We Analyzed $485M in Stolen Checks. Here's What We Found.

As SentiLink's Head of Fraud Insights, part of my job is keeping an eye on darkweb markets, seedy Telegram channels, and other corners of the internet where we find the supply side for much of the fraud that SentiLink detects for our partners later down the line.

Recently, we began monitoring a select group of Telegram channels that are frequently used for check fraud and cataloging the stolen checks we find there. In just the past few months, we've cataloged nearly 20,000 checks, sourced from nearly 2,000 different US banks and credit unions, totaling more than $485 million in potentially-stolen funds. 

What we found

To date, we have cataloged 18,030 checks shared across 53 different Telegram channels. The earliest of these checks is dated 05/03/24; the latest ones date from mid-October.

A majority of the checks – 63% – include at least one business; 33% are checks from an individual to a business or a business to an individual, and another 30% are business-to-business. 

The next-largest segment is checks from or to government entities. Government checks account for 22.6% of all checks we've cataloged so far, with checks from the IRS alone making up about 10% of all total checks cataloged. "United States Treasury" is by far the most common single Payor in the dataset, appearing on nearly 4,000 of the 18,030 checks we've cataloged so far. 

Most financial institutions in the United States likely have customers whose checks have been stolen and shared. Our catalog contains checks from 2,162 different banks, totaling more than $485 million in value. Unsurprisingly, the largest banks are also the most heavily represented in the dataset, with top banks all having hundreds or thousands of checks shared on Telegram. 31 different financial institutions have had at least $1M worth of checks shared. In total, fraudsters have shared at least $10M in checks from four of the top five US banks. 

Of the 53 markets we monitor, 20 have shared at least 100 stolen checks, and the top six Telegram channels have all shared more than 500. (For obvious reasons, we will not name any of these channels, but all are Telegram channels that are accessible without any specialized technical skills). Some channels seem to aim for quantity, whereas others may be aiming for higher check values:

• The top channel by check count has shared 1,270 checks, worth a total of $15M.
• The top channel by value has shared 597 checks, worth a total of $50M. 

Disclaimer: fraudsters make things up, and it's likely that some of the checks shared in these channels are fake. When we've reached out to financial institutions about specific cases, they have often told us that the checks in question are real, and we think it's likely that most of the checks in this dataset are real, but some of them are probably fake. 

How fraudsters use stolen checks

Stealing checks presents fraudsters with a variety of opportunities, because by their nature, checks contain quite a bit of information, including:

• The payor's name
• (Typically) the payor's address and phone number
• The payor's signature
• The payor's bank
• The payor's routing and account numbers
• The payee's name
• (Often) the payee's address and phone number

Using this information and the stolen check, fraudsters can do things such as:

• Check washing: Carefully changing the payee name, and sometimes the dollar amount, on a printed check in order to deposit large checks into their own accounts. 
• Identity theft: Using the payee's information in combination with publicly-available PII information from various data breaches, fraudsters can steal the payee's identity and use it to do a variety of things, including open new bank accounts into which they can then deposit the stolen checks. 
• ACH fraud: Using the routing and account numbers that are printed on most checks in addition to the payor and payee data, fraudsters may be able to initiate additional electronic transfers from the payor's account into accounts they control. 

What can financial institutions do?

The easy availability of all of these stolen checks has significant implications for financial institutions (FIs) and their clients:

First, both the payor and payee on stolen checks are at risk of falling victim to identity theft and other forms of fraud. FIs may be able to more easily identify and stop fraudulent attempts to access their customers' accounts, credit, etc. if they are aware that the customer has had a check stolen.

Second, while the FI's customers are likely to be the direct victims of fraud when checks are stolen, FIs may be on the hook for reimbursing fraudulently-stolen funds in the long run. FIs that are aware their customer's check has been stolen may be able to take steps to prevent further fraud associated with that account, or potentially even prevent the stolen check from being cashed if they become aware quickly enough. 

In the interim, though, financial institutions that would like specific details about the checks connected with them that appear in our database can reach out to us here. 

Update: If you found this article interesting, David was recently quoted in a Wall Street Journal article about stolen checks and fraud that may also be of interest.