Account takeover fraud doesn’t make headlines like chargebacks but still significantly impacts business. It strains customer relationships, hurts brand reputation and increases the cost of fraud prevention for the company. Detecting these attacks requires a combination of the right people and tools.
Account takeover fraud (ATO) comes in many forms and is a major problem for businesses. It lets criminals monetize valuable data and customer loyalty points by gaining access to accounts such as email, social media and financial accounts. In most cases, attackers rely on “credential stuffing”: they purchase leaked credentials from the dark web and test them against many sites to find valid combinations of usernames and passwords. Continuous monitoring is vital to detecting this type of fraud early. Once fraudsters take over a consumer’s account, they can use it to carry out all types of unauthorized transactions, including stealing money from the bank account, shopping at fraudulent retailers or even making wire transfers. These transactions can have costly consequences for both the consumer and the company. In addition to monetary loss, these incidents can strain customer relationships and cause long-term damage to the brand.
The first sign that a business’s customers are being targeted is unusual communication patterns or a sudden change in account management actions, such as rapidly resetting passwords, changing contact information, or contacting organizations they have not previously been in touch with. Additionally, if a customer has a highly sensitive account with access to financial decision-making tools and online payments, any change in behavior should be a red flag.
Hackers can obtain login information for account takeover attacks from various sources, including huge lists of credentials purchased on the dark web or stolen in data breaches. Once they have these usernames and passwords, they can use bots to repeatedly attempt login combinations at various sites, such as banks, e-commerce, health insurance, or social media. This type of attack is called credential stuffing. Attackers can also use automated tools to guess passwords until they hit a valid one; this approach is known as password cracking.

Once inside an account, a fraudster can steal several things, from money to rewards and loyalty perks. They can also spy on accounts for reconnaissance and surveillance of customers and their networks. They can tamper with account settings, such as location or device details, or alter the billing address to make fraudulent purchases. Often, the first warning sign of an account takeover attack is an uptick in unusual or suspicious transactions. In addition, an unauthorized change to a customer’s shipping or pickup address indicates that someone else has taken over their account. An advanced security solution uses self-learning AI to understand each business from the inside out, so when activity deviates from “normal,” it automatically isolates suspicious accounts and neutralizes evolving threats.
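The two login-abuse patterns described above (credential stuffing, where one source replays a leaked list across many different accounts, and password cracking, where repeated guesses are aimed at a single account) leave distinct traces in an authentication log. The detector below is an added example written for this article; it is not code from the original page or from any vendor it mentions. The log lines, IP addresses, usernames and thresholds are all constructed for illustration and would be tuned against a real system’s baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One event per line:
# ISO timestamp, source IP, username, outcome.
AUTH_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice fail
2024-05-01T10:00:01 203.0.113.7 bob fail
2024-05-01T10:00:02 203.0.113.7 carol fail
2024-05-01T10:00:03 203.0.113.7 dave success
2024-05-01T10:00:04 203.0.113.7 erin fail
2024-05-01T10:00:05 203.0.113.7 frank fail
2024-05-01T10:30:00 198.51.100.9 alice fail
2024-05-01T10:30:20 198.51.100.9 alice fail
2024-05-01T10:30:40 198.51.100.9 alice fail
2024-05-01T10:31:00 198.51.100.9 alice success
2024-05-01T11:00:00 192.0.2.44 grace success
"""


def parse_log(text):
    """Turn the raw log into (timestamp, ip, user, outcome) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag a source IP that tries many *distinct* usernames in a short window,
    mostly failing: the signature of a leaked-credential list being replayed.
    Returns {ip: {"attempts", "distinct_users", "failures", "compromised"}}
    where "compromised" lists accounts the list actually logged into."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] == "fail")
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": failures,
                        # Accounts that accepted a replayed credential: candidates
                        # for a forced password reset and customer notification.
                        "compromised": sorted(e[2] for e in win if e[3] == "success"),
                    }
    return alerts


def detect_password_guessing(events, window=timedelta(minutes=10), min_failures=3):
    """Flag (ip, user) pairs where repeated failures against ONE account are
    followed by a success inside the window: a guessing attack that landed."""
    pairs = defaultdict(list)
    for ev in events:
        pairs[(ev[1], ev[2])].append(ev)

    alerts = []
    for (ip, user), evs in pairs.items():
        recent_fails = []
        for ts, _, _, outcome in evs:
            recent_fails = [t for t in recent_fails if ts - t <= window]
            if outcome == "fail":
                recent_fails.append(ts)
            elif len(recent_fails) >= min_failures:
                alerts.append({"ip": ip, "user": user,
                               "failures_before_success": len(recent_fails)})
                recent_fails = []
    return alerts


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("password guessing:", detect_password_guessing(evs))
```

Against the constructed log, the first detector flags 203.0.113.7 (six usernames in six seconds, five failures, one success against dave) and the second flags 198.51.100.9 for three failures against alice before a success. The genuine user grace triggers neither. The two detectors deliberately key on different things (distinct usernames per source versus failures per account), because a stuffing run can show only one failure per account and never trips a per-account lockout counter.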
Social engineering fraud is when criminals use psychological manipulation to trick their victims into sharing sensitive information or even transferring funds directly to them. Unlike hacking, which involves tampering with the software systems themselves, social engineering attacks are non-technical and can be carried out by email, phone, or in person. Fraudsters often impersonate employees, vendors, suppliers, customers or CEOs to gain their victims’ trust.
A key to preventing social engineering fraud is informing staff of the latest scams through various communication channels. It’s also important to refresh messaging and training regularly because scammers constantly update their tactics.
For example, a phishing attack may pretend to be from the IT department requesting access to an employee’s computer so they can “diagnose” a problem, or a caller might pose as an IRS auditor asking for sensitive banking or credit card information. The best way to fight social engineering fraud is by utilizing tools that can detect behavioral signals such as typing patterns, mouse movement and session length to differentiate real users from impostors.
Whether it’s a phishing, smishing, vishing or whaling attempt, all forms of social engineering fraud work by exploiting people’s natural tendency to be helpful and trust others. Fraudsters are counting on this, which is why it’s so important for companies to train their teams and utilize technologies such as adaptive multi-factor authentication that can detect social engineering attempts in real time.
Account Takeover by Hacker
As the name implies, account takeover fraud by hackers occurs when criminals gain access to a user’s credentials, including their password. Criminals obtain these credentials by stealing them directly, purchasing them on the dark web or harvesting them from data breaches, using bots that endlessly test username/password combinations on accounts until one of them works (also known as credential stuffing or card cracking), or even through old-fashioned phishing attacks and malware.
Once criminals have gained access to an account, they can do several things. The most common goal of account takeover by hackers is to steal money. This is done by changing and rerouting account transfer details, stealing credit card and bank account information, stealing rewards points, reselling subscription information and more. However, other reasons include reconnaissance (to spy on a target) and bypassing security controls like two-step authentication.
For businesses, the financial impacts are severe. Companies lose revenue from any monetary transactions made by the bad actors, may incur chargeback fees from customers and payment processors, and could even be banned by their payment provider if they experience too many account takeover attacks. The best defense against this type of account takeover is to ensure that the business has processes to detect changes to customer accounts and prevent hackers from exploiting them.
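The “processes to detect changes to customer accounts” called for above can be made concrete as a risk score over account-management events: a password reset, a new contact address and a new shipping address landing in quick succession, followed by a large purchase, is exactly the sequence the earlier sections describe. The scorer below is an added example written for this article, not code from the original page or any product it names. The event stream, account identifiers, weights, 24-hour window and thresholds are all constructed assumptions; a real deployment would calibrate them against its own fraud history.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-activity events (not real data):
# (ISO timestamp, account id, event kind, detail)
ACCOUNT_EVENTS = [
    ("2024-05-02T09:00:00", "acct-1001", "login", "device:known"),
    ("2024-05-02T09:01:00", "acct-1001", "password_reset", ""),
    ("2024-05-02T09:02:30", "acct-1001", "email_change", "new:mailbox@example.test"),
    ("2024-05-02T09:05:00", "acct-1001", "shipping_address_change", "new:forwarder"),
    ("2024-05-02T09:20:00", "acct-1001", "purchase", "amount:1899.00"),
    ("2024-05-02T14:00:00", "acct-2002", "login", "device:known"),
    ("2024-05-02T14:10:00", "acct-2002", "shipping_address_change", "new:home"),
    ("2024-05-05T11:00:00", "acct-2002", "purchase", "amount:45.00"),
    ("2024-05-03T08:00:00", "acct-3003", "shipping_address_change", "new:office"),
    ("2024-05-03T09:00:00", "acct-3003", "purchase", "amount:30.00"),
]

# Assumed weights: how strongly each sensitive change suggests an account is
# being repurposed by someone other than its owner.
CHANGE_WEIGHTS = {
    "password_reset": 2,
    "email_change": 3,
    "phone_change": 3,
    "shipping_address_change": 2,
    "payout_details_change": 4,
}


def score_account_changes(events, window=timedelta(hours=24),
                          review_threshold=5, high_value=500.0):
    """For each account, look at every purchase and total the weighted sensitive
    changes made in the `window` before it. A high-value purchase that follows
    any such change earns an extra 2 points. Returns {account: finding} with
    the highest-scoring purchase per account and the recommended action."""
    per_account = defaultdict(list)
    for ts, acct, kind, detail in events:
        per_account[acct].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    for acct, evs in per_account.items():
        evs.sort()
        best = {"score": 0, "triggers": [], "amount": 0.0, "action": "allow"}
        for ts, kind, detail in evs:
            if kind != "purchase":
                continue
            amount = float(detail.split(":", 1)[1])
            # Sensitive changes strictly before this purchase and inside the window.
            recent = [k for t, k, _ in evs
                      if k in CHANGE_WEIGHTS and ts - window <= t < ts]
            score = sum(CHANGE_WEIGHTS[k] for k in recent)
            if recent and amount >= high_value:
                score += 2
            if score > best["score"]:
                if score >= review_threshold:
                    action = "hold_and_step_up"      # hold order, require MFA / callback
                else:
                    action = "monitor"               # notify customer, watch the account
                best = {"score": score, "triggers": recent,
                        "amount": amount, "action": action}
        findings[acct] = best
    return findings


if __name__ == "__main__":
    for acct, finding in sorted(score_account_changes(ACCOUNT_EVENTS).items()):
        print(acct, finding)
```

On the constructed events, acct-1001 scores 9 (reset 2 + email 3 + shipping 2, plus 2 for the high-value order) and is held for step-up authentication; acct-2002 changed its shipping address three days before a small purchase, so the change falls outside the window and the order is allowed; acct-3003 scores 2 from a single recent address change and is only monitored. Scoring at the moment of the transaction, rather than at the moment of each change, is what lets the business block the monetary loss while still letting legitimate customers update their own details.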