Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

3 Classes of Account Fraud That Can Cost Your Company Big Time

Understanding each one can go a long way toward demystifying the topic as a whole — and combatting the threat.

Joshua Goldfarb, Field CISO

March 22, 2021

4 Min Read
(Image: accounttakeover via Adobe Stock)

Last month I wrote about the surge in unemployment fraud (thank you, COVID-19). What you may not realize is that unemployment fraud is an example of a type of fraud known as account opening fraud.

Account opening fraud is one of essentially three high-level classes of fraud; the other two are account takeover fraud and payment fraud. While not every type of fraud fits into these three types, understanding each one can go a long way toward demystifying the topic as a whole — and combatting the threat. 

Account Takeover (ATO) Fraud
As you might expect, ATO fraud occurs when a fraudster takes control of a legitimate account that belongs to someone else. While there are many ways this can happen, here are a few of the more common ones:

  • Credential theft through phishing and phishing sites

  • Credential theft through malicious code (e.g., keylogging malware)

  • Session hijacking or man-in-the-browser malware

The volume of stolen credentials and the rate at which they are stolen make it impractical, if not impossible, to keep up with which accounts have been compromised. A far more practical approach is to look for signs of account takeover. A few notable ones are:

  • Anomalous activity in the user journey (e.g., visiting unusual pages or pages rarely, if ever, visited in prior sessions)

  • Anomalous behavior in the session (e.g., excessive cutting and pasting, erratic mouse movements, click speed)

  • Anomalous environmental factors (e.g., connecting from a new or unknown device, mismatched ASN and time zone, strange language or user agent settings)

Of course, enterprises must have both mature controls and a robust fraud-monitoring capability to see these signs requires, neither of which is a given. Both capabilities require strategic planning, diligent implementation, and continued focus. Further, detecting ATO is one thing – doing so reliably enough to confidently block or deny fraudulent transactions is another thing entirely.

When thinking of ATO, our minds may go to bank accounts or other financial accounts. But it's important to note that really any online account can be taken over. Frequent traveler accounts are one example. As a result, the number of enterprises that need to protect themselves against ATO is larger than one might expect.

Account Opening (AO) Fraud
AO fraud, sometimes called fraudulent applications (FRAP) fraud, involves opening entirely new accounts. Obviously, fraudsters open these accounts in other people's names and with other people's information. They get this information from the Dark Web. Due to the large number of breaches over the past 10 years, a wealth of PII is available to attackers at a very low cost.

With PII in tow, fraudsters then turn their attention to opening new accounts. In some cases, they may directly use the stolen PII of real people. In other cases, they may combine PII from several people to create a new, fake person. However they arrive at a stolen persona, once the fraudsters are able to successfully open a new account, they can begin enjoying its benefits.

Among the most popular account types that fraudsters love to open:

  • Unemployment benefits (filing for and receiving unemployment benefits using someone else's PII or the PII of a fake person created from different people's PII)

  • Credit cards (opening credit card accounts and using those credit cards)

  • Income tax refund (filing taxes using someone else's PII and receiving a tax refund)

As with ATO, detecting and preventing AO requires mature controls and a robust fraud monitoring capability.

Payment Fraud
Payment fraud is the type of fraud most of us are familiar with – when an illegal transaction is made. According to accounting firm Crowe, overall fraud costs the global economy in excess of $5 trillion per year.  Payment fraud is a significant portion of this fraud, likely amounting to hundreds of billions of dollars per year.

A few well-known types of payment fraud include:

  • The transfer of funds from a legitimate (victim) bank account to a fraudulent payee by a fraudster controlling both accounts

  • Social engineering or scamming a legitimate user (victim) into wiring funds or sending cash to a fraudster

  • Theft of payment account information and subsequent use of that information for fraudulent monetary gain

Generally, payment fraud is detected when an enterprise notifies a financial institution of a fraudulent transaction on its account. At that point, the money is long gone, and the enterprise has suffered a loss. Clearly, it is much better for the enterprise to detect and prevent fraud earlier – way before the fraudster executes the transaction. This, of course, goes back to why it's important enterprises have the proper security controls in place.

Conclusion
The merging of security and fraud into one central risk organization is already well underway in our industry. As this happens, security professionals may find themselves confronted by an unfamiliar subject: fraud. With a basic understanding, security professionals can apply similar risk management practices across both domains.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights