Outline of how to decode the DNA of account takeover attacks

What makes account takeover (ATO) fraud so troublesome for banks, businesses, and consumers alike is that this form of identity theft can take on a life of its own. If a fraudster successfully commits an account takeover, they can get their hands on all the data they need to commit even more fraud.

The numbers paint a stark picture of how severe the ATO threat has become. In the U.S., consumer losses stemming from identity fraud rose to $56 billion (USD) in 2020. In the U.K., meanwhile, banking fraud losses rose by 43% in the same period.

What’s driving the rise in ATO attacks? First, economic and societal uncertainty work in fraudsters’ favor. If people are unsure about stability in their business or community, fraudsters are quick to take advantage. Another factor working to fraudsters’ advantage is that personal credentials are easier than ever to access. Fraudsters can use a variety of tactics, including phishing attacks, purchasing stolen personal information from the dark web, or using malware like remote access trojans or remote access tools – both known as RATs.

With these capabilities, fraudsters can commit identity theft at scale – giving the ATO threat a life of its own. Banks and merchants need to fully understand the DNA of an ATO attack to stay a step ahead of fraudsters (and unfortunately, services like 23andMe aren’t going to be of much help). Here’s a guide to help you decode the DNA of account takeover fraud.

Step 1: Account Takeover Fraud: A Refresher

The first step in decoding the DNA of an ATO attack is to fully understand the nature of the attack itself. To that end, here’s a brief refresher of how an account takeover attack occurs.

First, fraudsters obtain stolen credentials, account information, and passwords that belong to legitimate users to access their online accounts. They can easily purchase them on illegal dark web marketplaces. Years of data breaches have given fraudsters troves of personally identifiable information (PII), including credit cards and social security numbers, that they can weaponize for ATO and synthetic identity attacks. These breaches have provided fraudsters with volumes of data that can be used for large-scale credential stuffing attacks – especially if customers reuse passwords across multiple accounts and online platforms.

Next, they log in to legitimate user accounts. From there, they can change account details to fully take over the victim’s account, then authorize money transfers to their bank or crypto wallet. Using SIM-swapping tactics, fraudsters can take greater ownership of a victim’s device to intercept the two-factor authentication (2FA) controls. If they access an online eCommerce account, they can buy gift cards or big-ticket items like airline tickets with the plan of reselling them to a third party.

Account takeover attacks that target a consumer’s online bank account can cause significantly more problems than expensive purchases. This access point can give fraudsters the opening they need to make long-term gains from their fraud.

Step 2: How Fraudsters Monetize ATO Attacks

Instant transfer fraud is one of the most common ways fraudsters profit from ATO attacks. Once the fraudster gains access, they can transfer money to another account they control – or even to a money mule account – with funds moving in real time. From there, these funds can be withdrawn from ATMs or transferred again. Banks and customers have very little time to stop these transfers, meaning the legitimate customer’s money will likely be gone forever once transfers are completed.

Money transfers are just one of several opportunities for fraudsters who have launched a successful ATO attack. Having accessed the compromised account, they can commit credit card fraud by pretending to be the legitimate customer, contacting the bank, and requesting a new credit card with a higher balance. If they successfully get their hands on the card, they can make all kinds of purchases and leave the defrauded customer holding the bill. If the fraudster changes account details by adding their phone number and other account contact information, it will allow them to approve any 2FA verification requests.
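The chain described above (a login from an unfamiliar device, a change to contact details, then a transfer to a payee the account has never paid) can be checked for in an account event stream. The following is an added example, not code from the original article; the event names, field names, sample events and the 60-minute window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, event type, details).
EVENTS = [
    ("2024-03-01T09:00:00", "acct-1", "login", {"device": "dev-A"}),
    ("2024-03-01T09:05:00", "acct-1", "transfer", {"payee": "landlord", "amount": 900}),
    ("2024-03-02T10:00:00", "acct-2", "login", {"device": "dev-B"}),
    ("2024-03-08T02:10:00", "acct-1", "login", {"device": "dev-X"}),
    ("2024-03-08T02:12:00", "acct-1", "contact_change", {"field": "phone"}),
    ("2024-03-08T02:20:00", "acct-1", "transfer", {"payee": "mule-77", "amount": 4800}),
    ("2024-03-09T10:00:00", "acct-2", "login", {"device": "dev-B"}),
    ("2024-03-09T10:03:00", "acct-2", "contact_change", {"field": "email"}),
    ("2024-03-09T10:30:00", "acct-2", "transfer", {"payee": "utility", "amount": 60}),
]

def flag_takeover_chains(events, window=timedelta(minutes=60)):
    """Return transfers that complete: new device -> contact change -> new payee."""
    state = defaultdict(lambda: {"devices": set(), "payees": set(),
                                 "new_dev": None, "contact": None})
    alerts = []
    for ts_str, account, kind, data in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        s = state[account]
        if kind == "login":
            # The first device ever seen is the enrollment baseline, not "new".
            if s["devices"] and data["device"] not in s["devices"]:
                s["new_dev"] = ts
            s["devices"].add(data["device"])
        elif kind == "contact_change":
            s["contact"] = ts
        elif kind == "transfer":
            # All three signals must occur in order, inside the window.
            chain = (s["new_dev"] and s["contact"]
                     and s["new_dev"] <= s["contact"] <= ts
                     and ts - s["new_dev"] <= window
                     and data["payee"] not in s["payees"])
            if chain:
                alerts.append((account, ts_str, data["payee"], data["amount"]))
            s["payees"].add(data["payee"])
    return alerts

if __name__ == "__main__":
    for alert in flag_takeover_chains(EVENTS):
        print("hold for review:", alert)
```

Because instant transfers leave so little time to react, a rule like this is meant to run before the transfer is released, so the payment can be held or stepped up to additional verification rather than investigated afterwards.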

Besides requesting new credit cards, fraudsters can also use a customer’s existing credit card to their benefit. The fraudster could use breached credit card information to make online purchases from various merchants that the legitimate customer already frequents to avoid (or at least delay) suspicion and have the purchases redirected to the address of their choice. Or they can purchase digital cards, a primary channel for exfiltrating funds. In other words, a successful ATO fraud can enable cybercriminals to commit more account takeovers and target a customer’s credit card accounts. But credit card fraud is just the tip of the ATO attack iceberg. Fraudsters have many more opportunities to profit once they gain access to another person’s bank account.

Step 3: Understanding ATO’s Long-Term Impact

People don’t just store money in their bank. A bank customer account also contains several PII types, including the account holder’s social security number, home address, mobile phone number, email address, associated credit card numbers, and more. In other words, successful ATO fraud attacks can provide fraudsters with troves of personal data that they can use to commit more identity fraud. 

Access to PII and sensitive data is like striking oil for fraudsters. If a fraudster gains access to a customer’s financial accounts, plenty of additional identity theft opportunities await them. Fraudsters can use these stolen account credentials to commit tax refund scams or use a legitimate customer’s credentials to apply for loans, open new accounts, or request new lines of credit. Alternatively, they could use the stolen PII to build a synthetic ID at a new financial institution, where they can request new credit cards or fill out loan applications with stolen credentials. And all in a legitimate customer’s name.

Key Takeaways

ATO attacks are popular among fraudsters because they can result in significant gains. A single ATO can give fraudsters access to the data they need to commit more fraud at the targeted customer’s expense. 

Customers are not the only ones who can suffer because of an ATO attack. Banks and businesses can also experience reputational damage as a result of these incidents. That’s why it is important to understand the lifecycle of ATOs. Decoding the DNA of ATOs is the first step to stopping future attacks. Stay tuned to this space to learn how to fight back. 
