TerM

Account Takeover (ATO) Fraud

TerM

Account Takeover (ATO) Fraud

Introduction

With modern technological advancements, more users are conducting banking, investing, and other financial services entirely online. This makes it easier for cybercriminals to assume control of users’ accounts, as they can gain virtual access without ever having to visit a branch or financial institution.

For Fintechs like neobanks, users are especially susceptible to account takeover fraud, in which users gain control of financial accounts to make purchases, transfer funds, and otherwise commit fraud.

To ensure FIs know how to identify and address account takeover fraud, we discuss what ATO is, how it works, and how to detect and prevent it from occurring.

Bad Fraud Practices Hand-Out

What is Account Takeover Fraud (ATO)?

Account Takeover (ATO) Fraud is a specific type of fraud where malicious actors illegally gain access and control of user accounts. It’s a form of identity theft and can happen to both individuals and businesses.

Many different types of accounts might be targeted by ATO fraud schemes, including credit card accounts, bank accounts, government benefit accounts, and more.

When left unaddressed, ATO fraud can cost both consumers and businesses significant amounts of money and time. Though there are ways to reconcile accounts that have become victims of ATO fraud schemes, the best thing to do to remain safe is to take proactive measures that prevent ATO fraud from occurring.

Account Takeover Fraud vs. Identity Theft

Account Takeover Fraud is a specific form of identity theft, but not the only one. Identity theft is a broad, umbrella term for any activity where a malicious party pretends to be someone else. As such, ATO is a form of identity theft, but identity theft is not a form of ATO.

How Much Does ATO Fraud Cost Organizations on Average?

The impact Account Takeover Fraud has on individuals and organizations is far greater than expected. According to security.org, 22% of adults have been victims of ATO in the United States, with the average financial losses amounting to $12,000.

While this more directly affects users on the platform, the FI itself can also suffer losses related to fraud. Organizations impacted by this will need to devote resources to investigating the overall impact of the breaches, updating security systems to improve protection, and more. All of this costs the business in losses and used resources.

Businesses Susceptible to ATO Fraud

Any business dealing with sensitive financial information could fall victim to account takeover fraud. However, there are clearly a few types of businesses that are more likely to be targeted and victimized than others:

  • Financial Services: The motivation behind most ATO fraud campaigns is financial gain, which is why banks, credit unions, credit card companies, and other financial enterprises are often among the first to be targeted. Payroll data and tax data will often be targets of attack.
  • Retail and eCommerce: Recent data suggests that the retail and eCommerce industries experience the greatest amount of malicious attempts, with accounts linked to credit cards and virtual gift cards experiencing greater exposure to risk.
  • Social Media: With billions of users worldwide, social media contains a nearly bottomless amount of personal information—both financial and otherwise. And because social media accounts are often connected to email addresses and other accounts, the consequences of these attacks can be ruthless.
  • Higher Education: The combination of the high volume of student loans and low IT budgets at many institutions makes higher education a particularly vulnerable sector to ATO fraud attacks.
  • Healthcare: Medical records—which can potentially be sold for large amounts of money—are not immune to ATO attacks. Some ATO fraudsters will even use other people’s records to get access to “free” healthcare services.

In general, the more personal information involved in an industry, the more cyber risk both businesses and consumers will be exposed to. In most cases, the end purpose of the ATO is for financial gain.

How Does Account Takeover Fraud Work?

In general, account takeover fraud schemes work the same. A fraudster illegally gains access to your private information and can then gain control of your account. They then exploit this access to commit fraud by making payments, trades, or transfers using the account access they gained.

How account takeover fraud works

Step 1: Fraudster Accesses Unauthorized Information

First, the fraudster acquires unauthorized information. Most modern fraudsters achieve these digitally through cybercrime, but this can also be achieved by gaining access to paper documents or using other non-digital means.

There are several standard methods that fraudsters use to achieve this:

  • Brute-Force Attacks: Fraudsters attempt a variety of username and password combinations until one works. Typically, this is done using automated scripts that test a variety of input options until a match is found.
  • Phishing: Fraudsters ‘fish’ for personal or private information about an individual or business, with the intent of using that information to commit fraud. In most cases, these take the form of fake emails designed to collect sensitive information that can then be exploited.
  • Malware Attacks: Fraudsters use malicious software to collect sensitive information, such as account credentials. Once collected, fraudsters can use this information to access victims’ accounts.
  • Credential Stuffing: Fraudsters, having gained user credentials, attempt to use those same credentials to sign on to other accounts. Since many people use the same password across platforms, fraudsters attempt to use the credentials they have to access more accounts that person may have.

This list is certainly not comprehensive but covers some of the main methods fraudsters use to acquire unauthorized information. In theory, it could be as simple as a person seeing a user’s credentials on a slip of paper and then using that information to access their account.

Really, the fraudster simply needs to gain access to enough information to access your account; this can involve gaining information such as login credentials, account passwords, credit card numbers, bank account numbers, and more.

Step 2: Fraudster Gains Access to Account

Having acquired the necessary information, the fraudster then uses this information to sign in to the victim's account. They will use the credentials they’ve acquired illegally to gain access to the users’ account.

In some cases, fraudsters can then take complete control of the account by changing the account password, and locking the legitimate user out. In other cases, fraudsters will leave the account setup as is, hoping that the user never notices the account has been compromised. 

The fraudster can then layer in illegal transactions while the user performs legitimate transactions, further covering up the fraud.

In many cases, the fraudster will perform a test purchase to ensure they’ve been successful, and that they can use the account to perform fraud.

Step 3: Fraudster Escalates Criminal Efforts

Now that the fraudster has access to the account (and they’ve tested that they can make purchases, transfers, etc.), they begin to escalate their fraud efforts. Fraudsters can exploit access in various ways, making purchases using this account, transferring funds to their own accounts, and much more.

Bad actors can also perform fraud at different rates. Some will quickly use the access to the account to perform as many illicit transactions as possible before they are caught; others will perform random, spread out fraudulent activities in the hopes that it goes unnoticed, and they can exploit access to the account for an extended period of time.

Either way, the criminal (having gained access to the user's account) will use that access to commit fraud. If the individual or business that legally owns the account doesn’t notice the account is being used, this scheme can go unnoticed for an extended period.

Account Takeover Fraud Examples to Learn From

Millions of ATO attempts occur daily, often conducted through automated sources.

Even though just a tiny fraction of these attacks will be successful, it is clear that the consequences can be extreme. Some of the most notable ATO fraud attacks of all time include:

1. TurboTax

As a platform containing tax records, social security numbers, and bank account numbers of millions of Americans, TurboTax (and other tax services) has always been a prime target for fraud campaigns. 

In 2021, the TurboTax information for millions of users was leaked (the exact number is not clear). A significant portion of this ATO activity came from poor password management skills, with many users relying on passwords they use on other sites.

2. Dunkin Donuts

In 2018, “tens of thousands” Dunkin Donuts users—particularly those who use in-store “DD Cards”—had their information stolen and accounts compromised due to a sustained ATO fraud campaign. 

As a result, in addition to spending millions on legal fees and new digital infrastructure, Dunkin was also slapped with a $650,000 fine.

3. Basecamp

In 2019, Basecamp—a software company—experienced a global ATO fraud attack, which consisted of more than 30,000 login attempts and the compromising of hundreds of accounts. The company believes that, like the TurboTax breach, many of these successful ATO efforts came from using passwords utilized across multiple accounts.

The faster someone can react to an ATO attack, the less damaging that attack will ultimately be. Still, especially when executed at scale, these attacks can undoubtedly create a lasting impact.

How to Detect and Prevent Account Takeover Fraud

As an individual user, there are a number of ways to prevent account takeover fraud, including using difficult passwords, updating passwords regularly, verifying URLs being visited, and using multi-factor authentication. In the end, properly detecting account takeover fraud comes down to knowing what to look for.

But as a financial institution, how do you keep users - and your organization - safe from account takeover fraud? Below, we cover the top methods for detecting and preventing account takeover fraud at an organization.

Ensure Password Requirements Offer Adequate Security

One of the simplest ways to protect customers is to enforce high standards for passwords, demanding users have a long password with various characters, including a letter, a number, and a special character. Make passwords case-sensitive, have customers change their password multiple times throughout their tenure as a client, and restrict users from reusing previous passwords.

Educate customers about best practices for passwords when having users set up their account. Remind customers that they should use passwords that are easy for them to remember, but not easy for others to guess - such as a birthday, repeated characters (i.e. 022022), and other public information.

Use Controls to Protect Login Credentials

Beyond simply requiring passwords that are hard for fraudsters to crack, there are a number of login protections that can be put in place to prevent account takeovers from happening.

Offer users the option to set up multi-factor authentication, which provides an added layer of protection. This also provides an element of detection, as users may be alerted to attempts to sign in by a malicious actor. Set limits on the rate of login attempts based on the account username, the actual device, and the IP address. 

By having rate limits on these login attempts, organizations can prevent fraudsters from using automated login tools. Setting limits on the number of password attempts in a certain period will also deter fraudsters from making login attempts.

Another good practice is to send alerts when a user logs in or when changes are made to login credentials. Oftentimes, once a fraudster has gained access to an account, they will change the login details, locking the legitimate account holder out. 

By sending an alert to the user’s email, phone, or other account, financial organizations can potentially alert the user that an unauthorized login has occurred. This can significantly reduce fraud losses, as the account takeover attempt - even if it’s been successful - can be addressed.

Use Transaction Monitoring to Identify Suspicious Behavior

It’s extremely difficult to catch account takeover when it occurs, as fraudsters typically acquire identifiable information, enabling them to access the account without detection. However, once they gain access to an account, fraudsters typically have different spending habits and patterns.

Transaction monitoring solutions can detect anomalies in account activity, alerting financial institutions to suspicious activity. This can allow risk teams to detect instances of account takeover early, as soon as the behavior changes. 

This can significantly limit the extent to which the fraudster can commit fraud, reducing fraud losses and protecting the unknowing victim. With the right rules in place, teams can drastically reduce the amount of time to detection - ensuring that fraudsters are stopped in their tracks.

Download Transaction Monitoring Product Guide

Keep Users Safe by Mitigating Account Takeover Fraud

Account takeover fraud is a serious threat to financial institutions and their users, and it’s only going to grow in frequency. With the proliferation of digital financial services, fraudsters are constantly adapting and perfecting cybercrime, leaving financial institutions struggling to catch up to the growing threats. As you improve your process, you'll increase the accuracy of your ATO fraud detection efforts, rooting out more fraud along the way.

Account takeover fraud is a serious threat to user safety, as fraudsters can exploit access by making purchases, transfers, and more. Beyond this, adept fraudsters can gain further personal information, which can be used for further fraud cases. With diligent customer onboarding and finely-tuned transaction monitoring, financial institutions can catch - and put a stop to - account takeover fraud.