What makes account takeover (ATO) fraud so troublesome for banks, businesses, and consumers alike is that this form of identity theft can take on a life of its own. If a fraudster successfully commits an account takeover, they can get their hands on all the data they need to commit even more fraud.

Each month, one in three fraud attempts against the world’s top merchants is an ATO attack. Just as troubling is that ATOs are on the rise. Account takeover fraud surged by 72 percent last year, much more so than any other type of fraud, and financial losses from account takeover attacks exceeded $4 billion as recently as 2018. As ATO attacks become increasingly popular with fraudsters, the costs could balloon even further. 

Banks and merchants need to fully understand the DNA of an ATO attack to stay a step ahead of fraudsters (and unfortunately, services like 23andMe aren’t going to be of much help). Here’s a guide to help you decode the DNA of account takeover fraud.

Step 1: Account Takeover Fraud: A Refresher

The first step in decoding the DNA of an ATO attack is to fully understand the nature of the attack itself. To that end, here’s a brief refresher of how an account takeover attack occurs.

First, fraudsters obtain stolen credentials, account information, and passwords that belong to legitimate users to access their online accounts. They can do so through a data breach, phishing or malware attacks, or by purchasing them on illegal dark web marketplaces. Years of data breaches have given fraudsters troves of personally identifiable information (PII), including credit cards and social security numbers, that they can weaponize for ATO and synthetic identity attacks. These breaches have provided fraudsters with volumes of data that can be used for large-scale credential stuffing and brute force attacks – especially if customers reuse passwords and other login credentials across multiple online platforms.

Next, they log into legitimate user accounts. From there, they can authorize money transfers from the compromised account to their bank or crypto wallet. If they access an online eCommerce account, they can buy big-ticket items like airline tickets with the plan of re-selling the tickets to a third party.

Account takeover attacks that target a consumer’s online bank account can cause much more significant problems than expensive purchases. This point of access can give fraudsters the opening they need to make long-term gains from their fraud.

Step 2: How Fraudsters Monetize ATO Attacks

Instant transfer fraud is one of the most common ways that fraudsters profit from ATO attacks. Once the fraudster gains access, they can transfer money to another financial account that they control with funds moving in real-time. Banks and customers have very little time to stop the transfer, meaning the legitimate customer’s money will likely be gone forever if the transfer is completed.

Money transfers are just one of several opportunities for fraudsters who have launched a successful ATO attack. Having accessed the compromised account, they can commit credit card fraud by pretending to be the legitimate customer, contacting the bank, and requesting a new credit card with a higher balance. If they successfully get their hands on the card, they can make all kinds of purchases and leave the defrauded customer holding the bill. They could also attempt a SIM swap and change the second step in a two-factor authentication (2FA) solution allowing them to take full control of the user’s accounts.

Besides requesting new credit cards, fraudsters can also use a customer’s existing credit card to their benefit. The fraudster could use breached credit card information to make online purchases from various merchants that the legitimate customer already frequents to avoid (or at least delay) suspicion and have the purchases redirected to the address of their choice. Fraudsters might choose to clone an existing credit card and use the card to make in-store purchases or ATM withdrawals from the legitimate customer’s bank account.

In other words, a successful ATO fraud can enable cybercriminals to commit more account takeovers and target a customer’s credit card accounts. But credit card fraud is just the tip of the ATO attack iceberg. Fraudsters have much more opportunities to profit once they gain access to another person’s bank account.

Step 3: Understanding ATO’s Long-Term Impact

People don’t just store money in their bank. A bank customer account also contains several PII types, including the account holder’s social security number, bank account numbers, home address, mobile phone number, email account, associated credit card numbers, and more. In other words, successful ATO fraud attacks can provide fraudsters with troves of personal data that they can use to commit more identity fraud. 

Access to PII and sensitive data is like striking oil for fraudsters. If a fraudster gains access to a customer’s financial accounts, plenty of additional identity theft opportunities await them. Fraudsters can use these stolen credentials to commit tax refund scams or use a legitimate customer’s credentials to apply for loans, open new accounts, or request new lines of credit. Alternatively, they could also use the stolen PII to build a synthetic ID at a new financial institution where they can request new credit cards or fill out loan applications for stolen credentials. And all in a legitimate customer’s name.

Key Takeaways

ATO attacks are popular among fraudsters because they can result in significant gains. A single ATO can give fraudsters access to the data they need to commit more fraud at the targeted customer’s expense. 

Customers are not the only ones who can suffer because of an ATO attack. Banks and businesses can also experience reputational damage as a result of these incidents. That’s why it is important to understand the life cycle of ATOs. Decoding the DNA of ATOs is the first step to stopping future attacks. Stay tuned to this space to learn how to fight back. 

Download the report Leveraging the Digital Banking Shift to learn how the pandemic has changed consumers’ traditional banking practices and how to build trust with digital banking newcomers.