When thieves take over a bank account, they may use it to make fraudulent purchases, deposit and cash forged checks, write checks to themselves, or for all kinds of other nefarious purposes. Account takeover is rampant, and over a third of consumers say that they have experienced it at least once in the last year.
This number doesn’t just include bank accounts — it also includes other types of account takeover including cell phone accounts, credit card accounts, reward accounts, government benefits accounts, and more.
Consumers can suffer losses when any of their accounts get hijacked, but they stand to suffer the most losses when their bank accounts get taken over. Often, the bank ends up bearing the financial losses. They also incur damaged customer relationships and reputational damage when word spreads.
Which Accounts Are the Most Likely to Be Taken Over?
Thieves always reach for the lowest-hanging fruit. By extension, they’re likely to target the accounts that have the least amount of protection. They’re also likely to target accounts owned by vulnerable people.
A significant amount of account takeover is committed by someone who knows the victim. Elder populations and people who rely on others to manage their finances due to cognitive delays or other issues have a heightened risk of account takeover. Dormant accounts also face a significant risk.
How Do Thieves Take Over Accounts?
If the thief doesn’t know the victim, they often obtain information from a phishing attack. Ironically, they may reach out to the victim, pretending to be the bank. Then, they may tell the person that fraud has been committed on their account and to stop the fraudulent activity they need to verify some details. At that point, the consumer is scared and worried. They don’t want to suffer losses so they open up to the thief.
The victim may give away their online password, their ATM PIN, or all kinds of other details that banks don’t request. But the average consumer isn’t always aware of this. The fraudsters are often so effective that they can even have your bank name show up on the caller ID or the phishing email that they’ve sent.
In other cases, the thief may buy the details they need online. A breach of an unrelated site, for example, can reveal a host of usernames and passwords that the consumer has been using for all their accounts. When the thief tries these compromised log-in details on the customers’ bank account, they don’t know if they work or not, but if they do, they can get the ball rolling.
Thieves can also track a consumer on public WiFi or convince the victim to download key-tracking software onto their computer. Then, they can learn what bank the customer uses and get their login details. Criminals use all kinds of ways to learn the customer’s log-in details, but these are some of the most common.
What Happens When a Thief Takes Over an Account?
Once the thief is in the account, they may add themselves or a fake identity as an authorized user. They may order a credit card or check blanks from the account. Or they may find additional details about the victim so that they can take over more of their accounts or apply for loans in their names.
How Does Account Takeover Affect Customers?
Account takeover can cost customers a lot of money, but it also takes a lot of time to clean up. It can take years for a consumer to fully recover from the effects of an account takeover. They need to spend a significant amount of time contacting banks, requesting refunds, and signing fraud affidavits. They need to contact credit bureaus so that their credit report doesn’t reflect charged-off accounts, debts, or other issues related to the account takeover.
Typically, they will also need to freeze their credit, which helps to stop thieves from future attacks but also compromises the customer’s ability to use credit easily. This is draining for consumers.
What does the customer do with all this frustration? What do they think about when they’re waiting on hold to talk with credit repair specialists? Who do they blame when they lose seamless access to their ability to take out new cards because there’s a freeze on their credit? It’s simple — they blame the financial institution that allowed the account takeover to happen.
It doesn’t matter how much of a role the customer played in the account takeover. They will blame the bank.
Preventing Account Takeover Without Creating Customer Friction
To prevent account takeover, banks can put in strict safeguards. They can require customers to call the bank to verify the changes when they update their address or phone number. Banks can prevent customers from accessing their online accounts if the request comes from a strange IP address or an unusual device. They can make customers visit the branch or verify their identities through confusing questions when they forget their passwords.
All of these strategies can help to prevent account takeover, but they create another problem. They introduce friction into the customer experience. Customers change their addresses and phone numbers. They use new or borrowed devices to sign into their accounts. They access online banking from different IP addresses when traveling or on the go. They forget their passwords on a regular basis.
If you have a rule-based system that puts too much emphasis on these elements, you will damage the customer experience. Customers expect the ability to be able to make simple legitimate changes to their online account profile without a lot of friction. If you don’t offer a seamless banking experience, they will go somewhere else to find one.
What Can Financial Institutions Do to Prevent Account Takeover?
So what do you do? How can you minimize the threat of account takeover without compromising the customer experience? You need to take a holistic look at the things happening on your customers’ online accounts.
Rather than preventing basic updates, you should look for patterns of fraud. When possible, you should also leverage outside data sources to look for issues with the information being updated.
For instance, if your customer updates the phone number on their account, you need to find out if their phone number has been updated at other institutions. You also need to check if the new number has been associated with account takeovers or other types of fraud. Ideally, your system should be able to note issues such as the same phone number or address being added to multiple accounts within a short time.
Your anti-fraud system should also look for patterns of account takeover. If someone signs into their bank account from their mobile device using their usual IP address and then updates their email address, they have likely made the change themselves. In contrast, if someone logins in from a new device at a different IP address and then changes the email address to one that has been linked to crime on the dark web, they are almost certainly a criminal.
Get Help From SQB Banking Systems
The way that criminals commit fraud is complex, and you need tools and solutions that can help you monitor all of the ways that they infiltrate your bank. To learn more about how to protect your bank and your customers from account takeover and other types of fraud, contact us at SQN Banking Systems today.