Account Takeover Alerts: When to Flag Suspicious Logins
by Gergo Varga
Account takeovers – or account hacking, as your customers may call it – are terrible for your brand reputation. Each successful attack can cost the business up to $12,000 and will also tarnish your reputation with customers.
This is why, when an ATO happens, time is of the essence. A responsive, effective and robust alerting system is crucial.
Let’s see what an account takeover alert should look like and how you can start deploying them today.
What Is an Account Takeover Alert?
An account takeover alert is a system designed to notify a company or user(s) that a suspicious login which might indicate an account takeover attack has taken place. It may be triggered based on a number of parameters, such as a login from a new device or IP address, as well as combinations of these parameters.
The most sophisticated account takeover alerts can look at user behavior to identify suspicious actions. For instance, a large number of withdrawals or a password reset could be considered high risk.
As for the alerting system, you may be able to deploy an internal solution or leverage a third-party tool, usually in the form of fraud prevention software.
Partner with SEON to reduce fraud in your business and stop identity fraud, chargebacks, account takeovers. Enable your growth.
Book a Demo
What Industries Should Deploy Account Takeover Alerts?
The short answer is all of them. Any business that offers user accounts should be proactive about protecting them against takeovers, to minimize fraud, protect its revenue and safeguard its reputation. However, fraudsters tend to target these more often:
- neobank accounts
- social media accounts
- BNPL accounts
- iGaming accounts where the balance can be withdrawn
- online store accounts – especially those with loyalty points or store credit
The Pros and Cons of Account Takeover Alerts
Account takeover alerts can be a powerful security tool. They can also be a serious hindrance to good business.
The biggest advantage of creating an alerting system, both for your business and your customers, is that you’ll be able to catch any suspicious activity before an account is compromised.
This will block fraudulent activity at the source, which can have a positive impact in a variety of ways, from reducing chargebacks to better data safeguarding or even maintaining a good relationship with your customers.
The downside, however, is that alerts can be hard to calibrate. It requires trial and error, as you want the rules to be effective but not too strict.
If you are too careful and ask customers to confirm their ownership of the account every time they use a new device or IP address, for instance, you’ll be asking for trouble. Too much friction is frustrating and may cause your customers to look for less stringent alternatives – also known as customer churn.
Aside from the false positives, it’s also worth considering the manual efforts required to tweak your fraud detection rules and to restore login privileges to the right customer – which may translate into extra resources for the customer service department.
When to Trigger an Account Takeover Alert
Your account takeover alerts should be tailored to your risk challenges. You should hopefully have a good understanding of what a good login looks like and know how to recognize a suspicious one.
Broadly speaking, there are two types of alerting systems:
- Static rules: In that scenario, you are looking for specific data points, such as an IP address pointing to a certain geolocation or a previously unseen device.
- Velocity checks: A more sophisticated approach aims to understand user behavior by looking at specific user actions over a set timeframe.
Below are examples of what SEON has identified as potentially risky user behavior after a fresh login, with examples from both kinds of alerting systems.
Examples worth highlighting include:
- Multiple changes to an account in one session: Without even looking at the kind of changes made, you could infer that the person who is currently logged in is trying to make the account theirs if there are several different changes within the same session. This is particularly obvious if you are looking at address changes, a password reset, or bank detail updates.
- Suspicious device configurations: A key technique of fraud rings is to deploy virtual machines and emulators to fool IP and device checks. But these configurations of software and hardware still leave a trace. A good fraud detection engine, for instance, will be able to recognize a VPN, Tor connection, or even something as granular as an unusual browser window size.
- Unusual user behavior: This may be reflected in a surprisingly large number of transactions or deposits – and of course a high number of chargeback requests.
Partner with SEON to reduce fraud rates in your business with real-time data enrichment, whitebox machine learning, and advanced APIs.
Book a Demo
Using SEON for Account Takeover Alerts
SEON is designed to give you as much information about your customers as possible, whether they are signing up for the first time, making a payment, or logging into their accounts. You can deploy custom risk rules, industry-specific presets and even machine learning suggestions to automatically flag and block suspicious activity.
This allows you to protect your customers’ accounts when someone else wants to log in, but also to ensure you don’t accidentally add friction for legitimate users, causing frustration and churn.
On top of being able to automatically create alerts, you can even integrate SEON with other tools via Zapier. Set up custom alert systems that ping you directly on Slack or Gmail, and stay on top of all your login security however you see fit.
An account login may be deemed fraudulent if data or user behavior appears suspicious or even inconsistent with the user’s previously observed behavior. Companies will set up alerts designed to instantly flag or review these suspicious logins in order to protect their customers’ accounts.
An account takeover will usually result in changed account details, such as an email address, phone number or bank account information. This is what a fraudster will attempt to do as soon as they manage to gain access to a consumer’s account. Other signs to watch out for may include an unusual, inconsistent IP address or device configuration.
An account takeover happens when someone illegally logs into your account. It does not necessarily involve stealing your identity. However, if your account contains personal information (PII), the fraudster may use the account as a starting point to steal your ID – which is also known as identity theft.
- Veriff: Account takeover fraud statistics
Showing all with `` tag
What Is Churn Rate & How Can You Reduce It?
Learn About AI Fraud & How AI Can Be Used For Fraud Detection
Fraud Rates: What Are They and Why Are They Growing?
How to Identify High-Risk Customers in The Online Lending Industry
See a live demo of our product
Gergo Varga is SEON’s Product Evangelist. With more than 10+ years of experience in the Hungarian and international risk management sphere, he has developed an astute knowledge of RiskOps and Open Source Intelligence. He is the author of SEON’s Fraud Prevention for Dummies guide.
Sign up for our newsletter
The top stories of the month delivered straight to your inbox