Account Take Over – True Fraud or Friendly Fraud?
Part 2 of 2 – Account Take Over Series
This article focuses on ATO defenses against exit strategies. To see how to protect against ATO entries, check out the first article here.
Continuing with Account Take Over (ATO) defenses, this article focuses on protecting the exits. As a reminder, ATOs have been increasing in the financial services industry as companies shift focus to digital. If your credit union doesn’t have the appropriate defenses, profits will sink, customer churn will increase, and your brand will take a beating. So, what can you do to stop true fraud and keep your customers happy? Read on for a game plan!
ATO Anatomy
Account Take Overs need an Entry Point (access) and an Exit Point (monetization). This article addresses what you can do to protect exit points. The first article addressed protecting entry points. Remember that both entry and exit need to be successful, otherwise it’s a waste of the fraudsters time. Wasted time means moving on to easier targets, i.e., not your company! The following graphic simplifies the customer account lifecycle and where entry/exit occurs:
Exit Defenses:
ATOs need to cash out accounts they have gained access to. This is accomplished through:
- General purchases of goods and/or services
- Money services, such as transfers, wires, etc…
Of course, these activities are all quite normal for your customer base. Similar to Entry Defenses, a layered approach to exit defenses will serve the company and the customers well.
Let’s dive into a few best practices for each of the Exit points mentioned above:
First, a note on Data Linkages!
- This is going to be your best defense. Simply knowing if any suspicious activity has occurred for an account in the last 30 days will help stop exits mentioned below. For instance, a change to the accounts email/phone 3 days ago paired with an odd purchase or money transfer is a big red flag.
- New user information can be suspicious, such as new device/IP addresses being used or a new email/phone for account recovery.
- Interactions through a new channel, e.g. use of call center when customer previously only uses the application. Remember that people tend to stick with preferred channels of engagement. Deviations themselves are not necessarily a red flag, but additional behavior that is atypical can be a red flag, such as account changes or attempts to gain other lines of credit.
General purchases of goods and/or services
- Knowing what products/services your customers tend to use helps to identify customer level anomalies. A customer with a revolving line of credit suddenly is trying to transfer funds could warrant a second look.
- Setting dynamic alerts based on customer account metrics can help. If a customer uses a DDA product and is only paying on a mortgage and monthly credit card, a random charge (especially one tied to a distant location!) can be anomalous and warrant a second look. This would be anomalous in the number of payments per month and size of payments (even small payments can be suspicious – many fraudsters test accounts before draining them).
Money services, such as transfers, wires, etc…
- This is the ideal exit for fraudsters. Getting cash out to another bank account not only gets them maximum value, but also helps to launder money, making tracing more difficult.
- Knowing which accounts use money transfer services and which don’t is an easy, dynamic way to alert for suspicious activity. Further, knowing what kind of money transfers (P2P, wire, ACH, etc…) and trends (regular transfers, one time, or inconsistent transfers) helps to establish what is suspicious and what is normal for your customer.
Again, linking all your data will give you an enterprise wide view on suspicious activity. You can spot account entry and exit attempts that individually would normally appear low risk but in aggregate show a more sinister trend. Reach out for more details on how to implement, enhance, and manage your exit defenses. We’ve only scratched the surface!
John Ray