Account takeover has been one of the fastest-growing types of fraud facing merchants over the past 12 months, according to research by fraud detection and payment acceptance specialist Ravelin.
Ravelin’s research has found that half (48 per cent) of merchants have experienced a significant increase in account takeover activity in the past year, with nearly three quarters (72 per cent) of retail merchants saying it’s in their top three fraud threats, along with online payment fraud and friendly fraud. Nearly a third (29 per cent) go as far as to say account takeover is now their top fraud-related threat.
According to Ravelin, while the threat of account takeover is increasing and data breaches and associated fines are top concerns for all merchants, few are taking steps to detect and prevent it. Just 64 per cent of merchants are tracking account email changes, while only half are tracking logins (52 per cent), password changes (48 per cent), phone number changes (53 per cent), and changes to dormant accounts (52 per cent).
The findings come from Ravelin’s Online Merchant Perspectives, Fraud & Payment Survey 2020 report, which draws on the opinions and experiences of 1,000 fraud and payments professionals around the world, providing an in-depth understanding of merchant fraud teams, their environment, top business threats, fraud activity trends and forecasts.
Taxi firms are the industry most affected by account takeover, with an average of 65 attacks per year. Gambling companies follow with 60 attacks per year, as accounts can have significant funds available, while grocers suffer 53 attacks per year, likely during the Covid-19 peak of online grocery shopping, Ravelin says.
Mairtin O’Riada, chief information officer and co-founder at Ravelin, said: “Account takeover is an extremely worrying threat for merchants, consumers and banks because it’s hard to assign blame. Who is at fault exactly? The user for reusing passwords? The merchant for allowing the transaction? Or the bank for allowing the purchase to go through? It’s unclear, but whenever it’s unclear, the merchant often takes the hit.
“One of the most effective means for preventing account takeover is two-factor authentication (2FA) at customer login, but it can often be bypassed. Merchants, therefore, need to be able to make smarter decisions using their data and shut down or temporarily freeze compromised accounts before cybercriminals have the chance to make fraudulent purchases. The only way to do that efficiently is through technology, tracking customer activities to identify behavioural patterns and scanning accounts for suspicious activity, because even the most sophisticated fraudsters repeat the same actions subconsciously.”