Now, fraudsters target dormant e-commerce accounts

MUMBAI: You probably do not care much about your inactive accounts on online platforms such as Amazon or Flipkart. But do you know that your dormant e-commerce accounts are being targeted by fraudsters?

Unlike financial transactions which usually leave a trail and are notified to users through mobile alerts or messages, suspicious transactions made through e-commerce accounts tend to go unnoticed which is the reason they are easy targets for fraudsters.

Your e-commerce accounts already keep details of your cards or payment methods intact and once compromised, fraudsters use them for unauthorised purchases, loyalty-point abuse, refund frauds or mule account activity, experts said.

"When you use UPI, you sim-bind it but that's not done for e-commerce platforms. You don't need to have an e-commerce app on your phone to use it. People can use it through a phone that belongs to a family member," said Venkat Srinivasan, chief analytics and risk officer at Bureau, an AI-powered risk decisioning platform which helps organisations prevent digital frauds.

The modus operandi

How are fraudsters getting access to your dormant accounts in the first place? They are often able to do that through leaked passwords, phishing attacks, malware or sim-swap techniques, said Capt Praveen Dahiya, founder & MD at InQuest Global.

A sim-swap is a process which allows cybercriminals to get access to a victim's mobile phone number--they do this by convincing a mobile carrier to transfer the victim's number to a sim card under their control, allowing them to intercept SMS-based authentication codes and reset passwords, according to cybersecurity platform SentinelOne.

Device farming enabling large scale frauds

The frauds are being done at a large scale, too. The rapid growth and consumer adoption of online commerce is giving rise to more sophisticated ways of triggering frauds--in this case, the underlying technique is often "device farming" which allows criminals to target multiple accounts at the same time.

Device farming is basically the large-scale use of mobile devices, sim cards and automation tools to mimic genuine consumer activity online. It allows fraudsters to run and control dozens, sometimes hundreds of accounts simultaneously switching between them at speeds no individual user can match.

Amazon, Flipkart and Meesho declined to comment on the issue.

Tighter checks needed

E-commerce companies should increasingly put in place a mechanism mandating users of dormant accounts to reset their passwords every few months and enable multi-factor authentication to avoid account takeover by fraudsters. Platforms should also devise ways to alert users about unusual buying activities besides disabling default payment methods, said Sachin Yadav, partner at Deloitte India.
Ready to Make a Smarter Property Decision? Build Your Legacy with TOI Homes.