Account takeover is not a new threat. But despite all the advancements in fraud prevention, fraud losses continue to rise and account takeover is leading the pack.
How can this be?
This article looks at the current fraud landscape, contributing factors for the increase in account takeovers, and what institutions need to do to stop it.
Why Is Account Takeover on the Rise?
Advances in technology, coupled with the current state of the world, have opened the door for fraudsters to find new, innovative ways to commit account takeover fraud.
Online shopping was at an all-time high even before COVID-19 forever changed how companies operate. When the pandemic hit, forcing businesses to close their in-store operations and quickly find a way to survive virtually, the growth of online commerce skyrocketed.
The shift into the digital space happened at the enterprise level as well. Not only were more transactions happening online, but more business operations were occurring virtually. The more communication and data storage that exists online, the more entry points a fraudster has to steal and exploit data.
More business online means more transactions and data online, but it also means more competition online. Consumers have come to expect a seamless user experience. As companies try to compete and meet these expectations, emphasis is placed on customer service to ensure consumer issues are resolved and customers become repeat customers. Implementing fraud controls that are too strict runs the risk of upsetting consumers and losing “easy and convenient” as a competitive edge.
The dark web is rich with personal identification data. With over 37 billion records breached in 2020 alone, it is easy and cheap for fraudsters to purchase the unique credentials they need for large-scale fraud. The stolen data can be used for account takeovers as well as account opening fraud.
As technology gets more sophisticated, so too do the bad actors who use it maliciously. Fraudsters use specialized, automated software, or bots, to test hundreds of compromised credentials and identify which ones are valid. Validated usernames and passwords can then be used for account takeover, new account opening fraud, or sold to other criminals.
Fraudsters have significantly refined phishing schemes, making them more difficult to detect before it’s too late. There are countless ways they trick consumers into clicking a link or opening an attachment that installs malware. In some cases, fraudsters scam phone companies into assigning a consumer’s phone number to a new SIM card (SIM swapping), giving them the ability to intercept any SMS- or call-based two-factor authentication codes.
How To Stop Account Takeovers
Account takeover is challenging to detect. But there are ways to mitigate it and keep businesses secure.
Many businesses use the following:
- A system-wide approach. Involve all relevant departments, including security, IT, fraud prevention, e-commerce, and customer experience.
- Security questions. This essential security measure is a good first line of defense against fraudulent login attempts.
- Multi-factor authentication. One-time SMS passcodes or telephone calls can help ensure a login is legitimate, though, as noted above, SIM swapping can intercept codes delivered to a phone number.
- Limiting login attempts. Restricting the number of login attempts per account can stop fraudsters from repeatedly guessing until they find the correct password.
While the above methods can effectively decrease some account takeovers, they cannot detect all the subtle nuances that differentiate legitimate account activity from unusual activity. They also can create friction for valid users.
To distinguish real customers from bad actors, companies must use a multi-layered process that leverages artificial intelligence, machine learning, behavioral biometrics, and an advanced risk engine.
A truly successful solution will create a complete picture of every user, including:
- The device the user employs and how they interact with it.
- ISP metadata and IP location to detect how the device is connected.
- Whether the GPS location and the HTML5 (browser geolocation) location are consistent with where the user is actually located.
- Behaviors including how users initiated a session, interactions with fields, typing speed, and how long they spend on a page.
- Third-party data to evaluate the history, consistency, and overall reputation of users.
Genuine users can pass through the system seamlessly, allowing companies to maintain the user experience customers expect. Suspicious users, however, are detected immediately and flagged for further investigation.