Connect with us

Hi, what are you looking for?



Actions Enterprises Can Take to Combat Common Fraud Types

Fraud is a very general term that is used quite commonly in a variety of contexts.  Although many of us have heard the term repeatedly, fewer of us have likely ever stopped to think about what fraud really is and what it means.

Fraud is a very general term that is used quite commonly in a variety of contexts.  Although many of us have heard the term repeatedly, fewer of us have likely ever stopped to think about what fraud really is and what it means.

Fraud can mean many things, and it can mean different things to different people. Because of that, when trying to gain an initial understanding around the subject of fraud, I find it helpful to learn by looking into specific types of fraud.  In this piece, I’d like to examine three types of fraud:

● Account Takeover (ATO)

● Account Opening (AO) – sometimes called Fraudulent Applications (FRAP)

● Payment

Beyond just an initial understanding of each of these types of fraud, I’d also like to examine what enterprises can do to mitigate risk and limit losses for each type.

Account Takeover (ATO)

Advertisement. Scroll to continue reading.

As you might expect, Account Takeover (ATO) fraud occurs when a fraudster takes control of a legitimate account that belongs to someone else.  While there are many ways in which this can happen, here are a few of the more common ones:

● Credential theft through phishing and phishing sites

● Credential theft through malicious code (e.g., keylogging malware)

● Session hijacking or Man-in-the-Browser malware

The volume of stolen credentials and the rate at which they are stolen make it impractical, if not impossible, to keep up with which accounts have been compromised.  A far more practical approach is to look for the signs of account takeover.  There are many such signs, but a few notable ones are:

● Anomalous activity in the user journey (e.g., visiting unusual pages or pages rarely, if ever, visited in prior sessions)

● Anomalous behavior in the session (e.g., excessive cutting and pasting, erratic mouse movements, click speed, etc.)

● Anomalous environmental factors (e.g., connecting from a new or unknown device, mismatched ASN and timezone, strange language or user agent settings)

Of course, looking for these signs requires enterprises to have both mature controls and a robust fraud monitoring capability – neither of which is a given.  Both capabilities require strategic planning, diligent implementation, and continued focus.  Further, detecting ATO is one thing – doing so reliably enough to confidently block or deny fraudulent transactions is another thing entirely.

While thinking of ATO, we may think of bank accounts or other financial accounts.  It is important to note, however, that really any online account can be taken over.  Frequent traveler accounts are one example of a non-financial account type that often falls victim to ATO.  Because of this, the number of enterprises that need to protect themselves against ATO is larger than one might expect.

Account Opening (AO)

Account Opening (AO) fraud, sometimes called Fraudulent Applications (FRAP) fraud, involves opening entirely new accounts.  Obviously, fraudsters open these accounts in other people’s names and with other people’s information. Where do the fraudsters get this information?  From the dark web – due to the large number of breaches over the last 10 years, there is a wealth of PII available to the fraudsters at a very low cost.

Once fraudsters have obtained the PII of others, they turn their attention to opening new accounts.  In some cases, they may directly use the stolen PII of real people.  In other cases, they may combine PII from several people to create a new, fake person.  However they arrive at a stolen persona, once the fraudsters are able to successfully open a new account, they can begin enjoying the benefits of that account.

What are a few account types that fraudsters love to open?  There are many, though here are a few of the more popular ones:

● Unemployment benefits (filing for and receiving unemployment benefits using someone else’s PII or a the PII of a fake person created from different people’s PII)

● Credit cards (opening credit card accounts and using those credit cards)

● Income tax refund (filing taxes using someone else’s PII and receiving a tax refund)

As with ATO, detecting and preventing AO requires mature controls and a robust fraud monitoring capability.

Payment Fraud

Payment fraud is more than likely the type of fraud that most of us are familiar with. When enterprises do not have a robust fraud monitoring capability, it is the stage at which fraudulent transactions are most often identified. Generally, payment fraud is detected when a customer notifies the institution that they have noticed a fraudulent transaction on their account. Obviously, at this point, the money is long gone, and the enterprise has suffered a fraud loss.  It is much better for the enterprise to detect and prevent fraud much earlier in the fraud chain – before the fraudster has a chance to execute a fraudulent payment.

While there are, unfortunately, many types of fraud, I’ve attempted to provide a basic introduction to three of the more common types. Detecting and preventing ATO, AO, and payment fraud requires enterprises to put the requisite controls in place, as well as a robust fraud monitoring capability.  Enterprises that do not have these two important capabilities will continue to suffer increasingly large fraud losses. There are steps that can be taken to detect and prevent fraud before it happens, and my hope is that as awareness of the situation increases, so will action to address it.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...