What is Identity Theft?
Identity theft happens when your (or your customers’) personal and financial data is stolen. This could include your ID, bank account details, or credit/ debit card info. The stolen data is then used to make transactions or purchases or sold to other criminals.
Identity theft can happen in a number of ways. Fraudsters combine a set of tactics to steal personal info and gain unauthorized access to accounts. These include phishing, credential stuffing, malware, or man-in-the-middle attacks. The stolen info is then used to commit fraud.
Identity theft has grown over the last year, since the start of the pandemic. And with the rate of attacks going up, merchants are under pressure to ramp up safety measures without affecting the user experience.
What is Account Takeover Fraud?
Account takeover is a form of online identity theft. In account takeover fraud, a fraudster gains unlawful access to an account that you (or your customer) own. They use stolen login details to break into your account and steal your money or your information. They can make online purchases, use your loyalty credits, or sell your data on the dark web. Plus, they can also change your personal info, for instance, your account and contact details.
A recent report by Kaspersky found that in 2020, every second case of fraud was an account takeover. Account takeover has increased proportionally with the rise of identity theft.
In a successful account takeover, fraudsters will hide their tracks to avoid detection. They can make changes to an account, such as changing the login password or the notifications. In such a scenario, these fraudsters can carry out any number of illegal transactions that cause financial harm.
This is also damaging to your business. When a customer finds out about an account takeover, they are bound to dispute these transactions and raise more chargebacks. This, in turn, can strain their relationship with you and your brand.
How does Account Takeover Fraud happen?
Fraudsters use several sophisticated tactics to carry out account takeover fraud. These are:
Phishing scams target unsuspecting users by posing to be a trusted and well-known brands or websites. Users are sent a link via email, SMS, or social media that redirects them to a fake website or downloads malware to steal their private info.
2. Credential Stuffing
This involves fraudsters buying stolen personal info from the dark web, which includes email IDs and passwords. This info is then run through automated bots and scripts to crack accounts and illegally access them. Since many people use the same passwords for different accounts, this tactic can correctly guess passwords that lead to theft or misuse. A related tactic is credential cracking or a brute force attack. In a brute force attack, fraudsters guess the right password by making multiple login attempts.
This tactic involves downloading malicious software onto a user’s PC or mobile phone via a link. When a user clicks on the link, the malware gets installed on their system. It can then track everything that the user types, including bank or account details and passwords.
4. Man-in-the-middle Attacks
In a man-in-the-middle attack, a fraudster uses malware to intercept and alter messages sent from a victim’s device to the bank servers. For instance, fraudsters can set up a malicious Wi-Fi network as a public hotspot. Unsuspecting people who log into this network risk having their personal info stolen when they share their data over such a network.
How can you safeguard against these?
You can take several steps to protect your business from account takeover fraud.
1. Continuous monitoring with machine learning tools
First, you should continuously track your transactions in real-time. Machine learning tools can identify patterns of behavior based on how your customers shop online. They can help you to understand how your customers interact with their accounts and devices online. If there is any deviation from the customer’s usual behavior, the system can detect and flag it. Thus, you can quickly deal with threats when they arise.
2. Two-Factor Authentication
Second, use two-factor authentication (2FA) to verify your transactions. The revised PSD2 norms in Europe mandates the use of 2FA.
This process requires users to give a code that is sent to their email ID or phone number. It also uses biometrics, either a fingerprint or iris scan, to verify users. This prevents fraudsters from accessing an account, even if they happen to have the right password. It is a highly effective approach that works well.
3. Safe Browsing Practices
Safe browsing habits are crucial for online safety. Avoid suspicious websites, apps, or links. Report and delete suspicious emails. Send regular reminders to your customers to practice safe browsing and to frequently update their passwords.
4. Fraud management strategy
Build a robust fraud management strategy that is well-suited to you. Avoid one-size-fits-all solutions. Stay alert but also ensure that your payment experience remains frictionless. This will help you to focus on your customers while fighting fraud.
How a payments partner can help
Account takeover fraud is a sophisticated form of fraud, and newer forms are emerging. Hence, it is critical to protect your business and your customers from these events. The right payments partner can help you with the strategy and tools that you need to fight back against account takeover fraud. With AI-powered risk management, merchants can now access all the best resources that they need to protect their payments.
Antony Robinson is the Chief Marketing Officer at Novalnet. He is an information technology expert and an avid reader with more than 30 years of experience in web technologies, UX, media and marketing. He has extensive experience in managing global teams in every inhabited continent.