
In the US banking sector, Account Takeover (ATO) fraud attacks grew rapidly, by 72%, from 2018 to 2019. UK banks experienced roughly a 50% increase in remote banking fraud losses during the same period. Clearly, ATO is a growing global threat. Here’s what you need to know to fight back.

What’s fueling the explosion of ATO attacks?

Fueled by societal and economic instability, fraudsters can leverage several dubious techniques to gain access to vulnerable customer accounts (e.g., phishing attacks, stolen credentials, identity theft). Account takeover attacks that were once large-scale, ‘scattershot’ campaigns have morphed into smaller, more honed attacks. While lacking in individual size, these attacks are more finely tuned and, as a result, significantly more effective. For example, such attacks can net up to six- to seven-figure losses for consumers, which financial institutions (FIs) end up reimbursing.

Chart showing ATO fraud rose to $6.8 billion in 2019 from $3.9 billion in 2012
Chart showing remote banking fraud losses and annual case volumes from 2012-2019

Why has the cost of ATO fraud increased?

It’s no secret that fraud is a constant game of cat and mouse: fraudsters develop new attack techniques, and banks respond with the latest technology to keep pace. But why has the cost of ATO increased so significantly in the past three years?

The answer lies within the new payment methods and ever-expanding banking availability that have cropped up over the past decade. For example, as new peer-to-peer (P2P) payment methods have been developed and rolled out, they’ve been key targets for fraudsters to exploit. In recent years, new P2P platforms have seen 48% to 58% year over year growth. Not to be outdone, fraudsters have their own impressive growth statistic: P2P fraud at two major providers has seen astronomical growth of 733% between 2016 and 2019.

These new channels contribute to ATO growth for one reason: recovering the money moved out of these accounts through these new digital channels is extremely difficult. Combine that fact with the rapid growth of payment methods that promote anonymity (e.g., different types of cryptocurrency), and fraudsters have several ways to move money quickly out of accounts and obfuscate the money’s origin.

With the above methods of moving and obfuscating funds available, the data released from seemingly daily data breaches has only grown more valuable to fraudsters and poses an increasingly significant threat to banks. Aite Group’s revealed that only 43% of US consumers use a different username and password combination for separate sites. As more and more account credentials are compromised, fraudsters can successfully use each set of account credentials on both the compromised source and other businesses. These credentials are often openly bought and sold on the dark web by fraudsters who, after gaining account access, often drain as many accounts as possible before getting noticed.

Annual number of data breaches in US from 2005 to 1st half of 2020 graph shows increase from approx 10 million to over 1 billion

So the question remains: with the confluence of new digital payment technologies, straightforward obfuscation of funds, and a dramatic increase in availability and quality of breached records, how can banks ensure that they can stay ahead?

This is how to improve fraud detection to combat ATO attacks

The key to keeping pace with new ATO attacks boils down to a simple concept: building a robust data strategy that enables earlier detection in the fraud lifecycle. Regardless of whether they rely on rules or machine learning for fraud detection, current systems are often limited in their detection capabilities because they score at the transaction level. The problem with transaction-level scoring (not including enrichment) is that by the time banks score a transaction, the fraudsters are already attempting to move the money out of the bank. At this point, it is often too late to detect fraud. And, if the bank gets it wrong, the money disappears into the fraudster’s pockets.

Leveraging a robust data strategy to detect fraud earlier in the fraud lifecycle breaks down into two distinct data-themed categories:

First, banks need to be able to bring in third-party data enrichers. These enrichers are critical to fraud modeling and customer profiling because they enable banks to lift the ‘iron curtain’ that digital transactions allow fraudsters to hide behind. When a fraudster or a legitimate customer walks into a bank in person, the bank can apply several authentication measures that simply can’t be applied in digital channels. To account for this, banks need to pull in third-party data (such as device, geolocation, behavioral analysis, malware detection, device emulation, etc.) so they can understand the context the transaction is happening in. For example, if the transaction’s geolocation matches historical data, but it’s evident that the device is hidden behind a proxy, that may be a reason for concern.

The transaction journey from payments to card portfolios to core & activity to digital trust

Second, banks need to be able to bring together their data from all other channels. Omnichannel solutions, which incorporate data from other payments channels (i.e., combining data from credit card & non-card channels), have been shown to drastically increase detection accuracy. However, for ATO fraud specifically, data must be brought together from all customer touchpoints (whether it be call centers, online touchpoints, or others) when making decisions. Omnichannel solutions are critical to detecting fraud earlier. Take, for example, the following scenario:

  • A caller claiming to be Bob calls into a call center to check on his bank account, and after a few minutes of talking with the representative, he thanks him. The bank’s rep has just verified that Bob has an account with the bank.
  • “Fraudster Bob” calls multiple more times to gain additional information and credibility. Bob gets a call center agent to change the email on file to a fraudulent one.
  • As “Fraudster Bob” gained credibility, he could get the online bank account password reset sent to the fraudulent email address through a call center agent. “Fraudster Bob” was able to gain access to the online bank account and look at account balances.
  • Bob’s account has a new login from a location more than 500 miles from his normal transaction area.
  • Bob makes a $2,500 instant transfer to a seemingly good instant transfer account.

By looking at the transaction information in isolation, banks miss a vital part of the picture. Multiple non-monetary events (calls, an email change, login attempts from a new device, and access from a new geolocation) should have triggered warnings. But, without the appropriate context, the wrong decision is easy to make.
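The scenario above can be scored both ways. The following is an added example, not code from the original article or any vendor product: it compares a transaction-only score with one that also counts the non-monetary events preceding the payment. The event fields, weights, window and threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)      # assumed look-back before the transfer
REVIEW_THRESHOLD = 50           # assumed cut-off for holding a payment

# Constructed events for one customer; all weights below are illustrative.
EVENTS = [
    {"ts": "2020-03-01T10:00", "channel": "call_center", "type": "call"},
    {"ts": "2020-03-02T11:00", "channel": "call_center", "type": "call"},
    {"ts": "2020-03-03T09:30", "channel": "call_center", "type": "email_change"},
    {"ts": "2020-03-03T15:00", "channel": "call_center", "type": "password_reset"},
    {"ts": "2020-03-04T08:00", "channel": "online", "type": "login",
     "new_device": True, "miles_from_usual": 740, "proxy": False},
    {"ts": "2020-03-04T08:10", "channel": "online", "type": "transfer",
     "amount": 2500, "instant": True},
]

def transaction_only_score(txn):
    """Score the payment with no context: only amount and speed are visible."""
    score = 10 if txn.get("instant") else 0
    return score + (40 if txn["amount"] >= 10000 else 0)

def omnichannel_score(events, txn):
    """Add non-monetary events from every channel that precede the payment."""
    t_txn = datetime.fromisoformat(txn["ts"])
    prior = [e for e in events if e is not txn
             and timedelta(0) <= t_txn - datetime.fromisoformat(e["ts"]) <= WINDOW]
    score, reasons = transaction_only_score(txn), []
    def hit(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)
    calls = [e for e in prior if e["channel"] == "call_center"]
    if len(calls) >= 3:
        hit(15, "repeated call-center contact")
    changes = [e for e in prior if e["type"] == "email_change"]
    if changes:
        hit(25, "contact email changed")
    # A reset issued after the email change goes to the new address.
    if any(r["type"] == "password_reset" and r["ts"] > c["ts"]
           for r in prior for c in changes):
        hit(30, "password reset after email change")
    for e in (e for e in prior if e["type"] == "login"):
        if e.get("new_device"):
            hit(10, "login from new device")
        if e.get("miles_from_usual", 0) > 500:
            hit(15, "login over 500 miles from usual area")
        if e.get("proxy"):
            hit(15, "device behind proxy")
    return score, reasons
```

Scored alone, the $2,500 transfer stays well under `REVIEW_THRESHOLD`; with the call-center and login events included, the same payment exceeds it and the returned reasons list says why.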

ATO attacks are a significant problem and one that’s not likely to go away. But financial institutions can mitigate ATO fraud. The key is to shift their focus to earlier in the fraud life cycle with the appropriate combination of internal data sources and third-party data sources.

Want to stop ATO fraud attacks? We’ll show you how. Download our latest “how-to guide,” Becoming Preventative vs. Reactionary: Early Risk Detection for Account Takeover Mitigation.