Post-COVID-19 World

Account takeover fraud (ATO) is becoming one of the most common types of internet fraud globally. The hackers infiltrate existing accounts on eCommerce platforms to make unauthorized cash advances, fake purchases, or alter account information to ensure the actual owners are not notified of these changes.

Most cybersecurity experts agree that this fraud and other online fraud attempts have increased vastly since the pandemic. Many experts assumed that 2019 was the worst year for data breaches and attempted account takeover frauds. But, in 2020, attempted ATOs might triple in numbers.

An Increase in Stolen Data

There has never been so much stolen data available in human history. The ‘dark web’ is where possessors of this stolen data operate. These fraudsters hijack any account with poorly secured IDs/passwords. In the past, these hackers worked manually, but since 2020, botnets have become more common.

Botnets can decode eight-character passwords in less than a minute. If initial data breach attempts don’t threaten an eCommerce customer’s account login credentials, that doesn’t mean their accounts won’t be targeted again in hostile takeover attempts.

Is 2-FA Completely Safe?

Government bodies worldwide have launched mandatory security guidelines that all vendors, payment service platforms, and customers must abide by to make online payments more secure. For instance, the EU’s Payment Services Directive II (PSD2) compels all vendors to use the two-factor authentication system while processing online payments.

Modern-day data breaches expose consumers’ SIM numbers. Fraudsters then contact the consumer’s wireless carrier to switch the SIM number to a separate device, so the stolen phone number is connected to a device they possess. From there, they can easily break into the consumer’s payment accounts. SIM swapping renders the two-factor authentication system ineffective.

Account Takeovers in 2020 – How Will They Attack?

There are many ways fraudsters can take over consumer accounts; phishing is the most common. In a phishing attack, hackers trick account holders into downloading viruses via emails. Then, they slowly access the users’ email addresses, SIM numbers, etc., to attack their online banking and credit card accounts.

Other common methods of account takeover in 2020 will include -
  • Installing malware
  • Stealing credit card data
  • Hacking phones
  • Hacking eCommerce accounts

The longer the consumers take to realize oddities in their payment accounts, the more time the hackers have to drain the accounts via direct stealing or fraudulent purchases.

How Account Takeover Fraud Will Impact eCommerce Businesses in 2020

Stealing account information of eCommerce shoppers is easier and more profitable for scammers than stealing credit card data because – 
  • There are more significant returns for the scammers as they have more time to act (until the customer notices).
  • Accounts on eCommerce platforms often contain easy-to-guess or reused passwords.
  • Scammers can specifically target accounts with the most reward points, bonuses, etc. They can even make purchases in the legitimate account holder’s name.
  • Consumers on most platforms have zero-liability policies, meaning they don’t pay for fraudulent charges.

eCommerce vendors suffer the most because the increase in ATO fraud leads to -

  • More ‘false declines’ – eCommerce vendors constantly targeted by scammers tend to block any suspicious transaction. In their bid to protect revenue, they lose existing customers and future ones. In 2016, false declines were 58% of all declined transactions. 32% of the customers who face false rejections never deal with the same merchant again.
  • No way to recover losses - Once eCommerce merchants send out their products to scammers, they must cover their losses. They lose their product, revenue earned on that product, and additional chargeback fees.
  • More security measures hamper checkout processes.
  • Loss of brand reputation


Battling ATO Fraud in 2020

Adopting stringent account takeover prevention measures is the only way to detect ATO attempts proactively. Ideally, online payments should only be processed after they’ve gone through biometric authentications, document inspection, and 24/7 customer risk assessments.

Investing in Fraud Prevention Technology

Investing in the latest account takeover fraud detection tools is the only way to preemptively assess risks such as fake authorization attempts. These latest tools can track payment gateways 24/7 to spot risky or suspicious user behavior. Unlike manual handlers, the software tools make data-driven decisions on the spot, so the risk of false declines is minimal.
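
The kind of behaviour-based check described above, as an added example that is not from the original article or from any vendor's product: it flags a purchase or reward redemption that follows a contact-detail change made from a device newly seen on the account. The event names, the 24-hour window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed event kinds and review window; tune these for a real platform.
CONTACT_CHANGES = {"email_change", "phone_change", "notifications_off"}
VALUE_ACTIONS = {"purchase", "points_redeem", "cash_advance"}
WINDOW = timedelta(hours=24)

# Constructed sample events: (ISO timestamp, account, device id, event kind)
SAMPLE_EVENTS = [
    ("2020-06-01T09:00:00", "alice", "dev-A", "login"),
    ("2020-06-01T09:05:00", "alice", "dev-A", "purchase"),
    ("2020-06-03T02:10:00", "alice", "dev-X", "login"),
    ("2020-06-03T02:12:00", "alice", "dev-X", "email_change"),
    ("2020-06-03T02:20:00", "alice", "dev-X", "points_redeem"),
    ("2020-06-02T18:00:00", "bob", "dev-B", "login"),
    ("2020-06-02T18:01:00", "bob", "dev-B", "phone_change"),
    ("2020-06-02T18:30:00", "bob", "dev-B", "purchase"),
]

def find_ato_candidates(events, window=WINDOW):
    """Return (account, device, action, timestamp) for value actions that
    follow a contact change made from a recently first-seen device."""
    first_seen = {}   # account -> {device: first time seen}
    changed_at = {}   # (account, device) -> time of contact change on a new device
    alerts = []
    for ts, account, device, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        devices = first_seen.setdefault(account, {})
        devices.setdefault(device, when)
        # Assumption: the earliest device on an account belongs to its owner.
        is_new = (devices[device] > min(devices.values())
                  and when - devices[device] <= window)
        if kind in CONTACT_CHANGES and is_new:
            changed_at[(account, device)] = when
        elif kind in VALUE_ACTIONS:
            change = changed_at.get((account, device))
            if change is not None and when - change <= window:
                alerts.append((account, device, kind, ts))
    return alerts

if __name__ == "__main__":
    for alert in find_ato_candidates(SAMPLE_EVENTS):
        print("review:", alert)
```

Bob's phone change comes from the only device his account has ever used, so it is not flagged; that is how a rule like this avoids declining a legitimate customer.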

Some other steps vendors can take -

  • Mandating longer passwords and unique usernames unrelated to the customers’ email IDs.
  • Offering 2-FA that’s not dependent on the consumer’s phone number (e.g. instead of only sending SMS messages, they can send different codes via email).
  • Customer and employee training regarding the best practices in online
  • Investing in biometric verification systems
  • Conducting stringent employee background checks
  • Monitoring all account statements daily
  • Using only approved vendor listings
  • Preparing for long periods of remote working
  • Communicating online security-related details across all stakeholders and staff

eCommerce vendors offering promotional and loyalty bonuses are targeted more by scammers as accounts on those platforms hold much value. So, investing in real-time verification tools is the only way for eCommerce vendors to prevent ATO fraud.