Account takeover or ATO attacks, where a bad actor accesses a consumer’s account to commit various kinds of fraud, increased 39% on marketplaces in the first half of 2022 compared to last year, a new report states, with overall ATO attacks across sectors up 131%.
The report, from fraud prevention platform Sift, found the incidence of ATO up 71% in fintech, 34% in on-demand services and 9% in digital goods and services, such as subscription content like Netflix and Spotify. Researchscape International polled 1,105 U.S. adults online in July on behalf of Sift. The findings were also based on data from Sift’s global network of more than 34,000 sites and apps comprising 70 billion monthly events.
According to recent reports, the top consequences of ATO in 2021 included fraudulent credit card transactions and funds being drained from person-to-person (P2P) accounts on platforms like PayPal and Venmo.
Not surprisingly, given how much we all live there, consumers responding to Sift’s survey reported that social media was the most common place they discovered an ATO attack (61%), vs. 34% for financial services and 31% for digital goods and services.
“ATO acts as a key pillar in the global fraud economy, powering payment abuse and content scams by adding apparent legitimacy to fraudulent transactions and posts,” Sift said in its Q3 Digital Trust and Safety report. “It gets fraudsters behind the gates, where they can either remain dormant and wait for profitable opportunities to arise—or immediately hijack anything of value before disappearing back into the dark web to sell the data they’ve stolen.”
Kevin Lee, VP of trust and safety at Sift, said ecommerce companies have gotten better at defending against creation of fake customer accounts in order to illegally procure goods since the pandemic started, so more fraudsters are shifting their game to ATO, which is more difficult to detect.
“During COVID they had a chance to build out their defenses a bit for the low-hanging fruit,” Lee said. “If I’m a fraudster, and not having the same level of success with fake accounts, the next target is ATO, and that’s an area where a lot of businesses tend to struggle. Now I’m going to use one of your existing customers as a vehicle to exploit your system, and it’s much tougher for them to protect themselves.”
Lee said companies may see a fraudster who has taken over someone’s account making slightly larger purchases each month, from different locations and across devices, but red flags generally aren’t raised because historically the account holder has been a good customer. “They let the transaction go through, and that’s where trouble can arise,” he said.
While the actual account takeover is bad enough, with fraudsters stealing goods and draining loyalty points, Lee noted the bigger pain for retailers and brands is losing the lifetime value of a loyal customer they may have been cultivating for years.
“ATO feels like a violation, especially now that consumers have so much choice,” he said. “If they suddenly take their business somewhere else, it’s incredibly damaging to the merchant. A loyal customer has been compromised, and you’re losing future transactions as well.”