Criminals increasingly take over the retail accounts of legitimate consumers or use stolen identity data to create phony accounts that they use to commit fraud against online retailers. This criminal activity spikes during the holidays, when retailers’ fraud-prevention teams are stretched thin. Here are some ways to protect yourself.
Account takeover fraud and new account fraud rates are rising. Impostor attacks by organized criminals are targeting retail, travel, gaming and other verticals. False declines are on the rise, too, costing merchants far more than fraud. And the holiday shopping season, also a peak season for ecommerce fraud, is almost here. How can merchants sort out the fraudsters from the good customers this holiday season?
ATO, new account fraud and false declines by the numbers
Mobile ATO has increased 200% year over year for four years in a row, according to Experian. Javelin’s 2019 Identity Fraud Study reported $4 billion in ATO losses last year and new account fraud losses of $3.4 billion. ATO fraud also rose 31% during the 2017 holiday season. As the overall rate of ATO fraud keeps rising, there’s no reason to expect this holiday season will be different.
Simply tightening fraud-screening parameters won’t help merchants, and it can create a bigger problem: false declines. A new Aite research report sponsored by ClearSale found that in 2018, merchants lost $331 billion to false declines, 75 times more than the $4.4 billion lost to CNP fraud. And 62% of merchants surveyed for the report said their false decline rates rose over the past two years. The way to prevent false declines is to manually review all flagged transactions. But merchants’ manual review capacity is often strained during the holidays.
What’s the solution? To get ahead of ATO and new account fraud this holiday season, merchants must understand the threats and risks. From there, it’s possible to create a plan to weed out impostor shoppers without turning away good customers.
ATO threats to merchants take many forms
ATO can happen in many ways, and so can new account fraud. Both start with stolen information. In the case of ATO, it’s stolen login credentials. For new account fraud, it’s stolen identity data. Here are some of the ways that criminals can get that information.
- Buying stolen credentials and personal information on the dark web. The data breach reporting site Have I Been Pwned has found 8.5 billion compromised accounts, and the number is rising.
- Credential stuffing to break into accounts. There are at least 115 million to 250 million attempts to log in with stolen credentials every day, because thieves know most people use the same password for many sites. So, if a thief has the login credentials for your Amazon account, they’ll try those credentials on other sites. Maybe they’ll luck into your credit card, bank or email accounts.
- Calling customer service for a password reset. This is uncommon because it’s hard to scale, but it can cause major problems for high-profile victims. A teenage British hacker did this in 2015. The teen hacked the then-CIA director’s email account by tricking Verizon and AOL into sharing account and password reset data over the phone. Then he accessed sensitive documents about US operations abroad.
- Impersonating brands allows fraudsters to phish for credentials via social media, email and text messages. Credential phishing increased by 59% from the second half of 2018 to the first half of 2019. All it takes is a copied logo, a faked email sender name, and a copycat website with a URL close to the real brand. With these things, scammers can trick some customers into sharing their login, payment and contact data.
- Formjacking has been described as the online version of fuel-pump skimming. Criminals insert malicious code into a website to collect any data that visitors key into forms. The best known example of this was the wave of Magecart attacks in the second half of 2018, which hit Ticketmaster, British Airways and at least 800 other ecommerce sites worldwide. Formjacking is hard to detect and can be very costly. The Magecart attack on British Airways’ website exposed the data of half a million customers and led to a $230 million fine for violating GDPR. [GDPR is the General Data Protection Regulation, data-privacy legislation that took effect in the European Union in 2018.]
- SIM swapping gives thieves access to virtually all accounts that can be accessed on the victim’s phone. To pull off this scam, attackers need to know the victim’s phone number and wireless carrier. Then they can impersonate the victim or bribe a carrier employee to assign the phone number to a SIM card they control. SIM swapping made headlines recently when Twitter founder Jack Dorsey’s phone and Twitter account were compromised this way.
- Creating new accounts with merchants or banks requires stolen identity data—or the takeover of an email or bank account that might give thieves access to that information.
ATO poses special risks to merchants
ATO and new account fraud can bypass some fraud controls. For example, established customers may be subject to less intense fraud screening than new customers. After all, those accounts have been good in the past.
When victims discover their accounts are hijacked or their identities impersonated, it can be hard to report that to the merchant, because they’ve been locked out of their accounts. That’s one of the reasons it takes an average of 54 days for fraudulent new accounts to be detected and shut down.
Meanwhile, the customers who are locked out of their merchant accounts can’t make purchases. They may shop with the competition out of necessity. They may also abandon the merchants where their accounts were compromised even after the problem is fixed. Abandonment can lead to lower customer lifetime value, bad word-of-mouth and higher customer acquisition costs. And then there’s the cost of fraud-related chargebacks and damage to the merchant’s chargeback ratio.
How merchants can protect themselves from ATO and account creation fraud
There’s no one-step fix that will detect ATO and new account fraud. Layers of protection are the best approach for detecting fraud and preventing false declines. Merchants can take these steps to fight ATO and new account fraud:
- Manually review all flagged transactions. Don’t automatically reject those orders, to avoid an increase in false declines. Talking to customers on the phone can help sniff out ATO attempts.
- Arrange for outsourcing of manual review during sales peaks or year-round. This can maintain timely order approval and thorough screening.
- Screen orders from established customers. Look for recently updated contact and shipping information combined with a change in the type of items ordered, order value and/or shipping speed. Another fraud flag is an unusually rapid spate of orders placed from an established account. This can indicate that a fraudster is trying to steal as much merchandise as possible before getting caught.
- Use behavioral biometrics to detect changes in customer location, site navigation habits, phone handling and other fraud flags.
- Update the password requirements for customer account creation. Require longer, more complex passwords and encourage customers to choose a unique password for each account.
- Let customers know your brand will never ask them for their credentials via email, text or chat.
- Launch or outsource a brand monitoring program. Search out impostor social media accounts and websites that may be tricking your customers into giving up their credentials. For example, fraudsters hosted thousands of fake Fortnite websites in 2018 to scam gamers out of credentials and payment data.
- Implement continuous monitoring and code scans of your site, including third-party apps. This can detect malicious formjacking code snippets.
- Consider offering two-factor authentication via an authenticator app rather than SMS, which is vulnerable to SIM-swap attacks. Know that 2FA may increase friction and cart abandonment, especially during the holiday season when consumers are racing to complete their shopping. Monitor your cart metrics closely if you adopt 2FA.
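The screening signals listed above for established customers (a recent contact or shipping change combined with an unusual item type, order value or shipping speed, and a rapid spate of orders) can be written as a rule that routes orders to manual review instead of declining them. This is an added example, not code from the article; the `Order` fields, the thresholds and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Order:
    placed_at: datetime
    value: float
    category: str
    shipping_speed: str

# All thresholds below are illustrative assumptions, not values from the article.
def review_reasons(history, order, profile_changed_at=None,
                   change_window=timedelta(days=7), value_factor=3.0,
                   burst_window=timedelta(hours=1), burst_limit=3):
    """Return reasons to send `order` to manual review (empty list = no flag)."""
    reasons = []
    # Baseline uses only orders older than the burst window, so a fraudster's
    # own rapid orders do not become the account's "normal" profile.
    baseline = [o for o in history if order.placed_at - o.placed_at > burst_window]
    deviations = []
    if baseline:
        typical = sorted(o.value for o in baseline)[len(baseline) // 2]
        if order.value > value_factor * typical:
            deviations.append("order value")
        if order.category not in {o.category for o in baseline}:
            deviations.append("item type")
        if order.shipping_speed not in {o.shipping_speed for o in baseline}:
            deviations.append("shipping speed")
    changed = (profile_changed_at is not None and
               timedelta(0) <= order.placed_at - profile_changed_at <= change_window)
    # A deviation alone is not a flag: it must coincide with a recent change.
    if changed and deviations:
        reasons.append("recent contact/shipping change plus unusual " + ", ".join(deviations))
    burst = [o for o in history
             if timedelta(0) <= order.placed_at - o.placed_at <= burst_window]
    if len(burst) + 1 >= burst_limit:
        reasons.append(f"{len(burst) + 1} orders within {burst_window}")
    return reasons

# Constructed sample data: an established account with three modest orders.
T0 = datetime(2019, 11, 29, 12, 0)
HISTORY = [Order(T0 - timedelta(days=d), v, "books", "standard")
           for d, v in ((90, 25.0), (60, 40.0), (30, 30.0))]
NORMAL = Order(T0, 35.0, "books", "standard")
SUSPECT = Order(T0, 900.0, "electronics", "overnight")
BURST = HISTORY + [Order(T0 - timedelta(minutes=m), 30.0, "books", "standard")
                   for m in (20, 10)]

if __name__ == "__main__":
    print(review_reasons(HISTORY, SUSPECT, T0 - timedelta(days=1)))
```

The returned reasons are meant for the manual reviewer's queue; an empty list means the order passes this rule, not that it is free of fraud.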
Finally, keep up with the latest news on ecommerce fraud trends and prevention best practices. They’re always evolving, cat-and-mouse style. Merchants who keep tabs on fraud tactics, add layers of security and reduce false declines can beat fraudsters and keep good customers happy during the holidays and year-round.