March 14, 2023
As the prevalence of digital commerce continues to surge, cybercriminals relentlessly seek innovative ways to exploit the vulnerabilities that persist in online systems. Two particularly prevalent forms of online account-related fraud are fake account creation (also called new account fraud) and account takeover. These fraudulent activities are not only financially detrimental to individuals and businesses, but they also pose a significant threat to the trustworthiness of online platforms, potentially resulting in reputational harm.
Fake accounts are online profiles created for malicious purposes, often with the intention to exploit promotions or discounts that businesses offer to new customers. Fraudsters create multiple accounts to take advantage of these offers repeatedly, often using temporary or disposable email addresses, the same devices, virtual mobile numbers, and even synthetic identities. This practice is known as "coupon fraud", and it results in lost revenue for businesses.
Another reason for the creation of fake accounts is to carry out chargeback fraud. In this type of fraud, the fraudster disputes a legitimate transaction and receives a refund from the business. This can result in significant financial losses for businesses, especially smaller ones. In addition to coupon and chargeback fraud, fake accounts can also be used for other types of fraudulent activities, such as account takeover or social engineering attacks. These attacks involve gaining access to a legitimate user's account and using it to carry out fraudulent activities.
Fake accounts and bots are also what the industry refers to as invalid traffic. According to a study by CHEQ, invalid traffic accounts for up to 40% of web traffic. The prevalence of invalid traffic has a significant, often detrimental, impact on nearly every marketing funnel, campaign, and operation.
In 2021, losses due to fake accounts or new-account fraud (NAF) increased dramatically, reaching a total of $6.7 billion. Javelin's research revealed a significant 109% surge in NAF losses from 2020 to 2021. Fake account fraud is undeniably a growing concern and is expected to continue to rise in the coming years.
Account takeover, or ATO, occurs when a perpetrator gains unauthorized access to a genuine user account, including social media, e-commerce, email or online banking accounts. Attackers typically use stolen information, brute force, or social engineering tactics to obtain sensitive data, which makes this type of fraud difficult to detect. ATO attacks increased 307% between 2019 and 2021 according to Sift's Q3 2021 Digital Trust & Safety Index, while sources reported that 22 percent of U.S. adults have been victims of account takeovers, which amounts to over 24 million households (Security.org).
Attackers use a variety of methods to perpetrate ATO fraud, including social engineering, phishing, and malware attacks. Social engineering involves tricking the victim into divulging sensitive information, such as login credentials or personal identification numbers (PINs), through methods like phone calls, emails, or texts. Phishing involves sending the victim a fraudulent email or text message designed to look like a legitimate communication from a trusted source, such as a bank or social media platform. When the victim clicks on the link in the message, they are redirected to a fake website that looks like the real thing, but is actually a ploy to steal their login credentials. Malware attacks involve infecting the victim's device with malicious software that can steal login credentials or other sensitive data.
The consequences of ATO fraud can be severe, both financially and emotionally. In 2021 alone, ATO losses increased by 90%, totalling a staggering amount of $11.4B (Javelin 2022 ID Fraud Study). ATO fraud is a significant threat that requires vigilance and action from both businesses and individuals. By implementing robust security measures and staying alert for signs of fraud, businesses can protect themselves and their customers from the devastating consequences of ATO fraud. Consumers must also take responsibility for their online security and take proactive steps to protect themselves from this pervasive threat.
In addition to implementing a sophisticated identity verification and authentication system, businesses must adopt a range of strategies to combat the creation of fake accounts and account takeover. One such strategy is to implement a real-time machine learning fraud detection solution that analyzes customer data and detects patterns of behavior indicative of fraudulent activity. Machine learning can identify unusual patterns in account creation, such as similarly structured email addresses, disposable email addresses, a high number of account creations from a single IP address, or multiple account creations from the same device. Advanced fraud detection solutions can also identify risk at account login, analyzing unusual patterns in user, device, and behavioural data to detect account takeover attempts.
Another measure is to implement robust device fingerprinting and device risk technology that can generate a stable, unique device ID and identify potential risks associated with the end-user device. A distinctive device ID allows businesses to track and correlate unique devices with user accounts, IP addresses, email addresses or mobile numbers, and to raise flags when multiple account creations are attempted from a single device, when a device is linked to multiple IP addresses within a short period of time, when logins to multiple accounts are attempted from the same device, and more. Device risk analysis, on the other hand, helps detect fraudulent tools such as the bots and automated scripts typically used for mass fake account creation, as well as malicious software used for credential stealing, device tampering, GPS location changing and more.
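The account-creation signals described in the two paragraphs above, written as windowed velocity rules over signup events. This is an added example, not code from the original article or from any vendor's product: the thresholds, the one-hour window, the `disposable.example` domain and all event data are constructed assumptions, and plain rules stand in for the machine learning model the article mentions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)          # assumed look-back window
MAX_PER_KEY = 2                      # assumed limit: accounts per IP / device / email stem
MAX_IPS_PER_DEVICE = 2               # assumed limit: distinct IPs seen for one device ID
DISPOSABLE = {"disposable.example"}  # constructed stand-in for a disposable-domain feed

def email_stem(email):
    # 'j.doe+promo17@x' and 'jdoe2@x' collapse to one stem: same address structure.
    local, _, domain = email.lower().partition("@")
    return re.sub(r"\d+", "", local.split("+", 1)[0].replace(".", "")) + "@" + domain

class SignupMonitor:
    def __init__(self):
        self.seen = defaultdict(deque)   # (index kind, key) -> deque of (ts, value)
    def _distinct(self, kind, key, ts, value):
        q = self.seen[(kind, key)]
        q.append((ts, value))
        while ts - q[0][0] > WINDOW:     # events must arrive in time order
            q.popleft()
        return len({v for _, v in q})    # distinct values for this key in the window
    def check(self, ts, account, email, ip, device_id):
        rules = [  # (flag, index kind, key, counted value, limit)
            ("similar_email_structure", "stem", email_stem(email), account, MAX_PER_KEY),
            ("many_accounts_per_ip", "ip", ip, account, MAX_PER_KEY),
            ("many_accounts_per_device", "dev", device_id, account, MAX_PER_KEY),
            ("device_on_many_ips", "dev_ip", device_id, ip, MAX_IPS_PER_DEVICE),
        ]
        flags = [flag for flag, kind, key, val, limit in rules
                 if self._distinct(kind, key, ts, val) > limit]
        if email.lower().rsplit("@", 1)[-1] in DISPOSABLE:
            flags.insert(0, "disposable_email")
        return flags

# Constructed sample events: (minute offset, account, email, ip, device_id)
T0 = datetime(2023, 3, 14, 9, 0)
EVENTS = [
    (0,  "a1", "j.doe1@mail.example",      "198.51.100.7", "dev-A"),
    (3,  "a2", "jdoe2@mail.example",       "198.51.100.8", "dev-A"),
    (5,  "a3", "jdoe+x3@mail.example",     "198.51.100.9", "dev-A"),
    (9,  "a4", "promo@disposable.example", "203.0.113.5",  "dev-B"),
    (90, "a5", "alice@mail.example",       "198.51.100.7", "dev-C"),
]

def run(events=EVENTS):
    m = SignupMonitor()
    return {a: m.check(T0 + timedelta(minutes=t), a, e, ip, d) for t, a, e, ip, d in events}
```

In the sample, the third signup from `dev-A` trips three rules at once, while `a5` reuses the first IP address 90 minutes later and stays clean because the earlier event has aged out of the window.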
The combination of machine learning and device fingerprint technology can help businesses quickly identify and prevent fraudulent activity, ultimately protecting users and maintaining the integrity of the platform.
To prevent and mitigate the risks of such fraudulent activities, it is essential that individuals and businesses adopt proactive measures. One such measure is the use of strong authentication techniques, such as multi-factor and biometric authentication, which can prevent unauthorized access to accounts. Similarly, fraud detection tools, such as machine learning algorithms and device fingerprinting, can aid in identifying suspicious activity and thwarting fraudulent transactions.
Remaining watchful for dubious activity, such as unexpected login attempts or unusual account behavior, is also essential in preventing such fraud. Regular account activity reviews and timely reporting of any suspicious activity to the relevant authorities or platform administrators are some other recommended measures.
In conclusion, safeguarding against the risks of fake accounts and account takeover necessitates a comprehensive approach that integrates robust authentication techniques, fraud detection tools, and continuous vigilance for suspicious activity. By adopting these proactive measures, we can create a safer and more secure online environment for everyone.
The implications of fake accounts and account takeover fraud are far-reaching and can result in significant consequences for both businesses and individuals. In the case of businesses, such fraud may lead to financial losses, reputational damage, and erosion of customer trust. On the other hand, individuals may suffer from financial losses and identity theft.
CHEQ (2022). The Impact of Invalid Traffic on Marketing
Javelin (2022). Identity Fraud Losses Total $52 Billion in 2021, Impacting 42 Million U.S. Adults
Sift (2021). Q3 2021 Digital Trust & Safety Index: Battling the new breed of account takeover fraud
Security.org (2021). Account Takeover 2021 Annual Report: Prevalence, Awareness and Prevention