Account takeover attacks (ATOs) are a problem. My company, Riskified, recently commissioned a survey of about 4,000 customers and 425 merchants and found that 66% of merchants and 69% of customers are concerned about their accounts getting hacked. But we also found that a surprisingly large percentage of merchants are completely unprepared to tackle ATOs, with 27% of all merchants reporting that they don’t have measures in place to prevent them.
Account takeovers occur when a fraudster gains access to a legitimate customer’s account, often through stolen login information gained by phishing or a data breach. Once accessed, the fraudster can pose as a legitimate customer, making it harder for merchants to recognize the fraud, and helping fraudsters make off with stolen goods. It’s proven to be a successful tactic – 35% of merchants surveyed reported that at least 10% of their accounts have been taken over in the last year.
So what losses do merchants sustain as a result of an ATO? The obvious answer is chargebacks. Fraudsters love ATOs, and merchants vulnerable to ATOs will eventually have a chargeback problem on their hands. But that’s not all.
Damaging merchants’ brand and future business
To understand the full extent of an ATO’s impact, we must look at what happens to account holders after an attack or, more precisely, what doesn’t happen. Our survey found that of the customers who have been victims of an ATO, only 7.5% say they were contacted about the ATO by the merchant. The other 92.5% learned about it from their credit card company (36.3%), from an order confirmation they received (26.3%), by seeing the unauthorized purchase on their account (16.9%) or by finding their account details or password changed (13.1%).
That’s a terrible customer experience and a huge blow to a merchant’s brand reputation. It’s little wonder that 65% of customers say that they would stop buying from a merchant if their account was compromised. Our survey also found that 54% of customers would delete their account, 34% would go to a competitor, and 33% would tell their friends to stop shopping with the merchant. The revenue losses resulting from an ATO aren’t limited to chargebacks. They include further potential business from a merchant’s account holders and the referrals they could bring.
It’s even more important for merchants to have robust ATO prevention when you consider how much business merchants get from account holders. Sixty-four percent of merchants we surveyed say that at least half of their orders come from account holders, and those account holders spend more (according to 58% of merchants) and shop more frequently (according to 61% of merchants) than guest-checkout users.
Switching to an end-to-end approach
ATOs are hard to prevent effectively because the point at which the fraud occurs gives merchants little data to review. Merchants are working with a login and a password – and not the items purchased and billing and shipping details, for example – so it’s a tough decision based on limited information. Merchants can start by taking into account as much information as possible, such as device and network details, proxy usage and previous logins. They should use all the data points that can help determine in real time if the person accessing the account is the legitimate account holder.
But what’s more important is that merchants understand ATOs from the fraudster’s point of view. For them, the ATO isn’t the goal – stealing customer data or successfully placing an order is. With that in mind, merchants should view ATOs as longer-term events rather than isolated account actions and take steps based on the larger picture, the risk level and customer expectations. With an end-to-end approach, merchants can maximize revenue and minimize customer frustration by viewing account security as a continuum.
If, for example, a customer logs in from a new country and new IP using a unique device, they’re likely to be declined at checkout. That’s a bad customer experience, and it’s far better for the merchant to employ multi-factor authentication at login to verify the customer and approve the purchase rather than decline it at checkout.
But that type of hard verification isn’t always necessary. For account events that fall in a grey area, merchants can wait to see what happens next. If the cart from the initially suspicious login reaches checkout with an order typical of the account holder’s purchase history and shipping to a known address, then merchants can likely safely approve the order and recognize the unfamiliar device for the future.
On the other hand, if a merchant views an account activity as safe, but that’s followed by unusual shopping activity and a high-value cart, the merchant can ask the shopper to verify their identity, potentially preventing a chargeback and the ensuing damage. Viewing transactions from start to finish is invaluable in increasing accuracy.
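The three scenarios above can be sketched as one session-level decision flow. This is an added example, not Riskified's code; the field names, the "two unfamiliar signals" rule and the 3x high-value threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:            # history the merchant already holds (hypothetical fields)
    known_devices: set
    known_countries: set
    known_addresses: set
    typical_order_value: float

@dataclass
class Login:
    device_id: str
    country: str
    via_proxy: bool

@dataclass
class Checkout:
    cart_value: float
    ship_to: str

HIGH_VALUE_FACTOR = 3.0   # assumption: "high-value" means 3x the typical order

def decide_login(acct: Account, login: Login) -> str:
    """Return 'allow', 'watch' (grey area) or 'mfa' from the login signals alone."""
    unfamiliar = sum([
        login.device_id not in acct.known_devices,
        login.country not in acct.known_countries,
        login.via_proxy,
    ])
    if unfamiliar >= 2:   # assumption: two or more unfamiliar signals need MFA
        return "mfa"
    return "watch" if unfamiliar == 1 else "allow"

def decide_checkout(acct: Account, login: Login, checkout: Checkout,
                    verified: bool = False) -> str:
    """Return 'approve' or 'verify' using the whole session, not just the cart."""
    typical = checkout.cart_value <= HIGH_VALUE_FACTOR * acct.typical_order_value
    known_addr = checkout.ship_to in acct.known_addresses
    if verified or (typical and known_addr):
        acct.known_devices.add(login.device_id)   # recognize the device next time
        return "approve"
    return "verify"       # step up now rather than decline or absorb a chargeback

if __name__ == "__main__":
    # Constructed sample data: a grey-area login followed by a typical order.
    acct = Account({"dev-a"}, {"US"}, {"12 Elm St"}, 80.0)
    grey = Login("dev-x", "US", via_proxy=False)
    print(decide_login(acct, grey))
    print(decide_checkout(acct, grey, Checkout(75.0, "12 Elm St")))
    print(decide_login(acct, grey))
```
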
That’s why it’s also important for merchants to ensure the teams managing the different parts of the shopping journey are communicating and coordinated. This end-to-end approach to tackling ATOs doesn’t just decrease risk for merchants, but results in a better customer experience that helps merchants increase revenue.