
Fighting Account Takeover and Email Compromise in Business Banking

Listeners, give us your feedback to help us make The Purposeful Banker more meaningful for you! Take our brief, 10-question survey at q2.com/podsurvey.

In this episode of The Purposeful Banker, Sara Seguin from Alloy joins Jim Young to talk about the increasing threat of account takeover and email compromise and how financial institutions can help their business customers fight back.  


Related Links

[Product Overview] Ongoing Fraud Monitoring

[LinkedIn] Sarah Seguin

Transcript

Jim Young    

Hi, and welcome to The Purposeful Banker, the leading commercial banking podcast brought to you by Q2, where we discuss the big topics on the minds of today's best bankers. I'm your host, Jim Young, senior content strategist at Q2.

Before we hop into today's topic, I want to ask you, our devoted Purposeful Banker listener, to take just a few minutes to give us some feedback about the show. Just go to q2.com/podsurvey to fill out a brief survey. There'll also be a link to it in the show notes. I want to make sure that this is a show that keeps you informed and, yes, even a little entertained about all the issues impacting commercial banking. So we want to hear from you about what you want and what you don't want. Again, that's q2.com/podsurvey. OK, on to today's show.

Fraud is top of mind for a lot of our listeners. So we're continuing to look at this topic from different angles on the podcast. Today we're going to focus on the threats of account takeover and business email compromise. We've invited Sara Seguin back on the show to shed some light on the nature of these threats as well as ways bankers can protect their customers. You may recall that Sara was on The Purposeful Banker podcast previously to talk about the findings from this year's State of Fraud Report. She's the managing director of advisory at Alloy, and you may also recall that Alloy and Q2 have a partnership and recently launched our joint product, Ongoing Fraud Monitoring.

OK, with that lengthy preamble out of the way, Sara welcome back to The Purposeful Banker.

Sara Seguin    

Thanks, Jim. It's great to be here.

Jim Young    

And for those … I'm sure everyone listened to your previous appearance, but just in case we've got a few people that missed that one, can you start off by telling our listeners a little bit about your background?

Sara Seguin    

Yes, absolutely. So I have been with Alloy about two and a half years in an advisory role on fraud and identity risk. But prior to joining Alloy, I was in banking for about 17 years, always in the fraud and identity space. And in those different roles, it was both operations-related from a fraud perspective as well as strategy. So I've seen both ends of what happens once the fraud has occurred, operationally as well as from a strategic standpoint on how to predict and detect the fraud.

Jim Young    

OK. All right. And then for those in our audience who may not eat and breathe fraud defense every day, can you just give us a quick definition of account takeover and business email compromise and then explain why, out of the many threats out there, these ones deserve particular focus?

Sara Seguin    

Yeah, so account takeover, I would think of it as when an unauthorized individual is gaining access to your client's account, and that could be through online banking or digital where that unauthorized individual is gaining access. And it could be because they have your credentials—they received them in a breach, or perhaps even from an individual the client provided those credentials to. But then they can gain access to online banking. And account takeover can also occur in the contact center and in the branch, as well, where someone can walk into the branch or call into the contact center and impersonate a client in order to gain access to their account. And again, that's unauthorized.

From a BEC standpoint, so the business email compromise, I would think of it as a business that has had their email compromised, where a fraudster is trying to, again, impersonate either an employee—it could be a CEO—and provide instructions to another employee to request that they send funds or make changes to a wire in order for those funds to go to the fraudster.

Business email compromise can also occur from a vendor perspective. So let's say that a business is expecting to pay a vendor for an invoice, but they receive instructions that say, "Change that payment method" or "Change that ultimate account number. And you still owe us the money on that invoice, but now send it to this other account number." Again, they can be impersonating that vendor. And once the funds are sent, it's actually rerouted to the fraudster, and the vendor who is owed the money does not receive those funds. In either of those scenarios, ultimately the email of the business has been compromised.

Jim Young    

OK, gotcha. Yeah, I thought it was interesting looking at some stats actually from the AFP Payments Fraud Report because I always kind of thought the executive one, to me, I was always a little surprised that people get nailed on that one because it sort of felt like, "Hey, why ..." You would sort of have that warning bell of why is the CEO suddenly emailing me something like this. But the vendor one in particular, I was like, yeah, I could see that one getting some people.

Sara Seguin    

Yeah, Jim, and you're spot on. I mean, I think when you think about the risk of business email compromises, the fraudsters are targeting these commercial accounts, these business accounts where they do have a lot of money in their accounts. And if an employee receives an email from their CFO or from their CEO, there's also that moment of wanting to impress and ensure that they follow instructions. So I do think there's the human element that is preyed on, and then there's a lot of money in those accounts and it is actually normal behavior for those accounts to be sending those larger dollar transactions. So the fraudsters are also trying to circumvent some of the controls on that front, as well.

But Jim, I love that you brought up the 2025 AFP Payments Fraud and Control Survey Report because 63% of respondents cited it as the number one avenue for fraud attempts. So they cited BEC as the number one fraud attempt. That's really high for that to be in 2025 and 63%. That's incredibly high, showing that it is still a very prevalent risk.

Jim Young    

Yeah, absolutely. And we're going to get now into some of those tactics and techniques because I think the thing that always hits me with this is I think when people maybe think abstractly about financial fraud, they're thinking about complex hacking, and there's so much of this that is, like you mentioned, the human element. And so I want to get into that now talking about it back to account takeover. Just talking, can I get from you some of the common methods that fraudsters are using and then also some of the early warning signs that a bank can watch for and ones that they can then also warn their customers to watch for?

Sara Seguin    

Yeah. So if we start with account takeover, some of those common methods that fraudsters are using involve the client. So unfortunately, they're still trying to involve the client because SMS OTP, banks are using that heavily in order to perform a step-up authentication. And so fraudsters are exploiting that and pulling in the element of the client, instilling panic or impersonating the bank, impersonating a vendor, but trying to gain credentials or even that step-up. So once they can gather trust with the client, that can help them to gain access to the bank account. And so that's a very common method. It's been around, it is still widely used.

And also from an account takeover standpoint, what is also still widely used is gathering the data from a data breach and then trying to find a vulnerability at the bank, whether it is in the branch or in the contact center, certainly online banking as well. But what we're seeing is a lot of financial institutions are starting to lock down their controls in the digital space. And then we're seeing some of a shift into the branch and contact center, where account takeovers are being performed through impersonation in those channels, as well. And so again, those are common methods that the fraudsters are using for account takeover.

On the business email compromise side, common methods that are being used are really the two that we talked about: impersonating an employee and really instilling that urgency and panic to, "I need you to send the funds right now." The vendor piece is definitely one that if an employee is expecting … has already received an invoice and they are expecting to send money to a business they do business with all the time, they're expecting to send that money. So if they receive a follow-up email from someone they talk to and it says, "Hey, just send it here instead, this is our other account," they're not always thinking that there would be an issue there. So the fraudsters using the tactic, in a common method, of gaining access to a vendor account and asking to change the transmission or change that account is still very common, very common method.

Jim Young    

So you mentioned just, I suspect most people do know it because there's so many acronyms and letters involved in this with ATO and BEC for the AFP Report, but SMS OTP, can you just clarify what that was again?

Sara Seguin    

Absolutely. So think of the text message with a one-time passcode. So as you go to log in and maybe you're using a new device, you may receive a text message and your bank will tell you, "Hey, we're going to send a text message to the account number on file." A text message is then received, maybe a six-digit code, and you have to enter that six-digit code into the online banking portal, just as an example.

Jim Young    

So in a lot of these and I mentioned it briefly earlier, sort of this I think maybe broader cultural sort of thing of thinking of these elaborate hacks that do this stuff. And there definitely are to do the data breaching part. But it feels like in almost all these scenarios, there still needs to be a human that does take some action that sort of triggers it. Is that fair to say in almost all these scenarios?

Sara Seguin    

You know, Jim, I would say in business email compromise, yes, because they are definitely targeting employees within a business. So then you need to have the unknowing participation or participant in business email compromise.

For an account takeover, I would say that yes, a lot of times there are still clients participating, but there are definitely scenarios where clients are not participating at all, where the groups have become more and more sophisticated, have received more information. If they are targeting a financial institution that maybe their controls are not as complex as other institutions, they could be exploiting a vulnerability there where they do not need to involve the client and it may be a bit easier to get in.

Jim Young    

All right. So Sara, I'm also just kind of curious with business email compromise, why is that one so heavily targeted? It almost feels a little like that would be almost the antiquated one, the old-school approach, but it is such a heavy area for fraudsters.

Sara Seguin    

Jim, it does seem like an old-school approach, but unfortunately one that still works. And so what we see with those fraudsters is if there is a method or a tactic that works and it's kind of proven, then they will just continue to exploit it. But I think it's many things and why it's targeted is business and commercial accounts have a lot of money in them. Businesses are sending thousands of dollars to pay an invoice and they are sending money via quick methods, via wire, and so that's normal behavior. And so the faster the money can move for the fraudsters and the higher dollar amount, that's a win for them.

And then I think why it's effective, when you think about from a behavioral standpoint, the client that is sending the money, they're in their banking account. They are sending the money. So behaviorally they are performing the transaction. It is from their device. There's not going to be some of those suspicious flags because it is a user who always sends the money, who always sends wires. And so you kind of take some of the red flags out of that detection portion, and then it is expected again that they send high-dollar wires or via another method. So because it is ultimately a client sending those funds from a known device in their login that they use all the time, it's harder for banks to detect.

So I think that there's many reasons as to why it has been successful. And then you have the fraudsters preying on the trust and urgency and loyalty of an employee trying to make sure that they're performing their job when really the request is coming from a fraudster.

Jim Young    

OK, got it. And we're going to talk a little bit in just a little bit about how the bank can maybe start to identify some red flags in a way that they couldn't before, like you said, in the ways it wouldn't normally show up as a red flag. But first I want to talk a little bit about the customer as the first line of defense. So can you talk a little bit about what banks can do to make sure their customers are—like you said, once the customer's taking the action, it's harder to spot—but what are the ways that the customer can spot the fraud themselves and how the banks can help them be that first line of defense for account takeover and business email compromise?

Sara Seguin    

Yeah, Jim, that's a great question. So education I see on business email compromise being used very broadly. So whether that is a bank who is setting up a webinar for their business and commercial clients to share this information with them and give them methods and red flags to be aware of in order to not fall victim to this type of scam, or it's even doing road shows where banks will work with business clients and they will go out to a business or go into a place and invite many businesses where they can share a presentation with them in person. And ultimately it's really ensuring that they second guess, slow down, pick up the phone, maybe call if there is urgency or there is a change in payment information. Many different things that they can do in order to spot the red flags before sending the funds.

Jim Young    

Is there a little bit, I'm going to segue just a little bit out of here. Is there a little bit about do you have to get customers maybe willing to accept a little bit more friction than they have in the past, too, to be like, "Hey, I know this is maybe not ideal, but this is worth a few extra seconds of your time?"

Sara Seguin    

Yes, definitely, Jim. You're spot on. I think we've moved so far into a space of no friction is good and moving quickly. And yes, that's where we should be with the exception of the right amount of friction for the right moments. So instead of everyone receiving the same amount of friction, it should really be dynamic and smart about who needs to receive the friction only when there's the red flags or suspicious events that are there versus everyone receiving it. But you're spot on. Friction is our friend when it can help us to prevent and detect fraud.

Jim Young    

Gotcha. All right. It's a little bit of the whole stop and look both ways before crossing the road type of thing. But you've segued really well into what I wanted to talk about now, which is, and again, fair warning here, we're going to talk about our joint product, but it really does dovetail into what we've been talking about—Ongoing Fraud Monitoring—and what we just talked about sort of selective friction and we talked about red flags that maybe you hadn't … you wouldn't normally spot in certain situations. Can you kind of take us through this joint solution and how it can help identify and combat account takeover and business email compromise?

Sara Seguin    

Yeah, absolutely. It's going beyond onboarding and moving into that ongoing behavioral and transactional analysis. So really taking the ability to have a layered defense and proactively detect when there is something that does not behaviorally match what clients have done before and look at all of their transactions that they're performing. And so both from a real-time perspective, which is incredibly important in these scenarios, as well as being able to perform step-up.

So I think when you think about detection, anytime a transaction is occurring, it's not just the transaction, it's not just that immediate dollar amount. It is that holistic view across identity in what has occurred before, what transactions have they performed, and really trying to detect before the funds are sent. Because if the funds are sent, then you're in a position where you're just trying to claw them back.

So when we think about the solution and how it can be effective, it's trying to predict and detect before the funds are sent based on all of the information that we can see, as well as taking all of the data between the solutions and pulling that in to where you can alert on that data.

Jim Young    

So again, I'm putting you on the spot here a little bit, but can you give us what that would look like in a real-world example? Is there something where a customer, by a lot of standards, is doing something that would normally be authorized but that this solution would raise a red flag? And then what would it do in that situation?

Sara Seguin    

Yeah. So think about if a client is in online banking and they have logged in, and once they've logged in they maybe want to change information. Maybe they want to change their email or their phone number. Maybe they can successfully do that, and then thereafter they want to perform an external account transfer. From a solution perspective, it is taking the information that we're seeing and the ability to say from a login now they're changing information and now they want to perform an external transfer. This should be an alert.

And again, not every scenario is going to fall in if you have those three pieces, but it's really looking at that intelligence to say, "I recognize the login, the change of information, and the external account transfer that they never perform, and we want to alert before those funds are sent out. We want to be able to stop before those funds are sent, alert the financial institution with that data because we see multiple issues across this interaction."

Jim Young    

Gotcha. OK. So I'm trying to think, again, to me to analogize, and this is one of the situations where it may be more for me, all the bankers listening may be like, "Yep, got it." But for the marketer on this podcast, sort of the retail version of that, would it be sort of like I just submitted a credit card receipt, which seems like a normal credit card receipt except it's three time zones away from where I just did a previous transaction, which also seemed like a legitimate transaction. So maybe this is time to send out some sort of a, "Hey Jim, is this you" sort of note, basically?

Sara Seguin    

Jim, you're spot on. So when you think about login and you take your credit card, but if you're using the example of login from a solution perspective, looking at the device, the IP address, anything that we can gather from a login to indicate this login, we don't think it's the client logging in. It doesn't make sense, or maybe they've logged in from three different time zones in the past five minutes. That doesn't make sense. So, Jim, you're spot on from the standpoint of whether it's login or thereafter. But the earlier we can detect that an event is suspicious, the better because if we can detect it at login, we can stop it before they get to the monetary event.

Jim Young    

And when you get that red flag, then that's when you're going to introduce a little bit of the friction at that point. What does that look like typically in a situation where, OK, that you've gotten that red flag, we need to make sure, what are you then asking, I assume, the customer to do?

Sara Seguin    

Yeah, so the real-time interdiction in order to be able to have that individual step up and perform another type of authentication before they can proceed. And I think what's great about that is you're providing the opportunity for the client to self-remediate in that workflow if it is in fact the client. And if it's not the client, then they should not be able to then authenticate and proceed. So it not only helps with the client experience, you're not providing everyone that same workflow. It's now smart if you introduce that friction, but then it can help to mitigate the fraud events as well.

Jim Young    

Gotcha. Gotcha. OK, great. We could go on about this for a while. It's fascinating and it feels like it's definitely a way to now … offense is maybe not quite the right word, but like you said, it's sort of catching the fraud before it happens rather than, OK, fraud has happened, how do we identify it? Where's the damage? And how do we compensate people for it? Which is still an important part, but wouldn't you rather catch it? Prevention versus treatment, I guess, when it comes to this?

I just want to wrap up. Is there anything else though that, like I said, we could go on for a while, but is there anything else you wanted to touch on? Any additional points you wanted to make?

Sara Seguin    

Yeah, Jim, I think the one thing as we talk about account takeover and whether it's login activity and the ability to detect when there is a suspicious login with a solution, password reset, PII changes. But I think the other piece that we kind of talked about slightly, but I'll just mention again, is on the payment fraud side, right? So from a solution perspective, whether it is account linking on who owns that external account, we mentioned PII changes, but also that payment activity and velocity, the frequency of it. So I think when you pull all of that together between the login and the payment, that's when you have a really successful solution in order to detect and prevent the fraud. So I just wanted to call out more specifically the payment ability and what we'll have in the solution.

Jim Young    

So in a situation like, "Hey, this is normally, these guys normally send over this sort of payroll or something like twice a month," and all of a sudden there's something that comes in in between the 1st and the 15th or something like that, that would be a little bit of a, "Oh, hey, just making sure this is you basically," that sort of thing?

Sara Seguin    

Yes. Yep.

Jim Young    

OK. All right. Sorry. As always on this podcast, you've got to dumb it down for the host occasionally on these sorts of things. Sara, though, thank you so much for coming on and talking about this really important topic, and I love talking about it with you. It is, I guess unfortunately, a topic that is not going away anytime soon. So I highly suspect we will be asking you to come on the show again to talk about other ways that banks can combat fraud. Thanks again for coming on.

Sara Seguin    

Thanks so much, Jim. I appreciate it.

Jim Young    

And thanks again for listening to this latest episode of The Purposeful Banker. One more reminder to share your feedback on our podcast content at q2.com/podsurvey. It's all one word, podsurvey, and there will be a link in the show notes. You can subscribe to the show wherever you listen to podcasts, including YouTube, Apple, and Spotify, and you can see our archive of podcasts, including the previous one that Sara was on, at hub.q2.com/podcasts. Until next time, this is Jim Young, and you've been listening to The Purposeful Banker.