Account Takeover Fraud: Detection and Prevention

Account Takeover (ATO) fraud is one of the main cyber-safety concerns that businesses must address heading into 2024. The statistics are incredibly alarming on the matter, with every new data report painting a grimmer picture.

Sift’s Q3 2023 Digital Trust & Safety Index, for example, reported that account takeover fraud attacks saw an increase of 354% year-over-year in Q2 of 2023.

These statistics are nothing short of alarming, especially for businesses, with 73% of those affected blaming the brand for improper data security and protection. The verdict seems unanimous from the public: businesses need to implement more robust measures to prevent account takeover fraud and protect their customers and users from the threat of identity theft and financial exploitation.

So, since we published a blog earlier this year on fraud detection and prevention in the business landscape, we thought an expansion on the matter appropriate. Technology is progressing at a breakneck pace, and scammers are developing new tricks so fast that even an eight-month-old guide can quickly end up insufficient. So, with that said, come along with EA and learn exactly what ATO fraud is, and how you can protect your customers and your business from the threat of these malicious attacks.

What is Account Takeover Fraud?

Account takeover fraud is pretty much exactly what the name suggests: someone unauthorized gaining access to an account under your name, or to an account made by a user on your service.

Take Amazon for example. Anyone with an Amazon account has their personal information, such as address and credit card information, among many other identifying credentials saved on Amazon’s servers.

The Importance of Account Takeover Fraud Detection and Prevention

If someone who is not you manages to gain access to your account, they now have all of your credentials at their disposal. Now this person can potentially use your Amazon account to make many purchases, have them sent to their preferred address, and leave you with the credit card bill. Such frauds are rampant in the e-commerce industry, and as the Sift report suggests, are growing drastically more common in Fintech.

Now think about every service and company that you have an account with, and that has your sensitive information saved in its database. Just like that, your data is in jeopardy from account takeover fraud attacks on other businesses, and other people’s data is at risk with your own business. The entire business ecosystem gets severely damaged thanks to these ATO attacks. Users become immensely concerned about their data and hold businesses accountable for any successful account takeover fraud attacks. Businesses, meanwhile, have to somehow deal with deterring account takeover fraud, while simultaneously worrying that their data might be compromised by an associated business.

Account Takeover Fraud can leave businesses stripped of their entire consumer base, and outside of major corporations, chances of recovery are very slim. And ignoring the PR disaster, there are severe legal consequences in store as well for businesses that fail to uphold a certain standard of user data security.

This is why it is up to us as a business community to band together and take action against identity theft and account takeover. It all starts at home, and if every business starts taking ATO fraud seriously, we can overcome this obstacle and move towards a fair and honest business world. Things are rarely that utopian, of course, but why not aspire for as close to an ideal scenario as possible?

Common Tactics Used to Commit Account Takeover Fraud

Credential Stuffing

Credential stuffing is when scammers and cyber-criminals use previously obtained stolen data, such as passwords, to try and access user accounts. As reported in a poll held on behalf of Google, 65% of Americans reuse passwords, particularly among online retail sites. 52% of Americans, meanwhile, incorporate publicly available personal information into their passwords, such as a relative’s name or their high school football team’s name.

These poor password safety practices are the primary reason why credential stuffing is so successful. People are either too lazy to come up with new, different passwords for every account, or they just find it more convenient to use the same one everywhere. Whatever the reason, the bottom line is that this lax attitude towards password management leaves a hole wide open for malicious actors to exploit.

Phishing Attacks

Phishing attacks are another very common tactic used by cyber-criminals. They send you an email that looks official, typically with a document or link attached that they intend for you to open, infecting your device with a virus that allows them to steal your data and use it to access your account. They may even pose as your bank, and ask you to log in from a fake link that just gives them your login credentials.

Phishing attacks are a tactic as old as email itself. Things have escalated to the point that banks have to consistently send users reminders that they will never directly contact any user through email. Unfortunately, there is still a sizable portion of the public that falls prey to such scams every year, and now with AI making these fake emails seem all the more legitimate, we cannot even rely on spelling and grammar mistakes as a telltale sign of a scam.

Brute Force Attacks

With sophisticated AI and algorithms easily accessible, the barrier to entry for becoming a hacker has been lowered considerably. Much like in movies like National Treasure, where they use software to try multiple password combinations until one works, reality has progressed to a point where it has become that simple.

When all else fails, scammers turn to simple brute force. They do not care who they hack, just that someone ends up hacked at the end of the day. So, just by playing the numbers game, eventually one or two accounts get breached by brute force. Now multiply this by however many thousands of scammers are constantly running software scripts to access user accounts, and you end up with hundreds of thousands of accounts affected.
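Credential stuffing and brute force leave different footprints in failed-login data, which is what lets a defender tell them apart. The following is an added example, not code from the original article: the event format, sample data and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

def make_sample_events():
    """Constructed failed-login events as (source IP, username attempted)."""
    events = []
    # One source trying a single leaked password against many accounts.
    events += [("203.0.113.9", f"user{i}") for i in range(30)]
    # One account receiving many password guesses.
    events += [("198.51.100.4", "carol")] * 25
    # An ordinary user mistyping a password twice.
    events += [("192.0.2.10", "dave")] * 2
    return events

def classify_failures(events, min_accounts=20, max_per_account=3, min_guesses=20):
    """Separate the two patterns in a window of failed logins.

    Credential stuffing: one source, many accounts, few tries per account.
    Brute force: many tries against the same account, counted across all
    sources so that guessing spread over several IPs is still caught.
    Thresholds are illustrative assumptions, not recommended values.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    per_user = defaultdict(int)
    for ip, user in events:
        per_ip[ip][user] += 1
        per_user[user] += 1

    findings = {"credential_stuffing": [], "brute_force": []}
    for ip, users in sorted(per_ip.items()):
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            findings["credential_stuffing"].append(ip)
    for user, failures in sorted(per_user.items()):
        if failures >= min_guesses:
            findings["brute_force"].append(user)
    return findings

if __name__ == "__main__":
    print(classify_failures(make_sample_events()))
```

A stuffing finding points at a source to rate-limit or challenge, while a brute-force finding points at an account to protect with lockout or a forced second factor.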

Social Engineering Attacks

A relatively niche, yet still relevant tactic is social engineering attacks. Cyber-criminals will contact unsuspecting users, and use various social manipulation tactics to try and squeeze out sensitive information. They could pose as a colleague, a law-enforcement officer, or anyone for that matter. After that, it is just a matter of whether they can coax you into surrendering information.

Things like online surveys, pirated software downloads, pharming, vishing, and many other tactics fall under the umbrella of social engineering. The bottom line is that they are trying to make you volunteer the information yourself without ever realizing it. And by the time you realize, you may have long fallen victim to identity theft and financial fraud.

A Multi-faceted Strategy for Account Takeover Fraud Detection and Prevention

Leveraging User-Behavior Analytics

One of the most efficient ways to counter account takeover fraud is by using user-behavior analytics. User-behavior analytics covers signals such as typical login times, known IP addresses, and login location data.

By implementing user-behavior-based security checks into your account security protocol, you can catch subtle signs of an illegitimate login. The software will raise a red flag if it detects unusual activity, and the business can lock the account down and contact the user to make sure it is them and not a cyber-criminal trying to access their information.

This manner of data security can seem a tad excessive, and perhaps not all your users will be happy with it, but it is a very effective measure to counter account takeover fraud. A little annoyance at login is far better than being defrauded for the sake of convenience.
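To make the idea concrete, here is an added example (not code from the original article) that builds a per-user baseline from the three signals named above and decides what to do with a new login. The login history, the one-hour tolerance and the action names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login history: (user, ISO timestamp, source IP, country code).
HISTORY = [
    ("alice", "2023-11-01T08:55:00", "198.51.100.7", "US"),
    ("alice", "2023-11-02T09:10:00", "198.51.100.7", "US"),
    ("alice", "2023-11-03T18:40:00", "203.0.113.20", "US"),
    ("alice", "2023-11-06T09:02:00", "198.51.100.7", "US"),
]

def build_baselines(history):
    """Collect the hours, IPs and countries each user has logged in from."""
    base = defaultdict(lambda: {"hours": set(), "ips": set(), "countries": set()})
    for user, ts, ip, country in history:
        entry = base[user]
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["ips"].add(ip)
        entry["countries"].add(country)
    return dict(base)

def assess_login(baselines, user, ts, ip, country, hour_slack=1):
    """Return (signals, action) for one login attempt.

    Actions (assumed policy): "allow", "step_up" (ask for a second factor),
    or "lock_and_contact" (lock the account and reach out to the user).
    """
    entry = baselines.get(user)
    if entry is None:
        return ["no_baseline"], "step_up"
    signals = []
    hour = datetime.fromisoformat(ts).hour
    # Circular distance, so 23:00 and 00:00 count as one hour apart.
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in entry["hours"])
    if nearest > hour_slack:
        signals.append("unusual_hour")
    if ip not in entry["ips"]:
        signals.append("new_ip")
    if country not in entry["countries"]:
        signals.append("new_country")
    # A new country plus any other anomaly is treated as a likely takeover.
    if "new_country" in signals and len(signals) >= 2:
        return signals, "lock_and_contact"
    return signals, ("step_up" if signals else "allow")
```

A single weak signal, such as a new IP in a familiar country, only triggers a second-factor prompt, which keeps the login friction described above limited to the cases that warrant it.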

Mandatory Two-Factor Authentication (2FA)

An old but almost infallible way to prevent account takeover fraud is two-factor authentication. Banks are among the few services that mandate the use of 2FA and are thus some of the most cyber-secure places on the internet.

A lot of the time, businesses prefer to leave the choice of activating 2FA to the user, with a disclaimer in the Terms of Service (ToS) that they take no responsibility for consumer ignorance. This works out for massive corporations like Amazon, who can shrug off any reputational damage from account takeover fraud and hold customers responsible for ignorance. However, small businesses do not have the luxury of telling their users that it’s their fault they got victimized.

All this will do is breed animosity among the user base and do great harm to your reputation. So, the best course of action in such scenarios is to instead mandate 2FA for your website. It may be a few seconds more hassle to log in for customers, but it greatly reduces the risk of account takeover fraud and can be a great argument in your favor if you come under regulatory scrutiny in case a breach happens. Remember, the authorities do not expect you to be infallible, they just expect you to have done everything you could to prevent a foreseeable situation.

Promote Cyber-Literacy and Spread Awareness

As we mentioned a little while ago, most people end up victims of identity theft and account takeover fraud because they lack the knowledge that it is possible. Many in the older generation, as well as teenagers, are not completely cyber-literate.

By cyber-literacy, we do not mean knowing how to operate gadgets. Rather, cyber-literacy is all about keeping yourself safe in the digital landscape. This means knowing how scammers and cyber-criminals operate and educating your users on how they can save themselves from being attacked.

Once people realize just how vulnerable a reused password leaves them, a good chunk will surely try to make an effort toward protection. Some people will choose to stay lax, of course; but by spreading awareness and telling people how they can stay safe, you drastically reduce the chances of account takeover fraud.

Just imagine how ineffective phishing would be if people were aware of the tricks to figuring out if they are being scammed. For example, they can check the email address of a business to make sure it is real. Some scammers use masking software to hide email addresses as well, in which case users can simply not engage the potential scammer and directly contact the business to find out the truth.

By informing people about these simple and effective tips, you are doing your due diligence as a business, and in general, making the business world safer for everyone. One word of advice we can give is that when spreading awareness, try to maintain an educational tone and not make your users feel self-conscious about their intelligence. A little tact goes a long way.

Conclusion: Paving the Road to an ATO Fraud-free Future

Ultimately, account takeover fraud will inevitably happen at some point. The point of this little discussion was not to solve the ATO fraud crisis but to get the word out to entrepreneurs that this is a problem that concerns them. We hope this proved an enlightening read, and as always, there is still much more to be said on cyber-security. But that’s for another day. Check out EA’s general accounting and bookkeeping services on your way out, and if your curiosity is piqued, you can schedule your very own consultation with EA CEO Haroon Jafree, veteran CPA, and learn how to keep your business’ accounting and other data safe from cyber-attack.