In Chapter 4 of our “Fraud Fighters Manual for Fintech, Crypto, and Neobanks,” Kenny Grimes, Head of Risk Strategy & Analytics at Mercury, and Tanya Corder, Compliance Manager at Treasury Prime, explore what account takeover (ATO) is, the four main stages of ATO fraud, who is most at risk, the top flags to look for, and how to prevent ATO fraud.
In this installment of our Fraud Fighters Manual: Community Insights, we expand on that chapter with real-life examples and insights from our audience of risk management professionals. We cover three of the most extreme cases of ATO fraud our audience experienced themselves—and address how they handled these threats.
We then cover some of the lesser-known tips these professionals had to share about detecting, preventing, and otherwise fighting account takeover (ATO) fraud specifically.
Extreme Examples of ATO Fraud to Learn From
Raw experience is intangible—all the theory in the world can’t prepare you for the real thing.
That’s why we’ve gone directly to the source, asking leading industry experts what their worst cases were (and how they handled them). To help organizations understand how ATO fraud happens in real life—and how to stop it—we cover three of the most outrageous real-life examples of ATO fraud from our respondents below.
1. Security breakdown leads to significant ATO breaches
Shivi Sharma, Data Scientist at Varo, had an experience with a previous company where “thousands of accounts got compromised because ATO checks failed at a checkpoint for a few hours due to a broken data pipeline. The fraudster purchased multiple gift cards up to the maximum allowed limit from each account and sent the gift cards to themselves or their friends. The card details stored on account were used for purchasing all the gift cards and there was a steep spike in disputes later for unauthorized users.”
As you can see, any breakdown in fraud prevention efforts can have a significant impact on an organization. Since ATO fraud compromises accounts, it puts customers—and their information—at risk. But it also directly impacts revenue, because it always leads to further fraud. This can mean significant chargebacks, plus the operational cost of investigating and actioning each case.
It’s especially troubling when the breakdown comes from the system itself—the very system that’s meant to prevent fraud. Make sure to choose a reliable partner that can manage your needs and scale as you require, and monitor the check pipeline itself: a sudden drop in the volume of ATO checks actually being evaluated is a signal worth alerting on in its own right.
2. Fraudsters impersonating a company with details found in the public domain
Pratik Zanke, from PayMate, had an incident where they “had a business registered whose documents were available on the public domain. Fraudsters created an account and started to transact.” Their “system detected the unusual activity when the business started to use personal credit cards for transactions,” and (fortunately) their rule system had logic that “was already implemented that corporates can only use commercial or corporate credit cards.”
As soon as accounts break this rule, they are flagged for investigation. Teams can then immediately investigate cases, minimizing the impact that fraud has on the organization.
Rule-based systems alert organizations when suspicious activity occurs, allowing risk teams to immediately investigate the case and take action. With the ability to customize and fine-tune detection rules, teams can identify unique cases related to ATO fraud specifically, homing in on signals related to account takeover.
Teams can monitor card types, account behaviors, and more to identify this type of fraud. With proper detection, teams can alert on incidents based on transaction data and other user behavior, clamping down on stolen accounts.
3. Guardians abusing their position of trust to create fraudulent accounts
An anonymous respondent noted a case they experienced where “a person was assigned as guardian by the court to an elderly person with no family. She then used the confidential information to create fraudulent accounts and take her ward’s funds.” In this case, the guardian not only created fake accounts but also leveraged privileged access to the customer’s personal information and current account details.
Despite how malicious and personal this case seems, most fraudsters are simply looking for opportunities they can exploit. For fraud prevention teams to be successful in stopping fraudsters, they need to be able to mitigate these opportunities.
The anonymous respondent emphasized that “only through deep analysis was it discovered that they were actually the perpetrator of the fraud.” Data monitoring solutions that empower teams to analyze customer behavior are essential for identifying fake accounts by enabling teams to tap into behavioral information that can signal suspicious activity.
With the right rules in place, risk management teams will be alerted to any suspicious activity, allowing them to step in and investigate what further action needs to be taken.
Lesser-known Tips for Preventing ATO Fraud
ATO is unlike a lot of other types of fraud. The criminal isn’t creating a fake or synthetic identity, but instead taking over access to a legitimate user's account. This not only puts your business at risk, but it also exposes your customers to privacy breaches and further fraud or abuse.
For most fraudsters, ATO fraud is simply a necessary step to commit further fraud. And because ATO fraud is so centered on the ability of a criminal to access another user’s account, it has a uniquely narrow area of focus for fraud investigators and analysts.
Risk management teams can focus on the account takeover component of this, and essentially place themselves (and their fraud prevention systems) between fraudsters and the accounts they plan on taking over.
Below, we cover some of the best strategies to do just that.
Use Customer Authentication for Returning Customers
The whole aim of stopping ATO fraud is to ensure that the person using an account is the actual account holder. So one of the first places to start for ATO fraud prevention is confirming that each time a customer uses your product or service, they are who they say they are.
Customer authentication is an extremely quick and easy process for most users, but it goes a long way in terms of fraud prevention, ensuring that the account holder is the one accessing their account—and by extension, your product and services.
Have users set up authentication during onboarding, and require users to complete that authentication when they sign in to access their account. Options include two-factor authentication, multi-factor authentication, biometric verification, OCR, and more. This will significantly reduce the ability of fraudsters to access another person’s account.
As Baptiste Forestier, Head of Compliance at Hero, says, “MFA is a must.”
Not all of these customer authentication solutions have to add friction, either. There are a variety of verification processes that can operate in the background without requiring input from the customer. Device fingerprinting, IP address verification, and other background ID verification solutions give teams an added layer of authentication—and protection—from ATO fraudsters.
Monitor User Logins for Suspicious Behavior
Behavioral information offers risk management teams a wealth of information—information that can make it easier for them to make better, smarter, and more impactful decisions.
Since account takeovers have a lot to do with account access, monitoring access is one of the best ways to look for ATO, or at least serves as a good starting point. Fraudsters also often make account changes to lock in control of the stolen account, such as changing the password and other personal information.
According to Shivi Sharma, “it is important to have checks in place that identify a trusted device, trusted IP address, and trusted phone number. There should be enough friction to not allow fraudsters to change this information in the profile.” This means adding checks at the points where customers actually change account information.
Teams should monitor logins to look for anything that stands out as suspicious. Emmanuel Abolo, from Riskmap Consulting Limited, says teams should “set rate limits on login attempts based on username, device, and IP address based on users’ usual behavior. Incorporate limits on the use of proxies, VPNs, and other factors.” Since none of these add friction to the customer experience, these identity verification processes are ideal for leveraging in the background.
Pairing monitoring with a rule-based alert system allows teams to act on suspicious activity quickly, as teams will be alerted of cases as soon as possible. This empowers teams to act on cases in real time, stopping threats while they’re in progress. In some cases, teams can even use these systems to anticipate future fraud based on unusual user behavior.
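To show how the login rules above translate into code, here is an added example (not from the original page or from any respondent’s system) that runs three of them over constructed login events: a per-username, per-device and per-IP rate limit on failed logins, a flag for successful logins from outside the customer’s trusted device and IP set (plus a VPN flag), and a flag for sensitive profile changes made from an untrusted device. The event fields, the thresholds and the TRUSTED profile are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for one customer (not real data): five failed
# logins from one IP and unknown device, a success from that device over a
# VPN, then a phone-number change from the same device a few minutes later.
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [
    {"ts": T0 + timedelta(seconds=10 * i), "user": "alice", "ip": "203.0.113.7",
     "device": "dev-unknown", "type": "login", "ok": False, "vpn": False}
    for i in range(5)
] + [
    {"ts": T0 + timedelta(minutes=1), "user": "alice", "ip": "203.0.113.7",
     "device": "dev-unknown", "type": "login", "ok": True, "vpn": True},
    {"ts": T0 + timedelta(minutes=3), "user": "alice", "ip": "203.0.113.7",
     "device": "dev-unknown", "type": "profile_change", "field": "phone"},
]
# Trusted device and IP sets per customer, built from established history (assumed).
TRUSTED = {"alice": {"devices": {"dev-home"}, "ips": {"198.51.100.4"}}}
SENSITIVE_FIELDS = {"password", "phone", "email"}

def detect_ato_signals(events, trusted, max_failures=5, window=timedelta(minutes=10)):
    """Return (timestamp, user, signal) tuples that a rules engine would alert on."""
    alerts = []
    failures = defaultdict(list)  # (dimension, value) -> recent failed-login times
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        prof = trusted.get(user, {"devices": set(), "ips": set()})
        untrusted = ev["device"] not in prof["devices"] or ev["ip"] not in prof["ips"]
        if ev["type"] == "login" and not ev["ok"]:
            # Rate-limit failed attempts per username, per device and per IP independently.
            for key in (("user", user), ("device", ev["device"]), ("ip", ev["ip"])):
                recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
                failures[key] = recent
                if len(recent) == max_failures:  # fire once when the threshold is hit
                    alerts.append((ev["ts"], user, f"rate_limit_{key[0]}"))
        elif ev["type"] == "login":
            if untrusted:
                alerts.append((ev["ts"], user, "login_untrusted_device_or_ip"))
            if ev.get("vpn"):
                alerts.append((ev["ts"], user, "login_via_vpn"))
        elif ev["type"] == "profile_change" and ev["field"] in SENSITIVE_FIELDS and untrusted:
            # Changing password/phone/email from an untrusted device is the step that
            # locks the real owner out; this is where added friction belongs.
            alerts.append((ev["ts"], user, f"sensitive_change_{ev['field']}_untrusted"))
    return alerts
```

Running it on the constructed events yields six signals in timestamp order; in a real rules engine each one would open a case or trigger step-up authentication.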
Screening New Account Credentials with Breached Credentials Databases
In most ATO cases, criminals use stolen credentials to gain access to an account they otherwise wouldn’t have access to. And while it’s a good strategy to protect this access point, there are actually ways we can prevent ATO fraud before the fraudster ever attempts to take over their first account.
Breached databases are a common source of stolen credentials for fraudsters, who then use those credentials to commit more crimes. But precisely because criminals so frequently use these credentials to commit fraud, the breached credentials themselves can be an invaluable tool in preemptively stopping fraudsters.
If teams have access to a database of recently breached credentials, they can get ahead of fraudsters. These breached credentials are a window into what individuals are likely to be targeted by ATO fraud, as criminals will target victims based on the data they have access to.
So, by cross-referencing breached credentials, teams can proactively identify who is most likely to be targeted, and monitor those accounts more closely for abnormal behavior. Teams can even set up rules that proactively look for accounts that use those details, stopping fraudsters from being able to exploit the stolen credentials they have access to.
Teams that are willing to share information on credentials that have been stolen or have been used for ATO can also help each other out via data consortiums. By sharing information about instances of fraud with other organizations, teams are aware of suspicious individuals and entities before they even interact with their business.
In the case of ATO fraud, teams can share credentials that have been used for account takeovers, allowing other teams to set up preventative measures at their own organization. Our Fraud DAO is just that: a consortium of companies coordinating and anonymously sharing data on fraud to better stop criminals not just at their own company but across the entire industry.
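As an added example (not the page’s own tooling, and not how Fraud DAO actually exchanges data), the following sketches the two screening checks this section describes: cross-referencing the customer base against a consortium feed of breached identifiers to pick accounts for closer monitoring, and rejecting a password that appears in the feed at onboarding or on a password change. The feed format, the hashing scheme and the sample data are assumptions constructed for the example.

```python
import hashlib

def ident_hash(value):
    """SHA-256 of a normalized login identifier; members share these, not raw data."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def secret_hash(password):
    """SHA-256 of a leaked password exactly as leaked (no normalization). Unsalted
    hashes of weak passwords are reversible by brute force, so a real feed stays
    behind the consortium's own access controls rather than being published."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed breach feed (not a real leak): what a consortium member might
# circulate after confirming an ATO, already hashed on the contributing side.
BREACH_FEED = {
    "emails": {ident_hash("alice@example.com"), ident_hash("CAROL@Example.com ")},
    "passwords": {secret_hash("hunter2"), secret_hash("Summer2023!")},
}
# Constructed customer base of the organization doing the screening.
ACCOUNTS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.com"},
    {"id": 3, "email": "carol@example.com"},
]

def accounts_to_watch(accounts, feed):
    """Customers whose login identifier appears in breach data. They are the likely
    ATO targets, so the rules engine should hold them to tighter behavioral thresholds."""
    return [a["id"] for a in accounts if ident_hash(a["email"]) in feed["emails"]]

def credential_is_breached(password, feed):
    """Run at onboarding and on every password change: refuse a leaked password."""
    return secret_hash(password) in feed["passwords"]

def contribute(feed, email=None, password=None):
    """A member reports credentials used in a confirmed ATO, sharing only hashes."""
    if email:
        feed["emails"].add(ident_hash(email))
    if password:
        feed["passwords"].add(secret_hash(password))
```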
Customer Education is Pivotal in Preventing ATO Fraud
When it comes to ATO fraud, customers are more responsible for their own protection than ever. Even with robust security measures in place, much of the protection against account takeover is still in the hands of the customer—and not your fraud and risk management team.
Since customers are the main ones controlling access via their personalized login credentials, they have a lot of control over their own account security. That’s why companies need to make sure they are doing all they can to educate customers on best practices for account security.
In most cases, this can be summed up in a term Kenny Grimes uses, “security hygiene,” which is essentially the set of habits that keep your account secure. While it’s not foolproof in stopping fraud, it’s one of the first, most basic, and most impactful strategies for not only preventing—but also deterring—ATO fraud.
In the Q&A section of our Fraud Fighters Manual, Kenny Grimes goes on to say that when we talk about security hygiene, we are talking about “ensuring that you don’t use the same passwords across multiple accounts, having 2FA on your accounts, and using a password manager. Those types of things help prevent account takeover. The more of the good security hygiene you do, the less at risk you are for ATO.”
And since each customer needs to manage their own personal security hygiene to make sure they are adequately protected from ATO fraud, it’s imperative for organizations to educate customers on—and encourage them to practice—good security hygiene on their accounts.
Security Hygiene Standards: Best Practices for Customer Protection
When educating customers, there are a number of common strategies organizations should encourage their customers to use to meet basic security hygiene standards:
- Change your password periodically
- Use completely randomized and meaningless passwords for your accounts
- Use a password manager to keep passwords in a single location
- Never share personal information or passwords online with anyone
- Keep account access points safe (e.g. devices, networks)
- Identify phishing and other social engineering scams
At the end of the day, no organization can force customers to abide by recommended security practices. But by properly educating and encouraging them to develop good security hygiene practices, teams can help their customers use their product or service safely and securely.
It’s more important than ever to educate customers on emerging and popular trends so they know what their biggest threats are, and to give them insight into what they can do to best protect themselves. As Pratik Zanke says, if “users are well aware of emerging trends in fraud, they can become the first line of defense.”
It’s also essential to focus on phishing and other social engineering strategies that fraudsters are using, as many fraudsters are exploiting the customer themselves, rather than weaknesses in security protocols. As Baptiste Forestier points out, “with technological innovations, it is getting more and more complicated for fraudsters to take control of accounts. Thus, they use social engineering instead and educating is the only way to prevent this.”
Block Account Takeover Fraud—and the Fraud That Will Inevitably Follow It
Account takeover fraud is a unique threat. Rather than a monetary theft, it’s a breach of customer and organizational safety. Even worse, it’s also a gateway to further fraud—so stopping it and detecting it are both essential for preventing further instances of fraud from these account takeovers.
Without access to user behavior data, teams will struggle to actually identify ATO fraud, let alone prevent it. User behavior paired with a finely-tuned rules engine gives teams the ability to alert on suspicious activity related to account takeovers, such as logins, account changes, and more. These signals can tip teams off about when ATO has happened, is happening, or (in some cases) is likely to happen.
Teams should leverage a high-quality Transaction Monitoring solution that offers insight into other user behavior, not just transactional data. Develop strategies specifically for ATO fraud detection and prevention, and create rules that identify behavior unique to ATO cases.
As the customers themselves are the true gatekeepers of their personal information and account access credentials, customer education will always be a core component of account takeover fraud prevention. Teams will want to do all they can to educate their users on best practices, and do their best to enforce compliance with these safety measures.
That’s not all: check out our Community Insights Chapter 5—How to Think Like A Fraudster (& Prevent Fraud). In it, we encourage risk professionals to ‘Think Like A Fraudster’ so they can better understand (and stop) criminal behavior.