Account takeover fraud is becoming an increasingly common form of cybercrime. If it continues to go relatively unchecked, it will keep affecting many eCommerce businesses that just can’t afford such risk or loss in today’s economic climate. So, how do we stop account takeover attacks in their tracks?
What Is Account Takeover Fraud?
Account takeover fraud takes place when a fraudster takes control of a business or individual account under false pretenses, posing as a genuine customer, client, or employee. These attacks are not limited to internal business accounts either, as fraudsters can infiltrate a range of accounts spanning subscriptions, bank accounts, and emails, all for the purpose of stealing sensitive information to reap a financial reward.
The process of account takeover fraud is relatively simple. First, the fraudster will gain access to the account using stolen credentials, likely changing the details upon entry to prevent the genuine owner from regaining access. Then, the fraudster will likely make fraudulent purchases using linked credit or debit cards and extract sensitive data to sell on to third parties. Around 24 million households in the U.S. have fallen victim to this type of fraud.
Bubbling to the Surface
Although not a new type of fraud, account takeovers have become increasingly prevalent in recent months, mainly driven by the resurgence of social media throughout the pandemic and the simplicity of the crime itself. SEON’s most recent report investigating account takeover attacks found that over half of all account takeovers are linked to an individual’s social media account. And, unfortunately, once fraudsters have gained access to a social media account, it is likely they will be able to use the information they have found to exploit many more of a victim’s private accounts.
Handing Over the Keys
Many may question how the infiltration of a social media account could spiral into significant financial losses for an individual. Unfortunately, it is simply an easy access point for fraudsters to retrieve the information they need to gain entry to a bank account. Often, financial accounts are protected by strong passcode barriers, requiring personally identifiable information to unlock the account. Sadly, the keys to this metaphorical Fort Knox, such as mobile phone numbers, email addresses, and dates of birth, can almost always be found within a social media account.
It isn’t just personally identifiable information that causes financial losses. With the rise in popularity of social media shopping came the linking of credit and debit cards to social accounts. Whilst customers worship the ease and convenience of this new eCommerce business model, fraudsters are cashing in on a quick win. Using bank details stored within social media accounts, fraudulent purchases can now be made without even leaving the social media site.
A Minefield for Merchants
Although individuals are often the target of account takeover attacks, the knock-on effect for merchants can be huge, a fact that is often overlooked by business owners. Once associated with a fraudulent attack, businesses may end up firefighting customer transaction disputes, putting great strain on operations and customer service teams. What’s more, the customers affected will require a refund, even if the product has already been dispatched to a fraudster’s address. This results in company losses and chargebacks, which are not usually small scale.
Sadly, many merchants can also suffer from declining customer retention due to lack of trust following an attack. Customers may cast blame upon a business for having poor online security protections, or substandard data protection measures, therefore reducing the likelihood of them transacting with the business in the future. Some customers may even display their lack of trust in a business following an attack on online review sites or social media, causing widespread distrust in a business within their customer community.
Stopping Account Takeovers in Their Tracks
Account takeovers are notoriously difficult to stop once an account has been compromised. That’s why it is vital for businesses and individuals to understand the risks, and learn how to spot an attack before it causes too much damage. As such, it’s always best to ensure that data protection practices are meticulously followed at all times. In doing this, businesses and individuals can limit the probability of being victimized by fraudsters.
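To make "spotting an attack" concrete, here is an added sketch (not from SEON or any product) that scans an account event log for the sequence described earlier: a login, a change of account details, then a purchase. The event names, the device-ID signal, the one-hour window, and the sample log are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (time, account, event, device_id)
EVENTS = [
    ("2024-03-01T09:00", "alice", "login", "dev-A"),
    ("2024-03-01T09:05", "alice", "purchase", "dev-A"),
    ("2024-03-02T22:10", "alice", "login", "dev-X"),
    ("2024-03-02T22:12", "alice", "email_change", "dev-X"),
    ("2024-03-02T22:20", "alice", "purchase", "dev-X"),
    ("2024-03-03T08:00", "bob", "login", "dev-B"),
    ("2024-03-03T08:01", "bob", "password_change", "dev-B"),
    ("2024-03-05T10:00", "bob", "login", "dev-C"),
    ("2024-03-05T10:30", "bob", "purchase", "dev-C"),
]

DETAIL_CHANGES = {"email_change", "password_change", "phone_change"}
WINDOW = timedelta(hours=1)  # assumed tuning value, not from the article


def flag_takeover_sequences(events, window=WINDOW):
    """Return (account, purchase_time) for each purchase that follows a login
    from an unseen device and a detail change, all inside `window`."""
    known = {}   # account -> devices treated as the owner's baseline
    state = {}   # account -> tracking data for a suspicious session
    alerts = []
    for ts, acct, kind, dev in sorted(events):  # ISO timestamps sort as text
        t = datetime.fromisoformat(ts)
        devices = known.setdefault(acct, set())
        if kind == "login":
            if devices and dev not in devices:
                # An unseen device is not trusted merely by logging in.
                state[acct] = {"start": t, "device": dev, "changed": False}
            else:
                state.pop(acct, None)
                devices.add(dev)  # first device seen becomes the baseline
            continue
        s = state.get(acct)
        if not s or dev != s["device"] or t - s["start"] > window:
            continue
        if kind in DETAIL_CHANGES:
            s["changed"] = True   # step two: details altered
        elif kind == "purchase" and s["changed"]:
            alerts.append((acct, ts))  # step three: spend after lockout
    return alerts
```

On the sample log only the second "alice" purchase is flagged; "bob" changes a password on his usual device and later buys from a new one without touching account details, so neither event completes the sequence.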
There are several additional measures to help businesses further minimize this risk across internal systems and company websites. First, companies can look to use SSL/TLS on pages that collect sensitive data or personally identifiable information. Similarly, businesses are advised to use encryption wherever possible, and to ensure that physical devices, such as company phones, laptops, and desktop computers, are physically secured at all times.
Some businesses may feel a need to go even further in their efforts to prevent account takeover attacks. The good news is that there are additional steps that can be taken. For example, businesses can hire white hat hackers to find vulnerabilities within systems, which could otherwise be exploited to conduct attacks. What’s more, businesses may feel it’s necessary to restrict user input to ensure that site code remains clean. However, it’s important to balance these security measures against user friction, so as not to put users off using a site.
The Time Is Now
Finding this balance can be difficult, but the task has recently been made easier through the advent of real-time, reliable modern fraud prevention solutions.
Without doubt, the time to tackle account takeover fraud is now. With attacks on the rise, education for both businesses and consumers is imperative to protect against operational, financial, and psychological distress.
PJ Rohall is Head of Fraud Strategy & Education at SEON. A seasoned professional with more than a decade working in the industry, PJ is also the co-founder of About-Fraud, a global community for fraud fighters that provides resources, news, and insights about fraud trends around the world.