fraudulent activity time frame. We might see that someone logged into your platform with itsme but we are not able to see the actions performed on your side. With the information that we provide you, you might be able to start an investigation on your side to resolve or reverse any actions that might have been out of the ordinary or done by fraudsters.

Fraud actions using an itsme account can be done in 2 ways: Account Takeover & Social Engineering.
Account Takeover means that the fraudster used certain ways in luring the victim to give control of his or her itsme account to the fraudster. This is done using a Change Device (= the account changes to another device) or by blocking and reactivating the account. Also creation of an itsme account with the victims credentials and information is common practice. In conclusion: this means that the fraudster has complete control of the itsme account and all connected partners. In this case, blocking the account of the end-user on your platform is recommended.
Social Engineering means that the fraudster will lure the victim into confirming actions using their itsme app. This can be done using phone call, email, sms or even physical. In this case, the victim stays in control of the itsme app and account but accepts requests that are not initiated by themself. Possible actions here are informing the end-user and/or blocking any pending (fraudulent) requests.

Some partners immediately send a request to block the account in order to limit the impact. If the account is not blocked, we first complete our investigation to see if blocking the account is necessary or not.

Reaching out to the end-user is a good first step to check if the actions performed on your platform where intentional by the end-user.

We are not able to see the details of the actions performed on your platform. In this case, it is better to check on the victim’s account for (possible) fraudulent activity or reverse any actions that might have harmed the victim. If there was an impact, you can also block the account on your platform and/or ask for a block of the itsme account (if not already blocked → this also mentioned in the email).

An ongoing call simply means that the user was actively on a phone or VoIP call at the exact moment they performed an itsme action, such as confirming a login or transaction.
Because fraudsters often keep victims on the phone while guiding them through actions, itsme detects this situation and displays a warning screen to alert and protect the user. If the user proceeds anyway, it means they saw the warning and still chose to continue.

Mobile malware refers to a malicious app that fraudsters trick victims into installing on their smartphone.
Once installed, this fake app can misuse special permissions — most commonly Android Accessibility permissions — to take control of the device, such as reading what is on the screen, entering information, or approving actions without the user noticing.
With this control, criminals can intercept or manipulate banking or itsme® actions, enabling them to perform fraudulent operations as if they were the victim.

This type of attack usually starts with social engineering (e.g., a phone call or message from someone pretending to be a bank or service provider) that convinces the victim to install the fake app.