Every week, over a quarter (26%) of companies are targeted by account takeover fraud.
Account takeovers – which involve fraudsters gaining access to your business’s, or your customers’, accounts to engage in further illicit activity – can be hugely damaging.
They can lead to data breaches, to increased chargebacks, and – as a consequence – can cost you your relationships with your employees, your customers, and even your payment service provider (PSP). This comes with knock-on effects of both a financial and a reputational kind: bad news not only for customer loyalty, but for your sales, revenue, and public perceptions, too.
Fortunately, account takeover fraud is both preventable and detectable – providing you understand what it is, where it happens, and how hackers can gain access to your accounts.
We’ll explain all this below, as well as our top tips for detecting and preventing account takeover fraud – and how Checkout.com can help your business do both.
What is account takeover fraud?
Account takeover fraud happens when a cybercriminal gains unauthorized access to a legitimate user’s (perhaps you, or one of your customers or employees) online account.
Account takeover is a form of both credential theft and identity theft. After infiltrating an email account, social media profile, online shopping account, or even a bank account, the fraudster can use that access to commit further crime against the legitimate user and their network.
This could include draining that person’s bank account of funds, taking out loans under their name, or masquerading as them, through their social media profile, to defraud their friends and followers. Scammers can also make purchases under the real user’s name through ecommerce sites they have accounts with, and even leverage access to one stolen account to unlock others.
Worse still, account takeover fraudsters can change your passwords to lock you out of your online accounts or, more insidiously, quietly swap the recovery email address or phone number, add mail-forwarding rules, and switch off notifications so that the real owner never sees the alerts. Ultimately, account takeover scammers are looking to gain any information of either a personal (such as your name, address, and Social Security Number) or financial (such as your bank account details and debit or credit card information) nature.
So how do they do it?
How does account takeover happen?
Fraudsters use a variety of tactics to break into your business’s online accounts. One of the most common – not to mention one of the hardest to defend against – is social engineering.
Frequently cited as a factor in as many as 98% of cyberattacks, social engineering is when a fraudster uses knowledge of human psychology and behavior to trick you into giving up your personal or financial information, or that which could compromise your business.
Typically, a social engineer will first build rapport with you, whether over the phone, by email, or over chat, often pretending to be an employee of an organization you trust, before creating a sense of urgency or panic to pressure you into making an on-the-spot decision.
Phishing, in which a fraudster impersonating a legitimate organization sends you an email or SMS containing a malicious link or attachment (usually pointing at a look-alike login page that harvests your credentials, and sometimes the one-time code that goes with them), is one form of social engineering. And, in a business context especially, it can be particularly damaging: leading not only to compromised accounts, but to data breaches, reputational hits, and serious loss of revenue.
But account takeover fraud doesn’t always involve hackers tricking their way – a la the Big Bad Wolf in Little Red Riding Hood – into your accounts.
Sometimes, they simply huff, puff, and blow your house down. These strategies include:
- Brute force attacks, in which hackers use automated tooling to try large numbers of username and password combinations against your login page in a ‘trial and error’ approach: either many passwords against one account or, to stay under lockout thresholds, a handful of common passwords against many accounts (known as password spraying).
- Credential stuffing, in which hackers take username and password pairs leaked in data breaches of other websites and replay them, at scale, against your platform. This technique is based on the (often well-founded) assumption that people and businesses tend to reuse the same passwords across multiple different accounts, so a single successful login is all it takes.
- Malware, in which hackers infect your business’s computer network with keyloggers or spyware. These sit secretly on your devices: capturing keystrokes and screen activity, and extracting stored credentials (and often saved browser session cookies, which can let an attacker into an account without ever seeing the password or the MFA prompt) from affected computers and smartphones.
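To make the two automated techniques concrete from the defender's side, here is an added example, not code from the original article or from Checkout.com, that reads a small, constructed sample of login telemetry and separates the two patterns: a brute-force source produces many failures against a single account, while a credential-stuffing source touches many different accounts with a low hit rate. The log format, the thresholds and the IP addresses are all assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of login telemetry (not real data): timestamp, source IP, username, result.
# 198.51.100.7 hammers one account (brute force); 203.0.113.9 tries one password each against
# many accounts and lands one (credential stuffing); 192.0.2.5 is a user who mistyped once.
AUTH_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 alice FAIL
2024-05-01T10:00:01Z 198.51.100.7 alice FAIL
2024-05-01T10:00:02Z 198.51.100.7 alice FAIL
2024-05-01T10:00:03Z 198.51.100.7 alice FAIL
2024-05-01T10:00:04Z 198.51.100.7 alice FAIL
2024-05-01T10:00:05Z 198.51.100.7 alice FAIL
2024-05-01T10:01:00Z 203.0.113.9 user01 FAIL
2024-05-01T10:01:01Z 203.0.113.9 user02 FAIL
2024-05-01T10:01:02Z 203.0.113.9 user03 FAIL
2024-05-01T10:01:03Z 203.0.113.9 user04 FAIL
2024-05-01T10:01:04Z 203.0.113.9 user05 FAIL
2024-05-01T10:01:05Z 203.0.113.9 user06 FAIL
2024-05-01T10:01:06Z 203.0.113.9 user07 OK
2024-05-01T10:01:07Z 203.0.113.9 user08 FAIL
2024-05-01T10:01:08Z 203.0.113.9 user09 FAIL
2024-05-01T10:01:09Z 203.0.113.9 user10 FAIL
2024-05-01T10:02:00Z 192.0.2.5 bob FAIL
2024-05-01T10:02:10Z 192.0.2.5 bob OK
"""

WINDOW_SECONDS = 300  # events are grouped into fixed 5-minute buckets (an assumed window)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, succeeded)."""
    stamp, ip, user, result = line.split()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, user, result == "OK"


def analyse(log_text, fail_threshold=5, spray_threshold=8, max_success_rate=0.2):
    """Return (kind, ip, detail, compromised_users) findings, one per bucket and source."""
    fails = defaultdict(int)  # (bucket, ip, user) -> failed attempts
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        bucket = int(ts.timestamp() // WINDOW_SECONDS)
        stats = per_ip[(bucket, ip)]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["hits"].append(user)
        else:
            fails[(bucket, ip, user)] += 1

    findings = []
    # Brute force: one source repeatedly failing against the same account.
    for (bucket, ip, user), n in fails.items():
        if n >= fail_threshold:
            findings.append(("brute_force", ip, user, []))
    # Credential stuffing: one source trying many distinct accounts with a low hit rate.
    # The accounts it did get into are the ones that need a forced password reset.
    for (bucket, ip), stats in per_ip.items():
        rate = len(stats["hits"]) / stats["attempts"]
        if len(stats["users"]) >= spray_threshold and rate <= max_success_rate:
            findings.append(("credential_stuffing", ip, len(stats["users"]), stats["hits"]))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for finding in analyse(AUTH_LOG):
        print(finding)
```

The accounts listed in the last field of a credential-stuffing finding are the ones whose leaked password actually worked, so they need a forced reset and a session revocation, not just a rate limit on the source IP (which the attacker will rotate anyway).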
Where does account takeover fraud happen?
Account takeover fraud can happen wherever you, or your customers, have sensitive information saved online. This includes:
- Email accounts – especially in a corporate context. By gaining access to your business email account, hackers can essentially impersonate you: convincing your colleagues to disclose sensitive information, and using your privileges to access confidential data.
- Ecommerce accounts, where your customers have debit and credit card details saved for later use. By gaining access, hackers can engage in ecommerce fraud: making fraudulent purchases, accessing store credit, and even taking advantage of buy now, pay later (BNPL) schemes under the real account holder’s name.
- Social media accounts, which fraudsters can use to publish content under your brand’s name, or lure your trusting followers and partners into divulging sensitive information.
Impacts of account takeover fraud on businesses
Account takeover fraud doesn’t just affect your customers – it affects your business.
Here’s how.
Higher processing fees
Should your customer fall prey to a financially-motivated account takeover – for example, hackers purchasing goods through their account with your ecommerce business – they’ll end up raising any fraudulent transactions this leads to with their bank.
This is called a chargeback, or credit card dispute: the cardholder raises it with their issuing bank, which reverses the transaction through the card scheme. In all probability, the bank will side with your customer in a case like this, and issue a refund. This leaves you out of pocket not only for the goods the hacker ordered under false pretenses, but the revenue, too: in addition to a punitive chargeback fee.
Should this happen a lot, your business will not only incur higher processing fees, but potentially end up in the crosshairs of a dispute monitoring system (such as Mastercard’s Excessive Chargeback Program (ECP) or the Visa Dispute Monitoring Program (VDMP)), too.
And, should it keep happening, you could end up losing your relationship with your PSP, and being unable to accept credit and debit payments through a reliable, reputable company.
Loss of customers
When a customer has an account they hold with your business hacked, chances are they’ll be pointing the finger straight in your business’s direction. (Even, in all likelihood, if it was their fault, because of a weak, easily guessable, or reused password.)
This, coupled with a perception that your business’s platform is no longer safe or secure to use, can lead to a loss of confidence and trust not only in that platform, but in your brand as a whole. This can result in negative reviews, reputational damage, and – when that customer takes their custom elsewhere – to a direct impact on your business’s long-term profitability.
Reputational damage
If your business becomes known as a hotbed for account takeover fraud, it not only discourages new customers from signing up for accounts – it dissuades your existing customers from sticking with you. This can snowball to wider, negative perceptions (and even publicity) denouncing your business’s lackluster approach to security, which taints your brand’s image.
How to detect account takeover
Detecting account takeover (ideally, before it has a chance to impact on your business) requires constant vigilance. That means you’ll need to monitor your business’s transactions and account activity for unusual or suspicious behavior, such as:
- Login attempts from unfamiliar locations, devices, or IP ranges
- Changes to account settings (especially the email address, phone number, password, or shipping address) shortly after a login from a new device, or a spike in the number of failed login attempts
- Strange purchasing patterns (hackers often, for example, engage in card testing fraud to assess a stolen debit or credit card’s viability with multiple small transactions, then, if the card information is valid, use it to make a larger purchase)
- Abnormally high-value transactions (especially in the context of the specific account’s normal spending)
Effective account takeover fraud detection also requires you to implement risk rules: pre-defined triggers that, when met, suggest probable fraud. By raising that red flag immediately, you can catch account takeover fraud as it’s happening (or soon after it’s happened), allowing you to mitigate its impact on your business. (For example, voiding a fraudulent transaction before it’s settled to minimize the risk of it becoming a chargeback.)
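As an added example of what such risk rules look like in practice (illustrative code written for this article, not Checkout.com's product), the block below replays a constructed stream of events for one hypothetical account and fires the four signals listed above: a login from an unknown device or country, a change to the account's email address within 30 minutes of that login, a card-testing run of several tiny purchases followed by a large one, and a transaction far above the account's normal spend. Each alert is mapped to an action, so the large purchase can be voided before it settles. The field names, time windows, amounts and action names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed baseline for one hypothetical account: the devices and countries it normally
# logs in from, and its average order value. Not real data.
PROFILES = {
    "acct-1": {"devices": {"dev-phone-1"}, "countries": {"GB"}, "avg_amount": 40.0},
}

# Constructed event stream for that account, in the order the platform recorded it.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "account": "acct-1", "type": "login", "device": "dev-phone-1", "country": "GB"},
    {"ts": "2024-05-01T09:05:00Z", "account": "acct-1", "type": "purchase", "amount": 35.00},
    {"ts": "2024-05-01T11:00:00Z", "account": "acct-1", "type": "login", "device": "dev-unknown-77", "country": "RO"},
    {"ts": "2024-05-01T11:04:00Z", "account": "acct-1", "type": "settings_change", "field": "email"},
    {"ts": "2024-05-01T11:10:00Z", "account": "acct-1", "type": "purchase", "amount": 1.00},
    {"ts": "2024-05-01T11:11:00Z", "account": "acct-1", "type": "purchase", "amount": 1.00},
    {"ts": "2024-05-01T11:12:00Z", "account": "acct-1", "type": "purchase", "amount": 0.99},
    {"ts": "2024-05-01T11:20:00Z", "account": "acct-1", "type": "purchase", "amount": 480.00},
]

# What the fraud team wants to happen when each rule fires (hypothetical action names).
ACTIONS = {
    "new_device_login": "step_up_authentication",
    "settings_change_after_new_login": "lock_account_and_verify_owner",
    "card_testing": "void_and_block_card",
    "high_value_vs_baseline": "hold_for_manual_review",
}


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(events, profiles, new_login_window=timedelta(minutes=30),
             test_window=timedelta(minutes=15), small_amount=2.0, small_count=3,
             baseline_multiplier=5.0):
    """Replay events in time order and return (rule, account, timestamp, action) alerts."""
    alerts = []
    last_new_login = {}                   # account -> time of the latest unfamiliar login
    small_purchases = defaultdict(deque)  # account -> times of recent micro-purchases
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, t = ev["account"], parse_ts(ev["ts"])
        profile = profiles[acct]
        if ev["type"] == "login":
            if ev["device"] not in profile["devices"] or ev["country"] not in profile["countries"]:
                last_new_login[acct] = t
                alerts.append(("new_device_login", acct, ev["ts"]))
        elif ev["type"] == "settings_change":
            # Recovery-detail changes right after an unfamiliar login are the classic
            # lock-the-real-owner-out move.
            if acct in last_new_login and t - last_new_login[acct] <= new_login_window:
                alerts.append(("settings_change_after_new_login", acct, ev["ts"]))
        elif ev["type"] == "purchase":
            amount, recent = ev["amount"], small_purchases[acct]
            while recent and t - recent[0] > test_window:
                recent.popleft()
            if amount <= small_amount:
                recent.append(t)
            elif len(recent) >= small_count:
                # Several tiny purchases then a large one: card testing followed by cash-out.
                alerts.append(("card_testing", acct, ev["ts"]))
                recent.clear()
            if amount > baseline_multiplier * profile["avg_amount"]:
                alerts.append(("high_value_vs_baseline", acct, ev["ts"]))
    return [(rule, acct, when, ACTIONS[rule]) for rule, acct, when in alerts]


if __name__ == "__main__":
    for alert in evaluate(EVENTS, PROFILES):
        print(alert)
```

The rules are deliberately stateful: the settings-change rule only fires because an unfamiliar login preceded it, and the card-testing rule only fires once enough micro-purchases have accumulated inside the window. In production the profile would be learned from the account's history rather than hard-coded, and the windows and multipliers tuned against your own false-positive rate.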
To do all this, though, you’ll require a payment service provider that can support you with your business’s full breadth of fraud detection and prevention needs.
Here at Checkout.com, for example, we use machine learning algorithms to protect your business: feeding them with data of both legitimate and fraudulent transactions – constantly, and in real time – to help our AI distinguish between the two. With this in place, you’ll be able to scan automatically for transactional discrepancies, then feed these to your fraud team for manual review: a two-pronged, highly effective approach to account takeover fraud detection.
How to prevent account takeover fraud
We’ve discussed how to combat account takeover fraud as it’s happening – but what about before it happens?
Read on to learn how to prevent account takeover fraud from taking over your business.
Strong authentication factors
The best way to prevent account takeover fraud? Knowing your customer – which, essentially, means being as sure as possible that the person making the purchase is the owner of the account they’re attempting to transact from.
This isn’t just good practice from a fraud prevention standpoint either: depending on your business and jurisdiction, it may also be a crucial part of your obligations under Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. So how do you achieve it?
As a starting point, implement multi-factor authentication (MFA). MFA requires your customers to prove their identity with two or more independent factors when logging in or transacting; two-factor authentication (2FA) is simply the most common case, using exactly two. The factors should come from different categories:
- Things the person knows (such as passwords or the answers to security questions)
- Things the person has (such as a registered smartphone running an authenticator app, a hardware security key, or a one-time code delivered to a device they control)
- Things the person is (biometric information, such as fingerprints or face)
That said, MFA can lead to unnecessary friction at the checkout, and it won’t be necessary for all transactions. Here’s where risk-based authentication comes in. Also known as adaptive authentication, this approach triages transactions based on their perceived level of risk, then determines the appropriate level of authentication: low-risk transactions pass straight through, and only higher-risk ones are ‘stepped up’ to an extra factor. One caveat when choosing that factor: codes sent by SMS or shown in an authenticator app can still be phished and relayed in real time, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys are bound to your site’s origin and can’t be replayed elsewhere. Used dynamically, 2FA, MFA, and risk-based authentication are all excellent ways of preventing account takeover fraud.
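To show what the ‘something you have’ factor and the step-up decision look like in code, here is an added example (illustrative code written for this article, not Checkout.com’s implementation). It implements RFC 6238 time-based one-time passwords, the algorithm behind most authenticator apps, with a constant-time comparison and one step of clock-skew tolerance, then wraps it in a small risk-based policy that lets low-risk transactions through, challenges medium-risk ones for a code, and sends high-risk ones to review. The scoring weights, thresholds, profile fields and the secret (the RFC 6238 test-vector key) are assumptions for the example.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app shows for this time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
    """Constant-time check against the current step and +/- `drift` steps of clock skew."""
    candidates = (totp(secret, unix_time + k * step, step) for k in range(-drift, drift + 1))
    return any(hmac.compare_digest(candidate, code) for candidate in candidates)


def risk_score(txn: dict, profile: dict) -> int:
    """Assumed weights: unfamiliar device, unfamiliar country, unusual amount, new address."""
    score = 0
    if txn["device"] not in profile["devices"]:
        score += 40
    if txn["country"] not in profile["countries"]:
        score += 30
    if txn["amount"] > 3 * profile["avg_amount"]:
        score += 30
    if txn.get("new_shipping_address"):
        score += 20
    return score


def required_auth(score: int) -> str:
    """Assumed bands: below 30 passes, 30-69 is stepped up, 70+ goes to review."""
    if score < 30:
        return "none"
    if score < 70:
        return "step_up"
    return "block"


def authorise(txn: dict, profile: dict, secret: bytes, supplied_code, unix_time: int) -> str:
    level = required_auth(risk_score(txn, profile))
    if level == "none":
        return "approved"
    if level == "block":
        return "declined_for_review"
    if supplied_code and verify_totp(secret, supplied_code, unix_time):
        return "approved"
    return "challenge"  # prompt the customer for a code rather than declining outright


# Constructed profile and secret for the demonstration; the secret is the RFC 6238 test key.
PROFILE = {"devices": {"dev-phone-1"}, "countries": {"GB"}, "avg_amount": 40.0}
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = 1714557600  # arbitrary fixed timestamp so the demo is reproducible
    risky = {"device": "dev-new", "country": "GB", "amount": 30.0}
    print(authorise(risky, PROFILE, SECRET, None, now))               # challenge
    print(authorise(risky, PROFILE, SECRET, totp(SECRET, now), now))  # approved
```

`authorise` returns `"challenge"` when a code is required but missing or wrong, so the checkout flow knows to prompt rather than decline. A TOTP code proves possession of the seed at that moment, but it can still be phished and relayed within its 30-second window; for the highest-risk flows a FIDO2/WebAuthn credential is the stronger choice.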
For more information about the difference between 2FA and MFA – or to learn about the multiple forms of ID verification you can use to authenticate a payment – our guides will help.
Monitoring and auditing
We’ve discussed monitoring at length above, but – to truly equip your business with the tools to prevent account takeover fraud – you’ll need to be auditing, too.
This means, at a minimum, running regular security audits of your business’s systems, applications, and infrastructure to spot what vulnerabilities or weaknesses hackers could exploit there. You’ll also want to review your access control policies: making a note of who has access to your business’s most sensitive data and resources, and limiting this only to those who require this knowledge to do their job.
This means that, should your business fall prey to account takeover fraud, it will be harder for hackers to access the data that, if stolen or leaked, could do the most damage to your business.
Education and awareness
Remember social engineering schemes, and how instrumental a role they can play in account takeover fraud?
Well, the reason these schemes are so successful, their ability to prey on the innate characteristics and weaknesses of the human psyche, is also the best place to start defending against them. How? Through educating the humans of your organization.
By running regular cybersecurity awareness training for your team, you can arm them with vital knowledge around the latest social engineering and phishing trends and tactics: equipping your employees with the know-how to spot and report these fraud-enabling techniques.
Incidentally, this type of training forms part of your compliance obligations under PCI DSS v4.0, which became the only active version of the standard on 1 April 2024 (when v3.2.1 was retired): Requirement 12.6 mandates a formal security awareness program, and from 31 March 2025 that training must specifically cover phishing and social engineering. So there is even more reason to build cybersecurity education into your business’s strategy. (For more about the possibilities PCI DSS v4.0 presents, read our article.)
How to prevent account takeover with Checkout.com
What’s better than a fraud detection and prevention tool for combating account takeover?
One that comes built into – not bolted on to – your payment service provider. This way, there’s no additional integration needed, and no long-winded onboarding processes to wade through. Just a high-quality fraud prevention tool that protects your revenue, while allowing you to build frictionless payment flows for a slick, seamless customer experience.
Where can you find that? Checkout.com’s Fraud Detection Pro solution is a good place to start.
Fraud Detection Pro synthesizes robust risk rules with machine learning, enabling a tailor-made approach to monitoring, managing, and mitigating against activity like account takeover fraud. You can pick which types of transactions to challenge, and scale authentication up or down based on risk – streamlining manual reviews and minimizing false positives.
And, by adding extra information to your payment requests, you can build meaningful customer segments (based on geography, product risk, or purchase frequency, for example) to take a clever, customized approach to combating fraud. That won’t be limited to solely account takeovers, either, but the many different types of payment fraud out there: including that of the affiliate, true, and even the ‘friendly’ varieties.
Want to know more? Get in touch with Checkout.com’s team of fraud experts today for a friendly, no-obligation conversation about how we can meet your organization’s needs.