Unmasking online account takeover

Trends and key activity to consider when investigating a potentially compromised account

December 19, 2017 by Verafin

The intersection of fraud and online banking accounts continues to be big business. With our dependence on smartphones, and as the Internet seemingly expands into every aspect of our lives, criminals are fashioning masks molded from stolen personal data to obtain a hefty digital payday.

One of the biggest security concerns for Financial Institutions (FIs) continues to come through the criminal (mis)use of customers. Fraudsters continue to develop and hone a wide range of scams to compromise customers’ personal data, which they then use to successfully fuel online account takeover attempts.

Digital fraud trends

As a cloud-based application with over 1600 client FIs located across North America, Verafin is uniquely positioned to recognize and combat advanced fraud trends in their infancy.

Here are high-level trends we are seeing in this age of digital fraud:

  • Criminals’ heavy reliance on elaborate third-party scams and phishing attempts to compromise customer information. Fraudsters are aware of how susceptible large sections of the population are to these schemes, and customers are treated as the weak link in an FI’s fraud controls. More information about prominent criminal scams can be found in Verafin’s complimentary Understanding Fraud Schemes & Scams eBook.
  • The globalization of fraud. Criminals prefer the anonymity and speed of online channels, which allow them to operate freely across borders. This makes fraud as much of a problem for community-based institutions, whose resources are often more limited, as it is for nationally and internationally based FIs.
  • Criminals adapt to an FI’s fraud controls at an incredibly rapid pace, helping them avoid detection when utilizing stolen information.

 

The difficulty of keeping pace with digital threats

Keeping up with the sophistication of ever-changing criminal schemes is increasingly difficult for FIs. The 2017 ISMG Faces of Fraud Survey, which includes data gathered from banking and security leaders at U.S. financial institutions ranging from under $500 million to more than $20 billion in assets, found:

  • Over 50% of respondents felt “today’s fraud schemes are too sophisticated and evolve too quickly to keep pace,” and
  • Only 38% “have high confidence in their organization’s ability to detect and prevent fraud.”

 

The growth of stolen data

Industry fraud numbers available thus far in 2017 show just how focused criminals are on stealing customer data.

The Gemalto Breach Index, which tracks and reports on global data breaches, indicated that more data was stolen in the first half of 2017 than in the entirety of 2016. Ready for more bad news? 95% of that information was unencrypted.

The effects of this criminal activity are already being felt. The October 2017 Global Fraud Index shows that account takeover skyrocketed by 45% in Q2 2017.

To round out this gloomy picture, Symantec reports that the global spam rate and phishing rate reached two-and-a-half-year and 12-month highs, respectively, in July 2017.

 

Activity to watch for when investigating online account takeover

Online accounts, with their ability to be accessed from anywhere with a large degree of anonymity, are ideal targets for criminals. Once they have compromised an account or opened a new account with stolen data, money can be moved very quickly – potentially leaving an institution on the hook for large losses.

Based on Verafin’s proactive analysis of data within its cloud environment and feedback from FIs attending its numerous industry seminars held across the country, the following are factors to consider when investigating unusual online account activity:

Unusual digital fingerprint. Consider changes to the customer’s typical digital fingerprint. This includes their IP address, Internet Service Provider (ISP), and the device and web browser used to access the account.

Use of risky providers. Cybercriminals will often buy a service to hide their IP address, state, and country location. Confirm that the customer has regularly used the VPN hosting provider in the past, and maintain a list of risky providers for future investigative reference.

Logins from international IPs. Logins from international locations are a red light. If the account belongs to a long-standing customer, check for travel indicators. If the customer lives in Columbus, Ohio, and has no history of travel overseas, but their account was accessed from an IP originating in Russia, you need to investigate.

Changes to contact information. Cybercriminals will often try to take control of any attempted communication between the FI and customer to ensure they control the conversation if FI staff reach out to question the activity. Changes to a customer’s contact information, particularly their phone number and email address, may be key clues.

Newly added payees. Were payees added to the account during a suspicious online session? Cybercriminals will often add fraudulent accounts to a payee list or attempt to establish an ACH consumer-to-consumer (C2C) transfer relationship between a compromised account and an account they own. Try to establish if either the customer or other customers at the institution have legitimately completed transfers with the account in the past.

Age of the account. While this is not technically “activity”, it is always worth noting that new accounts require an extra level of scrutiny. Criminals will frequently use stolen information to open a new account in their victim’s name to perform illicit activity.
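
The factors above can be run as a checklist over a single online session compared against the customer's history. This is an added example, not Verafin's code or detection logic; the field names, provider and payee names, the 90-day new-account threshold and the sample sessions are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data; every name and value below is hypothetical.
RISKY_PROVIDERS = {"ExampleVPN Hosting"}      # investigator-maintained list
INSTITUTION_PAYEES = {"City Water Dept"}      # payees other customers have used
BASELINE = {
    "countries": {"US"},                      # where the customer normally logs in
    "isps": {"Example Cable"},
    "devices": {("Windows", "Chrome")},
    "known_payees": {"ACME Utilities"},
    "opened": date(2009, 3, 14),
    "travel_notice": False,                   # stand-in for "travel indicators"
}

def review_session(baseline, session, today, new_account_days=90):
    """Return the checklist indicators that this session raises, in order."""
    flags = []
    if (session["isp"] not in baseline["isps"]
            or session["device"] not in baseline["devices"]):
        flags.append("unusual_fingerprint")
    # A listed provider is only notable if the customer has no history with it.
    if session["isp"] in RISKY_PROVIDERS and session["isp"] not in baseline["isps"]:
        flags.append("risky_provider")
    if (session["country"] not in baseline["countries"]
            and not baseline["travel_notice"]):
        flags.append("international_login")
    if session.get("contact_changes"):        # e.g. phone number or email
        flags.append("contact_info_changed")
    # A payee is new only if neither this customer nor others have paid it.
    added = set(session.get("payees_added", ()))
    if added - baseline["known_payees"] - INSTITUTION_PAYEES:
        flags.append("new_payee")
    if (today - baseline["opened"]).days < new_account_days:
        flags.append("new_account")
    return flags

SUSPICIOUS = {"isp": "ExampleVPN Hosting", "device": ("Linux", "Firefox"),
              "country": "RU", "contact_changes": ["phone", "email"],
              "payees_added": ["J. Doe 4471"]}
ROUTINE = {"isp": "Example Cable", "device": ("Windows", "Chrome"),
           "country": "US", "payees_added": ["ACME Utilities"]}

if __name__ == "__main__":
    for name, s in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(name, review_session(BASELINE, s, date(2017, 12, 19)))
```

The flags are prompts for an investigator to review, not a verdict; several raised in one session warrant a closer look than any one alone.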

 

Preventing a hurtful loss

Javelin Strategy and Research’s 2017 Identity Fraud Study discovered that incidents of identity fraud increased 16%, with criminals netting two million more victims than the previous year and a grand total of $16 billion for their efforts. Total losses due to account takeover grew dramatically to $2.3 billion.

In isolation, institutions are struggling to stay ahead of the rapid evolution of criminal attacks. As long as criminals understand human vulnerabilities, customers will remain susceptible to their schemes. A sophisticated defense is needed: one that utilizes diverse fields of customer data to detect trends early and alert FIs before criminals can launch their attacks.

By paying close attention to key activity indicators, investigators can begin to unmask criminals hiding behind customers’ identities – protecting both customers and their institutions from hurtful financial loss.

To learn more about how Verafin can help your institution detect compromised accounts, download our Online Account Takeover Detection feature sheet, or visit our solution page.

Verafin’s industry-leading, cross-institutional Fraud Detection and Anti-Money Laundering (FRAMLx) collaboration software is utilized by 1700 financial institutions across North America. With powerful cloud-based technology, FRAMLx facilitates 314(b) information sharing, and offers innovative artificial intelligence and machine learning capabilities to proactively prevent cross-channel fraud, uncover a wide range of suspicious activity, and enhance BSA/AML procedures through end-to-end, risk-based CDD/EDD functionality.