Post-Crisis, User Accounts May Be Your Weakest Link for Fraud
How would you feel if a thief broke into your house, opened all your drawers and rifled through your things … but didn’t steal anything?
That sounds absurd, but that’s exactly the kind of scenario you’re setting up in the digital realm when your fraud team decides that the only thing that matters is the point of transaction.
If you’re not protecting users’ accounts, fraudsters can break in and look through all the personal information and purchase history that’s stored there. That’s an invasion of privacy, it risks losing customer trust, and it makes fraudulent transactions based on that data more likely to succeed. And let’s not even talk about the danger of social engineering.
Perception in the industry has slowly started shifting toward the realization that trusting and securing accounts matters, and that protecting transactions alone isn’t enough. However, the pandemic has increased both the scale and the seriousness of the problem, and most companies aren’t ready for that yet.
Breaking in Has Never Been Easier
Phishing attacks started spiking as soon as COVID-19 began making headlines, but many fraud teams haven’t internalized the sheer scale of this increase. At the start of the pandemic, phishing rose by 667 percent and has continued to be a major attack vector. A recent GreatHorn survey found that more than a third of respondents are seeing email threats coming into their inboxes every day — and that’s just in a business context.
What makes this so worrying is that much of it is sophisticated phishing, with emails purporting to come from the right vendors, third parties, colleagues or associates, who might be legitimately contacting the target victims. Similarly, attacks like Magecart have become widespread and harder to spot.
All of this is in a context where consumers are eager for news and normal contact, and too stressed to be as careful as usual. And it’s building on years of extensive data breaches.
Targeting your accounts has never been easier for a fraudster — whether via account takeover (ATO) or by using stolen data to set up new, fake accounts. If you’re not looking out for it, you won’t even know it’s happening.
The Post-Crisis Boomerang
The fresher the data that fraudsters have, the wider the scope of their attacks on your accounts. All this phishing and related activity is going to be boomeranging back to hit your business.
You need to take this oncoming storm seriously. Here's why:
- Customers care about ATO. Sixty-five percent of customers say they would likely stop buying from a merchant if their account was compromised. Since Javelin reports ATOs are trending at the highest loss rate so far, up a staggering 72 percent over the prior year, that’s a lot of lost business.
- Fake accounts are just as bad. With all that new stolen data available, fraudsters will be looking to set up fake accounts using victims’ data. That throws the integrity of your ecosystem off, and makes fraudulent transactions far more likely.
- Data privacy is becoming a hot topic in the U.S., and is already a huge issue elsewhere. Successful ATO compromises your users’ privacy. You need to show you’re taking appropriate steps to prevent that.
- It weakens your transaction protection. Some teams ignore accounts so that they can focus all their efforts on transactions. But doing so is counterproductive. Fraudsters who acclimate an account to their IP and geolocation, and access valuable data about buying history and behavior, look much more convincing at checkout.
- You’re helping fraudsters get their hands on your goods. Solving the shipping challenge is one of the trickiest parts of successful fraud for physical goods. ATO changes that. Fraudsters can add a new address to an account, let it age, and use that. Or they can use the account information to shift an order to another address after purchase, or switch it to buy online, pick up in-store (BOPIS). Picking up in-store is the latest thing in our new normal, so that won’t stand out.
- There’s a huge upside to doing it right. If you verify that the users creating and accessing accounts on your site are trustworthy, you can make their experience fantastic. You can dramatically reduce friction, speed up payments and even expand your offering, building a more loyal customer base and enhancing revenue at this critical time.
Protection Starts At the Door
If you’re not protecting account signup, login or such activity as adding new details, it’s past time to start.
Identity validation has evolved by leaps and bounds over recent years, and you don’t need to add friction for good users, except in rare cases. You can use solutions that focus on positive validation (recognizing good users as such, rather than simply trying to identify fraudsters) to protect all stages of account use — well before transaction.
Provider-less options, which enable you to check what you’re seeing directly against the knowledge of other businesses, are valuable here. The reliable freshness of information with these types of solutions, compared to what’s available from third parties, is a good fit for this use case.
Your customer's journey with you doesn’t begin when they reach checkout. Your mantle of protection shouldn’t begin there either.
Account protection is better for your users, your business, and your fraud key performance indicators. And it’s about to move from being “nice to have” to becoming a fraud prevention essential.
Uri Arad is the co-founder, vice president, product and research at Identiq, a truly anonymous verification network.