Account Takeover and Alternative Payments: Understanding the Impact of the Fraud Economy

May 24, 2022 | By: Justin McDonald, Sr. Risk Management Consultant, The Fraud Practice


Does your organization have a 360° view of the many risks associated with account takeover attacks? From direct financial losses, to brand risks and the lost lifetime value (LTV) of customers, merely quantifying account takeover (ATO) risks is a challenge. Further, merchants must be concerned not only with ATO targeting their own user accounts, but also with fraudulent purchase attempts made through digital wallets, Buy Now Pay Later (BNPL) and other alternative payment accounts that have been taken over by illegitimate users.



Understanding Your Organization’s ATO Risk Exposure


The first step to managing risk is to understand it. Organizations should perform an ATO audit to understand their ATO risk exposure, and reevaluate these risks periodically. Much of an organization’s ATO risk exposure stems from what type of information is stored in, visible from or usable through a user’s account. Other considerations include how and when trusted accounts receive reduced fraud screening, as well as factors such as password policies, bot checks and other risk mitigation practices applied at the login event. Reviewing these policies and practices helps an organization understand how valuable its user accounts are in the hands of fraudsters, and therefore how likely they are to be targeted, and helps it gauge whether the current ATO mitigation strategy is adequate relative to its ATO risk exposure.



Direct ATO Risks


When merchants and other organizations review their account takeover exposure and risk mitigation efforts, there tends to be a focus on direct ATO attacks. This refers to bad actors taking over user accounts under the custodianship of the merchant or organization, which the fraudster could then leverage to scrape the user’s personally identifiable information (PII), make purchases from the account with its stored payment instruments, or carry out other schemes.


According to a consumer survey by Sift, 45% of ATO victims had money stolen from them directly, 42% had stored payment devices used to make unauthorized purchases and 26% lost loyalty or rewards points.


These direct ATO attacks tend to have the most immediate impact on the organization, and therefore receive the most attention in efforts focused on thwarting ATO. An unauthorized user accessing an account and its payment credentials to make purchases will lead to chargebacks, while forcing the legitimate user to reset their password to unfreeze their account creates friction at a minimum, and often resentment toward the merchant. The financial and brand risks are felt most directly with direct ATO attacks and, although more difficult to quantify, the losses associated with brand risks are also severe.


According to a survey from Sift, 74% of consumers will stop using their account if they suffer account takeover on a specific site or app.



Peripheral ATO Risks


Merchants are less like