Post-COVID-19 World
Account takeover fraud (ATO) is becoming one of the most common types of internet fraud globally. Hackers infiltrate existing accounts on eCommerce platforms to take unauthorized cash advances, make fake purchases, or alter account information so that the actual owners are not notified of these changes.

Many experts assumed that 2019 was the worst year for data breaches and attempted account takeover fraud. But in 2020, attempted ATOs might triple. Most cybersecurity experts agree that this and other types of online fraud attempts have increased vastly since the pandemic.

An Increase in Stolen Data

There has never been so much stolen data available in human history. The ‘dark web’ is where possessors of this stolen data operate. These fraudsters hijack any account with poorly secured IDs/passwords. In the past, these hackers operated manually, but since 2020, botnets have become more common.

Botnets can decode eight-character passwords in less than a minute. Even if initial data breach attempts don’t put an eCommerce customer’s login credentials at risk, that doesn’t mean their accounts won’t be targeted again in hostile takeover attempts.

Is 2-FA Completely Safe?

To make online payments more secure, government bodies worldwide have launched mandatory security guidelines that all vendors, payment service platforms, and customers have to abide by. For instance, the EU’s Payment Services Directive II (PSD2) compels all vendors to use the two-factor authentication system while processing online payments.

Modern-day data breaches expose consumers’ SIM numbers. Fraudsters then contact the consumer’s wireless carrier to switch the SIM number to a separate device, so the stolen phone number is connected to a device they possess. Hence, they can easily break into the consumer’s payment accounts. SIM swapping renders the two-factor authentication system ineffective.

Account Takeovers in 2020 – How Will They Attack?

There are many ways fraudsters can take over consumer accounts, and phishing is the most common. In a phishing attack, hackers trick account holders into downloading viruses via email. Then, they slowly access the users’ email addresses, SIM numbers, etc., to attack their online banking and credit card accounts.

Other common account takeover methods in 2020 will include -
  • Installing malware
  • Stealing credit card data
  • Hacking phones
  • Hacking eCommerce accounts

The longer the consumers take to realize oddities in their payment accounts, the more time the hackers have to drain the accounts via direct stealing or via fraudulent purchases.

How Account Takeover Fraud Will Impact eCommerce Businesses in 2020

Stealing account information of eCommerce shoppers is easier and more profitable for scammers than stealing credit card data because – 
  • There are bigger returns for the scammers as they have more time to act (until the customer notices).
  • Accounts on eCommerce platforms often have easy-to-guess or reused passwords.
  • Scammers can specifically target accounts that have the most reward points, bonuses, etc. They can even make purchases in the legitimate account holder’s name.
  • On most platforms, consumers have zero-liability policies, meaning they don’t pay for fraudulent charges.

eCommerce vendors suffer the most because the increase in ATO fraud leads to -

  • More ‘false declines’ – eCommerce vendors that are constantly targeted by scammers tend to block any transaction that seems suspicious. In their bid to protect revenue, they lose existing customers and future ones. In 2016, false declines were 58% of all declined transactions. 32% of the customers who face false rejections never deal with the same merchant again.
  • No way to recover losses - Once eCommerce merchants send out their products to scammers, they have no way to recover their losses. They lose their product, revenue earnt on that product, and additional chargeback fees.
  • More security measures hamper checkout processes.
  • Loss of brand reputation


Battling ATO Fraud in 2020

Adopting stringent security measures is the only way to detect ATO attempts proactively. Ideally, online payments should only be processed after they’ve gone through biometric authentications, document inspection, and 24x7 customer risk assessments.

Investing in Fraud Prevention Technology

Investing in the latest account takeover fraud detection tools is the only way to assess risks such as fake authorization attempts preemptively. Some of these latest tools can track payment gateways 24x7 to spot risky or suspicious user behavior. Unlike manual handlers, the software tools make data-driven decisions on the spot, so the risk of false declines is minimal.
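
As an added illustration (not code from this article or from any vendor's product), the sketch below scores account events the way such a tool might: a login from an unrecognized device, followed by a change to contact details, followed by a purchase or points redemption is held, while a new device alone only triggers step-up verification instead of a decline. The event names, weights, thresholds and the sample log are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): (timestamp, account, event, device)
EVENTS = [
    ("2020-06-01T09:00:00", "alice", "login", "dev-A"),
    ("2020-06-01T09:05:00", "alice", "purchase", "dev-A"),
    ("2020-06-03T02:10:00", "alice", "login", "dev-X"),
    ("2020-06-03T02:12:00", "alice", "email_change", "dev-X"),
    ("2020-06-03T02:20:00", "alice", "points_redeem", "dev-X"),
    ("2020-06-02T10:00:00", "bob", "login", "dev-B"),
    ("2020-06-04T10:00:00", "bob", "login", "dev-C"),
    ("2020-06-04T10:03:00", "bob", "purchase", "dev-C"),
]

# Hypothetical event names and thresholds, chosen for this example only.
CONTACT_CHANGES = {"email_change", "phone_change", "notifications_off"}
VALUE_EVENTS = {"purchase", "points_redeem"}
WINDOW = timedelta(hours=1)

def assess(events):
    """Return (account, timestamp, event, action, reasons) per value event."""
    devices, new_login, contact_at, out = {}, {}, {}, []
    for ts, acct, ev, dev in sorted(events):  # ISO timestamps sort in time order
        t = datetime.fromisoformat(ts)
        seen = devices.setdefault(acct, set())
        if ev == "login":
            if not seen:
                seen.add(dev)               # first device seen is the baseline
            elif dev not in seen:
                new_login[acct] = (t, dev)  # session on an unrecognized device
            continue
        start, new_dev = new_login.get(acct, (None, None))
        in_session = start is not None and dev == new_dev and t - start <= WINDOW
        if ev in CONTACT_CHANGES and in_session:
            contact_at[acct] = t            # owner may no longer get notices
        elif ev in VALUE_EVENTS:
            score, reasons = 0, []
            if in_session:
                score += 40
                reasons.append("unrecognized device")
            changed = contact_at.get(acct)
            if changed is not None and t - changed <= WINDOW:
                score += 50
                reasons.append("contact details changed first")
            action = "hold" if score >= 80 else "step-up" if score >= 40 else "allow"
            out.append((acct, ts, ev, action, reasons))
    return out
```
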

Some other steps vendors can take -

  • Mandating the use of longer passwords and unique usernames that are not related to the customers’ email IDs.
  • Offering 2-FA that’s not dependent on the consumer’s phone number (e.g. instead of only sending SMS messages, they can send separate codes via email).
  • Customer and employee training regarding the best practices in online
  • Investing in biometric verification systems
  • Conducting stringent employee background checks
  • Monitoring all account statements daily
  • Using only approved vendor listings
  • Preparing for long periods of remote working
  • Communicating online security-related details across all stakeholders and staff

eCommerce vendors offering promotional and loyalty bonuses are targeted more by scammers, as accounts on those platforms hold a lot of value. So, investing in real-time verification tools is the only way for eCommerce vendors to prevent ATO fraud.