As ATO attacks surge, consumers expect merchants to protect them from fraud
Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 to Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses — those that sell physical goods online —jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte, ecommerce sales are forecasted to grow 25-35 percent and are expected to generate $182 billion and $196 billion this season.
When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.
Account hacking leads to brand abandonment
According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.
And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
Additional findings
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
- Other online destinations on which consumers reported experiencing ATO include:
- Social media sites: 36 percent
- Financial services sites: 35 percent
- Online dating sites: 22 percent
- Travel sites: 19 percent
ATO attacks for financial gain
Like payment fraud and content abuse—two of the other links in the fraud supply chain – account takeover is typically a means to a financial end.
Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Customer security as customer experience
“Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic. Unfortunately, fraudsters have too,” said Jason Tan, CEO of Sift.
“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”