Dealing with an account takeover is not a great experience for anyone. Your customers are upset because their accounts are no longer in their control. When your customers are compromised, your fraud and customer support departments are taxed with verifying identities and rooting out fraudulent orders. You need to know how fraudsters take over accounts, the most effective way to stop them, and the best practices for restoring a taken-over account.
How Fraudsters Take Over Accounts
According to a 2013 Javelin Study, account takeovers accounted for 28 percent of all identity fraud losses. From 2012 to 2013, account takeovers involving utility and mobile phone accounts nearly tripled. With this stolen information, fraudsters quickly processed orders on sites like eBay, PayPal, and Amazon.
The first step a fraudster takes in an account takeover is to acquire a customer’s personal identification information. Some common ways that fraudsters steal account and personal information include:
- Purchasing credentials via dark web sites
- Searching social media or publicly available databases
- Conducting a phishing scam through email or messaging services
- Installing keyloggers via malware to capture everything the victim types
- Using a brute-force password-cracking tool
Once the fraudster acquires enough personal information, such as billing address, credit card number, or social security number, they will try to access the account and change the contact information. By changing the contact information, the fraudster locks the real customer out of the account. Depending on the business, this window lets them place fraudulent orders, create new accounts, and cause general havoc.
How to Prevent an Account Takeover
As other security holes are closed, account takeovers are expected to rise. You should start implementing a solid account takeover prevention and security plan. Here are some basic best practices:
- Offer Education and Training: Provide your customers and fraud department with the knowledge of how account takeovers happen. Even linking customers to an article about how account takeovers happen and why secure passwords are important will both educate them and cut down on support questions.
- Require Strong Passwords and Offer Two-Step Authentication: Requiring strong passwords, and rejecting the most commonly used ones, will reduce your business’s susceptibility to brute-force attacks. On top of passwords, give your customers the option to use two-step authentication for added security. If you offer two-step authentication, give your customer service team detailed documentation on how to securely help legitimate customers who get locked out.
- Leverage Complementary Risk Assessment Layers: When building your risk engine, keep account takeovers in mind. Make sure to use complementary solutions, not overlapping ones. By following the Swiss Cheese Model best practices you can build a risk engine that stops fraudsters, even if they have legitimate customer data.
What To Do if a Customer’s Account Is Taken Over
If you detect an account takeover or receive a support request from an affected customer, you need a quick response to minimize the damage. Here are a few universal best practices:
- Lock Down the Account: When an account is in limbo, making sure the fraudster cannot make additional purchases is the top priority. Blocking purchases on the account saves the fraud department time and leaves fewer fraudulent purchases to reverse.
- Check for Contact Information Changes: Fraudsters will quickly change contact information to lock legitimate users out of their accounts. When handling an account takeover, check whether contact information has been changed and give customers options for verifying their identity.
- Have a Written Policy for Account Takeovers: Customer support representatives and fraud departments need an accessible set of guidelines that lets them make decisions quickly. This will be different for every company, but having standards for verifying identities and reversing fraudulent orders will empower the entire fraud department to make the best decision.
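To make the complementary risk layers from the prevention section and the contact-change and lock-down steps above concrete, here is an added example (not Emailage's code or any product's) that scores a constructed stream of account events with three independent checks and decides whether to block purchases pending verification. The event schema, layer weights and lock threshold are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:                       # constructed account-event schema (an assumption)
    ts: datetime
    kind: str                      # "login", "contact_change", "password_reset", "order"
    details: dict = field(default_factory=dict)
def _of(events, kind):
    return [e for e in events if e.kind == kind]
# Layer 1: an order placed within `window` of an email/phone/address change.
def order_after_contact_change(events, window=timedelta(hours=24)):
    changes = _of(events, "contact_change")
    return any(timedelta(0) <= o.ts - c.ts <= window
               for o in _of(events, "order") for c in changes)
# Layer 2: a password reset that followed a login from an unrecognised device.
def reset_after_new_device_login(events):
    new_logins = [e for e in _of(events, "login") if e.details.get("new_device")]
    return any(r.ts > l.ts for r in _of(events, "password_reset") for l in new_logins)
# Layer 3: an order shipping somewhere other than the address on file.
def ship_to_unknown_address(events, address_on_file):
    return any(o.details.get("ship_to") not in (None, address_on_file)
               for o in _of(events, "order"))

# Complementary layers with weights: each can miss on its own; together they catch.
LAYERS = [
    ("order_after_contact_change", 50, lambda ev, a: order_after_contact_change(ev)),
    ("reset_after_new_device_login", 40, lambda ev, a: reset_after_new_device_login(ev)),
    ("ship_to_unknown_address", 30, lambda ev, a: ship_to_unknown_address(ev, a["address"])),
]

def assess(events, account, lock_threshold=60):
    """Score an account; at or above the threshold, block purchases pending verification."""
    events = sorted(events, key=lambda e: e.ts)
    triggered = [name for name, _, check in LAYERS if check(events, account)]
    score = sum(w for name, w, _ in LAYERS if name in triggered)
    return {"score": score, "triggered": triggered, "lock_purchases": score >= lock_threshold}

# Constructed sample data: a typical takeover sequence and a benign one.
T0 = datetime(2024, 1, 15, 9, 0)
ACCOUNT = {"address": "12 Example St"}
SUSPICIOUS = [
    Event(T0, "login", {"new_device": True}),
    Event(T0 + timedelta(minutes=2), "password_reset"),
    Event(T0 + timedelta(minutes=5), "contact_change", {"field": "email"}),
    Event(T0 + timedelta(minutes=20), "order", {"ship_to": "99 Somewhere Else"}),
]
BENIGN = [
    Event(T0, "login", {"new_device": False}),
    Event(T0 + timedelta(minutes=3), "order", {"ship_to": "12 Example St"}),
]
```

Running `assess(SUSPICIOUS, ACCOUNT)` trips all three layers and locks purchases, while `assess(BENIGN, ACCOUNT)` trips none; in practice the locked account is routed to the support team's written verification procedure rather than auto-cleared.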
Stopping account takeovers is an eternal quest, but by preparing your fraud prevention and support teams you can save yourself a lot of headaches. Use these best practices to limit account takeovers and provide a quick response for your customers.
Account takeovers are a growing threat and organizations need the best tools to identify and stop them. Visit the Emailage solution page and learn how the solution accurately identifies risk with just an email address.