Account takeover fraud

Our economic lives are increasingly digital. Bank, credit and crypto accounts are often online, as are numerous other services. Research from NordPass indicates the average person has over 100 passwords for various sites and services. Unfortunately, these accounts are prime targets for fraudsters who use different account takeover fraud techniques to gain access to funds or to obtain the personal information needed to commit other fraudulent activity.

Considering the value of online accounts, the number of global accounts and the speed that an ATO can access funds, account takeover fraud is one of the most severe forms of fraud today. According to Sift, account takeover attempts are up 228%  from Q2 2019 to Q2 2020, while NuData noted $6.8 billion was lost to account takeover fraud in 2019 in the U.S. alone.

Ensuring your organization has effective fraud prevention measures to protect your corporate accounts and customer accounts from account takeover attacks is essential to avoid financial losses, reputational damage and customer churn.

What is account takeover fraud?

Account takeover fraud involves fraudulently taking control of an account to access funds, perform unauthorized transactions, or gain entry to other accounts.

If not stopped, funds in a compromised online account are often quickly drained. As many people use repeat passwords, the fraudster can also try to take over other accounts. Or, the account itself might provide access to other linked services, like an email account. For example, SIM-swap fraud enables fraudsters to access a mobile device, providing access to email and other personal accounts and allowing the fraudster to takeover other accounts.

Businesses are also vulnerable. Corporate account takeovers amplify the fraud risk, as these accounts can hold significant funds and provide access to numerous customer profiles and confidential information. In one case, a global hotel brand had a data breach that exposed over five million customer records; the hackers were able to get hold of information by attaining employee credentials.

Preventing account takeover attacks

As with all fraud prevention measures, proper tools, training and ongoing diligence will help protect your organization. As there are many ways that fraudsters can get hold of accounts, there’s no one “magic” solution. Rather, layering in various social and technological processes helps reduce fraudsters’ opportunities and mitigate any damage if they gain access.

Effective onboarding

The onboarding stage, when you gather initial account information, is an opportunity to prevent fraud before it even starts. Verifying that a customer is who they say they are helps limit the opening of illegitimate accounts. The same applies to employees, suppliers, business partners and anyone with whom you’re doing business.

The information can also be analyzed at different points of the relationship to revalidate the account. Does the information they provided sync with information on record? If not, is there a good reason for any discrepancies? Depending on the type and quantity of data collected at onboarding, there are many ways to determine legitimacy.

Account takeover fraud - document verification

ID document verification can gather evidence of government-issued identity, as well as biometric information. The customer should be able to provide this evidence again if requested. It’s important to note that storing biometric data is especially sensitive and might not be permissible, depending on the jurisdiction.

MobileID information such as device, geolocation, usage and billing data provide numerous data points that are difficult for fraudsters to produce. This information is metadata, so it doesn’t require the user to provide it, enabling a more friction-free check.

If you need to verify an organization, you can use business verification to verify information like:

  • Business registration number
  • Company name
  • Address
  • Status
  • Key management personnel
  • Date of incorporation

Risk intelligence

Account and transaction monitoring enable ongoing insight into usage and any unusual activity can be quickly flagged for further analysis. Numerous data patterns can indicate potential fraud, including:

  • Spikes in activities
  • Exceeding thresholds
  • Out-of-area or unusual cross-border activities
  • Changing purchase patterns
  • Consumer alerts
  • Credit reports
  • IP address discrepancies

If there’s a fraud flag indication, halting transactions or temporarily freezing accounts is best practice. People understand the need for security and accept minor inconveniences to ensure their information is secure.

Education and training

Many customers are not computer savvy and might not know best practices when it comes to online safety. Taking the time and effort to help protect customers creates goodwill and can help avoid serious customer service issues. Everything from clear explanations to copy suggestions can help users more effectively use your services and better protect themselves.

Employee training on proper security practices is advisable, and in many cases, it’s a compliance requirement. For example, in the U.S., there are over 8500 local, state and federal standards that might require implementation. Date privacy considerations, information protection, ensuring payment information and company data is kept secure, and numerous other factors require robust and ongoing training:

  • Awareness
    Employees need to understand the overall risks and develop a security mindset.
  • Fraudulent practices
    Employees need to know what techniques fraudsters can deploy and to be vigilant to watch out for those activities.
  • Specific actions
    What are the company protocols and procedures to handle various scenarios? These instructions need to be clear and communicated.
  • Testing
    Expecting security, without analysis, is problematic. Numerous methods to probe defenses, from fake phishing emails to sophisticated penetration tests, can help detect issues before they become security failures.
  • Ongoing training
    Fraudsters continue to develop new ways to takeover accounts and people can often become complacent. Regularly updating programs and training is a good recommendation.

Account takeover fraud - systems and technologies

Systems and technologies

The global cybersecurity market is projected to reach $281 billion by 2027, from $112 billion in 2019. Numerous technologies and systems can monitor, detect, analyze and actively prevent fraudulent activity, including:

  • Identity access management
  • Two-factor or multi-factor authentication
  • Firewalls
  • Filters
  • Email scores and verification
  • Anti-virus software

Security and speed – A holistic approach to digital business

Account takeover fraud is a serious potential risk for businesses. However, security procedures mustn’t create excessive friction for the customer; simply put, customers won’t tolerate poor account creation experiences. According to our Account Opening Report nearly half (44%) say they would give up if a financial services site could not verify their identity after multiple attempts, and 41% would walk away if there were a lack of transparency about why certain personal information is required.

Fortunately, speed and security don’t need to conflict with each other. Creating risk-based workflows that consider risk profiles and adapt security accordingly, provides options to maximize customer acquisition while minimizing the risk of fraud. Effective use of systems and “human firewalls” help create organizations with both the technical capabilities and security-centric philosophies to help guard against fraud and risk in all its forms.

Ensuring that accounts remain in possession of authorized owners is fundamental. Taking significant measures to deter account takeover fraud while keeping the customer experience effective is the path to business success.