New research finds attempted account takeovers are skyrocketing leading up to the holiday shopping season.
Sift released its Q3 2020 Digital Trust & Safety Index, which examines how criminals have been employing Account Takeover (ATO) Fraud to steal from consumers and e-commerce merchants. The Index includes analysis from Sift’s global network of 34,000 sites and apps and from a survey of U.S. consumers. It finds that attempted ATO rates (the ratio of attempted fraudulent logins to total logins) increased 282 percent between Q2 2019 and Q2 2020.
ATO rates for physical e-commerce businesses—those that sell physical goods online—have jumped 378 percent since the start of the Covid-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector to steal payment information and rewards points stored in online accounts on merchant websites.
“According to Deloitte’s annual holiday retail forecast, e-commerce sales are forecasted to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season,” Sift noted in a statement. “When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.”
Account Hacking Leads to Brand Abandonment
According to Sift’s research, ATO attacks also create significant and lasting brand damage. In surveying 1,000 U.S. adult consumers, Sift found that more than a quarter (28 percent) of respondents would completely stop using a site or service if their account on that site was hacked. And, while consumers can secure their accounts by using unique passwords and tools like password managers and multi-factor authentication (MFA), they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
Additional research from Sift’s Q3 Digital Trust & Safety Index found that:
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of respondents who had experienced ATO, 41 percent reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- E-commerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their e-commerce (both physical and digital goods and services) accounts were hacked.