Digital Fraud Wiki

Your source for the latest fraud intelligence, insights, research, and commentary.

Account Takeover (ATO) Fraud

Imagine that you’re logging into your online banking app. You enter your credentials – but they don’t work. You’re sure you’re using the right user ID and password, but you keep getting an error message. Quickly, you request to reset your credentials, and while that gets you into your account, it’s already too late. Your account is drained – an Account Takeover is to blame!

What is an Account Takeover (ATO) Fraud?

An Account Takeover – or ATO – happens when a bad actor uses stolen credentials to take over ownership of someone’s account. Once they access the account, they typically change the password to lock out the account owner and proceed to transfer funds, make fraudulent payments, buy things or open new accounts such as credit cards in the victim’s name. By the time the customer or the bank realizes that the account has been commandeered, they may have already incurred substantial losses.

In the U.S., financial institutions are legally required to reverse any unauthorized transactions, if the victim reports the fraud in a timely manner. However, the inconvenience customers experience and impact the bank’s reputation, not to mention its bottom line. That’s why account takeover protection is an essential part of a solid enterprise fraud strategy.

How Common is Account Takeover?

According to the Javelin 2022 ID Fraud Study, 22% of U.S. adults have been victims of account takeover fraud, representing 24 million households. ATO losses increased 90% in 2021 alone, reaching $11.4 million, and one in every 140 logins during the early 2021 holiday season was an ATO attempt.

What is the Impact of Account Takeover Fraud?

When a fraudster succeeds at taking over an account, the customer can incur monetary losses. They may also spend a lot of time trying to fix the problem, which is frustrating and creates a terrible customer experience. They may lose trust in the organization that didn’t stop the ATO, and if it happens multiple times, the company could suffer reputational damage.

How Does Account Takeover Attack Happen?

Fraudsters either steal credentials or purchase them on the dark web. They can also require them through social engineering scams, data breaches and phishing attacks.

Let’s have a closer look at some of the common methods fraudsters use to obtain credentials and commit ATO fraud:

  • Phishing

    Phishing attacks occur when a fraudster sends a fake text or email, or posts a social ad that takes customers to a fake bank login page. Customers may not notice subtle differences between the fake page and the real page, and willingly enter their login credentials. Like stealing candy from a baby, the bad actor simply takes those credentials, uses them to log in to the real website, gains access and takes over the bank account.

    According to APWG research, phishing attacks reached an all-time high in 2021, with more than 300,000 attacks recorded in December alone. And that’s not the scariest part: one in three employees are likely to click the links in phishing emails, and one in eight will share information requested by the email.

  • Credential stuffing

    If at first you don’t succeed, try try again! Credential stuffing involves fraudsters using sophisticated, AI-powered bots to automatically test random combinations of credentials. This is sometimes referred to as a “brute force” attack. Where do they get all those combos? The dark web.

    You may wonder how credential stuffing can be successful – mostly it’s the user’s fault. Over 80% of users reuse passwords across two or more sites, and 25% use the same passwords across the majority of their accounts. According to Okta, credential stuffing accounts for 34% of all attempted logins.

  • Social engineering scams

    Social engineering refers to a broad range of attacks used to obtain credentials and other information from people directly, simply by tricking them into believing that it’s for a legitimate reason. Bad actors may also prey on consumers’ emotions and fears in order to obtain information. Nearly all – 98% of cyber attacks include some form of social engineering, and the average organization is targeted by over 700 social engineering attacks every year.

  • Cybersecurity issues and vulnerabilities

    The rate of IT expansion is off the charts, thanks to trends such as digital transformation, remote working and mobility, which means IT has their hands full keeping equipment and software updated with the latest security measures and protocols. Outdated hardware and software may have vulnerabilities that fraudsters can exploit to infiltrate the network and steal data and customer information. What’s more, so-called shadow IT that’s unsanctioned may not be on the security team’s radar, and forgotten or idle devices can sit for months or longer, opening the door for an attack.

  • Call center fraud

    A particularly deceptive form of social engineering is call center fraud, when fraudsters contact an organization’s call center pretending to be a legitimate customer. This type of fraud increased by 75% in 2020, as businesses struggled with the challenges of the pandemic. What’s more, Neustart, a TransUnion company, found that fraudsters are targeting agent-led authentication methods over the phone channel, and this activity has led to a $5.8 billion increase in consumer fraud losses in 2021.

Is Account Takeover Considered Identity Theft?

Account takeover fraud is just one type of identity theft. There are several others, including debit card and credit card fraud, driver’s license theft, mail theft, senior identity scams, and more. While both ID theft and account takeover fraud involve stealing personal information, account takeover identity theft is limited to account takeovers. ID theft, on the other hand, causes people to lose control of their entire lives.

Since some people don’t report identity theft, it’s difficult to say how many victims exist – but the FTC estimates that roughly 9 million identities are stolen each year.

Since there are many ways fraudsters can obtain user credentials and use them to commit ATO fraud, a comprehensive approach to account takeover prevention is essential. Here are some useful tips:

  • Avoid high-friction authentication methods that can frustrate good customers.
  • Leverage machine learning and AI to analyze web session logs, cross-account linkages, digital fingerprints, profile details, and account behaviors.
  • Continuously monitor customer events such as logins, transactions and password changes to forecast potential ATO.
  • Use visualization tools to accelerate decision-making.

DataVisor combines advanced machine learning and AI with rules-based detection, enabling comprehensive defense against account takeover fraud. Learn more about our solutions for account protection, and how our fraud detection platform helps uncover account takeovers early, so you can block fraudsters before they cause damage. Book a time to talk with our team.