Fraudsters create fake ‘lookalike’ websites to capture the data of subscribers / users for account takeover (ATO) fraud.
In a recent monitoring scan for one of the leading ecommerce portals, we found more than 30 fake websites (in this case, marketplaces) created to defraud genuine subscribers / users, which potentially increases the risk of ATO fraud. This technique is becoming increasingly widespread: an ordinary digital user falls into the trap and hands over critical information to a scamster who misuses it.
How does it work?
A fake marketplace is created using the exact elements of the genuine one, making it difficult for an average digital user to tell the two apart or become suspicious. The fake marketplace has the same logo, colour scheme, fonts, listing style, and even the same product details, to make a user believe that it is the authentic one.
Since over 85% of users access the internet using a smartphone, the complete URL is hidden, as mobile browsers do not have the space to show the full address. The fraudsters typosquat the URL so that the user confuses it with the genuine one and finds nothing to doubt.
After the fake marketplace opens in the browser, the user is lured into signing in or filling in a form to avail great deals, enter a competition, etc. The user, taking things at face value, enters the details and starts dreaming about the promised reward.
Meanwhile, the fraudster celebrates having obtained all the details, which include the password, mobile number and other account information shared over this infringed identity. The fraudster can now log into the genuine account and also change critical information like the mobile number and email linked to the account. The account is now completely under the control of the fraudster, who can buy products, possibly also use money in wallets linked to the account, redeem points earned, and much more. At times, especially in the case of OTT accounts, the fraudster can simply share the account details for use on other devices.
All this happens in the name of a genuine customer, who gets no alert because all the alert channels have been reconfigured.
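A defender-side check for the typosquatted lookalike names described above, added here as an example and not taken from the monitoring scan the article mentions: it flags hostnames that resemble a brand label through visual substitution, small edits, or keyword padding. The brand `examplemart`, the allowlist, the confusables table and the observed hostnames are all constructed assumptions.

```python
import unicodedata

BRAND = "examplemart"              # constructed brand label (assumption)
LEGIT = {"examplemart.example"}    # constructed allowlist of genuine hosts
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})  # illustrative subset

def skeleton(label):
    """Reduce a label to roughly what a hurried reader perceives."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.translate(CONFUSABLES).replace("-", "").replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain):
    """Return why a host looks like the brand, or None if it does not."""
    host = domain.lower().rstrip(".")
    if host in LEGIT:
        return None
    for label in host.split("."):
        skel = skeleton(label)
        if skel == BRAND:
            return "brand-on-other-domain" if label == BRAND else "visual-match"
        if BRAND in skel:
            return "combosquat"
        if osa_distance(skel, BRAND) <= 2:   # threshold suits an 11-char brand
            return "typosquat"
    return None

OBSERVED = [  # constructed sample using reserved .example/.test names
    "examplemart.example", "examp1emart.example", "exampelmart.example",
    "examplemart-deals.example", "examplemart.login.test", "gardenshop.example"]

def scan(domains):
    return {d: r for d in domains if (r := classify(d))}

print(scan(OBSERVED))
```

For shorter brand labels the distance threshold of 2 would need to drop to 1 to keep unrelated names from being flagged.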
What does it result in?
One can understand that due to ATO fraud, the personal details of a genuine user are compromised, and the fraudster can ‘enjoy’ the benefits of a subscriber / user without becoming one. This is in itself very damaging. But what does it translate into?
Here are some of the implications of an account takeover fraud.
- First and foremost is the financial loss, which can happen in many ways to both parties – the subscriber as well as the marketplace / platform offering services and products. The subscriber's existing balances could be used to make purchases, etc. Nowadays, many platforms offer a pay-later option. This would increase the liability of a user without the user actually buying anything. Hence, the transactions would end up disputed, and either or both parties will lose money.
- The second major issue is the breach of trust and privacy. A user shares very crucial information, including card details, passwords, etc., with a platform in all trust and faith. While the user is at fault for perhaps not being extra cautious, it is primarily the duty of the platform to ensure that it doesn’t get infringed. The data could be abused, as a scamster would get to know a lot about the behaviour and profile of a user by checking the transaction history. Imagine someone buying an airline ticket for a particular city, then receiving a call offering services while in that city. The user may feel excited that some AI-powered application is proactively offering the best experience. But it could be a scammer duping the user of money in the name of advance booking of a service typically required while travelling to another city.
- The marketplace will also face serious credibility and reputation issues, resulting in paying subscribers signing off from it. Even a subscriber who may be spending just Rs 1,000 pm with the marketplace would result in a substantial LTV loss by disengaging. This means a perpetual opportunity loss.
As growth continues to be driven by non-metro cities and towns, which has been repeatedly shown as a trend by all major ecommerce marketplaces in the country, it is highly likely that awareness of such issues will be next to negligible. Such users could be easily trapped by the fraudsters.
Even the regulators cannot shy away from this by running very ineffective campaigns to increase awareness of such scams. The regulator and the cybercrime apparatus also have to become effective and more proactive in their stance, so that such frauds find it difficult to thrive. We have seen in cases like unauthorised card swipes, etc., that banks do not take responsibility and excuse themselves behind awareness drives and ‘buyer beware’ principles.
Brands (marketplaces) that are concerned about their reputation need to proactively create multiple layers of protection so that brand infringement becomes almost impossible. This will result in users engaging only with the real platform, where information exchange and transactions can be done without any worry.
Are you unsure whether there are brand infringement cases involving your marketplace or other consumer-facing digital assets? Connect with us today and we will help you get the right picture.