Fraudsters rapidly evolve their tactics as they look for the path of least resistance. How is account takeover fraud evolving?
Unfortunately, traditional fraud prevention methods tend to be reactive rather than proactive, which means businesses are always playing catch-up. As fraud prevention solutions become more sophisticated, so do the fraudsters. In 2015, EMV chips were mandated on credit cards because card fraud was rising steadily. Then in 2016, we saw a sharp uptick in card-not-present (CNP) fraud as fraud shifted to online channels. By 2018, fraud prevention solution providers had closed most CNP fraud opportunities, so fraudsters turned to account takeover (ATO) as a more effective channel to commit fraud.
Account takeover fraud is not new, but it is growing. In 2018, fraud losses due to account takeover were around $4 billion. By 2021 this number had grown by more than 200% and is estimated to be over $12 billion. So why haven't solution providers been able to offer a solution that outsmarts fraudsters and shifts their focus to a new approach?
Why Account Takeover Protection Needs to Be Top of Mind
ATO is Cheap for Fraudsters
Fraudsters love account takeover attacks because they are quick, easy, and profitable. Consumer passwords are readily available for purchase on the dark web, and fraudsters can buy thousands of login credentials for a few dollars. Additionally, despite consistent reminders, consumers reuse the same email and password combinations across multiple services, magnifying the value of each credential. ATO attacks are also easy to automate, minimizing the effort required of the fraudster. If we want to stop ATO, we must reduce the fraudster's ROI by making attacks more expensive and time-consuming.
Factor in the Non-Obvious Fraud Costs
When calculating fraud losses, most merchants look only at the value of the transaction and the associated fees. This is the obvious cost of fraud. But the non-obvious costs can be significant as well. They include the expense of fighting fraud and the operational resources from across the organization that are tied up in reviews and remediation. The less-obvious costs also include lost revenue from diminishing brand value. Customer lifetime value decreases because consumers are less likely to use services where they feel their information is not secure, and this is often compounded by the reputational damage of customers sharing their poor experience with friends and family. In addition to lost revenue, these consumers switch to competing services and further decrease a brand's market share.
COVID-19 Accelerated Digital Transformation and Fraud Opportunities
COVID-19 has fundamentally changed the way consumers interact with businesses. Consumers demand seamless customer experiences, and competitive forces push businesses to comply or lose valuable customers. Broad adoption of digital wallets and contactless payments had businesses scrambling to incorporate new payment methods. Many businesses were unprepared for these changes and, as a result, introduced weaknesses that were easy for fraudsters to exploit. In a 2021 study by the Ponemon Institute, 81% of fraud professionals polled felt their organizations were more vulnerable because of digital transformation efforts.
Sophisticated Account Takeover Types
Not all ATO is created equal. Some is relatively easy to defend, but three high-impact opportunities are proving particularly interesting (and lucrative) for fraudsters.
- Buy Now, Pay Later (BNPL): BNPL options have allowed consumers to make purchases that were previously not feasible for them. They provide an easy and fast credit line for underbanked consumers, but they also introduce an additional channel for ATO. A fraudster can gain access to a consumer account on a site that accepts BNPL, make a purchase and, because payment is delayed, the consumer won't see a charge until weeks after the transaction.
- P2P Payments: Peer-to-peer payments have grown tremendously in the last couple of years. They offer many benefits for consumers, such as speed, convenience, and minimal fees. While P2P payments are generally safe, they have introduced new ways for fraudsters to abuse the system. The ease of use of P2P payments means that when a fraudster gains access to an account, whether by hacking, phishing, or stealing a physical device, they can easily transfer funds to another account. Fraudsters are also using various scams to induce legitimate customers to transfer funds, and since most P2P payments are directly linked to bank accounts, once the money is sent it is nearly impossible to cancel the transaction and get the money back.
- Cryptocurrencies: Similar to P2P payments, crypto transactions are impossible to reverse. Once a fraudster gains access to a digital wallet through ATO or a targeted attack, it is easy for them to drain the account with no repercussions. The low-risk, high-reward nature of these attacks makes them attractive for fraudsters to keep exploiting.
Two Steps Every Business Should Take to Proactively Address Increased ATO Risks
Protect yourself before the transaction occurs
Companies that successfully combat account takeover proactively employ prevention tools that enable continuous adaptive trust. Multi-factor authentication (MFA) works well at the login phase, but it introduces friction for good customers and does not protect the whole transaction. SIM swaps and man-in-the-middle attacks allow fraudsters to circumvent MFA. Applying continuous adaptive trust beyond the point of login, at specific actions and even before checkout, ensures your customer remains trustworthy throughout the whole journey.
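To make the idea of continuous adaptive trust concrete, here is an added illustration (not code from the original article or from any vendor): a hypothetical risk policy that re-scores every sensitive action using session signals, so that a fresh MFA at login buys only temporary trust and a contact-detail change followed by moving money is treated as the classic ATO sequence. Action names, weights and thresholds are all assumptions.

```python
"""Continuous adaptive trust: re-score risk at every sensitive action,
not only at login. Hypothetical policy over constructed session data."""
from dataclasses import dataclass, field

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Actions a fraudster typically performs after taking over an account.
# Weights are illustrative assumptions, not a real vendor's model.
ACTION_RISK = {
    "view_balance": 0,
    "change_email": 3,
    "add_payee": 3,
    "change_shipping_address": 2,
    "p2p_transfer": 4,
    "checkout": 2,
}

@dataclass
class Session:
    user_id: str
    device_known: bool          # device fingerprint seen on this account before
    ip_country: str
    home_country: str
    mfa_passed_at_login: bool
    minutes_since_login: int
    events: list = field(default_factory=list)   # actions attempted so far

def score_action(session: Session, action: str) -> int:
    """Combine session signals with action sensitivity into one risk score."""
    score = ACTION_RISK.get(action, 1)
    if not session.device_known:
        score += 1
    if session.ip_country != session.home_country:
        score += 1
    # Changing the contact email and then moving money is the classic
    # takeover sequence; penalise the combination explicitly.
    if action in ("p2p_transfer", "checkout") and "change_email" in session.events:
        score += 3
    # MFA at login only buys trust for a short window; it decays afterwards.
    if session.mfa_passed_at_login and session.minutes_since_login < 10:
        score -= 2
    return max(score, 0)

def decide(session: Session, action: str) -> str:
    """Map the score to allow / step_up / block; thresholds are assumptions."""
    score = score_action(session, action)
    session.events.append(action)
    if score >= 7:
        return BLOCK
    return STEP_UP if score >= 4 else ALLOW
```

Run in sequence on one session, a known device with fresh MFA is allowed to transfer, while an unknown device on a foreign IP that changes the email and then tries a P2P transfer is stepped up and then blocked, even though it passed MFA at login.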
Implement Efficient Manual Review Processes
Manual reviews often get a bad reputation because they are slow and expensive and sit at the end of an inefficient workflow. While it is important to automate decisioning, manual reviews remain necessary as your last line of defense, both to stop fraud and to approve trustworthy customers. Technology has evolved to improve the internal process, and businesses should look for deep links into the relevant case data and demand a good reviewer UX to speed up the process.
While many rules and guidelines around COVID-19 are winding down, the rate of ATO will not go down with them. Businesses need to streamline their fraud operations as much as they did other operations during the pandemic. Only then will we convince fraudsters to move away from ATO.