This article was updated on November 9, 2023.
Account takeover fraud is a huge, illicit business in the United States with real costs for consumers and the organizations that serve them. In fact, experts predict that by the end of 2023, account takeover losses will be over $635 billion. With consumers’ data, your reputation, and your organization’s financial picture on the line, now’s the time to learn about account takeover fraud and how to prevent it.
What is account takeover fraud?
Account takeover fraud is a form of identity theft where bad actors gain unlawful access to a user’s online accounts in order to commit financial crimes. This often involves the use of bots.
Information that enables account access can be compromised in a variety of ways. It might be purchased and sold on the dark web, captured through spyware or malware, or even given “voluntarily” by those falling for a phishing scam.
Account takeover fraud can do far more damage than previous forms of fraud because once criminals gain access to one of a user’s online accounts, they can use those credentials to breach the user’s other accounts.
Common activities and tools associated with account takeover fraud include:
Phishing: Phishing fraud relies on human error by impersonating legitimate businesses, usually in an email. For example, a scammer might send a phishing email disguising themselves as a user’s bank and asking them to click on a link that will take them to a fraudulent site. If the user is fooled and clicks the link, it can give the hackers access to the account.
Credential stuffing/cracking: Fraudsters buy compromised data on the dark web and use bots to run automated scripts that try to access accounts. This strategy, called credential stuffing, can be very effective because many people reuse insecure passwords on multiple accounts, so numerous accounts might be breached when a bot gets a hit. Credential cracking takes a less nuanced approach by simply trying different passwords on an account until one works.
Malware: Most people are aware of computer viruses and malware, but they may not know that certain types of malware can track your keystrokes. If a user inadvertently downloads a “key logger”, everything they type, including their passwords, is visible to hackers.
Trojans: As the name suggests, a trojan works by hiding inside a legitimate application. Often used with mobile banking apps, a trojan can overlay the app and capture credentials, intercept funds and redirect financial assets.
Cross-account takeover: One evolving fraud concern is cross-account takeover. This is where hackers take over a user’s financial account alongside another account, such as their mobile phone or email. With this kind of access, fraudsters can steal funds more easily, and anti-fraud solutions are less able to identify them.
Intermediary new-account fraud: This type of fraud involves using a user’s credentials to open new accounts in their name with the aim of draining their bank accounts.
This is only an overview of some of the most prevalent types of account takeover fraud. The rise of digital technologies, smartphones, and e-commerce has opened the door to thieves who can exploit the weaknesses in digital security for their own aims. The situation has only worsened with the rapid influx of new and inexperienced online users driven by the COVID-19 pandemic.
Why should you be concerned, now?
Now that digital commerce and smartphone use are the norm, the information used to access accounts is a security risk. If a hacker can get access to this information, they may be able to log in to multiple accounts. The risk is no longer centralized; with every new technology, there’s a new avenue to exploit.
To exacerbate the situation, the significant shift to online, particularly online banking, spurred by the COVID-19 pandemic, appears to have amplified account takeover fraud attempts. In 2019, prior to the pandemic, 1.5 billion records — or approximately five records per American — were exposed in data breaches. This can potentially increase as the number of digital banking users in the United States is expected to reach almost 217 million by 2025.
The increase in first-time online users propelled by COVID has amplified the critical security issues caused by a shift from transaction fraud to identity-centric account access. Organizations, especially those in the financial and big technology sectors, have every reason to be alarmed.
The impact of account takeover fraud on organizations
Account takeover can be costly, damage your reputation and require significant investments to identify and correct.
Protection of assets
When we think of the risks to organizations of account takeover fraud, the financial impact is usually the first hazard to come to mind. It’s a significant worry: According to Experian’s 2023 U.S. Identity and Fraud report, account takeover fraud was among the most frequently encountered fraud events reported by U.S. businesses. Even worse, the average net fraud loss per case for debit accounts has been steadily increasing since early 2021.
The costs to businesses of these fraudulent activities aren’t just from stolen funds. Those who offer credit products might have to cover the costs of disputing chargebacks, card processing fees or providing refunds. Plus, in the case of a data breach, there may be hefty fines levied against your organization for not properly safeguarding consumer information. Add to these the costs associated with the time of your PR department, sales and marketing teams, finance department and customer service units.
In short, the financial impact of account takeover fraud can permeate your entire organization and take significant time to recoup and repair.
Protection of information
Consumers rightfully expect organizations to have a solid cybersecurity plan and to protect their information but they also want ease and convenience. In many cases, it’s the consumers themselves who engage in risky online behavior — reusing the same password on multiple sites or even using the same password on all sites. These lax security practices open users up to the possibility of multiple account takeovers.
Making things worse for organizations, security strategies can annoy or frustrate consumers. If security measures are too strict, they risk alienating consumers or even generating false positives, where the security measure flags a legitimate user.
Organizations are in the difficult position of having to balance effective security measures with a comfortable user experience.
When there’s a data breach, it does significant damage to your organization’s reputation by demonstrating weaknesses in your security. Fraudulent account takeovers can significantly affect the consumers who rely on you, and if you lose their trust, they’re likely to sever their relationship with you. Large-scale data breaches can sully your organization’s reputation with the general public, making consumers less likely to consider your services.
How to build an account takeover fraud prevention strategy
There are numerous ways to build an account takeover fraud prevention strategy, but to work for your organization and for individual consumers, it must pair robust risk management with a low-friction user experience.
Here are some of the key elements to an account takeover fraud prevention strategy that hits the right notes.
The risk of account takeover is constant, so your monitoring should be as well. A layered, proactive and passive fraud prevention program can monitor your interactions, reduce false positives and keep track of consumers’ digital identities.
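As an added illustration of the monitoring idea above (not code from the original article or from Experian), the following script applies simple detection logic to login events and separates the two bot-driven patterns described earlier, credential stuffing and credential cracking, from ordinary user mistakes. The login events, IP addresses, usernames and thresholds are constructed for the example; in practice the thresholds would be tuned to your own traffic.

```python
from collections import defaultdict

# Constructed sample login events: (source IP, username, login succeeded).
# 203.0.113.7 sprays many accounts and gets one hit (stuffing),
# 198.51.100.9 hammers a single account (cracking),
# 192.0.2.44 is an ordinary user who mistyped a password once.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),  ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),  ("203.0.113.7", "frank", False),
    ("198.51.100.9", "alice", False), ("198.51.100.9", "alice", False),
    ("198.51.100.9", "alice", False), ("198.51.100.9", "alice", False),
    ("198.51.100.9", "alice", False), ("198.51.100.9", "alice", False),
    ("192.0.2.44", "grace", False),  ("192.0.2.44", "grace", True),
]


def classify_sources(events, min_attempts=5, max_success_rate=0.25):
    """Return {ip: verdict} for every source IP in the events.

    Thresholds are assumptions for the example: a source is only examined
    once it has min_attempts logins, and a source whose attempts mostly
    succeed is treated as legitimate traffic.
    """
    by_ip = defaultdict(list)
    for ip, user, ok in events:
        by_ip[ip].append((user, ok))

    verdicts = {}
    for ip, attempts in by_ip.items():
        total = len(attempts)
        successes = sum(1 for _, ok in attempts if ok)
        distinct_users = len({user for user, _ in attempts})
        if total < min_attempts or successes / total > max_success_rate:
            verdicts[ip] = "normal"  # too few attempts, or mostly real logins
        elif distinct_users >= 0.8 * total:
            verdicts[ip] = "credential_stuffing"  # many accounts, few tries each
        elif distinct_users == 1:
            verdicts[ip] = "credential_cracking"  # one account, many passwords
        else:
            verdicts[ip] = "suspicious"  # mixed pattern: review manually
    return verdicts


def accounts_needing_step_up(events, verdicts):
    """Accounts a flagged source actually logged into; these are the hits that
    warrant targeted step-up authentication or a credential reset, instead of
    locking out every user the bot merely guessed at."""
    flagged = {"credential_stuffing", "credential_cracking"}
    return sorted({user for ip, user, ok in events if ok and verdicts.get(ip) in flagged})
```

Grouping by source IP is the simplest key; the same logic applies to a device fingerprint or session token, which catches bots that rotate addresses.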
Use the right tools
When it comes to fraud prevention, you’ve got plenty of choices but you’ll want to make sure you use the tools that protect you, as well as consumer data, while always providing a positive experience. We use risk-based identity and device authentication and targeted step-up authentication to keep things running smoothly and only pull in staff for deeper investigations where necessary.
Automate to reduce manual processes
Your organization’s fraud prevention strategy likely includes manual processes, tasks that are completed by employees—but humans make mistakes that can be costly. Taking the wrong action, or even no action at all, can result in a security breach. Automated tasks like threat filtering and software and hardware updates can reduce the risk to your organization while improving response time and freeing up your team.
Choose a nimble platform
Technology changes quickly and so does fraud. You’ll need access to a layered platform that lets you move as quickly as the bad actors do.