Account takeover happens when fraudsters use genuine customer accounts - which is what makes it so difficult to detect. Here are six things to look for to spot an account takeover attack.
Account takeover is a growing form of fraud where fraudsters target genuine customers' accounts, instead of simply using stolen cards. A fraudster uses stolen customer credentials to log in, pose as a genuine, existing customer and place orders. As well as the cost of the goods lost, an account takeover incident can put a huge dent in customer loyalty and business reputation.
What makes account takeover successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud - making it more difficult for systems to spot abnormal behavior and prevent the attack.
So how can you stay on top of the growing threat? Here are six things to look out for to protect your customer accounts and prevent losses.
#1: Multiple accounts suddenly changing to have shared details
Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details - often only one field needs to change.
In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number - likely owned by a fraudster.
#2: New account details, new device and new delivery address
When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:
#3: Accounts with multiple IP address countries
A high number of IP address countries on one account is a good indicator of account takeover. When a fraudster is doing mass logins to check whether they can access accounts, they don’t know the location of each customer, so they can’t make sure they are using an IP address from the right country every time.
Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!
#4: Lots of customer detail changes happening at once
We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.
This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.
#5: Ratio of known/unknown device models
Fraudsters often use software to try and hide what device they’re using - called device spoofing. This means that their devices come up with ‘unknown’ as the model. Victim accounts are usually connected to more ‘unknown’ devices than genuine devices with a known model.
#6: Multiple accounts linked to the same device
Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device - the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.
If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible. If it’s a confirmed attack, the next step is to contain it - stay tuned for our recommendations on how to alert customers and manage the aftermath. Find out more about how to protect your customers from account takeover here.
To learn more about how account takeover works, check out our insights page here.
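One way to turn signs #1, #3, #5 and #6 into a check over login and profile-change events, flagging only accounts that show two or more signs. This is an added example, not Ravelin's code; the event fields, sample rows and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data), in chronological order.
# Field names and thresholds are assumptions made for this example.
EVENTS = [
    {"account": "a1", "device": "d1", "model": "iPhone 13", "ip_country": "GB", "phone": "+440001"},
    {"account": "a1", "device": "d9", "model": "unknown", "ip_country": "BR", "phone": "+449999"},
    {"account": "a1", "device": "d8", "model": "unknown", "ip_country": "VN", "phone": "+449999"},
    {"account": "a2", "device": "d2", "model": "Pixel 7", "ip_country": "GB", "phone": "+440002"},
    {"account": "a2", "device": "d9", "model": "unknown", "ip_country": "GB", "phone": "+449999"},
    {"account": "a3", "device": "d3", "model": "Galaxy S22", "ip_country": "FR", "phone": "+330003"},
    {"account": "a3", "device": "d9", "model": "unknown", "ip_country": "FR", "phone": "+449999"},
    {"account": "a4", "device": "d4", "model": "iPhone 12", "ip_country": "GB", "phone": "+440004"},
    {"account": "a4", "device": "d4", "model": "iPhone 12", "ip_country": "ES", "phone": "+440004"},
]

def ato_signals(events, max_countries=2, min_shared=3):
    """Return {account: set of signal names} for signs #1, #3, #5 and #6."""
    phone_accts, device_accts = defaultdict(set), defaultdict(set)
    countries, devices = defaultdict(set), defaultdict(dict)
    latest_phone = {}
    for e in events:
        acct = e["account"]
        latest_phone[acct] = e["phone"]            # last value seen wins
        device_accts[e["device"]].add(acct)
        countries[acct].add(e["ip_country"])
        devices[acct][e["device"]] = e["model"]
    for acct, phone in latest_phone.items():
        phone_accts[phone].add(acct)

    signals = defaultdict(set)
    for acct in latest_phone:
        if len(phone_accts[latest_phone[acct]]) >= min_shared:
            signals[acct].add("shared_phone")            # sign 1
        if len(countries[acct]) > max_countries:
            signals[acct].add("many_ip_countries")       # sign 3
        models = list(devices[acct].values())
        unknown = sum(m == "unknown" for m in models)
        if unknown > len(models) - unknown:              # more unknown than known
            signals[acct].add("mostly_unknown_devices")  # sign 5
        if any(len(device_accts[d]) >= min_shared for d in devices[acct]):
            signals[acct].add("shared_device")           # sign 6
    return dict(signals)

def accounts_to_investigate(events, min_signs=2):
    """Accounts showing two or more signs; one sign alone is not enough."""
    return sorted(a for a, s in ato_signals(events).items() if len(s) >= min_signs)
```

Requiring two signs keeps a device shared by a family or work team from flagging an account on its own, and account `a4` (two countries, one known device) is not flagged at all.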
Jessica Allen, Head of Content