Combatting Fraud in Financial Services
Read time: 5 minutes
Alexander Gardner

Financial organizations protect their customers’ most valuable assets—their finances and their data. Unfortunately, this makes them a tempting target for bad actors who seek to exploit financial institutions and platforms, as well as their customers.
In this short article, we’ll cover some of the most common types of fraud in the financial sector and the capabilities that help organizations address them.
Common types of fraud targeting financial services
Account takeover attacks (ATO)
Account takeover attacks are an extremely prevalent cybersecurity threat in the financial sector due to the value of customer accounts. Bad actors want access to money stored in the accounts or sensitive personally identifiable information such as social security numbers, card details or address information. HUMAN’s Quadrillion report found that almost 99% of traffic to login/payment pages was attempting to break into an account or steal information.
ATOs can be executed in different ways. Credential stuffing is a common technique in which bad actors use automation (typically bots) to rapidly try username and password combinations taken from previous breaches. Cracking or brute-force attacks attempt to break into an account by guessing the password. Other techniques include bypassing security controls such as multi-factor authentication (MFA) via session hijacking, or tricking users into handing over their own login credentials via phishing or social engineering.
Fake accounts
Fake account fraud (aka new account fraud) is when fraudsters create an account to exploit a financial service or platform, for example to apply for a credit card, to act as a ‘money mule’ account, to test stolen credit cards, or to take advantage of introductory offers for new customers. Typically, these accounts are created at scale over long periods to provide a continuous revenue stream for the fraudster. HUMAN identified and flagged more than 218 thousand fake accounts per company created during 2023.
Malicious scripts
Website scripts can be used to exfiltrate sensitive information such as credit card details or other types of personally identifiable information such as name and email address. Forms are a common target for bad actors who want to steal sensitive data, and they use scripts to compromise them. PCI DSS 4 requirements 6.4.3 and 11.6.1 address the need to monitor, justify, and authorize payment page scripts as well as detect any changes to both HTTP headers and scripts. Of course, payment pages may not be the only location on a website where risky scripts can access customer information.
Tackling the challenge
In many organizations, it is common for these different types of fraud to be the remit of multiple disciplines across the security, fraud, and governance risk and compliance (GRC) teams. They also involve multiple touchpoints and interactions across the customer journey, requiring solutions that can solve for each of these different areas. Ideally, organizations would choose a single vendor that can help them address all of these use cases from a centralized platform.
Now, let’s review some of the capabilities needed to address account takeover attacks, fake accounts, and risky scripts:
Protecting the login process
Minimizing account takeover attacks requires a sophisticated solution that can identify the latest techniques bots use to bypass the defenses in place. Solutions need to detect and neutralize the large-scale automated bot attacks used in credential stuffing and cracking, combined with the latest intelligence on compromised credentials, so that fraudsters cannot make use of leaked credentials and the attack surface is reduced.
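The two automated patterns described above (credential stuffing, which spreads a few guesses across many usernames, and cracking, which concentrates many guesses on one account) leave different footprints in authentication logs. The following added example, which is not HUMAN's code, shows the detection logic a login-protection service applies per source IP, and also isolates the accounts that logged in successfully during a flagged run, since those are the credentials that worked and need a forced reset. The log line format, thresholds and sample lines are all constructed for illustration.

```python
"""Detect automated login abuse (credential stuffing vs. password guessing) in auth logs.

Added example, not HUMAN's code: the log format, thresholds and sample lines are
constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log line format: "<ISO time> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in OK from this IP


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    stats = defaultdict(IpStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(ev["user"])
    return stats


def classify(lines, min_attempts=5, min_fail_ratio=0.8, min_distinct_user_ratio=0.8):
    """Return {ip: label} for source IPs whose login behaviour looks automated.

    credential_stuffing: many attempts, mostly failures, spread over many distinct
        usernames (one or two tries each, as when replaying a leaked credential list).
    password_guessing: many attempts, mostly failures, concentrated on few usernames
        (brute force / cracking against specific accounts).
    Thresholds are illustrative; real deployments tune them per endpoint and time window.
    """
    verdicts = {}
    for ip, s in aggregate(lines).items():
        if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
            continue
        if len(s.users) / s.attempts >= min_distinct_user_ratio:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "password_guessing"
    return verdicts


def likely_compromised(lines, **thresholds):
    """Accounts that logged in successfully from an IP flagged as automated.

    A success inside a stuffing run means the replayed password was valid: those
    accounts need a forced password reset, not just a blocked IP.
    """
    verdicts = classify(lines, **thresholds)
    stats = aggregate(lines)
    accounts = set()
    for ip in verdicts:
        accounts |= stats[ip].successes
    return sorted(accounts)


# Constructed sample: one stuffing run (eight users, one hit), one brute-force run
# against 'alice', and two legitimate sessions.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.10 user=alice result=fail
2024-05-01T10:00:01Z ip=203.0.113.10 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.10 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.10 user=dave result=fail
2024-05-01T10:00:04Z ip=203.0.113.10 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.10 user=frank result=fail
2024-05-01T10:00:06Z ip=203.0.113.10 user=grace result=fail
2024-05-01T10:00:07Z ip=203.0.113.10 user=hank result=ok
2024-05-01T10:01:00Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:01Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:02Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:03Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:04Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:05Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:02:00Z ip=192.0.2.5 user=alice result=ok
2024-05-01T10:03:00Z ip=192.0.2.8 user=bob result=fail
2024-05-01T10:03:05Z ip=192.0.2.8 user=bob result=ok
""".splitlines()

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print("force reset:", likely_compromised(SAMPLE_LOG))
```

The distinct-user ratio is what separates the two labels: a stuffing run touches almost as many usernames as it makes attempts, while a cracking run hammers one or two. In practice the per-IP view is only a first cut, since stuffing tools rotate through proxy pools, which is why the article pairs bot detection with compromised-credential intelligence rather than relying on rate limits alone.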
Neutralizing account fraud
Continuous post-login monitoring of accounts flags suspicious activities that are indicative of an account that has been compromised or a fake account created to commit fraud. For example, logging in from a new country on a new device, making changes to security questions or the delivery address, multiple accounts created from the same device or accounts using a flow of actions that indicate abuse. When an incident is detected, the solution should take customizable mitigation actions that match your organization’s workflow such as locking the account, or issuing a password reset email to the end user.
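The signals listed above (a login from a new country on a new device, a subsequent change to the delivery address or security questions, and several accounts registered from one device) can be expressed as rules over an account event stream. The following added example, not HUMAN's code, runs those rules over a constructed set of events and attaches a suggested mitigation to each alert, mirroring the customizable actions the text mentions. The event shapes, the known customer profiles, the 30-minute window and the per-device signup threshold are all assumptions made for the example.

```python
"""Post-login account monitoring: flag signals of a compromised or fake account.

Added example, not HUMAN's code. Event shapes, known profiles, rules and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_FIELDS = {"security_question", "delivery_address"}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def monitor(events, known_profiles, sensitive_window=timedelta(minutes=30), max_signups_per_device=2):
    """Return a list of (account, signal, suggested_action) alerts.

    Rules (illustrative):
      1. login from a country AND a device never seen for the account -> step-up auth
      2. security question / delivery address changed shortly after such a login -> lock + reset
      3. more than `max_signups_per_device` accounts registered from one device -> review as fake
    """
    seen_countries = defaultdict(set)
    seen_devices = defaultdict(set)
    for acct, prof in known_profiles.items():
        seen_countries[acct] |= set(prof["countries"])
        seen_devices[acct] |= set(prof["devices"])

    risky_login_at = {}  # account -> time of the last new-country + new-device login
    signups_by_device = defaultdict(list)
    alerts = []

    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, acct = parse_ts(e["ts"]), e["account"]
        if e["type"] == "signup":
            signups_by_device[e["device"]].append(acct)
            seen_devices[acct].add(e["device"])
            seen_countries[acct].add(e["country"])
        elif e["type"] == "login":
            new_country = e["country"] not in seen_countries[acct]
            new_device = e["device"] not in seen_devices[acct]
            seen_countries[acct].add(e["country"])
            seen_devices[acct].add(e["device"])
            if new_country and new_device:
                risky_login_at[acct] = ts
                alerts.append((acct, "new_country_new_device", "step_up_auth"))
        elif e["type"] == "profile_change" and e["field"] in SENSITIVE_FIELDS:
            risky = risky_login_at.get(acct)
            if risky is not None and ts - risky <= sensitive_window:
                alerts.append((acct, f"{e['field']}_changed_after_risky_login", "lock_and_reset"))

    for device, accts in signups_by_device.items():
        if len(accts) > max_signups_per_device:
            for acct in accts:
                alerts.append((acct, "shared_signup_device", "review_as_fake"))
    return alerts


# Constructed data: alice and bob are existing customers with known countries/devices.
KNOWN_PROFILES = {
    "alice": {"countries": ["US"], "devices": ["dev-a1"]},
    "bob": {"countries": ["US"], "devices": ["dev-b1"]},
}
EVENTS = [
    {"type": "login", "ts": "2024-05-01T09:00:00Z", "account": "alice", "country": "US", "device": "dev-a1"},
    {"type": "login", "ts": "2024-05-01T10:00:00Z", "account": "alice", "country": "BR", "device": "dev-x9"},
    {"type": "profile_change", "ts": "2024-05-01T10:10:00Z", "account": "alice", "field": "delivery_address"},
    {"type": "login", "ts": "2024-05-01T11:00:00Z", "account": "bob", "country": "US", "device": "dev-b1"},
    {"type": "profile_change", "ts": "2024-05-01T11:05:00Z", "account": "bob", "field": "security_question"},
    {"type": "signup", "ts": "2024-05-01T12:00:00Z", "account": "m1", "country": "US", "device": "dev-farm"},
    {"type": "signup", "ts": "2024-05-01T12:01:00Z", "account": "m2", "country": "US", "device": "dev-farm"},
    {"type": "signup", "ts": "2024-05-01T12:02:00Z", "account": "m3", "country": "US", "device": "dev-farm"},
    {"type": "signup", "ts": "2024-05-01T12:03:00Z", "account": "m4", "country": "US", "device": "dev-solo"},
]

if __name__ == "__main__":
    for alert in monitor(EVENTS, KNOWN_PROFILES):
        print(*alert)
```

Bob's security-question change produces no alert because it is not preceded by a risky login; the same change on alice's account, ten minutes after a login from an unseen country and device, is the classic takeover sequence and gets the strongest action. Seeding the seen sets from known profiles matters: without it every existing customer's first observed login would look like a new country and device.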
Controlling website scripts
In preparation for requirements 6.4.3 and 11.6.1 of PCI DSS 4, organizations should look for a solution that automatically inventories payment page scripts, flags any changes to both scripts and HTTP headers, and maintains an inventory that makes it easy to justify each script, with an auditable trail of changes. The solution should also be able to control scripts surgically, blocking unwanted actions such as reading sensitive customer information without stopping the script from performing its primary function, and, if required, monitor pages beyond just the payment pages.
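The inventory, justification and change-detection parts of the two requirements discussed in this section and under "Malicious scripts" above can be shown concretely. The following added example, which is not HUMAN's code, parses a payment page, records every script (external by URL, inline by position) with a content hash and a written justification, freezes the security headers alongside them, and on a later observation reports unauthorized, changed and missing scripts as well as header drift. The HTML, headers, script bodies and justifications are constructed; the `fetch` function stands in for retrieving each external script, and the surgical runtime control of script behaviour mentioned in the text is out of scope here.

```python
"""Inventory and change-detect payment-page scripts and headers (PCI DSS 4 req. 6.4.3 / 11.6.1).

Added example, not HUMAN's code. The HTML, headers, fetched script bodies and
justifications below are constructed; a real deployment would fetch the live page
and its external scripts and store the baseline with approval records.
"""
import hashlib
from html.parser import HTMLParser


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external by src URL, inline by position."""

    def __init__(self):
        super().__init__()
        self.external = []  # src URLs in document order
        self.inline = []    # inline script bodies in document order
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def observe(html, fetch):
    """Return {script_id: sha256} for a page; fetch(src) returns an external script's bytes."""
    p = ScriptCollector()
    p.feed(html)
    observed = {src: sha256(fetch(src)) for src in p.external}
    for i, body in enumerate(p.inline):
        observed[f"inline#{i}"] = sha256(body.encode("utf-8"))
    return observed


def build_baseline(html, headers, fetch, justifications):
    """Freeze approved scripts and security headers; every script needs a justification (6.4.3)."""
    scripts = observe(html, fetch)
    missing = [sid for sid in scripts if sid not in justifications]
    if missing:
        raise ValueError(f"unjustified scripts on page: {missing}")
    return {
        "scripts": {sid: {"sha256": h, "justification": justifications[sid]} for sid, h in scripts.items()},
        "headers": dict(headers),
    }


def audit_page(html, headers, fetch, baseline):
    """Compare a live page with its baseline (11.6.1); returns sorted (finding, subject) pairs."""
    findings = []
    observed = observe(html, fetch)
    approved = baseline["scripts"]
    for sid, h in observed.items():
        if sid not in approved:
            findings.append(("unauthorized_script", sid))
        elif approved[sid]["sha256"] != h:
            findings.append(("changed_script", sid))
    for sid in approved:
        if sid not in observed:
            findings.append(("missing_script", sid))
    for name, expected in baseline["headers"].items():
        if headers.get(name) != expected:
            findings.append(("header_changed", name))
    return sorted(findings)


# ---- constructed sample data ----
SCRIPT_BODIES = {
    "/static/checkout.js": b"document.getElementById('pay').addEventListener('submit', submitOrder);",
    "https://cdn.example.net/tag.js": b"/* third-party tag: never approved for the payment page */",
}


def fetch(src):  # stand-in for an HTTP fetch of the external script
    return SCRIPT_BODIES[src]


BASELINE_HTML = """<html><head>
<script>window.cfg = {shop: 'demo'};</script>
<script src="/static/checkout.js"></script>
</head><body><form id="pay"></form></body></html>"""
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self'", "X-Frame-Options": "DENY"}
JUSTIFICATIONS = {"inline#0": "page config, owned by payments team", "/static/checkout.js": "checkout form handler"}
BASELINE = build_baseline(BASELINE_HTML, BASELINE_HEADERS, fetch, JUSTIFICATIONS)

# Later observation: inline config changed, an unapproved tag appeared, CSP was loosened.
OBSERVED_HTML = """<html><head>
<script>window.cfg = {shop: 'demo', debug: true};</script>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/tag.js"></script>
</head><body><form id="pay"></form></body></html>"""
OBSERVED_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.net", "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for finding in audit_page(OBSERVED_HTML, OBSERVED_HEADERS, fetch, BASELINE):
        print(*finding)
```

Identifying inline scripts by position rather than by hash is deliberate: a modified inline block then shows up as a change to an approved script instead of as an entirely new one, which is the distinction an auditor asks about. The header comparison catches the loosened Content-Security-Policy that would otherwise let the new tag load, which is why 11.6.1 covers headers as well as scripts.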
How HUMAN helps
Dealing with the consequences of fraud and abuse caused by account takeovers, fake accounts and malicious scripts is an ongoing challenge for organizations in the financial sector. These threats cover multiple surfaces and interaction points across the customer journey, meaning that solutions need to address these different areas while offering the same high standard of protection. Ideally, organizations should look for a solution vendor that can help them tackle several, if not all, of these challenges.
HUMAN helps financial institutions to reduce online fraud by protecting against ATO attacks, fake account creation, fraudulent bot-led transactions, and risky scripts. Head over to our financial services page to learn more, or if you’d like to see us in action, you can request a live demo.