Mercury’s own Kenny Grimes, head of risk strategy & analytics, was interviewed by Unit21, the customizable, no-code risk and compliance operations platform for a chapter in their recently published “Fraud Fighters Manual.” The chapter features Kenny’s insights on account takeover fraud (ATO) and how startups can protect themselves. With a career focused on managing risk and improving operational processes in tech, Kenny has seen the evolution of fintech fraud over the past several years and has useful insights to share about ATO prevention.
Read on for a preview of the manual and download a copy of the full manual here to learn from industry leaders about how you can safeguard your company against fraud.
The sad fact is that everybody’s at risk…Ensuring that customers are protected is an ongoing concern for basically everyone in the industry.
In addition to fraudster types, identity fraud, and crypto fraud, another form of fraud that’s growing fast is known as account takeover (ATO).
According to the Q3 2022 Digital Trust & Safety Index by Sift, ATO has grown 131% year over year from 2021 to 2022.
While this trend is concerning, there are ways to detect ATO attempts and red flags you can look out for to keep you, your employees, and your users safe from this type of fraud.
ATO can result in dire outcomes such as misappropriated finances, reduced customer loyalty, escalated procurement expenses, and, eventually, decreased earnings. Fraud teams must adopt an end-to-end, real-time approach to outpace Account Takeovers.
What is account takeover fraud?
ATO is a type of fraud that occurs when a bad actor gains access to someone else’s account or personal information, often for financial gain. It can happen with any kind of online account but most commonly affects social media, banking, and ecommerce sites. Bad actors increasingly script their attacks using bots: for example, they take a massive database of credential combinations and mass-test them across a platform.
What makes ATO particularly tricky, Kenny points out, is finding the culprits of this form of fraud. “It’s extremely difficult to pinpoint where it’s happening and who’s doing it,” Kenny says. “It’s highly efficient.”
The information required to conduct an ATO is most commonly acquired through phishing, malware, data breaches, brute force attacks, or even public information.
The four stages of ATO
An account takeover doesn’t happen all at once; instead, it starts small and progresses. Sophisticated fraudsters will be more difficult to detect as they know how to be stealthy and cover their tracks. There are four steps to a typical account takeover. The fraudster first gathers information on the account then gains access and makes small changes before finally taking off with the user’s hard-earned money. Below is a look at each step in detail:
1. Information gathering
This stage is largely invisible. The fraudsters are working behind the scenes using whatever information is available. This stage can be considerable, in terms of both time and effort, especially for fraudsters working to take over business accounts.
2. Account access
Fraudsters often log in and make sure they can really get into the accounts before initiating any big changes. Individuals and organizations often don’t notice this stage.
Organizations with any kind of online account feature need to be on the lookout for suspicious account activity that suggests this stage of ATO, Kenny says. For example, “you’ll see a new login from an IP or location that has never logged into that account before.”
There might be other minor signs: you might see many failed login attempts across multiple accounts on your platform, or you might notice accounts that don’t usually log in often are doing so multiple times a day. But the fraudster hasn’t yet made a big move. If users are getting unexpected password reset prompts or other unusual activity, that’s a sign that there may be fraudsters trying to access accounts.
3. Small account changes
Once bad actors know they can access the account, they will often make smaller changes to set up their fraud or cover their tracks. Unless the user on this account is on the lookout for any suspicious activity, this step is easy to miss. For instance, fraudsters might quietly add a new person to the account or open new accounts altogether. They might also switch off notification settings so that their changes will go undetected for longer.
It’s important for the platform to keep an eye out for an increase in complaints or strange account behavior that could point toward fraud. An increase in customer complaints about unauthorized access or fraudulent activity might be a sign that an account takeover is occurring on the platform, and if there are multiple instances, it may be a sign that fraudsters are exploiting a vulnerability in the system.
4. The money grab
The final stage is when many people realize something is wrong after the damage has been done. New lines of credit may appear, money might vanish, or the user may be locked out of their own account entirely.
At this stage, the victim has to play catch up to figure out what happened and how the fraudster pulled it off. The process of attempting to recover the funds is difficult and time-consuming, and it’s often impossible to recover everything lost. That’s why it’s essential to spot fraudsters before they reach this stage.
When bad actors attack your identity, they are not only after your bank account; they are after everything. They want to know where you buy your prescriptions so they can leverage health issues against you. They want to understand your full travel history so they can mimic you.
They will hack your social media along with your gym and any forums you belong to; this will give them access to more targets that usually interact with you on various platforms.
Who is at risk and why
“The sad fact is that everybody’s at risk,” Kenny says. “There’s almost no way to entirely avoid it.” That said, individuals and organizations most at risk are:
- Populations inexperienced with technology. They’re more likely to have poor security hygiene (like using the same password repeatedly), and they’re less likely to know the signs of common forms of online fraud (for instance, suspicious emails phishing for sensitive information).
- Small businesses. Startups and small businesses often don’t have the resources to invest in sophisticated security tools or hire dedicated security roles. This lack of resources makes business email compromise an even bigger threat for small businesses.
- High-profile individuals or organizations. Because there’s simply more information (like birthdays) about people and organizations available to the public, there are more opportunities for fraudsters to collect information.
Kenny stresses that no matter how sophisticated and thorough an organization’s processes are for handling and protecting accounts, there’s always a possibility that ATO could happen. In the same way that security features advance and individuals learn about how to protect themselves from fraudsters, fraudsters continue to develop new schemes to gain access to accounts.
The fraud landscape is always shifting
While the industry has gotten better, it’s a shifting landscape. Fraud teams must figure out what the next big fraud scheme is and be able to quickly and easily build monitoring rules that address these shifts.
ATO red flags
In order to protect your users and your platform, it’s important to be aware of signs that ATO may be happening. Look out for these red flags:
- Repeated 2FA attempts. If a user has attempted 2FA several times in a matter of minutes or seconds, it could be a malicious attempt to gain access to an account.
- Changes in login patterns. There might be logins from unusual locations or more logins than usual. Any significant change in the patterns of a single user or multiple users could be a sign that fraudsters are gaining access to the account.
- Disabled security features that were previously enabled. Fraudsters might turn notifications off so the victim won’t be alerted when the fraudster makes changes to the account.
- Deleted emails or other missing information. To cover their tracks, Kenny says, fraudsters attempting an ATO might send emails and receive emails from your accounts. “They’ll even send messages and then delete them from that person’s inbox right away and try to capture the responses before they can get them,” he explains, to “basically set up a scenario where they’re trying to get you to pay funds into an account by sending a fake invoice that’s modeled after communications they’ve seen within that invoice.”
- Small, unexplained purchases or withdrawals. This can be a test before larger sums are taken out. If any accounts experience a series of small, unexplained purchases, that could be a fraudster preparing for bigger heists.
Keep an eye out for anything out of the ordinary, and if anything seems like a red flag, act immediately.
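As an added example (not from the manual or Mercury), here is a small Python detector that applies several of the signals from the red-flag list and from the account access stage above to constructed login and settings events: a successful login from an IP never seen on that account, repeated 2FA attempts in a short window, a notification setting being switched off, and failed logins against many accounts from one IP. The event format, thresholds, account names, and IP addresses are assumptions made for the example.

```python
"""Toy ATO red-flag detector over constructed login/settings events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: IPs each account has logged in from before, built from login history.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.7"}, "carol": {"198.51.100.9"}}

# Constructed sample events for this example, not real log data.
# Each tuple is (timestamp, account, source IP, event kind).
EVENTS = [
    ("2023-03-01T09:00:00", "alice", "203.0.113.5", "login_ok"),
    ("2023-03-01T09:05:00", "alice", "192.0.2.44", "login_ok"),   # first login from a new IP
    ("2023-03-01T09:05:30", "alice", "192.0.2.44", "2fa_attempt"),
    ("2023-03-01T09:05:45", "alice", "192.0.2.44", "2fa_attempt"),
    ("2023-03-01T09:06:00", "alice", "192.0.2.44", "2fa_attempt"),
    ("2023-03-01T09:06:10", "alice", "192.0.2.44", "2fa_attempt"),
    ("2023-03-01T09:07:00", "alice", "192.0.2.44", "notifications_off"),
    ("2023-03-01T10:00:00", "bob", "192.0.2.99", "login_fail"),    # one IP, many accounts
    ("2023-03-01T10:00:01", "carol", "192.0.2.99", "login_fail"),
    ("2023-03-01T10:00:02", "dave", "192.0.2.99", "login_fail"),
    ("2023-03-01T10:00:03", "erin", "192.0.2.99", "login_fail"),
]


def detect_red_flags(events, known_ips, window=timedelta(minutes=2),
                     max_2fa=3, min_failed_accounts=3):
    """Return (flag, subject) pairs in the order the red flags are first seen."""
    flags = []
    twofa = defaultdict(list)        # account -> recent 2FA attempt timestamps
    failed_by_ip = defaultdict(set)  # IP -> distinct accounts with failed logins
    for ts, user, ip, kind in events:
        t = datetime.fromisoformat(ts)
        if kind == "login_ok" and ip not in known_ips.get(user, set()):
            flags.append(("new_ip_login", user))
        elif kind == "2fa_attempt":
            # Keep only attempts inside the sliding window, then count this one.
            twofa[user] = [x for x in twofa[user] if t - x <= window] + [t]
            if len(twofa[user]) > max_2fa and ("repeated_2fa", user) not in flags:
                flags.append(("repeated_2fa", user))
        elif kind == "login_fail":
            failed_by_ip[ip].add(user)
            if len(failed_by_ip[ip]) == min_failed_accounts:  # flag once per IP
                flags.append(("failed_logins_many_accounts", ip))
        elif kind == "notifications_off":
            flags.append(("security_feature_disabled", user))
    return flags


if __name__ == "__main__":
    for flag, subject in detect_red_flags(EVENTS, KNOWN_IPS):
        print(f"{flag}: {subject}")
```

In production the known-IP set would be maintained from the account's own login history and the thresholds tuned per platform; the point here is that each red flag becomes a concrete rule over events you already log.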
How to prevent ATO
Kenny says it’s important to remember that ATO is often preventable if organizations and individuals are aware of the ways account takeovers happen and are consistently looking for ways to identify and prevent these instances before they happen.
- Double-check any unexpected purchases or invoices. Call vendors on the phone instead of relying on email.
- Stay on the lookout for any unusual account activity. Keep an eye out for the red flags listed above.
- Promote the one door, one key approach. Never use the same password for two different accounts.
- Change passwords regularly. Encourage any users or customers to do the same.
- Use a password manager. This is recommended for yourself and your organization to make generating and storing passwords simpler and more secure. “The benefit, the value that a password manager has that I think a lot of people overlook, is that it recognizes where you’ve logged in successfully before,” Kenny says.
- Enable 2FA. Wherever possible, use two-factor authentication for an extra layer of security.
Key takeaways
- ATO is a type of fraud where a bad actor gains access to someone else’s account or personal information, often for financial gain.
- ATO has four stages: information gathering, account access, small account changes, and the money grab.
- Red flags of ATO include repeated 2FA attempts, changes in login patterns, disabled security features, deleted emails, and small, unexplained purchases or withdrawals.
- To prevent ATO, double-check unexpected purchases, look for unusual account activity, use a password manager, change passwords regularly, and enable 2FA wherever possible.
Remember, anyone with an online account is at risk of account takeover fraud. Despite the perceived inconveniences, individuals must take a level of responsibility for following security hygiene best practices like using a password manager and implementing 2FA where possible to keep themselves and others safe from being taken advantage of.
However, organizations that collect and store customer information are also at risk of data breaches and can be held liable for damages associated with poor fraud prevention practices, which is why it is critical for these companies to understand how to use security tools effectively.
To help with this, Chapter 5 will dive into the basics of fraud detection and prevention. We’ll cover the different types of fraud detection solutions, transaction monitoring and risk assessment best practices, and adopting a dynamic approach.
You can read that, along with the full Fraud Fighters Manual by Unit21 here.