Outline of how to decode the DNA of account takeover attacks

What makes account takeover (ATO) fraud so troublesome for banks, financial institutions, businesses, and consumers alike? This form of identity theft can take on a life of its own. If a fraudster successfully commits account takeover fraud, they can get their hands on all the data they need to commit even more fraud. 

What is Account Takeover?

Account takeover (ATO) fraud is a form of fraud that involves a bad actor taking control of legitimate accounts. For banks to take effective measures against ATO fraud, it’s important to understand its DNA. Here’s a guide to help you decode account takeover’s DNA. 

What’s Driving the Rise in Account Takeover Fraud?

Three key factors are driving the rise in account takeover fraud. 

New Digital Banking Customers Means More Fraud Targets

The COVID-19 pandemic pushed many customers into the digital banking ecosystem, presenting ATO attackers with an expanded pool of fraud targets. Many customers were just learning how to bank and shop online, and fraudsters eagerly took advantage of their unfamiliarity with digital banking to commit ATO fraud. Additionally, the large influx of government dollars directed at the economy created a perfect storm of opportunity for bad actors to exploit.

Stolen Customer Credentials are Widely Available

Easy access to stolen customer credentials is also fueling account takeover fraud’s rise. Data breaches have exposed billions of personally identifiable information (PII) credentials that are available for sale on the dark web. Bad actors have a deep arsenal of tactics and technologies – including phishing attacks and malware – to steal additional customer account credentials. 

Account Takeover Fraud is a Low-Risk, High-Reward Activity

Finally, fraudsters realize they can execute numerous ATO fraud attacks in a short period. Even if they are only successful once out of a few hundred or even a thousand login attempts, they profit with little effort. 

ATO Impersonation & Manipulation Attacks

Account takeover fraud falls into two distinct categories: impersonation and manipulation.

Impersonation Attacks

In an impersonation ATO fraud, a bad actor impersonates a legitimate user to access their account. They may use compromised PII data – like a stolen username and password – or other sensitive data to pretend to be the account holder. This compromise can be enhanced with a vishing attack to extract one-time passcodes. From there, the fraudster accesses the customer’s account and changes account details to control the account, transfer funds to a mule account, or make purchases using the customer’s payment cards. 

Manipulation Attacks

Manipulation attacks use Remote Access Tools and Remote Access Trojans, also known as RATs. 

A Remote Access Tool facilitates account takeover attacks via Remote Access Scams where the attacker convinces the victim to allow them access to their system. Once access has been granted, a bad actor can infect the unsuspecting customer’s device whenever they want for follow-on attacks.

Additionally, legitimate account holders can inadvertently install RATs. A customer may click on a link in a text message or email and unknowingly fill out a form that installs the malware onto their device. After the malware is installed, fraudsters can access any information stored on the device.

5 Ways to Commit an Account Takeover Attack

Using either impersonation or manipulation types of attacks, fraudsters typically use one of five notable methods to commit account takeover fraud.

Compromised Credentials

A recent survey by Google found 65% of U.S. adults use the same password for multiple accounts. Unfortunately, with large troves of sensitive data now widely available due to years of data breaches, committing large-scale ATO fraud on multiple user accounts has never been easier for fraudsters. Especially with credential-stuffing bot attacks.

Phishing Attacks

Fraudsters use phishing attacks to trick customers into voluntarily revealing their PII. For example, they send customers an email pretending to be their legitimate bank and instruct them to log into their online bank account. Once the customer has revealed their credentials, the fraudster can proceed with their account takeover fraud.

Vishing Attacks

Vishing involves a fraudster establishing voice-based communication with their target. Fraudsters will contact their target and pretend to be an IT specialist who has detected suspicious activity on their computer. From there, the fraudster guides their victim to give them remote access to their device or a one-time passcode.

Smishing Attacks

Smishing is another form of phishing. In this tactic, a fraudster texts their victim that something is wrong with their bank account. The message includes a link to sign into their account. However, these links are fake forms designed to trick the recipient into revealing their personal information.

Malware Attack

In a malware attack, a fraudster tricks their victim into installing a malicious program onto their mobile device. Once installed, the fraudsters access the computer or mobile device remotely, stealing credentials or enabling man-in-the-middle attacks.

Understanding ATO’s Long-Term Impact

People don’t just store money in their banks. A bank customer account also contains several PII types, including the account holder’s social security number, home address, mobile phone number, email address, associated credit card numbers, and more. In other words, successful ATO fraud attacks can provide fraudsters with troves of personal data that they can use to commit more identity fraud. 

Access to PII and sensitive data is like striking oil for fraudsters. If a fraudster gains access to a customer’s financial accounts, plenty of additional identity theft opportunities await them. Fraudsters can use these stolen account credentials to commit tax refund scams or use legitimate customers’ credentials to apply for loans, open new accounts, or request new lines of credit. Alternatively, they could also use the stolen PII to build a synthetic ID at a new financial institution where they can request new credit cards or fill out loan applications for stolen credentials. And all in a legitimate customer’s name.

Decoding the DNA of ATO Attacks 

Customers are not the only ones who can suffer because of an ATO attack. Banks and businesses can also experience reputational damage as a result of these incidents. That’s why it is important to understand the lifecycle of ATOs. Decoding the DNA of an ATO attack is the first step in fighting back with enhanced account takeover prevention. 

Banks can either react to or prevent an account takeover attack. If they are reacting, then the fraudster’s ATO attack has been successful, and the fallout can take a significant toll on a financial institution’s reputation and undermine consumer trust in the organization. And let’s not forget about the considerable financial stress that bank customers could endure as they attempt to sort through the fraud-related damage to their accounts and credit history. 

4 Tips for Enhanced Account Takeover Prevention

Here’s what banks can do to prevent future attacks armed with this understanding of account takeover DNA to enhance their prevention efforts.

Tip 1. Know Your Legitimate Customers’ Digital DNA Profile

Prevention is a much more effective strategy when it comes to ATOs. Understanding the DNA of an ATO attack should be a central component of a bank’s fraud detection strategy. The second is to decode the financial DNA of their legitimate customers. 

Building a DNA profile of legitimate customers relies on banks and businesses drawing on several different customer-generated data points to get a holistic view of normal behavior. These data points can include biometric actions – such as how they move their mouse, type on a keyboard, or hold a mobile device. They can also include behavioral data – what time of day a customer usually logs into their account, the mobile devices and networks they typically use, how much time they spend on a site or online platform, and how they typically transact. 

Malware detection can also identify precursors to ATO attacks like keylogging, phishing, or Remote Access Trojans. All are examples of why fraud prevention should begin at the moment of login to stop any potential account takeover attempts and future fraud attempts.

This knowledge of typical customers’ behaviors can help banks determine if an ATO attempt is underway if the customer’s account suddenly starts to behave differently. Using unfamiliar mobile devices, an unusually high rate of failed login attempts, changes to default language settings, login attempts from new geographical locations, or the detection of malware can alert banks that the account is experiencing some unusual activity, or even an active attack and is at a high risk of an ATO. Knowing when usual events are occurring is the first step in preventing them and triggering the proper response mechanism to protect customers from being manipulated into compromising their session or revealing their credentials.

Tip 2. Educate your customers

Teaching customers about how ATO attacks succeed can be an important step in preventing future attacks. Fraudsters need access to legitimate customers’ PII to commit ATO attacks. Banks and businesses should raise awareness about fraud tactics like phishing attempts like fake websites and SMS scams that trick customers into revealing their personal details. Consumers should also be encouraged to use secure passwords and change them regularly.

Tip 3. Promote good digital hygiene

Teaching customers about how their everyday online habits can reveal personal information can also go a long way toward account takeover prevention. Banks can warn customers that some mobile gaming apps carry risks to their privacy, especially if they carry some type of malware. Fraudsters can also use customers’ information for social engineering purposes. They build new, fake profiles and attempt to pass themselves off as legitimate users.

Tip 4. Invest in layered security

Banks can thwart ATO attempts if they have effective safeguards in place. This can include two-factor authentication and biometrics measures to access bank accounts or authorize specific types of transactions. The more layers of security, the harder it gets for fraudsters to succeed in their account takeover efforts. But too much authentication can also cause customer friction. That’s why banks should verify their customers at every interaction to ensure nothing changes between their previous interaction and the current one. This ensures only good users are interacting with the system and will continue to be allowed to transact.  

Account takeovers are one of the most persistent types of fraud because they enable even more fraud. If left unchecked, ATO can take on a life of its own. The key is to stop this type of fraud before it can reach the transaction stage. Stopping this fraud in its tracks begins with decoding its DNA and building an understanding of a legitimate bank customer’s financial DNA.