3 Ways for Financial Institutions to Fight Account Takeover Fraud
Account takeover (ATO) is a formidable issue for the financial services industry — and the threat of ATOs continues to grow. Fraudsters are becoming increasingly sophisticated in their techniques, using social engineering tactics, phishing emails, and brute-force attacks to steal credentials and gain access to private accounts.
In 2022, bank transfer or payment fraud resulted in losses amounting to $1.59 billion. In addition, an estimated one-third of login attempts to financial institutions and fintech companies are fraudulent ATO attempts.
ATO attacks can be very lucrative for cybercriminals. Often, they rely on a brute-force attack such as credential stuffing, in which logins are repeatedly attempted using large volumes of stolen username and password pairs. Once unauthorized access is gained, fraudsters are free to carry out a variety of criminal activities, including initiating wire transfers to fraudulent bank accounts.
In this post, we’ll explore the destructive consequences of cybercrime and present three actions you can take to reduce ATO fraud.
The devastating impacts of cybercrime
It’s no secret that technology has changed the landscape of our lives. Cybercriminals use a variety of tactics to target financial institutions. They can exploit vulnerabilities in web applications or application programming interfaces (APIs) to gain unauthorized access to financial data, inject malicious code, or steal sensitive information (Figure 1).
Malicious bot attacks
Cybercriminals can also launch malicious bot attacks to perform a range of tasks, including stealing data, executing distributed denial-of-service (DDoS) attacks, or perpetrating fraud. DDoS attacks flood financial institutions’ systems with traffic, overwhelming them and causing them to crash, which can cause major disruptions.
Malware attacks
Ransomware, a type of malware attack in which a threat actor encrypts data and demands compensation in exchange for the decryption key, is another form of cybercrime that has been increasing in frequency and severity.
Phishing attacks
Phishing attacks are often used as delivery mechanisms for ransomware. Phishing is a tactic in which cybercriminals impersonate legitimate financial institutions to trick individuals into divulging sensitive information or clicking links that install malware.
Damages to financial institutions and customers alike
For financial institutions, the most immediate impacts of ATO attempts are financial losses, reputational damage, legal and regulatory consequences, operational disruptions, and decreased customer trust. For customers, the consequences include financial losses; long-term damage to credit scores, reputations, and personal security; and stress and inconvenience.
How to spot account takeover fraud
Phishing, social engineering, credential stuffing, and malware are tools and tactics commonly used by fraudsters to gain access to financial services accounts and carry out ATO fraud. This type of fraud can create massive damage to your business and your clients’ lives.
That’s why it’s critical to up your defense game in response to hackers’ increasing levels of sophistication. Use these three tips to learn how to spot ATO fraud and shut it down before it can do any harm.
1. Think like a bot
In many cases, hackers use bots to carry out brute-force attacks or perform automated credential stuffing. Bot activity increased by 81% between 2021 and 2022, and bots continue to take advantage of personal user data that’s shared during data breaches.
To get ahead of malicious bot activity, identify the steps in your account access process that only a human could perform, and make sure those checks are in place as fail-safes.
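The credential-stuffing pattern described in the introduction (one source spraying many stolen username and password pairs) is something you can look for in your own login logs. The following is an added example, not code from the original post or from any product it mentions: it parses a constructed sample log and flags source IPs that attempt many distinct usernames with a high failure ratio, which separates a bot working through a stolen list from a legitimate customer retyping their own password.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed sample auth log (source IP, username, outcome); not real traffic.
const SampleLog = `203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol FAIL
203.0.113.7 erin OK
198.51.100.2 alice FAIL
198.51.100.2 alice FAIL
198.51.100.2 alice OK`

type sourceStats struct { // login behaviour seen from one source IP
	users        map[string]bool
	total, fails int
}

// SuspectSources parses the log and flags source IPs that tried at least
// minUsers distinct usernames with a failure ratio >= minFailRatio: one source
// spraying many accounts and mostly failing is the credential-stuffing
// signature, while one user retrying their own password is not.
func SuspectSources(rawLog string, minUsers int, minFailRatio float64) []string {
	stats := map[string]*sourceStats{}
	for _, line := range strings.Split(rawLog, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 { // skip malformed lines
			continue
		}
		s := stats[f[0]]
		if s == nil {
			s = &sourceStats{users: map[string]bool{}}
			stats[f[0]] = s
		}
		s.users[f[1]] = true
		s.total++
		if f[2] == "FAIL" {
			s.fails++
		}
	}
	var flagged []string
	for ip, s := range stats {
		if len(s.users) >= minUsers && float64(s.fails) >= minFailRatio*float64(s.total) {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged) // map order is random; sort for stable reporting
	return flagged
}
```

The thresholds (3 usernames, 50% failures) are assumptions for the sample; tune them against your own baseline, and treat a hit as a signal to rate-limit or step up authentication for that source rather than as proof on its own.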
2. Track fraudulent behavior and look for patterns
Ask your employees and clients to report any suspicious emails, texts, or other attempts to access information. Although these impersonation strategies are most likely phishing attempts, hackers who obtain important information can easily commit identity theft: they create accounts in clients’ real names, lurk in the background or “sleep” for a few months, and then “bust out” and drain the accounts.
3. Invest in multi-factor account protection
Historically, the primary fraud prevention strategy for banks was the use of complex passwords to protect business and client information. Next, it was two-factor authentication (2FA). Now, it’s multi-factor authentication (MFA; Figure 2).
Why? Evidence shows that phishing kits such as Kr3pto uniquely target financial institutions and are able to bypass 2FA. Worse, this kit — which was initially created more than three years ago — is still highly effective and in use today.
To fight these sophisticated hacker kits, adopt FIDO2, the open standard that provides authentication that is more resistant to phishing and ATO. Instead of usernames and passwords, FIDO2 authenticates with public key cryptography, so it does not rely on credentials that hackers can steal, and it is easier for service providers to deploy and manage.
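To make the phishing-resistance claim concrete, here is an added example (not code from the original post, and a simplification of the real WebAuthn data layout) of the public-key challenge-response at the heart of FIDO2. The authenticator signs the server’s one-time challenge together with the origin the browser actually observed, so an assertion obtained on a look-alike site cannot be relayed to the real bank; the relying party ID and origins used are assumed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is what the bank stores at registration: only the public key.
type Credential struct {
	RPID   string
	Public ed25519.PublicKey
}

// Authenticator stands in for a security key holding the private key.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates a key pair scoped to the relying party ID.
func Register(rpID string) (Credential, *Authenticator) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Credential{RPID: rpID, Public: pub}, &Authenticator{priv: priv}
}

// signedData is a simplified stand-in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON): it commits to the relying party
// ID, the server's one-time challenge, and the origin the browser observed.
func signedData(rpID string, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return append(rpHash[:], clientHash[:]...)
}

// Assert is the client side: the browser, not the user, supplies the origin, so
// a victim on a look-alike site cannot be talked into signing for the real one.
func (a *Authenticator) Assert(rpID string, challenge []byte, browserOrigin string) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, challenge, browserOrigin))
}

// Verify is the server side: only a signature over the challenge it issued and
// its own origin passes, so an assertion relayed by a phishing site fails.
func Verify(c Credential, challenge []byte, expectedOrigin string, sig []byte) error {
	if !ed25519.Verify(c.Public, signedData(c.RPID, challenge, expectedOrigin), sig) {
		return errors.New("assertion rejected: challenge or origin mismatch")
	}
	return nil
}
```

Because the challenge is fresh random bytes per login, a captured assertion also cannot be replayed later, which is the property a Kr3pto-style kit relies on breaking when it forwards a one-time code.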
Stay informed
In today’s tumultuous cybersecurity landscape, protecting your financial institution and clients against hackers, bots, and fraud is paramount. Rather than stressing about how to fight each small battle, get ahead of the enemy by investing in world-class protection for your clients. Then, train clients and employees to identify signs of suspicious behavior, so your entire organization can stand together in defending against ATO attempts.
When attacks do happen, you’ll be armed with even more information about the strategies and patterns the hackers used, which helps inform your defense moving forward. It takes commitment and investment, but the safety and well-being of your clients and your firm depend on it.