Account Takeover

ATO Attacks Severely Harm User Experience and Brand Reputation

March 2, 2023 | 6 min read

Account takeover (ATO) attacks, where bad actors gain unauthorized access to genuine user accounts and abuse them for criminal activities, have evolved into a thriving 'business' for attackers and a nuisance for companies, as they often lack full visibility into the volumes of ATOs they face.

Account takeover (ATO) attacks are among the biggest issues in cybercrime today, and they’re only becoming more frequent. Fraudsters commit these attacks to drain funds directly from accounts and/or use compromised accounts as launchpads for various other crimes—such as money laundering, phishing scams, and sending out spam. Businesses, on the other hand, expend time, effort, money, and reputation trying to clean up the mess.

However, by implementing a robust authentication solution, like that of Arkose Labs, businesses can not only reduce the risk of account takeover, but also save precious resources and time. This also leads to better ROI and cost savings, as businesses don't need to rely on manual processes to handle fraud cases. Furthermore, an authentication solution can also be used to reduce false positives and increase the efficiency of fraud prevention operations.

What is the true cost of ATOs in your business?

Lack of visibility

The lack of visibility into the extent of damage caused by ATOs makes them challenging to detect. This lack of visibility is clearly highlighted in the results of a recent Arkose Labs survey of 100 IT professionals across industries. Nearly 30% of the companies polled reported no increase in ATO attacks in 2020, while half of the companies reported only a slight increase.

This statistic is in stark contrast with the volume of ATO attacks recorded on the Arkose Labs network—a 50% spike over the second half of 2020, and a 90% increase in Q4. This shines the spotlight on the lack of visibility into the volumes of ATO attacks that businesses face.

Businesses face financial and reputational losses

Often, the effects of account takeover attacks are discovered only once downstream abuse has been committed and financial losses incurred. In addition to costing businesses millions of dollars every year, ATOs adversely impact good user experience (with 90% of the companies agreeing), causing brand erosion and customer churn. These are long-term damages, as it takes years of effort to build a brand and acquire customers.

The Arkose Labs survey reveals that 5% of the large companies (with over 10,000 employees) reported annual costs exceeding $1 million, while 10% of the companies reported losses of between $500,000 and $1 million. However, it is important to note that these losses do not include cleanup costs, application downtime, operational costs, and reimbursements to customers for loss of funds. This means the actual losses are much higher.

Another big concern pertains to regulatory compliance. When bad actors are able to successfully scale up ATO attacks, affected businesses attract regulatory attention, hefty penalties, and uncomfortable questions regarding the lack of adequate security on their platforms. 

Luckily, with the right security measures in place, businesses can protect themselves from automated attacks and remain compliant with the latest regulations. This can not only help them save costs, but also improve their ROI by ensuring their data and customers are kept safe from malicious threats. Additionally, businesses can use this opportunity to gain an edge over the competition by demonstrating their commitment to security and compliance, which can help them build trust in the market.

Account takeover attacks are pervasive across industries

Although every industry is facing the brunt of ATOs, some of the worst affected include professional services, healthcare, financial institutions, and e-commerce platforms. E-commerce firms are obliged to keep user accounts safe, as ATOs can harm them through fraudulent transactions, payments fraud, and negative brand reputation, which can, in turn, impact their revenues.

With the most valuable customer data in their possession, financial institutions are a prime target for attackers. They are also the most regulated industry, which means a successful ATO can result in massive fines and greater regulatory measures imposed on them, with the legal and compliance costs adding up to the financial losses. A whopping 94% of financial institutions polled in the Arkose Labs survey agreed that ATO attacks degrade user experience for their customers.

Who keeps an eye on ATOs?

There is no clear-cut consensus on who, in an organization, is responsible when it comes to fighting fraud—each department believes it is the role of the other. For instance, while a majority of the respondents in our survey would hold the information security department responsible, others say preventing ATO is the responsibility of the fraud, engineering, or product teams. The verdict is also divided according to the size of the company, with 55% of the larger companies saying information security should handle ATOs, followed by fraud at 29% and engineering at 14%.

Fighting ATO attempts, however, must be the prerogative of all organizations, regardless of their size, with a dedicated team to handle them centrally. That said, investments in fraud prevention are abysmally low, with a majority of companies reporting spending 1-5% of their tech budget on fraud and 3% having no dedicated budget at all! This is at a time when the volumes of account takeover attacks are increasing and estimated costs of handling them can add up to 8% of the annual revenue for digital businesses.

By investing in fraud prevention, businesses can not only reduce the cost of ATO attempts, but also save on costs in other areas such as customer service and chargebacks. With better security, businesses will also see a better ROI in the long run, with the potential for increased customer retention and better customer experience.

Adopt a proactive, zero tolerance to fraud approach

Businesses often take reactive steps to stop ATOs, which include implementing more stringent controls, banning accounts, and classifying higher percentages of traffic as suspicious. These measures, however, disrupt the digital experience for authentic users and often lead to false positives. Therefore, the most viable approach to fighting ATO attacks is to stop the attackers right at the entry gates.

Arkose Labs adopts a zero tolerance to fraud approach which uses friction smartly to ensure authentic users can continue to enjoy seamless user experience, while bad actors are accurately identified and challenged. Based on each user's risk assessment, enforcement challenges are presented. These challenges continually step up in complexity to wear out malicious users and undermine cyberattacks. 

To gain further insights into the state of account takeover attacks in your industry, please download a copy of the survey report now.