Account takeover fraud, also known as ATO fraud, is a form of identity theft where fraudsters use your compromised credentials to log in to an online app or service as you. Imagine trying to get money out of an ATM, but your ATM card PIN no longer works. When you try to log in to your account using the bank’s app, you discover your password has been changed. You must now prove your identity to the bank, after which you learn your bank account has been completely drained by a fraudster.
Financial services, online retail, social media, video streaming and entertainment are among the most targeted industries for account takeover fraud. ATO fraud uses existing, legitimate accounts and their stored (or stolen) credit card information, loyalty points and other data. A fraudster gains access to the account, makes purchases, then uses or resells the merchandise, seeks refunds and/or sticks merchants with chargebacks.
Riskified's 2021 study found that ATOs are on the rise, with 43 percent of U.S. merchants saying ATO fraud accounted for over 10 percent of their chargebacks. Losses went beyond direct costs and included lost customer lifetime value (CLV), costs associated with customer service operations, and long-term damage to the brand's reputation.
Credential stuffing tools, password cracking tools, and phishing and social engineering schemes, combined with personally identifiable information (PII) available on the dark web, make account takeover attacks common. A 2020 study by the Digital Shadows Photon Research Team found 15 billion stolen credentials available on the dark web, including username-password pairs for online banking, social media accounts and music streaming services.
Online payment fraud will cost eCommerce merchants $25 billion annually by 2024.
Source: Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024, Juniper Research