Account takeover fraud (ATO) is on the rise, and businesses and banks are bearing the costs. ATO cost US businesses $5.1 billion in 2017, about three times as much as in 2016. This type of fraud is still trending upward, especially against banks. ATO attacks on financial services rose by 40% from Q1 to Q2 of 2018, according to ThreatMetrix’s Q2 Cybercrime Report. Even more alarming, the rate of ATO attempts via mobile transactions rose 200% during that period.
Anyone with a customer’s login credentials can take over that person’s account. An increasing number of recent large-scale ATO attempts have been carried out with botnets that attempt to log in to customers’ retail accounts, according to ThreatMetrix. How are thieves getting the credentials in the first place? Unfortunately, fraudsters have many resources at their disposal.
The ongoing wave of consumer data breaches at retailers, hotel chains, social media networks, and other companies gives organized criminals a steady supply of data points to exploit. This data can include names, payment card numbers, and in some cases, usernames and passwords. Unsecured wireless networks give thieves another way to steal credentials and other personal data. Some fraudsters impersonate their victims on the phone with customer service to change account passwords and gain access.
Scammers also use social engineering on social media to collect information they can use to hack their way in. For example, quizzes and memes that prompt users to share the names of pets, former hometowns, and other personal details can help attackers answer knowledge-based authentication questions that many online accounts require for password recovery.