Report: Account Takeover Becomes Weapon of Choice for Fraudsters Leading Up to Holiday Shopping Season

With attempted account takeover rates skyrocketing 282 percent year-over-year, new data shows consumers place account security burden on businesses

SAN FRANCISCO, Sept. 30, 2020 (GLOBE NEWSWIRE) -- Sift, the leader in Digital Trust & Safety, today released its Q3 2020 Digital Trust & Safety Index, which examines how cybercriminals have been employing Account Takeover (ATO) Fraud to steal from consumers and e-commerce merchants. The Index, which includes analysis from Sift’s global network of 34,000 sites and apps and from a survey of U.S. consumers, revealed that attempted ATO rates (the ratio of attempted fraudulent logins over total logins) swelled 282 percent between Q2 2019 and Q2 2020. Likewise, ATO rates for physical e-commerce businesses—those that sell physical goods online—jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.

According to Deloitte’s annual holiday retail forecast, e-commerce sales are forecasted to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season. When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies, including financial repercussions and brand abandonment.

Account Hacking Leads to Brand Abandonment

According to Sift’s research, ATO attacks also create significant and lasting brand damage. In surveying 1,000 U.S. adult consumers, Sift found that more than one-quarter (28 percent) of respondents would completely stop using a site or service if their accounts on that site were hacked. And while consumers can secure their accounts with tools like password managers and multi-factor authentication (MFA) and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.

Additional research from Sift’s Q3 Digital Trust & Safety Index found that:

  • Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
  • Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
  • E-commerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their e-commerce (both physical and digital goods and services) accounts were hacked.
    • Other online destinations on which consumers reported experiencing ATO include:
      • Social media sites: 36 percent
      • Financial services sites: 35 percent
      • Online dating sites: 22 percent
      • Travel sites: 19 percent

Account Takeover as a Means to Financial Gain

Like payment fraud and content abuse—two of the other links in the fraud supply chain—account takeover is typically a means to a financial end. Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web. While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.

Customer Security as Customer Experience

“Businesses have been forced to adapt to an immediate shift in consumer behavior since the beginning of the global pandemic. Unfortunately, fraudsters have too,” said Jason Tan, CEO of Sift. “The surge in account takeover attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”

The Sift Digital Trust & Safety Index gives online merchants visibility into the covert economics that impact business—along with industry expertise to help businesses protect their customers without losing money or momentum.

The full Sift Q3 2020 Digital Trust & Safety Index can be found here.

About Sift

Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of 35 billion events per month, and a commitment to long-term customer partnerships. Global brands such as Twitter, Airbnb, and Twilio rely on Sift to gain a competitive advantage in their markets. Visit us at and follow us on Twitter @GetSift.

Media Contact

Victor White
Director of Corporate Communications, Sift
