
What is account takeover fraud?


In the US alone, it is estimated that losses related to account takeover fraud (ATO) amounted to $11bn in 2021, representing a 90 percent increase from 2020. 

In our 2023 global compliance survey, 39 percent of respondents said the type of fraud they were most concerned about was credit/debit card fraud, closely followed by identity theft (36 percent) – both of which have a close proximity to ATO. 

As fraud and scams continue to evolve, it is critical for compliance teams to enhance their knowledge of specific fraud types so mitigation efforts are targeted and effective. 

What is account takeover fraud (ATO)?

Account takeover fraud (ATO) occurs when a criminal takes control of a victim’s online account to steal funds or sensitive information. This can happen when a customer’s login details – such as username and password – are used without permission to access their bank account, credit card, mobile phone account, or eCommerce account. The cybercriminals then make fraudulent transactions from the customer’s account, using sophisticated techniques to remain undetected and avoid raising suspicions from the victim or their bank.

Commonly, customers’ credentials are stolen or bought on the dark web in order to commit ATO. This cybercrime has become even easier following several high-profile data breaches affecting large corporations. Once the credentials have been stolen, the criminals either financially defraud the victim or sell their details to a third party. For example, a cybercriminal may pay over $1,000 for the credentials to illegally access a PayPal account.

How does account takeover fraud differ from identity theft? 

While account takeover fraud and identity theft are similar, the concepts are not interchangeable. With ATO, a victim’s credentials (username and/or password) are stolen for financial gain. With identity fraud, cybercriminals typically have access to some of the customer’s details, but not their login credentials. 

The two fraud types, however, do have a strong connection. Aite Novarica found that 64 percent of US consumers who experienced identity theft in 2021 also experienced account takeover fraud. 

What methods are used in account takeover fraud?

Common ATO methods include:

  • Credential stuffing: Fraudsters use automated tools, or bots, to test lists or databases of stolen username and password pairs against a login page until one matches. When people reuse the same username and password across more than one service provider, it becomes easier for criminals to illegally access customer accounts. This type of cybercrime is also known as list cleaning, breach replay, or password spraying. 
  • Brute force attacks: In a brute force attack, cybercriminals use bots to try to break into accounts by trying many different passwords against a single site. This is similar to credential stuffing, but more guesswork is involved. When the bots draw their guesses from a list of common words or passwords, this is known as a dictionary attack.
  • SIM swaps: SIM swapping is a form of social engineering where a criminal transfers the victim’s phone number to their own SIM card. This means they can access the victim’s mobile banking app and intercept security measures such as one-time passwords (OTPs). They can also access any data on the SIM that helps them discover other passwords or personal identifying information (PII).
  • Phishing and social engineering: An estimated 22 percent of people in the US have been victims of account takeover fraud, with phishing and social engineering among the most common methods. Fraudsters use information that is easily discovered online to trick victims into revealing PII, then use that information to take over the victim's accounts. Criminals can also send emails from the compromised account to the victim's contacts to try to defraud them too. 
  • Man-in-the-middle attacks: Man-in-the-middle attacks are commonly carried out on people accessing public hotspots when they are out and about. Bad actors can disguise their network as a public hotspot and steal payment data from unsuspecting victims. For this reason, many financial institutions encourage customers not to carry out financial transactions over public Wi-Fi hotspots.
  • Malware: Criminals adept in account takeover fraud are becoming even more sophisticated, and some now use malware on the victim's device to intercept OTPs.

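The credential stuffing and brute force patterns above look different in login telemetry: one source address trying many usernames once each, versus one source address hammering a single username. The following is an added example, not ComplyAdvantage code, that labels such bursts from a constructed login log. The log format, the IP addresses (documentation ranges), the thresholds and the labels are all assumptions chosen for the illustration.

```python
"""Label failed-login bursts per source IP as credential stuffing or brute force.

Added example with a constructed log; the line format and thresholds are
assumptions, not those of any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (assumed format: timestamp ip user result).
SAMPLE_LOG = """\
2024-10-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-10-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-10-07T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-10-07T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-10-07T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-10-07T10:00:06Z ip=203.0.113.5 user=grace result=FAIL
2024-10-07T10:00:07Z ip=203.0.113.5 user=heidi result=FAIL
2024-10-07T10:00:08Z ip=203.0.113.5 user=ivan result=FAIL
2024-10-07T10:00:09Z ip=203.0.113.5 user=judy result=FAIL
2024-10-07T10:00:10Z ip=203.0.113.5 user=mallory result=FAIL
2024-10-07T10:01:00Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:01Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:02Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:03Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:04Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:05Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:06Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:07Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:08Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:09Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:10Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:01:11Z ip=198.51.100.7 user=carol result=FAIL
2024-10-07T10:02:00Z ip=192.0.2.9 user=dave result=FAIL
2024-10-07T10:02:30Z ip=192.0.2.9 user=dave result=FAIL
2024-10-07T10:02:45Z ip=192.0.2.9 user=dave result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_failures=8, stuffing_ratio=0.8):
    """Find, per source IP, the densest burst of failures inside `window` and label it.

    A burst where almost every failure names a different user is credential
    stuffing; a burst aimed at one user is brute force. Sources whose worst
    burst stays under `min_failures` (a normal user mistyping) are not reported.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        best, start = [], 0
        for end in range(len(fails)):           # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < min_failures:
            continue
        users = {user for _, user in best}
        if len(users) / len(best) >= stuffing_ratio:
            label = "credential_stuffing"
        elif len(users) == 1:
            label = "brute_force"
        else:
            label = "mixed"
        verdicts[ip] = {"label": label, "failures": len(best), "distinct_users": len(users)}
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The third source (192.0.2.9) fails twice and then succeeds, which is what a legitimate customer mistyping a password looks like, so it stays below the threshold and is not reported; tuning `min_failures` and `window` against real traffic is what keeps such customers from being locked out by an overly eager rule.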
How to detect account takeover fraud?

With global e-commerce sales set to reach $8.1 trillion by 2026, it has never been more important to get ahead of criminal trends, technology, and behaviors. 

Compliance and fraud professionals in financial institutions should be aware of red flags related to this practice and trained in how to spot and report illegal activity. Fraud and anti-money laundering (AML) teams should work together to share information in order to provide a high level of ATO protection. A fraud and AML (FRAML) approach can aid early detection, improve efficiencies and help professionals stay ahead of new typologies.

Examples of account takeover red flags include:

  • Multiple login attempts
  • Multiple password change requests
  • Changes to the back-up device or email address where OTPs are sent
  • Notifications being turned off
  • Changes to contact details, including postal address and zip code
  • Setting up of a new payee or authorized user
  • Requesting credit cards or cheque books to a new address

While no single red flag will reveal if an account has been compromised, firms should consider each transaction’s relevant facts and circumstances in line with a risk-based approach to compliance. 
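One way to turn the red-flag list into a risk-based check is to score account events over a window, so that a combination of flags triggers review while a single change on its own only raises the account's monitoring level. The following is an added example, not ComplyAdvantage code; the event names, weights, thresholds, 24-hour window and account identifiers are assumptions chosen to illustrate the approach.

```python
"""Score ATO red flags per account over a window of constructed account events.

Added example; event names, weights and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# flag name: (event type it is derived from, minimum count in window, weight)
RED_FLAGS = {
    "multiple_login_attempts":  ("login_failed", 3, 2),
    "multiple_password_resets": ("password_change_request", 2, 2),
    "otp_destination_changed":  ("otp_device_changed", 1, 3),
    "notifications_disabled":   ("notifications_disabled", 1, 2),
    "contact_details_changed":  ("address_changed", 1, 2),
    "new_payee_or_user":        ("payee_added", 1, 3),
    "card_to_new_address":      ("card_requested_new_address", 1, 3),
}
REVIEW_SCORE = 5   # assumed: total weight needed before an analyst review is raised
MIN_FLAGS = 2      # assumed: no single red flag, however heavy, triggers review alone


def score_account(events, window=timedelta(hours=24)):
    """events: list of (datetime, event_type) for one account.

    Only events inside `window` of the account's latest event are counted.
    """
    if not events:
        return {"flags": [], "score": 0, "verdict": "normal"}
    latest = max(ts for ts, _ in events)
    counts = Counter(et for ts, et in events if latest - ts <= window)
    flags = [name for name, (et, min_count, _) in RED_FLAGS.items() if counts[et] >= min_count]
    score = sum(RED_FLAGS[f][2] for f in flags)
    if score >= REVIEW_SCORE and len(flags) >= MIN_FLAGS:
        verdict = "review"
    elif flags:
        verdict = "monitor"
    else:
        verdict = "normal"
    return {"flags": flags, "score": score, "verdict": verdict}


def score_all(events):
    """events: list of (datetime, account_id, event_type); returns a verdict per account."""
    by_account = defaultdict(list)
    for ts, account, et in events:
        by_account[account].append((ts, et))
    return {account: score_account(evs) for account, evs in by_account.items()}


# Constructed sample events (account ids and times are made up).
T = datetime(2024, 10, 7, 9, 0)
SAMPLE_EVENTS = [
    # A-1001: burst of failed logins, then the OTP device and a payee change
    (T, "A-1001", "login_failed"),
    (T + timedelta(minutes=1), "A-1001", "login_failed"),
    (T + timedelta(minutes=2), "A-1001", "login_failed"),
    (T + timedelta(minutes=3), "A-1001", "login_failed"),
    (T + timedelta(minutes=30), "A-1001", "otp_device_changed"),
    (T + timedelta(hours=2), "A-1001", "payee_added"),
    # A-2002: one new payee and nothing else, plausible legitimate activity
    (T + timedelta(hours=1), "A-2002", "payee_added"),
    # A-3003: three failures days ago fall outside the window; one recent failure
    (T - timedelta(days=3), "A-3003", "login_failed"),
    (T - timedelta(days=3) + timedelta(minutes=1), "A-3003", "login_failed"),
    (T - timedelta(days=3) + timedelta(minutes=2), "A-3003", "login_failed"),
    (T, "A-3003", "login_failed"),
]

if __name__ == "__main__":
    for account, result in score_all(SAMPLE_EVENTS).items():
        print(account, result)
```

A-1001 combines three flags and is raised for review; A-2002 carries a heavy single flag (a new payee) but, following the principle that no single red flag reveals a compromise, is only placed on monitoring; A-3003's old failures have aged out of the window, so it is treated as normal. The weights are the place to encode a firm's own risk appetite and typologies.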

How can companies protect themselves against account takeover fraud?

There are a number of methods financial organizations use for account takeover protection. For example, many firms typically:

  • Encourage customers to practice good password hygiene: change passwords regularly; use a password manager; avoid using the same password across multiple sites
  • Alert customers if their username or password has been compromised in a data breach
  • Offer customers the option to be contacted before their credit limit is increased
  • Require customers to request a credit limit increase in a branch or over the phone rather than online
  • Recommend customers turn on multi-factor authentication (MFA) 
  • Send an email and/or text when a change has been made
  • Include fraud alerts at relevant points in the customer journey
  • Use methods, such as CAPTCHA, to spot and block bots

ATO methods are constantly being devised and adapted by cybercriminals. Firms can use fraud detection tools to look for patterns and identify risks in real time. Customer screening and transaction monitoring solutions that utilize artificial intelligence can compare a customer’s typical behavior with their current behavior to identify and block suspicious activity. In the future, biometrics may also be key to account takeover fraud protection.


Originally published 21 March 2023, updated 07 October 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).