Account takeover fraud (ATO) is a type of identity theft. A criminal obtains a user’s login credentials and then logs in to an online service such as a bank or an online retailer posing as the user. Once the criminal has gained access to the account they have the ability to change account details, make purchases, withdraw or transfer funds, or even use the information to gain access to other accounts.

Criminals obtain login information from various sources. Below we will talk about just a few of the more common ones. This is by no means a complete list and criminal elements are forever creative in finding new ways to get information that they can use for nefarious purposes.

Phishing

Phishing is any practice where the criminal tricks the user into revealing information voluntarily. This could be by means of sending emails or text messages, which appear to be legitimate, requesting information or directing users to fake sites to capture information. It could also be by means of a phone call, where a criminal poses as a company representative and requests information be given to them under false pretenses. Sadly phishing relies on the victim to give the information willingly and many do not realize they have been duped until it is too late.

Malware

Malware is software designed to steal information from a user’s device. It can use various methods to capture information, such as logging keystrokes or reading saved credentials, and then transmit it back to the criminals. Devices become infected with malware by various means, including malicious or compromised apps, unsecured sites, clicking on links in emails that start downloads in the background, and hardware such as thumb drives or other USB devices.

Brute Force Attacks

Brute force is when criminals use automated systems to guess a password by bombarding the login with different candidates until one succeeds. Weak passwords are the biggest vulnerability in these types of attacks: the shorter and more predictable the password, the fewer guesses it takes.

Man-In-The-Middle Attacks

Man-in-the-middle attacks happen when criminals use special software to intercept traffic on unsecured networks, such as public Wi-Fi in coffee shops, capturing credentials as they pass between the customer and the site.

This all sounds like it is the customer’s problem, doesn’t it? They were not careful with their information and now they will pay the price. Well, account takeover fraud has a huge impact on online retailers too. In a typical scenario a criminal gains access to a customer’s account, makes purchases with the credit card numbers stored on the system for ease of payment, and then changes the usual shipping address to one that they can access. When they receive the goods they will either keep them or re-sell them. Without good systems in place the real user may only find out about the transactions when they check their statements. When that happens they could file a chargeback claim. If the merchant is unsuccessful in contesting the claim, the merchant forfeits the goods and the cost of shipping and pays penalties. Even if the merchant is successful in contesting the chargeback they will still have paid penalties. It’s a lose-lose scenario for the merchant. And if the merchant has a high rate of chargebacks they could be re-classified as high risk and pay higher fees, or even have their payment services terminated.

Reputational damage also has to be considered. In this day and age of social media and online reviews, word spreads fast, and if your existing and potential customers feel that you are not safe to shop with, your business will definitely decline.

Luckily there are quite a few things online retailers can do to lower the risk of account takeover fraud. Below we discuss some simple measures online merchants can take to provide a safer shopping experience to their customers.

Enforce strong passwords

Your customers will need a password to access their online account with you. Require strong passwords for your customers, with a minimum length and a mix of character types such as numbers and upper- and lower-case letters. Don’t allow simple, popular passwords such as 123456, iloveyou or qwerty to be used. Your website developers should be well versed in password security, including storing passwords only as salted hashes.
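As an added illustration of the policy described above (example code, not part of the original post), the following Python enforces a minimum length, a mix of character classes and a deny list of popular passwords, and shows the salted scrypt hashing a developer should use for storage. The minimum length of 12 and the six-entry deny list are assumptions for the example; a real shop would load a large published list of breached passwords.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12  # assumed minimum; the post does not give a number

# Constructed sample deny list; a real shop would load a large published
# list of breached/popular passwords instead of these six entries.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "qwerty", "abc123", "letmein"}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    # Normalise before the deny-list lookup so that "Qwerty2024" is still
    # rejected: lower-case it and strip trailing digits.
    base = re.sub(r"\d+$", "", candidate).lower()
    if candidate.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("matches a popular password")
    return problems


def hash_password(password: str) -> tuple:
    """Hash with scrypt and a fresh random salt; store both, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the supplied password and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)
```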

Use a secure server

Make sure your online shop is on a secure server. The cost is negligible and is well worth your customers’ peace of mind.

Send confirmation emails

Send your customers emails to confirm their purchase and delivery address. If the customer gets an email confirming a purchase they did not make there is time to reverse the transaction. And in that vein make sure that your customer support is top-notch and that the customer can easily and quickly get hold of you to query the purchase. If a purchase is fraudulent and it is picked up on quickly you will have time to act in terms of not shipping the goods and refunding the customer. Not only will you avert losses but you will also gain customer trust.

Use Multi-Factor Authentication

Use a second layer of protection to safeguard your customers. For example, if a delivery address is changed or added, send an email or text message to the customer asking them to confirm via a verification link, and only apply the change once they do. And use a payment provider that includes MFA, such as a One Time PIN, to confirm payments.
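One way to implement the address-change verification link just described, as an added example that is not part of the original post: the server issues an HMAC-signed, short-lived token bound to the customer and the exact new address, and the change is applied only when the customer follows the link and the token verifies. The secret key, the 15-minute lifetime and the token layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed server-side secret; a real deployment loads it from a secrets store.
SECRET_KEY = os.urandom(32)
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of the verification link
SIG_LEN = 32  # SHA-256 HMAC length in bytes


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_address_change_token(user_id: str, new_address: str, now=None) -> str:
    """Create the token embedded in the link emailed/texted to the customer."""
    issued = now if now is not None else time.time()
    claims = {
        "uid": user_id,
        # Bind the token to this exact address so it cannot be reused for another one.
        "addr": hashlib.sha256(new_address.encode()).hexdigest(),
        "exp": issued + TOKEN_TTL_SECONDS,
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_address_change_token(token: str, user_id: str, new_address: str, now=None) -> bool:
    """True only if the token is genuine, unexpired and matches this user and address."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    return (
        claims["uid"] == user_id
        and claims["addr"] == hashlib.sha256(new_address.encode()).hexdigest()
        and current < claims["exp"]
    )
```

The address change itself is written to the account only after verify_address_change_token returns True for the address the customer originally requested.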

Choose excellent payment providers

When it comes to picking payment partners such as payment processors, gateways and facilitators, don’t go for cheap providers that cannot offer excellent security. The lowest price is not always the best if it loses you money and reputation in the long run.

At Baer’s Crest we know the risks online merchants face on a daily basis. We know that businesses need payment partners with both reasonable rates and excellent security, and we pride ourselves on providing our clients with payment services that come with peace of mind. Talk to us about secure, affordable payment solutions for your business.