OneSpan: how to protect from account takeover fraud

By Matt High
Account takeover (ATO) fraud is one of the top threats facing financial institutions, according to a new ebook from OneSpan The new guide, Account Take...

Account takeover (ATO) fraud is one of the top threats facing financial institutions, according to a new ebook from OneSpan

The new guide, Account Takeover Fraud: How to Protect Your Customers and Business, sets out the top techniques that cybercriminals use to take control of a bank account. 

Account takeover, which is an identity theft crime, can be initiated in several ways, with criminals using a variety of weapons and methods to harness personal data. 

These can include data breaches, phishing, SIM swapping and malware - all of which can cause serious damage to an enterprise. 

However, by employing a multi-layered security approach, account takeover fraud can be protected against and customers cared for at every stage of their digital journeys. 

This, together with several best practice steps, is explained in OneSpan’s new ebook

Data breaches

ATO attacks can be initiated by criminals harvesting personal data, says OneSpan. Typically, this is achieved through the purchasing of personal data leaked as part of a data breach that then allows cybercriminals to prepare targeted phishing attacks.

To combat this, financial institutions should use multi-factor authentication processes, such as fingerprint technology or one-time password capability. 


Typical phishing attacks include:

  • Classic email phishing
  • Spear phishing
  • Whaling
  • Vishing
  • Smishing
  • Overlay attacks

While all of these phishing methods can be used, according to OneSpan, the most common continues to be by email. 

Phishing takes advantage of trust. Messages typically create a sense of urgency that encourages the recipient to click links or open them. These redirect them to a fake banking portal or install credential-harvesting malware. 


Malware and banking trojans

Malicious software - or malware - is installed on a victim’s computer as a result of specific user actions. According to OneSpan, they carry out different types of attacks, including intercepting everything type by the victim and infecting web browsers through an add-on.

Mobile banking trojans have been growing in complexity, says OneSpan. The continued tendency towards mobile banking means that this trend is likely to continue. 

The attacks present their own screen on top of the legitimate banking app, thus capturing a user’s log in and personal details. 

Other forms of attack outlined by OneSpan include man-in-the-middle attacks, in which criminals position themselves between a user and financial institution to intercept data, and SIM swapping. 

OneSpan: protecting your business

OneSpan’s guide sets out several recommendations and best practices to protect financial institutions from ATO. These are based around a multi-layered approach that covers: 

  • Protecting the user: OneSpan’s Cronto visual transaction signing solution can protect users from social engineering and man-in-the-middle attacks. It does this by displaying a unique visual challenge  that contains transaction details - these cannot be modified by an attacker.
  • Protecting the device and banking session: The company’s Mobile Security Suite applies a 360 degree approach to mobile security. This includes factors such as app, device, interface, communications and more, and includes app shielding and runtime protection. The suite also includes encrypted, secure communications channels and storage.
  • Proactive fraud detection: OneSpan Risk Analytics is designed for this specific purpose. It provides financial institutions with the ability to proactively detect signs of an account takeover before there is any damage. It does this through continuous analysis and scoring of numerous data points in real time. 
  • Flexible, dynamic authentication: a flexible approach to authentication can prove fruitful, says OneSpan. Steps should include supporting a wide range of risk-based authentication methods and the assessing of every action taken by a user. 

OneSpan understands the complexity of ATO. The company’s guide provides an in-depth insight into the risks that company’s in the financial services sector face, as well as the steps they must take to mitigate them. 

Read the full guide here.

Find out more about OneSpan here.

For more information on all topics for FinTech, please take a look at the latest edition of FinTech magazine.

Follow us on LinkedIn and Twitter.


Featured Articles


FinTech LIVE returns this summer with FinTech LIVE New York on 17 June 2024 – The ultimate virtual event for fintech leaders in North America

WE’RE LIVE! FinTech LIVE Dubai

Back for another day, this time in Dubai! FinTech LIVE Dubai is LIVE, don’t miss out on your chance to hear from Swift, HSBC, Mastercard and many more

Amberdata: RWA tokenisation gains significant momentum

Explore the world of RWA Tokenisation and why finance professionals are investing in the technology for sustainable growth and risk mitigation

WE’RE LIVE! FinTech LIVE Singapore


FinTech LIVE Singapore: Just One More Day to Go!

Financial Services (FinServ)

Top 100 Women 2024: Allison Paine Landers, UBS - No. 10