The cost of account takeover fraud tripled last year, reaching an estimated $5.1 billion in the United States. This type of fraud is costly and frustrating for customers and merchants alike.
What is Account Takeover Fraud
Account takeover fraud is when a fraudster obtains valid credentials to take over an online account. After gaining access to the account, the fraudster is free to run wild pretending to be the actual account holder. This could include selling the account information to the highest bidder on the black market, making numerous transactions, changing passwords, transferring loyalty points, and any other activity that could turn them a profit. The goal of the account takeover fraudster depends on what type of account they gain access to.
When a customer reuses the same password from account to account, this tees up fraudsters to take over many accounts after gaining access to just one. Fraudsters are also using technology to take over accounts. If they only have one piece of the puzzle, such as an email, a bot can enter thousands of passwords a minute to try to access the account. Targeted accounts can be chosen based on data breaches that contain customer information.
Synthetic Identity v. Account Takeover Fraud
Synthetic identity fraud is when a fraudster gets information on an individual, such as name, email, address, and date of birth, then mixes in some made-up information. This is a common technique for applying for a credit or debit card to make fraudulent purchases. A real person’s exact information is not used, so this fraud can be hard to detect.
Account takeover fraud is when someone has the credentials to log in to an individual’s account. They then masquerade as the owner of the account to make purchases.
Types of ATO Fraud
Which credentials or accounts fraudsters can get their hands on varies with the type of account takeover fraud. Here are the types that merchants need to be aware of:
Merchant Account Fraud
If a merchant has a cardholder’s information saved to their site, a fraudster who gains access to the customer’s account can start to make purchases posing as the customer. Inside the customer’s saved settings, the fraudster can change the shipping address to receive physical goods, or have digital goods delivered right away to the fraudster’s device. By simply accessing the account, fraudsters don’t have to get their hands on a credit card to make purchases.
Loyalty Program Fraud
There has been a rise in loyalty program fraud as these programs become more popular among merchants. What is drawing fraudsters is the lack of protection around the loyalty points. Merchants and even customers do not view reward points as currency, but fraudsters do. As long as that mentality exists, there is going to be less protection around the loyalty points than there would be around credit card information. This makes loyalty programs an easy target for fraudsters.
The percentage of cyber attacks targeting loyalty and rewards accounts nearly tripled from 2016 to 2017, with 48% of businesses hit by account takeover attacks. This has cost companies more than $2.3 billion worldwide. But with rewards not being viewed as money, customers and merchants alike are not keeping track of points in their account like they would in their bank account.
What Merchants Need to Know
Even though it is a customer account that is being taken over, account takeover fraud is costly and painful for merchants too. Being aware of the signs of account takeover fraud is vital to prevent disputes and maintain customer relationships.
Any company with accounts can be a target of account takeover fraud. Large and small companies can be a target for ATO as long as they have customer accounts. As the ecommerce world moves towards frictionless payments, customers are becoming more vulnerable. Saving all of the customer information needed to complete a transaction leaves fraudsters with no roadblocks to a spending spree.
Signs of an Account Takeover Attack
A transaction that comes from an account takeover fraudster can be hard to catch. This is because the transaction might look normal, since it comes from a known customer with a history of making purchases. That is why merchants need to monitor for the following signs of an account takeover:
- The amount of purchases increases beyond what is normal for the customer’s purchasing behavior.
- Many changes to the account at one time. Changes could include email, password, address, or device.
- An increase in fraudulent customer disputes. This means that the customer is disputing the charges on their card.
- Hundreds of login attempts to an account or mass password reset requests.
- Large transfers of reward points.
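The per-account signs in the list above can be checked mechanically over an event log; the following is an added example, not code from the original article. The event schema, the thresholds and the sample data are all assumptions, and the dispute-rate sign is left out because it is measured across the whole merchant rather than per account.

```python
from collections import Counter, defaultdict

# Assumed thresholds; the article gives no numbers, so tune these per business.
WINDOW = 3600             # seconds of history examined per account
MAX_LOGIN_ATTEMPTS = 100  # "hundreds of login attempts"
MAX_RESETS = 5            # password reset requests in the window
MAX_CHANGED_FIELDS = 3    # email, password, address, device changed together
MAX_POINTS = 10_000       # size of a single reward-point transfer
PURCHASE_FACTOR = 3       # multiple of the customer's usual purchases per window

def ato_signals(events, baseline_purchases, now):
    """Return {account: sorted signs} for events inside the last WINDOW seconds."""
    recent = defaultdict(list)
    for e in events:
        if now - WINDOW <= e["ts"] <= now:
            recent[e["account"]].append(e)
    flagged = {}
    for account, evs in recent.items():
        kinds = Counter(e["type"] for e in evs)
        signs = set()
        if kinds["login_attempt"] >= MAX_LOGIN_ATTEMPTS:
            signs.add("login_flood")
        if kinds["password_reset"] >= MAX_RESETS:
            signs.add("reset_flood")
        if len({e["field"] for e in evs if e["type"] == "change"}) >= MAX_CHANGED_FIELDS:
            signs.add("bulk_account_changes")
        if any(e["type"] == "points_transfer" and e["points"] >= MAX_POINTS for e in evs):
            signs.add("large_points_transfer")
        # Accounts with no purchase history fall back to a baseline of 1.
        if kinds["purchase"] > PURCHASE_FACTOR * baseline_purchases.get(account, 1):
            signs.add("purchase_spike")
        if signs:
            flagged[account] = sorted(signs)
    return flagged

# Constructed sample events (not real data).
NOW = 10_000
SAMPLE = (
    [{"account": "alice", "ts": NOW - i, "type": "login_attempt"} for i in range(150)]
    + [{"account": "bob", "ts": NOW - 60, "type": "change", "field": f}
       for f in ("email", "password", "address")]
    + [{"account": "bob", "ts": NOW - 30, "type": "points_transfer", "points": 25_000}]
    + [{"account": "carol", "ts": NOW - 10 * i, "type": "purchase"} for i in range(2)]
    + [{"account": "dave", "ts": NOW - 5 * i, "type": "purchase"} for i in range(8)]
    + [{"account": "erin", "ts": NOW - 7200, "type": "points_transfer", "points": 50_000}]
)
BASELINE = {"carol": 2, "dave": 2}  # usual purchases per window (constructed)

if __name__ == "__main__":
    for account, signs in sorted(ato_signals(SAMPLE, BASELINE, NOW).items()):
        print(account, signs)
```

Carol stays unflagged because her purchases match her baseline, and Erin's transfer is ignored because it falls outside the window.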
How to Protect Your Customers and Business
Ask customers to re-enter payment information. If your business has all the information saved for customers to make a one- or two-click checkout, you are making it easy for both customers and fraudsters to make purchases. Ask your customers to re-enter payment information after a password, address, or name change to the account. Re-entering this information will deter or stop fraudsters from using the account to make purchases.
Add multi-factor authentication to your logins. These methods can range from a code sent through text, an email verification, or a biometric login.
Notify users if there is unusual behavior on the account. Send an email notification if there is a change in the account information, unusual buying habits, or other possibly suspicious behavior. If you feel like you need to get hold of your customer as soon as possible, you can even call them.
Play it safe. Fraudsters are clever and can use all kinds of tactics to get hold of customers’ accounts. The important thing is to be aware of the signs of account takeover fraud and take action to protect your business and customers.
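The re-entry and notification advice above can be combined into one rule: a saved card is usable only if the payment details were typed in after the latest sensitive change. This is an added sketch, not code from the original article; the `Account` fields, function names and timestamps are hypothetical.

```python
from dataclasses import dataclass, field

SENSITIVE_FIELDS = {"password", "address", "name"}  # changes named in the article

@dataclass
class Account:
    email: str
    last_sensitive_change: float = 0.0  # time of latest password/address/name change
    payment_verified_at: float = 0.0    # time the card details were last typed in
    outbox: list = field(default_factory=list)  # queued notices (stand-in for email)

def record_change(acct, changed_field, now):
    """Record a profile change; sensitive ones notify the owner and revoke one-click."""
    if changed_field in SENSITIVE_FIELDS:
        acct.last_sensitive_change = now
        acct.outbox.append(f"Your {changed_field} was changed. Not you? Contact support.")

def record_payment_reentry(acct, now):
    """The customer typed the full payment details again."""
    acct.payment_verified_at = now

def checkout_mode(acct):
    """'one_click' only if payment was verified at or after the latest sensitive change."""
    if acct.payment_verified_at >= acct.last_sensitive_change:
        return "one_click"
    return "reenter_payment"

def demo():
    """Walk a constructed account through changes and re-entry."""
    acct = Account("customer@example.com", payment_verified_at=100.0)
    modes = [checkout_mode(acct)]                 # saved card usable
    record_change(acct, "address", now=200.0)     # new shipping address
    modes.append(checkout_mode(acct))             # saved card blocked
    record_payment_reentry(acct, now=210.0)
    modes.append(checkout_mode(acct))             # usable again
    record_change(acct, "newsletter", now=220.0)  # non-sensitive: no effect
    modes.append(checkout_mode(acct))
    record_change(acct, "password", now=230.0)
    modes.append(checkout_mode(acct))             # blocked again
    return modes, len(acct.outbox)

if __name__ == "__main__":
    print(demo())
```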
The Damage of Account Takeover Fraud
One of the repercussions of account takeover fraud that merchants face is financial losses. This loss comes from true fraud customer disputes filed through the customer’s issuing bank. If the merchant does not catch the account takeover before the merchandise is shipped out, then they will suffer the loss of merchandise as well.
The second repercussion is the damaged customer relationship. When a customer chooses to shop with you, they are in turn trusting you. If a customer’s account gets breached, they will feel like you failed to protect them. A breach can turn away a loyal customer and taint the name of your company.