Account takeover fraud detection

Account takeover fraud (ATO) takes place when a fraudster uses somebody else’s credentials in order to gain access to their account. Once a fraudster has gained access to the user’s account, they can then monetize it by either transferring funds, making unauthorized purchases, or selling the verified account data to someone else. 

Account takeover fraud can be incredibly difficult to spot and stop. However, there are ways that your business can identify potential threats. After all, even though fraudsters are continually finding new ways to execute their attacks, if your business adopts the correct account takeover fraud detection tactics, then you can stop them in their tracks.

To help you do just that, we’ve put together this guide that includes everything you need to know about account takeover fraud detection.

How to detect and stop account takeover attacks

Account takeover fraud is hugely damaging for businesses and customers alike. Not only does it lead to costly chargebacks, but successful attacks can also have a detrimental effect on the company's reputation and customer loyalty. Due to this, your business needs to detect account takeover attacks as quickly as possible.

Sadly though, not only are account takeover attacks hugely damaging for a business, but they’re also incredibly difficult to identify. This is because, when taking over an account, a fraudster will attempt to mimic the customer’s normal behaviors. Plus, the actions they take when taking over an account (such as changing the password or the email address that corresponds to the account) are carried out hundreds of times a day by honest customers.

Employing the use of a fraud detection system

When considering which account takeover fraud detection processes you should implement, your company must consider the benefits provided by a fraud detection system.

By using an effective fraud detection system, you’ll receive full visibility into a user’s activity before, during, and after every transaction. By monitoring all transactions on an account, you’ll be able to identify patterns of behavior that indicate the possibility of account takeover fraud.

Such a tactic is commonly employed by banks. In this context, the software may detect that the user is trying to make numerous transfers to new payees in quick succession, or is suddenly trying to add several new payees in different countries. Alternatively, the software may spot that although a customer recently accessed their account in the US, another login attempt has been made in Europe.

Whenever there is a risk of ATO fraud, a prevention system will challenge the person who is attempting to make a transaction. In doing so, they will ask for a higher level of authentication before a transaction is executed.

For example, rather than asking for a password, the system will instead ask the customer for a fingerprint biometric or a facial scan. Then, if the authentication is successful, the transaction can be processed. However, if a fraudster is attempting to make the transaction, they will be unable to pass the check and the fraud attack will be stopped in its tracks.

What can you do to prevent account takeover fraud?

Preventing account takeover fraud is difficult. However, if you follow best practice, you’ll limit the likelihood of an ATO occurring. Due to this, you should follow these steps:

Ensure your customers understand the importance of account safety

One of the best ways of preventing account takeover fraud is by ensuring that your customers understand just how valuable their account information is. By changing the behavior of your customers, you can make it much harder for fraudsters to access their accounts.

Due to this, you should remind your users to:

• Stop reusing passwords
• Update their passwords regularly
• Use a password manager
• Access sites directly rather than using email links
• Check URLs for errors and misspellings 

Communicate openly with your customers 

As well as asking your customers to take preventive actions, you should also communicate with them when a change is made to their account.

For example, if a customer changes their contact information, then you should send them an email acknowledging the change. As part of this, you should provide them with contact information. This way, they can get in touch with you immediately if they didn’t make the requested change.

Upgrade your security

Finally, you should also improve your security systems and ensure that data protection practices are followed at all times. For example, you should use SSL on pages that collect sensitive or personally identifiable information, use encryption wherever possible, and limit user input to ensure your site code is not vulnerable to SQL or HTML injection attacks.

As part of this security upgrade, you should upgrade your security so that you’re no longer reliant on static passwords. Instead, you should use a multi-factor authentication solution that includes biometrics such as facial recognition.

What are the signs of an account takeover attack?

Even when you’ve put processes in place that will help you prevent account takeover fraud, you should remain vigilant. This way, you can stop any attacks in their tracks. Common signs of account takeover fraud include:

Typical fraudster behavior

When taking over an account, most fraudsters will follow a similar pattern of behavior. If you know this pattern, you can flag suspicious activity quickly.

After accessing an account, a fraudster will usually initially change the account details, including the email account, phone number, and registered address. Following this, within 24 hours, they will log into the account from a new device. Then, they will place an order and get it sent to a new delivery address.

If these three steps are all followed in quick succession, then it’s likely a fraudster has hijacked the account.

Multiple accounts on the same device

Inexperienced fraudsters may forget to mask their device data. If you notice that the same device number is linked to multiple accounts, then it’s likely that a fraudster has taken over these accounts.

However, you shouldn’t block a user’s account just because the same device is accessing more than one account. This is because friends and family members may share devices. As a result, you should look for more clues that what you’re witnessing is a legitimate case of account takeover fraud before taking action.

Multiple IP addresses linked to an account

Following a data breach, a user’s credentials will be published on the dark web. At this point, fraudsters will then attempt to access the account.

However, these fraudsters cannot possibly know the exact location of each customer from the information provided. This means that they cannot match their IP address to fit the profile.

If you spot that a user’s account has an unusually high number of IP addresses connected to it, or several IP addresses from different countries, then this could be a sign of an attempted takeover.

Multiple changes are made to an account at once

When they take over an account, the majority of fraudsters will leave the details untouched for a period of time. However, if a notification is sent to the customer that a new login has been detected, fraudsters will rush to change the account’s details so the original user can no longer access it.

If multiple account changes are made simultaneously, then this is a sign that the account has been taken over and the fraudster is looking to secure it and block the user out.

What increases the risk of an account takeover attack?

Several factors can increase the risk of an account takeover attack. For example, accounts are at risk if customers reuse passwords on several different sites, or if a business is only reliant on static passwords for authentication purposes.

However, one of the greatest threats to account security comes from darknet markets, which have made account takeover fraud much more attractive to attackers.

Introduction of darknet markets

Thanks to the introduction of darknet markets, attackers no longer need to steal directly from targeted users. Instead, fraudsters can purchase account details on darknet markets. It also means that a fraudster can purchase large batches of user data and target multiple accounts simultaneously.

How Veriff helps with account takeover fraud detection and prevention

Here at Veriff, we offer a number of solutions that can help you secure user accounts and detect account takeover fraud. While our identity verification solution and our AML and KYC solution can help you verify new users, our biometric authentication software can match returning users and detect account takeover fraud.

Our biometric authentication software accelerates the user authentication process, utilizing facial biometrics (via the use of a selfie) to match the returning user. In doing so, it compares the person’s selfie with our existing session data. It can then quickly identify the user, eliminating friction and facilitating a smoother user experience in the process.    

By employing the use of biometrics to confirm a user is exactly who they’re claiming to be, you can take a step beyond passwords and one-time passcodes to secure customer accounts. You can also lock fraudsters out of an account before they can make changes to a customer’s details or attempt to make a purchase.

Led by powerful automation, our software can authenticate any user’s identity in only one second. It’s also 99.99% accurate and authenticates 99% of users on their first try.

Speak with the fraud prevention experts at Veriff

By putting the correct account takeover fraud detection policies in place, your businesses can stop fraudsters from accessing and using the accounts of your customers.

To discover more about how our solutions can help prevent ATO, talk to our fraud prevention experts today. We can provide you with a personalized demo that shows exactly how our solutions can help you.