
“But I don’t bank online!”

How cheats can victimize “absent holders”

Written by Craig Priess, Guardian Analytics

You might think that someone who doesn’t choose to have online access to his or her bank account would be safe from online banking fraud.

Think again.

The fraud intelligence team at Guardian Analytics has found a flurry of attacks that target precisely such victims, resulting in successful attacks that steal money through online bill pay, transfers, and credit card fraud.

Types of accounts hit by this pattern

Despite the popularity of online banking, there is still a segment of the population that is not actively banking online.

Some account holders simply have never established online access to their account. Others have banked online in the past but currently are inactive.

Examples include military personnel deployed overseas and prior online banking users who have passed away but whose bank accounts have not yet been closed. This combined group of customers is often referred to as “absent account holders.”

While this fraud scheme is not new, in 2013 our fraud analysts have detected a significant uptick as part of their ongoing tracking of fraud attacks and trends. What makes this scheme popular among fraudsters is the low likelihood that the absent account holder will discover it.

Fraud incident details

Here is how these frauds generally occur, step by step:

1. Compromise the absent account holder’s credentials.

Two variations appear here:

• Account holder never had an online account: The fraudster acquires the account number and enough information about the account holder to set up online access. The crook may get this initial information from many different sources, such as a compromised email account, a large data breach, Facebook, or by social engineering the call center.

Because online access has never been set up, there are no online credentials to steal. The fraudster creates them as part of the online registration.

• Account holder has not used online banking for 90 days (dormant account): The fraudster acquires existing online banking credentials through data breaches, social engineering, data purchased through criminal websites, malware, or other established methods. The fraudster is counting on the victim not noticing the renewed online activity due to the pattern of not using online banking.

2. Change user profile information. The fraudster accesses the account and sets up the attack. Our analysts have detected fraudsters using this attack to move money out of the account through bill pay or external transfers, or by requesting a replacement credit card.

They change contact information as needed to support the scheme in play. If they’re going to request a replacement credit card, they change the mailing address. Or if they’re requesting a wire transfer, for example, they change the phone number or email address used for out-of-band authentication.

3. Launch the attack. The fraudster initiates the transfer or requests a replacement credit card.

How can this be stopped?

A common thread across all of the attacks of this type is that they happen very quickly. Unlike other schemes that may play out over several weeks or months, in this case fraudsters gain access and immediately execute all aspects of the attack. 

Pay close attention to any profile changes. Account holders change their profile infrequently, so any change is cause for closer analysis. And as this is one of the first things the fraudsters do, it’s an opportunity to detect the attack early.

Look for a rapid and unexpected series of activities. The fraudster might initiate online account access, set up a new profile, or change the existing one, and initiate a transaction all in short order, trying to complete the transfer before anyone notices.

Look for behavioral anomalies (for dormant online access vs. new online access). While the victim’s earlier online behavior may be dated, the account holder will still have a history of prior usage. And as with all online fraud attacks, the fraudster’s activity will differ in some way from the victim’s normal behavior—a different location, ISP, computer, payee, payment amount, time of day, etc.

Follow established procedures. For example, if your policy is to not send credit cards to a new address, then be sure to follow that policy, regardless of how good or longstanding of a customer this account holder has been.
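The first two checks above can be combined into a single rule over an online-banking event log. The sketch below is an added example, not Guardian Analytics' product logic: the event names, the 24-hour burst window, and the sample accounts are assumptions made for illustration, and only the 90-day dormancy threshold comes from the article.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # dormancy threshold named in the article
BURST_WINDOW = timedelta(hours=24)  # assumption: what counts as "in short order"
PROFILE_CHANGES = {"change_address", "change_phone", "change_email"}  # hypothetical names
MONEY_OUT = {"bill_pay", "external_transfer", "card_replacement"}     # hypothetical names

def flag_absent_holder_bursts(events, last_online):
    """events: (timestamp, account, event_type) tuples, any order. last_online: account ->
    last session before the log (None = never enrolled). Returns {account: [alert tuples]}."""
    by_account = {}
    for ts, acct, kind in sorted(events):
        by_account.setdefault(acct, []).append((ts, kind))
    alerts = {}
    for acct, evs in by_account.items():
        previous = last_online.get(acct)
        for i, (ts, kind) in enumerate(evs):
            trigger = None
            if kind == "enroll":
                trigger = "new online enrollment"
            elif kind == "login" and previous and ts - previous >= DORMANT_AFTER:
                trigger = "login after dormancy"
            if kind in ("enroll", "login"):
                previous = ts
            if trigger is None:
                continue
            # Everything that happened within the burst window after the trigger.
            burst = {k for t, k in evs[i + 1:] if t - ts <= BURST_WINDOW}
            changed, moved = sorted(burst & PROFILE_CHANGES), sorted(burst & MONEY_OUT)
            if changed:  # any profile change on an absent holder merits review
                severity = "high" if moved else "review"
                alerts.setdefault(acct, []).append((severity, trigger, changed, moved))
    return alerts

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")
# Constructed sample data (not from the article).
LAST_ONLINE = {"A-100": None, "B-200": _t("2013-01-05 08:00"),
               "C-300": _t("2013-05-28 09:00"), "D-400": _t("2012-12-01 12:00")}
EVENTS = [
    (_t("2013-06-01 02:10"), "A-100", "enroll"), (_t("2013-06-01 02:20"), "A-100", "change_address"),
    (_t("2013-06-01 02:35"), "A-100", "card_replacement"), (_t("2013-06-02 23:00"), "B-200", "login"),
    (_t("2013-06-02 23:05"), "B-200", "change_phone"), (_t("2013-06-02 23:20"), "B-200", "external_transfer"),
    (_t("2013-06-01 09:00"), "C-300", "login"), (_t("2013-06-01 09:05"), "C-300", "bill_pay"),
    (_t("2013-06-03 10:00"), "D-400", "login"), (_t("2013-06-03 10:10"), "D-400", "change_email"),
]

if __name__ == "__main__":
    print(flag_absent_holder_bursts(EVENTS, LAST_ONLINE))
```

The recently active account (C-300) produces no alert even though it makes a payment, while a profile change alone after dormancy (D-400) is still queued for review.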

About the author

Craig Priess is a founder and vice president, products, at Guardian Analytics.
