State of ATO Fraud

A Fraud Team's Guide to Account Takeover Fraud

Account takeover (ATO) fraud can sink revenue - and the customer relationship. Learn how your ecommerce business can fight back.

This guide was published in September 2024.


The historic ecommerce growth the industry saw in 2020 has since been joined by a corresponding increase in ecommerce fraud. With everything from remote work to social media driving people to spend more time on phones and connected devices, account takeover fraud, or ATO fraud, has become one of the fastest-growing forms of ecommerce fraud.

What is ATO fraud? It occurs when a fraudster gains access to a customer's login credentials or other personally identifiable information (PII) to take over the account and commit fraud, usually changing the account's contact information so the victim can't recover it.

As more consumers embrace online shopping and create ecommerce accounts, they create fertile ground for this type of fraud to grow. A Security.org report found that 22% of U.S. adults have been victims of account takeover, with social media accounts the most commonly hacked, accounting for 53% of victims.


New Ecommerce Channels Create ATO Fraud Opportunities

Every ecommerce channel is susceptible to fraud, not just traditional websites. Even the newest ecommerce channels are being targeted. One of the most prevalent targets is social media.


Social commerce ATO fraud is increasing

Social commerce offers a tremendous growth opportunity for online retailers. Emarketer estimates that U.S. retail social commerce sales will pass the $100 billion milestone in 2025. It only follows that ATO fraud on social commerce is running rampant as well. But there are a few elements exacerbating the situation.

Let's start with passwords. Four of the top five most common passwords are some variation of "123456" - the second most common is "password." Neither is difficult to crack.

The other issue is a lack of password variance. Most people are creatures of comfort and convenience, so it's no surprise that Security magazine found more than 39% of individuals use the same password for multiple accounts. One data breach opens the door for hackers to access bank and credit card accounts, and the fraudulent spending spree begins.

Text scams lead to ATO fraud

The U.S. Federal Trade Commission (FTC) warns that text message-based scams are especially popular, and one reason may be that texting is cheap and easy.

Known as "smishing" - a combination of "SMS" and "phishing" - these attacks take many forms. In particular, scammers will pretend to be a known company, bank or agency and warn the user of an urgent issue - suspicious activity in their account, a bill past due or a job interview.

Scams perpetrated through text messages tempt users with links and downloads that add malware to users' devices. Fraudsters use malware to capture keystrokes as users enter usernames, passwords and emails. From there, they can wreak havoc by accessing accounts and using funds to make fraudulent purchases.


Recurrent payment accounts fly under the radar

Another channel fraudsters take advantage of is subscriptions. Subscription and recurrent payment fraud often slip under the radar because the transactions are so small compared to "high-risk" purchases. But that lack of monitoring makes recurrent payments a popular ATO fraud target.

And because most banks and processors allow customers up to a year to request a chargeback, online businesses may not even recognize they're being targeted until months later.


BOPIS makes ATO fraudsters faster

The introduction of new channels has presented even more opportunities for fraudsters.

Buy online, pickup in store (BOPIS), curbside pickup services and home delivery volumes grew exponentially during the pandemic and are still quite popular. In fact, grocery is on pace to be the largest ecommerce category in the United States by 2026.

The advantage to fraudsters? Faster delivery. What once took days to deliver can now be picked up right away or received within hours, creating a much shorter window to keep the fraudster from carrying out their plan.

Fraudsters Leverage Technology to Increase ATO

ATO isn't a new type of fraud - it's been a growing problem for years. However, pandemic-related fear and confusion, combined with better technology, have helped fraudsters get better at their craft.

Some recent trends target the many workers who now work remotely. In one employer text scam, fraudsters pretend to be the employee's boss, send texts that request the purchase of gift cards, and ask for the numbers and codes to be sent back.

In another, fraudsters post fake remote job listings. By tricking job seekers into giving up personal information such as their Social Security number and date of birth, they obtain information that can then be used for identity theft. In mule schemes, individuals unknowingly take remote jobs that require them to reship stolen goods or transfer fraudulent money through their bank accounts.

AI has made it all too easy for fraudsters to combine real and fake information to create a false identity, which is then used to open credit lines and run up debt without any intention of repayment.


Hacks and breaches

Data breaches and hacks of banking institutions and social media sites like Facebook and LinkedIn have become much more common lately.

Statista reports that in 2023, the number of data compromises in the United States stood at 3,205 cases. Meanwhile, over 353 million individuals were affected in the same year by data compromises, including data breaches, leakage and exposure. IBM's Cost of a Data Breach Report 2023 revealed increased threats:

AI-powered fraud

Criminals now use automated tools or bots powered by AI to perform tasks in the same way a human would, but infinitely faster. Chatbots are being used to improve the effectiveness of phishing e-mails, and the bots can even do reconnaissance to identify security countermeasures and retool their attacks to evade detection.

As a result, their complex signatures are difficult to detect without sophisticated analysis. AI bots are even being used to penetrate the metaverse with microtransaction fraud, spam and scams.

Security magazine identifies a few schemes to look out for:

Text messages: Generative AI makes it easy for fraudsters to speak in a familiar way that seems like an authentic exchange. This sets up the opportunity for criminals to perpetrate multiple attacks via text at the same time, where multiple victims are tricked into transferring money.

Fake video or images: AI models can be trained to use photos, images and videos to create content that appears real. These models can also superimpose images on top of other images and in videos. What's more alarming is that all of this can be done by a criminal with almost no design or technology skills, which increases the potential for attacks.

"Human" voice: Fraudsters can now employ realistic, AI-generated voices that can impersonate anyone and convince a victim to provide personal and financial information.

Chatbots: Finally, AI chatbots can be used in bad faith to develop rapport with victims, developing emotional connections and increasing the likelihood that the victim will share personal information.

Global unrest and use of cyberattacks

Recent global events have resulted in a massive uptick in cyberattacks. So much so, international banks are on the alert and taking measures to prepare, while experts increasingly caution the public to change and improve their passwords to avoid becoming victims of cyberattacks.

ATO Fraud Threatens Ecommerce Business Viability

While the impact of ATO fraud on consumers is significant and incredibly frustrating, online businesses have much to lose as well. If ATO fraud is not on your ecommerce business's radar, it absolutely should be. The impacts on your customers don't just trickle down to your sales and revenue numbers - they can become a tsunami that your company may not survive.

We can start with the most obvious impact: chargebacks.


Chargebacks eat away at revenue

As soon as a customer recognizes a fraudulent transaction, they will most likely dispute the purchase, setting in motion the chargeback process. The more fraudulent transactions your business allows through, the higher your chargeback rate and the more potential for being placed on a chargeback monitoring program.

For small businesses, that can signal the beginning of the end. They simply can't afford to pay the high fees that continue to accrue as chargebacks multiply.


For an enterprise-level organization, chargebacks are often considered a necessary evil. You certainly don't want them, but there are bigger issues to consider, such as false declines.

False declines threaten customer experience

A typical reaction to fraud, especially ATO fraud, is to turn on generic rules and filters with the assumption that they will weed out suspicious transactions based on address mismatches, transaction amount and the like.

The problem is this "one-filter-fits-all" tactic typically backfires, setting your business up to decline valid transactions.


ATO fraud can give your store a bad reputation

Online reviews mean a lot to customers - they influence behavior and can be the determining factor for where customers do business. If your company falls prey to a data breach, customers will be less likely to trust you with their sensitive personal information. The same goes for customers who experience ATO fraud on your website or app.

Whether or not your site is insecure and the source of fraud, customers are likely to blame your business. After all, they need to point the finger somewhere, and who else can they blame?

That can damage your reputation and cost you both recurring and new customers.

In fact, in our original research, "Consumer Attitudes About Ecommerce, Fraud & CX 2023-2024," we found that 84% of consumers will never again shop with a business that approved a fraudulent order with their payment information.

GDPR and PSD2 are serious about data privacy

As if those impacts weren't enough, any business selling into Europe also must consider the fees and fines associated with compromised personal data.

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in existence today and the first law designed to address data privacy and protection. It gives a set of privacy rights to customers who provide their information to businesses.

Under this law, any organization that stores personal data belonging to an EU citizen must fulfill a rigorous set of requirements:


They must justify why the data is being collected and only collect what's absolutely necessary.

They must keep the collected data accurate.

The data can only be kept for a set period of time.

All data must be encrypted.

Here's the kicker: Penalties for violating GDPR start at 20 million euros or 4% of the ecommerce business's global revenue, whichever is higher.


Similarly, PSD2 (Payment Services Directive 2), adopted in 2015, sets out the rules for all retail payments in the EU, euro and non-euro, domestic and cross-border. The directive applies to businesses selling into the European Economic Area (the EU countries plus Norway, Iceland and Liechtenstein) and requires new provisions such as strong customer authentication (SCA) for card-not-present transactions.

These extra measures require online businesses and their customers to jump through multiple hoops, which will increase checkout friction and could cost you customers. If you sell into any of the countries impacted, you'll need to be ready and stay ready. The European Commission has identified new types of fraud for which PSD2 is not equipped, and a Payment Services Directive 3 (PSD3) and Payment Services Regulation will come into effect sometime before 2026.

So, what can your business do to prevent ATO fraud?


ATO Fraud Protection: Smart Tactics for Ecommerce Businesses

As we've seen, ATO fraud is on the rise, and the results can be devastating to consumers and businesses. Based on your business size, liability tolerance and customer experience goals, there are combinations of fraud prevention tactics to consider.

The most important tactic is to choose a solution that will reduce your fraud levels without compromising customer experience and revenue growth.

Let's take a look at those tactics and how they can work for both small businesses and enterprise retailers.


3D Secure

3D Secure, or 3DS, was introduced in the late 1990s to increase transaction security by requiring authentication for online purchases and shifting the liability away from businesses onto credit card issuers. The technology has evolved to analyze multiple data points, giving online companies a greater level of confidence and reducing chargebacks. It has been especially useful for mobile commerce.

However (and it's a big however), 3DS has its downsides.

For starters, the extra authentication takes time, which can translate to more cart abandonment. It also adds friction with multiple hoops to jump through, driving good customers away. While your chargebacks may decrease, your false declines will almost assuredly increase - we've already covered why that is problematic.

Lastly, 3DS provides little to no intelligence across your payments landscape. If you work with 20 payment processors, you will have 20 disparate 3DS connections to manage and no ability to see patterns across them.

Our Take: 3DS is potentially a good solution for a small ecommerce business with very limited payment processors. Once you get into multiple payment options and large quantities of transactions, you risk missing fraud patterns and/or increasing false declines.


Automated solutions

Automated solutions allow businesses to hand their fraud protection over to a third party where transactions are processed through automated systems. They're approved or declined based on preset parameters and filters.

While this solution has advantages, such as fast processing time and hands-off fraud protection, it also limits your insight about the customers and fraudsters making transactions. Quite often, these solutions are hampered by slow adaptation when consumer behavior changes, as it does during the holiday season or when consumers are on vacation.

And purely automated solutions tend to treat any potential fraud like actual fraud. That means more false declines, lost lifetime revenue and unhappy customers.

Our Take: Automated solutions are just one part of the overall fraud prevention/protection solution that online businesses should consider.

Hybrid solutions

A hybrid solution offers the best of everything: preliminary fraud filters to identify potential fraud, secondary review to allow or deny those transactions, and AI to automatically approve transactions that pass with flying colors.

This solution tends to result in higher approval rates and fewer false declines. And, because the AI "learns" customer behavior, it can spot fraud patterns and reduce chargebacks. Generally, transactions that should be approved are approved more quickly. Not to mention the data intelligence businesses get from having all transactions pass through the same solution. You get smarter while the AI machine gets smarter.

Granted, some transactions will take longer to process and a subset of those will be valid customers, so you'll need to communicate to consumers that you're protecting their data - and that may mean a delay here and there.

Our Take: A hybrid solution can be adapted for any size business. Small businesses will benefit from processing all transactions (or at least peak shopping time transactions) through a hybrid process. For enterprise retailers, a customized hybrid solution can augment the intelligence, analytical prowess and productivity of fraud analysis teams during periods of high volume or when staffing is low.


ClearSale Works With Online Retailers to Fight ATO Fraud

ClearSale brings a global network and dataset to distinguish between a valid customer and a fraudster.

How? By combining intelligent technology with intelligent people and processes. Our proven, proprietary statistical algorithms are combined with the vast intelligence shared among our team (the world's largest) of highly trained fraud analysts.

What distinguishes ClearSale from other ATO fraud protection and prevention solutions is the level of detail we capture that allows us to identify the differences between valid customers and a fraudster who has taken over. Fighting ATO ecommerce fraud requires using every tool in the toolkit to evaluate each order.

Utilize AI and machine learning

We utilize an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. The client-specific data is also used to “teach” our system which of their transactions should truly be considered fraudulent. Using this technology, we can automatically approve or decline most orders quickly with a high level of accuracy. Instead of being declined, suspicious orders are flagged for contextual reviews.

Expert contextual reviews

The small percentage of flagged orders (about 2%-3%) are evaluated by our more than 2,000 fraud analysts who have the experience to recognize some of the hardest-to-spot fraud patterns. If necessary, our analysts may reach out to customers, but they do so in a way that is in line with exceptional CX.

Purchase history

Looking at purchase history allows us to confirm the user is valid and prevent a false decline. The scope and detail of our database can evaluate a consumer’s purchase history across businesses. That way, a first purchase on Wish.com can be cross-checked with a longstanding Amazon account to ensure the information agrees. 

Leverage new data

The additional data gleaned from those contextual reviews is leveraged to help our system distinguish valid transactions from fraud with even more accuracy. This continues over time, with our system becoming “smarter” as we process more and more of the client’s transactions — which increases their approval rate and revenue. ClearSale can also conduct a full analysis of any client’s database to provide visibility into the fraud trends that have been encountered, as well as customer behaviors and attitudes.

If you're looking for a partner to help prevent ATO, contact us and one of our analysts will work with you to create a solution specific to your company's unique needs.
