
How to raise awareness and get buy-in for an account takeover solution in ecommerce

How can you get senior leadership to pay attention to the risk of account takeover? Here are our recommendations.


Account takeover (ATO) happens when fraudsters target the accounts of genuine customers. Often, they'll use stolen credentials to place fraudulent orders or refund claims, or pose as the genuine customer to conduct any number of other fraudulent schemes.

ATO continues to grow

In 2025, CIFAS reported a year-on-year 76% rise in account takeovers while, in the US, phishing and related techniques that can lead to ATO are the top type of complaint received by the FBI's IC3.

With more customers storing sensitive personal information as well as payment cards in their online accounts, including ecommerce accounts, there is more at stake today than before when it comes to account takeovers.

Despite the alarming rise in costs, merchants’ response has been slower. An account takeover looks very different from typical card-not-present fraud.

A single incident can affect hundreds of different genuine customer accounts at the same time. By the time the Payments team notices a chargeback relating to an account takeover, often the damage has already been done across multiple other accounts. Many businesses struggle to react quickly if they don’t have specific protection in place for this style of attack.

The challenge of buy-in

It's obvious enough that losing a bank account to takeover would be catastrophic, but what about ecommerce? We often hear from merchants who say it’s a challenge to get business leaders to recognize the risk of account takeover and allocate budget to the problem.

Aside from the C-suite, account takeover affects many different teams - it impacts Fraud and Payments but also the Risk, Product and Marketing departments.

Defining the right way to deal with account takeover is complicated by the goals and priorities of each. For example, the Marketing department may prioritize ease of ordering over repeating authentication checks when a customer logs in using a new device.

So, how can you get various departments involved - and your leadership team - to pay attention to the risk of account takeover? Here are our recommendations.

1. Make sure everyone understands the cost of account takeover

Protection against typical online card fraud has advanced, and so fraudsters are switching to new, sophisticated tactics. Use statistics to highlight the dangerously mounting risk - attacks tripled between 2016 and 2017, and mobile account takeover attacks increased again in 2018.

Because fraudsters use genuine customer accounts with existing history, account takeover can be harder to detect than typical payment fraud, and can have a much higher impact on a business and its customers. Costs in the US were estimated at an eye-watering $5.1 billion in 2017. But it’s important to remember the cost of account takeover is not limited to chargebacks - they are just the tip of the iceberg. Under GDPR and other privacy laws, fines relating to customer data can be in the millions.

In today’s world of seemingly endless data breaches, 90% of companies say business security is a competitive differentiator and can help win new customers.

When multiple customers are the victims of an account takeover, they often believe the merchant is insecure, regardless of whether the merchant was the source of the data breach or not. News of a hack spreads fast on social media, and this reputational damage can cause you to lose new/repeat business and lead to customers closing their accounts entirely.

2. Investigate the real impact of account takeover on your business

Talking about general statistics will only go so far - to get buy-in you need to relate to your own business. Look into instances of account takeover in your business.

Find specific cases of customers complaining on social media about their accounts being impacted, investigate how this affected a real customer, and listen to calls or read email complaints. Look into how long it took to resolve the issue across different teams and how the time impacted your response.


3. Unite all the departments involved in a taskforce

Account takeover is not only one team’s problem - it impacts Marketing, Product, Risk and Sales/Customer Service. Any solution will need to be approved and agreed on by various departments. Collaboration is key - create a taskforce to discuss possible solutions that work for your business. Make sure everyone understands why the issue is so important by using the examples and statistics above.

4. Understand different teams' priorities and talk about what matters to them

As well as including different departments in the conversation, you also need to speak in their language. Speak about the aspects of account takeover that matter to them.

  • The Marketing and Product teams want to make it easy for customers to sign up and make orders - but equally, they understand it’s much easier to get an order from an existing customer than from a new customer. Marketing also understands the lifetime value of each of your customers.
  • Executive Boards and Communications teams consider business reputation critical and want to avoid bad press related to an account takeover.
  • If you’re working in Europe or anywhere with privacy laws, Risk and Compliance teams will want to protect your business from fines and scrutiny as a result of having to disclose data breaches and account takeover attempts.

Linking the risks of account takeover back to the goals of each department will help you get teams engaged to find a solution.

We hope you find these tips useful when opening the discussion on account takeover.

Learn more about Ravelin's account takeover prevention solution.
