Account takeover fraud (ATO) is on the rise, and businesses and banks are bearing the costs. ATO cost US businesses $5.1 billion in 2017, about three times as much as in 2016. This type of fraud is still trending upward, especially against banks. ATO attacks on financial services rose by 40% from Q1 to Q2 of 2018, according to ThreatMetrix’s Q2 Cybercrime Report. Even more alarming, the rate of ATO attempts via mobile transactions rose 200% during that period.
Fraudsters can not only steal merchandise and divert funds through account takeovers, but they can also access other data like personal information and card numbers to inflict even more damage on consumers and businesses. Because ATO fraud looks like activity by a trusted customer, detection can be difficult – but it is possible. Here’s what merchants need to know to fight takeover attacks without declining good orders.
How do fraudsters take over accounts?
Anyone with a customer’s login credentials can take over that person’s account. An increasing number of recent large-scale ATO attempts have been carried out with botnets that attempt to log in to customers’ retail accounts, according to ThreatMetrix. How are thieves getting the credentials in the first place? Unfortunately, fraudsters have many resources at their disposal.
The ongoing wave of consumer data breaches at retailers, hotel chains, social media networks, and other companies gives organized criminals a steady supply of data points to exploit. This data can include names, payment card numbers, and in some cases, usernames and passwords. Unsecured wireless networks give thieves another way to steal credentials and other personal data. Some fraudsters impersonate their victims on the phone with customer service to change account passwords and gain access.
Scammers also use social engineering on social media to collect information they can use to hack their way in. For example, quizzes and memes that prompt users to share the names of pets, former hometowns, and other personal details can help attackers answer knowledge-based authentication questions that many online accounts require for password recovery.
What happens during an account takeover?
Account takeovers cause stress, fear, and a lot of work for consumers who have to repair the damage to their accounts and credit. One Florida businesswoman recently described the account takeover fraud she endured after briefly using her mobile phone on an unsecured airport wireless network. Although she had unique passwords and multifactor authentication on her key accounts, as well as freezes on her credit-bureau files, fraudsters were able to break into her mobile phone and her email, bank, and credit card accounts.
Because the thieves had access to the victim’s channels of communication with her bank and other companies, account-alert texts and emails never reached her. The fraudsters made thousands of dollars’ worth of purchases and cleaned out her checking account before she knew she’d been hacked. When account takeover fraud is detected, merchants and banks are usually liable for the cost of fraudulent purchases and transfers.
How can your business prevent account takeover fraud?
There are two main paths to stopping ATO fraud against your business. The first is to encourage your customers to follow safe-shopping best practices. You can set up your online account creation parameters to require a strong password, and you should encourage your customers to create unique passwords for all their accounts. You can offer to send alerts to your customers whenever they update their information or when they make purchases over a pre-set dollar amount. You can also offer two-factor authentication for your customer accounts and encourage your customers to use it. However, as the case of the Florida businesswoman shows, those precautions aren’t foolproof against ATO.
The second path addresses the business’s own side of the ATO problem: preventing losses while avoiding false declines that can turn customers away for good. The most effective way to do this is to implement a fraud-prevention program that combines identity verification, device verification, and other order-screening tools, tailored to the fraud profile of each sales channel. The LexisNexis 2018 True Cost of Fraud Study found that businesses with these types of channel-specific layered programs “have a lower cost of fraud.” To avoid false declines, your program needs to include a manual review of all suspicious orders, rather than relying on automatic rejections. Reaching out to customers to validate flagged orders can also help you uncover ATO attempts.
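The following is an added worked example (written for this page, not code from the article or from any vendor program it mentions) of the layered screening described above: it scores an order against ATO indicators such as an unrecognized device, a location inconsistent with the customer’s history, a password or contact-detail change shortly before the purchase, a never-before-used shipping address, and an amount far above the customer’s norm, then routes high-scoring orders to manual review rather than auto-declining them. It also shows the alert rule suggested by the Florida case in the previous section: when contact details were changed recently, the purchase alert also goes to the previously recorded address, since the attacker may control the new one. The indicator weights, thresholds, the 24-hour window, account profiles, and order data are all constructed assumptions for illustration.

```python
"""Rule-based ATO screening for an incoming order (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

RECENT = timedelta(hours=24)   # window for "just changed" signals (assumed)
ALERT_AMOUNT = 500.0           # pre-set dollar threshold for purchase alerts (assumed)
REVIEW_SCORE = 5               # at or above this, route to manual review (assumed)


@dataclass
class AccountProfile:
    email: str
    previous_email: Optional[str]   # contact on file before the latest change, if any
    known_devices: Set[str]
    known_countries: Set[str]
    usual_max_order: float          # largest order in the account's history
    last_password_change: datetime
    last_contact_change: datetime   # email / phone / address edits


@dataclass
class Order:
    placed_at: datetime
    device_id: str
    country: str
    amount: float
    new_shipping_address: bool


def score_order(order: Order, profile: AccountProfile) -> Tuple[int, List[str]]:
    """Sum weighted ATO indicators. Weights are illustrative, not tuned on real data."""
    signals = [
        (order.device_id not in profile.known_devices, 2, "unrecognized device"),
        (order.country not in profile.known_countries, 2, "country inconsistent with history"),
        (order.placed_at - profile.last_password_change < RECENT, 3, "password changed within 24h of purchase"),
        (order.placed_at - profile.last_contact_change < RECENT, 2, "contact details changed within 24h of purchase"),
        (order.new_shipping_address, 2, "shipping to an address never used before"),
        (order.amount > max(ALERT_AMOUNT, 3 * profile.usual_max_order), 1, "amount far above customer's norm"),
    ]
    score, reasons = 0, []
    for fired, weight, reason in signals:
        if fired:
            score += weight
            reasons.append(reason)
    return score, reasons


def route_order(order: Order, profile: AccountProfile) -> Tuple[str, List[str]]:
    """Decide what happens to the order. Suspicious orders go to a human, never to an auto-decline."""
    score, reasons = score_order(order, profile)
    if score >= REVIEW_SCORE:
        return "manual_review", reasons
    if score > 0:
        return "approve_with_alert", reasons
    return "approve", reasons


def alert_recipients(order: Order, profile: AccountProfile) -> List[str]:
    """Always alert the address on file; if contact details changed recently, also the previous one."""
    recipients = [profile.email]
    if profile.previous_email and order.placed_at - profile.last_contact_change < RECENT:
        recipients.append(profile.previous_email)
    return recipients


# --- constructed sample data ---------------------------------------------------
NOW = datetime(2018, 9, 1, 12, 0)

PROFILE_OK = AccountProfile(
    email="alice@example.com", previous_email=None,
    known_devices={"dev-home"}, known_countries={"US"}, usual_max_order=200.0,
    last_password_change=NOW - timedelta(days=90),
    last_contact_change=NOW - timedelta(days=90),
)
LEGIT_ORDER = Order(NOW, "dev-home", "US", 80.0, new_shipping_address=False)
BIG_ORDER = Order(NOW, "dev-home", "US", 700.0, new_shipping_address=False)

# Same customer after a takeover: email swapped, password reset, new device/country/address.
PROFILE_COMPROMISED = AccountProfile(
    email="attacker-controlled@example.net", previous_email="alice@example.com",
    known_devices={"dev-home"}, known_countries={"US"}, usual_max_order=200.0,
    last_password_change=NOW - timedelta(hours=2),
    last_contact_change=NOW - timedelta(hours=1),
)
ATO_ORDER = Order(NOW, "dev-unknown", "NL", 1800.0, new_shipping_address=True)

if __name__ == "__main__":
    for label, order, profile in [("legit", LEGIT_ORDER, PROFILE_OK),
                                  ("big", BIG_ORDER, PROFILE_OK),
                                  ("ato", ATO_ORDER, PROFILE_COMPROMISED)]:
        decision, reasons = route_order(order, profile)
        print(f"{label}: {decision} {reasons} -> alert {alert_recipients(order, profile)}")
```

The legitimate order scores zero and is approved; the unusually large order on a known device is approved but triggers the pre-set-amount alert; the takeover-style order accumulates enough signals to be held for manual review, and its alert goes to both the current and the previous email address.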
Account takeover fraud is expensive and damaging to businesses and customers alike. By encouraging your customers to stay safe online and by implementing an anti-fraud program to spot inconsistencies in location and customer behavior, you can strengthen your customer relationships and prevent costly losses from ATO.