Anyone who's seen the film "Catch Me If You Can" could tell you that hijacking legitimate bank accounts has been a problem in financial services since well before the days of online banking.
Despite consumer and employee education and a plethora of continuously emerging products and services designed to weed out the bad actors behind seemingly good accounts, account takeover is rapidly on the rise.
In the United States alone, there were $6 billion in financial losses last year attributed just to account takeover, according to threat intelligence firm BioCatch. In fact, the firm also found that 38 percent of consumers said they have been a victim of account takeover in the past two years — and those are just the people who became aware of their accounts being hijacked. Not surprisingly, this also coincides with the epic rise in social engineering scams, which often go hand-in-hand with crooks gaining access to legitimate accounts or stealing credentials.
"We have to be able to detect even the most subtle indicators of potentially fraudulent behavior to better protect customers online," said Ayelet Biger-Levin, senior vice president for market strategy at BioCatch. Biger-Levin presented research on account takeovers in a recent webinar, along with her colleague, Andrew Dunn, senior threat analyst at BioCatch.
Aside from the financial losses related to account takeover, this type of financial crime can be particularly heinous and pernicious since it is a common method for criminals to launder money from drug sales, illegal arms sales and even human trafficking, which also can create regulatory concerns, according to Biger-Levin. "Criminals use these 'money mule' accounts to cash out from drug deals or trafficking," she said. "So it's extremely important to find [these illegitimate] accounts."
To better suss out potential threats, firms like BioCatch compare genuine user profiles against known criminal profiles, look for automated patterns as well as normal customer patterns, and determine whether there are timing or location anomalies. (For example, if a bank account is created in the United States but is suddenly being accessed by a computer in Southeast Asia or Eastern Europe, that can raise yellow flags.)
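The timing and location checks described above, as an added example that is not BioCatch's code or part of the original article: a small Python detector that runs over constructed login events and flags logins from outside the account's home country and "impossible travel" between consecutive logins on the same account. The event format, the home-country table and the 1,000 km/h threshold are assumptions of this example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events (not real data):
# (account, ISO timestamp, country code, latitude, longitude)
SAMPLE_EVENTS = [
    ("acct-1001", "2024-03-01T09:00:00", "US", 40.71, -74.01),   # New York
    ("acct-1001", "2024-03-01T09:45:00", "US", 40.73, -73.99),   # New York, nearby
    ("acct-1001", "2024-03-01T11:30:00", "VN", 10.82, 106.63),   # Ho Chi Minh City
    ("acct-2002", "2024-03-01T08:00:00", "US", 34.05, -118.24),  # Los Angeles
    ("acct-2002", "2024-03-02T08:00:00", "US", 34.05, -118.24),  # Los Angeles, next day
]
# Country each account was opened in (constructed; an assumption of this example)
HOME_COUNTRY = {"acct-1001": "US", "acct-2002": "US"}
MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; anything faster is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geo_anomalies(events, home_country, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag logins from outside the home country and physically impossible travel
    between consecutive logins on the same account. Returns a list of findings."""
    findings = []
    last = {}  # account -> (timestamp, lat, lon) of that account's previous login
    for acct, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if country != home_country.get(acct, country):
            findings.append({"account": acct, "at": ts, "reason": "foreign_country", "detail": country})
        if acct in last:
            prev_when, plat, plon = last[acct]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Two logins at the same instant from far apart count as infinitely fast travel
            speed = dist / hours if hours > 0 else (float("inf") if dist > 1 else 0.0)
            if speed > max_kmh:
                findings.append({"account": acct, "at": ts, "reason": "impossible_travel",
                                 "detail": f"{dist:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"})
        last[acct] = (when, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in geo_anomalies(SAMPLE_EVENTS, HOME_COUNTRY):
        print(finding)
```

In a real deployment the home country and coordinates would come from account-opening records and an IP geolocation feed, and each finding would feed a risk score rather than an immediate customer alert, given the alert-fatigue concern the article raises.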
John LaCour, founder and CTO of PhishLabs, another threat intelligence firm, pointed out that account takeover has become more prevalent with the growth of online and mobile banking and digital payments, especially since fraudsters now often combine tools like bots and malware with phishing and social engineering to take over their victims' accounts.
"What has changed is the variety of schemes used to take over accounts," LaCour said, "from phishing and vishing, to credential re-use, banking Trojans, malicious and fake mobile apps, SIM swap attacks — all used to compromise these accounts."
Complicating matters further for financial institutions is that customers have become so overwhelmed with reports of cyberthreats that they are often irritated when their legitimate account is flagged as taken over when it has not been. In a way, bank customers are suffering their own form of "alert fatigue," just like corporate employees. As a result, many financial firms are leery of being too quick to act on what could be a false positive, lest they lose irritated customers.
To determine more precisely who they might be looking for, BioCatch pieced together five "mule personas," which paint distinct profiles of the different parties involved in account takeover schemes. From most to least complicit in these crimes, they are:
- The Deceiver, who hijacks or steals legitimate information to create a bank account expressly for perpetrating fraud or laundering funds;
- The Peddler, who sells genuine account information to criminals;
- The Accomplice, who participates in coercing information or account data from victims, typically for money;
- The Chump, who executes transactions on behalf of the account hijacker without realizing what they're doing; and
- The Victim, who is sometimes unaware that their account or information has been taken over.
Despite regulatory, financial and even simple human concerns, as well as the continued effort of threat intelligence firms and financial institutions, Biger-Levin still expects to see account takeover crimes (or at least attempts) grow in the next year.
“There’s no silver bullet to stop account takeover,” LaCour advised. He suggests financial institutions should implement a three-pronged approach to mitigate these threats: train and help users to implement secure behaviors, detect and disrupt cybercriminal attacks and infrastructure, and rapidly detect and respond to unauthorized access and behavior.
And, he warned: “The biggest mistake made is to only perform one or two of these, or not do them well.”