New Trends in Account Takeover Fraud

It wasn’t surprising that when Equifax announced the compromise of more than 143 million records in September 2017, there was an almost immediate 53% increase in account takeover fraud.

Account takeovers are proving to be extremely profitable for fraudsters – and what’s even scarier are the new ways account takeover fraud is evolving. Here’s what eCommerce brands need to know.

Account takeover fraud occurs when a fraudster uses piece of a victim’s identity, like their Social Security number or email address, to gain access to and take over the victim’s account. It’s not just checking and savings accounts that are at risk. Even online shopping, brokerage and loyalty accounts can be compromised by fraudsters.

In 2018, account takeover fraud cost merchants and customers an estimated $5.1 billion worldwide, a 120% increase from 2017. And that number is expected to continue to grow in 2019, particularly as these three trends continue to emerge.

Trend 1: Cross-Account Takeover

In this version of account takeover fraud, criminals take over multiple accounts to perpetrate the theft. For example, a fraudster may take control of an unsuspecting customer’s account at a financial institution and then use the customer’s email account to steal funds from the compromised financial account.

Trend 2: Intermediary New-Account Fraud

Fraudsters are also using customers’ stolen data to open new accounts in the victim’s name. Fraudsters then use these new accounts to access and drain the victim’s existing financial accounts.

The frequency of this type of fraud exploded in 2018, affecting 1.5 million customers in 2017, compared with 400,000 victims the year before.

Trend 3: SIM Card Swapping

An even more complex new fraud scheme is on the rise, in which mobile phone store employees get involved with the theft. In this new ploy, the store employee exchanges the SIM card in the fraudster’s phone with the SIM card in the phone of an innocent customer. This gives the criminals full control of the victim’s mobile account. The fraudsters then take over the account by resetting passwords and intercepting the subsequent password reset texts and emails.

With the right victim, this can be especially lucrative: In early 2018, bitcoin trader Michael Terpin allegedly lost roughly $24 million in cryptocurrency when he fell prey to this scam.

How to Protect Against Account Takeover Fraud

As fraudsters are finding new ways to hijack customer identities, merchants must consider implementing smarter security solutions to protect both themselves and their customers. Here are a few ways to get started:

Encourage Customers to Change Passwords Regularly

The success of account takeover fraud relies on criminals having access to at least a few key pieces of customer data. But hackers are less likely to be successful at compromising accounts if a customer is regularly changing passwords and not using the same password for each of their accounts.

Have Customers Sign Up for Credit Card Alerts

Many credit card companies offer their customers alerts by email or text when a credit card transaction exceeds a certain amount or when a purchase is made online. These notifications can help stop account takeover fraud before it does significant financial damage to customers and retailers.

Add Two-Factor Authentication

Offer — and then encourage customers to use — two-factor authentication when placing orders. That way, even if a hacker has the password to access a customer’s account, they’ll still need full access to the customer’s mobile device or email to get the second code.

Be Cautious With Stored Payment Methods

While storing payment data makes for a simplified customer experience, it puts customers at increased risk if your website is compromised. Consider adding security measures that require customers to re-enter credit card information if your system notices changes to passwords, devices or browsers, or shipping or billing information.

Watch Order Velocity

If you notice a dramatic change to a customer’s ordering patterns — for example, they go from placing one order a month to several a week — hold the orders until you can confirm they’re legitimate.

Implement a Robust Fraud Prevention Solution

With data breaches showing no signs of slowing, merchants must take a proactive stance against fraud and eliminate the vulnerabilities in their e-commerce store. Using a combination of advanced artificial intelligence and highly trained analysts can make a big difference with reducing your risk exposure.

ClearSale has been using this combined approach for more than 16 years, protecting our clients while offering a seamless customer purchasing experience.

Our free download, “Merchant Guide for e-commerce Fraud Protection,” can help you identify what risks you face and the right solution for protecting your business, your profits and your good reputation.

Merchant Guide for E-Commerce Fraud Protection