How to Thwart Account Takeover Fraud in E-Commerce

Both the beauty and the downfall of the internet is the vast number of people who use it. Countless intelligent minds can contribute to a shared place of learning, documentation, entertainment, commerce and more. But any network that contains and facilitates so much sensitive data is bound to have side effects.

One big one is account takeover (ATO) fraud, which occurs when a cybercriminal gains access to a registered customer’s account on an e-commerce store. From 2016–2017, ATO fraud increased three-fold in the U.S. to cost an estimated $5.1 billion.

Account fraud is a lose-lose for everyone. Customers could incur financial loss. And if the fraud goes undetected for long enough, they’ll have difficulty regaining control of their PII, or personally identifiable information. For e-commerce brands, account takeover results in more order refunds and time involved to address the fraud. But even issuing a refund can’t offset all the reputation damage a brand will experience from an instance of account takeover fraud.

So, what can e-commerce stores do to thwart ATO? Let’s discuss some preventative measures below.

Offer Convenience without Compromising Security

Creating the ideal customer experience in e-commerce is a delicate balancing act these days. Shoppers want modern shopping convenience, but they want stringent security measures as well. So while allowing customers to store their payment methods offers a seamless checkout process, it also carries considerable risk. Accounts with stored payment data should have specific security protocols attached, particularly when user account details like password, device or address change.

Monitor Order Frequency

What e-commerce store wouldn’t love to see an uptick in customer orders? It could be a sign that a customer retention strategy is working, a reflection of price changes or perhaps an overhaul of fulfillment processes. However, if a customer who orders maybe a few times per year all of a sudden is placing multiple orders in the same month, you may want to put the order(s) on hold until you learn more about the situation. In the event of a false positive, the customer likely won’t mind that their order was placed on hold since it means you had their security top of mind.
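As an added illustration (not code from the original article), the Python sketch below holds an order when a customer's 30-day order count spikes against their own history, and asks for verification when a password, device or address change preceded the order. The thresholds, the 7-day change lookback, the `allow`/`verify`/`hold` outcomes and the sample data are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)           # "the same month" in the passage
CHANGE_LOOKBACK = timedelta(days=7)   # assumption: how long a profile change stays relevant
SENSITIVE_FIELDS = {"password", "device", "address"}

def baseline_rate(history, now):
    """Average orders per 30-day window, measured before the current window."""
    cutoff = now - WINDOW
    prior = [t for t in history if t < cutoff]
    if not prior:
        return None  # new account: no baseline to compare against
    span_days = max((cutoff - min(prior)).days, WINDOW.days)
    return len(prior) * WINDOW.days / span_days

def review_order(history, changes, now, spike_factor=3.0, min_recent=3):
    """Decide 'allow', 'verify' or 'hold' for an order placed at `now`.

    history: datetimes of earlier orders; changes: (datetime, field) tuples.
    """
    reasons = []
    recent = sum(1 for t in history if now - WINDOW <= t < now) + 1  # + this order
    base = baseline_rate(history, now)
    spike = base is not None and recent >= min_recent and recent > spike_factor * base
    if spike:
        reasons.append(f"{recent} orders in 30 days vs. baseline {base:.2f}")
    changed = sorted({f for t, f in changes
                      if f in SENSITIVE_FIELDS and now - CHANGE_LOOKBACK <= t <= now})
    if changed:
        reasons.append("recent change: " + ", ".join(changed))
    decision = "hold" if spike else "verify" if changed else "allow"
    return decision, reasons

# Constructed sample data: a customer who normally orders a few times per year.
NOW = datetime(2024, 3, 15)
OCCASIONAL = [datetime(2023, 2, 10), datetime(2023, 7, 5), datetime(2023, 11, 20),
              datetime(2024, 3, 2), datetime(2024, 3, 9)]
# Constructed sample data: a weekly shopper with a higher but steady order rate.
WEEKLY = [NOW - timedelta(days=7 * k) for k in range(1, 40)]

if __name__ == "__main__":
    print(review_order(OCCASIONAL, [(datetime(2024, 3, 10), "password")], NOW))
    print(review_order(WEEKLY, [], NOW))
    print(review_order(WEEKLY, [(datetime(2024, 3, 14), "address")], NOW))
```

Comparing each customer against their own baseline keeps the weekly shopper from being held while the occasional buyer's third order in a month is flagged.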

Take Extra Steps to Verify Suspicious Orders

You probably didn’t realize you’d be manually scanning reviews for red flags when you decided to open a furniture store. However, doing so is in your best interest if you want to reduce your ATO rate and defend your business in general against rampant cybercrime. Think of the time your store spends reviewing orders for fraud as time spent upholding your business’ reputation, and maybe it won’t feel so tedious and unimportant. When order activity does look out of the ordinary, call customers to make sure they made the order. It’s also a good idea to employ two-factor authentication, either through an email verification or text message, when accounts exhibit unusual activity.

Protect Customer Data at all Costs

The sanctity of customers’ data has long been ignored and subsequently abused by large companies. But the enactment of the General Data Protection Regulation (GDPR) last May promises to usher in a new wave of consumer data protection. Even if your store doesn’t sell abroad or interact with European citizens’ data, it’s worth shaping your customer data practices to comply with the GDPR anyway. It’s where future data protections are headed, after all. Of course, baseline security measures to adhere to include using ‘https’ encryption, complying with the Payment Card Industry Data Security Standard (PCI DSS), regularly patching your app and requiring users to create strong passwords.

Detecting ATO can be tricky. At first glance, everything seems normal: customers who’ve purchased before are purchasing again. However, knowing what signs to be aware of, and taking every extra precaution to flag and verify a suspicious order before it’s processed, will go a long way in maintaining your store’s reputation and your customers’ trust.