Account takeover fraud rates skyrocketed 282% over last year

ATO is the weapon of choice for fraudsters leading up to the holiday shopping season, new data from Sift shows, and consumers place account security burden on businesses.

Lock on enter key

Image: iStock/Stock Depot

Account takeover (ATO) fraud attempts to steal from consumers and e-commerce merchants swelled 282% between Q2 2019 to Q2 2020, new data from digital trust and safety provider Sift finds. The ATO rate is the ratio of attempted fraudulent logins over total logins. ATO rates for physical e-commerce businesses jumped 378% since the start of the COVID-19 pandemic, Sift's Q3 2020 Digital Trust & Safety Index found. This indicates that fraudsters are leaning heavily on this attack vector to steal payment information and rewards points stored in online accounts on merchant websites, according to the company.

SEE: Identity theft protection policy (TechRepublic Premium)

The index includes analysis from Sift's global network of 34,000 sites and apps and from a survey of US consumers, the company said.

According to Deloitte's annual holiday retail forecast, e-commerce sales are forecasted to grow between 25% and 35% and are expected to generate $182 billion and $196 billion this season. When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online, Sift said. "This can have a devastating impact on companies including financial repercussions and brand abandonment,'' the company said.

Account hacking leads to brand abandonment

ATO attacks also create significant and lasting brand damage, Sift said. In surveying 1,000 US adult consumers, the company said it found that more than one-quarter (28%) of respondents would completely stop using a site or service if their accounts on that site were hacked.

SEE: How to combat cyber threats amid the shift to remote working (TechRepublic)

And while consumers can secure their accounts by using tools like password managers, multi-factor authentication, and by using unique passwords, they largely ignore these best practices, according to Sift.

In fact, 66% of consumers surveyed said they either don't use any type of password manager or aren't sure if they do, despite 52% of them having concerns about becoming victims of ATO in the future, Sift said. Further, 25% of respondents said they have already had their accounts hacked at least once before.

Additional research from Sift's Q3 Digital Trust & Safety Index found:

  • Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation to overwhelm trust and safety teams.
  • Fraudsters sneak in and cash out: Of those who have experienced ATO, 41% of respondents reported that payment details were stolen and used to make purchases, and 37% of victims had money taken directly from their accounts. Another 37% had rewards points or credits taken and used to buy goods and services.
  • E-commerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61% said their e-commerce (both physical and digital goods and services) accounts were hacked.

Other online destinations on which consumers reported experiencing ATO include:

  • Social media sites: 36%
  • Financial services sites: 35%
  • Online dating sites: 22%
  • Travel sites: 19%

Customer security as customer experience

 Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic—and so have fraudsters, said Jason Tan, CEO of Sift.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

"The surge in account takeover attacks indicates that merchants can't leave the burden of account security to their customers,'' said Tan, in a statement. "Rather, companies should treat account protection as part of the overall customer experience and as a key part of their digital trust and safety strategy, which allows for seamless transactions while preventing fraud."

Also see

By Esther Shein

Esther Shein is a longtime freelance writer and editor whose work has appeared in several online and print publications. Previously, she was the editor-in-chief of Datamation, a managing editor at BYTE, and a senior writer at eWeek (formerly PC Week)...