Account takeover fraud is a lucrative type of identity theft in which online account information or login credentials are stolen and used for nefarious means. When fraudsters gain access to an account, they change details such as passwords and usernames so that the rightful account owner stops receiving notifications, which lets them make withdrawals, submit fraudulent payments, or open new accounts using the compromised credentials. A 2021 Javelin study [1] reported huge increases in account takeover fraud, with losses increasing 90% from the prior year. With limited resources to devote to cybersecurity, small and midsize businesses are at a higher risk for account takeover. Small business account takeover, also known as “corporate account takeover”, represents a significant and ongoing threat both to businesses themselves and to the lending institutions that service them. In this article, we review how corporate account takeover manifests in businesses that are applying for credit and explain how risk professionals can leverage automated fraud detection software to improve review processes, streamline their lending services, and, perhaps most importantly, protect their reputations.
What is Corporate Account Takeover Fraud and how does it happen?
Account takeover is an insidious type of cybercrime in which fraudsters or hackers gain access to online accounts and use them to withdraw money, make purchases, or extract information. Their goal is either to use that information to gain access to associated accounts or sell it on the dark web to increase damage and their potential profit. Account takeover schemes can happen right under the business or business owner’s nose, and the results vary. Some fraudsters are looking for instant gratification and a big payout while some play a longer game, accessing accounts via weak passwords, malware, or email phishing schemes and selling sensitive information on the dark web to other cybercriminals.
Small and midsize businesses are particularly vulnerable to account takeover schemes as they often have limited resources to devote to cybersecurity, or weaker security measures in place compared to larger corporations. The 2021 Identity Fraud Study by Javelin Strategy & Research found that the number of identity fraud victims in the US increased by 113% between 2019 and 2020, with small businesses experiencing a higher rate of fraud than larger businesses [3]. Here are a few examples of account takeover schemes in small business lending:
When an account takeover attempt has been successful, there is an increase in suspicious activity such as changes to usernames, passwords, and addresses, or unauthorized bank account activity or transfers. It is also common for fraudsters to use the newly stolen information to try to open new lines of credit, all before the business or business owner is aware there has been a breach. According to the Better Business Bureau (BBB), business email compromise affects organizations big and small, and has resulted in more losses than any other type of fraud in the U.S., with 80% of organizations receiving at least one email in a scam attempt [4].
How does Account Takeover impact lending services?
Despite uncertain economic circumstances, small and midsize businesses continue to press on and evolve. According to Experian’s 2023 Beyond the Trends Report, SMBs make up 99.9% of all businesses in the U.S. and new business applications continue to rise [5]. But weaker security measures and limited resources mean SMBs are at a higher risk for account takeover fraud. This ultimately impacts lending institutions, who may unknowingly release funds to a compromised business account.
So how does this work in an SMB environment?
A fraudster who has successfully obtained the account information of a small business, small business owner, or personal guarantor can bypass legacy security protocols to appear legitimate. That fraudster can then commit various harmful acts, such as applying for lines of credit, opening new accounts, and making transfers. For more insight into how these account takeover attacks play out, consider the realistic scenarios below:
It’s important to note that most, if not all, lending services providers experience some degree of fraud loss, and competing business priorities no doubt play a role in the adoption of fraud prevention technology. Budgetary restrictions, high turnover rates, and technological expertise and limitations all play a role, but without modern fraud solutions in place, lenders run the risk of experiencing more than just financial losses. They risk losing confidential or proprietary information, encountering legal liabilities, and, perhaps most importantly, damaging their reputation. So, the question is, what kind of risk are you willing to take? Account takeover schemes, though pervasive, are just one type of fraud attack. The reality is that fraudsters continue to evolve and become more sophisticated all the time, and to stay competitive, lenders should consider implementing a comprehensive fraud strategy that will arm them against unnecessary losses.
If you are a financial institution coming to terms with growing fraud rates, below are some questions you should consider asking.
Questions to ask when formulating your fraud mitigation strategy:
- What kind of fraud losses are you currently experiencing and what impact are they having on your business?
- Are you able to accurately assign your fraud losses?
- Do you have a fraud prevention strategy? If so, what types of fraud does it solve for? If not, what are your barriers to implementing one?
- What do your current approval processes look like? How much time are you spending manually reviewing applications and what would the cost-to-benefit be if you had something automated in place that could streamline those efforts?
- What solutions do you have in place? Do they solve for one or more types of fraud? For example, can they detect the specific information anomalies that indicate an account takeover?
Proactive, automated solutions are the key to preventing Account Takeover Fraud
With increasing business applications and high fraud rates, now is the perfect time for risk professionals and lending institutions to take a close look at their current fraud prevention strategy and consider what improvements could be made. Many legacy fraud solutions are limited in scope compared to their modern counterparts, and often leave large referral volumes on the shoulders of analysts who simply can’t keep up with demand. This, coupled with outdated screening protocols that offer limited visibility into the full picture of the application, makes it that much harder for analysts to detect account takeover fraud even when it’s right in front of them. Some institutions use tools that only seek to meet Know Your Customer (KYC) or Know Your Business (KYB) requirements, while others may only look to verify the identity of the personal guarantor. But the key to preventing account takeover fraud is to implement an automated fraud solution that uses different data sources to confirm both the identity of the applicant and their association to the SMB.
The most effective fraud solutions provide more than simple KYC and KYB checks; they also look for various inconsistencies and connections between the business owner, personal guarantor, and the business itself. For example, a fraudster who has committed account takeover might appear legitimate on an application, passing KYC identification checks without issue, but perhaps they aren’t associated with the business, or the business itself is illegitimate. A comprehensive fraud solution looks beyond KYC and KYB at multiple and varied data sources, like professional and social networks, SBA status, website linkage, and more, to detect hidden anomalies indicative of account takeover fraud. The best part about these fraud screening tools is that they work during the account opening or onboarding stage of the customer lifecycle to proactively prevent account takeover fraud losses before they impact lenders.
Implementing a comprehensive fraud strategy may be in competition with other business priorities, but lenders who prioritize upgrading their outdated or limited risk processes to a seamless, automated fraud strategy will set themselves apart. They will effectively and efficiently reduce their risk of approving fraudulent applications, including those which have experienced account takeover, save time and resources spent manually reviewing large volumes of applications, and fortify their reputations as institutions that put integrity first.