There is clear evidence that account takeover (ATO) is a big problem and growing worse. The Federal Reserve Bank of Atlanta sounded the alarm in a report delivered last year, estimating 69% growth in account takeover fraud and $69 billion in losses from 2011 to 2012.
Sector-wide investments in stronger authentication and fraud monitoring tools to satisfy 2011 FFIEC compliance requirements have not been enough to reverse the trend. Last year, Julie Conroy of Aite Group noted, “We’re not decreasing account takeover at all. New malware strains are being deployed every day.”
Still, many community banks and credit unions simply do not see themselves or their customers as attractive targets for fraudsters. It’s easy to think “we’re too small to be a target” and bump account takeover to the bottom of the problem list. Institutions make that decision just about every time they see new reports of ATO fraud in the news, yet few actually have enough information on account takeover attacks to assess the risk accurately and know whether that decision is truly in their best interest. It’s like betting the house in Vegas without knowing the odds.
So are community financial institutions being targeted?
Absolutely. They are being actively targeted by cybercriminals. We detect and stop account takeover attacks targeting the customers of banks and credit unions every day. And that activity covers only the institutions that are our clients; there are thousands of other institutions that are not our clients and for which we aren’t proactively detecting, analyzing, and stopping attacks.
Cybercriminals continue to broaden their efforts and are finding that community financial institutions are attractive targets. Why? For several reasons:
- They aren’t battle tested like the bigger institutions. Attacks are more likely to go unnoticed for longer periods of time. When they are detected, the response isn’t as fast or effective.
- They don’t tend to have the resources or the willingness to do much more than the authentication and fraud monitoring required by the FFIEC, which are trivial for cybercriminals to bypass.
- Their customers pay more attention to and have more trust in their communications. The skepticism, or “human shield,” that helps reduce the number of victims of phishing, vishing, and other ATO attack vectors is lower among customers of community institutions.
- Community banks and credit unions are built on having better customer service. Friendlier staff, fewer hoops to jump through, more trust between employees and customers. While great for business, that trust is readily exploited by fraudsters.
Ramifications of ATO for community financial institutions
These factors also contribute to ATO attacks having a much greater impact on community financial institutions. A single attack can lead to tens of thousands of dollars in direct fraud losses. In a vishing attack earlier this year, the targeted institution incurred direct fraud losses of more than $70,000.
The impact on customer trust can be even more severe. Again, community banks and credit unions build their business around trust and great service. Account takeover attacks erode that trust, putting cracks in one of the core reasons customers choose to work with community institutions.
Account takeover attacks are also disruptive. When an attack is discovered, other projects are dropped to put out the fire and recover. Since account takeover attacks operate outside the institution’s environment, with cybercriminals attacking customers directly, mitigating the threat and doing the necessary post-mortem activities can take days or weeks. Even with a good response plan in place, an attack is going to pull in resources that would otherwise be working on other initiatives.
For community financial institutions, the question to ask is no longer “will the institution and its customers be targeted for account takeover?” The answer to that question is yes. The question is now “what should be done to further reduce the risk?” Read the “Combating Account Takeover” white paper to learn about new strategies being used to protect institutions and their customers.