How to identify account takeover fraud
Global e-commerce rose by three percentage points, from 14% in 2019 to 17% in 2020. Part of that jump may be due to pandemic lockdowns, but digital commerce has been rising steadily since 2017, and according to Statista the value of e-commerce is projected to grow at an annual rate of 8.76% through 2025. For banks, insurers, and logistics companies this means more revenue and more customers, and to serve those customers businesses now store more data online than ever before. Where the mechanisms protecting customer and business data are weak, fraudsters gain a much larger surface for stealing sensitive data and compromising accounts.
Using bots and botnets, criminals can target hundreds of accounts at once. The speed at which bots work, and their ability to operate quietly, make these attacks hard to detect. Account takeover is the act by which fraudsters steal sensitive information and assume control of a customer's account. According to a study by Forter, account takeover increased by 31% year-on-year in the third quarter of 2017. With account takeover still growing, how do you stay ahead of it? Below are several indicators that help identify account takeover, together with the precautions to take.
When a user has new account details, a new delivery address, and a new device
How can you identify an attack when there are no links or common details between the targeted customers? Even sophisticated fraudsters attempting account takeover tend to follow the same behavior pattern, and the combination of the events below can hint at an account takeover:
- The customer updates their profile details, be it name, phone number, or email.
- The customer logs into the account from a new device within 24 hours of changing those details.
- The customer places an order with a new delivery address after the two events above.
Any one of these happens routinely for genuine customers; it is the sequence, inside a short window, that is suspicious.
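The three-event sequence above can be checked mechanically over an account event log. The following is an added example, not code from the original article: it runs over a small constructed event stream (assumed event types `profile_update`, `login` and `order`, with an assumed `known_device` flag that a real merchant would derive from a device fingerprint store) and flags only accounts where a watched-field change is followed by a new-device login within the window and then an order to a new address.

```python
from datetime import datetime, timedelta

# Constructed sample event stream (illustrative, not real merchant data).
# Each row: (ISO timestamp, account_id, event_type, details)
EVENTS = [
    # A100: email changed, new device logs in 2.5h later, order to a new address
    ("2021-03-01T09:00:00", "A100", "profile_update", {"fields": ["email"]}),
    ("2021-03-01T11:30:00", "A100", "login", {"device_id": "dev-77", "known_device": False}),
    ("2021-03-01T11:45:00", "A100", "order", {"new_address": True}),
    # A200: phone changed, but the login is from a known device and the order
    # goes to a saved address, so this looks like a genuine customer
    ("2021-03-02T10:00:00", "A200", "profile_update", {"fields": ["phone"]}),
    ("2021-03-02T12:00:00", "A200", "login", {"device_id": "dev-12", "known_device": True}),
    ("2021-03-02T12:10:00", "A200", "order", {"new_address": False}),
    # A300: same shape as A100, but the new-device login comes 49h after the change
    ("2021-03-03T08:00:00", "A300", "profile_update", {"fields": ["name"]}),
    ("2021-03-05T09:00:00", "A300", "login", {"device_id": "dev-99", "known_device": False}),
    ("2021-03-05T09:30:00", "A300", "order", {"new_address": True}),
]

# Profile fields whose change starts the sequence (name, phone, email per the article).
WATCHED_FIELDS = {"name", "phone", "email"}


def flag_takeover_sequences(events, window_hours=24):
    """Return account ids whose history contains, in order:
    1. a change to a watched profile field,
    2. a login from a device not previously seen on the account, within
       window_hours of that change,
    3. an order to a new delivery address after that login.
    """
    window = timedelta(hours=window_hours)

    # Group events per account, oldest first (ISO timestamps sort lexically).
    by_account = {}
    for ts, acct, kind, details in sorted(events, key=lambda e: e[0]):
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, details))

    flagged = []
    for acct, history in by_account.items():
        update_at = None            # time of the most recent watched-field change
        new_device_login_at = None  # time of a qualifying new-device login
        for t, kind, d in history:
            if kind == "profile_update" and WATCHED_FIELDS & set(d["fields"]):
                # A fresh change restarts the sequence; an older login no longer counts.
                update_at, new_device_login_at = t, None
            elif (kind == "login" and not d["known_device"]
                  and update_at is not None and t - update_at <= window):
                new_device_login_at = t
            elif kind == "order" and d["new_address"] and new_device_login_at is not None:
                flagged.append(acct)
                break
    return flagged


if __name__ == "__main__":
    print(flag_takeover_sequences(EVENTS))  # ['A100']
```

The 24-hour window is the article's figure; widening it (`window_hours=72`) also catches A300, at the cost of more false positives from customers who simply bought a new phone. Tune it against your own history of confirmed takeovers.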
A lot of changes in customer details happening at once
In most cases, a cybercriminal who gains access during an account takeover does not do anything with the compromised account right away. If the merchant flags the login and takes a precautionary measure, such as sending an alert to the customer, the cybercriminal reacts by rushing to lock in the accounts they hold: they change the login credentials, emails, usernames, and passwords on every account that has fallen victim. A spike in credential changes shortly after such precautionary measures points to an active account takeover. A single genuine customer will also reset a password after an alert, so look at the volume of changes across accounts, not at one account in isolation.
The same change performed on multiple accounts
Some cybercriminals want to hold on to an account so that nobody else, including the real owner, can take it back from them. They accomplish this by changing details on the customer profile. Rather than change every detail, in most cases they change a single field, so you may notice a burst of changes to the email or phone number field. A closer look may show the same phone number or email being written across all of those changes; it is most likely the fraudster's own, and it is a red flag strongly associated with account takeover. The reuse happens because, in many countries, an individual can register only a limited number of phone numbers.
Presence of multiple accounts that are linked to the same device
Some fraudsters rent networks rather than build their own. Often, cybercriminals do not change or mask their device between logins to different accounts, so all the victim accounts are linked to one device that belongs to the cybercriminal. Since a family, a team of coworkers, or friends may legitimately share a device, take such factors into consideration before confirming the attack.
Accounts having IP addresses from multiple countries
An account whose logins come from IP addresses in multiple countries is a strong indicator of account takeover. When malicious actors attempt mass logins to test their access to a list of accounts, they do not know each customer's location, so they cannot match the IP address country to the customer each time. Multiple cybercriminals may also attempt the same accounts once a breached credential list is published online: a cybercriminal in the UK may access an account just accessed by another in Australia, and a fraudster in the USA may have accessed the same account ten minutes earlier. Such travel across the globe is impossible even for the most well-traveled customer. Corporate VPNs and mobile carrier gateways can place a genuine customer in another country's IP range, so check the address ranges before acting, but they do not explain three countries in ten minutes.
Monitoring customer behaviors
You can detect certain anomalies by observing a customer's account history. Is a user suddenly spending far more than usual, or placing a suspicious number of orders in a short period? Investigate such a customer further and check whether the account details have changed recently. Unusual spending combined with recent changes to the account details is an indicator of account takeover.
The ratio of known to unknown devices
Device spoofing is a technique in which software masks the device in use. Cybercriminals rely heavily on spoofing to hide their devices, so when they access the service their device models show up as unknown. A rise in the share of unknown device models, relative to your normal baseline, suggests fraudsters are attempting account takeover, since genuine devices report their known models.
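The cross-account signals from the preceding sections (one contact value written into many profiles, one device logging into many accounts, one account seen from several countries within minutes, and the share of unknown device models) can all be computed from two tables: profile changes and logins. The block below is an added example, not code from the original article; the profile-change and login rows are constructed, and the column layout (device id, reported model, IP country) is assumed rather than taken from any particular merchant platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (illustrative, not real merchant data).
# Profile changes: (account_id, field, new_value)
PROFILE_CHANGES = [
    ("A1", "phone", "+15550001111"),   # the same number written into three profiles
    ("A2", "phone", "+15550001111"),
    ("A3", "phone", "+15550001111"),
    ("A4", "email", "alice@example.com"),
    ("A5", "phone", "+15550009999"),
]

# Logins: (ISO timestamp, account_id, device_id, device_model, ip_country)
LOGINS = [
    ("2021-03-01T10:00:00", "A1", "dev-X", "unknown", "GB"),   # one device, three accounts
    ("2021-03-01T10:02:00", "A2", "dev-X", "unknown", "GB"),
    ("2021-03-01T10:04:00", "A3", "dev-X", "unknown", "GB"),
    ("2021-03-01T10:05:00", "A9", "dev-Y", "unknown", "AU"),   # A9: AU then US, four minutes apart
    ("2021-03-01T10:09:00", "A9", "dev-Z", "unknown", "US"),
    ("2021-03-01T12:00:00", "A4", "dev-K", "iPhone 12", "DE"),
    ("2021-03-01T12:30:00", "A5", "dev-L", "Pixel 5", "DE"),
    ("2021-03-02T12:30:00", "A5", "dev-L", "Pixel 5", "DE"),
]


def shared_contact_values(changes, min_accounts=3):
    """Contact values (phone/email) written into at least min_accounts distinct profiles."""
    accounts = defaultdict(set)
    for acct, field, value in changes:
        accounts[(field, value)].add(acct)
    return {k: sorted(v) for k, v in accounts.items() if len(v) >= min_accounts}


def shared_devices(logins, min_accounts=3):
    """Device ids that have logged into at least min_accounts distinct accounts.
    Shared household or team devices will show up here too; treat it as a lead."""
    accounts = defaultdict(set)
    for _ts, acct, device, _model, _country in logins:
        accounts[device].add(acct)
    return {d: sorted(a) for d, a in accounts.items() if len(a) >= min_accounts}


def multi_country_accounts(logins, window_minutes=10, min_countries=2):
    """Accounts seen from min_countries or more IP countries inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(list)
    for ts, acct, _device, _model, country in logins:
        per_account[acct].append((datetime.fromisoformat(ts), country))
    flagged = {}
    for acct, rows in per_account.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            countries = {c for t, c in rows[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[acct] = sorted(countries)
                break
    return flagged


def unknown_device_ratio(logins):
    """Share of logins whose device model could not be identified.
    Compare this against a historical baseline; the absolute value means little on its own."""
    if not logins:
        return 0.0
    unknown = sum(1 for _ts, _acct, _device, model, _country in logins if model == "unknown")
    return unknown / len(logins)


if __name__ == "__main__":
    print(shared_contact_values(PROFILE_CHANGES))  # {('phone', '+15550001111'): ['A1', 'A2', 'A3']}
    print(shared_devices(LOGINS))                  # {'dev-X': ['A1', 'A2', 'A3']}
    print(multi_country_accounts(LOGINS))          # {'A9': ['AU', 'US']}
    print(unknown_device_ratio(LOGINS))            # 0.625
```

Each function returns the offending value together with the accounts it ties together, which is the cross-reference the conclusion below asks you to keep: an investigator needs to see that `dev-X` and `+15550001111` point at the same three accounts, not just a count.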
Conclusion
Have you noticed two or more of the above signs in your customer data? Then you most likely have an active account takeover attempt on your hands, and prompt investigation is necessary to prevent losses, financial or data. Ensure that you have collected enough data around these indicators, particularly the verified changes to the account such as changes to payment methods, passwords, and contact details, and keep that data in a form that you can easily cross-reference. Notify the affected customers promptly when you see such signs. Unfortunately, many merchants try to handle the situation on their own and rarely alert their customers about data breaches or account takeovers.