By Doriel Abrahams, Head of U.S. Analytics, Forter
Account takeover (ATO) fraud is a rapidly growing and costly challenge for businesses. In fact, it’s expected to surpass malware as the top cybersecurity concern in the not-too-distant future.
The COVID-19 pandemic certainly added fuel to the fire, as droves of consumers suddenly came online to create new accounts with stores and apps they had never visited before. Some of those customer accounts have since gone dormant, while many others remain inadequately protected due to weak passwords or the absence of safeguards like multi-factor authentication (MFA).
In working with many global brands over the years, I’ve been able to follow the ever-evolving trends in both customer behavior and fraud attack methods. What’s interesting to see is how ATO is playing out across the different industries and geographies – and more importantly, how businesses are responding.
Evolution of ATO
A decade ago, fraud prevention was largely focused on chargebacks and online checkout. But as merchants got better at protecting checkout, fraudsters got more creative with ways to attack. They’re no longer targeting just checkout, but the entire digital customer journey, of which ATO is a large part.
Fraudsters like going after online accounts for the same reasons customers open them: they make it easy to do business with merchants, whether it’s to purchase a product, cash in loyalty points or take advantage of a promotion. Consumers enjoy convenience and discounts. For fraudsters, it’s like walking into a candy store as a legitimate-looking customer with a sweet array of options to do damage.
The bad news is only getting worse for retailers, as fraudsters grow bolder and go after more valuable items than ever before. Across Forter’s own network, we’ve seen the average order value of items in ATO attacks increase by 51% in the past year.
Shifting Trends = New Opportunities
Always looking to exploit emerging trends, fraudsters are adept at tracking changes in the market. Attacks are up across many verticals, including digital goods, travel and cryptocurrency. And while all industries are ripe targets for ATO fraud, some are more attractive than others.
For example, the beauty industry has seen ATO attacks increase by 94%. Beauty and cosmetics has traditionally been a high-touch, in-person experience where customers often want to test the products before purchasing them and consult with a store associate on colors, scents and application techniques. This model isn’t going away, but more transactions have shifted from in-store to online over the last few years.
One explanation for the continued growth in beauty e-commerce is the exclusivity and special offers associated with online accounts. Beauty brands have long been masters at inspiring loyalty and enthusiasm for their products. Their carefully curated programs are successful at winning and keeping customers, but also open the door to new opportunities for fraudsters.
Beauty isn’t the only industry that fraudsters have followed with a keen eye. Online apparel also continues to grow, with some brands even integrating app-based purchase and interaction capabilities into their physical stores. It’s no surprise that ATO fraud against apparel companies has increased by 28% compared to 2021.
Proven Prevention Strategies
As criminals become more sophisticated, their fraud tactics are also evolving. So what can you do to protect your company from ATO without sacrificing the customer experience?
Every business has its own unique set of challenges, but here are three strategies that are widely effective at stopping ATO attacks in their tracks:
1. Stop ATO up front. Don’t wait until checkout to put up your defenses. Start right out of the gate by protecting the sign-up and login process. Putting in safeguards at the first point of entry helps dramatically ease the burden at checkout. We’ve consistently seen about a 35% reduction in ATO at checkout among merchants that add login protection.
2. Block bot attacks. Bots are everywhere, wreaking havoc at account creation, checkout and points in between. Because bots are designed to work at scale, once they break through, they keep going forever. But if you show bots that they’re not going to get in, they’ll simply move on. When you can identify and block bad bots successfully, ATO attempts will go down.
3. Use friction judiciously. Not all friction is created equal, and applying friction only where it’s appropriate – usually at login – gives a customer a chance to prove themselves and ensures you’re not letting in the wrong person. For instance, implementing multi-factor authentication (MFA) has proven to be highly effective for our merchants. Some two-thirds of MFA challenges failed, confirming the block was in the right place, and the remaining third were able to continue their journey without further hiccups.
With strong and ongoing growth in e-commerce, ATO fraud will remain a huge risk for online merchants. The good news is there are many ways you can protect your business – and your customers – at every critical point along the digital journey.