Account takeover fraud - the pandemic you may not have heard of
Covid-19 is driving a dramatic increase in cases of account takeover fraud as customers are forced to use digital channels
The term "account takeover" may not be familiar to most people. However, everyone needs to be aware of what it is and how it happens, because this type of fraud is escalating fast.
Put simply, account takeover is the straightforward takeover of online accounts, such as internet banking. It is often carried out through fraudsters using social engineering tactics to gain the data they need to mimic a user's identity and infiltrate accounts. Fraudsters will then use the customer information they have collected to make money by exploiting people and their hard-earned cash.
Even before Covid-19 struck, account takeover fraud was on the up. Experian's Global Identity Fraud report found that 57 per cent of businesses reported higher losses associated with account opening and account takeover fraud in 2019, compared to 55 per cent in 2018.
The growing threat of account takeover
But this trend is only going to get worse, as Covid-19 is driving a dramatic increase in cases of account takeover fraud. The primary reason is that more customers are being forced to use digital channels, for example online banking and grocery shopping. Fraudsters therefore have a far bigger pool of victims to target.
In the same way we saw fraud increase during the 2008-2009 recession, we can expect to see a similar pattern in the wake of Covid-19. UK ecommerce fraud losses on cards are said to have topped £359 million last year, but with fraud known to rise during recessions we can expect that figure to be far larger in 2020.
Fortunately, account takeover is a known threat and regulators are already on the warpath. For example, the EBA has introduced unobtrusive checks like behavioural biometrics into its guidance. This adds an additional layer of security to protect the consumer without harming the user experience.
A three-pronged approach is needed
The key to tackling the issue is to take a three-pronged approach. Firstly, behavioural insights such as swipe, keystroke and mouse movement should be used to identify a genuine customer and to detect any change in behaviour patterns. For instance, the way a fraudster types in a customer's username and password is very different to how the customer would type it themselves using their laptop or mobile. Behavioural authentication is extremely powerful for this use case, as it is a passive approach to identifying a user as well as threats, without disrupting the user experience.
Secondly, there must be the adoption of a more holistic, industry-wide approach whereby technology vendors and banks work collaboratively to help mitigate these attacks. By utilising data from a range of tech companies, such as telecoms providers, there will be additional intelligence available to help identify risks such as SIM-swap fraud.
The strategic angle of banks cross-referencing customer information could really help drive down the risk of account takeover fraud, as the fraudster will often attempt to replicate an attack across several banks. For example, they will start off by hacking into just one of the customer's accounts, then, using all the additional personal information they have been able to garner from that initial account, they will easily be able to hack into the customer's other bank accounts. By taking this joined-up industry approach we could eventually see banks move into a 'pro-active' fraud prevention position.
Data is always powerful, but its true value can only be achieved when it is accessible and completely reliable. That is why the final tactic to use is taking an "ensembling approach" - whereby you incorporate single data points (device, behaviour, location and other third-party insights) in order to provide a holistic and contextual view of the customer. For example, device data when viewed on its own is siloed and does not provide the bank with any other information on whether it is a customer or fraudster attempting a transaction. However, by combining information about device, location and behaviour, there are far more data points to rely on to make a better risk-based decision. This ensembling approach is proven to detect more incidents of fraud and reduce false positives.
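The contrast between a siloed device check and the ensembling approach can be sketched in a few lines. This is an added illustration, not code from the article or from Callsign; the enrolment profile, weights, threshold and login events are all constructed assumptions.

```python
from statistics import mean

# Constructed enrolment profile: mean and std-dev (ms) of the customer's
# inter-key intervals when typing their username. Illustrative values only.
PROFILE = {"mean": [120, 95, 140, 110], "std": [15, 12, 20, 14]}

def behaviour_risk(intervals, profile=PROFILE):
    """Mean absolute z-score of observed key timings, squashed to 0..1."""
    z = [abs(x - m) / s
         for x, m, s in zip(intervals, profile["mean"], profile["std"])]
    return min(mean(z) / 3.0, 1.0)  # 3+ std-devs on average = maximum risk

def device_only(event):
    """Siloed rule: an unrecognised device is always challenged."""
    return "allow" if event["device_known"] else "challenge"

def ensemble(event, weights=(0.3, 0.3, 0.4), threshold=0.5):
    """Weighted mix of device, location and behaviour risk (assumed weights)."""
    device = 0.0 if event["device_known"] else 1.0
    location = min(event["km_from_usual"] / 500.0, 1.0)
    behaviour = behaviour_risk(event["intervals"])
    score = (weights[0] * device + weights[1] * location
             + weights[2] * behaviour)
    decision = "challenge" if score >= threshold else "allow"
    return decision, round(score, 2)

# Constructed login events.
EVENTS = {
    # Genuine customer on a replacement phone, at home, typing normally.
    "customer_new_phone": {"device_known": False, "km_from_usual": 2,
                           "intervals": [125, 90, 150, 105]},
    # Fraudster presenting a recognised device fingerprint, far from the
    # customer's usual location, with a very different typing rhythm.
    "fraudster_spoofed_device": {"device_known": True, "km_from_usual": 800,
                                 "intervals": [60, 210, 55, 30]},
}

def compare():
    """Return {event: (device-only decision, ensemble decision, score)}."""
    return {name: (device_only(e), *ensemble(e))
            for name, e in EVENTS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The device-only rule challenges the genuine customer (a false positive) and waves the fraudster through, while the combined score gets both decisions right.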
Keep customer experience front of mind
Whilst security is the top priority, brands cannot afford to impose additional security at the expense of the customer experience or user journey. Businesses must remember to continue to provide an excellent level of customer service, as individuals can easily switch to other brands if the banking experience does not meet their expectations. In fact, Callsign research has highlighted that 20 per cent of consumers switched to another brand due to a bad online shopping experience in the month of April alone, showing that brand loyalty can only take organisations so far.
The current pandemic has clearly highlighted the increased risk of account takeover and how fraudsters are exploiting digital users in the midst of a chaotic environment. So, what can banks do now to ensure they won't get caught out?
While an industry-wide approach may take slightly longer to initiate, banks must aim to switch to using behavioural insights immediately and integrate them into their account takeover fraud strategy. By combining behavioural information with data and intelligence, they will have a greater chance of keeping the fraudsters at bay and hitting the brakes on this rising issue.
Ryan Gosling is commercial director at Callsign