Account Takeover Fraud: How It Works, the Consequences, Strategies for Prevention

March 22, 2024

In recent years, account takeover fraud has emerged as a dominant form of cybercrime, accounting for over half of all fraudulent transactions in 2020. A good account takeover prevention strategy can therefore dramatically decrease the risk of doing business online.

This article delves into the nature of account takeover fraud, examining how account takeover works, the potential consequences for businesses and consumers, and effective measures to mitigate the risk.

What is account takeover fraud?

An account takeover, also known as an ATO or ATO attack, occurs when someone gains unauthorized access to an individual's online account and uses it without their knowledge to steal money or personal data. Its occurrence is steadily increasing.

Example of account takeover fraud

In a real-life scenario of account takeover fraud, a fraudster might phish for personal information by sending a deceptive email that appears to come from a trusted institution, such as a bank. 

The victim, believing the email to be legitimate, unwittingly provides their login credentials. The criminal then uses this information to access the victim's account, transfer funds, or make unauthorized purchases.

Who is targeted in account takeover fraud?

Account takeover fraud targets individuals with online accounts that hold financial value or personal data, such as bank accounts, because they provide direct access to funds or can be used for identity theft and subsequent fraudulent activities.

Types of businesses at risk include:

  • Banks and Financial Institutions: They hold sensitive financial data and assets.
  • E-commerce Platforms: These sites have stored payment information that can be exploited.
  • Telecommunication Companies: Accounts often linked to payment methods and personal data.
  • Social Media Platforms: A high-usage source of personal information that could be useful for identity theft.
  • Healthcare Providers: Access to health records can be used for insurance fraud or identity theft.

How does a fraudster obtain login credentials?

There are several actions a fraudster can take once they have successfully accessed an account. The first step, however, is obtaining the login credentials, which we explain below.

Credential stuffing

Credential stuffing exploits large databases of stolen user credentials by using automated software to attempt logins across multiple websites. It operates on the principle that many people reuse their passwords, making it likely that a username-password pair from one breach can unlock accounts on unrelated services. 

This method is particularly effective due to its speed and the ability to test thousands of combinations quickly, potentially compromising user accounts at scale.

Phishing

Phishing involves fraudsters impersonating legitimate organizations via email, text messages, or phone calls to deceive individuals into providing sensitive information, such as passwords, credit card numbers, and Social Security numbers. 

These deceptive communications often create a sense of urgency, prompting victims to act quickly under the false premise of security concerns or account issues. By exploiting the trust of individuals, phishing attacks effectively harvest credentials and personal data for fraudulent purposes.

Data breaches

Data breaches occur when unauthorized individuals infiltrate an organization's secure networks to steal sensitive information, such as usernames, passwords, and personal identification details. These intrusions can result from cyberattacks exploiting security vulnerabilities or insiders leaking data. 

The stolen information is often sold on dark web marketplaces, where it can be purchased by fraudsters aiming to commit identity theft, fraud, or unauthorized account access.

Weak passwords

Weak passwords, such as those using common words, dates, or sequences, significantly elevate the risk of bank account takeover fraud by simplifying the task of cybercriminals attempting unauthorized access. This danger compounds when individuals reuse the same usernames and passwords across multiple accounts, allowing a single compromised credential to unlock several services. 

This vulnerability is a critical entry point for fraudsters, who can exploit these weak defenses to gain control over financial assets and personal information with minimal effort.

Spyware

Spyware is a type of malicious software that, once covertly installed on a victim's device, can monitor and record their digital activity without consent. This includes logging keystrokes to capture login credentials, tracking online behavior, and accessing personal and financial information. 

By operating silently in the background, spyware allows fraudsters to gather sensitive data over time, paving the way for identity theft, account takeover, and other forms of digital fraud.

What actions can fraudsters take following a successful bank account takeover?

Change account information

In account takeover fraud, once a fraudster gains access to an account, they can change the account information, such as the email address, phone number, and password, effectively locking out the legitimate owner. 

This unauthorized alteration prevents the victim from accessing their account and allows the fraudster to conduct unauthorized transactions, redirect communications, and potentially access linked accounts. The consequences include financial loss, identity theft, and long-term damage to the victim's credit score and reputation.

Account draining

Upon gaining unauthorized access to a victim's account, criminals frequently aim to transfer all available funds. They might conduct multiple transfers to make tracing the money more challenging.

Many banks and financial institutions now require authentication steps for large transfers, but sophisticated criminals can get around these security measures.

For example, fraudsters in the United Kingdom utilized a loophole where no authentication was required to pay previous payees to steal more than £8,000 from an account holder. Once they'd made the transfers, they contacted the payees, asking for a refund to be paid to their account.

Money laundering

Criminals who obtain cash from illicit activities seek methods to launder their money. If they can access a victim's bank account, they can deposit this ill-gotten money and make a series of transfers or payments from the taken-over account to hide its criminal origin.

Victims may not be too worried if they notice an unexplained deposit in their account. However, they might be unaware that a fraudster has access to their account and is using it to launder money, potentially draining it.

>>Read more in our Money Laundering Fraud guide.

Money muling

Money muling is a form of money laundering, in which criminals use legitimate bank account holders to launder their illicitly gained money. This concept is analogous to a 'drug mule,' but with cash instead of narcotics.

Criminals use these accounts to clean their money by quickly transferring it in and out through online payments from the taken-over account. Once that is done, the money appears legitimate.

Money muling often targets young individuals, and the number of people under 30 involved is expected to rise by nearly 80 percent between 2020 and 2021.

Loan and credit card application fraud

By taking over bank accounts, fraudsters gain access to personal information that can be exploited for identity theft, enabling them to apply fraudulently for credit cards and loans in the victim's name. 

This misuse of stolen data leads to unauthorized debt accumulation, often unnoticed by the victim until significant damage occurs. The delay in the fraudulent use of this information further obscures the breach's origin, complicating efforts to trace and address the fraud.

>>Learn how to detect and prevent repeat loan applications.

Open new accounts

Fraudsters can use a victim's stolen identity to open new financial accounts, such as credit cards and loans, under the victim's name. This unauthorized activity, also known as new account fraud, leads to economic losses and entangles the victim in a web of legal complexities and credit score damage. Resolving these issues often requires extensive time and resources, further compounding the problem for the victim.

What are the consequences for banks and fintechs?

The repercussions of account takeover fraud extend beyond individual victims, significantly impacting banks and fintech companies. These financial institutions face financial losses, broken customer trust, and heightened regulatory scrutiny, highlighting the need for effective fraud prevention measures.

Revenue loss

Banks and financial service companies are seen as lucrative targets by fraudsters because of the potential for a big windfall. It's not just customers at risk - finance companies are often required to reimburse fraud victims.

Aberdeen's research found that companies in the finance sector can lose up to 8.3 percent of annual revenue to one ATO attack. Many companies report millions of dollars in revenue, representing a significant business loss.

Significantly, the report stated, "The financial consequences of successful account takeovers have grown to a level that goes beyond a mere 'cost of doing business' to become a material business risk."

Damage to brand reputation

As a business responsible for holding on to customers' money, being unable to do so is a fundamental problem. Customers who are victims of account takeover fraud naturally talk to people they know, which creates a substantial risk to their reputation and highlights the importance of prioritizing online security for banking and financial organizations.

EY Global research found that a cyber attack can destroy trust. It also uncovered worrying revelations for the finance sector: only six percent of financial services companies believed their data security fit their needs. Sixty-five percent said they were planning improvements in the coming years.

Rise in credit card chargebacks

Chargebacks are a form of fraud protection afforded to debit and credit card holders. They often apply in ecommerce, where cardholders can seek a refund if items they purchase don't arrive in working condition, never arrive at all, or if the cardholder didn't authorize the purchase in the first place.

Chargeback fraud is increasingly common, where customers take advantage of the protection this system gives them to buy items, claim they never arrived, and enlist the help of their card issuer to force a refund from the merchant.

This impacts financial organizations because of the sheer time spent investigating chargebacks. It takes time to process disputes between customers and merchants, and implementing systems that prevent these transactions in the first place is a much more efficient approach.

>>Read our guide on how merchants can protect themselves from credit card chargeback fraud.

8 ways banks and fintech can prevent account takeover fraud

1. Employ strong password security policies

Strong password security policies are crucial in safeguarding accounts against unauthorized access and mitigating the risk of fraud. A strong password is typically long, combines letters, numbers, and symbols, and avoids common words or quickly guessable sequences, making it difficult for attackers to crack.

2. Implement multi-factor authentication

Multi-factor authentication (MFA) significantly enhances security by requiring users to provide two or more verification factors to gain access to an account, making account takeover (ATO) fraud substantially more challenging for attackers.

MFA adds layers of defense beyond just a password, drastically reducing the likelihood of unauthorized access even if the primary password is compromised.

3. Limit login attempts

To deter automated bot attacks, which test multiple username and password combinations, limit the number of login attempts. After several failed attempts, impose a 12- or 24-hour stand-down period or ask for additional verification.

However, avoid being too strict, as users may forget passwords, not use a password manager, or make typos. A limit of 3-5 consecutive failed logins is a common practice.
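The policy described above, as an added example that is not Fingerprint's code: a per-account limiter that counts consecutive failures, imposes a stand-down window once the limit is hit, and resets the streak on a successful login. The `verify_password` callable, the account names and the timestamps are constructed for the example.

```python
from dataclasses import dataclass

# Policy values taken from the text: 3-5 consecutive failures is common,
# followed by a 12- or 24-hour stand-down. Both are constructor parameters.
MAX_FAILURES = 5
STAND_DOWN_SECONDS = 12 * 60 * 60

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

class LoginLimiter:
    """Counts consecutive failures per account and enforces a stand-down."""

    def __init__(self, verify_password, max_failures=MAX_FAILURES,
                 stand_down=STAND_DOWN_SECONDS):
        self._verify = verify_password  # hypothetical callable(user, pw) -> bool
        self._max = max_failures
        self._stand_down = stand_down
        self._state = {}

    def attempt(self, username, password, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at epoch time `now`."""
        st = self._state.setdefault(username, AccountState())
        if st.locked_until:
            if now < st.locked_until:
                # Still in the stand-down window: reject without checking the
                # password, so repeated guesses learn nothing and cost nothing.
                return "locked"
            st.failures, st.locked_until = 0, 0.0  # window elapsed, start fresh
        if self._verify(username, password):
            st.failures = 0  # a success ends the streak
            return "ok"
        st.failures += 1
        if st.failures >= self._max:
            st.locked_until = now + self._stand_down
            return "locked"
        return "denied"

def demo():
    """Five wrong guesses lock the account; it reopens after the stand-down."""
    limiter = LoginLimiter(lambda user, pw: pw == "correct horse")  # constructed
    results = [limiter.attempt("alice", "guess%d" % i, float(i)) for i in range(5)]
    results.append(limiter.attempt("alice", "correct horse", 10.0))
    results.append(limiter.attempt("alice", "correct horse", 4.0 + STAND_DOWN_SECONDS))
    return results

if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

Returning "locked" implements the stand-down option; the same counter can instead trigger the additional-verification option by requiring a step-up check before the next password is accepted. Because the count is keyed by username, a deployment pairs it with per-source limits so that one source cannot keep legitimate customers locked out.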

4. Create a list of blocked IP addresses

Many fraudsters are repeat offenders, so it helps to permanently block the IP addresses behind fraud attempts. If your organization is the victim of fraud or attempted fraud, there's a good chance the person behind it will try again.

With that knowledge in mind, blocking the IP addresses of known bad actors makes sense. You can even share data with a third party to collaborate with other businesses and block other fraudsters before they target your financial organization.

Fraudsters often hide their IP addresses by using a VPN. Legitimate customers do this too, so it isn't a smoking gun for fraud, but a customer whose location is constantly changing may warrant further investigation.

5. Sandboxing

Sandboxing refers to separating different business applications so that if one is compromised, the others remain safe.

This technique is the security equivalent of the Titanic's watertight compartments, designed so that if water flooded one section of the ship, it could be sealed off from the rest and the ship would remain afloat. That didn't work as intended on the Titanic, but compartmentalization is a very effective online security measure.

For banking and finance, sequestering areas for online programs helps protect the rest of your business. It minimizes the security risk by compartmentalizing vulnerable, valuable, or high-risk business networks to separate them.

6. Improve your account takeover prevention workflows

Implementing preemptive measures is critical to proactively combating account takeover (ATO) fraud. Fingerprint offers a robust solution by assigning a unique identifier to each website or mobile app visitor, enabling persistent tracking of user activities. 

This technology defeats fraudsters' attempts to evade detection by clearing cookies, using VPNs, or browsing in incognito mode: it links their current actions to previously identified suspicious behavior, which makes ATO fraud easier to prevent.

7. Monitor accounts for suspicious activity

Monitoring accounts for suspicious activity is vital in detecting and preventing fraudulent actions, such as unauthorized access or transactions. 

Fingerprint aids in this process with its unique visitor identification technology, which analyzes behavior patterns so that websites can flag activities that deviate from the norm, identify potential fraud in real time, and act quickly to secure accounts and mitigate risk.
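One concrete form of the monitoring described here, and of detecting the credential stuffing explained earlier, as an added example that is not Fingerprint's code: a pass over login records that flags source addresses trying many different usernames with almost every attempt failing, and lists the accounts that did log in from such a source so they can be reviewed. The log format and the sample lines (TEST-NET addresses) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (IPs from the TEST-NET documentation ranges).
# 203.0.113.7 tries ten different usernames once each and hits one account;
# 198.51.100.23 is one user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2024-03-22T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-22T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-22T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-22T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-03-22T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-03-22T10:00:04Z ip=203.0.113.7 user=frank result=OK
2024-03-22T10:00:05Z ip=203.0.113.7 user=grace result=FAIL
2024-03-22T10:00:05Z ip=203.0.113.7 user=heidi result=FAIL
2024-03-22T10:00:06Z ip=203.0.113.7 user=ivan result=FAIL
2024-03-22T10:00:06Z ip=203.0.113.7 user=judy result=FAIL
2024-03-22T10:01:00Z ip=198.51.100.23 user=alice result=FAIL
2024-03-22T10:01:09Z ip=198.51.100.23 user=alice result=FAIL
2024-03-22T10:01:20Z ip=198.51.100.23 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that look like credential stuffing (many distinct usernames,
    mostly failing); `accounts_to_review` lists accounts that DID log in from one."""
    by_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                 "attempts": 0, "fails": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"],
                           "fail_ratio": round(ratio, 2),
                           "accounts_to_review": sorted(s["ok_users"])}
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(parse(SAMPLE_LOG)))
```

The single-user source is deliberately not flagged: a customer retrying a forgotten password is exactly the case the text warns against treating as an attack, whereas one address cycling through many usernames is the signature of a stuffing run.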

8. Customer and employee education

Educating customers and employees about account takeover fraud is crucial for building a first line of defense, as informed individuals are more likely to recognize and prevent fraudulent attempts. This collective awareness reduces the incidence of fraud and fosters a culture of security and vigilance within organizations and their user base.

Prevent and detect account takeover fraud with Fingerprint 

As awareness of account takeover threats rises alongside their coverage in the media, financial organizations face not only the imperative to secure themselves but also the opportunity to stand out by demonstrating a solid commitment to online security.

Fingerprint plays a pivotal role in this landscape by providing advanced technology to detect and prevent ATO fraud.

>>See how Fingerprint helps banks and fintechs prevent account takeover fraud and more.

FAQ

What are the signs of account takeover?

Signs of account takeover include unexpected changes in account details, such as passwords or contact information, and unauthorized transactions or activities. Additionally, receiving notifications for login attempts or actions not initiated by the user can indicate a compromised account.

What is the difference between identity theft and account takeover?

Identity theft involves the unauthorized acquisition and use of someone's personal information for fraud, such as opening new accounts or committing crimes in their name. 

Account takeover, on the other hand, refers to the unauthorized access and control of existing accounts, typically for financial gain or to perpetrate fraud using the victim's established credentials.

What measures can individuals take to protect themselves from account takeover fraud?

Individuals can protect themselves from account takeover fraud by regularly updating their passwords and enabling multi-factor authentication on all accounts. Additionally, monitoring account activity for unauthorized transactions and being cautious of phishing attempts are critical preventative measures.

What steps should you take if you're a victim of account takeover fraud?

If you're a victim of account takeover fraud, immediately notify the financial institutions or service providers to secure your accounts and begin the fraud dispute process. Then, report the incident to relevant authorities, such as law enforcement and credit reporting agencies, to safeguard your identity and financial reputation.