Account takeover fraud has shifted from being a rare, headline-making event to a pervasive threat that everyone should be aware of.

What is particularly concerning is that accounts at banks or fintech companies are especially valuable to fraudsters because these accounts store and move money—the ultimate goal of any fraud operation.

In the United States alone, statistics indicate that 22% of the population has been affected by account takeover attacks, leading to approximately $13 billion in losses in 2023.

To put this into perspective, the FBI reported 1,401 incidents of larceny/theft per 100,000 people in 2022, translating to about 1.4%. This means that you are over 15 times more likely to have your account hacked than to be a victim of theft.

Frustratingly, this surge in account takeovers comes at a time when security measures have significantly improved. Weak passwords are being replaced by generated passkeys, and one-time-passwords (OTPs) are now a standard feature in almost every app. Despite these advancements, fraudsters continue to find ways to outsmart others, finding new ways to bypass defenses. Beyond the financial impact, account takeovers can lead to customer churn and reputational damage, as consumers expect companies to protect their accounts and often hold them accountable when they fail to do so.

Looking at the broader picture, it is evident that many companies focus on protecting their users primarily at the access level. However, fraud continues because this approach can fall short without a robust backstop or safety net.

In this article, we will explore how account takeover fraud occurs and how you can leverage your transaction monitoring system to protect your customers more effectively.

Many fraud issues persist because criminals are adept at identifying the weak points in a company's defenses. Technically speaking, logins and user authentication are often managed by a cybersecurity layer that includes bot prevention and is separate from the payments or other user action systems.

However, if this initial protection layer approves a user, and the signals are not shared with the transaction monitoring system, the attacker can exploit the "trust" gained from a successful login to commit fraud.

The rise in account takeovers is largely because fraudsters have identified the end user as the weakest link. Relying on OTPs for two-factor authentication (2FA) has led to an increase in schemes that trick customers into revealing these codes.

Here are some notable examples of fraudsters' tactics:

1. You’ve implemented OTPs for sensitive actions like logins.

2. The fraudster obtains your user's credentials and encounters the OTP challenge during login.

3. The attacker uses an OTP bot to call the victim with a social engineering script to extract the OTP code.

4. The bot forwards the OTP to the fraudster, who then gains access to the user’s account.

Depending on the bot's sophistication, these can cost a fraudster between $140 and $420 per week.

This method follows a similar process, but instead of a bot, a scammer directly engages in social engineering. They often impersonate someone from the victim’s bank or the organization where the account takeover is happening.

While this might seem less sophisticated than using bots, these attacks are often executed by specialized call centers with operators trained in social engineering, complete with scripts and incentives for top performers, much like boiler room operations.

In fact, the 2024 LexisNexis cybercrime report noted that nearly three in ten cyber fraud incidents involved the account login stage, with such attacks up 18% year-over-year, underscoring account takeover as a leading fraud threat, particularly for neobanks.

Phishing kits are tools used by cybercriminals to create fake landing pages that mimic legitimate companies, enabling large-scale business impersonation. They gained popularity around the time 2FA became widespread because they are effective at social engineering.

Criminals often use them to harvest login or payment details, but they can also be specifically tailored to steal OTPs by pretending to be your OTP page.

Krebs on Security reported in 2021 about a phishing kit that stole cryptocurrencies from over 6,000 Coinbase customers, and such attacks have only become more sophisticated since then.

SMS-based 2FA systems have revived a niche fraud known as SMS toll fraud, now called SMS pumping. Here is how it typically unfolds:

1. The fraudster obtains a premium-rate phone number for SMS.

2. They use that number to sign up for various accounts and enable it for 2FA.

3. They spam the service, causing it to send multiple OTPs to the premium-rate number.

Here, the security flaws in OTP verification methods themselves become a risk, as the system can be exploited for financial gain.

While 2FA is effective against basic account takeover methods like credential stuffing, it falls short against more determined attackers.

This is where your transaction monitoring system becomes crucial—it acts as a hedge. While your login security might block 99% of attackers, transaction monitoring needs to be vigilant to prevent that remaining 1% from causing damage.

In essence, transaction monitoring serves as your failsafe.

The effectiveness of transaction monitoring increases with the amount of data available. It doesn’t just rely on signals collected during onboarding or transactions; you can also proactively ask your users for information to help protect their accounts. For example, Monzo allows users to set up trusted locations where transactions over a certain limit must be blocked or verified by someone the user trusts.

Practically speaking, transaction monitoring is most effective when it can respond to real-world scenarios:

It is crucial to look beyond whether a customer passes OTP during login. Proactive fraud prevention examines the entire user journey leading up to a transaction:

Account takeovers will often deviate from normal patterns, and best practices involve a "trust, but verify" approach. The more a user's actions deviate from the norm, the more verification should be required, with outliers being declined altogether.

Fraudsters often use proxies and emulators to mask their activities, but it is unlikely they will perfectly replicate the account holder’s device details—unless the device has been compromised or stolen. Scrutinize these details closely and adjust risk scores for any discrepancies that might indicate an account takeover.

With the rise of phishing kits, OTP bots, and other sophisticated tools, you are more likely to face organized criminals rather than lone attackers. These criminals have their own behavior patterns and aim to scale their attacks quickly.

Your transaction monitoring system must support your analysts with real-time adaptability, allowing new rules and data sources to be integrated swiftly to counter these evolving threats. It should make decisions in real-time, not just through batch processing.

On Taktile, for example, our Data Marketplace offers a wide range of providers that allow you to customize risk scores and make real-time decisions to prevent account takeover fraud.

When targeted by criminal gangs, certain signs and behaviors—reflective of their modus operandi—will emerge. By analyzing known account takeover cases, you can use machine learning to identify patterns that can be translated into rules to swiftly decline transactions initiated by these criminals.

Pay attention to everything, as criminal patterns often reveal themselves in their choice of proxies, devices, or even attack timing.

Many organizations hesitate to enforce strict transaction rules out of fear of inconveniencing users. However, if suspicious activity is detected—even low-risk activities not involving monetary transactions—it is best practice to alert the user and confirm their consent.

As long as these alerts are reasonable, customers generally appreciate the extra security measures and prefer them over having their account compromised.

Two-factor authentication is now a standard practice for financial companies, but unfortunately, criminals have discovered ways to circumvent it. Relying heavily on SMS-based OTPs is outdated. With the increasing threat of account takeover attacks worldwide, market leaders are stepping up their proactive security measures. To do this effectively, companies must leverage every tool available, especially transaction monitoring systems, to combat cyberattacks in all their forms.

The most effective solution is a real-time decision-making system that integrates various data sources and risk-scoring solutions, allowing for a customized approach based on comprehensive signals tailored to the user journey.

Taktile’s next-generation decisioning platform is already empowering teams worldwide to defend against fraud threats, including complex and rapidly evolving ones like account takeovers.