Account takeover happens when fraudsters target genuine customer accounts and use stolen credentials to place fraudulent orders, rather than simply targeting stolen cards. It’s a growing problem, with the cost of account takeover rising by 120% from 2016 to 2017.
Despite the alarming rise in costs, merchants’ response has been slower. An account takeover looks very different from typical card-not-present fraud. A single attack affects hundreds of different genuine customer accounts at the same time. By the time the Payments team notices a chargeback relating to an account takeover, often the damage has already been done across multiple other accounts. Many businesses struggle to react quickly if they don’t have specific protection in place for this style of attack.
We often hear from merchants who say it’s a challenge to get business leaders to recognize the risk of account takeover and allocate budget to the problem. Aside from the C-suite, account takeover affects many different teams - it impacts Fraud and Payments but also Risk, Product and Marketing departments. Defining the right way to deal with account takeover is complicated by the goals and priorities of each; for example, the Marketing department may prioritize ease of ordering over repeating authentication checks when a customer logs in using a new device.
So, how can you get various departments involved - and your leadership team - to pay attention to the risk of account takeover? Here are our recommendations.
Make sure everyone understands the cost of account takeover
Protection against typical online card fraud has advanced, and so fraudsters are switching to new, sophisticated tactics. Use statistics to highlight the dangerously mounting risk - attacks tripled between 2016 and 2017, and mobile account takeover attacks increased again in 2018.
Because fraudsters use genuine customer accounts with existing history, account takeover can be harder to detect than typical payment fraud, and can have a much higher impact on a business and its customers. Costs in the US were estimated at an eye-watering $5.1 billion in 2017. But it’s important to remember the cost of account takeover is not limited to chargebacks - they are just the tip of the iceberg. Under GDPR and other privacy laws, fines relating to customer data can be in the millions.
In today’s world of seemingly endless data breaches, 90% of companies say business security is a competitive differentiator and can help win new customers. When multiple customers are the victim of an account takeover, customers often believe the merchant is insecure, regardless of whether the merchant was the source of the data breach or not. News of a hack spreads fast on social media, and this reputational damage can cause you to lose new/repeat business and lead to customers closing their accounts entirely.
Investigate the real impact of account takeover on your business
Talking about general statistics will only go so far - to get buy-in you need to relate the problem to your own business. Look into instances of account takeover in your business. Find specific complaints on social media from customers whose accounts were impacted, investigate how this affected a real customer, and listen to calls or read email complaints. Look into how long it took to resolve the issue across different teams and how that time impacted your response.
Unite all the departments involved in a taskforce
Account takeover is not just one team’s problem - it impacts Marketing, Product, Risk and Sales/Customer Service. Any solution will need to be approved and agreed on by several departments. Collaboration is key - create a taskforce to discuss possible solutions that work for your business. Make sure everyone understands why the issue is so important by using the examples and statistics above.
Understand different departments’ priorities and talk about what matters to them
As well as including different departments in the conversation, you also need to speak in their language. Speak about the aspects of account takeover that matter to them.
Marketing and Product teams want to make it easy for customers to sign up and make orders - but equally, they understand it’s much easier to get an order from an existing customer than from a new customer. Marketing also understands the lifetime value of each of your customers. Executive Boards and Communications teams consider business reputation critical and want to avoid bad press related to an account takeover. If you’re working in Europe or anywhere with privacy laws, Risk teams will want to protect your business from fines and scrutiny as a result of having to disclose data breaches and account takeover attempts.
Linking the risks of account takeover back to the goals of each department will help you get teams engaged to find a solution.
We hope you find these tips useful when opening the discussion on account takeover. To learn more about how account takeover works, check out our insights page here.