Why is Account Takeover Fraud Increasing?

Controlling account takeover fraud is becoming increasingly difficult as criminals continue to evolve their schemes.

As a result, this type of fraud is growing rapidly, and estimates for the total cost of account takeover were $26 billion in previous years. But trying to prevent this, if done improperly, can lead to customer frustration and, ultimately, abandonment. 

Defining Account Takeover

Account takeover is, at its simplest, when a fraudster gains control over a consumer’s digital account. There are many methods they can use to gain access to an account. Upon gaining access, they can then change passwords, PINs, email, physical addresses, and a host of other actions to take control of an account.

The dangers of account takeover go beyond just financial institutions and digital merchants, to a variety of industries. Once criminals have control of an account, they can inflict severe damage, including: 

• Withdrawing funds
• Purchasing goods and services
• Redeeming frequent traveler rewards
• Accessing sensitive information and intellectual property
• Hijacking an email address
• Overtaking online gaming accounts

The Scope of ATO Fraud

It is easy to understand the scope of the account takeover (ATO) fraud problem with these two statistics:

• ATO increased nearly 300% year over year for online merchants
• ATO rose over 70% for financial institutions in the same period 

The perpetrator is seldom the stereotypical hoodie-wearing loner working out of a dank basement. Instead, they are more likely to be part of a well-organized criminal syndicate, often state-sponsored. With this level of sophistication, legacy defenses are easy pickings. 

The increase in the past year was primarily driven, of course, by the pandemic. There were a variety of reasons behind the rise, some of which will remain long after COVID subsides: 

1. Prolonged spikes in digital activity provide more opportunities and also improves criminals ability to “hide” due to the noise of the larger volumes
2. More sophisticated hackers, using advanced technologies, the dark web, and higher levels of specialization
3. Acceleration of cloud migration and digital transformation initiatives led to increased opportunities
4. Increase in opportunists; individuals that prior to the pandemic were not fraudsters
5. Distracted employees and consumers due to working remotely and general anxiety
6. Overworked fraud teams from the flood of digital transactions

A recent Aite Group study found that account takeover is becoming a major concern for Security leadership. One of the critical drivers for this type of fraud is the stolen data widely available on the dark web. Additionally, the fraudster’s use and investment in “industrial-scale data-mining operations” will likely prolong the prevalence of takeovers. The advanced technologies and adaptability of the criminals have made them resilient to traditional fraud measures. 

Fraudster’s Account Takeover Tactics

Cybercriminals are constantly evolving their tactics and employing new ones in their attempts to breach consumer’s accounts. Increasingly automated methods such as credential stuffing, complex scripts, and bots make the fraud ever easier to deploy. In addition to targeting consumers, account takeover is increasingly being used to steal employee user credentials. It is often the easiest path to access sensitive information within organizations.

Fraudsters can acquire consumer or user credentials via a number of tactics, including:

• Credential stuffing from data breach marketplaces on the dark web
• Credential cracking is a targeted approach to access accounts
• Phishing emails to infect with malware
• Social engineering techniques to access accounts
• Brute-force attacks often involving complex scripts 

Bots have made these tactics extremely scalable so the cybercriminals can hit more targets, or focus more effort on a single target. The increasing use of bots is leading to more brute-force attacks that crisscross the web and deploy stolen credentials against accounts. 

In addition, the legitimate owner is not likely to be initially informed or aware of the takeover of their account. Often it takes a period of time until they realize the damage, but by then, the perpetrator will have disappeared.

Fight Account Takeover with Fraud.net

Read more in our eBook on Account Takeover Fraud. To learn more, please get in touch with our experts to receive a demonstration of how we can help your organization prevent account takeover fraud.