Request a demo

account takeover fraud
account takeover fraud

Understanding & preventing account takeover attacks

Gergo Varga

Jul 28, 2023

Account takeover fraud is a global menace that impacts everyone in our ever-connected, digital-first world. Colloquially known as account hacking, it is a form of unauthorized access by fraudsters into a user's online account and the subsequent takeover - a form of digital identity theft.

ATO attacks have been surging since 2019 in size, scale, and sophistication, increasing by  90% in 2021 alone, totaling $11.4B in losses - according to Javelin Strategy

Fraudsters can execute an account takeover (ATO) through various techniques such as social engineering, phishing, or the use of malware applications. Once successfully executed, the fraudster exploits the account for personal gain by conducting various fraudulent transactions.

Fintechs and other online financiers are particularly vulnerable to ATO because of their reliance on online accounts that users access remotely. The growing popularity of online and mobile banking services has made ATO a significant security challenge, as a bank account is one of the most lucrative targets for fraudsters.

In this article, we will walk you through the threat of ATOs, as well as the practical security measures you can take, from properly deploying Multi-Factor Authentication (MFA) to using sophisticated anti-fraud software to protect your users.

Impact of ATO attacks

Account takeover attacks have severe and wide-ranging impacts on businesses, affecting not only their financial stability but also their reputation and customer trust. 

Here are some key impacts of ATO attacks on a business:

  • Financial Losses: Fraudsters exploit compromised accounts to conduct unauthorized transactions, make fraudulent purchases, or transfer funds to their own accounts.

  • Reputational Damage: If customers experience unauthorized access to their accounts or fraudulent activities, they may lose confidence in the company's ability to protect their sensitive information. This can result in negative reviews, customer churn, and damage to the company's brand reputation.

  • Legal and Compliance Issues: Depending on the nature of the attack and the industry, businesses may be subject to regulatory investigations and face penalties or fines for failing to protect customer information adequately: under the GDPR (General Data Protection Regulation), businesses can face fines of up to €20 million or 4% of annual global turnover.

Operational Disruptions: Organizations may need to invest significant time and resources into investigating the attacks, implementing additional security measures, and managing customer inquiries and support.

Obviously, it's in your best interest to protect your users from identity theft. However, getting your protection measures wrong may cause too much friction for your users, which means less customer satisfaction and an increased likelihood of customer churn.

The prime target of ATO: a bank account

According to recent research, online banking logins are being sold on the darknet markets for an average price of $40 per account. 

The value of a bank account on the darknet market can vary depending on the account's transaction history, account balance, and the bank's security practices. 

For example, accounts with a balance of $3,000 from major banks like Bank of America, JPMorgan Chase, and Wells Fargo were reportedly sold for $300, while account login details for other banks have been sold for as little as $5.

As the fintech revolution made moving money easier than ever, these online financial accounts have become a prime target for identity theft.

To adequately protect against ATO, fintechs need to understand the methods that fraudsters use to gain access to user accounts. Organizations that offer online financial services need to keep up with emerging cybercrime tactics, which continuously advance to evade security measures.

How does ATO work? A deeper dive

Account takeover attacks have become increasingly sophisticated and prevalent in the last 5-10 years, with fraudsters continuously evolving their techniques.

In general, account takeover fraud involves fraudsters gaining unauthorized access to user accounts and taking control of them for malicious purposes. These attacks typically start with the acquisition of login credentials through various methods such as phishing, social engineering, or the use of malware applications.

Data breaches are also a boon to cybercriminals, making it easy for them to automatically gain access to online accounts using stolen credentials.

Once fraudsters have obtained the login details, they use them to log in to the targeted accounts. In some cases, they may employ brute-force techniques like credential stuffing or dictionary attacks to gain access.

Credential stuffing or dictionary attacks are an automated way to crack open a large number of accounts by using login details obtained from various data breaches, which inevitably yield results due to the common habit of password reuse among users.

Once inside, fraudsters often change account details, such as passwords and contact information. By doing so, the fraudster locks out the legitimate user and makes it difficult for them to regain control of their account

With control of the online account, fraudsters can conduct unauthorized transactions, exploit personal information, or even sell stolen bank accounts and credentials on the dark web.

Additionally, fraudsters have also started leveraging advanced techniques such as spear-phishing, where they tailor their attack to specific individuals or organizations to increase their chances of success. They may also employ social engineering tactics such as impersonating customer support agents or sending fake security alerts to trick users into divulging their login credentials.

Phishing attack example from the FTC

Now let's look into some of the best practices in use today, and how we have evolved from resetting passwords every few months to more subtle, yet efficient forms of preventing account takeovers.

Account takeover prevention: from passwords to continuous adaptive risk & trust

The evolution of account protection from passwords to the continuous adaptive trust model represents a shift in the approach to cybersecurity, focusing on real-time risk assessment and adaptive decision-making.

Traditionally, account protection has relied heavily on passwords as the primary method of authentication. However, with the increasing sophistication of cyber threats and the vulnerabilities associated with password-based authentication, new approaches have emerged to enhance security.

The continuous adaptive trust model, also known as Continuous Adaptive Risk and Trust Assessment (CARTA), emphasizes continuous cybersecurity assessments and contextual decision-making based on adaptive evaluations of risk and trust.

This model recognizes that risk and trust levels are not static but change dynamically based on various factors such as user behavior, network conditions, and threat intelligence.

Instead of solely relying on passwords, the continuous adaptive trust model incorporates multi-factor authentication, behavioral analysis, and machine learning algorithms to assess the risk and trustworthiness of user activities. 

Furthermore, advanced security measures continuously monitor and evaluate user behavior, network activities, and contextual information in real-time to detect anomalies and potential security threats.

It allows organizations to dynamically adjust security measures based on the current risk posture, enabling a more proactive and agile security approach.

Modern anti-fraud software, such as Oscilar allows you to take into account both historic and real-time data to apply risk-based authentication to your users - carefully balancing between preventing account takeover fraud without introducing too much friction for your users.

Pitfalls of Multi-Factor Authentication

Multi-factor authentication (MFA) is generally considered a more secure method of authentication compared to relying solely on passwords. However, there are still weaknesses in MFA that fraudsters can exploit. 

Here are some common weaknesses and examples of how fraudsters abuse MFA:

  • Social engineering attacks: Fraudsters can manipulate individuals into providing their MFA codes to bypass the authentication process. They may pretend to be a trusted entity and trick users into revealing their authentication credentials through phishing emails, phone calls, or malicious websites.

  • SMS vulnerabilities: The use of SMS for delivering MFA codes can be exploited. Fraudsters can intercept SMS messages through SIM swapping, where they convince a mobile carrier to transfer a victim's phone number to a device under their control. This allows them to receive the MFA codes and bypass the authentication process.

  • Phishing and malware: Fraudsters may use phishing techniques to trick users into providing their MFA credentials on fraudulent websites. They can also infect devices with malware that captures MFA codes or secretly records user interactions, giving them access to authentication credentials.

  • Device compromises: If a user's device is compromised, fraudsters can gain unauthorized access to MFA codes or intercept communication between the device and the authentication server. This can be done through malware, keyloggers, or other techniques that exploit vulnerabilities in the device's operating system or applications.

  • Human error: Users may unintentionally undermine the security of MFA by reusing passwords, sharing authentication credentials, or failing to secure their devices properly. These actions can provide opportunities for fraudsters to gain unauthorized access.

As an example, attackers are increasingly relying on abusing what is known as ‘MFA fatigue’ - continuously bombarding the victim with push notifications, who end up surrendering their code to the attacker just to make the notifications go away.

It's important to keep these weaknesses in mind when implementing MFA, hence organizations and individuals should consider following additional "best practices" that have been adopted across industries.

Top 4 best practices to detect and prevent account takeover fraud

  1. Implementing more secure methods of MFA, such as hardware tokens or authentication apps, which are less susceptible to SMS vulnerabilities.

  2. Educating users about social engineering techniques and the importance of verifying the authenticity of requests for MFA codes or personal information.

  3. Prevent the use of passwords that are known to be associated with data breaches.

  4. Regularly monitor and analyze logs and security alerts for any suspicious activity that may indicate account takeover attempts.

In addition, whatever software you use to prevent account takeovers, your risk or safety & trust team should be enabled to intervene quickly when needed. 

Your decisioning engine should allow the modification of user journeys based on risk signals that are uncovered in real-time, without the need to rely on your cybersecurity or developer teams in the heat of the moment.

The importance of real-time fraud detection and prevention

Real-time fraud detection systems play a crucial role in preventing account takeover (ATO) fraud. ATO occurs when a cyber attacker gains control of a legitimate account and uses it for malicious purposes.

Real-time fraud detection systems continuously monitor user activities and identify patterns that are consistent with fraudulent behavior. They can quickly detect and block unauthorized login attempts, preventing attackers from gaining access to accounts and stealing sensitive information.

Real-time fraud detection systems use various techniques to detect fraudulent activities, such as device recognition, behavioral biometrics, machine learning, and artificial intelligence.

These techniques help create a comprehensive profile of legitimate user behavior and identify deviations from it. When a deviation is detected, the system can take immediate action to prevent further unauthorized access and alert account owners or administrators.

One of the main benefits of real-time fraud detection systems is that they reduce the window of exposure to fraud. By detecting and blocking fraudulent activities in real time, these systems limit the amount of time attackers have to cause damage.

They also provide a proactive defense mechanism that can prevent identity fraud itself before it occurs, rather than relying on reactive remediation efforts after an attack has already taken place.

In addition, real-time fraud detection systems can help reduce false positives and minimize customer friction. By continuously studying user behavior, these systems can identify legitimate login attempts and differentiate them from suspicious activities.

This reduces the number of false positives and ensures that genuine customers can access their accounts with minimal friction.

Overall, real-time fraud detection systems are a critical component of any effective account takeover fraud prevention strategy. They provide a proactive defense against fraud, reduce the window of exposure, and minimize false positives and customer friction.

Account activity monitoring and user profiling

Account activity monitoring and user profiling are crucial in preventing account takeover fraud as they help to detect suspicious or abnormal behavior that may indicate an attacker has gained access to an account.

Account activity monitoring involves continuously monitoring user interactions and analyzing patterns to detect changes that may indicate malicious activity. On the other hand, user profiling involves analyzing user behavior to build a baseline of normal behavior and flag any deviations from that behavior.

By implementing these techniques, organizations can identify suspicious activities and respond promptly to prevent further unauthorized access.

User profiling can help detect early warning signs of an account takeover attack attempt, such as changed login times, unusual geolocations, or unusual transaction types. Real-time monitoring and analysis of user activity can also provide insights into fraudulent activities, such as automated bot attacks or brute force attempts.

Overall, account activity monitoring and user profiling are essential in preventing identity theft and account takeover fraud, providing organizations with the ability to detect and respond to suspicious activity quickly. While the implementation of such monitoring and profiling can be complex and resource-intensive, the benefits of early detection and prevention far outweigh the cost.


Account takeover fraud remains one of the top threats for businesses that rely on their users having online accounts - especially fintechs.

At Oscilar we are building the next-generation risk operating platform. This no-code solution gives autonomy to risk teams - allowing them to be at the forefront of fighting fraudsters and protecting your user accounts.

If you are curious about how our solution looks under the hood, consider booking a demo below.

See it in action – book a demo today

See it in action – book a demo today

Automate 90% of your risk decisions

Make better decisions with ML models tailored to your data

60+ pre-built integrations with popular data sources

Trusted by banks and fintech innovators

Trusted by banks and fintech innovators