With attempted account takeover rates skyrocketing 282 percent year-over-year, new data shows consumers place account security burden on businesses
Consumers Are Constantly At Risk
Consumers aren’t ignorant about the dangers of account takeover, and when we asked those who’ve experienced ATO where their credentials were hacked, social media and digital e-commerce sites topped the list. But the rest of the internet is cause for concern, too, with fraudsters finding victims everywhere from financial services platforms to food delivery apps and dating sites.
Account Takeover in Numbers
We asked consumers if they’ve ever been a victim of account takeover, and their responses paint an unfortunate picture: one-fourth of participants have already experienced ATO and dealt with its repercussions (in some cases, multiple times)—and over half are concerned about their personal accounts being compromised in the future.
SAN FRANCISCO, Sept. 30, 2020 (GLOBE NEWSWIRE) — Sift, the leader in Digital Trust & Safety, today released its Q3 2020 Digital Trust & Safety Index, which examines how cybercriminals have been employing Account Takeover (ATO) Fraud to steal from consumers and e-commerce merchants. The Index, which includes analysis from Sift’s global network of 34,000 sites and apps and from a survey of U.S. consumers, revealed that attempted ATO rates (the ratio of attempted fraudulent logins over total logins) swelled 282 percent between Q2 2019 and Q2 2020. Likewise, ATO rates for physical e-commerce businesses—those that sell physical goods online—jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte’s annual holiday retail forecast, e-commerce sales are forecasted to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season. When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies, including financial repercussions and brand abandonment.
Account Hacking Leads to Brand Abandonment
According to Sift’s research, ATO attacks also create significant and lasting brand damage. In surveying 1,000 U.S. adult consumers, Sift found that more than one-quarter (28 percent) of respondents would completely stop using a site or service if their accounts on that site were hacked. And while consumers can secure their accounts with tools like password managers and multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
Additional research from Sift’s Q3 Digital Trust & Safety Index found that:
Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
E-commerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their e-commerce (both physical and digital goods and services) accounts were hacked.
Account Takeover as a Means to Financial Gain
Like payment fraud and content abuse—two of the other links in the fraud supply chain—account takeover is typically a means to a financial end. Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web. While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Customer Security as Customer Experience
“Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic. Unfortunately, fraudsters have too,” said Jason Tan, CEO of Sift. “The surge in account takeover attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
The Sift Digital Trust & Safety Index gives online merchants visibility into the covert economics that impact business—along with industry expertise to help businesses protect their customers without losing money or momentum.
The full Sift Q3 2020 Digital Trust & Safety Index can be found here.
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of 35 billion events per month, and a commitment to long-term customer partnerships. Global brands such as Twitter, Airbnb, and Twilio rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com and follow us on Twitter @GetSift.