Account Takeover Alerts: When to Flag Suspicious Logins

Account takeovers – or account hacking, as your customers may call it – are terrible for your brand reputation. Each successful attack can cost the business up to $12,000 and will also tarnish your reputation with customers.

This is why, when an ATO happens, time is of the essence. A responsive, effective and robust alerting system is crucial.

Let’s see what an account takeover alert should look like and how you can start deploying them today.

What Is an Account Takeover Alert?

An account takeover alert is a system designed to notify a company or user(s) that a suspicious login which might indicate an account takeover attack has taken place. It may be triggered based on a number of parameters, such as a login from a new device or IP address, as well as combinations of these parameters.

The most sophisticated account takeover alerts can look at user behavior to identify suspicious actions. For instance, a large number of withdrawals or a password reset could be considered high risk. 

As for the alerting system, you may be able to deploy an internal solution or leverage a third-party tool, usually in the form of fraud prevention software. 

What Industries Should Deploy Account Takeover Alerts?

The short answer is all of them. Any business that offers user accounts should be proactive about protecting them against takeovers, to minimize fraud, protect its revenue and safeguard its reputation. However, fraudsters tend to target these more often:

• neobank accounts
• social media accounts
• BNPL accounts
• e-wallets 
• iGaming accounts where the balance can be withdrawn
• online store accounts – especially those with loyalty points or store credit

The Pros and Cons of Account Takeover Alerts

Account takeover alerts can be a powerful security tool. They can also be a serious hindrance to good business.

The biggest advantage of creating an alerting system, both for your business and your customers, is that you’ll be able to catch any suspicious activity before an account is compromised. 

This will block fraudulent activity at the source, which can have a positive impact in a variety of ways, from reducing chargebacks to better data safeguarding or even maintaining a good relationship with your customers. 

The downside, however, is that alerts can be hard to calibrate. It requires trial and error, as you want the rules to be effective but not too strict.

If you are too careful and ask customers to confirm their ownership of the account every time they use a new device or IP address, for instance, you’ll be asking for trouble. Too much friction is frustrating and may cause your customers to look for less stringent alternatives – also known as customer churn.

Aside from the false positives, it’s also worth considering the manual efforts required to tweak your fraud detection rules and to restore login privileges to the right customer – which may translate into extra resources for the customer service department.  

When to Trigger an Account Takeover Alert

Your account takeover alerts should be tailored to your risk challenges. You should hopefully have a good understanding of what a good login looks like and know how to recognize a suspicious one. 

Broadly speaking, there are two types of alerting systems:

• Static rules: In that scenario, you are looking for specific data points, such as an IP address pointing to a certain geolocation or a previously unseen device.
  
• Velocity checks: A more sophisticated approach aims to understand user behavior by looking at specific user actions over a set timeframe. 

Below are examples of what SEON has identified as potentially risky user behavior after a fresh login, with examples from both kinds of alerting systems. 

Examples worth highlighting include:

• Multiple changes to an account in one session: Without even looking at the kind of changes made, you could infer that the person who is currently logged in is trying to make the account theirs if there are several different changes within the same session. This is particularly obvious if you are looking at address changes, a password reset, or bank detail updates.
  
• Suspicious device configurations: A key technique of fraud rings is to deploy virtual machines and emulators to fool IP and device checks. But these configurations of software and hardware still leave a trace. A good fraud detection engine, for instance, will be able to recognize a VPN, Tor connection, or even something as granular as an unusual browser window size.
  
• Unusual user behavior: This may be reflected in a surprisingly large number of transactions or deposits – and of course a high number of chargeback requests. 

Using SEON for Account Takeover Alerts

SEON is designed to give you as much information about your customers as possible, whether they are signing up for the first time, making a payment, or logging into their accounts. You can deploy custom risk rules, industry-specific presets and even machine learning suggestions to automatically flag and block suspicious activity. 

This allows you to protect your customers’ accounts when someone else wants to log in, but also to ensure you don’t accidentally add friction for legitimate users, causing frustration and churn. 

On top of being able to automatically create alerts, you can even integrate SEON with other tools via Zapier. Set up custom alert systems that ping you directly on Slack or Gmail, and stay on top of all your login security however you see fit.

FAQ

Sources

• Veriff: Account takeover fraud statistics