The Harsh Reality of Account Takeover Fraud and the Future of Prevention [Infographic]

Account takeover (ATO) fraud is when a bad actor seizes control of an online account, changes information such as the username, password or other personal information, and then makes unauthorized transactions with that account.

ATO is on the rise, and businesses and banks are in the crosshairs. 2022 had the second-highest number of data compromises in the U.S. in a single year, impacting at least 422 million individuals.

ATO fraud shows no sign of slowing, which is not surprising considering the daily barrage of data breaches (many of which include the theft of usernames and passwords) and the parallel growth in the dark web and cyber toolkits to perpetrate attacks via bots.

It is more important than ever for organizations to invest in robust cybersecurity measures and identity verification solutions to prevent account takeovers and protect their customers’ assets and information. Whether your company provides financial services, travel, mobility, healthcare, social media or any other industry that is a target for fraud, here is what you need to know about ATO attacks and what effective fraud prevention looks like in the digital age.

What Is Account Takeover Fraud?

Account takeover (ATO) fraud is a form of identity theft in which a fraudster gains unauthorized access to someone else’s account information, such as a bank account, email account, or social media account, and takes control of it. Once the fraudster has gained access, they can change information such as the account’s username, password, or other personal information, and then use the account to make unauthorized transactions or engage in other fraudulent activity.

Cybercriminals steal personally identifiable information (PII), such as social security numbers and login credentials, and use it to take over user accounts. Identity theft can lead to chargebacks and other issues for both individuals and financial institutions.

Types of accounts most vulnerable to attack:

• Online banking accounts
• Credit card accounts
• Email accounts
• Social media accounts
• Healthcare portals
• Government service portals
• Utility service accounts
• Gaming and entertainment accounts

The Impact of a Successful Account Takeover

For financial institutions, the impact of a successful account takeover can be devastating. Not only can it result in significant financial losses, but it can also damage the institution’s reputation and erode customer trust. The impact can be felt across the organization, from the front-line employees who must manage customer complaints and account recovery, to senior executives who must navigate the financial and legal fallout.

Account takeovers can also result in regulatory fines and legal action, particularly if the institution is found to have inadequate security measures in place. In addition, financial institutions may be required to provide compensation to account holders who have been victims of fraud, further adding to the financial impact.

Additionally, e-commerce businesses are a prime target for ATO attacks, as they deal with a large volume of user accounts and financial transactions. Cybercriminals can use compromised accounts to make unauthorized purchases or steal funds from the business.

Methods Used in Account Takeover Fraud

Account takeover (ATO) fraud is a serious threat to individuals and organizations alike. To carry out an account takeover attack, cybercriminals use a range of tactics, including:

• Phishing: A social engineering technique where attackers send fake emails or messages to trick users into giving away their login credentials or other sensitive information. Phishing attacks often look legitimate and may appear to come from a trusted source.
• Credential Stuffing: This method involves using stolen username and password combinations to gain access to accounts. Attackers use automated scripts to try these stolen credentials on multiple websites in the hopes that users reuse their passwords.
• Malware: Hackers can use malware to infect users’ devices and steal their financial accounts and other sensitive data. Malware can be distributed through phishing emails or malicious websites.
• Scams: There are various types of scams, such as fake tech support or prize-winning schemes, to trick users into giving away their login credentials or other sensitive information.
• SIM Swapping: Attackers can use SIM swapping to take control of a victim’s phone number, allowing them to intercept SMS messages containing two-factor authentication codes or password reset links.
• Brute Force Attacks: By using automated scripts, fraudsters try multiple password combinations until the correct one is found. Attackers use this technique to take advantage of vulnerabilities to gain access to victims’ accounts.
• Man-in-the-middle Attacks: Cybercriminals intercept communication between two parties and can steal sensitive information or manipulate the conversation.

Common ATO Attack Red Flags

• Sudden changes in login behavior: This includes login attempts from new devices, new locations, or at unusual times.
• Multiple failed login attempts: A brute force attack can be indicated by a number of multiple failed login attempts within a short period of time.
• High-volume login attempts: An unusual spike in login attempts can indicate a botnet attack.
• Change in account details: If there are sudden changes to an account’s email, phone number, or other personal information, it can indicate an ATO attack.
• Suspicious transactions: When there are suspicious transactions, such as a high volume of chargebacks or a large number of purchases from new or unusual locations, it can indicate an ATO attack.
• Unusual changes in account behavior: This includes changes in browsing behavior, the addition of new contacts, unusually high message volume, or other unusual activity

What to Do if You’re a Victim of ATO

If you suspect you or your customer has been a victim of an account takeover, taking immediate action is critical in preventing further damage. Here are the steps to take:

1. Contact your Financial Institutions. The bank or credit card company will help you freeze your account preventing any further damage.
2. Change your passwords. Do this for all your accounts, including your email, social media and financial accounts. Use strong and unique passwords and enable multi-factor authentication where possible.
3. Report to the appropriate authorities. File a report with the Federal Trade Commission (FTC) and your local police department. This can help to prevent future incidents and may be required for reimbursement.
4. Invest in Enhanced Fraud Protection. Using dynamic biometric authentication stops fraudsters before they gain access to sensitive information.

How Financial Institutions Can Prevent Account Takeover Fraud

Account takeover attempts are rapidly rising, which is why companies need to reconsider the password as their go-to authentication methodology. We’re living in a Zero Trust World, so we need to start behaving that way and building in the necessary safeguards to more reliably ensure that the user logging in is the actual account owner and not a fraudster impersonating that user with stolen login credentials.

Fortunately, there are several tailwinds that may signal a change and willingness to forsake the username and password paradigm. In fact, the vast majority of CIO, CISO and Security VPs would abandon password authentication if they could. 

The Future of Secure and Seamless Customer Authentication

In this era of no trust, it’s not surprising that companies are starting to pay more than lip service to online security and alternative authentication methods. While conventional wisdom holds that consumers will value speed over all else, more and more consumers are placing a premium on security and prioritizing it above convenience for the majority of their applications, particularly for money-related applications.

Secure and seamless customer authentication is paramount for businesses and financial institutions. It is not only about the functionality, enhancing security and improving the customer experience, but it also represents a fundamental shift in how we approach identity verification.

Multi-factor authentication (MFA) is becoming increasingly important for securing customer accounts. MFA requires users to provide two or more forms of authentication to access their accounts, making it more difficult for fraudsters to bypass security measures. However, implementing MFA can also present challenges such as added friction for customers and the need for seamless integration with existing systems.

Biometric authentication offers a more reliable and secure way to verify identity, without the need for physical documents or personal information. 72% of consumers globally would rather use face biometrics than passwords for secure online processes. This trend has been accelerated by the broad adoption and familiarity of facial recognition integrated within the most popular smartphones (e.g., Apple Face ID and Samsung’s facial recognition feature).

The Importance of Real Time Fraud Detection and Prevention

Real-time fraud detection and prevention is crucial in today’s digital landscape. As digital payments and online transactions continue to rise, so does the threat of fraud. Fraudsters are constantly finding new and sophisticated ways to bypass traditional fraud prevention methods, making it imperative for businesses to be vigilant in detecting and preventing fraud in real-time.

Real-time fraud detection and prevention allows for suspicious activity to be flagged and investigated as they happen, providing businesses with the opportunity to quickly take action and prevent further fraudulent activity. By using advanced machine learning algorithms and artificial intelligence, businesses can analyze large amounts of transaction data in real-time to detect and prevent fraud before it occurs.

Strengthen Your Security with Jumio

Jumio helps companies prevent account takeover through explicit authentication (ID verification and selfie-based biometric authentication) as well as implicit authentication, which analyzes risk signals such as device risk and geolocation checks. These implicit checks are passive and do not require input from the user, so you can run them silently in the background before you prompt the user to take a selfie.

Even better, if you want to reduce friction for your legitimate users, you can configure your workflow to use explicit authentication only if needed. For example, you might trigger biometric authentication when the risk score from the implicit signals is over a certain threshold, or when the transaction exceeds a certain amount. Our recommended authentication workflow is:

Device risk check + geolocation check -> risk score check -> selfie-based authentication (if needed)

Account takeover fraud is a pervasive and costly issue that affects individuals and businesses alike. The consequences of a successful attack can be devastating, leading to financial loss, reputational damage, and loss of trust among customers.
As the threat landscape evolves, it’s crucial to stay vigilant and adopt a multi-layered approach to security that includes proactive measures such as monitoring account activity and implementing strong authentication methods. With the right tools and strategies in place, businesses can better protect their customers and their bottom line.

Just how real is ATO? Check out this infographic to better grasp the depth and current dangers of account takeover fraud.

(Originally published July 22, 2019; updated in 2023)