Top Account Takeover Fraud Schemes and How to Protect Against Them

OneSpan Team,

In an industry survey by the Aite Group, 89% of financial institution (FI) executives pointed to account takeover fraud (ATO fraud) as the most common cause of losses in the digital channel1.

Account takeover fraud is a type of identity theft crime where criminals gain access to the victim’s financial data in order to turn a profit. It is related to but differs from another type of identity theft called synthetic identity fraud. In an account takeover scenario, a criminal uses a legitimate customer’s stolen data or personally identifiable information (PII) to access their existing account. With synthetic identity fraud, however, this data will be interlaced with fabricated details to create a fake identity used to open a new account.

Both types of fraud can cause serious damage to your customers. In this blog post, we will focus on account takeover fraud by describing some of the most pernicious account takeover strategies and explore how, by applying a layered approach, FIs can detect and protect against this type of fraud.

Account Takeover Fraud Techniques

Data Breaches

Some account takeover attacks begin with fraudsters harvesting personal data. This can happen long before a fraudulent transaction takes place. Bad actors simply purchase personal data leaked as part of a previous data breach. The many recent breaches of large corporations have exposed billions of usernames, email addresses, passwords, credit card numbers, and social security numbers. 

With this leaked data, cybercriminals can prepare targeted phishing campaigns. They can also gain unauthorized access to accounts by using an automated attack (or in the case of less experienced fraudsters, by manually typing in combinations of credentials). If an FI’s authentication mechanisms rely on weak security measures such as static passwords, criminals will use a technique known as credential stuffing. Credential stuffing is when an army of bots checks a list of stolen credentials against a range of websites hoping for a match. If the authentication process includes multi-factor authentication (e.g., fingerprint and one-time password), gaining unauthorized access to an account will require more effort.


Phishing attacks are a form of social engineering that preys upon certain human qualities by creating a sense of urgency or exploiting our trust in established institutions. A phishing email, for example, may look exactly like a valid communication from the recipient’s financial institution alerting the user that their account is at risk. It may also contain items masquerading as a document from the bank or include other trappings of a legitimate email, such as logos, email signatures, and real employee names.

In such a scenario, clicking the link in the email would redirect the user to a fake website that looks identical to their bank’s site. From there, the web page would trick the user into divulging their credentials. Alternatively, opening an email attachment could install a piece of malware on their device that will intercept their banking credentials the next time they are entered into the bank’s legitimate site. Finally, the phishing email could prompt the user to call a requested number. On the other end of the phone will be a well-trained fraudster who will impersonate a bank representative.

Phishing has many faces, including:

  1. Spear phishing: A phishing attempt that targets a specific individual or group.
  2. Whaling: An attack that targets a high-profile individual.
  3. Vishing or “voice phishing”: A phishing scam over the phone. 
  4. Smishing: Text messages that can include a link to a fake banking portal or a messenger-based scam. 

SIM Swap Attacks

Mobile phone operators offer a legitimate service to swap a user’s SIM card. Often, customers take advantage of this service when they switch to a new device that no longer supports their previous SIM card. Fraudsters can abuse this service. They use social engineering techniques to de-activate a victim’s SIM card and obtain a new card with the user’s phone number and data. In this way, the fraudster can target banking solutions that use mobile phones in the authentication flow. For example, if enrollment of a mobile banking app happens via the SMS channel, SIM swapping may enable fraudsters to activate this app on their phone. Also, if the bank’s authentication mechanism includes text messages as a means of delivering one-time passwords, then taking over the victim’s number is an attractive way for criminals to authenticate fraudulent transactions or perform other operations within the banking session.


Another way to take control of a bank account is through malware. This malicious software may be installed on the victim’s computer or mobile device through a wide range of user actions. These include visiting risky websites, opening attachments from phishing emails, or downloading mobile apps from untrusted sources. It can also be bundled with other programs (e.g., masquerading as a Flash Player update). Malware programs can perform different kinds of attacks. Some will install configuration files on the infected computer in order to redirect the victim to a malicious website. Some, called key loggers, will intercept everything the victim types, including their banking credentials. Others can infect a web browser by installing as an add-on. Known as a Man-in-the-Browser attack, they are capable of intercepting credentials or modifying transaction details or other data. 

Mobile banking Trojans are a threat that has been growing in number and complexity, reaching a historic high last year. One of the functionalities of a mobile banking Trojan is an overlay attack. In an overlay attack, a piece of malware will create an additional layer over the user interface on the mobile device. This additional layer is actually a window covering the legitimate banking application and mimicking its design. Once it detects that the banking app is running, it will activate, push the targeted app to the background, and display its own login interface instead. An unaware victim will go through the authentication process, and the malware will gather the user’s credentials.

Mobile banking Trojans can cause even further damage. The malware can remain active and modify the data while the victim performs other actions within the banking session. For example, a banking Trojan can intercept a transfer of funds and redirect the money to a fraudulent account. If you would like to read about such an attack in more depth, check out our blog, “Protecting against the BankBot Android Banking Malware Using RASP.”


In this type of attack, fraudsters position themselves between the FI and the user in order to intercept, edit, send, and receive communications without raising suspicion. Taking over the communication channel 
between the user’s device and the server can be done by setting up a malicious Wi-Fi network as a public hotspot (known as a rogue access point). Through this access point, a fraudster is able to intercept all data the victim sends and receives. 

Man-in-the-Middle attacks can also affect the mobile banking channel. People take advantage of public hotspots, not realizing they may be transferring their payment data through a network controlled by a bad actor. Of course, mobile banking apps should apply certain security measures when communicating with a server. However, improper design can make an app vulnerable. Incorrect configuration or lack of a secure channel for mobile data-in-transit also increases the risk of this type of attack.

Missing media item.

Multi-layered Protection against Account Takeover Fraud

Without a solid set of security measures, an account takeover attack can go unnoticed for weeks or even months, especially if fraudsters manage to reroute all the banking communication from the victim into their digital channels. Sometimes, the victim will only spot the attack when they notice odd activity in their account statement.

Despite countermeasures taken by banks, such as customer education, many users still fall into the trap. A multi-layered security approach is the best way to minimize the risk of an FI’s customers falling victim to account takeover fraud. This approach brings together several solutions that protect bank operations and customers without any negative effect on user experience.

Prevention – Securing the User and the Application

With attack scenarios increasing in variety and complexity, it is important for FIs to offer solutions that will help their customers avoid confusion, thereby minimizing the risk of interaction with a fraudster. A fraud prevention system should combine capabilities that shield both users and their devices.

Protecting the User

OneSpan’s Cronto® visual transaction signing capability helps protect users from social engineering, Man-in-the-Middle attacks, and subsequently from becoming victims of account takeover fraud.


OneSpan’s Cronto transaction signing solution creates a unique transaction signature for each transaction using data such as account numbers, transaction amount, and a time stamp.

Cronto limits the possibility of modifying the contents of the transaction being signed, because the generated visual code is directly connected to the financial transaction itself. Any change in these details will invalidate the code. Transaction details are clearly visible for the user while authorizing a transaction, preventing the Man-in-the-Middle scenario. In addition, no fraudulent party is able to tamper with the creation of a Cronto code. That code can only be generated with the involvement of the bank, based exactly on the details of the transaction requested by the user.

Protecting the Application and the Communication Channel

A mobile application can be part of the authentication process in online banking. It can also constitute a separate, mobile banking channel — currently one of the top priorities for FIs, but also a very valuable attack vector for fraudsters. Mobile devices can become a vulnerability in the digital customer journey, but with proper security controls, they can actually become an asset contributing to a safe user experience.

With OneSpan’s Mobile Security Suite, FIs can gain visibility into mobile channel risk and help to mitigate fraud. The solution helps establish trust and applies a comprehensive approach to mobile security by taking into account: the app, device, interface, communications, storage, and users. It can detect vulnerabilities in the user’s device and apply precisely defined security measures. With application shielding and runtime protection, it helps block overlay attacks, key loggers, and other malicious technologies from stealing or modifying user data. For example, OneSpan App Shielding has a built-in mechanism to detect how the application was put in the background state, which, together with other criteria, can help determine whether the user is a victim of an overlay attack.

Proactive Fraud Detection across all Digital Channels

FIs need the ability to proactively detect signs of an account takeover before their customers are affected. There are signals in user, device, and transactional data that can provide indicators that customers are under attack. An overview of all customer actions can also help catch suspicious combinations of events. For example, if multiple users suddenly request a password change or if there is an accumulation of unsuccessful login attempts, this could be an indicator of account takeover.

OneSpan Risk Analytics can help. Risk Analytics scores every action and every user in all digital channels. It gathers knowledge on all actions before, during, and after the banking session to create a complete overview of the situation. It utilizes a risk analytics engine that leverages machine learning to analyze hundreds of data points, spot anomalies in user behavior, and recommend authentication requirements based on highly accurate risk scores. Finally, it can help prevent various account takeover scenarios, like unauthorized creation of new payees, new account profile changes, and fund transfers.  

Intelligent Adaptive Authentication – Improve the Customer Experience while Strengthening Security

OneSpan’s Intelligent Adaptive Authentication (IAA) solution provides the precise level of security at the right time for each transaction, based on real-time risk analysis of user, device, and transaction data. Every authentication journey is different – that’s why the solution evaluates all user actions case by case to determine the most suitable authentication method(s) based on the level of risk. Tailoring the authentication flow to each unique transaction makes it more difficult for fraudsters to predict and plan their attacks. This unpredictability thwarts a fraudster’s attempt to turn a fast profit with minimum effort.

Looking ahead to the Future of Account Takeover Fraud

Account takeover fraud will only continue to grow and grow quicker. It is a relatively easy source of profit for bad actors who will continue to exploit all available weaknesses in the financial banking system. However, a modern and multi-layered security approach can significantly contribute to mitigating the attacks that lead to account takeover. Solutions that protect the user, the device, the app, and the communication channel, combined with a comprehensive risk analytics engine and intelligent authentication framework, are essential to moving forward in the fight against account takeover fraud.

1. Digital Channel Fraud Mitigation: Evolving to Mobile-First, Aite Group LLC,

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.