Account Takeover Fraud – An Overview


In the last few years, the use of technology has skyrocketed. Whether you look at financial institutions, educational institutions, or any other industry, technology is in use everywhere. Unfortunately, crime has moved into cyberspace with it. Criminals have made technology their new frontier for extending their activities, using a variety of techniques to exploit weaknesses in these institutions’ systems.

Cybercriminals are organized, adaptive, and creative. They increasingly use bots to run criminal operations against their victims at scale. Bot and botnet traffic is hard to distinguish from legitimate traffic, which is one reason attackers favor it; it also works far faster than a human and can target many victims simultaneously. In this post, we look at account takeover (ATO) fraud.

What is account takeover fraud?

Account takeover (ATO) is the act through which a fraudster obtains a victim’s credentials or other sensitive information and assumes control of the victim’s account. According to a recent study on the prevalence, prevention, and awareness of account takeover, 22% of adults in the US have been victims, which translates to over 24 million households. The same study found that the average financial loss from account takeover fraud was about $12,000, making it one of the most lucrative online crimes. With account takeover fraud becoming more prevalent and pervasive, individuals and organizations need to know how the attack happens, which sectors are most exposed, and how to prevent it.

How is Account takeover Fraud carried out?

Have there been many recent changes to customers’ details, such as email addresses and other personally identifiable information? Who made those changes, and from where? The answers to these questions may be vital in uncovering an ongoing ATO fraud. Account takeover fraud is a three-stage process that eventually locks you out of your financial, social media, or academic account. The stages are as follows:

Getting a victim’s credentials

First, the attacker obtains your credentials. They may buy them on the dark web, harvest them through phishing or social engineering, or take them from a previous data breach at an unrelated service. The attacker then validates the credentials with techniques such as brute-force attacks and credential stuffing (replaying leaked username and password pairs against the login form). Bots are essential at this stage because of their work rate: they can test hundreds of credential pairs a minute, often rotating source IP addresses to get around simple per-IP blocks. Once the attacker finds a pair that works, they use it to log in to your account.

Changing the victim’s account details

After logging in to your account, the attacker makes various non-monetary alterations to your details. These include:

  • Changing the personally identifiable information on file, such as the email address and other contact details
  • Adding another authorized user
  • Changing the password
  • Requesting a new card

These changes lock you out of the account and ensure that alerts about what follows no longer reach you. At this stage, the attacker has already taken over your account.

Committing the fraud

After the modifications above, the attacker has complete control of your account and can perform unauthorized transactions as if they were the account owner: withdrawing money, making purchases on your e-commerce account, or implicating you in other crimes. The potential frauds from account takeover are endless, and the most harmful outcome is full identity theft. Account takeover fraud results in substantial financial losses to the victim.

Why is account takeover fraud so insidious?

The harm from a successful ATO attack takes many forms: financial losses, frustration, and the time the victim spends undoing the damage. Depending on its extent, ATO fraud can also take a psychological toll. Imagine a successful account takeover draining your account or your life savings; the effect can be devastating.

For companies and organizations, the effects of ATO fraud can be far-reaching. It can damage customer relations, brand, and reputation, and the company can incur losses through the lawsuits that follow. Building a reputable brand takes both time and money, and frequent account takeover attacks threaten it.

Enhancing security while ensuring little or no friction with the customers

After a successful ATO attack, customers hold the company responsible for the lax security that let the attacker into their account. At the same time, they get frustrated when the company adds verification steps to routine account changes.

Therefore, a company must balance giving its customers a seamless experience with implementing measures that ensure adequate security. How can a company keep the fraudsters at bay while ensuring little or no friction with its customers?

Using a comprehensive solution

A company cannot afford to lose or alienate its customers, whether through account takeover or through account management that is too restrictive. Combatting ATO fraud requires a real-time, comprehensive picture of what normal and abnormal account maintenance activity looks like within the company. That knowledge lets you flag suspicious activity as it happens, before the fraud stage is reached. Commercial solutions such as DataDome, Cloudflare, and Radware can help with this: they combine behavioral analysis, artificial intelligence, and machine learning to judge whether a change to an account’s details is coming from the owner or from a fraudster.

Basic precautions that can help prevent an account takeover fraud

Financial institutions, healthcare institutions, social media, and e-commerce applications are the biggest targets of account takeover fraud. While customers may blame a company for the lax security that led to an ATO attack, online security is a shared responsibility. Below are some basic precautions that a customer should take:

Do not use the same password on multiple accounts

According to a 2019 security survey by Google, 65% of people use the same password across multiple accounts, if not all of them. A data breach at one service can then affect every account that shares the password. If the credentials from such breaches are shared online, attackers can use them to carry out account takeover fraud through credential stuffing. Therefore, do not use the same credentials on multiple accounts. A password manager can generate and store a unique, strong password for each account.

Carefully evaluate links before opening them

Attackers use phishing to harvest the credentials they need for account takeover fraud.

Before opening a link, email, or document, check that it comes from a legitimate source. Some links stealthily download and install keylogging malware that sends your keystrokes to an attacker, who then uses the captured credentials for account takeover. If you receive a suspicious email from a financial institution, call the bank’s customer support using the number on your card or its official website, never a number given in the email.

Activities that a system admin can perform to prevent account takeover fraud

Blocking suspicious IPs

As we said, online account security is a shared responsibility. A system admin should block suspicious traffic and activity. If authentication attempts against the same account arrive from many different IP addresses in a short period, the admin should block those requests and contact the registered user. Note that blocking by IP alone is a weak control against a botnet that rotates source addresses, so it should be combined with per-account rate limiting and alerting on login failures rather than relied on by itself.


Another way a system administrator can help prevent account takeover is by displaying a CAPTCHA after a specified number of failed authentication attempts. Bots are used in credential stuffing, a precursor to account takeover. CAPTCHAs raise the cost of automated login attempts considerably, so if the login attempts come from a bot, a CAPTCHA can thwart or at least slow the attack. They are not a complete answer, since CAPTCHA-solving services exist, so they should sit alongside rate limiting and monitoring of login failures rather than replace them.
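The following is an added example, not code from the original post or from any of the vendors it mentions. It shows, on a constructed log, how an admin could spot the two patterns described above: the credential-validation stage (one account probed from many IPs, or one IP probing many accounts) and the takeover stage (a login followed by a burst of risky profile changes such as an email change, a password change and a new authorized user). It also shows the CAPTCHA decision for the next login attempt. The log format, event names, windows and thresholds are all assumptions for illustration.

```python
"""Detect credential stuffing and post-login takeover patterns in a login/account
log. Added example with constructed data; thresholds and event names are assumed."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts kind account ip")

# Profile changes the post lists as the takeover stage (event names are assumed).
RISKY_CHANGES = {"email_changed", "password_changed", "user_added", "card_requested"}

# Constructed sample log, format 'timestamp|event|account|ip' (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:00|login_failed|alice|203.0.113.10
2024-03-01T10:00:02|login_failed|alice|203.0.113.11
2024-03-01T10:00:03|login_failed|alice|203.0.113.12
2024-03-01T10:00:04|login_failed|alice|203.0.113.13
2024-03-01T10:00:05|login_ok|alice|203.0.113.14
2024-03-01T10:03:00|email_changed|alice|203.0.113.14
2024-03-01T10:04:00|password_changed|alice|203.0.113.14
2024-03-01T10:05:00|user_added|alice|203.0.113.14
2024-03-01T10:00:10|login_failed|bob|198.51.100.7
2024-03-01T10:00:11|login_failed|carol|198.51.100.7
2024-03-01T10:00:12|login_failed|dave|198.51.100.7
2024-03-01T10:00:13|login_failed|erin|198.51.100.7
2024-03-01T10:00:14|login_failed|frank|198.51.100.7
2024-03-01T10:00:15|login_ok|grace|198.51.100.7
2024-03-01T11:00:00|login_failed|heidi|192.0.2.5
2024-03-01T11:00:30|login_ok|heidi|192.0.2.5
2024-03-01T11:05:00|password_changed|heidi|192.0.2.5
"""


def parse_log(text):
    """Parse 'ts|event|account|ip' lines into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, account, ip = line.split("|")
            events.append(Event(datetime.fromisoformat(ts), kind, account, ip))
    return sorted(events, key=lambda e: e.ts)


def _max_distinct_in_window(pairs, window):
    """pairs: (ts, value) sorted by ts. Largest number of distinct values seen
    in any trailing window of the given length."""
    best = start = 0
    for i, (ts, _) in enumerate(pairs):
        while pairs[start][0] < ts - window:
            start += 1
        best = max(best, len({v for _, v in pairs[start:i + 1]}))
    return best


def _bursts(events, kinds, key, value, window, threshold):
    """Group events of `kinds` by key(e); report keys whose value(e) reaches
    `threshold` distinct values inside one window."""
    groups = defaultdict(list)
    for e in events:
        if e.kind in kinds:
            groups[key(e)].append((e.ts, value(e)))
    hits = {}
    for k, pairs in groups.items():
        n = _max_distinct_in_window(pairs, window)
        if n >= threshold:
            hits[k] = n
    return hits


def accounts_hit_from_many_ips(events, window=timedelta(minutes=5), min_ips=3):
    """One account, many source IPs: a bot rotating addresses to dodge IP blocks."""
    return _bursts(events, {"login_failed"}, lambda e: e.account,
                   lambda e: e.ip, window, min_ips)


def ips_spraying_many_accounts(events, window=timedelta(minutes=5), min_accounts=5):
    """One source IP, many accounts: a leaked list replayed against the login form."""
    return _bursts(events, {"login_failed", "login_ok"}, lambda e: e.ip,
                   lambda e: e.account, window, min_accounts)


def login_challenge(events, account, now, window=timedelta(minutes=15), captcha_after=3):
    """What the next login attempt for `account` should see: a plain form, or a
    CAPTCHA once the account has `captcha_after` failures in the window (assumed)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    failures = sum(1 for e in events
                   if e.account == account and e.kind == "login_failed"
                   and now - window <= e.ts <= now)
    return "captcha" if failures >= captcha_after else "allow"


def takeover_sequences(events, window=timedelta(minutes=30), min_changes=2):
    """Accounts where a successful login is followed by several different risky
    profile changes within the window. One change is normal user behaviour;
    email + password + new authorized user within minutes is the takeover pattern."""
    flagged = {}
    for i, e in enumerate(events):
        if e.kind != "login_ok":
            continue
        changes = set()
        for f in events[i + 1:]:          # sorted, so stop at the window edge
            if f.ts > e.ts + window:
                break
            if f.account == e.account and f.kind in RISKY_CHANGES:
                changes.add(f.kind)
        if len(changes) >= min_changes:
            flagged[e.account] = sorted(changes)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts hit from many IPs:", accounts_hit_from_many_ips(evs))
    print("IPs spraying many accounts:", ips_spraying_many_accounts(evs))
    print("takeover sequences:", takeover_sequences(evs))
    print("next alice login:", login_challenge(evs, "alice", "2024-03-01T10:00:05"))
```

On the sample data, alice is probed from four IPs in seconds and then has her email, password and authorized users changed right after the login, so she is flagged at both stages; 198.51.100.7 is flagged for trying six accounts; heidi's single failure followed by one password change is left alone, which is the kind of normal maintenance that a reviewer should not be paged about.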


As we have seen, account takeover fraud has devastating effects, and vigilance is critical in preventing it. Securing online accounts is a shared responsibility between the customer and the service provider. Because ATO fraud is so insidious, preventing it is far better than cleaning up after it. The security mechanisms chosen must add as little friction as possible between the company and its customers.
