A Guide To Account Takeover Fraud (ATF)

Haseeb Awan
April 5, 2023
Modified on April 5, 2023


Wherever certain kinds of information, such as passwords, credit card numbers, and social security numbers, can be sold or used to make money, a marketplace of malicious actors will emerge to target and steal that information.

The average American had 27 online accounts that required passwords in 2019. Today, with the world shut down due to Covid, that number is likely even higher as people are forced to become more comfortable conducting transactions online.

The transition to digital has made several activities more user-friendly (why go to a physical bank when you can do your banking online?). It has also, however, opened up additional possibilities for account takeover fraud.

Like most kinds of fraud, account takeover fraud harms your business's reputation and customers' trust in it. We'll go through everything you need to know about account takeover fraud, from what it is to why it's so severe to how to protect your company and consumers.

What Is ATO Fraud?

Account takeover (ATO) fraud starts when criminals steal consumer account information and credentials, such as usernames and passwords, which they then use to log in to online accounts and perform various illegal activities, including theft of funds or data.

When cybercriminals infiltrate a company's network or database, one potential goal is stealing login credentials and taking over accounts. However, hackers will also sometimes attempt to plant malware that can collect sensitive information surreptitiously or even lock a company out of its network.

Hackers today conduct massive data mining and social media phishing campaigns to obtain consumer login credentials on a mass scale, resulting in a range of immediate losses and long-term investigation and recovery expenses.

Tax fraud has become even easier thanks to the popularity of unindexed and uncontrolled sections of the internet (also known as the "Dark Web"). Fraudsters no longer need to go through the trouble of hacking into people's accounts and stealing passwords. Instead, they browse those virtual dark alleys, purchase large numbers of real account passwords using cryptocurrencies, and start filing fraudulent tax returns.

With each new digital account we open, at banks, e-commerce sites, utilities, apps, schools, and government agencies, the "attack surface" available to fraudsters grows broader and their job gets easier. While it is well known that passwords should not be reused across our ever-growing internet footprint of dot-coms, many of us still leave trails of common passwords and pass-phrases for hackers to follow and reuse on the hundreds of websites that hold our money and personal information.

ATO fraud is a top danger to financial institutions and their customers because of the costly direct financial losses and the lengthy post-incident mitigation efforts required.

Fraudsters Operate Under the Radar

When a fraudulent user attempts to take control of an account, they try to avoid the kind of unusual activity that has given away compromised accounts in the past. Instead, fraudsters frequently modify the account information, password, and notification settings so that the actual owner will not be aware of the unlawful activity in their account. Fraudsters can financially harm their victims in many ways, such as by making a payment to a fake company, transferring funds to another account without permission, or requesting a new credit card or financial product.

Thieves may also obtain account numbers in various ways, such as hacking, stealing mail, grabbing wallets, and installing ATM and card skimmers. Account takeover fraud, however, does show specific symptoms. If several users request a password reset at once, or if there are numerous unsuccessful login attempts, these may be signs of account takeover fraud.

If a cardholder's information is stolen and used to make unauthorized purchases, account takeover can result in chargebacks and customer transaction disputes for the merchant. Additionally, account holders may lose trust in their financial institution if ATO attempts succeed, damaging the bank's reputation. Typical signs of ATO are multiple password change requests or many unsuccessful login attempts within a short period.
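As an added example (not part of the original article), the following script flags the two signals named above, a burst of failed logins against one account and a burst of password-reset requests from one source, over a small constructed authentication log. The log format, field names, thresholds and window are assumptions.

```python
# Added example: detect burst-style ATO signals in a constructed auth log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <event> account=<user> ip=<addr>"
SAMPLE_LOG = """\
2023-04-05T12:00:01 login_fail account=alice ip=203.0.113.7
2023-04-05T12:00:04 login_fail account=alice ip=203.0.113.7
2023-04-05T12:00:09 login_fail account=alice ip=203.0.113.7
2023-04-05T12:00:15 login_fail account=alice ip=203.0.113.7
2023-04-05T12:00:21 login_fail account=alice ip=203.0.113.7
2023-04-05T12:00:30 login_ok account=alice ip=203.0.113.7
2023-04-05T12:01:00 reset_request account=bob ip=203.0.113.7
2023-04-05T12:01:10 reset_request account=carol ip=203.0.113.7
2023-04-05T12:01:20 reset_request account=dave ip=203.0.113.7
2023-04-05T12:30:00 login_fail account=erin ip=198.51.100.2
2023-04-05T13:45:00 login_fail account=erin ip=198.51.100.2
2023-04-05T13:45:05 login_ok account=erin ip=198.51.100.2
"""

FAIL_THRESHOLD = 5            # failed logins for one account inside WINDOW (assumed)
RESET_THRESHOLD = 3           # reset requests from one IP for distinct accounts (assumed)
WINDOW = timedelta(minutes=10)

def parse(line):
    ts, event, acct, ip = line.split()
    return datetime.fromisoformat(ts), event, acct.split("=", 1)[1], ip.split("=", 1)[1]

def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def find_ato_signals(log_text):
    """Return (accounts with a failed-login burst, IPs with a reset-request burst)."""
    fails = defaultdict(list)     # account -> timestamps of failed logins
    resets = defaultdict(dict)    # ip -> {account: first reset request time}
    for line in log_text.strip().splitlines():
        ts, event, acct, ip = parse(line)
        if event == "login_fail":
            fails[acct].append(ts)
        elif event == "reset_request":
            resets[ip].setdefault(acct, ts)
    flagged_accounts = sorted(a for a, t in fails.items() if burst(t, FAIL_THRESHOLD, WINDOW))
    flagged_ips = sorted(ip for ip, m in resets.items() if burst(m.values(), RESET_THRESHOLD, WINDOW))
    return flagged_accounts, flagged_ips
```

In the sample, alice's five failures in twenty seconds followed by a success and the three resets for different accounts from one address are flagged, while erin's two failures an hour apart are not.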

Account Takeover Fraud: How Does It Work?

Here are some common ways that account takeovers can occur:

Data Breach Resulting in the Theft of Login Credentials

Every year, trillions of records containing personal information are compromised. Cybercriminals typically need leaked usernames and passwords to take over an account. Because many people use the same login details for several accounts, ATF scammers reuse leaked usernames and passwords to access various online services.

Brute Force Credential Cracking

Brute force credential cracking refers to using automated tools to try and guess large numbers of passwords or other credentials to gain access to a system. This type of attack can be very successful if the attacker has a good list of common passwords or if they can take advantage of weak password policies.

By trying numerous passwords in succession, cybercriminals may discover the correct one and gain access to your personal information. To speed up the process, the scammers make use of bots that can check many password combinations. 8-character passwords can be cracked in less than an hour using contemporary hacking technology.

Forging an Email Account and Sending Off a Phishing Campaign

Phishing is a cyberattack that uses fraudulent emails or websites to trick individuals into revealing personal information such as login credentials. The email will generally look like it comes from a legitimate source, and the website may even have a genuine-looking domain name; once the victim enters their login details on the fake website, the attacker has them. Cybercriminals will sometimes ask victims for their login information outright. This is done through phishing scams, where people are tricked into giving away their data. Phishing can happen over email, SMS, chat conversations, scam websites, malicious phone applications and calls, and more.

Viruses and Malware Leading to Data Loss

Many viruses and other malware are capable of a variety of activities. They frequently steal information from a user's device. Some record your keystrokes when you type in passwords, and others capture bank details by monitoring your browser. Once the malicious software is installed, it can record everything typed into the device, including passwords and usernames. The cybercriminal can access the stolen information remotely without the victim knowing. Antivirus applications can help you prevent this.

MITM Attacks

Man-in-the-Middle (MitM) attacks are a type of cyber attack in which an attacker intercepts communications between two parties. This can allow the attacker to eavesdrop on conversations, read private messages, or alter communication traffic. MitM attacks can be difficult to detect and have severe implications for individuals and businesses. When you go online, your traffic passes through several servers before it reaches its destination website. If someone intercepts this traffic while it is in transit and it is unencrypted, they can see everything you do on the internet, including your usernames and passwords. MitM attacks are often carried out via public Wi-Fi networks or home internet routers. The good news is that reliable VPN software can help protect you from these threats.

Why Is It Difficult to Detect?

Genuine Customers Typically Have A Good Spending History

Fraudsters exploit the trust a customer has built with a seller to commit fraud, making it harder to detect. The best time to catch them is at login, so they take steps to make their logins look as legitimate as possible.

Fraudsters' Login Procedures Are Eerily Similar to Those of Genuine Users

Fraudsters use proxies or botnets to disguise their attacks as though they originate from a variety of places rather than from one person. They can choose popular login hours to mimic typical traffic, for example attempting to log in to a food delivery service around meal times. Automated tools are also available for evading CAPTCHA challenges.

Fraudsters Often Pass On Knowledge

There are many instructional videos on performing an account takeover on YouTube. There are also cracking forums where fraudsters provide assistance, tools, and "combo" files of leaked credentials for people who want to make credential stuffing more successful.

The Company's Responses to The Danger

The number of account takeovers is increasing rapidly, but many companies aren't doing anything to stop it. Why?

The Problem with Account Takeovers Does Not Have A Clear Owner

Many businesses are account takeover victims and don't realize it yet. The biggest reason is that this is a relatively new fraud problem without a clear owner, and it affects many teams. An account takeover attack differs from card-not-present fraud in that hundreds of customer accounts are compromised at once instead of one person being targeted. By the time the Payments team notices a chargeback or any other form of damage, too much has often already been done to the other affected accounts.

Different Priorities for Logging In and Usability

Since account takeover is such a difficult issue, it's important for all departments, not just Fraud and Payments or Security/Risk, to be involved in the process. This can include Product and Marketing; however, because each department has different goals and priorities (like ease of ordering versus authentication checks when someone logs in from a new device), defining the right way to handle them becomes much more complicated.

We often hear from anxious merchants who find it difficult to get other business leaders on board with allocating budget to account takeover protection. Many businesses lack the agility to react quickly enough if they don't have prevention methods for this type of attack.

How to Detect and Prevent ATF Scams

The best practices below can assist businesses and consumers in drastically reducing the chance of being a target for ATO fraud. Even tiny accounts or obscure platforms should follow these five crucial tactics.

Create Different Passwords for Each of Your Accounts and Change Them Regularly

Diversifying your passwords is crucial because any password you use risks getting stolen at some point. It's inevitable that, someday, somebody will access one of your accounts. While it may be daunting to have to remember 50 different passwords, it's worth the extra effort.

As we've seen in the TurboTax and Dunkin Donuts cases, people who used different passwords and changed them often were less likely to become victims of fraud. Additionally, randomly generated passwords (rather than ones that use actual words like "football123") will also decrease the likelihood of a malicious party accessing your accounts.

Keep A Close Eye On All of Your Accounts and Statements

ATO fraudsters often start by making a small purchase to see what they can get away with. However, if you take the time to review all accounts regularly—like bank accounts and other financial resources—you might be able to identify and react to their attack before it becomes problematic.

Use Software to Prevent Fraud

No-code development has made it simple and cheap to access the robust, dynamic software necessary for fraud prevention.

One of the most popular no-code development platforms is Airtable. While it was designed as spreadsheet software, people have since used Airtable to create all sorts of apps—including ATO fraud detection and prevention tools. These tools can track IP addresses, geolocation data, and other important information.

Be Cautious About Sharing Information

Be cautious about the information you both give and take. Whether personal or financial, think twice before entering data online, even if the site looks legitimate. The more cyber footprints you leave, the higher your chances of being hacked.

In general, you should only give out information when there is a clear and concise reason for doing so. When in doubt, it's always best to err on the side of caution and keep your information to yourself.

Use Multi-Factor Authentication to Protect Your Accounts

Adding an extra layer of security to your accounts via multi-factor authentication makes it much harder for unauthorized individuals to access them. Even if they somehow obtain the password associated with an account, the second form of verification makes it highly improbable that they will be able to log in successfully. You should, however, take care to store the credentials for your authentication sources separately.

Here's How You Can Better Shield Yourself Against ATF Scams

It's critical to safeguard your company's data with the highest levels of security. This should apply to all data that is collected, transferred, processed, and used by the business. The following are a few examples of things that should be kept in mind:

  • Always use SSL/TLS encryption (HTTPS), especially on pages where users enter private information such as credit card numbers or home addresses.
  • Encryption should be used wherever possible, not just for logins.
  • Securing your physical devices is critical for business phones, laptops, and desktop computers, especially in a work-from-home scenario.
  • To prevent future issues, hire ethical hackers, AKA "white hat" hackers. They are researchers independent of your company who search for vulnerabilities to improve security. For example, Facebook has a bug bounty where the reward for finding an account takeover vulnerability is $40,000.
  • Before a user registers on your site, you can check whether their password has already been exposed by verifying it against credible third-party databases, such as Troy Hunt's Pwned Passwords, which can be queried through its k-anonymity range API so that the full password hash never leaves your server. This stops registered users from continuing to use leaked passwords and protects your site from ATO attacks.
  • To keep your website secure, restrict user input by limiting HTML input, sanitizing entered values, and using allowlists, and check that your site code is not susceptible to SQL or HTML injection attacks.
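As an added example (not code from the article or from Have I Been Pwned), this is the k-anonymity range check used by the Pwned Passwords service described above: only the first five hex characters of the SHA-1 hash are sent, and the returned range of suffixes is matched locally. The online fetch uses the real range endpoint; the offline fetcher and its response are constructed so the example runs without network access, and the count value in it is made up.

```python
# Added example: registration-time password check against Pwned Passwords
# using the k-anonymity range API (offline stand-in included for testing).
import hashlib
import urllib.request

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fetch_range_online(prefix):
    """Fetch the real range for a 5-character hash prefix (network call)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(urllib.request.Request(url), timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch_range=fetch_range_online):
    """Number of breaches the password appeared in, or 0 if not in the range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")  # format: SUFFIX:COUNT
        if found_suffix == suffix:
            return int(count)
    return 0

# Constructed offline stand-in for the service response. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; its 35-char suffix is listed with
# a made-up count, alongside an unrelated filler entry.
PASSWORD_SHA1 = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"
FAKE_RANGE = PASSWORD_SHA1[5:] + ":3861493\n0000000000000000000000000000000000A:0\n"

def fetch_range_offline(prefix):
    """Constructed fetcher: ignores the prefix and always returns FAKE_RANGE."""
    return FAKE_RANGE

def password_allowed(password, fetch_range=fetch_range_offline):
    """Registration policy: reject any password that appears in a breach."""
    return breach_count(password, fetch_range) == 0
```

Pass `fetch_range_online` instead of the offline fetcher to check against the live service.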

However, in reality, these processes add substantial friction to your customer's journey and can result in a poor user experience. The easiest way to drive visitors towards more forgiving rivals is to add friction at signup or login.

How do you find the perfect equilibrium between security and customer satisfaction? By implementing invisible authentication tools, of course.

Account Takeover Fraud Detection Software

A fundamental issue in detecting suspicious logins is limited data availability. The more data points you have, the better your judgement can be. At login time, we typically only have an IP address, device information and general customer behaviour.

However, even a single data point may be sufficient to block a login attempt if real-time enrichment is used to verify it.

  • Device fingerprinting identifies devices using data from the browser, operating system, device, and network. This can be used to flag suspicious connections or known fraudsters who make multiple requests from the same computer.
  • IP analysis is an excellent fraud prevention method, and it can be extended with enrichment to reveal suspicious VPN, proxy, or Tor usage.

It may also be beneficial to log this data to build allowlists for your users. For example, if a user informs you that they will be travelling, their new IP address can be allowlisted as a result.

ATO fraud is increasing, so it's crucial to take preventive measures. By following best practices, using fraud detection resources, and closely monitoring ATO activity, you can dramatically minimize the chances and effects of an ATO fraud attack.


Haseeb Awan
CEO, Efani Secure Mobile

I founded Efani after being Sim Swapped 4 times. I am an experienced CEO with a demonstrated history of working in the crypto and cybersecurity industry. I provide Secure Mobile Service for influential people to protect them against SIM Swaps, eavesdropping, location tracking, and other mobile security threats. I've been covered in New York Times, The Wall Street Journal, Mashable, Hulu, Nasdaq, Netflix, Techcrunch, Coindesk, etc. Contact me at 855-55-EFANI or haseebawan@efani.com for a confidential assessment to see if we're the right fit!
