Account Takeover: Protecting Retail Customer Accounts During Peak

Retailers encourage customers to create accounts to gather customer data that can be used to personalize marketing, and to help create a smooth, streamlined checkout experience for future purchases. However, fraudsters who gain access to these customer accounts can wreak financial havoc on customers and merchants.
Account takeover fraud (ATO) is a form of identity theft where bad actors gain access to consumer accounts and make legitimate-appearing changes to them in order to use the accounts for fraudulent actions or purchases. ATO fraud can be very tricky to detect, and as retailers gear up for peak, monitoring for it becomes more complex.
Here’s what to keep in mind as you prepare for a surge in transactions.
How does account takeover work?
In an ATO, a fraudster uses stolen credentials obtained on the Dark Web to gain access to a consumer account. Since customers often use the same password for all or many of their customer accounts, the fraudster is able to use automated methods like credential stuffing to attempt to access thousands of accounts simultaneously.
Fraudsters do their best not to raise red flags during ATO fraud. The first thing they often do is make legitimate-appearing changes, such as changing the account password, address, email, or shipping address, adding an authorized user, or adding a fraudulent (aka stolen) credit card to the account. Once these changes are made, the fraudster can make purchases using the account, often having orders shipped to the address of the stolen credit card, and then initiate chargebacks for financial gain.
In ecommerce retail, more ATO fraudsters are taking advantage of BOPIS and BOPAC for the pickup part of their fraud, then either keeping the merchandise or returning it. They do this by setting up designated proxy pickups, counting on (or even targeting) retailers that are not stringent about asking for identification and verifying credentials for store pickup orders.
When does a customer realize they’ve been hacked?
Customers typically do not realize they are the victim of an account takeover until they see fraudulent charges on their credit card statement or are blocked from accessing their account because the password has been changed. Credit card companies with solid fraud detection will often alert customers to any unusual or deviant activity on their card. But if fraudsters stay within the bounds of that customer’s normal behavior, it is very difficult to detect an ATO until evidence of fraudulent purchases appears across multiple accounts.
So how can retailers protect customers from account takeovers?
Customers expect retailers to provide a high level of security over their account information. But because account takeover is often predicated on customers using the same password for multiple accounts, there is a level of co-prevention that needs to happen.
Here are 5 ways that retailers can help prevent account takeovers:
- Educate customers. Many customers have never heard of account takeover, nor do they understand the risk from using the same password across accounts. Launching an educational campaign about password security and multifactor or biometric authentication ahead of peak can help customers safeguard their accounts. Likewise, retailers can require customers to change their passwords at regular intervals of time, helping to thwart ATOs.
- Train retail associates to be diligent about asking for identification for BOPIS/BOPAC pickups. Some retailers no longer allow proxy pickups. If identification doesn’t match up, be sure associates know to direct the “customer” to customer service for resolution or to a store manager or security officer trained in identifying fraudulent behavior.
- Be sure you are passing complete data to your fraud protection providers. Manual fraud reviewers need to know the names of proxy pickups and other details so that they can make the right decisions. Automated fraud detection also needs complete data to avoid false declines. Your fraud provider should request all the data they need, but don’t be afraid to ask them if anything is missing or if they need something additional.
- Review your processes regularly with associates and learn from past fraud experiences. Regular reviews and updates help everyone stay on top of the latest fraud strategies and what to look out for. Also, regular reviews help keep fraud prevention top of mind.
- Partner with a retail fraud expert. A retail fraud expert, like Radial, will work on your behalf to help safeguard accounts by using sophisticated fraud detection, best practices, and manual expert reviews.
Radial Fraud Protection Is Backed by 30 Years of Retail Experience
Radial offers fully managed fraud prevention services designed specifically for ecommerce retailers. With deep expertise in retail (including 10 years in BOPIS) and a vast network of customer data across the retail industry, we are able to detect account takeover attempts to help keep your customer accounts secure.
We assess for risk factors, such as:
- Are the account changes being requested similar across other businesses?
- Do the changes follow typical account takeover patterns?
- If personal info is being changed, is that info associated with fraudulent or risky behavior elsewhere?
- Is there a sudden large volume of login attempts, change requests, multiple changes to an account in one session, transfers of a large number of reward points, shipping addresses being changed, very large purchases, or suspicious changes in browser use, ISP, country or VPN, etc.?
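Two of the signals in this list, a burst of failed logins from one source and several account changes in one session followed by a purchase, can be checked over an event log. The sketch below is an added example, not Radial's detection logic; the event format, the thresholds, and the `HOME` usual-country table are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

SENSITIVE = {"password_change", "email_change", "address_change", "card_added"}
# Constructed sample events: (time_s, source_ip, account, session, action, country)
EVENTS = [
    (0,  "198.51.100.9", "ann",  "s1", "login_fail",      "RO"),
    (1,  "198.51.100.9", "bob",  "s2", "login_fail",      "RO"),
    (2,  "198.51.100.9", "cara", "s3", "login_fail",      "RO"),
    (3,  "198.51.100.9", "dave", "s4", "login_ok",        "RO"),
    (20, "198.51.100.9", "dave", "s4", "password_change", "RO"),
    (35, "198.51.100.9", "dave", "s4", "address_change",  "RO"),
    (70, "198.51.100.9", "dave", "s4", "purchase",        "RO"),
    (40, "192.0.2.44",   "erin", "s5", "address_change",  "US"),
    (90, "192.0.2.44",   "erin", "s5", "purchase",        "US"),
]
# Constructed "usual country" per account (assumed to come from login history).
HOME = {"ann": "US", "bob": "US", "cara": "US", "dave": "US", "erin": "US"}

def stuffing_sources(events, window_s=60, min_accounts=3):
    """IPs whose failed logins hit >= min_accounts distinct accounts within window_s."""
    fails = defaultdict(list)
    for t, ip, acct, _, action, _ in events:
        if action == "login_fail":
            fails[ip].append((t, acct))
    flagged = set()
    for ip, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accts = {a for t, a in items[i:] if t - t0 <= window_s}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def risky_sessions(events, home, min_changes=2):
    """Sessions with >= min_changes sensitive changes before a purchase, with extra signals."""
    changes, result = defaultdict(set), {}
    bad_ips = stuffing_sources(events)
    for t, ip, acct, sess, action, country in sorted(events):
        if action in SENSITIVE:
            changes[sess].add(action)
        elif action == "purchase" and len(changes[sess]) >= min_changes:
            signals = ["changes_then_purchase"]
            if country != home.get(acct):
                signals.append("new_country")
            if ip in bad_ips:
                signals.append("stuffing_source")
            result[sess] = (acct, signals)
    return result
```

The `erin` session changes one address and then buys, which stays below the threshold; a single signal like that is normal customer behavior, and it is the combination of signals that marks session `s4`.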
As retailers prepare for peak and high volumes of transactions, taking the time now to add additional measures to mitigate account takeover is essential. Radial is here to help advise on fraud protection and provide complete fraud solutions.
Talk to us today.