Why Preventing ATO Should Top Retailers’ Holiday Checklists

November 29, 2018         By: Michael Reitblat

Experts predict that shoppers will spend 4.1% more this holiday season, giving retailers the opportunity to meaningfully boost revenue compared to 2017. However, fraudsters are also expected to capitalize on favorable sales forecasts by doubling down on scams that will steal these hard-won dollars away from merchants.

One of the most popular scams of 2018 has been account takeover, or ATO, when criminals hijack personal information to log in to an account and masquerade as a returning customer or create a brand new account using a stolen identity. According to Forter’s recent Holiday Fraud White Paper, ATO increased 31% in the past year alone, likely because more than 1/3 of consumers have had their personal data stolen in breaches during the last 12 months. As such, online criminals have access to more sensitive information than ever before. And, at the end of the day, merchants are often the ones stuck paying for this exploitation.

This holiday season, retailers must educate themselves about the increasing threat of ATO fraud and what types of payment methods are most vulnerable to attacks in order to better protect their businesses and consumers from becoming victims.


The Rise of ATO

The more complex the online payments world becomes, the more opportunities fraudsters have to exploit weaknesses in the system. With so much of our personal data now online, there are many new ways fraudsters can take advantage of us that were unthinkable just ten years ago. For instance, a recent NRF and Forrester study found that chip-based credit cards, which were originally developed to eliminate fraud, have actually amplified the problem because savvy fraudsters pivoted their focus from in-store to online theft, which doesn’t require physical cards to process transactions.

Meaning, if a fraudster gets their hands on credit card details, they can wreak havoc whether or not they have the physical card, making the theft harder to quickly detect. The most common methods used by online criminals to get access to personal data are data leaks and guessing login details. The latter often isn’t very difficult since consumers tend to reuse account information, such as passwords and answers to security questions, across platforms. Fraudsters can even use AI and bots to guess login details based on consumers’ other internet activity, which is why it’s wise to vary passwords and change them regularly. Once bad actors have access to an account, financial details like payment information that are pre-loaded and saved to the website are easy to steal.


The Most Vulnerable Payment Methods

Every payment method has its own strengths and weaknesses when it comes to fraud, but there are a number that retailers should be particularly aware of this holiday season when it comes to how shoppers are spending with them.


  • Digital Wallets: Digital wallets give consumers access to a broad range of payment options. However, they also give fraudsters a wide range of targets when it comes to theft. Many sites accept digital wallets, and they are all options for the fraudster to exploit. Digital wallets also often have billing information reflecting past purchases, allowing the fraudster to copy previous order types to increase their appearance of legitimacy. Sometimes payment data can also be extracted from the digital wallet, which the criminal can go on to then use elsewhere.
  • Gift Cards: Gift cards are among the top holiday gifts to give and receive, according to research from Deloitte. Because gift cards don’t have the security features that bank-branded cards do, they are essentially free money for criminals that can either get their hands on them or use automated tools to guess claim codes. In fact, Forter found that fraud attacks on digital goods like gift cards and videogames skyrocketed 167% in 2017. If a consumer attempts to make a purchase only to find that their gift card balance has been depleted, the retailer has no choice but to reimburse them or risk losing their business forever.
  • Loyalty Points: While loyalty programs have become a popular customer retention strategy among retailers, loyalty point abuse is also on the rise. Once a criminal has access to an account through ATO, they can easily steal and monetize a customer’s loyalty points. Some companies such as airlines even offer reward points that can be used to purchase items in different verticals. Most consumers regularly check their bank statements while rarely watching points accumulate on a merchant’s loyalty account, so this scam frequently goes undetected. But when it does, it can ruin customer relationships.


Preventing Fraud

These attack methods and others are even more of a concern during the holidays because the flood of orders is challenging for many businesses to handle, so fraudsters often slip through the cracks while retailers are preoccupied with keeping up with increased demand.

Merchants that review instances of suspected fraud by hand are at a disadvantage because they must spend money to hire and train new manual reviewers. Additionally, since shopping behaviors change during the holidays it is harder to rely on old patterns to distinguish between a good customer purchasing gifts for family and friends, and a fraudster. AI-driven fraud prevention systems that analyze thousands of data points in real-time to pick up on small inconsistencies that might be difficult for a human reviewer to catch, are much more effective. However, AI systems are only as smart as the information they are fed, so the best anti-fraud solutions use machine learning algorithms that are informed by continuous human research into the newest scams and vulnerabilities.

Between the rise in EMV cards and the enormous amount of personal data that has been leaked, it is no surprise that one of the most popular and fastest-growing fraud MOs is account takeover. Fraud is everywhere, but many merchants still rely on technology that can no longer keep up with this developing threat. To guard against attacks, retailers must accept responsibility and keep shoppers safe by staying aware of the fraud-related dangers both during checkout and throughout the entire consumer lifecycle.