Account takeover fraud is emerging as one of the most pressing threats in the American financial system, costing consumers a staggering $15.6 billion in 2024, according to a new report from Javelin Strategy & Research. That figure represents a sharp rise from the $12.7 billion reported just a year earlier, underscoring the growing sophistication of cybercriminals and the limitations of outdated security systems.
While large financial institutions often dominate the spotlight, it is smaller community banks that are on the front lines of this escalating battle. Their challenge: protecting customers without the vast cybersecurity budgets of the nation’s largest banks. And increasingly, they are embracing new technologies — and mindsets — to do it.
Outdated Defenses, Growing Risks
The mechanics of account takeover fraud are well-known but increasingly effective. Criminals use phishing, SIM swapping, multi-factor authentication (MFA) relay attacks and credential stuffing to gain unauthorized access to customer accounts. The tools they use are growing more refined by the day.
Yet many institutions are still relying on static defenses like passwords, one-time passcodes (OTPs) and security questions — methods developed decades ago, long before the modern internet threat landscape evolved.
“Account takeover fraud is no longer a customer annoyance; it’s an enterprise-level risk,” said Sean Goodwin, principal with the DenSecure team at Wolf & Co., where he leads cybersecurity projects across industries.
Goodwin advocates for stronger tools like phishing-resistant MFA, cryptographic device binding and behavioral biometrics. These approaches, he says, offer protection not only against unauthorized logins but also against increasingly common techniques like real-time MFA bypass.
“Implementing the proper controls is not just about protecting accounts,” he told Tyfone. “It’s about preserving trust, which is the cornerstone of a banking relationship.”
A New Defense
Some institutions are already moving toward these modern defenses and have developed cryptographic device authentication (CDA) — a passwordless technology that binds trust to a user’s device using advanced cryptography. The goal is to create a seamless customer experience that is also difficult for attackers to replicate.
The Credit Union of Colorado, with more than 160,000 enrolled digital banking users, implemented CDA earlier this year. In the first month alone, the credit union reported zero account takeovers, a dramatic improvement from the 10 to 15 incidents per month it had previously experienced.
Community Banks Take Action
Beyond new technologies, some banks are doubling down on internal training, manual review processes and even human intelligence to stem the tide of fraud.
At Community Spirit Bank in Red Bay, Alabama, CEO Brad Bolton expressed frustration at the lack of accountability from larger institutions. “One thing the regulators need to do is to hold big banks accountable to their bank-of-first-deposit responsibilities,” he told Tyfone. He also called for more transparency, suggesting that banks should itemize fraud losses in their reports rather than lumping them into general operating expenses.
To combat check fraud, the bank adopted an AI-based system called ThreatAdvice by FraudSentry, which analyzes check patterns and flags anomalies. While the system required extensive manual input at first, it has begun to yield results. In just the last two months, the bank intercepted roughly $13,000 in fraudulent checks, and no fraudulent checks have passed through its mobile or ATM deposit channels this year.
Human Capital and Incentives
At BOM Bank in Natchitoches, Louisiana, an aggressive fraud-prevention strategy includes not only standard cybersecurity practices but also financial incentives for staff who catch fraud attempts.
“We pay a bonus to any employee who catches anything fraudulent and helps prevent a loss to our customers and/or BOM,” CEO Ken Hale told Tyfone. The bank also brought on a recently retired FBI agent to advise on prevention and public education efforts.
Mary Bullock, BOM’s chief financial officer, said the bank takes a comprehensive approach: strict password expiration schedules, enforced complexity standards and session timeouts to reduce the risk of stolen session cookies. The bank also provides security awareness resources for customers.
“Fraudsters Adapt”
But even with all these defenses in place, experts caution that fraud is a moving target.
“Fraudsters are like cockroaches,” said Jim Houlihan, chairman and CEO of Paladin Fraud, a subsidiary of MVB Bank in West Virginia. “They just adapt to the environment that they’re presented in as the weakest link in the process.”
As fraud continues to evolve, so too must the defenses. For smaller institutions, the path forward appears to be one of constant vigilance, customer education and an embrace of both innovation and attention to detail.
Because for now, the only certainty in the fraud landscape is that it’s not going away.