account takeovers : Attempted account takeovers grew by 282 percent over the last year, while ATO rates for physical eCommerce businesses — those that sell physical goods online — have jumped 378 percent since the start of the COVID-19 pandemic
The Q3 2020 Digital Trust and Safety Index released today by Sift finds that between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm security.
Attacks are carried out using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing. Hackers gain access to user accounts on a business’s website and then make purchases on that site using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
See also: Scams, phishing and malware : 60% of emails in May and June were
But while consumers may be the immediate victim of these attacks, businesses ultimately face the real costs, in addition to reimbursing hacked customers, businesses face chargeback fees and payment network fines when ATO leads to payment fraud.
Of those respondents who have experienced an ATO, 41 percent report that payment details were stolen and used to make purchases, and 37 percent have had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
It’s eCommerce sites that are the most popular targets for ATO attacks (61 percent) followed by Social media sites (36 percent), financial services sites (35 percent), online dating sites (22 percent) and travel sites (19 percent).
“Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic. Unfortunately, fraudsters have too,” says Jason Tan, CEO of Sift. “The surge in account takeover attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust and Safety strategy, which allows for seamless transactions while preventing fraud.”
The full report is available from the Sift site.
