Account Takeover in Forex Trading

Every online account is important. But, in terms of net value, few are as important as forex trading accounts.

Has a fraudster slipped in? That means guaranteed chaos for both your customers and your company. Here’s how to avoid that.

Why Is Account Takeover a Problem for Forex Trading?

Account takeover, or ATO, is what happens when a fraudster takes control of a legitimate customer’s account. In the forex trading world, the consequences can be dire:

  • The fraudster may make unauthorized trades.
  • They may withdraw the account balance to their bank drop account.
  • They can mine the account for personal data.
  • The legitimate account owner loses their balance.
  • Customer trust in the forex platform is eroded.
  • Repeat incidents can result in licensing issues.

The last point is particularly worrying. In the highly competitive world of FX trading, losing an account to “hacking”, as some customers may call it, is the surest way to gain a reputation as an unsafe exchange. 

There are also data-governance issues. If a fraudster steals personal data from one of your accounts, you may have to give answers to compliance or data protection agencies.

As FX trading is under high scrutiny due to AML and KYC regulations for forex, losing an account to fraudsters could land you in hot water, resulting in fines and lawsuits.


How Do You Detect Account Takeover in Forex Trading?

Forex trading account takeovers happen at the login stage. Usually, fraudsters get access to an account by using data found in data breaches, trying their luck with blind guesses or brute-force attacks, leveraging bots, or targeting specific accounts (spear-phishing).

To secure the login stage, you must ensure you monitor any kind of suspicious activity. This may include:

  • a large number of password reset requests
  • an unusually high number of failed login attempts
  • wrong CAPTCHA entered (could point to a bot attack)
  • existing user with a new device and IP address
  • sudden proxy and emulator usage

Here are more examples of suspicious user activity that may point to account takeover fraud:

[Figure: examples of suspicious user activity that may point to an account takeover]

As you can see, many of these examples attempt to monitor your users’ behavior. In the world of fraud prevention, this is done via velocity checks, which are rules designed to look at several actions over a set period. We’ll look at some of these velocity rules in detail below.

Top 3 Custom Rules for Account Takeover in Forex Trading

Educating users about the value of their accounts is the first and often the least costly step. You can also set up defenses by closely monitoring user behavior at the login and trading stages.

Here are three examples of effective rules you could deploy today.

#1: User Failed to Enter the Right Password Multiple Times

Monitoring the login stage is paramount to protecting user accounts. While you should enable CAPTCHA or 2FA to filter out bots and unsophisticated takeover attempts, it’s also important to keep an eye out for failed login attempts.

To that effect, we’ll deploy a custom rule that counts how many times a user failed to enter the right password. 

[Screenshot: Wrong Passwords Entered]

The rule above sends any session with five or more failed password guesses to manual review, but you could also automate the outcome, either by freezing the account or sending a verification email.

[Screenshot: Wrong Passwords Rule]

In the screenshot above, you can also see that the rule added 10 points to the fraud score, which can help you calculate how risky a login is. 

#2: Device Hash Has Never Been Seen Before

A device hash is essentially an ID created from unique device parameters. With hundreds of data points available for device fingerprinting, it’s less common than you might think to see two identical configurations of software and hardware. 

So why would a device hash change suddenly?

Well, of course, your user could be logging in from a new device. Or something more sinister could be at play if a fraudster has logged into your user’s account. This is why we will increase the risk score but only slightly.

Because this isn’t a sure bet that you’re dealing with a fraudster, we’ve set up this rule to add 10 points to our fraud score. 

In an ideal world, you would review any unrecognized device, but this is unrealistic if you are a high-volume exchange. It’s wiser to combine this rule with examinations of other suspicious data, such as a change in IP address, for instance.  

#3: User Is Suddenly Increasing Trading Volume

The following rule is designed to identify suspicious behavior after a successful login. If an account takeover is truly successful, the fraudster is unlikely to behave in the same way as the original customer.

This velocity rule looks at transaction volume over a certain period: 24 hours. We total the previous transactions and look for a sudden increase (+200%).

Here again, this isn’t significant enough to label the trader a fraudster without further consideration. But you have reasonable doubt to ask them for a quick verification via email or, at best, to continue monitoring the account more closely.
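
The three rules above, combined into one scoring function, as an added example (not SEON's code or rule syntax). The event fields, the 10 points for rule #3 and the baseline used for the +200% comparison are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FAILED_LIMIT = 5               # rule #1: five or more wrong passwords per session
WINDOW = timedelta(hours=24)   # rule #3: look-back period
VOLUME_JUMP = 2.0              # rule #3: +200% increase over the baseline
# 10 points for rules #1 and #2 come from the article; rule #3's is assumed.
POINTS = {"wrong_passwords": 10, "new_device_hash": 10, "volume_spike": 10}

def evaluate(events, known_devices, now):
    """Return (score, fired_rules, needs_review) for one account's events."""
    fired = []
    # Rule #1: count failed password entries per session.
    fails = Counter(e["session"] for e in events if e["type"] == "login_failed")
    if any(n >= FAILED_LIMIT for n in fails.values()):
        fired.append("wrong_passwords")
    # Rule #2: a successful login from a device hash not seen on this account.
    if any(e["type"] == "login_ok" and e["device_hash"] not in known_devices
           for e in events):
        fired.append("new_device_hash")
    # Rule #3: last-24h volume against mean daily volume before that window
    # (this baseline definition is an assumption).
    trades = [e for e in events if e["type"] == "trade"]
    recent = sum(e["amount"] for e in trades if now - e["ts"] <= WINDOW)
    older = [e for e in trades if now - e["ts"] > WINDOW]
    if older:
        days = max((now - WINDOW - min(e["ts"] for e in older)) / WINDOW, 1.0)
        baseline = sum(e["amount"] for e in older) / days
        if baseline > 0 and (recent - baseline) / baseline >= VOLUME_JUMP:
            fired.append("volume_spike")
    score = sum(POINTS[r] for r in fired)
    return score, fired, "wrong_passwords" in fired  # rule #1 goes to manual review

def sample_events(now, takeover):
    """Constructed events: five days of 1000-unit trades, then today's activity."""
    ev = [{"type": "trade", "ts": now - timedelta(days=d, hours=2), "amount": 1000}
          for d in range(1, 6)]
    fails, device, amount = (5, "dev-new", 6000) if takeover else (2, "dev-a", 1500)
    ev += [{"type": "login_failed", "ts": now - timedelta(minutes=70), "session": "s9"}
           for _ in range(fails)]
    ev.append({"type": "login_ok", "ts": now - timedelta(hours=1),
               "session": "s9", "device_hash": device})
    ev.append({"type": "trade", "ts": now - timedelta(minutes=30), "amount": amount})
    return ev

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)
    print(evaluate(sample_events(now, True), {"dev-a"}, now))
    print(evaluate(sample_events(now, False), {"dev-a"}, now))
```

A single new-device login on its own scores only 10 here, which matches the article's advice to combine that signal with others before acting.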


How SEON Can Help Your Forex Exchange with Account Takeovers

As a full fraud prevention system, SEON is designed to expose as much user data as possible during the signup, login, deposit, withdrawal and trading stages.

More importantly, that data lets you calculate risk on your FX trading platform wherever you may identify potential red flags.

With complete customization flexibility, you can rely on SEON to automatically freeze accounts of users who exhibit suspicious behavior. You can also dynamically ask for extra verification to reduce friction, and protect your platform and your users' accounts.

Bence Jendruszak

Bence Jendruszák is the Chief Operating Officer and co-founder of SEON. Thanks to his leadership, the company received the biggest Series A in Hungarian history in 2021. Bence is passionate about cybersecurity and its overlap with business success. You can find him leading webinars with industry leaders on topics such as iGaming fraud, identity proofing or machine learning (when he’s not brewing questionable coffee for his colleagues).
