Note: Part 1 of 2 on account takeover, which has been cited numerous times in financial industry research as the fastest-growing, most pervasive and/or most concerning fraud type. Part 2 deals with prescriptive advice for mitigating account takeover risk.
As most researchers and financial executives can attest, virtually all types of fraud have dramatically risen over the past two years. However, attackers taking over legitimate financial accounts have become even more of a favorite with cybercriminals than most fraud schemes.
Many major recent research reports have pointed out that account takeover (ATO), a form of identity theft where bad actors access legitimate bank accounts, change the account information and passwords, and hijack a real customer’s account, has skyrocketed since last year. According to Javelin Research’s annual "Identity Fraud Study: The Virtual Battleground" report, account takeover increased by 90% to an estimated $11.4 billion in 2021 when compared with 2020 — representing roughly one-quarter of all identity fraud losses last year.
Like many types of financial fraud, cyber thieves are betting on the fact that if they attempt to seize a large number of legitimate accounts, eventually they will get a payoff.
“Account takeovers are a numbers game,” said Gal Diskin, co-founder and chief technology officer for Authomize. “The more accounts that an organization has, the bigger their risk that some of them will be compromised.”
Account takeovers often piggyback off of previous attacks, making these crimes a way for hackers to make the most out of stolen information. Diskin pointed out that account takeovers most commonly happen when a password is “taken from another data leak and reused for different accounts. But there are a variety of risky scenarios that can lead to compromise.”
In its most recent quarterly financial crime report, Feedzai, a cyber-risk management provider to the financial industry, cited the growing threat from account takeover, which topped the list of top fraud scams last year, rising from fourth place in 2020.
CyberEdge Group, also released research just last week that corroborates the same findings about ATO. In its 2022 "Cyberthreat Defense Report," which surveyed 1,200 IT security personnel worldwide, account takeover was one of the two most pervasive and expanding threats (along with malware).
The CyberEdge research also predicts this type of pernicious fraud will continue to rise this year and beyond.
“ATO attacks are poised to overtake malware as the number one concern,” according to the CyberEdge Group research, adding that concerns for ATO and credential stuffing saw the biggest increase of any risk for IT security respondents.
“Malware is still perceived as the most important threat, but account takeover and credential abuse attacks moved up from fourth place last year to number two this year... [and] ATO will take over the top spot in the next year or two,” the CyberEdge report predicted.
Aside from being efficient, relatively easy and popular among cyber criminals, account takeover can be a jumping-off point to even more fraud incidents.
“Account takeover fraud poses a variety of risks to financial institutions because fraudsters will often weaponize a compromised bank account to perpetrate more fraud,” according to Mike Bosserman, chief revenue officer at MANTL, which helps banks and credit unions develop digital account opening platforms.
For example, criminals will use the stolen bank account to fund a new bank account they open online for criminal activities, Bosserman said.
“Failing to catch a fraudster during the account opening process can lead to significant financial losses down the road for financial institutions," he said.