Fraud Q&A Series: Detect and prevent account takeover fraud attacks
Fraud continues to make headlines, with fraud attempts growing in both volume and sophistication. Combating fraud can often feel like an uphill battle as fraud tactics evolve more rapidly than ever before.
To help you navigate the ever-changing fraud landscape, we tapped risk experts from our partner ecosystem to share their insights on fraud trends.
This blog series will highlight the most pressing fraud trends affecting financial institutions today. Learn about the different ways fraud is perpetrated and discover best practices your organization can adopt to mitigate such attacks.
In the first installment, Mike Cook, VP of Fraud Commercialization at Socure, discusses the key characteristics of account takeover fraud and shares strategies on how best to combat this type of fraud. Mike, a fintech entrepreneur and advisor with more than 30 years of experience in the industry, is responsible for leading Socure’s strategic plans to eliminate financial loss from all fraud types and efficiently validate 100% of consumer identities, capture market share, and increase growth. Mike previously shared his insights on synthetic fraud's impact in the digital economy in our webinar: Identifying and Mitigating Synthetic Fraud.
What fraud trend should we be paying more attention to and why?
Account takeover (ATO) attacks continue to be a painful problem for financial institutions. Customers regularly change phone numbers, email and physical addresses, but fraudsters can easily compromise credentials and redirect traffic to a fraudulent contact point. This problem erodes the bottom line for enterprises and also impacts customer loyalty for a financial institution.
How does account takeover work?
The fraud perpetrators are trying to take over a consumer’s account so they can drain funds or make fraudulent retail purchases. They attempt to obtain credentials to access an account. An ATO attempt typically includes the following steps:
- A fraudster gains access to victims’ account(s).
- That fraudster then makes non-monetary changes to account details, like:
  - Modifying personally identifiable information (PII) such as the email address, phone number or physical address
  - Requesting a new card
  - Adding an authorized user
  - Changing the password
- From there, the fraudster carries out unauthorized transactions, resulting in a financial loss for the financial institution or retailer and a potential loss of the customer relationship between the business and the consumer.
Whatever the origin of an ATO episode involving a consumer account, the consumer will likely blame the financial institution for the attack and resulting inconvenience. The pool of brand loyalty will probably be diminished or evaporate altogether, which means more customer churn and a long-term negative impact on revenue.
How has account takeover evolved? What larger trends/factors make this fraud possible?
Given the massive volume of breached consumer information combined with consumers frequently reusing passwords, ATO can be an easy path to illicit profits. Fraudsters can sift through the ocean of available personally identifiable information (PII) on the Dark Web to acquire illicit information in an effort to attempt their takeovers. Bad actors also continue to create better phishing and smishing techniques that are used to either download malicious software or create social engineering opportunities.
How can ATO be detected?
ATO mitigation strategies involve layered solutions. The solutions include validating changes made to consumer accounts, bot mitigation, device fingerprinting, transaction/event monitoring and more. Most financial institutions have some security and risk management layers in place to control ATO, but need to tighten up their defenses given the fraudsters' evolving tactics.
One strategy we are seeing customers use with increased frequency is validating consumer changes to PII. That means understanding the risk of the presented identity element (email, phone, address) as well as evaluating the correlation of the identity element with the consumer. Fraudsters change PII to take over accounts, and detecting malicious changes can nip the problem in the bud. That might involve validating the shipping address before sending out a physical credit card or validating an email address or phone number before accepting the change. This can all be done passively without increasing friction to legitimate consumers.
What is the best safeguard against ATO fraud?
The fundamentals of protecting against ATO are frequently in place, but may need tuning or reinforcing. Aside from validating account changes to ensure they are not risky, you can also validate the destination for one-time passcodes (OTPs). Understanding the risk of the OTP destination, be it a phone number or email address, allows you to make a decision about sending the OTP or requiring some appropriate friction to weed out potential fraudsters.
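As an added illustration (not code from Socure or from the interview), the sketch below applies the idea of checking a destination before sending an OTP or shipping a card to a stream of account events. It assumes the only risk signal is how recently the destination contact point was changed; the 72-hour window, event names and sample events are all constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed policy: a contact point changed less than this long ago is "fresh"
# and should not receive an OTP or a new card without extra verification.
FRESH_WINDOW = timedelta(hours=72)

# Non-monetary change events and the contact point each one alters.
CHANGE_EVENTS = {"email_change": "email", "phone_change": "phone",
                 "address_change": "address"}
# Sensitive actions and the contact point each one is delivered to.
DEPENDS_ON = {"otp_sms": "phone", "otp_email": "email", "card_ship": "address"}


def review_events(events, window=FRESH_WINDOW):
    """Return (timestamp, account, action, decision) for each sensitive action.

    decision is "step_up" when the action's destination was changed inside
    `window`, otherwise "allow". Events must be sorted by time.
    """
    last_change = {}  # (account, contact kind) -> time of most recent change
    decisions = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        acct, kind = ev["account"], ev["type"]
        if kind in CHANGE_EVENTS:
            last_change[(acct, CHANGE_EVENTS[kind])] = ts
        elif kind in DEPENDS_ON:
            changed = last_change.get((acct, DEPENDS_ON[kind]))
            fresh = changed is not None and ts - changed < window
            decisions.append((ev["ts"], acct, kind,
                              "step_up" if fresh else "allow"))
    return decisions


# Constructed sample events (not real data).
SAMPLE = [
    {"ts": "2024-03-01T09:00:00", "account": "A1", "type": "login"},
    {"ts": "2024-03-01T09:02:00", "account": "A1", "type": "phone_change"},
    {"ts": "2024-03-01T09:05:00", "account": "A1", "type": "otp_sms"},
    {"ts": "2024-03-01T09:06:00", "account": "A1", "type": "otp_email"},
    {"ts": "2024-03-02T10:00:00", "account": "B2", "type": "address_change"},
    {"ts": "2024-03-09T10:00:00", "account": "B2", "type": "card_ship"},
]

if __name__ == "__main__":
    for row in review_events(SAMPLE):
        print(*row)
```

Only the SMS OTP to the just-changed phone number is held for step-up; the email OTP goes to an unchanged address and the card ships a week after the address change, outside the assumed window.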
How can financial institutions battle fraud without sacrificing the client experience?
The client experience frequently suffers when there is unnecessary or inappropriate friction imposed on the consumer. One of the best, or most notorious, examples is knowledge-based authentication (KBA). KBA causes friction and has been proven to be ineffective - it uses information assets that are easy for bad actors to circumvent. Legitimate consumers often have difficulty passing KBA questions, and feel they are invasive.
An operative word in maintaining an optimal customer experience is “passive.” You want to avoid friction by validating changes without requiring any customer action. That passive, frictionless approach is exactly what Socure provides with our ID+ fraud solutions. Validating changes occurs without the consumer taking any action, and it typically takes under 350 milliseconds.
The customer experience can also suffer when a false positive alert is raised that causes manual intervention by the financial institution. Manual review causes friction for the consumer and operational costs for the financial institution. It might be necessary, but you want to minimize it. Searching for solutions that are extremely accurate in detecting fraud while also delivering the fewest false positives provides the optimal path to a happy and profitable consumer. And those phenomenally accurate solutions are exactly what Socure delivers.