Account Takeover Fraud Q&A With Tanya Corder

As part of the Fraud Fighters Manual, Treasury Prime's Compliance Manager sat down for a Q&A about account takeover (ATO) fraud.
June 21, 2023
Fraud Fighters Q&A

This Q&A is part of the Fraud Fighters Manual, a collective set of stories from Fintech fraud fighters. Download your copy of the Fraud Fighters Manual here to read the full version.

Why is ATO such a popular form of fraud?

ATO (Account Takeover) provides fraudsters with direct access to victims’ personal and financial information, and they can then use those funds or that information to commit other activities. If they have unauthorized information, they can make unauthorized purchases and open up new lines of credit, stealing victims’ identities. Also, it’s popular because of the ease of access to information. With the increasing use of online accounts and the internet, information is basically at their fingertips. Also, for fraudsters, it’s a large payout right away. Once fraudsters gain access to victims’ accounts, they can potentially access large sums, also called hit and runs, where they take as much money as possible and disappear. It’s a large payout, which is very attractive to them.

It’s also difficult to detect when ATO happens. Fraudsters have seemingly mastered the ability to exploit their victims’ accounts in ways that appear normal and therefore are able to continue the nefarious activity for prolonged periods of time. It makes it difficult for victims to notice that their account has been compromised because the activity looks so normal. Whether it’s small purchases that the fraudsters are making that look like normal purchases, as a victim, you might think, “Oh, I must have made that $10.99 purchase or whatever.” There are definitely steps that can be taken, but whenever there is financial information available out there, fraudsters will find a way to abuse the system or gain access.

Who’s most at risk for account takeover?

Anyone (and everyone) is at risk for account takeover. Specifically, anyone who uses an online account or engages in eCommerce in any capacity is vulnerable. There are groups who are at higher risk for account takeovers. Elderly individuals who are less familiar with technology are susceptible to phishing scams or social engineering attacks. They are more likely to use weak passwords or reuse the same passwords across multiple accounts, making it easier for fraudsters to access them.

High-profile individuals who are well-known celebrities or public figures are also at higher risk for takeovers because their personal information is more widely available, so their accounts are more attractive targets for fraudsters. Finally, small business owners are also at higher risk than average. They generally have fewer resources to invest in cybersecurity or are more likely to use their personal accounts for business purposes, making it easier for fraudsters to gain access to both personal and business accounts.

How do they get the information in the first place?

There are multiple ways. Phishing is one of them, when scammers send fake emails or text messages that appear to be legitimate to individuals or companies, or to employees of companies, asking them to provide account information. You click on a link that looks like a real one, and you enter information. Social engineering is another one, where scammers use tactics such as pretending to be a customer service representative or IT support, tricking the individual into revealing account information.

Leveraging malware, scammers record account login credentials or capture screen images of account information. Another big driver for account takeovers is data breaches, where scammers obtain account information from a company or financial institution that has experienced a data breach.

Fraudsters have also become experts at leveraging public records. A lot of the time, individuals display sensitive information such as addresses and phone numbers in a very public forum. For example, social media accounts also have a lot of public information, and scammers obtain that information, which can be used to guess login credentials, answer security questions, or otherwise gain access by verifying credentials.

Fake applications and websites, where scammers create phony applications that appear legitimate and are designed to capture account information when individuals enter their login credentials, are another example.

Much of this seems to depend on people being able to be super sleuths in terms of figuring out what’s legit and what’s not. Generations that didn’t grow up with the internet from a very early age need to be really cautious.

Are there distinct, predictable stages of what account takeover looks like?

The gathering of information stage is usually the first one. They’ll gather information about their target: email addresses, phone numbers, and social media profiles. That’s done through various methods like social engineering or data breaches. Then there’s phishing and malware delivery.

Once they have an email address, for example, they’ll send the target an email that says “click on this” or send a phishing message designed to trick the individual into revealing login credentials. Then the next stage is the access, the account access, where they obtain the target’s login credentials and they log into an account. Usually, they’ll change login details or add their own contact information. For example, my husband and I have a joint banking account. They’ll add another person, or another email, or something to the account.

Then after they gain access, that’s where the fraudulent activity starts happening. They’ll carry out unauthorized purchases or transfers of funds to other accounts, or sometimes once they have access, they keep an eye out, and they don’t necessarily make any activity for a while, but then they’ll hit all of a sudden. Then, usually, there’s something where they’ll want to cover their tracks, whether by deleting browsing histories, disabling security features, or something like that.

Are there red flags that people can look out for?

Unexpected password resets, reset notifications, and suspicious login activity on your account are all signs of potential nefarious activity. Additionally, the use of unfamiliar devices could be a significant red flag to look out for, as well as unusual account activity. You might have a customer who is in the Pacific Northwest, and then all of a sudden, in the last three weeks, they’ve been logging in from the east coast or another location that is not tied to the home location. Another strong red flag could be changes in account information, including adding or changing addresses or phone numbers that are associated with the account.

An increase in customer complaints is also something to look out for. If there’s an increase in customer complaints about unauthorized access or fraudulent activity, it might be a sign that an account takeover is occurring on the platform. If there are multiple instances on the platform, it may be a sign that there’s a vulnerability in the system that is being exploited by fraudsters.
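As an added illustration, not part of the original Q&A, of how a platform could turn the red flags above into a per-account review signal: the code replays a constructed stream of login, password-reset, contact-change and transfer events and scores logins from a region or device not in the account's history, a reset followed by an unseen device, and a transfer right after contact details change. The event format, weights and review threshold are assumptions.

```python
# Constructed sample events (not from the original post), in chronological
# order: (account, event type, request region, device fingerprint id).
SAMPLE_EVENTS = [
    ("A100", "login", "WA", "dev-1"),
    ("A100", "password_reset", "NY", "dev-9"),
    ("A100", "login", "NY", "dev-9"),
    ("A100", "contact_change", "NY", "dev-9"),
    ("A100", "transfer", "NY", "dev-9"),
    ("B200", "login", "OR", "dev-2"),
    ("B200", "transfer", "OR", "dev-2"),
]
# Weights per red flag and the review threshold are illustrative assumptions.
WEIGHTS = {"password_reset": 1, "new_region": 2, "new_device": 2,
           "reset_then_new_device": 3, "contact_change_new_device": 3,
           "transfer_after_change": 4}
REVIEW_THRESHOLD = 6


def score_account_events(events):
    """Replay events per account; return {account: {"score": int, "flags": [...]}}."""
    state = {}
    for account, kind, region, device in events:
        s = state.setdefault(account, {"regions": set(), "devices": set(), "flags": [],
                                       "reset": False, "new_dev": False, "changed": False})
        if kind == "password_reset":  # unexpected reset notification
            s["flags"].append("password_reset")
            s["reset"] = True
        elif kind == "login":
            if s["devices"]:  # the first login only seeds the baseline
                if region not in s["regions"]:  # location not tied to the account
                    s["flags"].append("new_region")
                s["new_dev"] = device not in s["devices"]  # unfamiliar device
                if s["new_dev"]:
                    s["flags"].append("new_device")
                    if s["reset"]:
                        s["flags"].append("reset_then_new_device")
            s["reset"] = False
            s["regions"].add(region)
            s["devices"].add(device)
        elif kind == "contact_change":  # address/phone edited
            if s["new_dev"]:
                s["flags"].append("contact_change_new_device")
            s["changed"] = True
        elif kind == "transfer" and s["changed"]:  # money out after contact change
            s["flags"].append("transfer_after_change")
    return {a: {"score": sum(WEIGHTS[f] for f in s["flags"]), "flags": s["flags"]}
            for a, s in state.items()}


def accounts_for_review(events, threshold=REVIEW_THRESHOLD):
    return sorted(a for a, r in score_account_events(events).items() if r["score"] >= threshold)
```

In a real deployment the baseline would come from the account's verified history rather than its first event in the stream, and the flagged accounts would feed a review queue rather than an automatic block.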

And what red flags should organizations look for? Business email compromise?

Business email compromise is definitely something to look out for. Most business-related fraud is targeted on platforms through their own employees. For example, in businesses and organizations, fraudsters will impersonate a senior executive or trusted individual in the organization and request that an employee transfer funds, provide sensitive information, or go to this website and log in and do this. Because it’s coming from an exec, you’re more likely to do it.

Fraudsters usually will do research on the organization and usually will do a little more planning with these account takeovers to identify personnel in the company who have access or are normally asked to do something like that.

What lesser-known strategies can organizations and individuals use to stop ATO fraud?

Software. Keeping software up to date and security systems regularly updated can help prevent vulnerabilities that could be exploited by attackers. The use of anti-malware and anti-virus software programs can help detect malware. Monitoring account activity closely is definitely something that both individuals and businesses can do. Regularly checking accounts for unusual activity can help identify account takeovers early and stop them before too much damage is done.

With respect to the use of email authentication protocols, there are ones that can help prevent email spoofing and phishing attacks. As a risk mitigation measure, organizations should conduct employee training and education on this topic. Training is critically important to prevention and detection. If employees know what to look out for, there is a higher probability of preventing account takeovers from happening. The use of machine learning and artificial intelligence is also a huge one. It can be used to analyze accounts and activity and identify patterns that may indicate fraudulent activity or behavior. Then there’s implementing multi-layer security measures such as firewalls, intrusion detection systems, security cameras, and things like that, which can make it more difficult for attackers to gain unauthorized access to accounts with more sensitive information.

Can you describe the one door, one key approach?

The one door, one key approach refers to a security principle that’s used in physical security to access one room. The idea is that a single key, access card, or something is used to unlock only one door, and that key can’t be used to unlock any other doors. That’s to prevent unauthorized access to whatever room.

To use this approach with an online account, you’re using one password for this account. You’re not using the same password over again. You have separate passwords for each account.

That’s what the one door, one key approach is.

Are there any misconceptions or myths about ATO that you’d like to take the chance to dispel?

A lot of the red flags or even preventative measures that I’ve already mentioned. People who are at risk have repeating passwords. The myth is that only individuals with weak passwords are at risk for account takeover. That’s not true. Weak passwords certainly make it easier for attackers to gain access. Individuals with strong passwords, those generated-numbers ones, can still be accessed in various ways through phishing, social engineering scams, malware, and more. The myth is that weak passwords are the only ones that are at risk. That’s not true. Really anyone is at risk.

Another myth is that account takeovers only affect individuals or small businesses and not large organizations. That’s also not true. There are certainly lots of data breaches and data leaks from bigger companies, as well.

Two-factor authentication: there’s a big myth that it’s foolproof and prevents all account takeover attempts, and that’s definitely not true. Attackers usually use some social engineering techniques to trick users into providing their two-factor authentication credentials or to bypass it altogether and stuff.

Another myth is that once an account takeover happens, nothing can be done. There are definitely steps that can be taken to prevent further unauthorized access and recover any stolen funds. It might be a little hard, but there are still definitely steps that you can take to get your stolen funds back. To prevent it from happening further on, you might reset your password, lock your accounts, or contact your financial institutions or law enforcement agencies to get them involved.

Any parting thoughts you’d like to include?

Prevention is key. Look out for the red flags, and change your passwords if you have even the slightest suspicion of misconduct. Be informed on the different techniques that scammers can use. Do your own homework periodically, as well. Make sure your software is up-to-date, and then report incidents and then keep a record of your accounts.
