Securing HSAs with AI-driven identity verification: the foundation of account takeover fraud protection

By Sunil Seshadri, Chief Security Officer, HealthEquity | Originally posted by Health Equity

Key takeaways: Health Savings Accounts (HSAs) are an attractive target for fraudsters, and HSA providers must use automated methods to stop them before funds are lost. Account takeovers occur when bad actors use phishing, bot attacks, credential stuffing, or other methods to gain access to accounts. HealthEquity and Plaid worked together to put into place sophisticated, multi-layered controls that stop account takeovers and protect members.

Best practices include:

  • Retiring micro-deposit verification through bank accounts

  • Integrating instant bank account verification inside the member app

  • Enabling real-time verification outcomes

Fraud is one of the most significant threats to trust in healthcare finance. According to the Identity Theft Resource Center, financial services and healthcare are the two most commonly breached industries, and the data fraudsters can steal from these accounts is uniquely valuable [1].

Because HSAs sit at the intersection of healthcare and payments, providers need identity verification that goes beyond static checks – combining phishing-resistant authentication, real-time risk scoring, and machine learning (ML) driven anomaly detection to reduce account takeover (ATO) risk.

As cyberattacks become more automated, HSA security programs must shift from reactive controls to instrumented, data-driven defenses. That means collecting high-fidelity telemetry (device, network, session, and transaction signals), evaluating it with deterministic policies plus ML models, and enforcing step-up verification only when risk warrants it.

Let’s look at one of the most common attack classes where this matters most: account takeovers.

What are the attack paths and observable signals behind account takeovers?

An account takeover attack occurs when an adversary obtains sufficient authentication material (credentials, session tokens, or account recovery factors) to impersonate a legitimate member. The attacker then initiates high-risk actions such as changing payout accounts or moving funds [2]. From a detection standpoint, ATOs typically create measurable deviations across login, session, and transaction telemetry. Common entry paths include:

  • Phishing and social engineering: Obtaining credentials or recovery information; often correlated with unusual device/browser fingerprints and rapid post-login privilege actions

  • Bot-driven credential attacks: Brute force and password attempts at scale; detectable via velocity, IP reputation, ASN/geo anomalies, and automation markers

  • Credential stuffing and session replay: Reuse of breached credentials and/or hijacked cookies; often shows as “valid login” from a new device followed by payout changes or atypical ACH behavior

Once access is established, attackers try to convert quickly – draining balances before a member or operations team can respond. Total losses in the U.S. from ATO fraud rose to 15.6B in 2024 and are projected to continue climbing [3]. Recent reports cite a median ATO exposure rate of 1.4% [4], with the fintech industry potentially as high as 2.3% [5].

This is why modern HSA platforms rely on near-real-time risk decisioning. Advanced security teams stream signals into a risk engine that can step up authentication, block payout changes, or hold funds pending verification.

Historically, organizations treated security and the member experience as opposing forces. A more technical framing is “static friction vs. adaptive friction.” Static friction (extra steps for everyone) drives abandonment and support cost. Adaptive friction uses a risk score (policy + ML) to apply verification only when signals indicate elevated probability of ATO – preserving low-friction flows for trusted sessions while hardening high-risk ones.
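The observable signals listed for each entry path above, and the adaptive-friction idea of stepping up only when a risk score warrants it, can be made concrete in code. The following is an added example, not HealthEquity's or Plaid's code: a minimal deterministic policy layer that scores one session event against a member's known-good profile, maps the score to allow / step-up / block-and-hold, and a small closed-loop tuner that picks a step-up threshold from confirmed outcomes. The signal weights, thresholds, member profile, IP reputation list and telemetry are all constructed assumptions for illustration, not a production policy.

```python
# Added example (not HealthEquity's or Plaid's code): a minimal adaptive-friction
# risk engine. Signals, weights, thresholds and the telemetry below are constructed
# assumptions for illustration, not a production policy.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SessionEvent:
    member_id: str
    ip: str
    asn: str
    country: str
    device_fp: str
    failed_logins_last_10m: int      # per-account failure velocity from the auth log
    ip_failed_logins_last_10m: int   # per-IP failure velocity (credential-stuffing marker)
    seconds_since_login: float
    action: str                      # "view_balance", "change_payout_account", "ach_transfer"
    automation_markers: bool         # e.g. headless browser, missing JS challenge token


# Constructed "known good" profile for one member, built from past trusted sessions.
MEMBER_PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "m-1001": {"devices": {"fp-a1"}, "countries": {"US"}, "asns": {"AS7018"}},
}
BAD_IPS: Set[str] = {"203.0.113.7"}          # constructed reputation list (TEST-NET-3 range)
HIGH_RISK_ACTIONS = {"change_payout_account", "ach_transfer"}

BLOCK_THRESHOLD = 70      # assumed policy cut-offs
STEP_UP_THRESHOLD = 35


def score_event(ev: SessionEvent) -> Tuple[int, List[str]]:
    """Deterministic policy layer: add weighted points for each observed anomaly."""
    profile = MEMBER_PROFILES.get(ev.member_id, {"devices": set(), "countries": set(), "asns": set()})
    checks = [
        (ev.device_fp not in profile["devices"], 25, "new_device"),
        (ev.country not in profile["countries"], 20, "new_country"),
        (ev.asn not in profile["asns"], 10, "new_asn"),
        (ev.ip in BAD_IPS, 30, "bad_ip_reputation"),
        (ev.failed_logins_last_10m >= 5, 20, "account_brute_force_velocity"),
        (ev.ip_failed_logins_last_10m >= 50, 30, "ip_stuffing_velocity"),
        (ev.automation_markers, 25, "automation_markers"),
        (ev.action in HIGH_RISK_ACTIONS and ev.seconds_since_login < 120, 20, "rapid_privileged_action"),
    ]
    total, reasons = 0, []
    for hit, weight, name in checks:
        if hit:
            total += weight
            reasons.append(name)
    return total, reasons


def decide(total: int, action: str) -> str:
    """Adaptive friction: trusted sessions pass, risky ones get stepped up or held."""
    if total >= BLOCK_THRESHOLD:
        return "block_and_hold"            # deny, hold funds, route to ops for verification
    if total >= STEP_UP_THRESHOLD or (action in HIGH_RISK_ACTIONS and total >= 20):
        return "step_up"                   # e.g. passkey re-auth before a payout change
    return "allow"


def evaluate(ev: SessionEvent) -> Dict[str, object]:
    total, reasons = score_event(ev)
    return {"score": total, "reasons": reasons, "decision": decide(total, ev.action)}


def tune_step_up_threshold(labeled: List[Tuple[int, bool]], max_legit_friction: float = 0.10) -> int:
    """Closing the loop: from confirmed outcomes (score, was_fraud), pick the lowest
    step-up threshold that challenges at most max_legit_friction of legitimate sessions."""
    legit = [s for s, fraud in labeled if not fraud]
    if not legit:
        return STEP_UP_THRESHOLD
    for t in range(0, 101, 5):
        if sum(1 for s in legit if s >= t) / len(legit) <= max_legit_friction:
            return t
    return 100


# Constructed telemetry: a trusted session, a new-device payout change shortly after
# login, and an automated credential-stuffing burst from a flagged IP.
EVENTS = [
    SessionEvent("m-1001", "198.51.100.5", "AS7018", "US", "fp-a1", 0, 0, 900, "view_balance", False),
    SessionEvent("m-1001", "198.51.100.9", "AS7018", "US", "fp-z9", 1, 0, 45, "change_payout_account", False),
    SessionEvent("m-1001", "203.0.113.7", "AS9009", "NL", "fp-q2", 6, 120, 10, "ach_transfer", True),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.action, evaluate(ev))
```

The policy layer is intentionally explainable: every point of score carries a named reason, which is what an operations analyst needs when reviewing a held payout and what a later ML layer can consume as features. The tuner shows the feedback loop in its simplest form, trading a cap on legitimate-session friction against the threshold; a real program would also track catch rate and decision latency.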

The platforms that will earn long-term trust are those that operationalize security as an always-on system: layered preventive controls (passkeys, strong recovery), real-time detection (anomaly models, bot detection), and continuous monitoring (drift, false positives/negatives, operational metrics). A strong strategy closes the loop – using confirmed fraud outcomes to retrain models, tune thresholds, and improve decision latency.
