Third-Party Fraud
Fraud committed against a financial institution or business by an external criminal using a victim's identity or account details, without the account holder's knowledge or consent.
Also known as: external fraud, identity fraud, impersonation fraud
Last reviewed: 1 June 2026
Third-party fraud is committed by an independent criminal — someone entirely separate from both the financial institution and the genuine customer — who uses stolen personal data, forged documents, or compromised credentials to impersonate the victim and gain access to accounts or credit. The account holder is an innocent victim rather than a participant in the fraud.
Common examples include using stolen identity documents to open bank accounts or apply for credit, making unauthorised transactions on a victim's credit card using card details obtained from data breaches or skimming, taking over an existing account through credential phishing or SIM swapping, and fraudulently obtaining loans in the victim's name.
Third-party fraud is distinguished from first-party fraud, where the 'customer' themselves commits the fraud, and from second-party fraud, where the account holder knowingly allows someone else to use their account. This distinction matters for liability and investigation: third-party fraud victims are generally entitled to reimbursement by their financial institution, whereas first-party fraud shifts liability to the perpetrator. Strong KYC, transaction monitoring, and customer notification systems are the primary defences.
Examples
- A criminal uses card details purchased on a dark web forum to make online purchases on a cardholders account without the cardholder's knowledge — a classic case of third-party fraud.