Account Takeover Fraud: All That Ecommerce Merchants Must Know
With chip technology making in-person credit card transactions more secure, scheming fraudsters are looking for new ways to defraud unsuspecting consumers and maximize their illicit returns.
One of these emerging threats is account takeover (ATO) fraud, which accounted for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021.
A type of identity theft, account takeover fraud occurs when a fraudster uses a piece of a victim’s identity, like their Social Security number or email address, to access and take over the victim’s account. Checking and savings accounts, brokerage, and even loyalty accounts can be compromised by fraudsters.
It’s no surprise that ATO fraud has become so prevalent. Despite every recommendation to create distinct, strong passwords for each account, over 50% of users have a single password for all of their accounts, and nearly 60% of scamming victims don’t change their passwords.
Certain high-risk industries, such as the travel and airlines industry, are particularly challenged by ATO fraud involving the theft of airline mileage reward points and credentials for travel websites, as well as travel-related database breaches.
To protect their businesses and their customers against evolving trends, ecommerce retailers need to understand the impact of account takeover fraud and implement strategies that will dissuade fraudsters from compromising innocent customers’ accounts.
What Account Takeover Fraud Is, & How It Happens
There are several ways fraudsters can take over an account, including:
1. Phishing scams
Phishing scams happen when a fraudster sends a link via email, text message, or even social media that imitates a well-established website interface and so seems trustworthy. When the user clicks on the link, it automatically installs software that gives the fraudster access to the user's device. That software is referred to as malware.
2. Installing malware
When fraudsters install malware, or “malicious software,” on a victim's computer, it lets the fraudster capture keystrokes as the user enters login IDs, passwords and emails. Using that data, fraudsters access the victim's accounts and make fraudulent purchases. More than 450,000 new malware programs are identified every day and the total number of malware programs is over 1.3 billion.
3. Stealing credit card data
Fraudsters can capture a victim’s credit card data any number of ways — using a skimming device, copying the number at the point of sale or simply stealing the physical card — and then impersonating the victim to make card-not-present purchases.
4. Hacking mobile phones
With the rise of mobile wallets, enterprising hackers are increasingly setting their sights on hijacking mobile phones. Once fraudsters have access, it’s easy for them to compromise any financial accounts that are accessible on the phone. Controlling the victim’s cell phone also gives fraudsters the ability to intercept confirmation calls from banks and other financial institutions and to approve charges and changes to accounts.
After they’ve taken over an account, fraudsters frequently change the account’s contact information and reroute all communication about the account to the fraudsters. The longer the legitimate customer doesn’t realize they aren’t receiving transactional or statement notifications, the more time the fraudster has to drain the accounts.
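The post-takeover pattern described above (contact details changed, then the account is used) can be checked for in account event logs. The following is an added example, not part of the original article or any vendor's product; the event names, the 72-hour window, the 24-hour device-age threshold and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumed review window after a contact change
CONTACT_CHANGES = {"email_change", "phone_change", "address_change"}

# Constructed sample events (not real data): (account, ISO time, event, device)
EVENTS = [
    ("alice", "2024-03-01T09:00", "login", "dev-a1"),
    ("alice", "2024-03-02T10:00", "purchase", "dev-a1"),
    ("bob", "2024-03-01T08:00", "login", "dev-b1"),
    ("bob", "2024-03-05T02:10", "login", "dev-x9"),
    ("bob", "2024-03-05T02:12", "email_change", "dev-x9"),
    ("bob", "2024-03-05T02:30", "purchase", "dev-x9"),
    ("carol", "2024-03-01T12:00", "login", "dev-c1"),
    ("carol", "2024-03-03T12:00", "email_change", "dev-c1"),
    ("carol", "2024-03-03T13:00", "purchase", "dev-c1"),
]

def find_takeover_signals(events, window=WINDOW, known_after=timedelta(hours=24)):
    """Return alerts for purchases that follow a contact change from a new device."""
    first_seen = {}    # (account, device) -> first time the device was seen
    risky_change = {}  # account -> time of latest contact change from a new device
    alerts = []
    for account, ts, kind, device in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        seen = first_seen.setdefault((account, device), when)
        # A device counts as "new" until it has been on the account for known_after.
        is_new_device = when - seen < known_after
        if kind in CONTACT_CHANGES and is_new_device:
            risky_change[account] = when
        elif kind == "purchase" and account in risky_change:
            if when - risky_change[account] <= window:
                changed = risky_change[account].isoformat(timespec="minutes")
                # Hold for manual review instead of auto-declining the order.
                alerts.append({"account": account, "purchase_at": ts,
                               "changed_at": changed,
                               "action": "hold_for_review"})
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_signals(EVENTS):
        print(alert)
```

Carol's email change comes from a device that has been on her account for two days, so her purchase is not held; only the change made minutes after a first-seen device logs in is flagged.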
The Impact of Account Takeover Fraud on an Ecommerce Business
Stolen account information has proven to be far more valuable to fraudsters than stolen credit card data: It can hold its value on the dark web for over a month, while the value of stolen credit card numbers declines from $5 to pennies in just two weeks. But customers aren’t the only victims of account takeover. Here are just a few ways that account takeover negatively affects online merchants.
1. Excessive chargebacks
When customers see purchases on their accounts that they don't recognize or didn't make, they usually contact their payment processor to request a reversal. From there, the payment processor will investigate the transaction and require proof that a legitimate purchase was made. If it's determined that the transaction should be reversed, the merchant must refund the amount of the transaction and pay an associated fee to the payment processor. That fee is called a chargeback.
The more fraudulent transactions a merchant approves, the higher their potential chargeback rate. If their chargeback rate with the payment processor exceeds a set threshold (typically 1%), the merchant will be subject to even more fees and may be placed on a chargeback monitoring program or become classified as a “high risk” merchant.
2. Increased false declines
Concerned that any transaction could be fraudulent, many merchants take the approach of denying every suspicious transaction in an attempt to protect revenue. They often use general filters and rules that automatically decline transactions based on address mismatches, transaction amount and other factors that may not necessarily indicate fraud. Unfortunately, this effort generally ends up rejecting legitimate customers and losing the value of future transactions. In our most recent Consumer Attitudes reports, we found that 40% of customers experiencing a false decline choose to never return to that merchant.
3. Inability to recoup losses
While credit cardholders are absolved of financial liability when their cards are used fraudulently, ecommerce merchants aren’t so lucky. They have no recourse for recouping lost products, revenue, and the fees and losses associated with chargebacks.
4. Added checkout friction
To filter out fraudulent transactions, some merchants may add security features like two-factor authentication or required re-entry of credit card numbers. While these measures increase the likelihood that customers are who they say they are, they also add enough friction to the checkout process to potentially dissuade customers from making a purchase.
5. Damage to brand reputation
If an ecommerce merchant is the victim of a data breach and sensitive customer information is stolen, customers are less likely to trust the merchant in the future with their sensitive personal information. And honest customers who have their transactions declined are often vocal about their displeasure, taking to social media to share their negative experiences.
When we look at it from a generational perspective, Gen Z and millennials are even more likely to complain on social media. Given how critical those groups are to the future success of any ecommerce store, businesses need to approve as many orders as possible.
How Businesses Can Protect Customers From Falling Victim
With account takeover on the rise, ecommerce merchants can help customers avoid being a victim by encouraging them to:
- Change passwords regularly, and not use the same user name and password for every account.
- Review all credit card and bank statements regularly.
- Sign up for alerts when transactions exceed a certain dollar amount or when contact information changes.
- Not click on email links saying an account has been compromised and immediate action is needed.
- Turn on two-factor authentication when offered.
Balancing Speed & Security to Prevent Account Takeover Fraud
In the fast-moving world of ecommerce, merchants want to approve as many transactions as possible — as quickly as possible. But balancing speed and security isn’t easy.
One of the best ways to protect your business and your customers against the damaging effects of account takeover fraud is by reviewing every transaction and ensuring only legitimate ones are approved. That’s when ecommerce merchants need the right fraud protection solution in place.
ClearSale’s Total Protection Solution combines proprietary machine learning technology and a unique high-tech manual review process to help you reduce the number of false declines that can cost you sales and customer relationships. And if you’re worried about expensive chargebacks, we can help protect against those, too.
Contact us today to learn how our managed services solution guarantees your customers will never be inconvenienced again.