Account takeover fraud is a common threat across industries and can result in chargebacks, lost revenue, and brand damage. It can also lead to identity theft and other fraudulent activities.
Fraudsters use stolen credentials from data breaches and phishing attacks to access online accounts. They then use these credentials to commit fraud. Keep an eye out for changes in customer details that occur rapidly and in unusual ways.
Suspicious Transactions
Account takeover fraud occurs when fraudsters use stolen login credentials to access a customer’s online accounts. The fraudster can then take actions on the account, like making purchases, stealing credit card information, or tampering with data transfers between the front-end and back-end of the website.
Fraudsters often use phishing or social engineering tactics to obtain the victim’s credentials, which are then used to steal the account. Once the fraudster can access the customer’s account, they can tamper with data transfer timestamps and IP addresses to mask their activities.
Fortunately, there are some red flags to look for that can indicate fraudsters are taking over an account. One of these red flags is when the account owner suddenly requests changes to their email, phone number, or password. While many of these actions are legitimate, companies need the right systems for account takeover protection to detect suspicious activity and determine whether a change in personally identifiable information (PII) is coming from the real account owner or a fraudster. By doing so, businesses can avoid high chargeback rates, reputational damage, and lost revenue caused by account takeover.
Changes in Shipping Addresses
When fraudsters access someone’s account information, they can make illicit transactions. They can redeem rewards, credit cards, or frequent flier miles to their accounts; withdraw funds from bank accounts; place orders on shopping or delivery platforms; redirect unemployment, pension and Social Security benefits (in government benefit account takeovers); or sell stolen credentials and user account information on the dark web.
These activities often result in significant financial losses and can strain customer relationships. And when these activities are repeated over time, they can ultimately damage a brand.
Criminals typically steal accounts through data breaches, then publish or purchase fresh user credentials on the dark web. As a result, if a company’s users begin requesting changes in their account details (like email, phone number or address) and there is an accumulation of login attempts from new devices, this could be a warning sign of an account takeover.
Criminals also gain access to corporate accounts through phishing emails and malware. They may pose as a fellow employee, customer or vendor and trick employees into clicking on malware links and attachments.
Unusual IP Addresses
A person’s IP address is unique and can identify their location, which is important for various reasons. Some of these include accessing geo-restricted websites, receiving CAPTCHA requests, or getting notified by their Internet Service Provider about suspicious activity. But if someone’s IP is malicious, it can compromise your online security and functionality.
Criminals who gain unauthorized control of an account can use it to commit various crimes, such as stealing credit card information, draining bank accounts, and even committing business-to-business fraud or data theft. They can also read private messages, post to friends and family or publicly in your name, scam your contacts, and use resources on your device.
Detecting unusual login attempts and using a password manager to avoid reused passwords can help mitigate account takeover (ATO) attacks. However, the best way to protect against ATO is to prevent it from happening in the first place. That’s why it is important to know the warning signs, so you can recognize them when they occur.
Changes in Passwords
Account takeover fraud differs from identity theft in that the criminal gains access to a victim’s existing accounts rather than opening new ones in their name. However, the two share many of the same characteristics.
Fraudsters capture victims’ login information through phishing sites, malware infections, or by purchasing data from third-party breaches. They then use that information to attack a victim’s accounts using credential stuffing and brute force attacks. These automated attempts work to guess passwords, and once they get in, they can change account details and steal personal information or make unauthorized purchases.
Weak or reused passwords are what make these attacks so successful, and the most common consequence of account takeover for individuals is identity theft. Businesses also experience significant financial loss due to higher chargeback rates and inventory costs, and they may lose customer loyalty if the attack impacts their brand reputation. Both of these are preventable through multifactor authentication, educating employees on how to spot phishing and other threats, implementing robust security controls, and monitoring your customers’ accounts at every point in their digital journey.
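As an added example (not part of the original article), the sketch below shows how failed-login records can be used to tell the credential stuffing and brute force patterns described above apart: one source failing against many different accounts versus one source hammering a single account. The record layout, thresholds, and function name are assumptions, and the sample records are constructed using documentation-range IP addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (iso_timestamp, source_ip, username, success)
SAMPLE_ATTEMPTS = (
    [(f"2024-05-04T02:00:{i:02d}", "203.0.113.7", f"user{i}", False)
     for i in range(6)]                        # many accounts, one try each
    + [(f"2024-05-04T03:00:{i * 5:02d}", "198.51.100.20", "dave", False)
       for i in range(6)]                      # one account, many tries
    + [("2024-05-04T09:00:00", "192.0.2.15", "erin", False),
       ("2024-05-04T09:00:20", "192.0.2.15", "erin", True)]  # a typo, then success
)

def classify_login_failures(attempts, window=timedelta(minutes=5),
                            min_accounts=4, min_tries=5):
    """Return {source_ip: "credential_stuffing" | "brute_force"}.

    Thresholds are illustrative assumptions; tune them on real traffic.
    """
    recent = defaultdict(deque)   # ip -> recent (time, username) failures
    verdicts = {}
    for ts, ip, user, ok in sorted(attempts):
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        failures = recent[ip]
        failures.append((now, user))
        # Drop failures that have aged out of the sliding window.
        while now - failures[0][0] > window:
            failures.popleft()
        users = [u for _, u in failures]
        if len(set(users)) >= min_accounts:
            # Many distinct accounts from one source: stuffing pattern.
            verdicts[ip] = "credential_stuffing"
        elif max(users.count(u) for u in set(users)) >= min_tries:
            # Repeated guesses against a single account.
            verdicts.setdefault(ip, "brute_force")
    return verdicts

if __name__ == "__main__":
    print(classify_login_failures(SAMPLE_ATTEMPTS))
```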
Suspicious Activity
During account takeover fraud, a fraudster may make unauthorized transactions or steal funds from the bank’s customer accounts. This can lead to significant financial losses for the financial institution (FI) and the customer.
To prevent these losses, the bank should be able to identify suspicious activity and alert customers in real-time when a change is detected on their account. This can include unusual transaction amounts, reward points that don’t add up, password reset attempts that the customer doesn’t request, and login attempts from devices unknown to the user.
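The warning signs described above (a login from a device unknown to the user, followed by a password reset or a change of email, phone number, or address) can be correlated per account. The following is an added example, not code from the original article; the event layout, the one-hour window, and the rule that the first device seen for an account is its trusted baseline are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"email_change", "phone_change", "address_change", "password_reset"}

# Constructed sample events: (iso_timestamp, account, event, device_id)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "login", "dev-a1"),
    ("2024-05-03T09:05:00", "alice", "address_change", "dev-a1"),
    ("2024-05-01T10:00:00", "bob", "login", "dev-b1"),
    ("2024-05-04T02:10:00", "bob", "login", "dev-x9"),
    ("2024-05-04T02:12:00", "bob", "email_change", "dev-x9"),
    ("2024-05-04T02:13:00", "bob", "password_reset", "dev-x9"),
    ("2024-05-02T08:00:00", "carol", "login", "dev-c1"),
    ("2024-05-02T18:00:00", "carol", "login", "dev-c2"),
    ("2024-05-09T12:00:00", "carol", "phone_change", "dev-c2"),
]

def flag_takeover_candidates(events, window=timedelta(hours=1)):
    """Return {account: [sensitive events made from a device that first
    logged in less than `window` earlier]}.

    Assumption: the first device seen for an account is its trusted baseline.
    """
    known = defaultdict(set)   # account -> devices seen so far
    first_seen = {}            # (account, device) -> first login on a new device
    flagged = defaultdict(list)
    for ts, account, event, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "login":
            if known[account] and device not in known[account]:
                first_seen[(account, device)] = when
            known[account].add(device)
        elif event in SENSITIVE:
            seen = first_seen.get((account, device))
            # Flag only changes that closely follow a new-device login.
            if seen is not None and when - seen <= window:
                flagged[account].append(event)
    return dict(flagged)

if __name__ == "__main__":
    print(flag_takeover_candidates(SAMPLE_EVENTS))
```

Flagged accounts are candidates for step-up verification or a real-time customer alert rather than automatic blocking, since many detail changes are legitimate.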
Criminals typically access users’ accounts using stolen credentials published or sold on the dark web. This data is usually collected in data breaches targeting individuals and businesses. Once criminals have this information, they can take over social media and email accounts, shop or banking accounts, and government benefits like unemployment payments. They can then use these accounts to withdraw money, purchase items, or extract sensitive information for sale on the black market. This makes account takeover fraud one of the most dangerous and damaging types of cybercrime, and FIs must be able to detect it early.