ACH fraud resulting from account takeover has persisted as a serious threat to businesses, government offices and consumers, spurring guidance from the Federal Financial Institutions Examination Council (FFIEC) titled Authentication in an Internet Banking Environment. In response to this guidance, which was originally issued in 2005 and supplemented in 2011, financial institutions have improved their authentication techniques and, according to industry experts, while account takeover attempts have increased, detection and defense have improved.
The FBI estimates that ACH fraud losses in the U.S. total $100 million annually, and this is widely considered a conservative estimate. But to commit ACH fraud, fraudsters must first gain access to the victim’s accounts, which can be taken over by brute force or, more commonly, by obtaining login credentials through phishing, malware programs that log keystrokes, and other means. There is no shortage of account takeover attempts in the banking and financial sector, and since 2009 these attacks have led to many fraudulent ACH transfers coming from business accounts, where there are far fewer protections and less liability coverage than with consumer accounts.
Now, more than six years after the initial FFIEC Authentication in an Internet Banking Environment guidance, what has changed? According to Doug Johnson, VP of risk management policy at the American Bankers Association (ABA), ACH and wire fraud attempts have increased in recent years, but the amount of losses due to ACH fraud has decreased. This claim is supported by evidence from a survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC). In its survey, U.S. financial institutions reported an increase in account takeover attempts from 2009 to the first half of 2010. However, in 2009 only 20 percent of account takeover attacks were detected before the fraudulent transfers went through, but this figure increased to 36 percent in 2010. Account takeover attempts aren’t slowing down anytime soon, but banks are catching the fraudulent transfers more quickly.
For More Information: Account Takeover: Better or Worse?