Prevent Account Takeover Fraud

smiling woman shopping on laptop with here credit card out

Retailers encourage customers to create accounts to gather customer data that can be used to personalize marketing and help create a smooth, streamlined checkout experience for future purchases. However, fraudsters who gain access to these customer accounts can wreak financial havoc on customers and merchants.

Account takeover fraud (ATO) is a form of identity theft where bad actors gain access to online accounts and make legitimate-appearing changes to them in order to use the accounts to make fraudulent actions or purchases.

As retailers encourage customers to create accounts, it is imperative to emphasize the secure handling of sensitive information, including bank accounts, social security numbers, and credit card numbers, especially during peak seasons. Here’s what to keep in mind as you prepare for a surge in transactions.

What Is Account Takeover Fraud & How Does it Work?

Account takeover (ATO) fraud is a form of identity fraud and one of many types of eCommerce fraud where individuals gain unauthorized access to a user’s account and exploit it for various fraudulent activities. Here’s a breakdown of how account takeover fraud typically works:

Stolen Credentials: Fraudsters often acquire login credentials (username and password) from data breaches via phishing emails, malware, or purchases on the Dark Web. These stolen credentials may come from various sources, including previous data breaches on other platforms. Phishing is closely linked to ATO fraud and often serves as the primary method employed by cybercriminals to gain access to user’s accounts.
Credential Stuffing: Once fraudsters have a list of stolen account details, they use automated tools and techniques, such as credential stuffing. This involves systematically inputting these stolen credentials and account information, like logins, phone numbers, and passwords, into numerous websites and online services, exploiting the common practice of users reusing passwords across multiple accounts.
Automated Login Attempts: Hackers use automated scripts or bots to conduct a large number of login attempts using password combinations in a short period, trying to gain access to user accounts. Since many people use passwords across different platforms, attackers have a higher chance of successfully logging in with the stolen credentials.
Legitimate-Appearing Changes: Once inside an account, fraudsters make changes to avoid detection. These changes can include altering the account password, email account, and shipping address or adding an authorized user. Making these legitimate-appearing changes helps them maintain access to the compromised account without raising immediate red flags.
Fraudulent Actions and Purchases: With control over the compromised account, fraudsters initiate various fraudulent activities. Account takeover attacks can include making unauthorized purchases, changing account settings, or exploiting stored financial information.
Exploiting eCommerce Practices: In the context of eCommerce, fraudsters may exploit “Buy Online, Pick Up In Store” (BOPIS) or “Buy Online, Pick Up at Curbside” (BOPAC) options. They might set up proxy pickups or take advantage of lenient identification processes during in-store pickups, making it easier to receive fraudulently purchased goods.
Delayed Detection by Victims: Victims often don’t realize they’ve fallen victim to ATO until they notice unauthorized transactions on their account or are blocked from accessing their account due to changed passwords. If fraudsters operate within the typical behavior patterns of the account holder, detection becomes even more challenging.
Chargebacks and Financial Gain: Fraudsters may have purchases shipped to addresses associated with stolen credit cards and later initiate chargebacks, resulting in financial losses for both the retailer and the legitimate account holder.

This type of fraud is a significant challenge for businesses and consumers alike, requiring constant vigilance, cybersecurity measures, and user education to mitigate the risks associated with compromised accounts.

woman with head buried in hands after becoming victim of account takeover fraud

When does a customer realize they’ve been hacked?

Recognizing that their account has been compromised is a realization that often dawns on customers only after encountering telltale signs. The typical moment of awareness occurs when they observe unauthorized charges listed on their credit card statement or find themselves unexpectedly barred from accessing their account due to a changed password.

While credit card companies and financial institutions equipped with robust fraud detection functionality may promptly send customers notifications of any suspicious activity on their cards, the challenge intensifies when fraudsters operate discreetly within the established behavioral patterns of the account owner. Detecting an account takeover (ATO) becomes particularly elusive until conclusive evidence of fraudulent transactions surfaces across multiple victims’ accounts.

So, how can retailers protect customers from ATO attacks?

Retailers play a crucial role in safeguarding their customers from account takeovers (ATO), and implementing comprehensive strategies is essential. Here are five key measures that retailers can adopt to protect customers from ATO and phishing attacks:

Customer EducationLaunch an educational campaign to raise awareness about account takeover risks. Many customers may be unaware of the threats associated with using the same password and other sensitive information across multiple accounts. Encourage strong password practices and consider educating customers about the benefits of two-factor authentication, multi-factor authentication (MFA), or biometric authentication for enhanced security.As part of customer education, it is crucial to raise awareness about phishing scams that aim to compromise personal data, including credit card numbers, social security numbers, and other sensitive information. Empowering customers to use secure practices and robust tools, such as a reliable password manager, contributes significantly to the overall protection of their personal data.
Employee Training for In-Store PickupsTrain retail associates to be vigilant during in-store pickups, especially for orders placed through “Buy Online, Pick Up In Store” (BOPIS) or similar services. Ensure that employees ask for proper identification during pickups and are aware of the procedures for identifying and addressing suspicious behavior.
Complete Data Sharing with Fraud Protection ProvidersProvide comprehensive data to fraud protection providers, enabling both manual reviews and automated detection systems to make well-informed decisions. Ensure that all necessary information, including details about proxy pickups and other relevant data, is shared to enhance the effectiveness of fraud prevention measures.
Regular Process Reviews and UpdatesConduct regular reviews of security processes with retail associates to stay abreast of the latest fraud strategies. Learn from past fraud experiences and update processes accordingly. Keeping fraud prevention top of mind for employees helps maintain a proactive stance against evolving threats.
Collaboration with Retail Fraud ExpertsPartner with eCommerce fraud protection experts, such as specialized service providers like Radial. Leverage the experience of fraud prevention professionals to implement sophisticated measures tailored to the retail industry’s unique challenges. By collaborating with retail fraud experts, retailers can effectively address vulnerabilities and leverage advanced technologies like machine learning to detect and prevent sophisticated attacks. Furthermore, partnering with these experts ensures comprehensive reviews of security processes, staying ahead of evolving fraud strategies.

By combining these measures, retailers can significantly enhance the protection of customer accounts, creating a more secure and trustworthy environment for online transactions. It’s crucial for retailers to continually reassess and adapt their strategies to stay ahead of emerging threats in the dynamic landscape of account takeover fraud.

person on laptop monitoring for account takeover fraud in real time

Real-Time Monitoring Safeguards Against Scams and Financial Losses

Radial offers fully managed fraud prevention services designed specifically for merchant fraud protection. With deep expertise in retail (including ten years in BOPIS) and a vast network of customer data across the retail industry, we are able to detect account takeover attempts to help keep your customer accounts secure.

We assess for risk factors, such as:

Are the account changes being requested similar across other businesses?
Do the changes follow typical account takeover patterns?
If personal info is being changed, is that info associated with fraudulent or risky behavior elsewhere?
Is there a sudden large volume of login attempts, change requests, multiple changes to an account in one session, transfers of a large number of reward points, shipping addresses being changed, very large purchases, or suspicious changes in browser use, ISP, country, or VPN, etc.?

In addition to the proactive measures outlined above, staying informed about current eCommerce fraud trends and analyzing relevant eCommerce fraud statistics can further enhance retailers’ readiness to combat evolving threats during peak seasons. As retailers prepare for peak and high volumes of transactions, taking the time now to add additional measures to mitigate account takeover is essential. Radial is here to help advise on fraud protection and provide complete fraud solutions.

Follow Radial on LinkedIn, Facebook and Twitter.

Talk to us today.

Cookie	Duration	Description
cli_user_preference	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store whether or not the user has given consent for cookie usage. It does not store any personal data.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
CookieLawInfoConsent	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the default button state of the corresponding category along with the status of CCPA.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_li_id	2 years	Leadinfo places two 1st party cookies that only provides Radial insights into the behavior on the website. These cookies will not be shared with other parties.
_li_ses	session	Leadinfo places two 1st party cookies that only provides Radial insights into the behavior on the website. These cookies will not be shared with other parties.
lpv138061	30 minutes	This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.
visitor_id138061	1 year	The Pardot visitor cookie includes a unique visitor ID and the unique identifier for the Pardot account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in the Pardot account. This cookie is set for visitors by the Pardot tracking code.
visitor_id138061-hash	1 year	The Pardot visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-855c3697d9979e78ac404c4ba2c66533 stores the hash 855c3697d9979e78ac404c4ba2c66533, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_X5L4QD6SPV	2 years	This cookie is installed by Google Analytics.
_gat_UA-8721228-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behavior and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
pardot_utm_campaign	1 month	This cookie is set by Radial to track a visitor's original utm_campaign value.
pardot_utm_content	1 month	This cookie is set by Radial to track a visitor's original utm_content value.
pardot_utm_medium	1 month	This cookie is set by Radial to track a visitor's original utm_medium value.
pardot_utm_source	1 month	This cookie is set by Radial to track a visitor's original utm_source value.
pardot_utm_term	1 month	This cookie is set by Radial to track a visitor's original utm_term value.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetmsclkid	3 months	This is the Microsoft Click ID, which is used to improve the accuracy of conversion tracking.
_uetsid	1 day	This contains the session ID for a unique session on the site.
_uetvid	1 month	UET assigns this unique, anonymized visitor ID, representing a unique visitor. UET stores this data in a first-party cookie.
AnalyticsSyncHistory	1 month	Used by LinkedIn to store information about the time a sync took place with the lms_analytics cookie.
ANID	13 months	This cookie is used to show Google ads on non-Google sites.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
CLID	1 year	Identifies the first-time Clarity saw this user on any site using Clarity.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
guest_id	2 years	Twitter installs the guest_id cookie to enable Twitter integration and for social media advertising. This cookie helps to track user behaviour for marketing, to enable sign in and personalize the user's Twitter experience across devices.
guest_id_ads	2 years	Used by Twitter to assign a unique id to guest users of their content for the purposes of advertising.
guest_id_marketing	2 years	Used by Twitter to assign a unique id to guest users of their content.
IDE	13 months	This cookie is used to show Google ads on non-Google sites.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	2 years	Used by LinkedIn to store consent of guests regarding the use of cookies for non-essential purposes.
li_sugr	3 months	Used to make a probabilistic match of a user's identity outside the Designated Countries
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
MR	session	Indicates whether to refresh MUID.
muc_ads	2 years	Twitter sets this cookie for tracking and targeting purposes.
MUID	1 year	This is a Microsoft cookie that contains a GUID assigned to your browser. It gets set when you interact with a Microsoft property, including a UET beacon call or a visit to a Microsoft property through the browser.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
pxrc	2 months	This cookie is used for analytics and orchestration purpose provided by Demandbase products. This cookie is used to deliver adverts more relevant to you and your interests. It is also used to limit number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign
rlas3	1 year	This cookie is used for analytics and orchestration purpose provided by Demandbase products. This cookie is used to deliver adverts more relevant to you and your interests. It is also used to limit number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign.
tuuid	1 year	This cookie is used for analytics and advertising services provided by Demandbase products.
tuuid_lu	1 year	This cookie is used for analytics and advertising services provided by Demandbase products.
U	3 months	LinkedIn uses this browser Identifier for users outside the Designated Countries.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.