Account Takeover Fraud – How it Happens and How to Prevent It!

Account Takeover Fraud

E-commerce businesses are looking forward to a COVID-19 related boom during the 2020 holiday season.

But the expected 35% increase in online sales compared with the same period in 2019 will also be a great opportunity for fraudsters – particularly those who specialize in account takeovers.

What is Account Takeover (ATO) Fraud

ATO is the online version of identity theft.

Fraudsters use bots – or the dark web – to gain access to an individual’s log-in credentials (username and password) for a particular website, and are then able to use that account as their own.

Worse, they can use the same bots to test those credentials against numerous other sites – specifically targeting banks and e-commerce businesses.

Why Criminals Love ATO Fraud

Because so many people still use the same credentials across many different sites, these attempts are often successful.

Once logged in, posing as the true account holder, fraudsters may then make unauthorized purchases using card details held online, transfer money to another account or amend mailing and shipping addresses – in fact, do anything that the legitimate customer can do.

And while it’s true that the initial cost of the fraud will fall on the account holder, the long-term cost to you as a merchant can be disastrous in terms of chargebacks and brand reputation.

How to Prevent ATO Fraud

The good news is that you can protect both your customers and your business by –

  • deploying software that monitors the IP addresses of visitors and limits the number of log-in attempts they can make against your site;
  • using an address verification service (AVS) and a payment card security protocol such as 3D Secure 2.0;
  • employing a two-factor log-in authentication system – for example, a one-time code sent to a cell phone;
  • making available a strong password generating tool and encouraging its use; and
  • advising customers not to reply directly to emails purporting to come from you – and never requesting personal or account details by that means.
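As an added illustration of the first item in that list (monitoring IP addresses and limiting log-in attempts), and not code from the original article: a small Python detector run over a constructed log of log-in attempts. The log format, the thresholds and the addresses are all assumptions; a real deployment would feed it from the site's own authentication log and tune the limits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, client IP, username, result (not from a real system).
SAMPLE_LOG = """\
2020-11-27T10:00:01 203.0.113.5 alice FAIL
2020-11-27T10:00:02 203.0.113.5 bob FAIL
2020-11-27T10:00:03 203.0.113.5 carol OK
2020-11-27T10:00:04 203.0.113.5 dave FAIL
2020-11-27T10:01:10 198.51.100.9 frank FAIL
2020-11-27T10:01:40 198.51.100.9 frank OK
2020-11-27T10:02:00 192.0.2.10 grace FAIL
2020-11-27T10:02:05 192.0.2.11 grace FAIL
2020-11-27T10:02:10 192.0.2.12 grace FAIL
2020-11-27T10:02:15 192.0.2.10 grace FAIL
"""

WINDOW = timedelta(minutes=5)  # sliding window for the per-account failure counter (assumed)
MAX_USERS_PER_IP = 4           # distinct accounts tried from one address over the log (assumed)
MAX_FAILS_PER_USER = 4         # failed log-ins against one account inside WINDOW (assumed)

def exceeds(times, limit, window):
    # True if at least `limit` timestamps fall inside some span of length `window`.
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False

def analyse(log_text):
    """Return (ips_to_block, accounts_to_lock, successful_logins_from_blocked_ips)."""
    users_by_ip, fails_by_user, successes = defaultdict(set), defaultdict(list), []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        users_by_ip[ip].add(user)
        if result == "OK":
            successes.append((ip, user))
        else:
            fails_by_user[user].append(datetime.fromisoformat(ts))
    # One address cycling through many accounts is the credential-stuffing signature.
    block_ips = {ip for ip, users in users_by_ip.items() if len(users) >= MAX_USERS_PER_IP}
    # Many failures against one account, from any mix of addresses, is an attack on that account.
    lock_users = {u for u, ts in fails_by_user.items() if exceeds(ts, MAX_FAILS_PER_USER, WINDOW)}
    # A successful log-in from a blocked address is the probable takeover: step up to a second
    # factor or re-verify before the session may change addresses or pay with a stored card.
    suspect = [(ip, u) for ip, u in successes if ip in block_ips]
    return block_ips, lock_users, suspect
```

Note that the per-account counter catches the distributed case (the attempts on `grace` come from three addresses, none of which trips the per-IP rule), which is why both counters are needed.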