Bank accounts are probably the most important accounts in your life. Fraudsters know it, which is why they’d do anything to access them.
Let’s see how you can stop bank account fraud from damaging your business – and customers.
What Is Bank Account Fraud?
Bank account fraud is a broad term that encompasses any kind of fraudulent interaction with a bank account. It includes stealing someone’s bank account, opening a bank account with a stolen identity or getting someone to transfer money against their will.
While fraudsters have always targeted bank accounts as the quickest way to access money, the rates of attack have boomed following the COVID-19 pandemic. The rapid digitization of our lives (and ensuing confusion) saw more than £745M ($986M) stolen from banking customers in the first half of 2021 in the UK alone.
It’s worth noting that while the vast majority of bank fraud during the period was online (93% according to the Financial Crime Report Q2 2021 Edition), telephone fraud made a dramatic leap from 1% to 7% of all fraud attempts. This is also classified as bank account fraud if a direct transfer, or wire transfer, is involved.
The Most Popular Types of Bank Account Fraud
Let’s break down the most common types of bank account fraud in order of frequency, plus tips on how to prevent them.
Bank Account Takeover
Bank account takeover fraud, or ATO as it is known, makes up 42% of all bank fraud according to the aforementioned Financial Crime Report. It happens when someone accesses a bank account without authorization.
Consumers may refer to ATOs as account hacking, but the end results are the same: Someone gains access to the account and mines it for personal information, transfers money to their own account, or gradually drains it of its funds.
Because bank transfers aren’t reversible, unlike card payments, it is extremely challenging to fix the damages caused by ATO fraudsters.
As with all kinds of ATO attacks, bank account ATO happens due to:
- Phishing: Fraudsters create mass email or SMS campaigns that redirect users to a fake bank login page. Users enter their login details there and the fraudsters capture them. Alternatively, fraudsters convince users to send them their login credentials directly.
- Social engineering: The ever-popular method of getting information directly from users or from the bank. Customer support is increasingly targeted by fraudsters who exploit banks’ desire to improve customer satisfaction.
- Bought credentials: It is rare for fraudsters to find valid bank account details on the darknet (the original thieves use them first), but the login details can still be used for a variety of nefarious purposes.
- Cybersecurity vulnerability: Fraud and cybercrime often intersect when it comes to bank account ATOs. Sophisticated criminals will look for unpatched security flaws such as cross-site scripting (XSS) or server-side request forgery (SSRF).
- Credential stuffing: Fraudsters use dedicated software (bots) to automatically test passwords and login combinations until they can enter the account. This is often performed using lists of passwords found on the darknet but it can also be tried at random, via what is called brute force.
Note that all of the above can be combined to improve the chances of success. Since many banks now add 2FA checks, fraudsters will also rely on SIM jacking to take control of someone’s phone number and receive passwords via SMS.
How to Prevent Bank Account Takeover
After improving your website security and educating customers on the value of their accounts, the next best thing is to set up detection systems. For instance, using a combination of velocity rules, device fingerprinting and IP lookup tools, you could receive fraud alerts whenever:
- A user enters the wrong password multiple times in a row
- The location seems suspiciously far from the user’s home address
- A user logs in from a completely new device
- The connection appears to be made via a VPN, proxy, or Tor connection
- The device configuration is emulated by software
- The timezone or language settings of the session don’t match those of your user
You can read more about how device fingerprinting and IP fraud scores can help in these situations.
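The alert conditions listed above can be expressed as rules over a stream of login events. The following is an added example, not SEON's code or API: the field names, the thresholds, the `ip_type` labels and the sample events are all assumptions, and distance from the home address is simplified to a country comparison.

```python
from collections import deque
from datetime import datetime, timedelta

FAILED_LIMIT = 3                        # assumed threshold for the velocity rule
FAILED_WINDOW = timedelta(minutes=10)   # assumed look-back window
ANONYMIZERS = {"vpn", "proxy", "tor"}   # labels an IP lookup tool is assumed to return

def login_alerts(profile, events):
    """Return {event index: [rule names]} for one account's login events."""
    failures, alerts = deque(), {}
    for i, ev in enumerate(events):
        ts = datetime.fromisoformat(ev["ts"])
        if not ev["ok"]:
            failures.append(ts)
        while failures and ts - failures[0] > FAILED_WINDOW:
            failures.popleft()          # forget failures outside the window
        hits = []
        if len(failures) >= FAILED_LIMIT:
            hits.append("repeated_wrong_password")
        if ev["country"] != profile["country"]:
            hits.append("unusual_location")
        if ev["device_id"] not in profile["devices"]:
            hits.append("new_device")
        if ev["ip_type"] in ANONYMIZERS:
            hits.append("anonymized_connection")
        if ev["emulated"]:
            hits.append("emulated_device")
        if (ev["timezone"], ev["language"]) != (profile["timezone"], profile["language"]):
            hits.append("locale_mismatch")
        if ev["ok"]:
            failures.clear()            # a success ends the run of wrong passwords
        if hits:
            alerts[i] = hits
    return alerts

# Constructed sample data: one known-good login, then a burst from an unknown setup.
PROFILE = {"devices": {"dev-a1"}, "country": "GB",
           "timezone": "Europe/London", "language": "en-GB"}
HOME = {"device_id": "dev-a1", "country": "GB", "ip_type": "residential",
        "emulated": False, "timezone": "Europe/London", "language": "en-GB"}
ODD = {"device_id": "dev-x9", "country": "NL", "ip_type": "tor",
       "emulated": True, "timezone": "UTC", "language": "en-US"}
EVENTS = [{"ts": "2024-05-01T09:00:00", "ok": True, **HOME},
          {"ts": "2024-05-01T14:00:00", "ok": False, **ODD},
          {"ts": "2024-05-01T14:01:00", "ok": False, **ODD},
          {"ts": "2024-05-01T14:02:00", "ok": False, **ODD},
          {"ts": "2024-05-01T14:03:00", "ok": True, **ODD}]

if __name__ == "__main__":
    for idx, rules in login_alerts(PROFILE, EVENTS).items():
        print(EVENTS[idx]["ts"], "ok" if EVENTS[idx]["ok"] else "fail", rules)
```

The last event is the one worth an analyst's attention: a successful login that directly follows a run of failures from the same unfamiliar configuration.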
New Account Fraud
A growing trend accounting for 23% of all bank account fraud: fraudsters opening new bank accounts. How do they do it? A combination of synthetic identity, user impersonation and configuration spoofing.
Fraudulent account opening is particularly pervasive with neobanks and challenger banks. These companies often sacrifice security for the sake of offering a frictionless onboarding experience. Fraudsters exploit that frictionless experience by:
- Combining real data with stolen data (synthetic identities)
- Using technology to bypass KYC and IDV checks (deepfakes, photoshopped documents)
- Spoofing their online configuration to make it appear as if they’re connecting from the right location.
How to Prevent New Account Fraud
As with ATOs, a lot of the responsibility to stop and detect new account fraud falls on the banks themselves. If their KYC or AML systems aren’t good enough to flag fake identities, they must think outside the box:
- Look at alternative data: Don’t just look at ID documents, but the user’s digital footprint, such as social signals, device configuration, and connection type.
- Real-time transaction monitoring: This is a key feature of anti-money laundering, which can also help flag fraudsters as soon as they start depositing money into, or withdrawing it from, their freshly created accounts.
- Behavior tracking: In the fraud prevention world, this is done via velocity rules. These rules look at data over time, which can answer questions such as: How quickly did that user go through the KYC process? Are they gradually increasing their loans with the intent of defaulting? Are they sending multiple regular payments that could point to money laundering?
- Machine learning systems: ML has the advantage of being able to analyze massive amounts of data and suggest risk rules based on identifiable patterns. It can be a great help for neobank risk managers who struggle to find behavioral links between fraudsters.
Money Mules
Money mules are accomplices to fraudsters. They open bank accounts under their own names with their real ID documents. This makes them impossible to flag as fraudsters, as they pass all the KYC and AML checks.
However, something more sinister happens in the long run, as they work with fraudsters to receive and transfer money – usually obtained through illicit means.
Of course, the intentions of the fraudsters who hire these money mules are never honorable. They use them to launder money, receive money from scams, and support all kinds of other illegal activities.
How to Prevent Money Mule Fraud
As money mules fall under the umbrella of new account opening fraud, the prevention strategies are the same. However, banks should put an extra emphasis on:
- Machine learning to extract patterns of fraud that may otherwise be lost to risk managers.
- Behavior analysis through velocity rules and checks to understand how money mules operate on your platform.
- Social network analysis or graph visualization, as these techniques can help you spot connections between accounts, which could point toward organized mule rings.
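The graph analysis in the last item can be as simple as linking accounts that share an attribute value and reporting the connected groups. The following is an added example, not SEON's code: the attribute names (`device`, `payout_to`), the minimum ring size and the sample accounts are assumptions.

```python
from collections import defaultdict

def find_rings(accounts, min_size=3):
    """Group accounts connected through any shared attribute value (union-find)."""
    parent = {acct: acct for acct in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    # Index every (attribute, value) pair to the accounts that carry it.
    owners = defaultdict(list)
    for acct, attrs in accounts.items():
        for key, value in attrs.items():
            owners[(key, value)].append(acct)

    # Accounts sharing a value are merged into one component.
    for members in owners.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    groups = defaultdict(set)
    for acct in accounts:
        groups[find(acct)].add(acct)

    rings = []
    for members in groups.values():
        if len(members) >= min_size:
            links = sorted(k for k, m in owners.items()
                           if len(m) > 1 and m[0] in members)
            rings.append({"accounts": sorted(members), "links": links})
    return rings

# Constructed sample: each account passes KYC on its own, but some share
# a device fingerprint or forward funds to the same payee.
ACCOUNTS = {
    "acct-01": {"device": "fp-77", "payout_to": "payee-X"},
    "acct-02": {"device": "fp-77", "payout_to": "payee-Y"},
    "acct-03": {"device": "fp-12", "payout_to": "payee-Y"},
    "acct-04": {"device": "fp-30", "payout_to": "payee-Z"},
    "acct-05": {"device": "fp-31", "payout_to": "payee-Q"},
    "acct-06": {"device": "fp-31", "payout_to": "payee-R"},
}

if __name__ == "__main__":
    for ring in find_rings(ACCOUNTS):
        print(ring["accounts"], "linked by", ring["links"])
```

`acct-01` and `acct-03` share nothing directly; they end up in the same ring only through `acct-02`, which is the kind of indirect connection a per-account check cannot see.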
Bank Transfer or Wire Transfer Scams
Bank transfer scams have skyrocketed so much that some countries consider them a national security risk. In the US, that number reached $439M in 2019, at the height of the COVID-19 pandemic.
The techniques designed to push users into transferring money to someone else’s account aren’t always that sophisticated.
Fraudsters send worrying messages that make you want to act fast, ask for a fee for an urgent service, or pretend to be a friend or relative. Delivery services have also proved to be a goldmine for SMS scams.
A key issue is that once the money leaves your customer’s accounts, it’s virtually impossible for you to get it back. In fact, in recent years, a number of third-party services claim to be able to help you recover lost funds. Some of these services may be scams themselves.
How to Prevent Bank Transfer Scams
Unfortunately, this is another one of these situations where banks themselves have little control. However, most of them now show messages when adding a new payee or initiating a large transfer. You can also enable transaction monitoring in banking to keep track of unusually large payments.
Bank Impersonation Scam
Bank impersonation scams happen when fraudsters pretend to be banks. The goal is always to phish for personal information, especially bank login details, which is why it falls under bank account fraud.
This is a serious risk – not just in terms of security, but it may also damage your business reputation and reduce consumer confidence. You can also add loss of money, intellectual property, and disruption of operational activities to that list.
And it’s getting easier than ever for fraudsters to imitate a corporate entity. They might find fully-deployable phishing kits online, or simply hire a fraudster in the growing Fraud-as-a-Service niche.
How to Prevent Bank Impersonation Scams
Here again, prevention is better than the cure. You should:
- Communicate regularly about the kind of information you will and will not ask your customers for
- Allow multi-factor authentication as much as possible
- Set up anti-phishing codes
The latter is increasingly popular with online businesses. Put simply, it allows customers to create their own code, which will show up in regular channels such as SMS or emails. If the code isn’t there, they should treat the message as suspicious.
How SEON Does Bank Account Fraud Detection
SEON is designed to let you validate and authenticate users faster, with 0 added friction. This works to augment your KYC and AML checks, protect customer accounts, or pre-filter users to save on costs.
Our modular, API-based fraud detection system allows you to:
- Enrich data from user devices, IPs, email addresses and phone numbers
- Protect your customer accounts with better dynamic friction security
- Know your users – even in unbanked markets
- Make AML and KYC affordable and painless
Best of all, we offer a completely transparent pricing model, with a cancel-anytime contract and a free 30-day trial.
Bank Account Fraud FAQs
Make sure you have a strong password and login security in place. Be extra vigilant with unusual messages via SMS or email. Double-check every payment to an unknown source. If possible, enable a security phrase that your bank will include in every communication.
Fraudsters use social engineering and phishing techniques to get you to give them your bank account login details. They often create fake websites and communication that looks official. They are designed to capture your login details for an account takeover.
Sadly, there is very little you can do to get your money back after a wire fraud scam. While you should immediately contact your bank, it may be powerless to refund you, unlike with a fraudulent card payment.
First, make sure to create a claim with your bank. You can also contact the local authorities and victim support websites to create a paper trail of your claim, usually with a crime reference number.