Account takeover (ATO) fraud is big business for criminals, and it’s on the rise. One study found that ATO attacks on ecommerce retailers selling physical goods increased by 378% during the second quarter of 2020, compared to the same period in 2019. What’s driving this increase? In many cases, it’s personal data that’s all too easy to find online, and it doesn’t even need to be sensitive information like passwords in order to fuel ATO attacks.
Recent news about Facebook and LinkedIn user data underscores just how much material fraudsters have at their fingertips and how they can use even publicly available information to commit fraud. In April, news broke that personal data such as phone numbers, email addresses, birthdates and genders from more than 500 million accounts on each of the two social networks had been collected by data-scraping tools and shared on the dark web.
Facebook in particular took heat for not notifying users at the time the data-scraping incident was first reported, back in 2019. Both Facebook and LinkedIn have noted that the exposed data was shared by users and wasn’t the result of a breach of secured data. However, security experts quickly outlined a number of ways that the scraped data could be used to commit fraud.
The quantity of email addresses and phone numbers exposed by the data scrapers is particularly worrying, because scammers can target victims for phishing scams via email, text and voice calls to trick them into handing over login credentials and financial information. With those resources, they can take over social media, banking and retail shopping accounts. For example, by targeting Facebook users for phishing scams and stealing their login information, fraudsters then have access to any payment methods the victims have stored in Facebook for social shopping. They also have the ability to sign into the victim’s accounts at online retailers that allow for social logins.
With a bit of research, a scammer armed with a phone number and some other personal data can also commit SIM-swapping fraud by impersonating the victim to their cell provider’s customer service team to take over the victim’s phone number. Then they can get the victim’s messages and calls on a device in the fraudster’s possession, control any SMS-based two-factor authentication the victim has on their accounts and effectively hijack their identity. And because, as one observer noted, most people rarely change their phone numbers and email addresses, this kind of data has a long “shelf life” for fraud once it’s exposed.
How to stop account takeover fraud from hurting your online store
It’s clear that login credentials and social logins can be compromised by fraudsters with stolen data, so the first and simplest ATO prevention step is to review the way you handle customer authentication. If you require customers to sign in with a user ID and a password, consider implementing strong password requirements so their credentials are harder to crack. You can also encourage shoppers to choose a unique password for their store account, to reduce the risk of fraud if their reused password is leaked elsewhere.
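One way a store could implement the password requirements described above, as an added example that is not part of the original article and not ClearSale's code: a server-side policy check that enforces a minimum length, rejects passwords that appear on a known-breached list (the small COMMON_PASSWORDS set and the SAMPLE_RANGE_RESPONSE text are constructed stand-ins; the split into a 5-character SHA-1 prefix and 35-character suffix follows the k-anonymity shape of the Pwned Passwords range API), and refuses passwords built from the customer's own user ID or email. Function names and thresholds are this example's own choices.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed stand-in for a leaked-password deny list. A real store would
# load a large corpus of known-breached passwords or query a k-anonymity
# range service; these few entries only show the shape of the check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Constructed range-lookup response for prefix 5BAA6 (the SHA-1 prefix of
# "password"). The first suffix is the real one for "password"; the counts
# and the other two lines are made up for this example.
SAMPLE_RANGE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:0
"""


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def sha1_range_key(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to a range-lookup service and the 35-character suffix matched locally,
    so the full hash never leaves the store's servers."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(password: str, range_response: str) -> bool:
    """Given the text a range lookup returned for this password's prefix
    (lines of SUFFIX:COUNT), report whether the password's suffix is listed."""
    _, suffix = sha1_range_key(password)
    for line in range_response.splitlines():
        listed, _, count = line.strip().partition(":")
        if listed == suffix and count.isdigit() and int(count) > 0:
            return True
    return False


def check_password(password: str, user_id: str = "", email: str = "",
                   range_response: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or (range_response and is_breached(pw, range_response)):
        problems.append("appears in a known-breached password list")
    # Reject passwords built from the account's own identifiers
    local_part = email.split("@")[0] if email else ""
    for label, ident in (("user ID", user_id), ("email", local_part)):
        if len(ident) >= 4 and ident.lower() in lowered:
            problems.append(f"contains the account's {label}")
    if len(set(lowered)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "alicesmith-2024!!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, user_id="alicesmith",
                                              range_response=SAMPLE_RANGE_RESPONSE) or "ok")
```

The breached-list check matters more than complexity rules: a password that is long but already in a leaked corpus is exactly what credential-stuffing tools try first, so the store should reject it at sign-up and at password change rather than only counting character classes.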
Social logins make store account access easy for customers, but they also mean that your customers can lose access to their account with your store if they ever close or are locked out of that social account. You may want to review your use of social logins, to see if the convenience for customers outweighs the cost of fraud due to compromised social accounts. Keep in mind that 44% of Australian shoppers in a March 2020 Sapio survey for ClearSale said they’ve abandoned purchases because of friction during the checkout process, so you need to balance safety with ease of use.
Regardless of how your customers sign in or check out in your store, it’s crucial to screen every order to authenticate the customer—even if they’ve been shopping with you for years. AI-driven fraud programs can quickly detect unusual behavior by existing customers to help spot ATO fraud. These algorithms can also evaluate first-time customers for potential identity theft.
When orders are flagged, they should go immediately to manual review, where experts can decide whether the order is legitimate or fraudulent. That avoids false declines that drive customers away for good. Among Australian consumers, 38% told Sapio they’d never shop again with a merchant that declined their order, and 22% would say something about the decline on social media. Only 8% said they’d never shop again with a merchant after a fraud experience with their store.
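The two preceding paragraphs describe a procedure: compare each order against the customer's own history, flag unusual behaviour, and route flagged orders to manual review rather than declining them outright. The following is an added illustration of that flow, not code from the article or from ClearSale's fraud programs, which use AI models rather than the hand-written rules shown here. The order fields, weights, threshold and the customer history are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Order:
    order_id: str
    customer_id: str
    placed_at: datetime
    device_id: str           # browser/app fingerprint (constructed identifier)
    ip_country: str
    ship_address: str
    payment_fingerprint: str  # tokenised card reference, never the PAN
    amount: float
    password_changed_recently: bool = False


# Weights and threshold are example choices; a real system tunes them on
# labelled outcomes and lets a model rather than fixed rules set them.
REVIEW_THRESHOLD = 50


def score_order(order: Order, history: list[Order]) -> tuple[int, list[str]]:
    """Score an order against the customer's prior orders.
    Returns (risk score, human-readable reasons for the reviewer)."""
    score, reasons = 0, []
    if not history:
        # First-time customer: no behavioural baseline, so only a small
        # bump here; identity checks would carry the weight instead.
        return 10, ["no order history (first-time customer)"]

    known_devices = {o.device_id for o in history}
    known_countries = {o.ip_country for o in history}
    known_addresses = {o.ship_address for o in history}
    known_payments = {o.payment_fingerprint for o in history}

    if order.device_id not in known_devices:
        score += 20; reasons.append("unrecognised device")
    if order.ip_country not in known_countries:
        score += 20; reasons.append("sign-in from a new country")
    if order.ship_address not in known_addresses:
        score += 25; reasons.append("new shipping address")
    if order.payment_fingerprint not in known_payments:
        score += 15; reasons.append("new payment method")
    avg_amount = sum(o.amount for o in history) / len(history)
    if order.amount > 3 * avg_amount:
        score += 15; reasons.append("amount far above customer's average")
    recent = [o for o in history if order.placed_at - o.placed_at < timedelta(hours=1)]
    if len(recent) >= 2:
        score += 20; reasons.append("order velocity: 3+ orders within an hour")
    if order.password_changed_recently:
        score += 20; reasons.append("password changed shortly before order")
    return score, reasons


def route_order(order: Order, history: list[Order]) -> str:
    """Flagged orders go to people, not to an automatic decline."""
    score, _ = score_order(order, history)
    return "manual_review" if score >= REVIEW_THRESHOLD else "approve"


# Constructed history for one established customer: same device, country,
# address and card over several months, modest order values.
HISTORY = [
    Order("o1", "c1", datetime(2021, 1, 5), "dev-A", "AU", "12 Example St", "card-1", 80.0),
    Order("o2", "c1", datetime(2021, 2, 9), "dev-A", "AU", "12 Example St", "card-1", 75.0),
    Order("o3", "c1", datetime(2021, 3, 14), "dev-A", "AU", "12 Example St", "card-1", 85.0),
]

# A repeat order that looks like the customer's own pattern.
ROUTINE_ORDER = Order("o4", "c1", datetime(2021, 4, 2), "dev-A", "AU", "12 Example St", "card-1", 90.0)

# An order with the classic takeover fingerprint: everything about the
# session and destination is new, and the value is far above the baseline.
SUSPECT_ORDER = Order("o5", "c1", datetime(2021, 4, 3), "dev-Z", "US", "99 Other Rd", "card-9", 600.0,
                      password_changed_recently=True)

if __name__ == "__main__":
    for o in (ROUTINE_ORDER, SUSPECT_ORDER):
        print(o.order_id, route_order(o, HISTORY), score_order(o, HISTORY)[1])
```

The reasons list is as important as the score: it is what lets a reviewer confirm a genuine customer (who may simply have moved house and bought a new phone) instead of declining them and losing them for good.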
Account takeover fraud shows the risks that merchants take if they assume that their customers—even established customers—are who they claim to be. That’s not an argument for treating shoppers with overt suspicion. Instead, it highlights the need to use best practices and technology to authenticate customer identity in real time for every transaction, even orders coming from longstanding customers, to protect their accounts and your revenue.