It’s no secret to financial institutions that fraud is on the rise.
Seventy percent of financial institutions reported losses of over $500,000 to fraud in 2022, according to Alloy’s State of Fraud Benchmark Report.

While fraudsters sometimes request direct payments from their victims, one of the most common — and most dangerous — methods for stealing users’ cash or data is an account takeover (ATO), according to the report.
An ATO is a form of identity theft that occurs when a cybercriminal gains access to a user’s login information and then uses it to acquire funds or sensitive information.
With generative artificial intelligence convincingly mimicking human interaction and even individual voices, cybersecurity experts in the banking industry are closely monitoring the use of AI among cybercriminals.
“The cyber landscape continues to evolve,” Amanda Sorensen, senior vice president of Bank of America’s Business Information Security Office, told Bank Automation News. “There have been headlines lately on generative AI and what that may mean for cybercriminals, as well as cyber security teams, and I think it will be interesting to see how that develops.”
With this threat looming, former cybercriminal Alexander Hall told BAN about the most common forms account takeover attacks can take.
Hall said he spent almost 10 years committing fraud before giving up his criminal activities to become a cybersecurity consultant. His company, Dispute Defense Consulting, has worked with major AI-based anti-fraud fintechs including Sift and nSure.ai.
Hall notes five basic methods of ATO fraud that banks should watch for:
1. Linear approach
In this approach, a fraudster acquires a user’s login information and uses it to infiltrate the account. It is the simplest method, according to Hall.
Fraudsters can obtain this information in several ways, Hall said. These can range from purchasing stolen login information to putting out calls for stolen information with a promise of payment for every piece of account information received.
2. Knowledge-based verification questions
A more sophisticated method is to use social engineering to bypass customer-facing protections, according to Hall.
This method involves using information acquired illegally to answer knowledge-based verification (KBV) questions that give the fraudster access to the account.
“I was able to reset the login information and update the information on the account of one of my old accounts … that was dormant for a long time with relatively no information,” Hall said, adding that all he had needed was his date of birth and Social Security number.
Using a few key pieces of information, fraudsters can reset email addresses and passwords to give themselves access to an account, Hall said.
3. OTP scams
Fraudsters who are advanced enough can take over accounts by using social engineering to convince a user to share their one-time password (OTP), he said.
OTPs have become increasingly common as a method of two-factor authentication to provide extra security for user accounts, but they are not 100% secure, according to engineering firm Thales.
If fraudsters can convince users to share their OTPs, they can gain the ability to control an account from afar, such as through a remote desktop, according to Hall.
Citi counts OTPs among other sensitive pieces of information such as credit card details and advises customers never to share them over the phone or via email, according to one of the bank’s anti-fraud help pages.
4. Call-in scams
Fraudsters who are willing to impersonate victims or their confidantes can use customer support helplines to gain access to users’ accounts, Hall said.
This type of ATO often sees a fraudster calling in to a helpline, adding an authorized user to an account and then using that authorized user to access the account.
Fraud involving vocal impersonations has been on the rise recently, as criminals embrace deepfakes, or digitally altered media meant to imitate a personal identity. A May 30 report by verification platform Sumsub found that deepfakes made up 2.6% of all fraud in the U.S. last quarter, an increase of 1,300% over the 2022 average.
5. Third-party account takeover
The most sophisticated fraudsters can use fraudulent third-party fintech accounts to drain funds from legitimate accounts at established financial institutions, Hall said.
Payment platforms like Venmo and PayPal often use microtransactions to verify links between accounts on the platform and bank accounts at financial institutions. These deposits or withdrawals of just a few cents must be reported correctly to the platform by a user to ensure that the user has access to the bank account they are attempting to link.
However, if fraudsters can gain access to a victim’s transaction history through one of the previous methods, they can pass off their fraudulent third-party accounts as legitimate and use them to steal a victim’s balance, according to Hall.
Responding proactively
These five methods are rarely used alone.
By combining various forms of these attacks, fraudsters can come up with hundreds of unique methods for committing ATO fraud, Hall said.
To mount an adequate response, banks need to move away from the mindset that they should only devote their attention to a specific type of attack once it costs them “considerable losses,” he said.
“We need to proactively implement datasets and technology that apply across all of the touchpoints, where a fraudster might approach or might attack,” Hall said. “Going from zero to one is much more important than sitting at zero, waiting until the losses reach millions and finally attempting to plug that hole.”
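As an added illustration of monitoring across touchpoints (example code written for this page, not from Hall, Alloy or any vendor named above), the sketch below flags a third-party account link that is verified shortly after a credential reset, authorized-user addition or similar event on the same bank account. The event type names, the 72-hour window and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Hypothetical event types, one per touchpoint the article describes.
PRECURSORS = {"kbv_reset", "authorized_user_added",
              "otp_remote_session", "new_device_login"}
LINK_EVENT = "microdeposit_link_verified"
WINDOW = timedelta(hours=72)  # assumed look-back window; tune per institution


def flag_chained_links(events):
    """Return one alert per third-party link verification that follows
    precursor activity on the same account within WINDOW."""
    alerts = []
    recent = {}  # account -> list of (timestamp, type) precursor events
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, ts, kind = ev["account"], ev["ts"], ev["type"]
        if kind in PRECURSORS:
            recent.setdefault(acct, []).append((ts, kind))
        elif kind == LINK_EVENT:
            # Keep only precursors that are still inside the window.
            hits = [(t, k) for t, k in recent.get(acct, []) if ts - t <= WINDOW]
            recent[acct] = hits
            if hits:
                first = hits[0][0]
                alerts.append({
                    "account": acct,
                    "linked_at": ts,
                    "precursors": sorted({k for _, k in hits}),
                    "minutes_since_first": int((ts - first).total_seconds() // 60),
                })
    return alerts


def _t(text):
    return datetime.fromisoformat(text)


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {"account": "A-100", "ts": _t("2023-06-01T09:00:00"), "type": "kbv_reset"},
    {"account": "A-100", "ts": _t("2023-06-01T09:20:00"), "type": "authorized_user_added"},
    {"account": "A-100", "ts": _t("2023-06-02T10:00:00"), "type": LINK_EVENT},
    {"account": "B-200", "ts": _t("2023-06-01T12:00:00"), "type": LINK_EVENT},
    {"account": "C-300", "ts": _t("2023-05-20T08:00:00"), "type": "kbv_reset"},
    {"account": "C-300", "ts": _t("2023-06-01T08:00:00"), "type": LINK_EVENT},
]

if __name__ == "__main__":
    for alert in flag_chained_links(SAMPLE_EVENTS):
        print(alert)
```

Only account A-100 is flagged: B-200 links with no precursor activity, and the reset on C-300 is older than the window.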




