Our bank clients use impressive fintech solutions to identify fraud attempts when money is changing hands. They also understand the importance of scrutinizing non-monetary transactions, like customer profile changes, to prevent account takeover fraud (ATO).
ATO is happening in real time
Years ago, when the predominant ATO scheme was an address change followed by a card request, banks had several days to discover the fraud, prevent losses, and preserve customer trust. Those days are gone.
Today, criminals have multiple real-time pathways in which to set up and achieve ATO. To protect the institution and its customers, high-performing banks use real-time methods to scrutinize every profile change. This includes changes to email addresses, physical addresses, and phone numbers.
What real-time profile screening reveals
Much like they did with address changes, criminals change phone numbers and email addresses to intercept the bank’s communication to its legitimate customer. By taking over the communication channel, they can effectively carry out the ATO.
To prevent bogus profile changes, effective real-time solutions validate and verify credentials, identify out-of-pattern activity, and return a risk score. This real-time screening catches suspicious activity like:
- A 1,500-mile move to a mail-forwarding facility in a high-crime area
- A phone number change from a big wireless carrier to a pre-paid line (i.e., burner phone) with an area code hundreds of miles away from the mailing address on file
- An email change to a server domain located in Belarus
Taken on their own, these events might be viewed as odd but harmless. However, when compared to past patterns of customer behavior, the new profile change could reveal something more sinister. Looking at profile changes in conjunction with other data enhances the ability to uncover ATO attempts.
Not just for compliance anymore
There are clear FACT Act Red Flag compliance requirements that govern address changes. Yet the rules are less clear as to how banks should screen phone number and email changes. Now that customers (and criminals) use online and mobile banking, fraud has evolved to the point where a cash-out doesn’t necessarily require a physical address change. That’s why banks should apply the same rigor to screening phone and email changes as they do to scrutinizing address changes.
Part of a layered approach
No single fraud detection system is a silver bullet for keeping criminals out of the banking system, and that’s why ATO is rising. In a recent Aite Group survey, 43 percent of respondents reported that ATO fraud attempts for DDAs were up over the past year; 41 percent said they experienced higher losses in DDAs because of ATO.
To maintain some semblance of control as ATO fraud schemes evolve, banks need a layered fraud-fighting approach that uses real-time data and technology at multiple monetary and non-monetary access points.
Fine-tuning this layered approach will require analysis to determine which combination of provider solutions and operational procedures most effectively combat ATO while achieving the greatest ROI. Getting it right means that banks and their customers win, and the fraudsters lose.