How to slam the brakes on account takeover fraud

Account takeover fraud (ATO) took off after the pandemic began, likely because so many of us were at home, busily creating new online accounts to handle the work, shopping, banking, education and socializing that we suddenly couldn’t do in person.

Within this growing landscape of opportunities, ATO fraud quickly became one of the fastest-growing cybersecurity threats, hitting 22% of U.S. adults. While social media accounts are the most frequent targets, new avenues for ATO allow fraudsters to use an array of strategies for parting victims from their money and their data.


ATO costs businesses money, too, by damaging customers’ trust. On average, customers spent 60% less with a business in the year after an account takeover. Some customers never come back. In a March 2021 five-country survey of online shoppers by ClearSale, 84% said they would boycott a website that allowed fraud with their credit card — something that often happens when fraudsters hijack retail customer accounts.

Then there are the account exploitation tactics, where fraudsters hurt businesses by posing as customers. Fraudsters can use stolen credentials from one victim or many (synthetic fraud) to create new accounts to get discount offers or promo deals.

ATO fraudsters may also target businesses themselves. International revenue share fraud (IRSF) happens when fraudsters take over premium-rate numbers that businesses use to contact customers, often for two-factor SMS messages and voice calls, and then use scripts and bots to impersonate customers and generate 2FA calls. Each call costs the business a small amount, but with a large enough call volume and an unscrupulous phone service provider willing to share the haul, fraudsters can enjoy a high return on their investment in the scam.


Steps to prevent account takeover fraud

To avoid these negative outcomes, retailers don’t need to discover a way to stop all ATO fraud once and for all — something that’s unlikely to happen because fraudsters are always developing new tactics.

Instead, businesses can simply make their accounts harder and, therefore, more expensive to exploit. This reduces fraudsters’ ROI in attacking a business and encourages them to move along. Implementing the strategies below can make your business too costly to attack and can deliver additional benefits.

Implement tokenization, encryption or both

This is especially critical for data sent on unsecure networks such as public Wi-Fi and for data sent to and from employees via personal (rather than company-owned) devices. When account hijackers can’t see or decrypt the data, it has no value for them.

Payment data should already be tokenized or encrypted to comply with PCI-DSS requirements. Customer and employee account authentication data, customer loyalty point balances and other customer data should be protected this way as well, in transit and at rest.

Taking extra steps to shroud customer data from takeover artists can also reduce your likelihood of a data breach and the resulting brand damage and potential fines.

Support your IT department

You can do this with tools such as firewalls, antivirus software, spam filters and data encryption. These are investments your IT team needs to fight organized ATO fraud and other security threats to protect your customers and your business. Work with your IT leaders to develop a top-down culture of security that includes regular discussions and frequent training on safe online work practices so employees are less likely to unwittingly contribute to account takeovers.

Giving your IT team tools that automate fraud detection can also free them up for other initiatives like data unification and analytics. That, in turn, can help your marketing, merchandising, fulfillment, and customer service teams deliver a higher-quality customer experience that builds loyalty and increases lifetime customer value.

Strengthen your login credential requirements

For employees, customers and vendors with access to your internal systems, encourage unique passwords to make it harder for ATO fraudsters to credential-stuff reused passwords across websites. While we’re mentioning credential-stuffing prevention, consider requiring a username that’s something other than the user’s email address.

Adjust your password creation settings to require strong passwords that include a combination of letters, symbols and numbers to increase the amount of time it takes bots to guess the combination. Require users to frequently change their passwords, reducing the chance that a fraudster will eventually break them.

Offer multifactor authentication (MFA) options

Instead of relying on SMS texts and voice calls, add or switch to authenticator app codes, or codes sent via email. Why? SMS codes are easy to set up, but they’re vulnerable in at least three ways. First, if someone steals a customer’s phone, they can now authenticate via SMS. Second, old-school SIM-swapping scams are trending upward; these can put fraudsters in charge of a customer’s SMS authentication process even with no access to the customer’s phone. Third, SMS authentication carries the risk of IRSF fraud.

Keep your customers (and employees) in the loop

Send a user alert to the customer’s original email address whenever a user account’s contact information changes or there’s a password change request. The alert should include a way for customers to get immediate support if they didn’t make the changes themselves.

Review your transactional fraud prevention strategy

A combination of artificial intelligence and machine learning can detect both blatant and subtle order discrepancies that can indicate account takeover fraud.

For example, an order from a returning customer that exhibits totally different on-site behavior from past visits (and that comes from a different device and geography from past visits) can indicate ATO fraud, even if the user logged in using valid credentials. However, to avoid accidentally declining a customer who may have just moved and bought or borrowed a new device, orders flagged by the algorithm should go to a secondary review. The review findings can feed back into the ML so that your AI gets better at precisely identifying ATO fraud over time.


Conclusion: Stopping ATO fraud in its tracks

Individually, the above strategies can close gaps that allow fraudsters to score relatively easy ATO wins. Together, they can substantially reduce the amount of ATO fraud your business faces by creating multiple layers of protection that require too much time, effort and investment for fraudsters to get through. By fortifying your business in a way that makes ATO fraud a hassle, you can build a reputation as a retailer that fraudsters want to avoid.


Original article at: