I remember hearing from the CISO of a top regional bank not too long ago, and he lamented the influx of malicious login attempts his business was experiencing. “Almost 70% of the requests to our login and authentication pages are coming from malicious bots,” he stated.
Although that number seems huge, it is actually below the industry average. The 2020 Automated Fraud Benchmark Report put malicious login attempts at between 75% and 85% of all login traffic, and credential stuffing bots have only been getting more sophisticated with time.
Even more worrying? Recent research from Aberdeen Group found that 84% of financial services companies reported that a portion of their online users had experienced a successful account takeover in the previous 12 months.
As an individual who banks online, I wasn’t very reassured by Aberdeen’s report. But as a cybersecurity evangelist on a mission to make the web a safer place, I am optimistic about the huge potential for financial services businesses to provide a safer digital experience for their account holders.
Account takeover attacks mean revenue loss
Although the techniques used to commit account fraud are industry-agnostic, cybercriminals aren’t afraid to play favorites when it comes to picking a target — and financial services companies often wind up on the hit list. That’s not a huge surprise given that banks are where the money is!
Looking at data from commercial banks, credit unions, savings institutions, and fintech businesses, Aberdeen found that companies in the financial services space can lose 1.9% to 8.3% of their annual revenue to an account takeover (ATO) attack. This figure includes chargebacks and add-on security services, as well as damage to brand reputation and consumer trust that leads to customer churn, slower growth, and a lower stock price.
Take credit unions, for example. The credit unions surveyed by Aberdeen had median revenue of $65 million and reported a median loss from an ATO attack of 5.2% of revenue. A credit union at the median could therefore lose about $3.38 million from a single successful account takeover attack. That’s a lot of money!
This also supports a conclusion Aberdeen made that “The financial consequences of successful account takeovers have grown to a level that goes beyond a mere ‘cost of doing business,’ to become a material business risk.”
When your CDN benefits from missing bots
Cybercriminals aren’t the only ones reaping rewards from bot attacks; vendors offering two-tiered service plans, such as basic and premier, do as well. Such vendors stand to gain by selling the cheaper option and then adding service fees to tune the system, add rule sets and integrations, and otherwise manage it over time. This requires you to invest more time and resources into a solution that was supposed to make your job easier.
If you’re unsure whether a basic solution will offer full protection, you might be convinced to buy additional security and professional services. Uncertainty is a red flag. If add-on services are offered to supplement inaccuracies — or, in other words, increase detection accuracy — that’s a sign that the product’s basic level isn’t actually a complete solution.
Instead, financial institutions should choose a solution that meets their needs from the get-go. Taking a comprehensive and automated approach to bot management enables you to stay on top of potential threats from automated credential stuffing and account takeover attacks, without having to purchase additional services to ensure that your account holders can safely access and manage their money online.
Application security solutions stop automated fraud
To safeguard their revenue, financial services companies are making two types of investments:
- Reducing the effectiveness of automated credential stuffing attacks, including adopting stronger bot detection and mitigation capabilities
- Strengthening user authentication capabilities, such as requiring stronger passwords or requiring multi-factor authentication (MFA)
Although both strategies had their supporters, Aberdeen found that financial services businesses overall were about three times more likely to invest in fighting malicious bots than in strengthening user authentication.
Going back to the conversation I mentioned earlier, the CISO’s own experience mirrored Aberdeen’s research. The top regional bank had started by implementing MFA, but quickly pivoted to bot mitigation when the MFA solution “saw an exponential increase in the number of bots attacking the login and authentication pages that fed into the MFA process, which led to a heightened risk of breach and increased security costs related to MFA.”
As online banking and digital transactions continue to grow, organizations in the financial services industry must prioritize risk mitigation strategies to combat credential stuffing and account takeover attacks. Advanced bot detection and mitigation solutions that use machine learning and behavioral analysis to continually improve detection accuracy blunt automated credential stuffing and account takeover attacks. This allows financial services businesses to put worrying about account fraud behind them and focus on innovating and delivering value for their customers.