How to detect account takeover fraud

Learn all the details of this rapidly growing issue, so your bank or fintech knows how to prevent account takeover fraud before it occurs.


Picture this. Your small business customer has not had a chance to check the financial account they hold with your organization in days. (Can you blame them? They’ve had a busy week.) When they finally catch up on a Friday, they are unable to sign into their account.

They call your contact center but cannot answer the security questions, so the representative on the other side cannot confirm their identity. And your team notices that two withdrawals occurred earlier in the week — for tens of thousands of dollars each time — but the system approved these transactions because they were supposedly made by an authorized user. However, the individual listed does not match anyone that your customer names as an authorized user when asked.

Your customer service team is confused. Your customer is growing increasingly upset. And it just might be that your customer and your organization are now both victims of account takeover.

What is account takeover?

Account takeover (ATO) occurs when a fraudster manages to gain unauthorized access to an account, such as by obtaining a legitimate user's credentials to take control of the account, or even by impersonating a client through the branch. Once the bad actor gains unauthorized access, they exploit this control to steal funds. Since legitimate credentials are often obtained by the fraudster prior to signing on, fraudsters have a higher chance of flying under the radar and stealing significant funds before the legitimate account holder notices and the fraudster disappears.

How does account takeover happen?

Account takeover can happen through multiple channels and in different ways, making detection and prevention efforts more complicated. Once a fraudster has obtained a legitimate customer’s credentials, they may alter personally identifiable information (PII) — like the email address or phone number associated with the account — so they can penetrate the account further. By changing the information on the account profile, the fraudster can better disguise their activity and prevent the customer from receiving notifications. This can then open more opportunities for the fraudster to take actions such as:

  • Impersonating the legitimate customer to complete transactions

  • Adding themselves as an authorized user on the account

  • Requesting a new card, so they have one in their physical possession

What are typical account takeover methods?

Account takeover occurs through multiple methods, including:

  • Phishing attacks and social engineering scams: Fraudsters use deceptive calls, emails, texts, and social media messages to impersonate legitimate entities and trick customers into revealing their login credentials. Sometimes, the attackers will even contact a financial institution’s customer support representatives and impersonate a legitimate customer to request changes to account settings. Over time, phishing attacks and social engineering scams like these have grown increasingly sophisticated with the use of AI.

  • Brute force attacks: Fraudsters use automated tools to quickly and systematically guess a high volume of usernames and passwords, finding the right combinations that will access customer accounts.

  • Malware attacks: Fraudsters infect user devices with malicious software to capture customers’ login credentials without their knowledge.

  • SIM swapping: Fraudsters convince a mobile carrier’s customer service agents to transfer a phone number to a SIM card under their control. Then, they intercept authentication codes and gain unauthorized access to customers’ accounts.

  • Credential stuffing: Fraudsters obtain lists of stolen usernames and passwords from previous data breaches, knowing that legitimate customers tend to reuse their passwords. Then, the fraudsters use those credentials across multiple platforms until they are able to find one that works and unlocks access to an account.

  • On-path attacks: Also known as man-in-the-middle attacks, these occur when fraudsters intercept communication exchanged between customers and legitimate entities to capture sensitive information that helps them gain access to login credentials.

While these methods may sound daunting, fraud risk strategies and solutions can help banks and fintechs strengthen their defenses against account takeover.

Why is account takeover fraud so frustrating for banks, fintechs, and customers alike?

Account takeover has multifaceted impacts, and it’s important to note that instances of this type of fraud are growing. In Alloy’s State of Fraud Benchmark Report, respondents in both the US and the UK named authorized push payment (APP) fraud as one of the most common types of fraud they see by case volume—followed closely by account takeovers.

Now, while every instance of APP fraud does not directly result in an account takeover, the broader implications of financial loss, compromised PII, and heightened susceptibility to future scams can increase customers' vulnerability to account takeover attempts.

Like APP fraud, identity theft can also lead to account takeover. According to the FTC’s 2023 Consumer Report, of the 5.39 million reports filed in its Consumer Sentinel Network, approximately 1 million (19.2%) were related to identity theft—more than any other type of complaint. Identity theft does cover a broader range of fraud methods than account takeover, but the reports related to debit cards, electronic fund transfers, or phishing scams went up 13% from the previous year. The reports related to existing accounts went up 7%. This indicates that consumers could have reported cases of identity theft where account takeover also took place.

From the customer’s perspective, there are obvious financial losses that wreak havoc on their personal lives or businesses. But identity theft also increases the chances of account takeover and all its subsequent issues, which could linger for years beyond the initial fraud incident. Money removed from the account may be difficult to return, and the negative effects on a customer’s credit score can hurt their standing with lenders.

Financial losses are absolutely a relevant factor for banks and fintechs as well. However, the most serious implication of account takeovers for the bank or fintech may be the threat ATOs pose to an organization’s reputation, and the higher rates of customer attrition that can follow.

Any type of fraud can erode customer confidence in account security, but because fraudsters directly control customers’ personal accounts, account takeover often winds up being a more emotional, violating experience that causes even greater levels of distrust. Not to mention, incidents of account takeover increase banks’ and fintechs’ operational costs for fraud detection and mitigation, and, if the attacks are widespread and substantial, they can increase regulatory scrutiny as well.

Account takeover highlights the urgent need for robust fraud prevention measures and better fraud prevention education for both organizations and customers.

How to prevent account takeover

How can banks and fintechs establish better account takeover prevention?

With the availability of faster payments and immediate transactions, your organization needs to have a better understanding of its customers before any funds leave accounts. In other words, you need the ability to catch a possible account takeover before a transaction occurs. To do so, you should layer identity-focused fraud prevention measures on top of your real-time transaction monitoring.

When you spot fraudulent activity as the result of transaction monitoring, it means fraud has already occurred. However, if you also concentrate on identity, this allows for a more proactive and holistic risk assessment using fraud indicators that emerge much earlier. In other words, you have a better chance of preventing fraud before it happens.

By choosing to prioritize identity risk, your organization will:

  • Detect suspicious activity more efficiently and effectively on an ongoing basis, lowering the chances that account takeover goes unnoticed

  • Improve operational efficiency and cut costs by streamlining identity verification processes, reducing manual intervention, and minimizing false positives.

  • Maintain a friction-right customer onboarding experience — introducing the right amount of friction to stop bad actors, while allowing low-risk customers to onboard without adding unnecessary friction.

Automating step-up verifications also makes it easier to detect and prevent instances of fraud like account takeover. Step-up verifications are most effective when triggered by certain suspicious events like the use of a new device to sign in to an account or a change in a customer’s PII—the main hallmarks of account takeovers.
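
The trigger logic described above, as an added example that is not Alloy's code: a replay of constructed account events in which a sign-in from an unseen device or a contact-detail change raises a step-up challenge, and sensitive actions are held until it is passed. The event names, the `hold` decision, and the rule of sending the challenge to the last verified email are assumptions made for illustration.

```python
from datetime import datetime

# Actions held while a step-up challenge is outstanding (assumed policy).
SENSITIVE = {"add_authorized_user", "card_request", "withdrawal"}

def evaluate(events, profiles):
    """Replay events in time order; return (type, decision, challenge_to) each.

    Decisions: "allow", "step_up" (challenge now), "hold" (blocked until the
    pending challenge is passed). Challenges go to the last *verified* email,
    so an unverified replacement address never receives its own challenge.
    """
    state = {a: {"devices": set(p["devices"]), "email": p["email"],
                 "pending": False} for a, p in profiles.items()}
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind, decision = state[ev["account"]], ev["type"], "allow"
        if kind == "login" and ev["device"] not in acct["devices"]:
            decision, acct["pending"] = "step_up", True   # unseen device
        elif kind == "pii_change":
            decision, acct["pending"] = "step_up", True   # contact details edited
        elif kind == "step_up_passed":
            acct["pending"] = False
            acct["devices"].add(ev["device"])             # device becomes trusted
            acct["email"] = ev.get("email", acct["email"])
        elif kind in SENSITIVE and acct["pending"]:
            decision = "hold"
        target = acct["email"] if decision != "allow" else None
        out.append((kind, decision, target))
    return out

def make_event(day, hour, kind, **extra):
    """Build one constructed event for the hypothetical account acct-1."""
    return {"ts": datetime(2024, 3, day, hour), "account": "acct-1",
            "type": kind, **extra}

# Constructed sample data: one trusted laptop, then activity from a new device.
PROFILES = {"acct-1": {"devices": {"laptop-1"}, "email": "owner@example.com"}}
EVENTS = [
    make_event(4, 9, "login", device="laptop-1"),
    make_event(4, 10, "withdrawal", amount=250),
    make_event(5, 2, "login", device="unknown-7"),
    make_event(5, 3, "pii_change", email="new-address@example.net"),
    make_event(5, 4, "add_authorized_user", name="J. Doe"),
    make_event(6, 1, "withdrawal", amount=30000),
]

if __name__ == "__main__":
    for row in evaluate(EVENTS, PROFILES):
        print(row)
```

Because the changed email is never promoted to verified without a passed challenge, the later authorized-user addition and withdrawal stay held, and every challenge still reaches the original owner.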

As customers’ risk profiles evolve over time, sophisticated fraud solutions use multi-factor authentication (MFA) methodologies to send faster alerts about risky behavior and provide a higher level of security. Customizing and layering all these different methodologies into different points of your workflow provides a more robust defense against fraud attacks and reduces your customers’ risk of unauthorized access.

How can customers better protect themselves against account takeover fraud?

You can help your customers understand the consequences of account takeover and protect themselves in the following ways:

  • Encourage the use of unique passwords that are not reused across accounts.

  • Require two-factor authentication (2FA) to sign into accounts.

  • Provide ongoing education about phishing attacks and social engineering scams.

  • Send reminders about the types of information your customer service agents require, and what they will never ask.

The use of digital banking will only continue to increase, so it is also your responsibility to make sure your customers are aware of factors like account takeover and prepared to handle evolving fraud threats.

Establish better prevention with agile account takeover solutions

Alloy is an Identity Risk Solution—an end-to-end platform that helps banks and fintechs manage identity, fraud, credit, and compliance risks throughout the customer lifecycle by connecting to multiple data providers simultaneously. With Alloy’s codeless SDK, you can enable automatic step-up verification for risky customers while securely approving, protecting, and monitoring more good customers without adding friction to their user experience. With Alloy, you can check multiple facets of the customer’s financial and digital footprint and develop a more accurate understanding of customer identity over time.

Prevent ATO fraud with Alloy.

Alloy’s ongoing fraud monitoring solution provides you with evolving customer risk profiles that increase your chances of spotting fraud in real-time and allow you to adjust rules as needed—no coding required—for better account takeover prevention.

You keep the bad actors out, without losing your customers’ trust.
