Any organization that issues credential-protected accounts to customers or employees is a potential Account Takeover victim. Such accounts are a target for all the main types of fraud, and the pandemic has made the problem worse: Aite Group's research "Key Trends Driving Fraud Transformation in 2021 and Beyond" found that 64% of financial institutions now see higher rates of ATO fraud attacks than before the pandemic.
*Source: Key Trends Driving Fraud Transformation in 2021 and Beyond, Aite Group, December 2020
Account Takeover, also known as ATO, is one of the most common threats to industries such as financial services, eCommerce, gaming, retail, entertainment and healthcare, to name but a few. It occurs when a fraudster takes complete control of a victim's account after stealing their credentials. The techniques used to steal user information and impersonate the victim are well established and effective. ATOs are often the result of data breaches, phishing or overlay attacks.
Targets are high-value accounts such as online banking, payment systems (for example, PayPal), and any service with a stored credit card (for example, Uber).
This type of fraud can have devastating, long-term impacts on businesses, including lasting damage to the brand's reputation and direct financial loss. Despite that, many merchants lack adequate security measures.
When a fraudster successfully obtains a user's account credentials, they log in to the victim's account and change its settings (for example, the contact details used for notifications) so that the legitimate owner is not alerted to the malicious activity. Only then is the fraud committed: the fraudster can place fraudulent orders, spend account credits, or sell the customer's data or even the whole account.
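The sequence just described (log in from a device the owner has never used, then immediately change the contact details so alerts go to the fraudster) is itself a detectable signal. The script below is an added example, not code from the original page or from any vendor mentioned on it. It runs a simple rule over a constructed event stream: a change to a sensitive field (email, phone, password, shipping address) within 30 minutes of a login from a device absent from the user's known-device baseline raises an alert. The field names, the `device` identifier and the baseline `KNOWN_DEVICES` are assumptions for the example; a real deployment would take them from the application's session and audit logs.

```python
"""Flag the classic ATO pattern: login from an unseen device followed by a
change to contact details or credentials. Added example, not vendor code."""
from datetime import datetime, timedelta

# Fields whose modification lets a fraudster silence or lock out the owner.
SENSITIVE_FIELDS = {"email", "phone", "password", "shipping_address"}
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real logs). "device" is assumed to be a
# stable client-side identifier such as a device cookie or fingerprint.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "user": "alice", "type": "login",
     "ip": "203.0.113.10", "device": "dev-home"},
    {"ts": "2021-03-01T09:05:00", "user": "alice", "type": "profile_change",
     "field": "shipping_address"},                      # known device: benign
    {"ts": "2021-03-02T02:10:00", "user": "alice", "type": "login",
     "ip": "198.51.100.7", "device": "dev-unknown"},    # never seen before
    {"ts": "2021-03-02T02:12:00", "user": "alice", "type": "profile_change",
     "field": "email"},                                 # alert
    {"ts": "2021-03-02T02:13:00", "user": "alice", "type": "profile_change",
     "field": "phone"},                                 # alert
    {"ts": "2021-03-02T02:20:00", "user": "alice", "type": "order",
     "amount": 950},
    {"ts": "2021-03-02T10:00:00", "user": "bob", "type": "login",
     "ip": "192.0.2.5", "device": "dev-bob"},
    {"ts": "2021-03-02T10:01:00", "user": "bob", "type": "profile_change",
     "field": "nickname"},                              # not sensitive
]

# Assumed baseline: devices each user has previously logged in from.
KNOWN_DEVICES = {"alice": {"dev-home"}, "bob": {"dev-bob"}}


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_ato(events, known_devices, window=WINDOW):
    """Return one alert per sensitive profile change made within `window`
    of a login from a device not in the user's known-device set.

    Enrolling a new device into the baseline after a clean session is left
    to the caller; this function never mutates `known_devices`."""
    known = {user: set(devs) for user, devs in known_devices.items()}
    last_login = {}  # user -> (login_ts, ip, device, is_new_device)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        user = ev["user"]
        if ev["type"] == "login":
            is_new = ev["device"] not in known.get(user, set())
            last_login[user] = (ts, ev["ip"], ev["device"], is_new)
        elif ev["type"] == "profile_change" and ev["field"] in SENSITIVE_FIELDS:
            session = last_login.get(user)
            if session is None:
                continue  # change without a preceding login in the stream
            login_ts, ip, device, is_new = session
            if is_new and ts - login_ts <= window:
                alerts.append({
                    "user": user,
                    "field": ev["field"],
                    "ip": ip,
                    "device": device,
                    "minutes_after_login": (ts - login_ts).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(EVENTS, KNOWN_DEVICES):
        print(alert)
```

The rule is deliberately narrow: a known device changing an address is normal, and a new device that does nothing sensitive is normal; it is the combination, in quick succession, that matches the takeover sequence. In practice the alert should trigger a step-up check (re-authentication on the old channel, or a confirmation to the previous email or phone) rather than a silent block, since a genuine owner on a new phone produces the same pattern.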
Account Takeover is a fast-growing and widespread type of fraud that affects any organization with a customer-facing login. ATOs regularly target financial services, PA, retail, gaming, and reward programs. The danger applies to businesses of any size, industry, or location. IT, HR, and management are the most frequently attacked departments.
It is challenging to prevent credential theft in the first place. Credential reuse across different services and well-crafted phishing campaigns are nearly impossible to stop through end-user training alone. Phone calls made by fraudsters are extremely convincing, and the callers often know client details that only the bank should know.