Digital Fraud Wiki

Your source for the latest fraud intelligence, insights, research, and commentary.

Account Takeover (ATO) Fraud

Imagine that you’re logging into your online banking app. You enter your credentials – but they don’t work. You’re sure you’re using the right user ID and password, but you keep getting an error message. Quickly, you request to reset your credentials, and while that gets you into your account, it’s already too late. Your account is drained – an Account Takeover is to blame!

What Is Account Takeover Fraud?

An Account Takeover – or ATO – happens when a bad actor, hacker or fraudster uses stolen credentials to take over ownership of someone’s account with the intent of making fraudulent transactions. Once they access the account and the victim’s personal data, they typically change the password to lock out the account owner and proceed to transfer funds, make fraudulent payments, buy things or open new accounts such as credit card accounts in the victim’s name. They may also take over social media accounts. By the time the customer or the financial services provider realizes that an account has been commandeered, they may have already incurred substantial financial losses.

In the U.S., financial institutions are legally required to reverse any unauthorized transactions if the victim reports the fraud in a timely manner. However, the inconvenience customers experience can impact the bank’s reputation, not to mention its bottom line. That’s why account takeover protection is an essential part of a solid enterprise fraud strategy.

How Common is Account Takeover?

According to the Javelin 2022 ID Fraud Study, 22% of U.S. adults have been victims of account takeover fraud, representing 24 million households. ATO losses increased 90% in 2021 alone, reaching $11.4 million, and one in every 140 logins during the early 2021 holiday season was an ATO attempt.

What Is the Impact of Account Takeover Fraud?

Account Takeover Fraud is a form of identity theft. When a fraudster gains unauthorized access and succeeds at taking over an account and accessing sensitive information, the customer can incur monetary losses. They may also spend a lot of time trying to fix the problem, which is frustrating and creates a terrible customer experience. They may lose trust in the organization that didn’t stop the ATO, and if it happens multiple times, the company could suffer reputational damage.

How Does Account Takeover Attack Happen?

Fraudsters either steal credentials like password combinations to victims’ accounts — or purchase them on the dark web. They can also acquire them through social engineering scams, data breaches and phishing attacks.

Let’s have a closer look at some of the common methods cybercriminals use to obtain credentials and commit ATO fraud:

  • Phishing

    Phishing attacks occur when a fraudster sends fake emails or text messages, or posts a social ad that takes customers to a fake bank login page that looks like a legitimate way to access their online account. Customers may not notice subtle differences between the fake page and the real page, and willingly enter their login credentials. Like stealing candy from a baby, the bad actor simply takes those credentials, uses them to log in to the real website, gains access and takes over the bank account.

    According to APWG research, phishing attempts reached an all-time high in 2021, with more than 300,000 attacks recorded in December alone. And that’s not the scariest part: one in three employees are likely to click the links in phishing emails, and one in eight will share account information such as credentials, social security numbers or phone number when requested by the email.

  • Credential stuffing

    If at first you don’t succeed, try try again! Credential stuffing involves fraudsters using sophisticated, AI-powered bots to automatically test random combinations of credentials and break into user accounts. This is sometimes referred to as a “brute force” attack. Where do they get all those combos? The dark web.

    You may wonder how credential stuffing can be successful – mostly it’s the user’s fault. Over 80% of users reuse passwords across two or more sites, and 25% use the same passwords across the majority of their accounts. According to Okta, credential stuffing accounts for 34% of all attempted logins.

  • Social engineering scams

    Social engineering refers to a broad range of attacks used to obtain credentials and other information from people directly, simply by tricking them into believing that it’s for a legitimate reason. Bad actors may also prey on consumers’ emotions and fears in order to obtain account information. Nearly all cyber attacks (98%) include some form of social engineering, and the average organization is targeted by over 700 social engineering attacks every year.

  • Cybersecurity issues and vulnerabilities

    The rate of IT expansion is off the charts, thanks to trends such as digital transformation, remote working and mobility, which means IT has their hands full keeping equipment and software updated with the latest security measures and protocols. Outdated hardware and software may have vulnerabilities that fraudsters can exploit to infiltrate the network and steal data and customer information, whether by ATO attacks, compromised accounts, man-in-the-middle, malware, or other fraudulent activities. What’s more, so-called shadow IT that’s unsanctioned may not be on the security team’s radar, and forgotten or idle devices can sit for months or longer, opening the door for an attack. Without fraud prevention and mitigation measures, these vulnerabilities substantially increase risk.

  • Call center fraud

    A particularly deceptive form of social engineering is call center fraud, when fraudsters contact an organization’s call center pretending to be a legitimate customer. They might tempt the victim by claiming unusual account activity, or using automated scripts that ask for credentials to verify transactions. This type of fraud increased by 75% in 2020, as businesses struggled with the challenges of the pandemic. What’s more, Neustar, a TransUnion company, found that fraudsters are targeting agent-led authentication methods over the phone channel, and this activity has led to a $5.8 billion increase in consumer fraud losses in 2021.

Is Account Takeover Considered Identity Theft?

Account takeover fraud is just one form of identity theft. There are several others, including debit card and credit card fraud, driver’s license theft, mail theft, senior identity scams, and more. While both ID theft and account takeover fraud involve stealing personal information, account takeover identity theft is limited to account takeovers. ID theft, on the other hand, causes people to lose control of their entire lives.

Since some people don’t report identity theft, it’s difficult to say how many victims exist – but the FTC estimates that roughly 9 million identities are stolen each year.

Since there are many ways fraudsters can obtain user credentials, a comprehensive approach to prevent account takeover fraud and other types of cybercrime is essential. Here are some useful tips:

  • Avoid high-friction authentication methods that can frustrate good customers. Biometrics is becoming a preferred method.
  • Leverage machine learning and AI to analyze web session logs, cross-account linkages, digital fingerprints, profile details, and account behaviors.
  • Use two-factor authentication or multi-factor authentication (MFA) for an added layer of protection.
  • Continuously monitor customer events such as logins, transactions and password changes to forecast potential ATO.
  • Use visualization tools to accelerate decision-making.
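
The monitoring tip above, combined with the credential stuffing and lock-out patterns described earlier, can be sketched as a small batch check over an event log. This is an added example, not DataVisor's code; the event names, thresholds and sample events (documentation-range IPs) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source IP, event type).
EVENTS = [
    ("2024-01-05 09:00:00", "alice", "198.51.100.7", "login_ok"),
    ("2024-01-05 09:05:00", "alice", "198.51.100.7", "transaction"),
    ("2024-01-06 02:00:01", "bob", "203.0.113.9", "login_fail"),
    ("2024-01-06 02:00:02", "carol", "203.0.113.9", "login_fail"),
    ("2024-01-06 02:00:03", "dave", "203.0.113.9", "login_fail"),
    ("2024-01-06 02:00:04", "alice", "203.0.113.9", "login_ok"),
    ("2024-01-06 02:01:00", "alice", "203.0.113.9", "password_change"),
    ("2024-01-06 02:03:00", "alice", "203.0.113.9", "transaction"),
]
MIN_FAILED_ACCOUNTS = 3         # assumed threshold: distinct accounts failed per IP
WINDOW = timedelta(minutes=15)  # assumed span from risky login to transaction

def parse(events):
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(t, fmt), a, ip, k) for t, a, ip, k in events)

def stuffing_ips(events):
    """Source IPs whose failed logins span many distinct accounts."""
    failed = defaultdict(set)
    for _, acct, ip, kind in parse(events):
        if kind == "login_fail":
            failed[ip].add(acct)
    return {ip for ip, accts in failed.items() if len(accts) >= MIN_FAILED_ACCOUNTS}

def takeover_alerts(events):
    """Risky login, then password change, then transaction, all inside WINDOW."""
    bad_ips, known, risky, alerts = stuffing_ips(events), defaultdict(set), {}, []
    for ts, acct, ip, kind in parse(events):
        if kind == "login_ok":
            # A first-ever login has no history, so it is not treated as a new IP.
            new_ip = bool(known[acct]) and ip not in known[acct]
            if ip in bad_ips or new_ip:
                risky[acct] = {"start": ts, "ip": ip, "pw_changed": False}
            else:
                known[acct].add(ip)
        elif acct in risky and ip == risky[acct]["ip"] and ts - risky[acct]["start"] <= WINDOW:
            if kind == "password_change":
                risky[acct]["pw_changed"] = True
            elif kind == "transaction" and risky[acct]["pw_changed"]:
                alerts.append((acct, risky[acct]["ip"], ts))
    return alerts

if __name__ == "__main__":
    print(stuffing_ips(EVENTS), takeover_alerts(EVENTS))
```

In production the same sequence would be scored on a stream rather than a finished log, and an alert would normally hold the transaction for step-up authentication rather than block it outright.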

DataVisor combines advanced machine learning and AI with rules-based detection, enabling comprehensive defense against account takeover fraud, without impacting the user experience.