Six fraud signals to spot account takeover

Account takeover (ATO) is a growing form of fraud where fraudsters target genuine customers accounts, instead of simply using stolen cards.

A fraudster uses stolen customer credentials to log in and pose as a genuine, existing customer and place orders. As well as the cost of the goods lost, an account takeover incident can put a huge dent in customer loyalty and business reputation.

What makes account takeover successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud – making it more difficult for systems to spot abnormal behavior and prevent the attack.

So how can you stay on top of the account takeover threat?

Link analysis using graph networks is a good starting point, as part of a robust fraud detection solution. Here are six fraud signals to look out for to protect your customer accounts and prevent losses.

#1: Multiple accounts suddenly changing to have shared details

Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details – often, only one field needs to change.

In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number – likely owned by a fraudster.

#2: New account details, new device and new delivery address

When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:

1. The customer has updated a customer detail (telephone, email, name).
2. The customer has had a login from a new device within a 24hour period of that change.
3. After both 1 and 2, the customer has placed an order with a new delivery location.

#3: IP addresses in multiple countries

A high number of country IP addresses is a good indicator of account takeover. When a fraudster is doing mass logins in order to check if they can access accounts, they don’t know the location of each customer, so they can’t check they are using the right IP address every time.

Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!

#4: Lots of customer detail changes happening at once

We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.

This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.

#5: Ratio of known/unknown device models

Fraudsters often use software to try and hide what device they’re using with device spoofing, emulators, and so on. Sometimes this means that their devices come up with "unknown" as the model. Victim accounts are usually connected to more "unknown" devices than genuine devices with a known model.

#6: Multiple accounts linked to the same device

Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device – the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.

If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible. If it’s a confirmed attack, the next step is to contain it - stay tuned for our recommendations on how to alert customers and manage the aftermath.

To stop account takeovers at scale, consider a sophisticated account protection solution such as Ravelin's.