
Account takeover (ATO) fraud occurs when a bad actor takes control of a legitimate customer’s bank account. This persistent type of fraud was one of the top five fraud scams of the second quarter of 2021, according to the Feedzai Q3 2021 Financial Crime Report.

For banks to take effective measures against ATO fraud, it’s important to understand it clearly. 

What’s Driving the Rise in Account Takeover Fraud?

Three key factors are driving the rise in account takeover fraud. 

New Digital Banking Customers Means More Fraud Targets

The COVID-19 pandemic pushed many customers into the digital banking ecosystem, presenting fraudsters with an expanded pool of fraud targets. Many customers were just learning how to bank and shop online, and fraudsters eagerly took advantage of their unfamiliarity with digital banking to commit ATO fraud. Additionally, the large influx of government dollars directed at the economy created a perfect storm of opportunity for bad actors to exploit.

Stolen Customer Credentials are Widely Available

Another reason account takeover fraud is so widespread is that it’s easier than ever for fraudsters to obtain stolen customer credentials. Years of data breaches have exposed billions of records containing personally identifiable information (PII), which criminals routinely list for sale on the dark web. What’s more, bad actors have a deep arsenal of tactics and technologies for harvesting additional account credentials, phishing attacks and malware among them.

Account Takeover Fraud is a Low-Risk, High-Reward Activity

Finally, fraudsters know they can automate ATO attempts and run thousands of them in a short period. Even if only one login in a few hundred or a thousand succeeds, the payoff more than covers the effort.

How Account Takeover Fraud Works

Account takeover fraud falls into two distinct categories: impersonation and manipulation.

Impersonation Attacks

In an impersonation ATO fraud, a bad actor poses as the legitimate account holder. They present compromised PII – stolen usernames and passwords or other sensitive data – to pass as the customer. Where the bank enforces a second factor, the attacker can supplement the stolen credentials with a vishing call that talks the victim into reading out a one-time passcode. From there, the fraudster accesses the customer’s account and changes account details to lock in control, transfers funds to a mule account, or makes purchases with the customer’s payment cards.

Manipulation Attacks

Manipulation attacks rely on Remote Access Tools and Remote Access Trojans, both commonly abbreviated as RATs. The first is legitimate remote-support software that the victim is talked into running; the second is malware.

A Remote Access Tool facilitates account takeover via a Remote Access Scam, in which the attacker convinces the victim to grant them access to their system. Once access has been granted, the bad actor can return to the customer’s device whenever they want, install further malware, and stage follow-on attacks.

Legitimate users can also install a Remote Access Trojan without realizing it. A customer may click a link in a text message or email and unknowingly complete a form or download that installs the malware onto their device. Once the trojan is running, fraudsters can read any information stored on the device and operate it remotely.

5 Ways to Commit an Account Takeover Attack

Using either impersonation or manipulation types of attacks, fraudsters typically use one of five notable methods to commit account takeover fraud.

Compromised Credentials

A recent survey by Google found 65% of U.S. adults use the same password for multiple accounts. Because large troves of breached credentials are now widely available, fraudsters can replay username and password pairs leaked from one site against bank logins at scale, a technique known as credential stuffing. Committing large-scale ATO fraud across many accounts has never been easier.

Phishing Attacks

Fraudsters use phishing attacks to trick customers into voluntarily revealing their PII. For example, they send customers an email pretending to be from their bank and instruct them to log into their online bank account through a link that leads to a look-alike login page. Once the customer has entered their credentials on that page, the fraudster can proceed with the account takeover.

Vishing Attacks

Vishing involves a fraudster establishing voice-based communication with their target. A common tactic is to contact the target pretending to be an IT specialist who has detected suspicious activity on their computer. From there, the fraudster guides the victim to grant remote access to their device or to read out a one-time passcode.

Smishing Attacks

Smishing is phishing carried out over SMS. In this tactic, a fraudster texts the victim that something is wrong with their bank account and includes a link to sign in. The link leads to a fake login form designed to trick the recipient into revealing their personal information.

Malware Attacks

In a malware attack, a fraudster tricks the victim into installing a malicious program on their computer or mobile device. Once it is installed, the fraudster accesses the device remotely, stealing credentials or enabling man-in-the-middle attacks on the customer’s banking sessions.

3 Ways Banks Can Stop ATO Fraud

Banks that fail to address ATO fraud risk losing the customers it affects. A recent survey found that roughly one-third of identity fraud victims said their financial institution did not address their problems adequately. The survey also found 38% of respondents closed their bank accounts because they were dissatisfied with the way their bank handled the issue.

Fortunately, banks have several options to mitigate the ATO fraud threat before fraudsters execute transactions.

Embrace a Prevention-First Strategy

Many banks and financial institutions have implemented controls to detect suspicious activities after an attack has occurred. However, the fraudster may already have transferred money out of their customers’ accounts by that stage. What’s needed is a first line of defense to actively stop malware or phishing from stealing credentials in the first place. 

Build a Complete Picture of Your Customers

Banks need to understand how their customers usually interact with their systems. This goes beyond static data such as the credentials presented or the geolocation of a device. Banks should also pay attention to whether a customer logs in at unusual hours, swipes their phone screen differently, handles their mouse differently than usual, or has changed their language settings. Building an in-depth profile of each customer lets a bank recognize them at both a behavioral and a biometric level. If a session starts deviating from that profile, the bank can stop the activity before an ATO fraud is completed.
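The kind of profiling described above, reduced to a small worked example. This is an added illustration, not Feedzai’s code or a description of its product: the profile fields, feature weights, score thresholds and every customer, device and session value below are constructed assumptions. A real deployment learns each baseline from past sessions and tunes the weights on labelled fraud cases; the point here is the shape of the check, including a heavy weight on the remote-control signal that characterizes manipulation attacks.

```python
"""Behavioral risk scoring for a bank login against a per-customer baseline.

Added example, not Feedzai's code. Profile fields, weights, thresholds and all
sample data are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    """What 'normal' looks like for one customer, built from earlier sessions."""
    customer_id: str
    usual_hours: set[int]        # local hours of day at which logins usually happen
    known_devices: set[str]      # device fingerprints seen on earlier sessions
    usual_countries: set[str]    # country codes of earlier logins
    language: str                # UI language the customer normally uses
    swipe_speeds: list[float]    # px/ms from earlier mobile sessions
    mouse_speeds: list[float]    # px/ms from earlier desktop sessions


@dataclass
class LoginEvent:
    """Signals collected during one login attempt (constructed format)."""
    customer_id: str
    hour: int
    device_id: str
    country: str
    language: str
    swipe_speed: float | None = None
    mouse_speed: float | None = None
    remote_control_detected: bool = False  # client saw a remote-access tool/RAT driving the session


# Assumed weights; tune on labelled data in practice.
WEIGHTS = {
    "unusual_hour": 15,
    "new_device": 25,
    "new_country": 30,
    "language_changed": 10,
    "biometric_anomaly": 25,
    "remote_control": 60,
}
ALLOW_BELOW = 25    # silent authentication, no friction for the customer
STEP_UP_BELOW = 60  # out-of-band challenge (an SMS OTP alone can be vished out of the victim)
# scores at or above STEP_UP_BELOW are blocked and routed to the fraud team


def zscore(value: float, history: list[float]) -> float:
    """Distance of `value` from the customer's own history, in standard deviations."""
    if len(history) < 5:  # too little history to judge; treat as normal
        return 0.0
    sd = pstdev(history)
    if sd == 0.0:
        return 0.0 if value == history[0] else 3.0
    return abs(value - mean(history)) / sd


def score_login(profile: CustomerProfile, event: LoginEvent) -> tuple[int, list[str]]:
    """Return (risk score, triggered reasons) for one login against its baseline."""
    reasons: list[str] = []
    if event.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if event.country not in profile.usual_countries:
        reasons.append("new_country")
    if event.language != profile.language:
        reasons.append("language_changed")
    # Behavioral biometrics: how the phone is swiped or the mouse is moved.
    if (event.swipe_speed is not None and zscore(event.swipe_speed, profile.swipe_speeds) > 2.5) or (
        event.mouse_speed is not None and zscore(event.mouse_speed, profile.mouse_speeds) > 2.5
    ):
        reasons.append("biometric_anomaly")
    # A remote-control session is the manipulation-attack signature: weight it heavily.
    if event.remote_control_detected:
        reasons.append("remote_control")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to the action taken before any transaction is allowed."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < STEP_UP_BELOW:
        return "step_up"
    return "block"


def example_profile() -> CustomerProfile:
    """Constructed baseline for a sample customer."""
    return CustomerProfile(
        customer_id="cust-1001",
        usual_hours={7, 8, 12, 18, 19, 20},
        known_devices={"dev-a1f3", "dev-77c0"},
        usual_countries={"PT"},
        language="pt-PT",
        swipe_speeds=[1.10, 1.05, 1.20, 1.15, 1.08, 1.12],
        mouse_speeds=[0.80, 0.90, 0.85, 0.95, 0.90, 0.82],
    )


if __name__ == "__main__":
    profile = example_profile()
    for ev in [
        LoginEvent("cust-1001", 8, "dev-a1f3", "PT", "pt-PT", mouse_speed=0.88),
        LoginEvent("cust-1001", 19, "dev-9999", "PT", "pt-PT", swipe_speed=1.11),
        LoginEvent("cust-1001", 3, "dev-9999", "RO", "en-US", mouse_speed=2.50),
        LoginEvent("cust-1001", 18, "dev-77c0", "PT", "pt-PT", mouse_speed=0.84, remote_control_detected=True),
    ]:
        s, why = score_login(profile, ev)
        print(f"{ev.device_id:9} {ev.country} {ev.hour:02d}h score={s:3d} -> {decide(s):7} {why}")
```

The four constructed sessions cover the cases the text raises: a routine login scores 0 and passes silently; a known customer on an unknown phone gets a step-up challenge rather than a block; a night-time login from a new country with a changed UI language and alien mouse behaviour is blocked outright; and a login that is otherwise perfectly normal is still blocked when remote-control software is seen driving the session, because that is what a manipulation attack looks like from the bank’s side.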

Keep Bank Customers in Control

Embracing a proactive approach to stopping fraud lets legitimate customers keep transacting without interruption to their workflow. Instead of waiting for fraud analysis teams to stop an in-progress ATO attack or respond to a customer’s fraud report, banks can go on the offense and block transactions before a crime occurs. Customers should be silently authenticated and protected in the background, with friction added only when a session’s risk warrants it, so their digital banking experience is undisturbed.

Account takeover fraud is a complicated and layered method of attack. While fraudsters have a wide range of tools to execute such attacks, banks also have several strategies to prevent future ATO fraud attempts. 

Download our eBook 6 Crucial Capabilities to Protect the Online Banking Journey to learn how to protect customer accounts from bad actors.