5 Ways to Protect Your Financial Institution from Account Takeover Fraud

No matter how much emphasis is placed on creating safe passwords, avoiding phishing attempts, and safeguarding sensitive personal data, the risk of account takeover (ATO) fraud remains ever-present. This type of fraud, where criminals brazenly steal account credentials and personal identifiable information, including social security numbers, addresses, and banking details, poses a real threat, leading to scams, reputation damage, and selling data to third parties. Shockingly, in the U.S., about 22% of adults have fallen victim to ATO fraud, averaging losses of $12,000 per case.

The alarming growth of ATO fraud was further exacerbated during the pandemic's digital surge. Financial institutions' innovations inadvertently paved the way for cybercriminals to exploit vulnerabilities as they pivoted to meet the increasing demand for remote access and innovative communication channels. The use of application programming interfaces (APIs) and cloud environments to cater to customer demands for personalized, real-time services also led to significant challenges for information technology and security operations teams. As security teams pivoted to respond to security risks and threats fueled by the escalating need for remote access and innovative communication channels, cybercriminals swooped in to exploit increased vulnerabilities presented by larger attack surfaces.

Another factor affecting the increase in ATO attacks is the growing customer demand for personalized, real-time services. Financial institutions are increasingly relying on application programming interfaces (known as APIs) and cloud environments to better serve customers and grow revenues. They are rapidly adopting new multicloud architectures and integrating with third-party service providers, resulting in significant challenges for information technology and security operations teams as they work to keep pace. Too often, financial institutions’ cybersecurity frameworks are disjointed, lacking real-time visibility, situational awareness, and integrated security controls.

Fortunately, chief information officers and chief information security officers at financial institutions can get ahead of these attacks by making a plan. Here are some of the top cybersecurity essentials for banks and financial institutions:

1. Treat attackers as business adversaries: View attackers not just as technology adversaries but as enemies of your business. Lower their return on investment by implementing multifactor authentication (MFA) and adopting a "never trust, always verify" philosophy. 
2. Be aware of credential stuffing: Credential stuffing, where hackers use bots to test stolen credentials, is a major threat because it exploits bots’ superpower — performing automated, repetitive, well-defined tasks at break-neck speed and scale. To combat this growing threat, financial institutions need to detect bot traffic and mitigate malicious bots at the edge, while effectively managing good bots — all without impacting user experience.
3. Watch out for sleeper fraud: Be vigilant for sleeper fraud, where malicious actors build a payment history before conducting large-scale fraud. Detect subtle anomalies and improve fraud recording to counter this threat effectively.
4. Embrace a security mindset: Prioritize security as a core value from leadership to employees. Ensure visibility across the entire ecosystem and make real-time proactive decisions to maintain a strong defensive posture.
5. Understand your current state: Evaluate your institution's visibility, traffic profiles, and security controls. Conduct an audit with the principle of least privilege in mind to limit user access to essential information.

An ATO attack is a cat-and-mouse game; as attackers evolve their tactics, security teams must also evolve their defenses to stay ahead of threats. It might not always be possible to completely stop an attacker in every case. But by simultaneously focusing on mitigating your financial institution’s risk, making it harder for attackers to get in, and making it more expensive for attackers, you are more likely to protect your customers, employees, and assets from the potentially devastating consequences of an ATO attack.