What is Account Takeover Fraud? How Do You Protect Your Business Against It?
Did you know that you’re more likely to be robbed online than anywhere else?
It’s true. According to data published by Javelin, 13 million people in the US were victims of Identity theft in 2019 alone. There are a lot of different methods that fraudsters can employ to steal consumers’ identities. Account takeover fraud, or ATO, is one of the fastest-growing of these threats.
Reports of account takeover fraud climbed 378% during the Covid-19 pandemic. This carries consequences for cardholders, banks, and merchants alike.
In this article, we’ll discuss the reasons you might be targeted, and also provide some tips and tactics you can adopt to help protect your business.
Recommended reading
- Return Fraud: What It Is, and How Merchants Can Fight It
- The Top 5 Prepaid Card Scams to Watch Out For in 2023
- How do Banks Conduct Credit Card Fraud Investigations?
- What is Authorized Push Payment Fraud?
- Denial-of-Service Attacks: How to Protect Your Organization
- 10 Tips to Prevent Card Testing Fraud Attacks
What is Account Takeover Fraud?
- Account Takeover Fraud
Account takeover fraud is a form of identity theft by which a third party gains access to unique details of a trusted user’s online accounts. Fraudsters can pose as the real customer to change account details, make purchases, withdraw funds, and even leverage the stolen information to access other accounts.
[noun]/* uh • kount • teyk • oh • ver • frawd/
In an increasingly connected world, both merchants and consumers benefit from streamlined access. Unfortunately, the shift to digital communication and recordkeeping also gives fraudsters multiple entry points to gain access to users' personal information.
Bad actors don’t need complete, detailed information to compromise a person’s account. They can take partial information and then try to fill in the gaps from there. Once the fraudster has control of a user’s account, they can make fraudulent third-party purchases and conduct other activity without the user’s knowledge.
As a payment fraud tactic, account takeover fraud is appealing to fraudsters for multiple reasons. It’s comparatively easy to do, and it’s hard to detect. In fact, you probably won’t even know you’ve been targeted until it’s too late.
Surprising Account Takeover Stats
Account takeover is big business for fraudsters, and it’s impacting an increasing number of consumers, both here in the US and abroad.
Did you know that nearly one in four Americans have fallen victim to account takeover fraud? Not only that, but data published by Security.org found that the average successful account breach will cost $12,000. Check out some of these startling account takeover fraud statistics below:
Dealing with the aftermath of an ATO attack can be a major headache. Part of the problem, though, is that relatively few consumers seem to understand the threat.
Only 74% of individuals are aware of account takeover fraud as a potential threat. 18% are totally in the dark, and another 9% are unsure if they have heard of it. These percentages reflect a concerning gap between account holders and proper security awareness.
How Fraudsters Takeover Accounts
Technological conveniences are a wonderful thing, but they also invariably attract those who are up to no good. For various reasons, the ease with which your customers attain information and goods can open doors which fraudsters would otherwise lack.
The good news: you can assist customers and protect their businesses at the same time by keeping up with new and developing fraud methods.
Here are a few common account takeover fraud examples that outline how criminals gain access to customer data:
Phishing
Phishing is perhaps the most insidious tactic on the list, since it cannot function without the victim’s help. A clever phishing scam doesn’t need much more than an email address and a great line to be effective.
How it Works:
Phishing refers to any practice by which a fraudster tries to trick individuals to reveal personal information, such as passwords and credit card numbers. This can be done through emails purporting to be from reputable sources, dummy sites, etc.
How to Prevent it:
Merchants should require users to complete two factor authentication when they log in from a new device or add a new payment method. Consumers can protect themselves by adding similar methods (see the “Layer Up” subsection below).
SIM Card Swapping
A SIM swap scam is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification. Specifically, it works when the second factor or step is a text message or call placed to a mobile telephone.
How it Works:
A fraudster contacts a user’s mobile carrier, telling them they have a new device. The fraudster then uses stolen credentials to gain access to accounts they wish to use, but is able to subvert the two-step authentication process by tricking device fingerprinting methods.
How to Prevent it:
If a cardholder’s personal details are accessed by someone in another region, or they are suddenly unable to access certain accounts, they should change their credentials immediately. Never reuse credentials on multiple sites. If the device they typically use to access sites is no longer recognized, they should contact their mobile provider immediately.
Malware
Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. This is the method by which most fraudsters gain access to systems they haven’t been inadvertently invited to, whether through phishing or by other means.
How it Works:
Most often, malware is injected into a user’s computer through faulty apps, unsecured sites, or through hardware that is inserted into a drive. The malware then tracks keystrokes or other activity to capture login credentials.
How to Prevent it:
Cardholders should ensure their systems are secure and that they follow security best practices online. For merchants, your employees should only access necessary data through secured networks.
Mobile Banking Trojans
Banking trojans are type of malware that tries to obtain access to confidential information which is stored or processed through online banking systems.
How it Works:
This is malware 2.0. Instead of targeting your system at large, rooting for whatever can be sifted from your data, mobile banking trojans are targeted attacks that are designed to escape your notice.
How to Prevent it:
Cardholders need to guard their banking details carefully. If a site doesn’t look trustworthy, they should never add their payment details. Period.
Man-in-the-Middle Attacks (MitM)
Imagine you’re at a coffee shop and you’re attempting to pay one of your friends for the coffee they purchased for you. Naturally, you login to a site like Cash App or Zelle and attempt to pay your friend. What you didn’t know was that there was a suspicious individual in the same room, accessing your accounts from the unsecured network you used to make the payment.
How it Works:
This attack is a lot like eavesdropping. A fraudster will position themself between your data and its reception point on a network in order to redirect that information or payment elsewhere.
How to Prevent it:
Cardholders should never transmit sensitive information via public Wi-Fi. Also, savvy merchants provide secured Wi-Fi networks for all in-house use, including any that might be consumer-facing.
Brute Force Attacks
This method, known as an exhaustive key search, is exactly what it sounds like. When stealth and subterfuge fail, fraudsters may attempt to bombard your system with a flurry of password cracking attempts. Perhaps this method may seem less dangerous than the others, but the statistics above show that the number one weakness in cybersecurity is password strength.
How it Works:
Brute force attacks involve a fraudster bombarding your firewalls and system checks with a bevy of passwords all at once. The goal is to gain a keyword that might crack the whole system. The attack will often persist until the password is accepted or the keyword is revealed.
How to Prevent it:
Merchants should budget for strong anti-virus and password management software.
Ready to take the next step in the fight against fraud? We’re here to help.
What’s the Worst that Could Happen?
The extent of the damage following an account takeover attack can be dramatic. It may not be as extensive as bankruptcy…but it could happen, and that’s the point.
Consequences of account takeover fraud may include:
- Revenue loss: bankruptcy is an extreme example…but you get the idea. Remember, individuals tend to lose an average of $12,000 per successful ATO attack. If this is a loss you’d notice, it’s worth considering your security.
- Loss of confidence: both customers and partners aim to do business with parties they can trust. If your data is wide open for fraud or you’ve implemented limited security, this will give a bad impression of your business practices and priorities.
- Make others vulnerable: data breaches are harmful to everyone, but merchants especially. Your business often bears sensitive information for partners and customers, including crucial account details which could open your systems up to attacks.
Most attacks are by invitation only. The victim has to click on something, leave something open, or utilize weak defenses or faulty security measures to precipitate a majority of ATO attacks. That isn’t to say, however, that this is your fault.
Fraudsters know humans are communicators. They know we like to keep things simple, tidy, and organized. They also know we’re social creatures that prefer to trust and believe in one another. In fact, they count on it.
It doesn't help that so many consumers operate with passwords that are embarrassingly simple to guess. The stakes are exceptionally high for account takeover fraud when it comes to bank customers. Imagine an individual with the same login information for both credit card and checking account. A successful account takeover attack on either one would expose both.
Five ATO Fraud Prevention Tips
As a merchant, you need to keep eye open for account takeover fraud red flags. Although ATO attacks are primarily cardholder-facing, they will come back to you in the form of chargebacks.
With that in mind, here are five things you can do right now to help protect your business and your customers against account takeover fraud:
Even after an account takeover fraud attack happens, there is still preventative actions to take. The key is to learn from past experiences.
Take Control of the Fight Against Fraud
It’s true that online fraud is on the rise. However, the means to combat fraud is also diversifying, so there is plenty you can do to protect yourself.
If you’ve ever been a victim of account takeover fraud, you can certainly see the benefit in increasing your prevention efforts. For those who haven’t, now is the time to prepare your defenses. Prevention, as they say, is the best medicine.
