Insidious, with far-reaching consequences for its victims, account takeover fraud (ATO) continues to challenge consumers, businesses, and the financial services industry. According to ThreatMetrix’s Q2 Cybercrime Report, ATO attacks on financial services rose by 40 percent from Q1 2018 to Q2 2018 alone. And although payment processors have improved their platforms to detect and combat traditional ATO methods, the payments industry and consumers alike continue to see more attacks of this pervasive fraud type.
What Is Account Takeover Fraud?
Simply put, ATO occurs when a criminal (or, more often, an organized criminal gang) gains unauthorized access to an individual’s account data with the intent to exploit the information for financial gain. Because the criminal is posing as the online account holder, typical ATO fraud is difficult to spot. Couple traditional ATO fraud with the current rise in synthetic identity fraud (SID), and you have fertile ground for offenders to thrive. Typical ATO involves the criminal use of stolen legitimate consumer data, while SID fraud entwines legitimate data with invented data to make up what appears to be a real person.
How Does ATO Happen?
Data breaches, phishing, skimming, phone scams, stolen documents, and many other schemes give bad actors opportunities to gain access to personal data. And the increased use of social media by all parties makes these opportunities limitless. While consumers have gotten savvier about safeguarding critical information like Social Security or bank account numbers, they are still notoriously bad at password management. Despite educational efforts, many consumers use the same login credentials across multiple online accounts, a practice that can have cascading and devastating consequences. A confirmed username or email address is enough for a criminal to get started. This information alone is typically enough to create impostor profiles that can be used to open new accounts.
Is ATO a Fraud or a Security Issue?
ATO is both a fraud and a security issue, which means that the work of preventing these attacks doesn’t fall on one individual or entity, but rather on all stakeholders.
Financial Institutions Protections:
As noted in an article by Pymnts.com, “Place a stone in a stream and the water will flow on around it – diverted from its path but not its destination.” This holds true for many of today’s fraud schemes, which are making a comeback in wilier and more penetrating ways. ATO fraud is back with a vengeance, and until all stakeholders change their defense hygiene, criminals will continue to prey and make headway with impostor fraud. A layered approach, which involves detection, prevention, easy and effective two-way communication, and ongoing education, is vital for moving forward in the fight against ATO fraud.