ATOs Took Over the 2021 Holiday Season, and They’re Likely Here to Stay
ATO attacks spiked over the holidays – is your business protected against this growing threat?
Now that we’ve reached the sobering post-holiday time of year, it’s clear that while the season is a great time to spend time with, and money on, your loved ones, it is also a great time for fraudsters to run their most damaging scams.
Starting in October, Riskified observed a huge increase in the volume of account takeover (ATO) attempts by bots. The goal of these credential-stuffing attacks, which replay username and password pairs leaked from other sites against a store’s login page, is not necessarily to commit fraud directly: it is to find out which credentials still work, so that the validated pairs can be sold to the human fraudsters who then commit the fraud by hand. Indeed, we saw a corresponding spike in the volume of human-attempted ATOs over the peak shopping season.
Why the spike?
Merchants tend to be especially vulnerable to ATO attacks during the holiday season for one overarching, if a bit obvious, reason: the holidays are busy. Fraudsters find it easier to be a “needle in the haystack” during activity spikes, while merchants find it more challenging to manage their fraud prevention measures. Fraudsters hope this gives them the opportunity to slip under the radar before investigation teams can catch up.
This year, fraudsters not only had the opportunity to commit ATOs, they also had an added incentive: global supply chain issues, and the resulting inventory shortages, led many merchants to limit and ration their merchandise so that it stayed available to their most loyal customers. By taking over existing accounts, fraudsters could bypass such policies and get at those limited goods. ATOs are also becoming simpler for even entry-level fraudsters to execute: they no longer need to access the dark web to obtain stores’ account credentials, but can easily find them on the open web and on Telegram.
The fallout
Once an account is compromised, fraudulent orders can be placed more easily, credentials, personal information, and stored payment methods can be exposed, and valuable loyalty points can be transferred out. The damage in terms of fraud costs, customer trust, and brand reputation is significant, even more so during the holiday season.
Calls to your customer service center
For many of our merchants, we’ve observed roughly one complaint ticket for every approved ATO order. Complaint tickets cost money. Customer success and operations teams whose time could be spent on other things during the busiest time of year instead must scramble to deal with tickets, and many merchants even have to bring in temporary employees to handle complaint surges.
Case investigation resources
Operations and fraud teams conducting manual investigations of ATO attacks and incidents are likely to be completely overwhelmed by volume: even if the ATO rate stays constant as a share of total logins and orders, the absolute number of cases grows with the holiday surge. Backlogged investigation teams might not uncover ATO activity at their store until weeks or months after the incident occurred.
Lost Customer Lifetime Value
Customers who become victims of ATO are likely to stop shopping at your store. Our research indicates that churn rates among victims are between 10% and 25%, which sets back customer acquisition goals, hurts revenue, and adds an extra load to your eCommerce, payments, and finance teams. The intensity throughout the holidays is extremely high and the churn might not be visible for several months, by which point you will already have lost many good customers.
Data theft and fines
Large-scale ATO attacks create avenues for scraping customers’ data and committing further fraud with it. This can constitute grounds for serious fines: more and more regulations are being passed that hold merchants accountable for data breaches, and that onus usually lands on security and IT teams.
Tips for tackling the fallout on your own
If you were hit by ATOs over the holidays, here are some tips to implement ASAP to deal with the coming fallout.
1. To make dealing with tickets as efficient as possible, make sure your customer success teams are asking the right questions and checking the right data points when engaging with customers. Your agents should have data about the login event and the order (if there was one) at their fingertips. The goal is for them to quickly verify whether they are speaking to a customer whose account was compromised, or to a “liar buyer” who placed the order themselves and is now disputing it.
The most important data point to look at: how different was the login in question from the account owner’s usual behavior? If a customer has only ever logged in from Michigan, and you see a recent login to their account from Australia, their story checks out and you may be inclined to honor their claim. Compare the device, network, and time of day as well as the location, since one signal alone (a customer on a VPN, for instance) can mislead; conversely, a disputed order placed from the customer’s usual device and location, with nothing out of the ordinary, is the pattern that points to a liar buyer.
2. Proactively reach out to the owners of compromised accounts. Even if accounts were compromised on your watch over the holidays, reaching out proactively may preempt both customer complaint volume and brand damage. Hearing from the company immediately after an ATO, perhaps even before the customer has realized what has happened, can also restore customers’ trust and keep them loyal. As they say: communication is key.
3. Automate ATO prevention. Automating your ATO prevention removes the cost of manual reviews while improving accuracy. Automated, machine learning-based solutions detect complex patterns that humans miss. You can also expect a faster decision on each account verification and even on each login: we’re talking milliseconds.
Managing the scores, rules, and workflows that go into protecting your customer accounts against ATOs takes extensive labor and resources, and isn’t necessarily effective even under the best of circumstances. Even if you are able to tackle the job, how are you deciding on your risk thresholds? For example, is a new device type always risky enough to challenge the login? It’s a near-impossible task for manual teams to stay on top of changing fraud patterns.
The ATO problem is compounded when login patterns change under holiday volume surges. Merchants who use rules or scores for logins (e.g. challenge anything over a risk score of 80) calibrated those thresholds on ordinary traffic; when holiday traffic brings many more legitimate logins from new devices, new locations, and unfamiliar networks, the same threshold suddenly challenges far more good customers. Teams then loosen the rules to cut the friction and start missing real ATOs, while merchants who turn the rules off entirely because of the false positives are, of course, left completely vulnerable.
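The two technical points in tips 1 and 3 above, as an added example that is not Riskified’s code or scoring model: first, scoring how far a disputed login deviates from the account’s own history (country, device, network) so an agent can check the customer’s story, including the edge case of a brand-new account with no baseline; second, why a fixed “challenge at 80” threshold changes meaning when the login population shifts, and what re-anchoring the threshold to a challenge budget looks like. The rule weights, the base rates for “normal” and “holiday” traffic, the `asn` field name and the login history are all assumptions constructed for the illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from itertools import product

# Rule weights are an assumption chosen for illustration, not a calibrated model.
WEIGHTS = {"new_country": 50, "new_device": 30, "new_asn": 20}


@dataclass
class Login:
    account: str
    country: str
    device: str  # e.g. "iphone", "windows-chrome"
    asn: str     # network of the client IP; hypothetical field name


@dataclass
class AccountProfile:
    """Value counts per attribute over an account's past logins."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    asns: Counter = field(default_factory=Counter)

    def observe(self, login: Login) -> None:
        self.countries[login.country] += 1
        self.devices[login.device] += 1
        self.asns[login.asn] += 1


def build_profiles(history: list[Login]) -> dict[str, AccountProfile]:
    profiles: dict[str, AccountProfile] = {}
    for login in history:
        profiles.setdefault(login.account, AccountProfile()).observe(login)
    return profiles


def deviation(profile: AccountProfile, login: Login) -> dict:
    """Per-attribute 'never seen on this account before' flags plus a 0-100 score.
    A brand-new account has no baseline, so nothing is flagged for it."""
    flags = {
        "new_country": bool(profile.countries) and login.country not in profile.countries,
        "new_device": bool(profile.devices) and login.device not in profile.devices,
        "new_asn": bool(profile.asns) and login.asn not in profile.asns,
    }
    score = min(100, sum(w for k, w in WEIGHTS.items() if flags[k]))
    return {**flags, "score": score, "usual_countries": sorted(profile.countries)}


# Constructed history: alice has only ever logged in from the US on two devices;
# bob regularly logs in from both the US and Germany.
HISTORY = [
    Login("alice", "US", "iphone", "AS7922"),
    Login("alice", "US", "iphone", "AS7922"),
    Login("alice", "US", "windows-chrome", "AS7922"),
    Login("bob", "US", "android", "AS7018"),
    Login("bob", "DE", "android", "AS3320"),
]
PROFILES = build_profiles(HISTORY)


def verify_claim(login: Login) -> dict:
    """What an agent sees when a customer disputes this login."""
    return deviation(PROFILES.get(login.account, AccountProfile()), login)


def score_distribution(p_new_country: float, p_new_device: float, p_new_asn: float) -> Counter:
    """Exact probability of each score across a legitimate login population in
    which the three novelty events occur independently at the given base rates."""
    rates = {"new_country": p_new_country, "new_device": p_new_device, "new_asn": p_new_asn}
    dist: Counter = Counter()
    for flags in product([False, True], repeat=3):
        prob, score = 1.0, 0
        for (key, p), on in zip(rates.items(), flags):
            prob *= p if on else 1 - p
            score += WEIGHTS[key] if on else 0
        dist[min(100, score)] += prob
    return dist


def challenge_rate(dist: Counter, threshold: int) -> float:
    """Share of logins challenged by the rule 'challenge if score >= threshold'."""
    return sum(p for s, p in dist.items() if s >= threshold)


def threshold_for_rate(dist: Counter, target_rate: float) -> int:
    """Lowest threshold whose challenge rate stays within target_rate: the same
    rule re-anchored to a challenge budget instead of a fixed number."""
    for t in sorted(dist):
        if challenge_rate(dist, t) <= target_rate:
            return t
    return 101  # no threshold meets the budget


# Assumed base rates: ordinary traffic vs. holiday traffic with more travel,
# new (gifted or borrowed) devices and shopping from unfamiliar networks.
NORMAL = score_distribution(0.02, 0.10, 0.15)
HOLIDAY = score_distribution(0.08, 0.30, 0.30)

if __name__ == "__main__":
    print(verify_claim(Login("alice", "AU", "android", "AS1221")))
    print(verify_claim(Login("bob", "DE", "android", "AS3320")))
    for name, dist in (("normal", NORMAL), ("holiday", HOLIDAY)):
        print(name, "fixed >=80 challenges", f"{challenge_rate(dist, 80):.1%}",
              "| 1% budget threshold", threshold_for_rate(dist, 0.01))
```

With these assumed rates the fixed rule “challenge at 80 or above” touches 0.2% of ordinary logins but 2.4% of holiday logins, a twelvefold jump in challenges with no change in fraud; holding the challenge budget at 1% instead moves the threshold from 70 to 100. A real deployment would derive the per-account baseline and the population rates from logs rather than constants, and would treat the score as one input to a decision, not the decision itself.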
How we can help
Riskified’s Account Secure protects accounts in real time with a completely automated solution that is effective against both humans and bots. While most account safety solutions only provide risk scores or workflows that you build yourself, we own the entire flow and manage the risk thresholds on your behalf. Alongside protecting your accounts from ATO attacks, Riskified helps with account remediation.
Find out how Riskified can help you prevent ATO attacks and protect customers’ accounts, so you can focus on growing your business in the new year. Learn more about our product here.