
Industry Collaboration Combats ATO Fraudsters

Author

Russ Anderson, CFE
Head of Financial Crimes Services
LIMRA and LOMA
randerson@limra.com

September 2022

Less than 10 years ago, the industry was caught off guard when it started experiencing a new type of financial crime — third-party account takeover (ATO) fraud. ATO fraud happens when an individual or individuals impersonate someone unknown or unrelated to them to steal funds from financial accounts. With all of the private and personal data readily available online — from data breaches to compromised emails, ransomware attacks, or our own social media accounts — this type of fraud began to flourish.

About the time fraudsters first discovered there were trillions of dollars in insurance and retirement accounts, they also discovered most company authentication and fraud control procedures were not designed to prevent these types of attacks. At the same time, companies were beginning to enhance their online capabilities to provide customers easier and faster access to their accounts. Unfortunately, making it easier for customers to access their accounts also made it easier for fraudsters. The largely foreign-based fraudsters initially targeted larger companies, simply because they were unaware of the companies with smaller media footprints. However, within a few years, most insurance and retirement services companies were experiencing ATO fraud.

Industry Response

Industry response to these attacks was quick and remains ongoing, as companies seek the best methods for securing customer accounts while providing a high-quality and cost-effective customer experience. Initially, companies started requiring policy numbers along with the standard name, date of birth, and social security identifiers. However, they learned quickly that many customers don’t have their policy number handy when they first call. Then they began using knowledge-based answers to authenticate their customers. However, this time they realized that asking the questions was tedious, time-consuming, and frustrating for the customer and the customer service representative.

Thankfully, a number of technology solutions became available to combat this new and growing threat. These solutions scored phone calls to flag suspicious ones for review, confirmed bank account ownership prior to sending funds, and analyzed and validated online activity. Companies also have adopted better methods for authenticating customers, with many utilizing one-time passcodes and a few even implementing voice biometrics.

Collaboration

As ATO fraud incidents increased, companies also learned they could benefit by sharing the information and data associated with these incidents. Fraudsters don’t just attack a single company; they attack the whole industry. Even though fraudsters have easy access to personal and private information, they do not necessarily know where a consumer’s financial accounts are held. So, they use the personal information to contact individual companies until they find one with an account they can access. Companies quickly realized that — by sharing the associated threat indicators — they could potentially prevent an attack. Initially, companies shared information via email and Excel spreadsheets, which had obvious challenges and limitations.

Seeing an opportunity to help the industry, LIMRA and LOMA worked with member companies to develop a solution for sharing ATO fraud incident data; as a result, FraudShare was launched in October 2019. FraudShare enables participating companies to report ATO incidents and their associated threat indicators (e.g., phone numbers, emails, bank accounts, and IPs). Companies access and use the data to protect themselves from similar attacks. In addition to helping companies combat ATO fraud, FraudShare provides data and statistics to facilitate a better understanding of ATO activity and how company experiences compare with those of their peers.

The Evolving Threat of ATO Fraud

Over the past few years, there has been a steady increase in ATO fraud attacks, along with evolving attack vectors. In 2020, the average company reported five incidents per month, and that number grew to 6.5 by 2022.

Figure 1 — ATO Access Points and Success Rates
Source: Unpublished data from FraudShare, LIMRA, 2022.

Consistent with companies expanding their online capabilities, fraudsters have also increased their use of customer portals as their point of attack. So far in 2022, over 64 percent of attacks targeted the customer portal, which is a notable increase from 45 percent in 2020 (Figure 1). Unlike the decrease in the proportion of attacks that successfully accessed an account via the customer portal in 2021 over 2020 (79 percent down to 68 percent), we are seeing a slight increase in 2022 (with 70 percent of attacks via the customer portal successfully accessing the account). Attacks targeting contact centers, however, are decreasing — from 49 percent in 2020, to 40 percent in 2021, and to 31 percent so far in 2022. Overall, attacks focused on contact centers are less successful than those that target customer portals, with 51 percent of attacks in 2022 successfully accessing the account.

Detection Methods

When it comes to ATO fraud, the method of detection does matter, as more automated solutions tend to prevent the incident from occurring or detect it more quickly. We have seen an increase in third-party utilities detecting a greater percentage of ATO fraud in 2022 over 2021 (Figure 2). Since third-party utilities tend to provide more automated methods for detecting and preventing ATO fraud attacks, this increase in industry utilization points toward faster detection and prevention.

Figure 2 — Detection Methods

Source: Unpublished data from FraudShare, LIMRA, 2022.

Looking Ahead — FraudShare and Verisk

In June 2022, LIMRA and Verisk joined forces through a partnership that will focus initially on building more robust solutions while improving overall automation. This will include integration with Verisk’s FAST life insurance platform, providing joint clients real-time access to FraudShare and additional threat intelligence data. The partnership will offer all FraudShare users enhanced threat intelligence data and expanded data analytics and automation capabilities. Through this partnership, LIMRA and Verisk will enable FraudShare clients to mitigate a wider range of fraud threats facing the insurance, retirement, and recordkeeping industries.