Account takeover fraud: How it works and prevention strategies


In recent years, account takeover fraud has emerged as a dominant form of cybercrime, accounting for over half of all fraudulent transactions in 2020. This means that having a good account takeover prevention strategy can dramatically decrease the risk of doing business online.

This article delves into the nature of account takeover fraud, examining how account takeover works, the potential consequences for businesses and consumers, and effective measures to mitigate the risk.

What is account takeover fraud?

An account takeover, also known as an ATO or ATO attack, occurs when someone gains unauthorized access to an individual's online account and uses it without the owner's knowledge to steal money or personal data. Its occurrence is steadily increasing.

Example of account takeover fraud

In a real-life scenario of account takeover fraud, a fraudster might phish for personal information by sending a deceptive email that appears to come from a trusted institution, such as a bank. 

The victim, believing the email to be legitimate, unwittingly provides their login credentials. The criminal then uses this information to access the victim's account, transfer funds, or make unauthorized purchases.

Who is targeted in account takeover fraud?

Account takeover fraud targets individuals with online accounts that hold financial value or personal data, such as bank accounts, because they provide direct access to funds or can be used for identity theft and subsequent fraudulent activities.

Types of businesses at risk include:

  • Banks and financial institutions: They hold sensitive financial data and assets.
  • E-commerce platforms: These sites often have stored payment information that can be exploited.
  • Telecommunication companies: Accounts are often linked to payment methods and personal data.
  • Social media platforms: A high-usage source of personal information that could be useful for identity theft.
  • Healthcare providers: Access to health records can be used for insurance fraud or identity theft.

How does a fraudster obtain login credentials?

There are several actions a fraudster can take once they have successfully gained access to an account. The first step, however, is obtaining the login credentials, which I explain below.

Credential stuffing

Credential stuffing exploits large databases of stolen user credentials by using automated software to attempt logins across multiple websites. It operates on the principle that many people reuse their passwords, making it likely that a username-password pair from one breach can unlock accounts on unrelated services. 

This method is particularly effective due to its speed and the ability to test thousands of combinations quickly, potentially compromising user accounts at scale.
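As an added example (not code from the original article or from Fingerprint), the following Python detector illustrates the server-side signal that separates credential stuffing from ordinary failed logins: one source address cycling through many distinct usernames in a short window with a low success rate. The log lines and IP addresses are constructed sample data, and the thresholds (window length, distinct-user count, success rate) are assumed starting values that a deployment would tune.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int          # unix seconds
    source_ip: str
    username: str
    success: bool


# Constructed sample log (not real traffic). 203.0.113.7 walks through six
# different usernames in a few seconds; one pair happens to work because that
# user reused a breached password. 198.51.100.4 is a normal user who mistyped
# once, and 192.0.2.10 is an office NAT with three successful users.
SAMPLE_ATTEMPTS = [
    LoginAttempt(1000, "203.0.113.7", "alice", False),
    LoginAttempt(1001, "203.0.113.7", "bob", False),
    LoginAttempt(1002, "203.0.113.7", "carol", False),
    LoginAttempt(1003, "203.0.113.7", "dave", False),
    LoginAttempt(1004, "203.0.113.7", "erin", False),
    LoginAttempt(1005, "203.0.113.7", "frank", True),
    LoginAttempt(1000, "198.51.100.4", "carol", False),
    LoginAttempt(1010, "198.51.100.4", "carol", True),
    LoginAttempt(1020, "192.0.2.10", "gina", True),
    LoginAttempt(1021, "192.0.2.10", "hank", True),
    LoginAttempt(1022, "192.0.2.10", "ivan", True),
]


def credential_stuffing_sources(attempts, window_s=300, min_distinct_users=5,
                                max_success_rate=0.2):
    """Return {source_ip: peak_distinct_usernames} for every source that, inside
    some sliding window of `window_s` seconds, tried at least
    `min_distinct_users` different usernames with a success rate at or below
    `max_success_rate`. Thresholds are assumed starting points, not tuned values.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.source_ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        in_window = Counter()   # username -> attempts currently inside the window
        successes = 0
        left = 0
        for right, a in enumerate(rows):
            in_window[a.username] += 1
            successes += a.success
            # Slide the left edge forward until every attempt is within window_s.
            while rows[left].ts < a.ts - window_s:
                old = rows[left]
                in_window[old.username] -= 1
                if in_window[old.username] == 0:
                    del in_window[old.username]
                successes -= old.success
                left += 1
            n = right - left + 1
            if len(in_window) >= min_distinct_users and successes / n <= max_success_rate:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def accounts_to_protect(attempts, flagged_ips):
    """Usernames that logged in successfully from a flagged source: these are the
    reused-password victims that need a forced reset or step-up verification."""
    return sorted({a.username for a in attempts
                   if a.success and a.source_ip in flagged_ips})


if __name__ == "__main__":
    hits = credential_stuffing_sources(SAMPLE_ATTEMPTS)
    print("stuffing sources:", hits)
    print("accounts to protect:", accounts_to_protect(SAMPLE_ATTEMPTS, hits))
```

The important output is the second list: the one username that succeeded from a flagged source is the account whose password was reused from a breach, and it should be forced through a reset or a second factor rather than simply blocking the source address, which the attacker can rotate.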

Phishing

Phishing involves fraudsters impersonating legitimate organizations via email, text messages, or phone calls to deceive individuals into providing sensitive information, such as passwords, credit card numbers, and Social Security numbers. 

These deceptive communications often create a sense of urgency, prompting victims to act quickly under the false premise of security concerns or account issues. By exploiting the trust of individuals, phishing attacks effectively harvest credentials and personal data for fraudulent purposes.

Data breaches

Data breaches occur when unauthorized individuals infiltrate an organization's secure networks to steal sensitive information, such as usernames, passwords, and personal identification details. These intrusions can result from cyberattacks exploiting security vulnerabilities or insiders leaking data. 

The stolen information is often sold on dark web marketplaces, where it can be purchased by fraudsters aiming to commit identity theft, fraud, or unauthorized account access.

Weak passwords

Weak passwords, such as those using common words, dates, or sequences, significantly elevate the risk of bank account takeover fraud by simplifying the task for cybercriminals attempting unauthorized access. This threat compounds when individuals reuse the same usernames and passwords across multiple accounts, allowing a single compromised credential to unlock several services. 

This vulnerability is a critical entry point for fraudsters, who can exploit these weak defenses to gain control over financial assets and personal information with minimal effort.

Spyware

Spyware is a type of malicious software that, once covertly installed on a victim's device, can monitor and record their digital activity without consent. This includes logging keystrokes to capture login credentials, tracking online behavior, and accessing personal and financial information. 

By operating silently in the background, spyware allows fraudsters to gather sensitive data over time, paving the way for identity theft, account takeover, and other forms of digital fraud.

What actions can fraudsters take following a successful bank account takeover?

Change account information

In account takeover fraud, once a fraudster gains access to an account, they can change information associated with the account, such as email addresses, phone numbers, and the password, effectively locking out the legitimate owner. 

The unauthorized changes prevent the victim from accessing their account and allow the fraudster to conduct unauthorized transactions, redirect communications, and potentially access linked accounts. The consequences include financial loss, identity theft, and long-term damage to the victim's credit score and reputation.

Account draining

Upon gaining unauthorized access to a victim's account, criminals frequently aim to transfer all available funds. They might conduct multiple transfers to make tracing the money more challenging.

Many banks and financial institutions now require authentication steps for large transfers, but sophisticated criminals can get around these security measures.

For example, fraudsters in the United Kingdom stole more than £8,000 from an account holder by utilizing a loophole where no authentication was required to pay previous payees. Once they made the transfers, they contacted the payees, asking for a refund to be paid to their account.

Money laundering

Criminals who obtain cash from illicit activities seek ways to launder their money. If they can access a victim's bank account, they can deposit this ill-gotten money and make a series of transfers or ATO payments to hide its criminal origin. (Learn more in our Money Laundering Fraud guide.)

Money muling

Money muling is a form of money laundering in which criminals use legitimate bank account holders to launder their illicitly gained money. This concept is analogous to a "drug mule," but with cash instead of narcotics.

Criminals use these accounts to clean their money by quickly transferring money in and out with ATO online payments. Once the transactions are completed, the money appears legitimate.

Money muling often targets young individuals, and the number of people under 30 involved is expected to rise by nearly 80 percent between 2020 and 2021.

Loan and credit card application fraud

By taking over bank accounts, fraudsters gain access to personal information that can be exploited for identity theft, enabling them to fraudulently apply for credit cards and loans in the victim's name. 

This misuse of stolen data leads to unauthorized debt accumulation, often unnoticed by the victim until significant damage occurs. The delay in noticing the fraud further complicates efforts to trace and address the fraud. (Learn how to detect and prevent repeat loan applications.)

Open new accounts

Fraudsters can use a victim's stolen identity to open new financial accounts, such as credit cards and loans, under the victim's name. This unauthorized activity, also known as new account fraud, leads to economic losses and entangles the victim in a web of legal complexities and credit score damage. Resolving these issues often requires extensive time and resources, further compounding the problem for the victim.

What are the consequences for banks and fintechs?

The repercussions of account takeover fraud extend beyond individual victims, significantly impacting banks and fintech companies in the form of financial losses, broken customer trust, and heightened regulatory scrutiny, which all highlight the need for effective fraud prevention measures.

Revenue loss

Banks and financial services companies are seen as lucrative targets by fraudsters because of the potential for a big windfall. It's not just customers at risk — financial services companies are often required to reimburse fraud victims.

Aberdeen's research found that companies in the finance sector can lose up to 8.3 percent of annual revenue to one ATO attack. Notably, per the report, "The financial consequences of successful account takeovers have grown to a level that goes beyond a mere 'cost of doing business' to become a material business risk."

Damage to brand reputation

Since banks and fintech companies are in the business of holding and safeguarding customers' money, being unable to do so is a fundamental problem. Customers who are victims of account takeover fraud naturally talk to people they know, which creates substantial reputational risk and highlights the importance of prioritizing online security for banking and financial organizations.

Rise in credit card chargebacks

Chargebacks are a form of fraud protection provided to debit and credit card holders as a service. They're often used in e-commerce, where cardholders can seek a refund if items they purchase arrive damaged, never arrive at all, or if the cardholder didn't authorize the purchase in the first place.

Chargeback fraud is increasingly common, where customers take advantage of the protection this system gives them to buy items, claim they never arrived, and enlist the help of their card issuer to force a refund from the merchant.

This impacts financial organizations because of the sheer time spent investigating chargebacks. It takes time to process disputes between customers and merchants, and implementing systems that prevent these transactions in the first place is a much more efficient approach. (Read our guide on how merchants can protect themselves from credit card chargeback fraud.)

8 ways banks and fintech can prevent account takeover fraud

1. Employ strong password security policies

Strong password security policies are crucial in safeguarding accounts against unauthorized access and mitigating the risk of fraud. A strong password is typically long, combines letters, numbers, and symbols, and avoids common words or quickly guessable sequences, making it difficult for bad actors to crack.

2. Implement multifactor authentication

Multifactor authentication (MFA) significantly enhances security by requiring users to provide two or more verification factors to gain access to an account, making account takeover (ATO) fraud substantially more challenging for attackers.

MFA adds layers of defense beyond just a password, drastically reducing the likelihood of unauthorized access even if the primary password is compromised.

3. Limit login attempts

To deter automated bot attacks, which test multiple username and password combinations, limit the number of login attempts. After several failed attempts, impose a 12- or 24-hour stand-down period or ask for additional verification. 

However, we also advise not being too strict regarding login attempts since users may forget passwords, not use a password manager, or make typos. A limit of 3-5 consecutive failed logins is a common practice.
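As an added example that is not part of the article or Fingerprint's product, this Python limiter encodes the policy the two paragraphs above describe: a counter of consecutive failures per account, a request for additional verification once the counter reaches three, a stand-down period once it reaches five, and a reset on success or when the stand-down expires. The `LoginLimiter` class, its `attempt` method and the explicit `now` argument are assumed names; timestamps are passed in so the behaviour can be exercised without waiting 12 hours.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    consecutive_failures: int = 0
    stand_down_until: float = 0.0   # unix seconds; 0 means no stand-down


class LoginLimiter:
    """Per-account failed-login limiter (assumed design, not a library API).

    Decisions returned by attempt():
      "allow"    password correct, no recent trouble
      "step_up"  password correct, but after several failures: require a
                 second verification step before issuing a session
      "denied"   password wrong, counter incremented
      "locked"   stand-down in force: the password is not even evaluated
    """

    def __init__(self, max_failures=5, step_up_after=3, stand_down_s=12 * 3600):
        self.max_failures = max_failures        # article: 3-5 is common practice
        self.step_up_after = step_up_after
        self.stand_down_s = stand_down_s        # article: 12- or 24-hour stand-down
        self._state = {}                        # username -> AccountState

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        st = self._state.setdefault(username, AccountState())

        if st.stand_down_until > now:
            return "locked"
        if st.stand_down_until:                 # stand-down has expired: fresh start
            st.consecutive_failures = 0
            st.stand_down_until = 0.0

        if password_ok:
            needs_step_up = st.consecutive_failures >= self.step_up_after
            st.consecutive_failures = 0
            return "step_up" if needs_step_up else "allow"

        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_failures:
            st.stand_down_until = now + self.stand_down_s
            return "locked"
        return "denied"


def demo():
    """Constructed scenario: a forgetful user and an account being guessed at."""
    limiter = LoginLimiter()
    out = []
    for t in (1, 2, 3):                                   # alice mistypes three times
        out.append(limiter.attempt("alice", False, t))
    out.append(limiter.attempt("alice", True, 4))         # correct: step-up, not a lock
    for t in range(10, 15):                               # five wrong guesses at bob
        out.append(limiter.attempt("bob", False, t))
    out.append(limiter.attempt("bob", True, 15))          # right password, still locked
    out.append(limiter.attempt("bob", True, 14 + 12 * 3600 + 1))  # stand-down over
    return out


if __name__ == "__main__":
    print(demo())
```

In production the counters live in shared storage (a cache or database) rather than in process memory, so every login front end sees the same state. Counting per account rather than per source address is what stops guessing that is spread across many addresses, and the step-up tier before the hard stand-down limits the collateral damage of a lockout, which otherwise lets anyone deny a customer access by deliberately failing their login five times.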

4. Create a list of blocked IP addresses

Many fraudsters are repeat offenders, so it helps to permanently block the IP addresses behind fraud attempts. If your organization is the victim of fraud or attempted fraud, there's a good chance the person behind it will try again.

With that knowledge in mind, blocking the IP addresses of known bad actors makes sense. You can even share data with a third party to collaborate with other businesses and block other fraudsters before they target your financial organization.

Fraudsters often hide their IP addresses using techniques such as a VPN. Legitimate customers do this too, so it's not a smoking gun for fraud, but it may warrant further investigation if a customer's location is constantly changing.

5. Sandboxing

Sandboxing refers to separating different business applications so that if one is compromised, the others remain safe.

This technique is like the security equivalent of the Titanic, designed so that if water flooded one section of the ship, it could be shut off from the rest, and the boat would remain afloat. That didn't work as intended on the Titanic, but it's still a very effective online security measure!

For banking and finance, sequestering areas for online programs helps protect the rest of your business. It minimizes the security risk by compartmentalizing vulnerable, valuable, or high-risk business networks to separate them.

6. Improve your account takeover prevention workflows

Implementing preemptive measures is critical to proactively combating account takeover (ATO) fraud. Fingerprint offers a robust solution by assigning a unique identifier to each website or mobile app visitor, enabling persistent tracking of user activities. 

This technology thwarts fraudsters' attempts to evade detection through methods like clearing cookies, using VPNs, or browsing in incognito mode by linking their current actions to previously identified suspicious behavior, thereby enhancing the ability to prevent ATO fraud effectively.

7. Monitor accounts for suspicious activity

Monitoring accounts for suspicious activity is vital in detecting and preventing fraudulent actions, such as unauthorized access or transactions. 

Fingerprint aids in this process with its unique visitor identification technology, which can analyze behavior patterns so that websites can flag activities that deviate from the norm, identify potential fraud in real time, and act quickly to secure accounts and mitigate risk.
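As an added example (not part of the article and not Fingerprint's code), the following Python rules run over a constructed account-event log and flag the takeover sequence described earlier in the article: a login from a device the account has never used, contact or password changes shortly afterwards, then transfers that follow those changes or arrive in quick succession. The event schema, the `device` identifier (assumed to come from whatever device-identification layer the application uses), the known-device baseline and all time windows are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # unix seconds
    account: str
    kind: str         # "login" | "contact_change" | "password_change" | "transfer"
    device: str       # device/visitor identifier supplied by the application (assumed)
    amount: float = 0.0


# Constructed baseline: devices each account has used before this log starts.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}

# Constructed sample log. alice behaves normally; bob shows the takeover sequence.
SAMPLE_EVENTS = [
    Event(0, "alice", "login", "dev-a1"),
    Event(300, "alice", "transfer", "dev-a1", 40.0),
    Event(1000, "bob", "login", "dev-x9"),              # device never seen on bob
    Event(1100, "bob", "contact_change", "dev-x9"),     # e-mail address replaced
    Event(1200, "bob", "password_change", "dev-x9"),    # owner locked out
    Event(1500, "bob", "transfer", "dev-x9", 2500.0),
    Event(1560, "bob", "transfer", "dev-x9", 2400.0),   # balance moved in pieces
    Event(1620, "bob", "transfer", "dev-x9", 2300.0),
]


def detect_ato_patterns(events, known_devices, change_window=3600,
                        drain_window=86400, velocity_window=600, velocity_count=3):
    """Return [(account, rule, ts)] for every event that matches a rule.

    Rules (windows are assumed defaults):
      login_from_new_device                     device not in the account's baseline
      credential_change_after_new_device_login  change within change_window of such a login
      transfer_after_account_change             transfer within drain_window of a change
      rapid_successive_transfers                velocity_count transfers inside velocity_window
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_account[e.account].append(e)

    alerts = []
    for account, rows in by_account.items():
        baseline = set(known_devices.get(account, ()))
        new_device_logins, changes, transfers = [], [], []
        for e in rows:
            if e.kind == "login" and e.device not in baseline:
                new_device_logins.append(e.ts)
                alerts.append((account, "login_from_new_device", e.ts))
            elif e.kind in ("contact_change", "password_change"):
                changes.append(e.ts)
                if any(e.ts - t <= change_window for t in new_device_logins):
                    alerts.append((account, "credential_change_after_new_device_login", e.ts))
            elif e.kind == "transfer":
                transfers.append(e.ts)
                if any(e.ts - t <= drain_window for t in changes):
                    alerts.append((account, "transfer_after_account_change", e.ts))
                recent = [t for t in transfers if e.ts - t <= velocity_window]
                if len(recent) == velocity_count:      # fires when the count is first reached
                    alerts.append((account, "rapid_successive_transfers", e.ts))
    return alerts


def accounts_to_review(alerts, min_distinct_rules=2):
    """Accounts that tripped at least `min_distinct_rules` different rules:
    one rule is a hint, a chain of them is the takeover pattern."""
    rules = defaultdict(set)
    for account, rule, _ in alerts:
        rules[account].add(rule)
    return sorted(a for a, r in rules.items() if len(r) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect_ato_patterns(SAMPLE_EVENTS, KNOWN_DEVICES)
    for alert in found:
        print(alert)
    print("review:", accounts_to_review(found))
```

The chaining is the point: a new device on its own is a weak signal (people buy phones), and a contact change on its own is routine, but a new device followed by a contact change followed by split transfers within the same day is the sequence the "Change account information" and "Account draining" sections describe, and it is the moment to hold the transfer and re-verify the owner through a channel the attacker has not just replaced.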

8. Customer and employee education

Educating customers and employees about account takeover fraud is crucial for building a first line of defense because informed individuals are more likely to recognize and prevent fraudulent attempts. This collective awareness reduces the incidence of fraud and fosters a culture of security and vigilance within organizations and their user base.

Prevent and detect account takeover fraud with Fingerprint 

As the awareness of account takeover threats is rising alongside their coverage in the media, financial organizations face not only the imperative to secure themselves, but also the opportunity to stand out by demonstrating a solid commitment to online security and protecting their customers' data. 

Ready to stop account takeover fraud?

Sign up for a free trial to see how Fingerprint uses advanced technology to detect and prevent ATO fraud.

FAQ

What are the signs of an account takeover?

Signs of an account takeover include unexpected changes in account details, such as passwords or contact information, and unauthorized transactions or activities. Additionally, receiving notifications for login attempts or actions not initiated by the user can indicate a compromised account.

What is the difference between identity theft and an account takeover?

Identity theft involves the unauthorized acquisition and use of someone's personal information for fraud, such as opening new accounts or committing crimes in their name. 

Account takeover, on the other hand, refers to the unauthorized access and control of existing accounts, typically for financial gain or to perpetrate fraud using the victim's established credentials.

What measures can individuals take to protect themselves from account takeover fraud?

Individuals can protect themselves from account takeover fraud by regularly updating their passwords and enabling multifactor authentication on all accounts. Additionally, monitoring account activity for unauthorized transactions and being cautious of phishing attempts are critical preventative measures.

What steps should you take if you're a victim of account takeover fraud?

If you're a victim of account takeover fraud, immediately notify the financial institutions or service providers to secure your accounts and begin the fraud dispute process. Then, report the incident to relevant authorities, such as law enforcement and credit reporting agencies, to safeguard your identity and financial reputation.
