Blog / Account takeover , Link analysis & graph databases , Fraud analytics

Six fraud signals to spot account takeover

Account takeover happens when fraudsters use genuine customer accounts - which is what makes it so difficult to detect. Here are six things to look for to spot an account takeover attack.

13 August 2019

Share this article:

Six fraud signals to spot account takeover

Account takeover (ATO) is a growing form of fraud where fraudsters target genuine customers accounts, instead of simply using stolen cards.

A fraudster uses stolen customer credentials to log in and pose as a genuine, existing customer and place orders. As well as the cost of the goods lost, an account takeover incident can put a huge dent in customer loyalty and business reputation.

What makes account takeover successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud – making it more difficult for systems to spot abnormal behavior and prevent the attack.

So how can you stay on top of the account takeover threat?

Link analysis using graph networks is a good starting point, as part of a robust fraud detection solution. Here are six fraud signals to look out for to protect your customer accounts and prevent losses.

#1: Multiple accounts suddenly changing to have shared details

Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details – often, only one field needs to change.

In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number – likely owned by a fraudster.

Blog image ATO shared phone

#2: New account details, new device and new delivery address

When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:

  1. The customer has updated a customer detail (telephone, email, name).
  2. The customer has had a login from a new device within a 24hour period of that change.
  3. After both 1 and 2, the customer has placed an order with a new delivery location.

#3: IP addresses in multiple countries

A high number of country IP addresses is a good indicator of account takeover. When a fraudster is doing mass logins in order to check if they can access accounts, they don’t know the location of each customer, so they can’t check they are using the right IP address every time.

Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!

Blog ATO global IP

#4: Lots of customer detail changes happening at once

We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.

This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.

#5: Ratio of known/unknown device models

Fraudsters often use software to try and hide what device they’re using with device spoofing, emulators, and so on. Sometimes this means that their devices come up with "unknown" as the model. Victim accounts are usually connected to more "unknown" devices than genuine devices with a known model.

#6: Multiple accounts linked to the same device

Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device – the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.

Blog image ATO shared device

If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible. If it’s a confirmed attack, the next step is to contain it - stay tuned for our recommendations on how to alert customers and manage the aftermath.

To stop account takeovers at scale, consider a sophisticated account protection solution such as Ravelin's.

Screen Shot 2019 08 13 at 16 12 52

Jessica Allen, Head of Content

Share this article:

Related content

Blog / Press release

RavCon 25 wrap-up: What we learned & #RavCon25 in numbers

Our takeaways from the day's seven insightful sessions on fraud, payments and data.

1669287463716 2023 12 07 164059 ybjd

Nikoleta Dimitriou, Senior Content Manager

Blog / Press release

RavCon 25: Photo highlights

Image gallery from #RavCon25.

Ravelin Symbol Blue 1

Ravelin Technology, Writer

Blog / Payment fraud

Global 3D Secure rates: Country data comparison

Which countries are performing better in terms of SCA and 3D Secure? Where are the highest and lowest authentication rates and frictionless rates? Who could do better in terms of authentication and who has set a shining example?

1669287463716 2023 12 07 164059 ybjd

Nikoleta Dimitriou, Senior Content Manager

Catherine Jones

Catherine Jones, Product Director

Don't miss a thing!
Stay up to date on fraud & payments

Subscribe to our newsletter to get the latest fraud & payments updates sent direct to your inbox.

Subscribe