Understanding account takeover and its impacts

July 10, 2020
Sydney Green
Cybersource | Sr. Director, Risk Product

How can you recognize suspicious activity related to account takeover, and stop it in its tracks? Find out here.

Account creation perks

Do you encourage or require customers to set up accounts when they shop with you? While accounts offer a smoother checkout experience on any device, fraudsters in possession of customer account information stolen from one website can use those credentials to log in to accounts on other sites.

Smooth checkouts

When customers set up accounts with your company, you can offer a smoother checkout experience for them on any device, with no need to re-enter shipping and payment details each time they shop. And with the insight you gain into customers' purchase histories, you can develop deeper relationships and drive additional sales with personalized communications and promotions.

But customers don't always take all the right steps to protect the accounts they set up on websites like yours. In particular, many will reuse the same or a variation of the same password on multiple accounts. One study shows that 91% of shoppers know that doing so is a risk, but that 66% do it anyway.[1] This can leave their accounts vulnerable to takeover by fraudsters, which can have financial and other impacts on your business and your customers.

What is account takeover fraud?

We've all seen headlines about phishing and smishing attacks and large-scale data breaches in which customer account information is stolen. The businesses targeted by these attacks and breaches get a lot of negative coverage, and may face penalties for failing to adequately protect their customers' data.

But the fraudsters don't stop there. A fraudster in possession of customer account information stolen from one website will use those credentials to try logging in to accounts on other sites. These attacks are typically automated through the use of credential stuffing tools, which can attempt thousands of account logins simultaneously on multiple websites. And given the rate of password reuse, such attacks often bear fruit.

Once logged in to a customer account, the fraudster will take it over by changing the password and other details. Then, posing as the real customer, they have free rein to make fraudulent purchases and steal loyalty points and rewards.
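The sequence described above (one source trying logins against many accounts, then a successful login followed by a password change) can be searched for in authentication logs. The following is an added example, not code from Cybersource; the event layout, function names and thresholds are assumptions, and the log events are constructed.

```python
from collections import defaultdict

# Constructed events: (epoch_seconds, source_ip, account, action, outcome).
# This tuple layout is an assumption, not a real product's log format.
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice", "login", "fail"),
    (1002, "203.0.113.7", "bob", "login", "fail"),
    (1004, "203.0.113.7", "carol", "login", "fail"),
    (1006, "203.0.113.7", "dave", "login", "fail"),
    (1008, "203.0.113.7", "erin", "login", "ok"),
    (1040, "203.0.113.7", "erin", "password_change", "ok"),
    (1100, "198.51.100.20", "gina", "login", "fail"),
    (1110, "198.51.100.20", "gina", "login", "ok"),
    (1150, "198.51.100.20", "gina", "password_change", "ok"),
]

def find_stuffing_sources(events, min_accounts=5, window=300):
    """Sources that tried logins on >= min_accounts accounts within window seconds."""
    by_ip = defaultdict(list)
    for ts, ip, account, action, _ in sorted(events):
        if action == "login":
            by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide window forward
                start += 1
            if len({acct for _, acct in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def find_likely_takeovers(events, change_within=600, **kw):
    """(account, source_ip, time) where a flagged source logged in and then
    changed the password within change_within seconds (assumed threshold)."""
    sources = find_stuffing_sources(events, **kw)
    last_ok, hits = {}, []
    for ts, ip, account, action, outcome in sorted(events):
        if ip not in sources or outcome != "ok":
            continue
        if action == "login":
            last_ok[(ip, account)] = ts
        elif action == "password_change":
            t0 = last_ok.get((ip, account))
            if t0 is not None and ts - t0 <= change_within:
                hits.append((account, ip, ts))
    return hits

if __name__ == "__main__":
    print(find_likely_takeovers(SAMPLE_EVENTS))
```

The customer who mistypes a password once and then changes it (gina in the sample) is not flagged, because that source touched only one account. Source IP is the simplest grouping key; the same sliding-window count works with any other key your logs carry.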

The impact on your customers and your business

Naturally, the fact that the fraudster logs in using legitimate credentials can make account takeover fraud particularly challenging to spot. Customers should take appropriate steps to protect themselves, as discussed in this blog by Visa. But it's important for you to be able to recognize suspicious activity that can indicate account takeover, and to stop it in its tracks. Inability to do so could have the following consequences.

A customer whose account is taken over will find themselves locked out if they attempt access. They may be unaware of the account takeover until they see unauthorized transactions on a card statement. Their personal information may also be compromised.

A business whose customer accounts are taken over can suffer financial and reputational losses, including:

  • Fraudulent transactions may come back as chargebacks. This may cause the business to bear costs associated with disputing and processing chargebacks. Customer refunds and inventory losses can add to the financial impact.
  • Higher chargeback rates may have a negative effect on the business's reputation, leading to higher decline rates from issuers and potential penalty measures from card schemes. And as the fraudsters attempt to use card-on-file credentials or stolen cards, it's also likely this will be recognized and stopped by issuers, which can affect the business's overall decline rate.
  • Loss of customers and future revenues may occur, as customers whose accounts are taken over lose trust in the brand and walk away.
  • Brand and reputation may suffer, as the business may find itself unfairly accused of a data breach, which could lead to negative publicity, fines, and further lost business.

Protecting against account takeover

Protection against account takeover fraud typically sits outside of a fraud screening solution, so you'll need to consider what other tools and techniques can help. You'll find more support and advice in future blog posts in this series, where we'll look at:

  • What makes loyalty points a target for fraudsters who take over accounts.
  • Best-practice approaches to guarding against account takeover and loyalty fraud.

In the meantime, you can find out more about how Cybersource can help you prevent account takeover fraud by visiting the Account Takeover Protection page.

[1] "Psychology of Passwords Report," LastPass, May 2020