What Is Account Takeover Fraud? Expert Prevention Tips and More

Morgan Ackley | Wednesday, January 24th, 2024 | 14 minutes

Account takeover (ATO) fraud is on the rise. Merchants and consumers alike are losing millions of dollars each year to ATO attacks. And the issue is only expected to worsen as fraudsters continue to find new ways to steal and abuse sensitive information.

Fortunately, there are ways to prevent an account takeover attack. Learn all about our expert tips for stopping this threat so you can protect your business and your customers.

Account Takeover Fraud Explained

Account takeover fraud is an attempt to gain unauthorized access to an online account. Once a fraudster gains access to an account, he or she can steal sensitive information about the account holder, make purchases, change account credentials, steal debit and credit card numbers, and more.

Did you know?

Most data breaches are caused by human error or system glitches. That’s why it’s important to regularly give your employees security training, keep all your software up-to-date, and invest in data loss prevention technology.

Types of ATO Attacks

Fraudsters use a number of methods to break into accounts. Most tactics are relatively simple and can be completed in a matter of seconds. We’ll cover the most common types and how to spot them.

Credential stuffing

Credential stuffing is an attack in which a fraudster uses a list of stolen username and password combinations bought on the dark web or obtained through data breaches to log into user accounts. Typically, fraudsters use bots — or software that can run automated tasks like logging into an account — to speed up the process.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple login attempts for different accounts within a short timeframe.
  • Spike in website traffic (an indication of bot activity).
  • Website experiences sudden downtime.

Brute force attacks

In a brute-force attack, fraudsters attempt to force their way into a user account by testing hundreds or thousands of passwords until the account unlocks. It’s similar to credential stuffing; however, fraudsters do not have any context or clues to help guess passwords.

Fraudsters may use random characters combined with common password suggestions to get into accounts. Typically, during this kind of attack, fraudsters only target one account at a time.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple logins with different usernames from the same IP address.
  • Logins for one account coming from multiple IP addresses.
  • Failed login attempts from sequential usernames or passwords (ex: password 1234, password 234, password 345, etc.).
  • Logins with a referring URL of someone’s mail or IRC client (an instant messaging chat system).
  • Referring URLs that contain the username and password in the following format: <http://user:password@www.example.com/login.htm>.
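The login-log indicators listed above for credential stuffing and brute-force attacks can be checked mechanically. The following is an added example, not code from the original article or from Kount; the event format, the five-minute window, the thresholds and the indicator names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed tuning values; adjust to your own traffic.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 5
MAX_USERS_PER_IP = 3
MAX_IPS_PER_USER = 3

# Constructed sample events: (ISO time, source IP, username, success, referrer)
SAMPLE = (
    [(f"2024-01-24T10:00:{i:02d}", "203.0.113.7", user, False, "")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [(f"2024-01-24T10:0{i}:30", f"198.51.100.{i}", "frank", False, "")
       for i in (1, 2, 3)]
    + [("2024-01-24T10:04:00", "192.0.2.10", "grace", True,
        "https://www.example.com/"),
       ("2024-01-24T10:04:10", "192.0.2.55", "heidi", False,
        "http://user:password@www.example.com/login.htm")]
)


def detect(events):
    """Return sorted (indicator, subject) findings for a list of login events."""
    findings = set()
    recent = []  # (time, ip, user, success) for events inside WINDOW
    for ts, ip, user, ok, referrer in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        recent = [e for e in recent if now - e[0] <= WINDOW]
        recent.append((now, ip, user, ok))
        fails_from_ip = sum(1 for e in recent if e[1] == ip and not e[3])
        users_from_ip = {e[2] for e in recent if e[1] == ip}
        ips_for_user = {e[1] for e in recent if e[2] == user}
        if fails_from_ip >= MAX_FAILS_PER_IP:
            findings.add(("many_failures_from_ip", ip))
        if len(users_from_ip) >= MAX_USERS_PER_IP:
            findings.add(("many_accounts_from_ip", ip))
        if len(ips_for_user) >= MAX_IPS_PER_USER:
            findings.add(("one_account_many_ips", user))
        # Referrer with a userinfo part; record the source IP, not the URL itself.
        parts = urlsplit(referrer)
        if parts.username or parts.password:
            findings.add(("credentials_in_referrer", ip))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```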


Phishing

Phishing is an attempt to get sensitive information by sending messages and emails that appear to be from a trusted source.

Let’s look at an example.

A fraudster sends a text message to Sally posing as a bank representative. The message claims that someone has tried to hack into her bank account and in order to fix the issue, she needs to log in. A link is included to a web page that looks exactly like Sally’s banking site. However, it is a fake site. When Sally logs in, she unknowingly gives her banking credentials to the fraudster.

What to watch for

  • Reports from customers about receiving unsolicited texts or emails containing links from your business.
  • Suspicious emails sent to your employees requesting sensitive information.

Identity theft

Identity theft happens when someone uses another person’s identifying information without permission — like name, address, phone number, and social security number — to commit fraud. Fraudsters often use this kind of information to impersonate a victim and manipulate customer service agents into helping them access the victim’s account.

Identity theft doesn’t just happen to your customers, either. It can happen to your business, too. Fraudsters may pose as employees to steal cash, get credit, or take out loans.

What to watch for

  • Unusual activity in your company’s credit report.
  • Changes in state business filings (like an address change).
  • Influx of calls to customer support staff.
  • Aggressive or manipulative customers contacting customer service agents.
  • Current scams targeting businesses and/or customers.

5 Ways Account Takeover Fraud Can Affect Your Business

ATO fraud can affect any online business. The consequences of just one attack can be severe and long-lasting. We’ve listed out the top five major impacts you should be aware of.

1. Damage your reputation.

Any kind of fraud can spark doubt in your customers, business partners, and payment processors. But account takeover fraud can be incredibly damaging to the trust you’ve spent years cultivating. And that’s because data is extremely valuable. What you do with it has a major impact on your business reputation.

For instance, most consumers hold businesses responsible for protecting their online presence — whether it be the data they provide or the accounts they use to log into a service. And if a data breach happens, those customers will most likely stop engaging with your brand for a long time, possibly forever.

2. Increase your chargeback rate.

An account takeover attack can cause a sudden spike in your chargeback rate. And here’s why. When fraudsters hack into customer accounts, they typically drain the accounts of monetary funds or loyalty points, buy goods, services, and gift cards using payment information stored on the account, transfer funds to another account, or sell account information online.

All of these fraudulent transactions could potentially lead to chargebacks. And if a fraudster launches a mass account takeover attack — affecting thousands of customers at once — you could face a dramatic increase in chargebacks and enrollment in a monitoring program.

Take this scenario for example.

Let's say you usually process around 1,000 transactions a month. And fewer than 1% of those become chargebacks. Your chargeback-to-transaction ratio is well within card brands' limits.

One month, you get hit with an ATO attack and suddenly you now have 1,000 unexpected transactions — all of which are unauthorized and result in chargebacks. Your ratio could shoot up to the double digits, which means you'll automatically be enrolled in a monitoring program.

3. Drain your revenue.

ATO attacks are a huge drain on your hard-earned money. In addition to the cost of chargebacks, you may have other expenses — such as reimbursing customers for services or lost value, repairing software systems, and hiring extra labor to address security issues. All these extra fees can add up quickly.

Plus, if customers no longer trust you, they likely won’t continue to shop with you, which in turn decreases your customer lifetime value.

4. Cause fines and legal issues.

Some of the most devastating effects of ATO fraud aren’t from chargebacks, lost revenue, or brand damage. State governments are starting to hold businesses accountable for account takeover attacks, leaving businesses with heavy fines and legal fees.

For example, attorneys general have begun to file lawsuits against national corporations that don’t adequately prevent fraud. These lawsuits claim that companies violate consumer protection laws when they fail to prevent cyberattacks. These cases are setting new precedents in consumer protection laws that could deeply affect your business.

5. Open the door for more fraud attacks.

Successful ATO attacks can expose weaknesses in your security systems and technology. And with that information, fraudsters can further target your business, potentially causing more damage. For example, if a fraudster hacks into your security systems and steals valuable customer data, that same person may come back later and try to hack into executive-level accounts.

How to Prevent Account Takeover Fraud

So what can you do to keep your customers and your business safe? Fortunately, you have options. We’ll cover all the steps you can take to prevent ATO fraud.

Did you know?

In a recent Kount survey, 60% of consumers admitted to reusing passwords across online accounts. As a result, these customers are at higher risk for an account takeover attack.

Simply requiring passwords is not enough to protect user accounts. You need to go a step further to truly give your customers the protection they need.

Boost website security.

Having a secure website is crucial to preventing ATO attacks, as well as other fraud threats. Don’t let your site become a liability. Invest in it.

Use firewalls.

Firewalls give you insight into your web traffic. You can filter out bad traffic — such as traffic from bots used for credential stuffing attacks — and get a better sense of who is visiting your site.


Use CAPTCHAs.

CAPTCHAs are tests to sort humans from bots. These tests typically require users to identify certain components of a picture or copy a string of text. When users sign up for a new account, require them to fill out a CAPTCHA.

Encrypt data.

Make sure your login pages are safe by encrypting passwords so that fraudsters can’t steal the information while it's in transit. Common encryption security protocols include HTTPS, TLS, and SSL.

Essentially, these protocols convert sensitive information — such as card numbers, social security numbers, and login credentials — into a code that is meaningless to anyone who might intercept it.

Use a secure web hosting platform.

When it comes to choosing your web hosting platform, do your research. Make sure you choose a provider that understands the security threats you face and is committed to keeping your site safe.

Clean up your website.

Fraudsters can use any database, application, or plugin on your website to hack into your systems. Delete any files or other items that you no longer use.

Perform regular security checks.

If your website has any vulnerabilities, fraudsters will be quick to find them. Schedule regular web security scans so you can address any issues.

Keep your software up-to-date.

Make sure you always update your software whenever a new patch or feature is released. Fraudsters can easily hack into systems that are outdated.

Limit user access and administrative privileges.

Not everyone takes website security seriously. Limit web admin access to certain employees in your organization and keep track of their responsibilities. Make sure you educate those employees about how to keep the site secure. Additionally, make your site administrators use two-factor authentication to log in.

Monitor account activity.

Subtle changes can often be the first sign of an attack. It’s common for users to forget passwords and change their personal information. However, when this activity happens in quick succession or in excess, it could be an ATO attempt.

Watch for suspicious activity.

Multiple failed login attempts, followed by requests to change personal information or login credentials, could be suspicious, especially if these attempts are made from different IP addresses or in new locations.

Limit login attempts.

Don’t give users unlimited attempts to log in. After 2-3 failed login attempts, deny further attempts for a certain amount of time, or lock the account and have the user call a customer service agent to resolve the issue.

Challenge unknown logins.

It’s not uncommon for customers to log in to their online accounts from different places. For example, if Jeff goes on vacation in a different country, he may try to log in to his streaming account at night. To make sure Jeff is actually the one logging in overseas, you can challenge him with additional security protocols, such as security questions or multi-factor authentication (MFA).
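The two controls above, limiting login attempts and challenging unknown logins, can be combined into one decision per attempt. This is an added example, not code from the original article or from Kount; the `LoginGuard` class, the 15-minute lockout and the use of a (device, country) pair to recognize a known login are assumptions.

```python
import time

MAX_FAILURES = 3            # the text above suggests 2-3 failed attempts
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


class LoginGuard:
    """Hypothetical per-account login policy: throttle, then step up."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time at which the lockout ends
        self._known = {}         # username -> {(device_id, country), ...}

    def decide(self, user, password_ok, device_id, country):
        """Return 'locked', 'denied', 'challenge' or 'allow' for one attempt."""
        now = self._clock()
        # Checked first so a correct password cannot bypass an active lockout.
        if now < self._locked_until.get(user, 0):
            return "locked"
        if not password_ok:
            count = self._failures.get(user, 0) + 1
            self._failures[user] = count
            if count >= MAX_FAILURES:
                self._locked_until[user] = now + LOCKOUT_SECONDS
                self._failures[user] = 0
                return "locked"
            return "denied"
        self._failures[user] = 0
        if (device_id, country) not in self._known.get(user, set()):
            # Unknown device or location: require MFA or security questions.
            return "challenge"
        return "allow"

    def confirm(self, user, device_id, country):
        """Remember a device/location once the user has passed the challenge."""
        self._known.setdefault(user, set()).add((device_id, country))
```

Because the lockout is keyed on the username, pair it with per-IP throttling so that failed attempts from one source cannot keep a legitimate user locked out.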

Communicate regularly with customers and employees.

Awareness is key to preventing security threats. Often, employees and customers are simply unaware of the scams out there or don’t notice small changes to their accounts. Keeping them up-to-date could be what prevents them from becoming a victim of an attack.

Send regular reminders and training.

Keep security top of mind for your employees by sending regular reminders about your web security policies, password requirements, and any other related information.

Additionally, you can send out fake phishing emails to test your employees’ knowledge about your security protocols.

Notify customers of account changes.

Communicate with customers often about their accounts. Send notifications whenever changes happen to their account — whether it’s a new password or address or login from a new location.

Implement strong login protocols.

Most customers fall victim to account takeover because they use weak passwords for their online accounts. But it’s still your responsibility to protect them. So what can you do?

Use authentication protocols.

Implement login protocols such as step-up authentication, MFA, or biometric verification for more secure logins. For example, whenever a user signs up for an account or logs in from a new device or location, you can require the user to provide an additional form of security — like entering a code sent via email or text.

Additionally, you can add biometric verification — face or voice recognition — as an alternative to passwords.

Implement password requirements.

If you’re going to require users to set up an account with a password, make sure they use strong passwords. Typically, strong passwords include a combination of lowercase and capital letters, numbers, special characters, and a length of 14 characters.

Want Help Fighting Account Takeover Fraud?

There’s only so much you can do on your own to prevent ATO attacks. It’s worth the investment to use fraud prevention technology. And that’s where we can help.

Kount is a leader in trust and safety technology. We’ve helped companies from all over the world stop fraud and prevent account takeover attacks. Our technology works in real time to stop threats as they emerge — which is key to staying ahead of fraud.

If you’re looking for help fighting fraud or developing a risk management strategy, take a look at our account takeover fraud prevention solution.



Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.