Identity fraud is rampant today and it holds no prisoners when it comes to payments. If a fraudster gets hold of a consumer’s credentials, everything is at risk of takeover. Following the Covid-19 pandemic, with increasing numbers of consumers making first-time online purchases, we take a detailed look into the salient dangers associated with Account Takeover Fraud (ATO).

Account Takeover Fraud occurs when a fraudster gains access to an account that doesn’t belong to them, so they can make unauthorised transactions or other non-monetary changes. These can include changing login credentials or personal information to lock a consumer out of an account, requesting a new card, or adding a new authorised user.


The threat is real

Account Takeover Fraud has accelerated so much in recent years that the losses it causes grew from $4bn in 2018 to $6.8bn in 2019.  And this growth has only been exacerbated by COVID-19.  The expanded use of eCommerce shopping methods in the pandemic, and the resulting increase of personal information stored online, has seriously upped the ante for fraudsters. Why? Because more online data means greater potential profit, not to mention that fraudsters have leveraged consumer anxiety in relation to the pandemic to trick them into registering for false replicas of government websites, and a whole host of other fake information sources.


Detection complexity

Account Takeover Fraud essentially takes place behind a screen, making it notoriously difficult to detect. This is because the fraudster logs in with the genuine customer’s own credentials, so the activity rides on that customer’s positive shopping history and looks like normal login behaviour. Therefore, no red flag is raised.

As a result, account takeovers often aren’t spotted until it’s too late – typically around the time the customer puzzles over their bank statement or finds themselves locked out of their account.


Popular account takeover methods

So, how exactly do they do it, and how can you get ahead of the undetectable?  For a start, merchants must understand how data is stolen, what an attack might look like, and then act to mitigate the risks.

Below, we’ve broken down three of the most popular account takeover tactics, along with the steps you can take to defend against them:


  1. Phishing scams

    Phishing attacks are a cheap and easy way to secure consumer data automatically, making it a top fraudster favourite – indeed, pretty much everyone online these days has borne witness to the abundance of phishing attacks currently in operation. While they can range dramatically in sophistication, all have the same overall strategy: the scammer disguises themselves as a trustworthy entity, and then proceeds to trick the consumer into giving away personal or payment data online.

    Common phishing attack scams include emails offering merchant discounts, or promotions which trick consumers into entering their payment credentials or infecting their computer or phone with malware to steal payment or account data. It’s favoured so much so that, more recently, we’ve seen a rise in phishing attack variations, such as vishing (scams conducted over the phone rather than online) and smishing (scams using texts or SMS messages).


  2. “Pharming” digital campaigns

    Fake digital campaigns or websites (known as pharming) can be directed at individuals or companies. A fraudster can conduct account takeovers by building a fake website emulating an official company website, or by redirecting an authentic website’s traffic to a fake website, and then manipulating users into entering confidential information which is then stolen.

    In other cases, the fraudster assumes the identity of a superior body (such as a boss or a governing body). Under this guise, they ask those that report to them (i.e., junior members of staff or members of the public) to share sensitive information, or even carry out instructions like transferring funds.


  3. Stuffing credentials

    Next up, we have credential stuffing. This is when a fraudster takes a consumer’s login details stolen from one account and uses an automated tool (a bot running a script) to try those same details against other merchant sites, to see which of the consumer’s other accounts it can access. Unfortunately, this account takeover method is extremely popular since it takes advantage of the many consumers who reuse the same password across multiple accounts.

    It also means that, while your business may not have actually experienced a data breach, if another business has, yours could still be at risk. And this is critical, because many consumers use the same log-in details on different websites, which makes it easier for fraudsters to target merchants with fraudulent transactions that look legitimate.

    [Image: Account takeover fraud impacts both mobile and desktop devices]

So, how can merchants protect themselves and their customers from Account Takeover Fraud?


  1. Educate

    Educate both employees and consumers on the risks and signs of various phishing, vishing and smishing scams and other digital fraud campaigns. Show examples of how fake emails or promotions are designed to look real, and show customers how to check if a website URL is authentic. Remind your customers not to click on hyperlinks or URLs found in emails or text messages from unknown sources. Tell your customers how you will contact them, and that they should never give their payment or account details to anyone who contacts them outside of your usual channels.

    In addition, encourage your customers to use a different password for each of their accounts, and reinforce the value of doing so.


  2. Monitor

    Keep an eye out for email addresses and other identifying details that don’t match the information you expect from the consumer – no matter how legitimate the email may seem.

    Track failed login attempts, and device, location and IP address details that differ from known user information. Anti-fraud solutions can help you monitor and identify failed login attempts from different cards with the same email address, or from different IP addresses or devices. By implementing automated alerts and login rate limits, you can slash the rate of fraudulent transaction attempts.
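As an added example (not from the original post or from Credorax), this Python sketch applies the monitoring described above, and the credential-stuffing pattern from tactic 3, to a few constructed login events: one function flags a source IP whose failed logins spray across many distinct accounts within a short window, the other flags successful logins from an IP and device never seen before for that customer, which is where a step-up challenge would be triggered. The event fields, thresholds and customer profiles are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): (time, email, ip, device, success)
EVENTS = [
    ("2021-03-01T10:00:00", "alice@example.com", "203.0.113.7", "win-chrome", False),
    ("2021-03-01T10:00:02", "bob@example.com",   "203.0.113.7", "win-chrome", False),
    ("2021-03-01T10:00:04", "carol@example.com", "203.0.113.7", "win-chrome", False),
    ("2021-03-01T10:00:06", "dave@example.com",  "203.0.113.7", "win-chrome", True),
    ("2021-03-01T10:00:08", "erin@example.com",  "203.0.113.7", "win-chrome", False),
    ("2021-03-01T10:00:10", "frank@example.com", "203.0.113.7", "win-chrome", False),
    ("2021-03-01T11:30:00", "alice@example.com", "198.51.100.4", "ios-safari", True),
    ("2021-03-01T12:00:00", "alice@example.com", "198.51.100.4", "ios-safari", False),
]

# Constructed per-customer profile: IPs and devices seen on earlier successful logins
KNOWN_PROFILE = {
    "alice@example.com": {"ips": {"198.51.100.4"}, "devices": {"ios-safari"}},
    "dave@example.com":  {"ips": {"192.0.2.9"},    "devices": {"mac-safari"}},
}

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failed logins hit at least `min_accounts` distinct
    accounts inside a sliding time window: one IP trying a leaked credential
    list against many accounts is the credential-stuffing signature."""
    fails = defaultdict(list)
    for ts, email, ip, _dev, ok in events:
        if not ok:
            fails[ip].append((datetime.fromisoformat(ts), email))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:  # slide window forward
                start += 1
            if len({e for _, e in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def anomalous_successes(events, profile):
    """Flag successful logins where both IP and device are unseen for that
    customer: the 'differs from known user information' check."""
    return [(email, ip, dev) for _ts, email, ip, dev, ok in events
            if ok and email in profile
            and ip not in profile[email]["ips"]
            and dev not in profile[email]["devices"]]
```

In practice a flagged source IP would feed the rate limit and alerting described above, and an anomalous success would trigger the SCA/2FA challenge described under Defend.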


  3. Validate

    To prevent issues like POS cloning, merchants must make sure that no sensitive information is recorded on receipts. When validating online transactions, ensure you’re using both Card Verification Value 2 (CVV2) and Address Verification Service (AVS) to confirm your customer’s identity.


  4. Collaborate

    Of course, the payments industry is working to respond to the rise in account takeovers and other types of fraud used against merchants and their customers. Merchants and payment schemes, industry associations and consumer groups, should welcome the opportunity to share information on fraud trends and best practices to keep merchants and their customers aware and protected.


  5. Defend

    During an attempted account takeover, the fraudster often tries to add or change payment methods, contact details or passwords. Merchants using Strong Customer Authentication and 2-Factor Authentication security protocols can ensure that the customer is who they say they are, by challenging them to authenticate themselves securely. And your customers will be reassured that you’re taking every step to protect their data.


    Remember: there is a fine line to walk when heightening authentication measures – checkouts that are too stringent can deter genuine customers, but if they are too lax, fraudsters may slip through the net…


    By embracing next-generation solutions that do the heavy lifting for you, such as the Credorax Smart 3D Secure solution and Smart Guard, you can protect your business, your customers, and keep the payment part simple.

    For more information on how to protect your business against Account Takeover Fraud, and for details on our Smart 3D Secure solution, contact us at: