Account Takeover Fraud

What is account takeover fraud (ATO)?

Account takeover fraud (ATO) happens when a cybercriminal gains access to the victim’s login credentials to steal funds or information. Fraudsters digitally break into a financial bank account to take control of it and have a variety of techniques at their disposal to achieve this, such as phishing, malware, and man-in-the-middle attacks, among others. ATO is a top threat to financial institutions and their customers due to the financial losses and mitigation efforts involved.

Fraudsters can take over existing accounts, such as bank, credit card and ecommerce accounts. Some account takeovers begin with fraudsters harvesting personal information from data breaches or purchasing it on the Dark Web. Harvested personal information such as email addresses, passwords, credit card numbers and social security numbers is valuable to cyber thieves for financial gain. When an account takeover attack is successful it can lead to fraudulent transactions, credit card fraud and unauthorized shopping from compromised customer accounts. Account takeover is often referred to as a form of identity theft or identity fraud, but first and foremost it’s credential theft because it involves the theft of login information, which then allows the criminal to steal for financial gain. Account takeover fraud is continually evolving and is a constant threat that comes in different forms.

Fraudsters try to remain unnoticed in ATO

In a successful account takeover scenario, fraudsters try to avoid any unusual activity that would reveal that the account has been compromised. Instead, they often try to change the account information, password, and even notifications so the legitimate owner will not be aware of the illicit activities happening in their account. Perpetrators will often steal money from a bank account by making a payment to a fraudulent company or by transferring funds to another account. Fraudsters can also put in a request for a new credit card, new account or another financial product. In addition to these types of actions, they have the power to carry out any number of unauthorized transactions that cause financial harm.

Thieves can also obtain account numbers in many ways, including online hacking, stealing mail, lifting wallets, and ATM and card skimmers. However, there are some signs of account takeover fraud. If multiple users suddenly request a password change or if there is an accumulation of unsuccessful login attempts, these could be indicators of account takeover fraud. Once a cardholder discovers ATO, the merchant can expect to see a number of chargebacks and customer transaction disputes. When account takeover attempts are successful they can put a strain on the relationship between the account holder and the financial institution, and also damage the bank’s brand.

Methods used in account takeover fraud


Phishing:

People remain the weakest security link because of their natural tendency to trust, which is essential to successful social engineering attacks. Phishing scams impersonate well-known and trusted brands and individuals. They appear to be legitimate and can ask for donations with emotional appeals that persuade users to click on links that redirect them to a fake banking portal or to open an attachment that will install a piece of malware that harvests credentials. The most common form of phishing is email, but text messages (SMS) and social media messaging services can also be used. In the case of mobile users, they don’t even need to download an attachment. A link within an SMS can direct a user to a web page that automatically installs malware on their device.

Credential Stuffing:

Fraudsters typically buy a list of stolen credentials off the Dark Web. These can include, among other types of data, email addresses and the corresponding passwords, often from a data breach. Credential stuffing attacks usually involve bots that use automated scripts to try to access an account. Because many people reuse the same user names and passwords over and over, the same stolen credentials can also be used to gain unauthorized access to multiple accounts. However, if the financial institution’s authentication process involves multifactor authentication, such as a fingerprint and one-time password, gaining access becomes more challenging. Another significant method, known as credential cracking, is also referred to as a “brute force” attack because it involves trying to guess the correct account password by making multiple login attempts with a different password each time.
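The two failure patterns described above look different in login logs, and the added example below (not from the original page) separates them: one source failing against many accounts versus one account absorbing many guesses. The event layout, thresholds and time window are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Thresholds and window are illustrative assumptions, not values from the article.
STUFFING_MIN_ACCOUNTS = 5   # distinct accounts one source failed against
CRACKING_MIN_ATTEMPTS = 5   # failed attempts against one account
WINDOW_SECONDS = 600

def classify_failures(events, now, window=WINDOW_SECONDS):
    """Split recent failed logins into the two patterns described above.

    events: iterable of (epoch_seconds, source_ip, username) for FAILED logins.
    Returns (stuffing_sources, cracking_targets) as two sets.
    """
    accounts_by_source = defaultdict(set)
    attempts_by_account = Counter()
    for ts, source_ip, username in events:
        if not 0 <= now - ts <= window:
            continue  # outside the sliding window
        user = username.strip().lower()
        accounts_by_source[source_ip].add(user)
        attempts_by_account[user] += 1
    # Stuffing: one source walks a list, touching many accounts once or twice.
    stuffing = {ip for ip, users in accounts_by_source.items()
                if len(users) >= STUFFING_MIN_ACCOUNTS}
    # Cracking: one account absorbs many guesses, even if the source IP rotates.
    cracking = {user for user, n in attempts_by_account.items()
                if n >= CRACKING_MIN_ATTEMPTS}
    return stuffing, cracking

# Constructed sample events (documentation IP ranges, made-up users).
NOW = 10_000
SAMPLE = (
    [(NOW - 30 - i, "203.0.113.7", f"user{i}@example.com") for i in range(6)]
    + [(NOW - 60 * i, f"198.51.100.{i % 3 + 1}", "alice@example.com") for i in range(6)]
    + [(NOW - 5, "192.0.2.10", "bob@example.com")]  # a single mistyped password
    + [(NOW - 3600 - i, "192.0.2.99", f"old{i}@example.com") for i in range(6)]  # stale
)

if __name__ == "__main__":
    sources, targets = classify_failures(SAMPLE, NOW)
    print("possible credential stuffing from:", sorted(sources))
    print("possible credential cracking against:", sorted(targets))
```

Counting per account rather than per source is what lets the cracking rule survive IP rotation.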

SIM Card Swapping:

Swapping a SIM card is a legitimate service offered by mobile phone carriers when a customer buys a new device, and the old SIM card is no longer compatible with it. Fraudsters can abuse this service with a relatively simple hack. In a SIM card swap scam, a fraudster uses social engineering techniques to transfer the victim’s mobile phone number to a new SIM card. The fraudster contacts a customer’s mobile phone carrier and impersonates the customer, convincing a call center agent to port the mobile phone number to the illegal SIM card. As a result, the user’s banking app can be activated on the fraudster’s phone. If the bank’s authentication mechanism includes text messages as a means of delivering one-time passwords, then taking over the victim’s number becomes an attractive way for a criminal to perform fraudulent transactions, add payees, or perform other operations during a banking session.


Malware:

Another way to take control of a bank account is to install malicious software, or “malware,” on the victim’s computer or mobile device. This can happen when the user downloads apps from untrusted sources, or the malware can be hidden in other programs, for example masquerading as a Flash player update. Some malware, called keyloggers, intercepts everything the user types, including their banking credentials.

Mobile Banking Trojans:

One common technique utilized by mobile banking trojans is an overlay attack in which a fake screen is put on top of a legitimate bank application. The malware then captures the victim’s authentication credentials and can remain active while other banking transactions are performed. For example, the malware can modify transaction data by intercepting a funds transfer and redirecting the money to a fraudulent account. These attacks are destined to grow as smartphone use continues to increase globally.

Man-in-the-Middle Attacks:

In a Man-in-the-Middle attack, fraudsters position themselves between the financial institution and the user in order to intercept, edit, send, and receive communications without being noticed. For example, they can take over the communication channel between the user’s device and the bank’s server by setting up a malicious Wi-Fi network as a public hotspot in a coffee shop and giving it an innocuous but legitimate-sounding name, such as “Public Coffee.” People take advantage of public hotspots, not realizing they may be transferring their payment data through a network controlled by a bad actor. A Man-in-the-Middle attack can also take place through a vulnerable mobile banking application.

How to detect account takeover fraud

ATO can be challenging to detect because fraudsters can hide behind a customer’s positive history and mimic normal login behavior. Continuous monitoring provides the ability to detect signs of account takeover fraud before it begins.

An effective fraud detection system will give financial institutions full visibility into a user’s activity before, during, and after a transaction. The best defense is a system that monitors all activities on the bank account, because before a criminal can steal money they need to perform other actions first, such as setting up a new payee. Monitoring all of the actions on an account with continuous monitoring helps identify the patterns of behavior and clues that indicate a customer may be under attack.
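The idea that preparatory actions precede the theft can be expressed as a rule over an account's event history. The following added example (not from the original page) scores each transfer by what happened shortly before it; the event names, the 30-minute window and the step-up threshold are assumptions.

```python
# Actions an intruder may perform to hide or prepare a theft
# (hypothetical event names, not a real product's schema).
SETUP_ACTIONS = {"password_change", "contact_change", "notifications_off"}
WINDOW_SECONDS = 30 * 60   # assumption: how far back to look before a transfer
STEP_UP_SCORE = 2          # assumption: score at which to challenge the user

def score_transfers(events):
    """events: (epoch_seconds, action, payee_or_None) tuples for one account.

    Returns one (ts, payee, score, reasons) tuple per transfer, where score
    counts the risky preparatory actions seen shortly before it.
    """
    payee_added_at = {}
    recent_setup = []
    results = []
    for ts, action, payee in sorted(events, key=lambda e: e[0]):
        if action == "add_payee":
            payee_added_at[payee] = ts
        elif action in SETUP_ACTIONS:
            recent_setup.append((ts, action))
        elif action == "transfer":
            reasons = []
            added = payee_added_at.get(payee)
            if added is not None and ts - added <= WINDOW_SECONDS:
                reasons.append("new_payee")
            reasons += sorted({a for t, a in recent_setup
                               if ts - t <= WINDOW_SECONDS})
            results.append((ts, payee, len(reasons), reasons))
    return results

def needs_step_up(result):
    """True when a scored transfer should trigger additional authentication."""
    return result[2] >= STEP_UP_SCORE

# Constructed sample history for one account.
SAMPLE = [
    (0,       "add_payee",         "landlord"),
    (50_000,  "transfer",          "landlord"),
    (100_000, "notifications_off", None),
    (100_060, "contact_change",    None),
    (100_120, "add_payee",         "acct-X"),
    (100_300, "transfer",          "acct-X"),
]

if __name__ == "__main__":
    for r in score_transfers(SAMPLE):
        print(r, "-> step-up" if needs_step_up(r) else "-> allow")
```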

This type of fraud detection system can also assess risk based on data such as location. For example, if a customer first accesses their account in North America and then again 10 minutes later from Europe, that is clearly suspicious and could indicate that two different individuals are using the same account.
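The location check in the example above reduces to an implied-speed calculation between consecutive logins. This is an added example, not code from the original page; the speed limit, the minimum distance and the sample coordinates are assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter within a metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """logins: (epoch_seconds, label, lat, lon) tuples for one account.

    Returns (from_label, to_label, implied_kmh) for each consecutive pair
    of logins whose implied speed exceeds max_kmh.
    """
    findings = []
    ordered = sorted(logins)
    for (t1, name1, lat1, lon1), (t2, name2, lat2, lon2) in zip(ordered, ordered[1:]):
        km = haversine_km(lat1, lon1, lat2, lon2)
        if km < MIN_DISTANCE_KM:
            continue  # too close to distinguish from location noise
        hours = (t2 - t1) / 3600
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            findings.append((name1, name2, kmh))
    return findings

# Constructed sample: approximate city coordinates, made-up timestamps.
LOGINS = [
    (0,      "New York", 40.71, -74.01),
    (600,    "Paris",    48.86,   2.35),   # 10 minutes later
    (90_000, "London",   51.51,  -0.13),   # next day: plausible
]

if __name__ == "__main__":
    for src, dst, kmh in impossible_travel(LOGINS):
        print(f"{src} -> {dst}: implied {kmh:,.0f} km/h")
```

VPNs and geo-IP errors produce the same pattern for legitimate users, so the result works better as an input to a step-up decision than as an automatic block.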

If there is a risk of ATO fraud, the fraud prevention system will challenge the person transacting on the account with a request for additional authentication. That could include using an approach known as adaptive authentication or Intelligent Adaptive Authentication. By asking for a higher level of authentication before the transaction is allowed to be carried out – such as a fingerprint biometric or a facial scan – the bank can help prevent account takeover. If the authentication is successful, the transaction can proceed. In the case of a criminal, they will not be able to meet the biometric challenge and the fraud attack would be stopped.

How banks can help prevent account takeover fraud

Single-factor authentication (e.g., static passwords) puts financial institutions and users at risk. The first line of defense is using multifactor authentication (MFA). This could include biometrics such as fingerprint scan or facial recognition, which are difficult to impersonate.

The battle for customers’ bank accounts also needs to be fought with machine learning and continuous monitoring, or watching transactions as they happen, to help prevent account takeover fraud. From the moment a customer lands on a banking session webpage or opens their mobile banking app, continuous monitoring identifies a customer’s normal online journey and interactions with their accounts and devices.

Continuous monitoring using machine learning allows new behavior to be identified that might indicate an attacker or a bot. Typical data points that a fraud prevention system will analyze include: new devices, cookies, headers, referrers, and locations. These can be monitored in real time for discrepancies that don’t match the customer’s usual behavior.

This combines seamlessly with other layers of protection such as two-factor authentication (2FA) and technologies that enable dynamic linking (also known as transaction data signing or transaction authorization). Dynamic linking is a requirement of Europe’s Revised Payment Services Directive (PSD2) that ensures there is a unique authentication code for each transaction that is specific to the transaction amount and recipient.
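Dynamic linking as described above, shown as an added example that is not from the original page: a code computed over the amount and recipient fails verification if either is altered after the user approves. The HMAC-SHA256 construction, the 8-digit truncation, the function names and the sample values are assumptions for illustration, not a scheme the article or PSD2 specifies.

```python
import hashlib
import hmac
from decimal import Decimal

def _canonical(amount, currency, payee_iban, nonce):
    # Normalize, then length-prefix each field so bytes cannot slide from
    # one field into the next and still produce the same MAC input.
    fields = [
        f"{Decimal(amount):.2f}",
        currency.upper(),
        payee_iban.replace(" ", "").upper(),
        nonce,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)

def auth_code(key, amount, currency, payee_iban, nonce, digits=8):
    """Code bound to this exact amount and recipient (hypothetical helper)."""
    mac = hmac.new(key, _canonical(amount, currency, payee_iban, nonce),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def verify(key, code, amount, currency, payee_iban, nonce):
    """Recompute the code from the transaction as received and compare."""
    expected = auth_code(key, amount, currency, payee_iban, nonce)
    return hmac.compare_digest(code.encode(), expected.encode())

# Constructed sample values: demo key, per-transaction nonce, example IBANs.
KEY = bytes(range(32))
NONCE = "txn-0001"
GOOD_PAYEE = "DE89 3704 0044 0532 0130 00"
OTHER_PAYEE = "GB29 NWBK 6016 1331 9268 19"

if __name__ == "__main__":
    code = auth_code(KEY, "250.00", "EUR", GOOD_PAYEE, NONCE)
    print("user approves 250.00 EUR ->", code)
    print("unchanged transaction:", verify(KEY, code, "250.00", "EUR", GOOD_PAYEE, NONCE))
    print("recipient altered:    ", verify(KEY, code, "250.00", "EUR", OTHER_PAYEE, NONCE))
    print("amount altered:       ", verify(KEY, code, "2500.00", "EUR", GOOD_PAYEE, NONCE))
```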

The importance of real-time fraud detection and prevention

Machine learning is very effective at identifying emerging attacks while fraud rules are best at combatting known fraud. Without the ability to accurately detect fraud in real time using a risk engine powered by machine learning, fraud teams struggle to keep up with bot activity and other sophisticated and emerging account takeover fraud techniques. For example, suppose a customer’s email address, phone number, or home address associated with their bank account, credit card account, ecommerce account, or loyalty account suddenly changes in the bank’s system. Was this activity an indication of an account takeover, or did the customer ask for the changes for legitimate reasons? To stop the attack, it’s essential to know as quickly as possible. That’s why the ability to detect account takeover fraud in real time is vital.

ATO is relentless because attack scenarios are always evolving, and new tools are constantly being developed and sold on the Dark Web. That’s where artificial intelligence, combined with a continuous fraud detection system that uses fraud rules, can help.

Strategic importance of a fraud prevention system

The threat landscape for account takeover fraud is constantly expanding due to the number of methods that criminals can use to gain access to their victims’ accounts. This makes it especially challenging for financial institutions to build an efficient system to foil all possible account takeover scenarios. However, a fraud prevention system that relies on a combination of anti-fraud rules and machine learning provides a real-time risk analysis that is better at detecting, mitigating, and managing fraud.
