What is an account takeover?

An account takeover, or ATO, is a form of fraud that happens when a bad actor gains unauthorized access to an online store account. 

When fraudsters gain access to the online accounts of legitimate customers, they obtain a wealth of high-value information. The fraudulent transactions they are able to commit with this information are harder to detect and stop because they look like they are made by known customers. ATOs are also more damaging than other forms of card-not-present (CNP) fraud: in addition to the lost revenue from stolen loyalty points and the costs associated with chargebacks and reacting to fraud incidents, these attacks have a devastating impact on brand reputation and the lifetime value of a customer. 

Storing customer data has become a major perk of digital commerce, making online shopping more seamless, but it also makes store accounts more lucrative, and more vulnerable, to fraudsters. A fraudster needs only a foothold, such as a full name, an email address or a date of birth, and works outward from that toward the account's credentials.


ATOs are different from garden-variety CNP fraud. In typical CNP fraud, a fraudster buys stolen credit card details, usually on the dark web, and uses them to make purchases. Account takeover attacks add an extra step: before committing the fraud, a bad actor gains access to a good customer's eCommerce store account.

Once inside, they have plenty of fraud options: using the stored payment methods to make purchases, charging unrelated stolen card details through the trusted account, or transferring or spending valuable loyalty points such as air miles.

Since transactions by repeat customers are broadly recognized as “safe,” merchants are less likely to question them, which allows more ATOs to happen undetected.

How does an account takeover happen?

One of the unintended side effects of encouraging customers to open store accounts is how appealing a target these accounts are for fraudsters. ATO attacks have become increasingly lucrative – and easy. Nowadays, ATOs are so common that the attack process is completely streamlined. Even an amateur fraudster can get inside a good customer’s account in a matter of minutes. 

Often, phishing specialists manipulate and trick account holders, and in some cases even customer service representatives, into surrendering credentials. Other times, fraudsters build a look-alike of a popular site, such as Amazon.com, and lure users into "resetting their passwords" there, capturing whatever credentials they type in. Kits for creating such look-alikes are sold on the dark web.

Online fraudsters rely on a few large-scale approaches to account takeovers. Two of the most recognized paths to ATO are:

  • Phishing attacks: A common way for digital fraudsters to trick individuals into supplying personal and account information. These attacks come in the form of phone calls, text messages and, most commonly, emails.
  • Credential stuffing: When fraudsters obtain data compromised in a breach, they get a list of username and password combinations, and can then use bots to test those credential sets at many different online stores. The attack works because many people reuse the same password across sites. The process is done en masse: hundreds of thousands of potential logins are tested.

What happens after an account takeover?

Once inside a good customer's store account, fraudsters can attempt a number of fraud schemes, and because the resulting transactions look like they were made by a known customer, they are harder to detect and stop.

They can make purchases with stored payment methods, expend loyalty points (think frequent flier miles), and steal valuable personal information to use and sell elsewhere. The types of personal data shoppers regularly store in their online account include their address, email, phone number, payment methods, and ID numbers, including passport numbers. 

ATOs are more costly, too: In addition to the lost revenue and the costs associated with chargebacks, these attacks have a devastating impact on brand reputation and the lifetime value of a customer.

Cost of ATO attacks

  1. Direct fraud costs: ATOs result in chargebacks. Merchants today have a tough time tracking which chargebacks and loyalty-point transactions are the result of ATOs, but both the visible and the hidden losses are significant.
  2. Customer service costs: When customers have their accounts taken over and nobody reaches out proactively, they are likely to call or email the merchant to complain. With sensitive personal information at stake, agents need to verify that they are in fact speaking to the account holder and not a fraudster trying to break into the account. The work hours it takes to resolve each of these tickets add up quickly.
  3. Loss of customer lifetime value (CLV): More than two in five customers (43.2%) say they wouldn't shop at an online store ever again if their account was compromised, according to a Riskified survey.
  4. Brand damage & resulting losses: ATO attacks have a devastating impact on brand reputation. In extreme cases, attacks end up in the media and can even trigger stock price collapses. The damage can be hard to quantify, but brand reputation can be the most serious business issue on the line when a customer account is breached.

How to prevent account takeovers

There are several security measures online merchants can take to prevent account takeovers, but first merchants should understand how vulnerable their company or eCommerce store is. 

After establishing the risk and fallout, they should decide how conservative their store needs to be: merchants need to set a risk threshold based on their potential fraud vulnerabilities. Equally important, merchants should consider how much friction their customers will tolerate from additional security measures, such as step-up verification at login.

The next step is to determine when and how to block bad users, notify customers of suspicious login attempts, or request identity verification. At login time the merchant has little to go on beyond the IP address, the device, the time and the account's own history, so making these decisions is not an easy task. A data sharing program with other merchants can help fill in critical information.
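A concrete version of the two ideas this article describes, the credential-stuffing pattern from the "How does an account takeover happen?" section (one source testing many username/password pairs, almost all failing) and the block / notify / request-verification decision described here, as an added example that is not from the original article and not Riskified's product: a small login-risk engine run over a constructed stream of login attempts. The thresholds, the `Attempt` fields, the rule that a correct password from an unseen device in an unseen country triggers step-up verification, and the sample data are all assumptions chosen for illustration.

```python
"""Login-risk decisions over a constructed stream of login attempts.

Two signals are combined: per-source velocity (one address testing many
different usernames, nearly all failing: credential stuffing) and per-account
anomalies (a correct password from a device or country the account has never
used). All thresholds and field names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 600       # how far back per-source counting looks (assumed)
MAX_USERS_PER_SOURCE = 5   # distinct usernames one address may try per window (assumed)
MIN_FAILURE_RATIO = 0.8    # share of failures that marks a source as stuffing (assumed)


@dataclass(frozen=True)
class Attempt:
    """What the merchant can see at the login endpoint for one attempt."""
    ts: int        # seconds since epoch (constructed)
    ip: str        # client address
    user: str      # account identifier
    ok: bool       # did the submitted password match?
    device: str    # device cookie / fingerprint id
    country: str   # country resolved from the address (assumed available)


class LoginRiskEngine:
    def __init__(self):
        self.by_ip = defaultdict(list)    # ip -> [(ts, user, ok)] within the window
        self.profiles = defaultdict(set)  # user -> {(device, country)} from trusted logins
        self.blocked_ips = set()

    def _is_stuffing(self, ip, now):
        """Credential-stuffing fingerprint: many usernames from one source, almost all failing."""
        recent = [a for a in self.by_ip[ip] if now - a[0] <= WINDOW_SECONDS]
        self.by_ip[ip] = recent
        if len({user for _, user, _ in recent}) < MAX_USERS_PER_SOURCE:
            return False
        failures = sum(1 for _, _, ok in recent if not ok)
        return failures / len(recent) >= MIN_FAILURE_RATIO

    def decide(self, a):
        """Return 'block', 'deny', 'allow', 'notify' or 'challenge' for one attempt."""
        self.by_ip[a.ip].append((a.ts, a.user, a.ok))
        if a.ip in self.blocked_ips or self._is_stuffing(a.ip, a.ts):
            # Block even when the password is right: a stuffing source that
            # guessed correctly is exactly the takeover we want to stop.
            self.blocked_ips.add(a.ip)
            return "block"
        if not a.ok:
            return "deny"                       # ordinary wrong password
        profile = self.profiles[a.user]
        if not profile:                         # no history yet: seed it
            profile.add((a.device, a.country))
            return "allow"
        known_device = any(d == a.device for d, _ in profile)
        known_country = any(c == a.country for _, c in profile)
        if known_device and known_country:
            return "allow"
        if not known_device and not known_country:
            # Right password but nothing else matches: step up (emailed code,
            # re-entering the stored card's CVV, ...) before letting them in.
            return "challenge"
        profile.add((a.device, a.country))      # one signal is new: let in, tell the customer
        return "notify"


def run(attempts):
    """Feed attempts through a fresh engine; returns one decision per attempt."""
    engine = LoginRiskEngine()
    return [engine.decide(a) for a in attempts]


# Constructed login stream; not real merchant data.
SAMPLE_ATTEMPTS = [
    Attempt(100, "203.0.113.10", "alice", True, "dev-A", "US"),   # first login seeds profile
    Attempt(200, "203.0.113.10", "alice", True, "dev-A", "US"),   # known device and country
    Attempt(300, "203.0.113.11", "alice", True, "dev-B", "US"),   # new device, usual country
    Attempt(400, "198.51.100.7", "alice", True, "dev-Z", "RO"),   # right password, all else new
    Attempt(500, "203.0.113.10", "alice", False, "dev-A", "US"),  # typo on her own laptop
    # One address cycling through a breach list: a different username each time.
    Attempt(1000, "192.0.2.50", "u1", False, "bot", "NL"),
    Attempt(1001, "192.0.2.50", "u2", False, "bot", "NL"),
    Attempt(1002, "192.0.2.50", "u3", False, "bot", "NL"),
    Attempt(1003, "192.0.2.50", "u4", False, "bot", "NL"),
    Attempt(1004, "192.0.2.50", "u5", False, "bot", "NL"),        # fifth username: source blocked
    Attempt(1005, "192.0.2.50", "bob", True, "bot", "NL"),        # reused password was right; still blocked
]

if __name__ == "__main__":
    for a, d in zip(SAMPLE_ATTEMPTS, run(SAMPLE_ATTEMPTS)):
        print(f"{a.ts:5d} {a.ip:13s} {a.user:6s} ok={str(a.ok):5s} {a.device:5s} {a.country} -> {d}")
```

The point of the last two sample rows is the one the article makes about stuffing: the bot's correct guess for `bob` is the takeover, and it is stopped only because the source was already flagged for testing too many usernames. The `challenge` branch is where a merchant's chosen risk threshold shows up: a stricter store would challenge on any new device, a looser one only when the device and country are both unseen. The per-account profile here is built from the merchant's own history; a data sharing program with other merchants would let it be seeded with devices and addresses those merchants have already seen behave badly or well.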

A machine learning solution that includes identity linking and a strong merchant network is one of the most powerful tools a merchant can have in defense of account takeover attacks.
