Julie Fergerson, CEO of the Merchant Risk Council, has over 25 years of experience developing and promoting Internet-based technologies.
Account takeover (ATO) is the process by which criminals use a variety of methods, including purchasing stolen information from the dark web, social engineering, phishing, password cracking or credential stuffing to take ownership of online accounts that do not belong to them for a variety of nefarious purposes.
Unfortunately, this attack method has seen an uptick during these turbulent times. In the last year, 27% of the global merchants that participated in the 2022 Global Payments and Fraud Report experienced some form of ATO fraud, and this attack method now ranks as the fifth most prevalent for North American merchants.
While this data is troubling, there are effective methods for fighting back. What follows are high-level strategies merchants can employ to reduce their exposure to ATO fraud and, in the process, better protect customer accounts, data and their own brand.
1. Enforce Good Security Practices At Sign-Up
Encouraging customers to take security seriously is one of the more significant challenges merchants face. Social engineering, or even simple negligence, can be difficult to defend against due to the limited efficacy of machines in correcting for human behavior. After all, how do you train a computer to stop someone from providing their personal identifiable information (PII) over the phone to someone pretending to be their bank?
That said, there are steps that can be taken during the initial customer onboarding process to ensure some degree of mandated security. Options like implementing two-factor authentication (2FA) and secure passwords, along with regular mandatory password changes, can go a long way.
When communicating with customers during the authentication process, raising awareness around best practices can be valuable. For example, specifying in all 2FA communications that no merchant representative will ask a customer for the provided code and that anyone attempting to do so has malicious intent. This serves to educate the consumer while simultaneously protecting the merchant’s interests.
The additional security does add friction to the customer’s login or checkout process, and it’s understandable that merchants want to avoid that added complexity. Keep in mind though, that if a customer’s account is taken over, they will likely blame the merchant for failing to protect it. The potential consequences of that perception, including brand damage, can be difficult to quantify.
Every merchant needs to find the appropriate balance of security and user experience that works for them, though erring on the side of caution is highly recommended.
2. Communicate With Other Merchants And Law Enforcement
Businesses tend to be black boxes when it comes to their competitors, and there are valid reasons for this. However, it can’t be overstated how valuable sharing relevant information on cybersecurity can be.
Chances are high that merchants in specific industries are facing similar external threats and often the same external threats. Discussing preventative strategies with competitors, as legally appropriate, doesn’t just benefit one company, but potentially the entire industry and possibly the public at large.
Law enforcement can also be an incredibly valuable partner when it comes to cybersecurity, both in terms of knowledge of preventative measures and as a repository of information on fraudster strategies. Government institutions can also share trends from multiple businesses without attribution, meaning it’s often possible to gain insights and contribute while remaining anonymous.
3. Flag Fraud Early By Knowing Customers
Recognizing and quantifying customer behavior patterns can go a long way toward identifying suspicious behavior before it becomes an issue. There are entire industries dedicated to the idea of understanding and predicting customer behavior, and many use the concepts below as a starting point.
Geolocation: Used to identify where a user is located. A high volume of suspicious logins from an unexpected country could be a red flag, for example.
Behavioral Biometrics: The science behind identifying specific customer behavior, such as how someone uses a mouse, their typing patterns or their vocal patterns. Excellent for identifying bots or machines pretending to be human.
Unusual Network Activity: Recognizing standard network patterns from customers can be hugely helpful. If a familiar IP address is suddenly attempting multiple logins or password resets, or if strange routing behavior is detected, further identity verification may be required. Occasional unusual behavior isn’t necessarily a cause for concern, but it should trigger more scrutiny.
Not every merchant can effectively monitor or quantify all the relevant data, however, which is why seeking assistance from a third party is often a productive solution.
4. Find The Right Technologies And Partners
Fraud prevention is an enormous industry, with bright and motivated professionals making breakthroughs all the time in the ongoing fight against fraud. It’s likely there is a company that knows a merchant’s industry or vertical, that understands their specific needs and that either offers a beneficial product that fits nicely into an existing tech stack or can build a new one that does.
A machine learning company, for example, may be able to help reduce manual review and provide space for your fraud prevention team to focus on better securing against credential stuffing attacks. Or, a third-party cybersecurity vendor focused on identifying and trapping bots might free up resources to invest in better biometric authentication processes, helping a merchant better understand their customers and more easily identify suspicious behavior during attempted logins.
Every merchant’s needs will vary, but relying on a trusted, thoroughly vetted vendor is often more practical than attempting to build every solution in-house, especially for smaller merchants. It will likely add cost, but so does a highly publicized data breach.
It’s important to know that as fraud fighters get better at implementing ATO prevention measures like 2FA, those attempting ATO fraud will only become more ambitious, resourceful and entrepreneurial.
All the more reason merchants should strive to find a trusted solutions partner, business peer or law enforcement confidant that can help them defend against ATO and other types of fraud.
Forbes Finance Council is an invitation-only organization for executives in successful accounting, financial planning and wealth management firms. Do I qualify?