No business wants to suffer an account takeover (ATO) attack, but few realize the true extent of the damage it can cause. Once a cybercriminal gains unauthorized access to a legitimate user account, the possibilities for fraud abound. Read on to learn how fraudsters use compromised accounts for monetary gain, leaving damaged brand reputations and financial losses in their wake.
1. Make Fraudulent Purchases
Consumers often store credit card numbers, gift card balances, loyalty points and airline miles in their accounts for easier checkout. In fact, 45% of consumers prefer this. Attackers who compromise user accounts are free to go on a shopping spree, courtesy of the ATO victim. Cybercriminals typically purchase gift cards that they can either sell on a secondary market, or use the gift cards themselves to purchase electronics and other high-value items for resale. Businesses suffer financial losses due to refunds, chargebacks and processing fees, additional customer support resources and damage to brand reputation.
2. Commit Warranty Fraud
Fraudsters can change the email and shipping address associated with an account after a successful takeover. After reviewing the account's purchase history, they can call customer support to claim that an ordered item was never delivered, arrived damaged or broke while under warranty, and demand a replacement. This can cost businesses inventory that they'll never get back. Fitbit, for example, experienced a warranty fraud attack in which bad actors asked for replacements of its $250 premium fitness tracker. After being swindled out of merchandise, Fitbit responded by locking compromised accounts. It took Fitbit two weeks to resolve the problem and unfreeze the accounts, much to the frustration of its legitimate customers.
3. Create Fake Accounts
Cybercriminals can use the personally identifiable information (PII) stored in a compromised account to open fake accounts using that name across other sites. Using fake accounts, fraudsters can distribute malware, post fake reviews and conduct all the activities mentioned above. This allows them to commit fraud on a much larger scale that extends far beyond the user’s original account. The damage surpasses what can be done by any single breached account and businesses are left to suffer the consequences of account fraud multiple times over.
4. Funnel Money on Online Marketplaces
Because digital currency is often used to transfer funds on online marketplaces, cybercriminals have more avenues to siphon money on these platforms. They start by creating fake accounts on the marketplace offering fake products or services. Next, they take over legitimate accounts and use stored funds to purchase their own fake services. This allows them to secure the digital currency immediately across multiple fake accounts and then cash it out little by little. Alarm bells will usually ring if an account balance is drained in one go, but this technique enables fraudsters to fly under the radar.
5. Submit Fake Credit Applications
Online financial accounts — such as banks, stock investments, mortgages, loans and insurance — are an especially appealing target for cybercriminals because these often contain the most complete and sensitive personal data, including social security numbers. Attackers can use the information stored in financial accounts to take out fake loans and lines of credit, leaving victims in significant debt. The financial business will also suffer major losses, including the direct fraud costs from the event, customer service and IT costs, loss of consumer trust and reputation damage.
6. Post Fake Reviews
Fraudsters can post fake reviews using compromised accounts, artificially disparaging or praising a product or service. This is a way for cybercriminals to damage a competitor’s reputation or promote their own product or service. Since reviews are usually highly trusted by potential customers, fake reviews can have a lasting impact on a company’s bottom line.
7. Distribute Malware
Malware, or malicious software, is used to steal data or damage computers and networks. Fraudsters commonly distribute malware through infected links in phishing emails or spam messages on social media. When a bad actor takes over a legitimate account, they can send a malicious link to that person’s address book. It’s far more likely that unsuspecting recipients of the email message will click on the enclosed link because they recognize the sender’s email address. The same premise holds true when social media accounts are hacked. Even the savviest of users can be tricked if they believe a link is sent from a trusted friend. Because it is used to steal login credentials, payment data and other PII, malware paves the way for additional ATO attacks and begins the attack lifecycle all over again.
Don't Let Cybercriminals Take Over Your Users' Accounts
ATO can have long-lasting repercussions for online businesses, including significant financial losses and damage to brand reputation and consumer trust. Research has found that e-commerce merchants can lose 18-23% of net revenue due to malicious bots, and financial institutions can lose 5-9% of revenue generated from monthly average users. And with bot attacks up 106% YoY, cybercriminals show no signs of slowing down.
So, how can brands protect themselves and their customers? The following tips are a strong start:
- Store passwords only as salted hashes produced by a deliberately slow, memory-hard function (bcrypt, scrypt or Argon2), never in plaintext or under reversible encryption, so a database leak does not hand attackers reusable credentials.
- Require good password practices and multi-factor authentication (MFA).
- Proactively check submitted credentials against known-breach corpora (a k-anonymity range lookup lets you do this without sending the password or its full hash to a third party) and block or force a reset on logins that use stolen usernames and passwords.
- Adopt a behavior-based bot management solution to stop ATO attacks against your web and mobile apps and APIs.
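The following is an added example, not code from the original post or from PerimeterX, showing the first and third tips above in working form: passwords are stored as salted scrypt hashes and compared in constant time, submitted passwords are checked against a breach corpus using the SHA-1 prefix/suffix k-anonymity pattern, and a login routine combines the two. The breach corpus is a small constructed stand-in seeded with a few well-known leaked passwords; a real deployment would query a breach-data service by hash prefix instead. Function names and the `users` dictionary shape are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumption for the example): N must be a power of two.
# Memory use is roughly 128 * N * r bytes, so 2**14 * 8 * 128 = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$digest' string with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DKLEN, maxmem=SCRYPT_MAXMEM)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN, maxmem=SCRYPT_MAXMEM)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into a 5-char prefix and the remainder."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:]


# Constructed stand-in for a breach-corpus range lookup. It has the same shape as a
# k-anonymity range API: the caller sends only the 5-character prefix and receives
# every suffix under it, so the full hash of the password never leaves the client.
_BREACH_CORPUS = {}


def _seed_corpus(leaked_passwords):
    for pw in leaked_passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        _BREACH_CORPUS.setdefault(prefix, set()).add(suffix)


_seed_corpus(["password", "123456", "qwerty", "letmein"])  # constructed sample data


def range_lookup(prefix: str) -> set:
    """All known-breached suffixes sharing this prefix (empty set if none)."""
    return _BREACH_CORPUS.get(prefix, set())


def is_compromised(password: str) -> bool:
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in range_lookup(prefix)


# Hash verified when the username is unknown, so a missing user costs the same
# scrypt work as a wrong password and timing does not reveal valid usernames.
_DUMMY_HASH = hash_password("dummy-password-for-unknown-users")


def attempt_login(users: dict, username: str, password: str) -> str:
    """Return 'denied', 'reset_required' (valid but breached password) or 'ok'."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)
        return "denied"
    if not verify_password(password, stored):
        return "denied"
    if is_compromised(password):
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("letmein")}
    print(attempt_login(users, "alice", "correct horse battery staple"))  # ok
    print(attempt_login(users, "bob", "letmein"))                          # reset_required
    print(attempt_login(users, "carol", "anything"))                       # denied
```

Note that the breach check runs only after the password has been verified, so the SHA-1 prefix lookup never acts as an oracle for guessing; and because `hash_password` draws a new salt each call, two users with the same password get different stored strings.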
According to a statement by President Biden, businesses in the private sector should “deploy modern security tools…to continuously look for and mitigate threats.” PerimeterX Bot Defender uses a combination of machine learning, behavioral analysis and predictive methods to detect and mitigate bots with unparalleled accuracy. The solution reduces the risk of data breaches, improves operational efficiency and safeguards your revenue and reputation. Contact us to learn more.