How did a food marketplace reduce account takeovers by 95%?

Hackers are hungry for food accounts. So how did one food marketplace reduce account takeovers by 95%? Could your business see similar results?

Key takeaways:

  • Account takeover cases dropped 75% with custom rules

  • Cases dropped 95% with a bespoke machine learning model

  • “They don’t have to worry about this type of fraud anymore” - Project Lead

Hackers are hungry for food accounts

“My account has been hacked!” “I’ve been charged for food I didn’t order!”

A popular food marketplace was getting hundreds of these customer complaints every day. Why? They were a hot target of account takeover attacks.

Account takeover attacks on food accounts are a growing problem. On the dark web, food account mentions have increased 230% since 2019, and login details are easy to buy at $1.50 - $10 each.

So how did this food marketplace eliminate their account takeover problem? What steps did they take to reduce cases by over 95%?

What was the account takeover problem?

Account takeover happens when a fraudster gets access to a genuine customer’s account and uses it to make money. Fraudsters can use your customers’ food delivery accounts to:

  • Order food to resell (or eat themselves)

  • Sell on accounts or personal info

  • Get refunds on recent orders

  • Use & abuse voucher discounts

  • Commit card payment fraud

Attacks cause revenue loss, brand damage, and stress for your customers and fraud teams. So what was the business impact on this food marketplace?

Dissatisfied customers meant refund costs piled on

Account takeovers are stressful for your customers and teams. The merchant’s customer services were feeling the pressure after handling a stream of frustrated customers. The business faced mounting costs of more refunds, and it was likely victims wouldn’t trust their brand again.

Bad press and reputation damage caused concern

When it comes to account takeover, there is such a thing as bad publicity. Reports of data breaches and security issues hit headlines. And since 81% of customers stop engaging with brands following a data breach, it often inhibits your sales and business growth.

There’s no one-size-fits-all approach to account takeover

What team is responsible for managing account takeover? The task sits outside of the fraud team in 40% of businesses, so there’s no one-size-fits-all.

Customer support, legal, fraud and security teams were all involved, and had different takes on how to solve the problem. This meant a lot of coordination was needed across teams.

Why was their account takeover problem so bad?

Food marketplaces are an easy target

If your online platform is easy for customers to use, it’s often easy for fraudsters to take over. If a bad actor knows they’ll get away with it, your business will quickly become a favourite target.

“Account takeovers can be incredibly lucrative for attackers because they can launch relatively low effort attacks to target services at scale” - Katrina Scott, Senior Product Manager at Ravelin.

Firewalls aren't enough

Firewalls are a critical layer to protect your business from bad actors - particularly bots. But attacks still get through if a fraudster mimics legitimate traffic. They can change their IPs or reduce the rate of login attempts to sneak under the radar.

This food marketplace had a firewall and basic rules, but fraudsters found a way around them. There were gaps in their defences they needed to fill.
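The gap described above, as an added example (not Ravelin's or the merchant's rules): a per-IP failure threshold run next to a site-wide count of distinct accounts with failed logins, over constructed login events in which the source IP changes every two attempts. The event layout, IP ranges, windows and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

def build_events():
    """Constructed sample: (epoch_seconds, source_ip, account, login_succeeded)."""
    events = []
    # Genuine customers: one IP each, one login in five is a mistyped password.
    for i in range(20):
        events.append((i * 30, f"198.51.100.{i}", f"user{i}", i % 5 != 0))
    # Credential-stuffing run: one attempt every 15 s, a new IP every two attempts.
    for n in range(40):
        events.append((n * 15, f"203.0.113.{n // 2}", f"victim{n}", n == 37))
    return sorted(events)

def per_ip_rule(events, window=60, max_failures=5):
    """Firewall-style rule: flag an IP with too many failures inside one window."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, _account, ok in events:
        if ok:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) > max_failures:
            flagged.add(ip)
    return flagged

def site_wide_rule(events, window=300, max_failed_accounts=15):
    """Alert when failures touch many distinct accounts, whatever the source IP."""
    recent, alerts = [], []
    for ts, _ip, account, ok in events:
        if ok:
            continue
        recent = [(t, a) for t, a in recent if ts - t < window] + [(ts, account)]
        if len({a for _, a in recent}) > max_failed_accounts:
            alerts.append(ts)
    return alerts

if __name__ == "__main__":
    events = build_events()
    print("IPs flagged by per-IP rule:", per_ip_rule(events))
    print("First site-wide alert at t =", site_wide_rule(events)[0], "s")
```

The per-IP rule never fires because no single address exceeds its limit, while the account-centric count crosses its threshold partway through the run; genuine customers' occasional mistyped passwords stay well below it.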

The marketplace’s goal was to stop account takeovers

Ravelin and the merchant’s fraud team joined together to talk about their goals and possible solutions. Together we had to find a way to stop account takeovers, but it wasn’t a ‘do whatever it takes’ situation. We also had to make sure we weren’t blocking good customers. If a customer orders food to a new delivery address, it might seem risky but it could just be that they are hungry at a friend’s house! It’s important to fully understand what risky behavior looks like in your customer base.

The stakes were high. If you mess up the logins and create added friction for good customers, it could mean stopping valuable sales.

Custom rules had immediate impact & cases dropped 75%

They had to immediately relieve the pressure. Based on analysing the customer data, we quickly created and pushed live some custom rules to block less sophisticated hackers.

The result? Account takeover cases dropped 75%.

It was a great first step, but we knew it had limitations. Rules are a strong layer of defence, but over time fraudsters can side-step them. If you want a lasting and proactive approach to stopping account takeover, machine learning is the way to go.

Training a machine learning model dropped cases by 95%

Machine learning models are great for managing account takeover as they’re trained to understand specific fraud signals in your customer base. This bespoke approach increases the accuracy of predictions, and gets better over time (it gains knowledge like a human brain!)

But you need a certain number of labels to train a model, which requires data and processes the merchant didn’t yet have. So we worked together over a series of meetings, gathered the right information and got the model live.

Compared to rates before integrating the model, account takeover cases dropped by 95%!

Result: account takeover is no longer a threat

Ravelin’s Katrina Scott reflects: “I am thrilled with what this merchant achieved. It was a great collaboration. Working as a team, their account takeover attacks went down to a very low level! They now have fantastic processes & tools in place, and don’t have to worry about this type of fraud anymore.”

If this account takeover problem looks familiar and your business could benefit from a solution, chat with the team now.