Key takeaways: Health Savings Accounts (HSAs) are an attractive target for fraudsters, and HSA providers must use automated methods to stop them before funds are lost. Account takeovers occur when bad actors use phishing, bot attacks, credential stuffing, or other methods to gain access to accounts. HealthEquity and Plaid worked together to put into place sophisticated, multi-layered controls that stop account takeovers and protect members.
Best practices include:
- Retiring micro-deposit verification through bank accounts
- Integrating instant bank account verification inside the member app
- Enabling real-time verification outcomes
Fraud is one of the most significant threats to trust in healthcare finance. According to the Identity Theft Resource Center, financial services and healthcare are the two most commonly breached industries, and the data fraudsters can steal from these accounts is uniquely valuable.[1]
Because HSAs sit at the intersection of healthcare and payments, providers need identity verification that goes beyond static checks – combining phishing-resistant authentication, real-time risk scoring, and machine learning (ML) driven anomaly detection to reduce account takeover (ATO) risk.
As cyberattacks become more automated, HSA security programs must shift from reactive controls to instrumented, data-driven defenses. That means collecting high-fidelity telemetry (device, network, session, and transaction signals), evaluating it with deterministic policies plus ML models, and enforcing step-up verification only when risk warrants it.
Let’s look at one of the most common attack classes where this matters most: account takeovers.
What are the attack paths and observable signals behind account takeovers?
An account takeover attack occurs when an adversary obtains sufficient authentication material (credentials, session tokens, or account recovery factors) to impersonate a legitimate member. The attacker then initiates high-risk actions such as changing payout accounts or moving funds.[2] From a detection standpoint, ATOs typically create measurable deviations across login, session, and transaction telemetry. Common entry paths include:
- Phishing and social engineering: Obtaining credentials or recovery information; often correlated with unusual device/browser fingerprints and rapid post-login privilege actions
- Bot-driven credential attacks: Brute-force and password-guessing attempts at scale; detectable via velocity, IP reputation, ASN/geo anomalies, and automation markers
- Credential stuffing and session replay: Reuse of breached credentials and/or hijacked cookies; often shows as “valid login” from a new device followed by payout changes or atypical ACH behavior
Once access is established, attackers try to convert quickly – draining balances before a member or operations team can respond. Total losses in the U.S. from ATO fraud rose to $15.6B in 2024 and are projected to continue climbing.[3] Recent reports cite a median ATO exposure rate of 1.4%,[4] with the fintech industry potentially as high as 2.3%.[5]
This is why modern HSA platforms rely on near-real-time risk decisioning. Advanced security teams stream signals into a risk engine that can step up authentication, block payout changes, or hold funds pending verification.
Historically, organizations treated security and the member experience as opposing forces. A more technical framing is “static friction vs. adaptive friction.” Static friction (extra steps for everyone) drives abandonment and support cost. Adaptive friction uses a risk score (policy + ML) to apply verification only when signals indicate elevated probability of ATO – preserving low-friction flows for trusted sessions while hardening high-risk ones.
The platforms that will earn long-term trust are those that operationalize security as an always-on system: layered preventive controls (passkeys, strong recovery), real-time detection (anomaly models, bot detection), and continuous monitoring (drift, false positives/negatives, operational metrics). A strong strategy closes the loop – using confirmed fraud outcomes to retrain models, tune thresholds, and improve decision latency.
How can HSA providers implement AI-assisted identity verification (IDV) and risk-based decisioning?
To get ahead of fraud, HSA providers need an identity and fraud stack that can make decisions in-session – before funds ever leave the account. Practically, that means:
- Aggregating signals (for example, device reputation, IP/ASN, behavioral patterns, account history, and payout linkage).
- Scoring risk with a combination of set rules and machine learning.
- Orchestrating step-up actions (passkey, bank/identity verification, cooldowns, or manual review) based on thresholds and business context.
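The three steps above (aggregate signals, score with rules plus a model, orchestrate a step-up) are shown end to end in the following added example, which also exercises the ATO signals listed earlier (new device, new ASN, credential-attack velocity, automation markers, rapid post-login payout changes) and the adaptive-friction idea: a trusted session is allowed through with no extra steps, while a risky one is stepped up or blocked. This is illustrative code written for this article, not HealthEquity's or Plaid's risk engine; the field names, the velocity and score thresholds, and the logistic weights standing in for a trained model are all constructed assumptions.

```python
"""Risk-based decisioning for an HSA session: deterministic policy first,
then a (toy) model score, returning allow / step_up / block for a request."""
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class SessionEvent:
    account_id: str
    action: str                  # "login", "change_payout_account", "ach_reimbursement", ...
    device_id: str
    known_devices: frozenset     # device ids previously seen on this account
    ip_asn: int
    usual_asns: frozenset        # ASNs this account normally logs in from
    failed_logins_from_ip_5m: int
    seconds_since_login: float
    bank_link_verified: bool     # instant bank verification outcome for the payout account
    automation_markers: bool     # e.g. headless-browser signals reported by the device SDK


HIGH_RISK_ACTIONS = {"change_payout_account", "ach_reimbursement", "withdraw"}

# Constructed weights standing in for a trained model (illustrative only).
MODEL_WEIGHTS = {"new_device": 1.6, "new_asn": 0.9, "rapid_high_risk_action": 1.4,
                 "automation": 2.0, "unverified_bank_link": 1.2}
MODEL_BIAS = -4.0


def features(ev: SessionEvent) -> dict:
    """Step 1: derive boolean risk signals from the aggregated telemetry."""
    high_risk = ev.action in HIGH_RISK_ACTIONS
    return {
        "new_device": ev.device_id not in ev.known_devices,
        "new_asn": ev.ip_asn not in ev.usual_asns,
        "rapid_high_risk_action": high_risk and ev.seconds_since_login < 120,
        "automation": ev.automation_markers,
        "unverified_bank_link": high_risk and not ev.bank_link_verified,
    }


def model_score(feats: dict) -> float:
    """Step 2b: logistic score in (0, 1), a probability-like estimate of ATO."""
    z = MODEL_BIAS + sum(MODEL_WEIGHTS[k] for k, v in feats.items() if v)
    return 1 / (1 + exp(-z))


def apply_rules(ev: SessionEvent, feats: dict):
    """Step 2a: deterministic policy evaluated before the model. Returns
    (decision, reason) when a rule fires, else None."""
    if ev.failed_logins_from_ip_5m >= 20:          # assumed velocity threshold
        return "block", "credential-attack velocity from source IP"
    if feats["automation"] and ev.action in HIGH_RISK_ACTIONS:
        return "block", "automation markers on high-risk action"
    if feats["unverified_bank_link"]:
        return "step_up", "payout account not instantly verified"
    return None


def decide(ev: SessionEvent, step_up_threshold=0.35, block_threshold=0.8) -> dict:
    """Step 3: orchestrate. Rules win outright; otherwise thresholds on the
    model score choose between allow, step-up verification, and block."""
    feats = features(ev)
    ruled = apply_rules(ev, feats)
    if ruled:
        return {"decision": ruled[0], "reason": ruled[1], "score": None}
    score = model_score(feats)
    if score >= block_threshold:
        decision = "block"
    elif score >= step_up_threshold:
        decision = "step_up"
    else:
        decision = "allow"
    reasons = [k for k, v in feats.items() if v] or ["no elevated signals"]
    return {"decision": decision, "reason": ", ".join(reasons), "score": round(score, 3)}


# Constructed sample events (not real member traffic); ASNs are from the private range.
TRUSTED_LOGIN = SessionEvent("acct-1", "login", "dev-A", frozenset({"dev-A"}),
                             64512, frozenset({64512}), 0, 5.0, True, False)
NEW_DEVICE_PAYOUT_CHANGE = SessionEvent("acct-1", "change_payout_account", "dev-Z",
                                        frozenset({"dev-A"}), 64600, frozenset({64512}),
                                        0, 45.0, True, False)
CREDENTIAL_STUFFING = SessionEvent("acct-2", "login", "dev-Q", frozenset({"dev-B"}),
                                   64600, frozenset({64512}), 50, 0.0, True, True)
UNVERIFIED_ACH = SessionEvent("acct-3", "ach_reimbursement", "dev-C", frozenset({"dev-C"}),
                              64512, frozenset({64512}), 0, 600.0, False, False)


def run_examples() -> dict:
    return {name: decide(ev) for name, ev in [
        ("trusted_login", TRUSTED_LOGIN), ("new_device_payout_change", NEW_DEVICE_PAYOUT_CHANGE),
        ("credential_stuffing", CREDENTIAL_STUFFING), ("unverified_ach", UNVERIFIED_ACH)]}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name:28s} -> {result}")
```

The ordering matters: rules that encode hard policy (a verified bank link before any payout change, a velocity cap on a source IP) run before the model so that a model regression can never silently waive them, and the score only decides the cases policy leaves open. In the sample run the trusted login scores about 0.018 and is allowed untouched, the payout change from an unseen device and ASN shortly after login scores about 0.475 and is stepped up, and the other two are settled by rules alone.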
At HealthEquity, we address cybersecurity, fraud, privacy, and identity as an integrated system with layered controls and continuous monitoring. This includes hardened authentication (like phishing-resistant methods), real-time fraud analytics, and measurable operational guardrails (decision latency, step-up rates, and support impact). The goal is to reduce ATO loss while maintaining predictable, seamless member experiences.
Bank account verification is a critical control for high-risk actions, which include linking a payout account, initiating ACH reimbursements, or depositing funds. It provides strong evidence that the member controlling the session can authenticate to the claimed financial account.
Through our partnership with Plaid, a technology platform that securely connects applications with users’ bank accounts, we modernized our verification flow to support near-real-time identity proofing and reduce attack opportunities:
- Retired micro-deposit verification (a slow, low-signal method that increases support load and leaves longer windows for attacker interference)
- Integrated instant bank account verification inside the HealthEquity web and mobile experiences to reduce time-to-trust during onboarding and payout changes
- Enabled real-time verification outcomes that can be consumed by our risk engine to approve, step up, or block transactions based on a unified risk decision
When money moves through ACH reimbursements or deposits, we can gate the action on verified identity and verified account linkage. This reduces the likelihood that a compromised session can redirect funds. For members, this translates into fewer manual steps, less disruption, and stronger protection against fraud without adding unnecessary friction to every transaction.
When employers evaluate an HSA partner, they should look for evidence of mature, measurable controls – not just policy statements. The leading platforms embed security into the identity verification process with risk-based decisioning: strong authentication by default, ML-assisted detection for anomalous behavior, and verification steps that trigger only when a session shows potentially elevated risk.
Measuring the impact of HSA security
Modern identity verification and fraud controls are measurable. Beyond “fraud prevented,” the right program tracks decision latency, step-up rates, authorization success for trusted users, false-positive friction, support contact rate, and downstream loss. These metrics help ensure models and policies are improving security without degrading member access.
- Instant verification reduces onboarding and payout-linking latency – eliminating waiting periods associated with micro-deposits and shrinking the window where attackers can exploit weak recovery or account-linkage flows.
- By applying verification adaptively, we can reduce avoidable friction for low-risk members, meaning members make fewer service calls and are more satisfied with our service.
- Our fraud-related service costs have dropped 70% compared to the prior year.[6]
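The metrics named above (decision latency, step-up rate, false-positive friction, authorization success for trusted users, missed fraud) and the closing of the loop described earlier (using confirmed outcomes to tune thresholds) are computed in the following added example. It is illustrative code written for this article, not a HealthEquity reporting tool; the decision log and the scored outcomes are constructed sample data, and the outcome label is assumed to be attached later by a fraud-operations review.

```python
"""Operational metrics for a risk-based decisioning program, computed from a
decision log joined with later confirmed-fraud outcomes, plus a threshold
sweep of the kind a feedback loop uses to retune the step-up cutoff."""
import math

# Constructed decision log (not real data): one record per high-risk request.
# "confirmed_fraud" is the outcome label attached afterwards by fraud ops.
DECISION_LOG = [
    {"decision": d, "latency_ms": ms, "confirmed_fraud": f}
    for d, ms, f in [
        ("allow", 12, False), ("allow", 15, False), ("allow", 9, False),
        ("step_up", 40, False), ("allow", 11, False), ("block", 35, True),
        ("step_up", 42, True), ("allow", 10, True), ("allow", 14, False),
        ("allow", 13, False), ("step_up", 38, False), ("allow", 12, False),
        ("block", 90, True), ("allow", 16, False), ("allow", 11, False),
        ("step_up", 45, True), ("allow", 13, False), ("allow", 10, False),
        ("allow", 12, False), ("allow", 120, False),
    ]
]

# Constructed (model score, confirmed_fraud) pairs used for threshold tuning.
SCORED_OUTCOMES = [(0.02, False), (0.05, False), (0.08, False), (0.12, False),
                   (0.20, False), (0.30, False), (0.40, False), (0.55, False),
                   (0.45, True), (0.60, True), (0.70, True), (0.90, True), (0.25, True)]


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    s = sorted(values)
    k = max(1, math.ceil(p / 100 * len(s)))
    return s[k - 1]


def program_metrics(records):
    """Operational guardrails for the decision engine over one reporting window."""
    n = len(records)
    fraud = [r for r in records if r["confirmed_fraud"]]
    legit = [r for r in records if not r["confirmed_fraud"]]
    stepped = sum(r["decision"] == "step_up" for r in records)
    blocked = sum(r["decision"] == "block" for r in records)
    # Friction imposed on legitimate members: any non-allow decision on a non-fraud request.
    false_pos = sum(r["decision"] != "allow" for r in legit)
    # Downstream loss: confirmed fraud the engine allowed straight through.
    false_neg = sum(r["decision"] == "allow" for r in fraud)
    return {
        "step_up_rate": round(stepped / n, 3),
        "block_rate": round(blocked / n, 3),
        "p95_latency_ms": percentile([r["latency_ms"] for r in records], 95),
        "false_positive_rate": round(false_pos / len(legit), 3),
        "false_negative_rate": round(false_neg / len(fraud), 3),
        # Authorization success for trusted users is the complement of the FP rate.
        "trusted_auth_success": round((len(legit) - false_pos) / len(legit), 3),
    }


def sweep_step_up_threshold(scored, thresholds):
    """Feedback loop: for each candidate cutoff, the friction it would impose on
    legitimate users (fpr) against the fraud it would miss (fnr)."""
    fraud = [s for s, f in scored if f]
    legit = [s for s, f in scored if not f]
    return {
        t: {"fpr": round(sum(s >= t for s in legit) / len(legit), 3),
            "fnr": round(sum(s < t for s in fraud) / len(fraud), 3)}
        for t in thresholds
    }


if __name__ == "__main__":
    print(program_metrics(DECISION_LOG))
    for t, m in sweep_step_up_threshold(SCORED_OUTCOMES, [0.2, 0.35, 0.5]).items():
        print(f"threshold {t}: {m}")
```

On the constructed log this reports a 20% step-up rate, a p95 decision latency of 90 ms (the single slow decision shows up precisely because p95 is tracked rather than a mean), a false-positive rate of about 13% and one missed fraud in five. The sweep shows the trade-off a threshold change buys: raising the cutoff from 0.35 to 0.5 halves the friction on legitimate users but doubles the miss rate, which is the number a program owner needs before retuning.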
The impact extends to employer customers and their employees:
- Phishing-resistant login via passkeys helps reduce credential theft.
- Instant bank verification adds strong evidence for account ownership.
- Risk-based controls help ensure members can use their HSA cards when they need them.
The common thread is smart, automated decision-making at every control point.
How can HSA providers build trusted platforms?
Think about what happens to members when they experience an account takeover. They log in to pay for care and discover their money has been redirected or withdrawn. They could discover it at the pharmacy window picking up an essential prescription, or at the hospital for a life-changing emergency. We don’t want anyone to feel that panic, confusion, or heartbreak.
Preventing this requires a clear threat model and controls that operate at the right decision points: during login, recovery, payout linkage, and high-risk transactions. We’re focused on reducing both the probability (prevention/detection) and total impact (holds, step-up verification, and rapid response) of these events.
Benefits leaders shouldn’t have to be cybersecurity experts. But they should expect transparency into how an HSA partner reduces ATO risk.
So what should you look for in an HSA partner?
- Passkeys or other phishing-resistant authentication, plus hardened account recovery
- Real-time ATO detection and response using rules + ML (velocity/anomaly scoring, bot detection, device and session intelligence)
- Instant bank + identity verification for payout-linking and high-risk actions, integrated into a risk-based orchestration flow
- Continuous monitoring, layered controls, and model governance (drift monitoring, feedback loops, incident response)
Your HSA partner should help you build a resilient, trustworthy program that protects real people—by using modern identity primitives and AI-assisted fraud controls to reduce ATO risk without turning access to healthcare funds into a high-friction experience.
Visit our Trust Center to learn more about how HealthEquity is setting the standard for HSA security.
HealthEquity does not provide legal, tax or financial advice.
HealthEquity and Plaid are separate, unaffiliated companies and are not responsible for each other’s policies or services.
HealthEquity uses AI and machine learning technologies to enhance security and fraud detection. AI-generated risk scores and anomaly detection are not guaranteed to be accurate and are subject to ongoing review and improvement.
[1] Identity Theft Resource Center, 2024 Annual Data Breach Report.
[2] SentinelOne, “What are Account Takeover Attacks?”
[3] Equifax, “Account Takeover (ATO) Fraud: Understanding the Impact and How to Protect Your Business.”
[4] Flare, “The Account and Session Takeover Report,” 2026.
[6] HealthEquity internal metrics (e.g., earnings call or investor relations disclosure), if/when published.