Chargeback Prevention

Account Takeover Fraud Protection

Account Takeover Fraud

It’s a horror movie cliché by now, but the implications are still terrifying: “the call is coming from inside the house!” For merchants, few things can be as frustrating as fraud that originates from compromised accounts within your own CRM system. By taking over legitimate customer accounts, fraudsters can bypass many of your anti-fraud defenses and submit fraudulent orders with the real customer’s stored payment credentials.

When the customer catches on, they’re certain to file a chargeback—and they may never again trust that merchant to keep their data secure. What can merchants do to protect themselves and their customers from account takeover fraud?

New call-to-actionFraud often manifests as an external threat: a fraudster acquires a stolen credit card, targets a vulnerable (or lucrative) merchant, and creates a new account. Frequently, they will engage in card testing before placing a larger or more costly order. Many of the most effective anti-fraud tools are designed to prevent this from happening by identifying fraud indicators or unusual orders originating from new accounts.

With account takeover fraud, the fraudster hacks into an existing customer account. They could add a stolen credit card as a new payment method, but more often they’ll just place orders with the customer’s stored payment credentials. Now, the merchant sees the order coming from a trusted customer who already has an order history, and few if any of their anti-fraud tools are scrutinizing this activity.

If your anti-fraud measures don’t include protections against account takeover fraud, that’s like having a house with a deadbolt, security camera, and guard dog at the front door—and an unlocked screen door in the back.

What is Account Takeover Fraud?

To commit account takeover fraud, all a fraudster needs is the means to access a legitimate customer’s account on an ecommerce site. Usually, this only requires a username and password. Usernames can be easy to find or guess—many sites make email addresses the customer’s default username—so the real challenge for the fraudster is to obtain a valid password for a known account.

There are endless ways for a fraudster to figure out somebody’s password. Phishing attacks and social engineering methods are commonly used for this purpose. However, most serious account takeover fraudsters employ one or both of the following tactics:

  • Credential Stuffing

    eCommerce is a big part of our lives now, and that means that the typical digital consumer has several or even dozens of different account login and password combinations to keep track of. Many consumers give up on best security practices and choose login credentials they can easily remember, which means they reuse a lot of the same usernames and passwords for different sites.

    This is great news for fraudsters, who can often gain access to multiple accounts if they can find one working set of credentials. “Credential stuff” refers to the practice of trying out a set of known credentials on multiple ecommerce sites, often with the help of automated bots.

  • Credential Cracking

    The other significant method, “credential cracking,” is also commonly referred to as a “brute force” attack. This involves trying to guess the correct password to an account by making multiple login attempts with a different password each time.

    The key difference between credential stuffing and credential cracking is that the former takes a valid set of credentials and tries to guess which sites they can be used to access; the latter takes a specific target and tries to guess what password will work on it.

    Credential cracking bots might use lists of dictionary words, previously stolen passwords, commonly used passwords, or other data sources to inform their password guesses.

Once the fraudster is inside the hacked customer account, there are various ways they can exploit it for personal gain, depending on the nature of the site. Some fraudsters will discreetly log out and sell the verified credentials to other criminals on the dark web, others will change the customer’s shipping address and place orders for things they can keep or resell.

How Can I Prevent Account Takeover Fraud?

Unfortunately for merchants, you can see from the takeover methods discussed above that the biggest point of vulnerability for account takeover fraud is the customers themselves. Complex passwords can be hard to keep track of, and while customers might use strong passwords for their online bank accounts and email, they’re likely to go for something simple and easy to remember when they’re signing up to place a quick order with an ecommerce site.

As a merchant, you have the power to require strong passwords, two-factor authentication, CAPTCHAs, and other added security protocols for your site. Some customers may be put off by too much of this, so merchants must always carefully weigh how much friction they can get away with adding to their customers’ experience.

Just remember, when a customer becomes a victim of account takeover fraud, there’s almost always a part of them that will be angry with the merchant for not doing a better job of protecting them—even if their password was password1234. You have to be realistic about the damage that fraud can potentially do not just to your revenue but to your reputation.

On the merchant side, network tools can help you identify and block the traffic associated with malicious bots, which will often hail from the same suspicious IP address or geolocation. The telltale signs of account takeover attempts aren’t that hard to spot; you’ll typically see lots of failed login attempts with both stuffing and cracking attacks, and password or shipping address changes often follow a successful attack. By monitoring your network and order activity, you can establish processes to investigate and respond to account takeover fraud.


When a customer comes to you with claims of account takeover fraud, you have an opportunity to refund the fraudulent order and work with the customer to restore the integrity of their account and regain their trust. While merchants should verify these claims by examining network traffic and access logs, the last thing you want to do is stonewall them until they go to their bank to demand a chargeback.

Defending against account takeover fraud can take more time and attention that many busy merchants have, but security experts like the team at Chargeback Gurus can help you implement monitoring and response procedures as part of developing an overarching strategy of fraud and chargeback prevention.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:

Download your copy of An Introductory Guide to E-Commerce Fraud Prevention