Account Takeover in 2018: Traditional Protection Strategies Not Enough

Posted by Deborah Peace on Sep 5, 2018 9:30:00 AM

Corporate Account Takeover 1-719392-edited
Last year, 16.7 million consumers were victims of identity fraud - up eight percent from the previous year and a new record high, according to Javelin Strategy & Research’s
2018 Identity Fraud Study. This translates to more than $16.8 billion stolen, with much of that from financial institutions.

Moreover, Account Takeover fraud grew significantly, tripling over the past year and reaching a four-year high. Javelin reported that total losses from Account Takeover reached $5.1 billion – a 120 percent increase from 2016. Deemed one of the most challenging fraud types for consumers, victims pay, on average, $290 and spend 16 hours to resolve it.

But consumers are not the only victims. Corporate Account Takeover is also on the rise.

With Corporate Account Takeover, fraudsters begin by targeting their victims by using various phishing techniques like mass emails, pop‐ups, or faux‐friend requests. With these phishing techniques, fraudsters hope a victim will expose themselves to malware by responding to the various outreach attempts. Becoming infected can be as simple as clicking on a bad link, opening an attachment on an email, logging on to a legitimate website that has been compromised, or responding to a malicious email that has requested personal information.

Once the malware has been downloaded, it will run in the background unnoticed until the computer user logs on to his or her online financial institution account. The malware then acquires the user’s login credentials, which is then transmitted to fraudsters who use the information to initiate unauthorized fund transfers away from the victim’s account.

As account takeover fraud continues to rise, traditional protection strategies – including education and awareness; enhanced security like spam filters and firewalls; security tokens and One Time Passwords (OTP); and Out of Band Verification (OOB) – are no longer enough on their own.


To thwart Corporate Account Takeover, education has been the primary recommendation by both government officials and industry thought leaders. While this is important, it is one dimensional. Certainly, it is critical for businesses to raise awareness within their organization and teach users of the risks associated with opening unsolicited attachments, clicking on pop‐ups and cruising social networking sites, but trying to train, monitor and discipline every person within an organization is unrealistic. There are simply too many variables and it only takes one mistake to invite malware onto a machine. Instead, a more practical and effective preemptive strategy is needed.

Enhanced Security, Spam Filters & Firewalls

Experts have also suggested enhanced security measures, such as limiting certain functions that computers can perform as well as using spam filters and firewalls. But filters and firewalls can be breached and implementing security procedures such as dual payment controls remain cumbersome and time-consuming.

Security Tokens & One Time Passwords (OTP)

Security tokens and use of One Time Password (OTP) technology have also been used to hamper the efforts of cyber criminals. This technology works by having a designated password for only a short period of time to authenticate a user attempting to access a financial institution application. The problem with this method is that many malicious software applications and Trojans are now capable of acting autonomously from the end user’s personal computer. As a result, Trojans are able to inflict their damage before an OTP clearance expires.

Out of Band Verification (OOB)

Finally, Out of Band Verification (OOB) has become the industry’s go-to defense for verifying access. With nearly 40 percent of personal computers being infected with some form of malware, phone verification is seen as the most secure way to authenticate a user. The challenge with this method is that it is a manual process and adds yet another step in the authentication process – and often seen as another hoop to jump through.

While these methods may have been effective in the past, they do not provide complete protection against Corporate Account Takeover fraud. Computers cannot always be monitored and even dedicated equipment can fall prey at no fault of the user. Additionally, behavior monitoring systems that alert financial institution staff of anomalous activity pose risks. The employee cannot definitively know whether a transaction is valid or not, only the account holder can. If an employee assumes a transaction was authorized and verifies it, when it was actually fraudulent, there is no way to hold the originator accountable for the loss.

Financial institutions that shoulder the responsibility of preventing account takeover and the payments fraud associated with it can hinder their own growth. Growing their electronic payments business while monitoring for suspicious transactions on the back-end using manual processes like call-backs is difficult, if not impossible. This approach requires added resources and army of security analysts. Furthermore, this makes it challenging to keep electronic transactions moving at optimal speed.

The only way to eliminate this threat from fraudsters is to employ multidimensional, preemptive strategies that verify transactions once they arrive at the financial institution and before they are released to the ACH Operator.

For more information, download our "Corporate Account Takeover" white paper.

Download White Paper 

Topics: Account Takeover