State of ATO Fraud Guide
Intelligence to move  securely

State of ATO Fraud

A Fraud Team's Guide to Account Takeover Fraud

Account takeover (ATO) fraud can sink revenue — and the customer relationship. Learn how your ecommerce business can fight back. 

This guide was published in May 2022.

While 2020 was a year of historic ecommerce growth, 2021 was marked with a massive increase in ecommerce fraud.

One of the fastest-growing forms of ecommerce fraud is account takeover, or ATO fraud. 

What is ATO fraud? It occurs when a fraudster gains access to a customer's log in credentials or other personally identifiable information (PII) to take over the account and commit fraud, usually changing the account's contact information so the victim can't recover it. 

And as it turns out, the past couple of years — with its influx of brand-new ecommerce accounts — have created fertile ground for this type of fraud to grow.




New Ecommerce Channels Create ATO Opportunities

New Ecommerce Channels Create ATO Opportunities

Every ecommerce channel is susceptible to fraud, not just traditional websites. Even the newest ecommerce channels are being targeted. One of the most prevalent targets is social media.

Social commerce ATO fraud is increasing

Social commerce offers a tremendous growth opportunity for online retailers. In 2021, 50% of U.S. adults made a purchase through social media — and this type of ecommerce is projected to grow to more than $604 billion by 2027.

It only follows that social commerce ATO fraud is running rampant as well. There are a few elements exacerbating the situation, however. 

Let’s start with passwords. The most common password used in the U.S. is “123456” – the fifth most common is “password.” Neither make for much difficulty to crack.

The other issue is a lack of password variance. Most people are creatures of comfort and convenience, so it’s no surprise  more than 50% of people use the same password for many sites. One data breach opens the door for hackers to access bank and credit card accounts, and the fraudulent spending spree begins.

Related Reading: How Safe is Your Social Commerce Channel From ATO Fraud?

Text scams lead to ATO fraud

Fraudsters access user credentials through text scams as well. According to Australia’s Scamwatch, the top five scams in 2021 were:

  • Fake investments, which accounted for losses over $149 million

  • Romance scams (over $45 million in losses)

  • Remote access scams (over $14 million)

  • Fake billing (over $14 million)

  • Arrest scams (over $11 million)

Most of these scams are perpetrated through text messages with links and downloads that add malware to users’ devices. Fraudsters use malware to capture keystrokes as users enter user names, passwords and emails. From there, they can wreak havoc by accessing accounts and using funds to make fraudulent purchases.

Recurrent payment accounts fly under the radar

Recurrent payment accounts fly under the radar

Another channel fraudsters take advantage of is subscriptions. Subscription and recurrent payment fraud often slip under the radar because the transactions are so small compared to “high-risk” purchases.

But that lack of monitoring makes recurrent payments a popular ATO fraud target.

And since most banks and processors allow customers up to a year to request a chargeback, online businesses may not even recognize they’re being targeted until months later.

BOPIS makes ATO fraudsters faster

The introduction of new channels has presented even more opportunities for fraudsters.

Buy online, pickup in store (BOPIS), curbside pickup services and home delivery volumes grew exponentially during the pandemic and are still quite popular. In particular, grocery ecommerce volumes are expected to reach nearly $243 billion by 2025.

The advantage to fraudsters? Faster delivery. What once took days to deliver can now be picked up right away or received within hours, creating a much shorter window to keep the fraudster from carrying out their plan.

Fraudsters Leverage Technology to Increase ATO

Fraudsters Leverage Technology to Increase ATO

ATO isn’t a new type of fraud — it’s been a growing problem for years. However, pandemic-related fear and confusion, combined with better technology has helped fraudsters get better at their craft.

Hacks and breaches

It seems as though data breaches and hacks of banking institutions and social media sites like Facebook and LinkedIn have become much more common lately. To illustrate just how concerning the problem is, thought leadership platform, published a cybersecurity summary with some pretty alarming statistics:

  • The cost of data breaches grew to $4.24 million in 2021, marking the highest level in the last 17 years.

  • Remote working gave hackers more vectors to attack, including mobile devices, laptops and PCs. At the same time, only 3% of companies protect their employees’ devices.

  • About 95% of security breaches in 2021 were due to people clicking on links and downloading files on their devices.

  • Over 93% of health care organizations have experienced a recent data breach, putting highly sensitive information on the dark web for sale.

Related Reading: Top 3 Online Retail Fraud Methods and How to Prevent Them in 2022

Artificially intelligent bots

Data hacks are sophisticated. Criminals now use automated tools or bots powered by artificial intelligence to perform tasks in the same way a human would, but infinitely faster.

bots accounts lead to ATO

Bots account for 86% of attacks that lead to account takeover (ATO) fraud.  

Not only do these bots account for 86% of attacks that lead to account takeover (ATO) fraud, they do reconnaissance to identify security countermeasures and retool their attacks to evade detection.

As a result, their complex signatures are difficult to detect without sophisticated analysis. AI bots are even being used to penetrate the metaverse with microtransaction fraud, spam and scams.

Global unrest and use of cyberattacks

Recent global events have resulted in a massive uptick in cyberattacks. So much so, international banks are on the alert and taking measures to prepare, while experts increasingly caution the public to change and improve their passwords to avoid becoming victims of cyberattacks.

ATO Fraud Threatens Ecommerce Business Viability

ATO Fraud Threatens Ecommerce Business Viability

While the impact of ATO fraud on consumers is significant and incredibly frustrating, online businesses have much to lose as well.

If ATO fraud is not on your ecommerce business’ radar, it absolutely should be. The impacts on your customers don’t just trickle down to your sales and revenue numbers—they can become a tsunami that your company may not survive.

We can start with the most obvious impact: chargebacks.

Chargebacks eat away at revenue

As soon as a customer recognizes a fraudulent transaction, they will most likely dispute the purchase, setting in motion the chargeback process. The more fraudulent transactions your business allows through, the higher your chargeback rate and the more potential for being placed on a chargeback monitoring program.

For small businesses, that can signal the beginning of the end. They simply can’t afford to pay the high fees that continue to accrue as chargebacks multiply.

Related Reading: Advance Strategies to Eliminate Ecommerce ChargebacksFor an enterprise-level organization, chargebacks are often considered a necessary evil. You certainly don’t want them, but there are bigger issues to consider, such as false declines.

False declines threaten customer experience

A typical reaction to fraud, especially ATO fraud, is to turn on generic rules and filters with the assumption that they will weed out suspicious transactions based on address mismatches, transaction amount and the like.

The problem is this “one-filter-fits-all” tactic typically backfires, setting your business up to decline valid transactions.

What is this costing businesses? 

Losses due to ecommerce fraud are projected to reach $6.4 billion by 2021. But losses due to false declines are projected to reach $443 billion by 2021 – nearly 70x more than losses from fraud itself.

Not only is that a stomach-churning amount of missed revenue for any ecommerce business, it's often missed lifetime revenue: 40% of the respondents in our 2021 Consumer Attitudes Report would be unlikely to ever return to a business that declined their legitimate order. 

Even worse, 34% will take their beef to the streets (or their social media channels, to be exact). If we break this down by generation, younger shopper are most likely to complain. They’re also positioned to be your most frequent shoppers in the future, so you don’t want to lose their business.

CTA - False Declines Cost You More Than Fraud

ATO fraud can give your store a bad reputation

Online reviews mean a lot to customers — they influence behavior and can be the determining factor for where customers do business.

If your company falls prey to a data breach, customers will be less likely to trust you with their sensitive personal information. The same goes for customers who experience ATO fraud on your website or app.

Whether or not your site is insecure and the source of fraud, customers are likely to blame your businesses. After all, they need to point the finger somewhere and who else can they blame?

That can damage your reputation and cost you both recurring and new customers. In fact, in our 2021 Consumer Attitudes report, 84% of consumers reported they would never again shop with a business that approved a fraudulent order with their credit card.

credit card fraud

84% of consumers reported they would never again shop with a business that approved a fraudulent order with their credit card.

GDPR and PDS2 are serious about data privacy

As if those impacts weren’t enough, any business selling into Europe also must consider the fees and fines associated with compromised personal data.

Published in 2018, the General Data Protection Regulation (GDPR) is the toughest privacy and security law in existence today and the first law designed to address data privacy and protection. It gives a set of privacy rights to customers who provide their information to businesses.

Under this law, any organization that stores personal data belonging to an EU citizen must fulfill a rigorous set of requirements:

  • They must justify why the data is being collected and only collect what is absolutely necessary.
  • They keep the collected data accurate.
  • The data can only be kept for a set period of time.
  • All data must be encrypted.

Here’s the kicker: Penalties for violating GDPR start at 20 million euros or 4% of the ecommerce business’ global revenue, whichever is higher. 

Podcast Episode - Gateway to Ecommerce - The State of Privacy & Data Protection in 2021

Similarly, PSD2 (Payment Services Directive 2) applies to businesses selling into the European Economic Area (the EU countries plus Norway, Iceland and Liechtenstein) and requires new provisions such as strong customer authentication (SCA) for card-not-present transactions.

These extra measures require online businesses and their customers to jump through multiple hoops, which will increase checkout friction and could cost you customers.

Whether or not your business is subject to PSD2 is to be determined, but if you sell into any of the countries impacted, you’ll need to be ready.

So what can your business do to prevent ATO fraud?

ATO Fraud Protection: Smart Tactics for SMBs and Enterprise

ATO Fraud Protection: Smart Tactics for SMBs and Enterprise

As we've seen, ATO fraud is on the rise, and the results can be devastating to consumers and businesses.

Based on your business size, liability tolerance and customer experience goals, there are combinations of fraud prevention tactics to consider.

The most important tactic is to choose a solution will reduce your fraud levels without compromising customer experience and revenue growth.

Let’s take a look at those tactics and how they can work for both small businesses and enterprise retailers.

3D Secure

3D Secure or 3DS was introduced in the late 1990s to increase transaction security but requiring authentication for online purchases and shifting the liability away from business onto credit card issuers. The technology has evolved to analyze multiple data points, giving online companies a greater level of confidence and reducing chargebacks. It has been especially useful for mobile commerce.

However (and it’s a big however), 3DS has its downsides.

For starters, the extra authentication takes time, which can translate to more cart abandonment. It also adds friction with multiple hoops to jump through, driving good customers away. While your chargebacks may decrease, your false declines will almost assuredly increase—we’ve already covered why that is problematic.

Lastly, 3DS provides little to no intelligence across your payments landscape. If you work with 20 payment processors, you will have 20 disparate 3DS connections to manage and no ability to see patterns across them.

Our Take: 3DS is potentially a good solution for a small ecommerce business with very limited payment processors. Once you get into multiple payment options and large quantities of transactions, you risk missing fraud patterns and/or increasing false declines.

CTA - S01E05 - Understanding 3DS and Potential Issues for Ecommerce Merchants - Mid

Automated solutions

Automated solutions allow businesses to hand their fraud protection over to a third party where transactions are processed through automated systems. They are approved or declined based on preset parameters and filters.

While this solution has advantages, such as fast processing time and hands-off fraud protection, it also limits your insight about the customers and fraudsters making transactions. Quite often these solutions are hampered by slow adaptation to when consumer behavior changes, as is the case during holiday season or when they are on vacation.

And purely automated solutions tend to treat any potential fraud like actual fraud. That means more false declines, lost lifetime revenue and unhappy customers.

Our Take: Automated solutions are just one part of the overall solution that online businesses should consider.

Hybrid solutions

A hybrid solution offers the best of everything: Preliminary fraud filters to identify potential fraud, secondary review to allow or deny those transactions, and artificial intelligence to automatically approve transactions that pass with flying colors.

hybrid solution

A hybrid solution offers the best of everything: Preliminary fraud filters to identify potential fraud, secondary review to allow or deny those transactions, and artificial intelligence to automatically approve transactions that pass with flying colors.

This solution tend to result in higher approval rates and fewer false declines. And, because the artificial intelligence “learns” customer behavior, it can spot fraud patterns and reduce chargebacks. Generally, transactions that should be approved are done so more quickly. Not to mention, the data intelligence businesses get from having all transactions pass through the same solution. You get smarter while the AI machine gets smarter.

Granted, some transactions will take longer to process and a subset of those will be valid customers, so you’ll need to communicate to consumers that you are protecting their data and that may mean a delay here and there. Cons:

Our Take: A hybrid solution can be adapted for any size business.  Small businesses will benefit from processing all transactions (or at least peak shopping time transactions) through a hybrid process.

For enterprise retailers, a customized hybrid solution can augment the intelligence, analytical prowess, and productivity of fraud analysis teams during periods of high volume or when staffing is low.

ClearSale Works With Online Retailers to Fight ATO Fraud

ClearSale brings a global network and dataset to distinguish between a valid customer and a fraudster.

How? By combining intelligent technology with intelligent people and processes. Our proven, proprietary statistical algorithms are combined with the vast intelligence shared among our team (the world's largest) of highly trained fraud analysts. 

ClearSale can also conduct a full analysis of any client’s database to provide visibility into fraud trends as well as consumer behaviors and attitudes.

If you are looking for a partner to help prevent ATO, contact us and one of our analysts will work with you to create a solution specific for your company’s unique needs. 

Not a small business?

Don't worry. Our enterprise solution is customized to your organization.

Small Business Ecommerce Fraud Protection - How It Works With ClearSale

ClearSale Reviews


Saves a ton of time and headaches!

"I don't have to spend time researching orders to see if they are fraud or not. I love that ClearSale backs up their approvals with a money-back guarantee if the order turns out to be fraud."



Amazing Company to work with

"Their customer service is the best. They are quick to respond and answer questions regarding orders that are denied."

Teresa E.


ClearSale Has Been Amazing!

"Quick fraud detection on all orders. Ease of use on the platform. Never had a chargeback."



Excellent service - both timeliness and fraud control

"I have always received immediate response and minimal fraud rejection -- which leads to increased sales."



Ready to
Get Started?

Let’s Talk!

Find out how to prevent chargebacks AND sell more.
Talk with a ClearSale CNP fraud expert today!