Account Takeover Fraud

What is the definition of Account Takeover Fraud (ATO)?

Account takeover fraud (ATO) occurs when a cybercriminal obtains a victim’s login credentials in order to steal money or information. Fraudsters use a number of methods to get into a bank account and take control of it, including phishing, malware and man-in-the-middle attacks. Because of the financial losses it causes and the mitigation measures it requires, ATO is a major danger to financial institutions and their clients.

Existing accounts, such as bank, credit card and ecommerce accounts, can be taken over by fraudsters. Some account takeovers start with fraudsters stealing personal information in data breaches or buying it on the Dark Web. Personal information such as email addresses, passwords, credit card numbers and social security numbers obtained by attackers can be turned directly into financial gain.

When an account takeover attack succeeds, it can result in fraudulent transactions, credit card fraud and illegal purchases from the stolen consumer accounts. Account takeover is sometimes referred to as identity theft or identity fraud, although it is first and foremost credential theft: it starts with the theft of login credentials, which is what allows the criminal to steal for financial benefit. Account takeover fraud is a constantly evolving threat that arrives in several forms, and a successful attempt ends in fraudulent transactions and unauthorised purchases from the victim’s compromised financial accounts.

What are the methods used in Account Takeover Fraud?

Phishing:

People continue to be the weakest link in security because of their inherent willingness to trust, which is exactly what an effective social engineering attack relies on. Scammers imitate well-known and trusted companies and individuals. They appear genuine and may solicit donations through emotive pleas that encourage users to click on links that send them to a bogus banking page, or to open an attachment that installs credential-harvesting malware. Email is the most commonly used phishing channel, but text messages (SMS) and social media messaging services are also used. In the case of mobile users, there is no need to even download a file: a link in an SMS can take the user to a web page that installs malware automatically.

Credential Stuffing:

Fraudsters usually purchase a list of stolen credentials from the Dark Web. These can contain, among other things, email addresses and passwords exposed in a data breach. Credential stuffing attacks commonly use bots running automated scripts to try those credentials against login pages. Because many individuals reuse the same usernames and passwords, a single leaked pair can also be used to gain unauthorised access to several accounts. Gaining access becomes far more difficult if the financial institution’s verification procedure includes multifactor authentication, such as a fingerprint and a one-time password. A related technique is credential cracking, sometimes known as a “brute force” attack, which attempts to guess the correct account password by trying to log in many times with a different password each time.
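As an added example, not code from the original article, here is a small Python detector that scans constructed authentication log lines for the credential-stuffing pattern described above: one source address trying many distinct usernames with a high failure ratio inside a short window, with any success inside that window reported as a possible takeover. The log format, addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Spot credential-stuffing activity in authentication logs.

Added example, not code from the original article. Input is constructed log
text in the form "<ISO timestamp> <source IP> <username> <OK|FAIL>"; the
thresholds (window, distinct-username count, failure ratio) are assumptions
chosen for illustration, not figures from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; 203.0.113.10 cycles through many usernames and
# lands one success, which is the classic stuffing signature.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.10 alice FAIL
2024-03-01T10:00:02 203.0.113.10 bob FAIL
2024-03-01T10:00:02 203.0.113.10 carol FAIL
2024-03-01T10:00:03 203.0.113.10 dave FAIL
2024-03-01T10:00:03 203.0.113.10 erin OK
2024-03-01T10:00:04 203.0.113.10 frank FAIL
2024-03-01T10:00:05 203.0.113.10 grace FAIL
2024-03-01T10:00:05 203.0.113.10 heidi FAIL
2024-03-01T10:00:30 198.51.100.7 alice FAIL
2024-03-01T10:00:45 198.51.100.7 alice OK
2024-03-01T10:05:00 192.0.2.55 bob OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs whose traffic looks like stuffing.

    For each IP, slide a time window over its events and look for a window
    that touches many distinct usernames with a high failure ratio. A normal
    user mistyping a password fails on one username; a stuffing bot fails
    across many. Successes inside a flagged window are reported as accounts
    that may already be taken over.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "successes": sorted(u for _, u, r in span if r == "OK"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The second address (198.51.100.7) fails once and then succeeds on the same username, which is what a legitimate user mistyping a password looks like, so it is not flagged. In practice the per-IP view should be complemented by a per-username view, since stuffing botnets spread attempts across many source addresses.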

SIM Card Swapping:

When a consumer purchases a new device and the previous SIM card is no longer compatible with it, mobile phone companies provide a legitimate service called SIM card swapping. Fraudsters can abuse this service with a simple social-engineering ploy. In a SIM swap scam, a fraudster has the victim’s mobile phone number transferred to a new SIM card by contacting the victim’s mobile carrier, impersonating the customer and persuading a call centre representative to move the phone number to the fraudster’s SIM. The victim’s banking app can then be activated on the fraudster’s phone. If the bank’s authentication process relies on SMS messages to deliver one-time passwords, taking over the victim’s number becomes an appealing way for a criminal to conduct fraudulent transactions, create payees or carry out other activities during a banking session.

Malware:

Another method of gaining control of a bank account is to install harmful software, or “malware”, on the victim’s computer or mobile device. This is accomplished by downloading software from untrustworthy sites, or by hiding malware in other programmes, such as a bogus Flash player update. A keylogger intercepts whatever the user types, including their banking credentials.

Mobile Banking Trojans:

An overlay attack, in which a fake screen is placed on top of the real bank application, is a typical technique used by mobile banking trojans. The trojan captures the victim’s login credentials from the overlay and can stay active while other financial transactions are being processed. For instance, it can alter transaction data by intercepting a cash transfer and redirecting it to an account the fraudster controls. These attacks are only going to get worse as smartphone usage grows throughout the world.

Man-in-the-Middle Attacks:

In a Man-in-the-Middle attack, fraudsters place themselves between the financial institution and the user to intercept, alter, send, and receive messages while remaining undetected. They can, for example, take over the communication route between the user’s device and the bank’s server by establishing a rogue Wi-Fi network as a public hotspot at a coffee shop and naming it something harmless but legitimate-sounding like “Public Coffee.” People use public hotspots without understanding they are passing payment data across a network controlled by a criminal party. A Man-in-the-Middle attack can potentially occur via a weak and insecure mobile banking application.

How to detect Account Takeover Fraud

Because fraudsters can hide behind a customer’s good history and replicate typical login activity, ATO can be difficult to detect. Continuous monitoring enables the detection of early warning indications of account takeover fraud.

A good fraud detection system gives financial institutions complete visibility into a user’s behaviour before, during and after a transaction. The strongest defence is a system that monitors every account activity, because a thief must first perform other actions, such as setting up a new payee, before money can be moved. Monitoring all account operations helps identify patterns of behaviour that signal the risk of account takeover fraud, so a system with continuous monitoring looks for the trends and signals that indicate a customer is under attack.

A fraud detection system of this sort can also estimate risk based on data such as location. For example, if a client initially logs in to their account in North America and then logs in again 10 minutes later from Europe, this is clearly suspicious and might imply that two separate people are using the same account.
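The location check in that example, as added Python code that is not from the original article: it computes the great-circle distance between consecutive logins on one account and flags any pair whose implied speed no traveller could reach. The coordinates, timestamps and the speed threshold are constructed assumptions.

```python
"""Flag "impossible travel" between consecutive logins on one account.

Added example, not from the original article. Each login is a constructed
(ISO timestamp, latitude, longitude, label) tuple; the maximum plausible
speed is an assumption (roughly airliner speed) and the coordinates are
approximate city centres.
"""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=1000.0):
    """Return (from_label, to_label, implied_speed_kmh) for each consecutive
    pair of logins whose implied speed exceeds max_speed_kmh.

    Logins are sorted by time first so the caller may pass them in any
    order. A zero time gap with a non-zero distance counts as infinite speed.
    """
    ordered = sorted(logins, key=lambda e: datetime.fromisoformat(e[0]))
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
        gap = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
        hours = gap.total_seconds() / 3600
        if hours <= 0:
            speed = math.inf if dist > 0 else 0.0
        else:
            speed = dist / hours
        if speed > max_speed_kmh:
            alerts.append((prev[3], cur[3], round(speed)))
    return alerts


# Constructed login history: New York, then Paris ten minutes later (the
# scenario in the text), then a plausible drive to Philadelphia days later.
SAMPLE_LOGINS = [
    ("2024-03-01T10:00:00", 40.7128, -74.0060, "New York"),
    ("2024-03-01T10:10:00", 48.8566, 2.3522, "Paris"),
    ("2024-03-04T09:00:00", 40.7128, -74.0060, "New York"),
    ("2024-03-04T11:00:00", 39.9526, -75.1652, "Philadelphia"),
]

if __name__ == "__main__":
    for src, dst, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{src} -> {dst}: implied {kmh} km/h")
```

IP geolocation is coarse, and VPN exits or mobile carrier gateways can place a genuine customer far from where they sit, so this signal is best fed into the risk score that decides on step-up authentication rather than used as a hard block on its own.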

If there is a risk of ATO fraud, the fraud protection system prompts the individual using the account to provide extra verification. This may use a technique known as adaptive authentication, sometimes called Intelligent Adaptive Authentication. The bank can help prevent account takeover by requiring a higher degree of identification before allowing the transaction to proceed, such as a fingerprint biometric or a face scan. If the authentication succeeds, the transaction proceeds; a criminal will be unable to pass the biometric check, and the fraud attempt is stopped.

How banks can help prevent Account Takeover Fraud

Single-factor authentication (e.g., static passwords) endangers both financial institutions and users. Multifactor authentication (MFA) is the first layer of protection. This may involve biometrics such as fingerprint scanning or face recognition, which are difficult to fake.

To help prevent account takeover fraud, the fight for clients’ bank accounts must also include machine learning and continuous monitoring, that is, tracking transactions as they happen. Continuous monitoring learns a customer’s normal online journey and how they interact with their accounts and devices, from the moment they land on the banking login page or open the mobile banking app.

Continuous monitoring with machine learning enables the detection of new behaviour that may suggest an attacker or a bot. A fraud protection system will often examine new devices, cookies, headers, referrers, and geolocation. These may be checked in real time for anomalies that do not correspond to the customer’s regular behaviour.
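The following added Python example, which is not code from the original article or from any vendor's product, ties this paragraph to the adaptive-authentication step in the detection section above: the session signals listed here (new device, missing cookie, changed header, external referrer, unfamiliar location) and the new-payee-then-transfer sequence are combined into one risk score, which is mapped to allow, step-up (demand a fingerprint or face scan) or block. The signal names, weights, thresholds, customer profile and the `bank.example` domain are assumptions made for the example.

```python
"""Score a banking session's signals and decide whether to step up authentication.

Added example, not from the original article or any vendor's product. The
signals, weights and thresholds are assumptions chosen to illustrate how new
devices, missing cookies, changed headers, external referrers, unfamiliar
locations and a new-payee-then-transfer sequence combine into one risk score
that drives allow / step-up / block.
"""
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    """What continuous monitoring has learned as the customer's normal."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_user_agents: set = field(default_factory=set)


@dataclass
class SessionSignals:
    """Observations from the current session."""
    device_id: str
    has_session_cookie: bool
    user_agent: str
    country: str
    referrer: str            # "" for a direct visit
    new_payee_added: bool
    transfer_amount: float   # 0.0 if no transfer attempted


# Assumed weights; a production system would learn these rather than fix them.
WEIGHTS = {
    "new_device": 30,
    "missing_cookie": 10,
    "new_user_agent": 10,
    "new_country": 25,
    "external_referrer": 15,
    "new_payee_then_transfer": 30,
}
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70
OWN_DOMAIN = "bank.example"   # placeholder for the institution's own domain


def score_session(profile, s):
    """Return (score, reasons) for a session against the customer's profile."""
    reasons = []
    if s.device_id not in profile.known_devices:
        reasons.append("new_device")
    if not s.has_session_cookie:
        reasons.append("missing_cookie")
    if s.user_agent not in profile.known_user_agents:
        reasons.append("new_user_agent")
    if s.country not in profile.known_countries:
        reasons.append("new_country")
    if s.referrer and OWN_DOMAIN not in s.referrer:
        reasons.append("external_referrer")   # arrived via a link, e.g. from a phishing mail
    if s.new_payee_added and s.transfer_amount > 0:
        reasons.append("new_payee_then_transfer")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score to an action. 'step_up' means demand a stronger factor
    (fingerprint, face scan) before the transaction proceeds."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(profile, signals):
    """Full decision for one session: score, the reasons behind it, action."""
    score, reasons = score_session(profile, signals)
    return {"score": score, "reasons": reasons, "action": decide(score)}


# Constructed profile and sessions (no real customer data).
PROFILE = CustomerProfile(
    known_devices={"dev-a1"}, known_countries={"GB"},
    known_user_agents={"MobileApp/4.2"},
)
NORMAL = SessionSignals("dev-a1", True, "MobileApp/4.2", "GB",
                        "https://bank.example/login", False, 0.0)
NEW_PHONE = SessionSignals("dev-z9", True, "MobileApp/4.2", "GB",
                           "", False, 0.0)
SUSPECT = SessionSignals("dev-z9", False, "Mozilla/5.0", "RO",
                         "https://example.net/promo", True, 2400.0)

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("new phone", NEW_PHONE), ("suspect", SUSPECT)]:
        print(name, evaluate(PROFILE, s))
```

A customer who simply bought a new phone lands in the step-up band and is asked for a biometric, which they can pass; a session that combines a new device, no cookie, a different country and a transfer to a payee created moments earlier scores far above the block threshold. Keeping the reasons list alongside the score matters for analysts reviewing alerts and for explaining a block to the customer.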

This works in tandem with additional layers of security, such as two-factor authentication (2FA) and dynamic linking (also known as transaction data signing or transaction authorization). Dynamic linking is a requirement of Europe’s Revised Payment Services Directive (PSD2) that guarantees each transaction is authorised with a code that is unique to that transaction and bound to its amount and payee.
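To make the dynamic-linking idea concrete, here is an added Python example that is not the directive's text or any bank's implementation: a per-customer secret shared with the customer's authenticator derives a short code over the payee, the amount and a server challenge, and the bank recomputes the code over the transaction it actually received. A code approved for one payee and amount therefore cannot authorise a transaction whose details were altered in transit, which is exactly the overlay and man-in-the-middle manipulation described earlier. The secret, the IBAN-like payee identifier and the challenge value are constructed.

```python
"""Transaction data signing (PSD2 "dynamic linking") with an HMAC.

Added example, not the directive's text or any vendor's implementation. The
customer's authenticator and the bank share a secret; both derive a short
code over payee | amount | server challenge, so the code is bound to exactly
one transaction. Key, payee identifier and challenge are constructed.
"""
import hashlib
import hmac
from decimal import Decimal, ROUND_HALF_UP


def canonical_amount(amount):
    """Normalise the amount so 250, '250.0' and '250.00' sign identically."""
    return str(Decimal(str(amount)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))


def transaction_message(payee, amount, nonce):
    """The exact bytes both sides sign: payee | amount | server challenge."""
    return f"{payee}|{canonical_amount(amount)}|{nonce}".encode()


def derive_code(secret, payee, amount, nonce, digits=8):
    """Derive a decimal code of `digits` length from HMAC-SHA256 using
    HOTP-style dynamic truncation (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, transaction_message(payee, amount, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


def verify_code(secret, payee, amount, nonce, code):
    """Bank side: recompute over the transaction as received and compare in
    constant time. Any change to payee, amount or challenge fails."""
    return hmac.compare_digest(derive_code(secret, payee, amount, nonce), code)


# Constructed values (not a real key, account or challenge).
SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
NONCE = "srv-challenge-7f3a"
PAYEE = "GB00TEST00000000000001"

if __name__ == "__main__":
    # The authenticator shows payee and amount on its own display and
    # produces the code; the customer types it into the banking session.
    code = derive_code(SECRET, PAYEE, "250.00", NONCE)
    print("code shown to customer:", code)
    print("unaltered transfer:", verify_code(SECRET, PAYEE, "250.00", NONCE, code))
    print("amount altered:", verify_code(SECRET, PAYEE, "2500.00", NONCE, code))
    print("payee altered:", verify_code(SECRET, "GB00TEST00000000000002", "250.00", NONCE, code))
```

The server-issued challenge prevents a captured code from being replayed for a second, identical transfer, and the authenticator's own display of payee and amount is what lets the customer notice when the details the bank received differ from what they intended.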
