What is Account Takeover fraud? An in-depth look

Account takeover is a risk to both individuals and businesses alike, especially in an increasingly digital world where fraud is on the rise.

So what exactly is an account takeover (ATO)? In this article, we want to take a closer look at account takeover fraud, showing you first-hand how attackers gain access to user accounts, the impact on businesses, and the best preventive measures to protect your business from account takeover.

Account takeover fraud occurs when cybercriminals gain access to online accounts through the original user's account credentials. Typically such account takeover attempts are focused on financial accounts but also social media, eCommerce profiles and other accounts with a financial element. In many of these accounts, cybercriminals can find not only financial information but also personal details and even previous purchase history. This can be further used in identity theft, unauthorized payments and more.

In general, any and all user accounts can be targeted for account takeovers. Once an attacker has access, they will then target other accounts from the same user for a wider account takeover.

Common targets for an ATO attack include:

• Bank accounts. One of the biggest targets, a bank account, gives an attacker direct access to a user's finances, enabling them to transfer funds or otherwise cause malicious activity.
• E-commerce accounts. Similarly, popular online stores and marketplaces also represent a valid target for attacks. Here, fraudsters can often find credit card and other payment information, as well as user details that can be further used in gaining access elsewhere.
• Social media profiles. Online networking websites are another prime target for online fraud. Fraudsters can use these profiles to send messages in the user's name, often asking for money. It should be noted that business accounts are also often targeted in this way.
• Online payment accounts. Similar to banks, credit cards and other payment providers can also be targeted by fraudsters looking to gain credentials and gain unauthorized access to other people's finances. They can also find payment records and user behaviour records that can be used to gain access elsewhere.
• Business accounts. Finally, it's worth nothing that these attacks are not limited to individuals. Businesses are often attacked directly. Sometimes, this can give users access to their customer credentials, enabling further attacks, or simply to access the company's own secure information.

Naturally, increased security will go a long way to ensuring user accounts are less viable for account takeover attacks. This can include not only ensuring the same password isn't used elsewhere, preventing cybercriminals from gaining immediate access to multiple accounts at once, but also multi-factor authentication, to ensure user credentials alone are not enough.

Most account takeover incidents follow a similar sequence. While the methods and exact user accounts targeted may vary, the general process of ATO attacks are often the same.

1. Information gathering. In the first step, the attacker is looking for any potential valuable data. This can include email addresses, usernames and other forms of identifiable information. Cybercriminals have many means to acquire this data and it is rarely targeted at an individual. Instead, it is often gathered enmasse through a data breach or brute force attack on a given website or service, alongside the likes of social engineering, or buying stolen accounts from others on the dark web.
2. Credential acquisition. Once armed with identifiable information, the attacker uncovers login credentials for targeted accounts through various means, such as phishing and credential stuffing, but also automated means such as keylogging or brute force attacks.
3. Gaining access. Once the necessary credentials are acquired, the attacker can use them to gain access to accounts. If they have multiple sites, usernames and passwords, they will also try different combinations of these user credentials for wider access.
4. Maintaining access. Once inside stolen accounts, attackers will take steps to ensure they can use the victim's accounts. This can include not only changing the password, but also adding recovery emails or numbers in order to limit the legitimate owner's ability to regain access or control.
5. Exploitation. Once access to legitimate accounts is ensured, the attacker can perform numerous activities, such as stealing sensitive data, moving or spending finances, committing identity fraud or even using compromised accounts for spam or malware activity.
6. Covering tracks. The attacker will also go to lengths to hide their activity, deleting notifications, emails and other signs of their activity to prevent the legitimate owner from uncovering the account takeover attack.
7. Exfiltration and monetization. Alongside identity theft, the attacker may also expose user credentials on the dark web for profit. In other cases, they may demand money from the victim directly, before releasing the account back to them.

It's important to note, however, that each incident can vary. Sometimes, the identifiable data is sold at an earlier stage, while at other times it may still be the same individuals or organizations behind every step. Nonetheless, these are the most critical steps behind ATO attacks.

The main reason for an account takeover fraud is that user accounts were exposed or otherwise able to be cracked. Account takeover fraud is the result of leaked data, so it's worth understanding how and why this occurs.

Attackers often rely on automated attacks at the very earliest stages, using various schemes to gain access to detect vulnerabilities. This makes it more efficient for them, as they can quickly pinpoint to more vulnerable accounts once identified.

5 most common fraudster tactics leading to ATO fraud

So how do fraudsters gain access to accounts? There are many ways to gain identifiable information online, the 5 most common being:

• Social engineering. This approach involves replicating well-known organizations, such as banks or stores, in order to trick users into logging in. Such login attempts appear unsuccessful to the user, who may not even be aware of any suspicious activity, but the fraudster has nonetheless gained the sensitive data they need.
• Viruses and malware. Similar to phishing, these can track your credentials and login attempts online. This can also include man-in-the-middle attacks, wherein a cybercriminal hacks the communication between your computer and a website, gaining the information whilst also passing it along.
• Credential stuffing. If an attacker has stolen credentials from one website or app, they can then try these to gain access to other accounts with the same password, email or username.
• Brute force attack. Also known as dictionary attacks, this method deploys bots that automatically go through various combinations of login attempts combining the same username with different password combinations until it is successful.
• Data breaches. In some cases, hackers will gain access to a corporate account with the primary purpose of gaining access to customer details.

While we commonly talk about account takeover in the context of websites or online services, it's critical to note that mobile apps are not immune and are, in fact, a growing area of interest for ATO attacks. Popular eCommerce apps, reward programs and even cryptocurrency apps are all financial accounts in nature, making them highly appealing targets.

Many of the aforementioned methods, such as phishing and brute force, can be used to gain access to mobile apps. This, combined with a general lower level of security on smartphones, makes the need for ATO fraud detection on mobile apps paramount.

One of the best ways to gain access to individual accounts is to target well-known businesses, thereby potentially gaining access to multiple accounts at once. The consequences for a company can be very broad:

• First of all, in many parts of the world, such as Europe, with its strict regulations like GDPR, organizations can pay a big fine if identifiable information is leaked.
• If the hackers gain access to user accounts, they may make payments that are later charged back by the card provider, costing the company more money, in addition to potentially stolen products that will not be returned.
• For companies that provide an online service, compromised accounts may then be sold elsewhere, denying the business of further profits or revenue.
• Furthermore, when customer accounts are also compromised, the company then has to notify the public, which can lead to a decrease in trust and a direct loss of both customers and sales. This can lead to long-term reputational problems.

Let's not forget that businesses themselves are also not immune to identity fraud. With the right account takeover, attackers also have access to the company's own financial information. Organizations have their own bank accounts, social media profiles and more, all of which can be exploited if a business email compromise attack is successful.

To understand the ATO-related risks, you need to detect fraudulent activities that indicate potential incidents. On the users’ end, red flags that identify account takeovers can include, at the earliest stages, failed login attempts. If sufficient additional verification steps are in place, this can alert you to a halted ATO attack or at least one still in progress. Businesses, likewise, may notice multiple IP addresses being used alongside other irregular activity, which can alert them to inspect the respective accounts.

Nevertheless, the ability to make informed decisions starts with understanding your users and their behavioural patterns. By getting familiar with their usual login and usage habits, device preferences, transaction history, and network details like IP addresses, you can better differentiate between normal actions and suspicious behaviour with great precision.

Every interaction with your website or mobile app leaves traces that fall into three key user-related contexts: 

• Hardware and software: the devices and software used by your users when engaging with your service.
• Network: the IP addresses and network locations commonly used IP addresses, and even the timezone of operation.
• Behaviour: how users interact with keyboards, mice, touchscreens, and more. 

Both the anti-fraud industry and fraudsters are well aware of these three contexts. That's why it's essential not to rely only on thorough detection methods but also to employ methods that go beyond the information made available by users and unveil tactics of hiding identities or browser spoofing, for example.

Considering the consequences of ATO, prevention is always the best option, especially considering that even a successful recovery process can be too time-consuming. Therefore, the best approach is to use technologies and measures that either make it harder to access the users’ accounts or otherwise identify suspicious activity when it occurs, taking additional defensive actions in real-time. 

There are many such measures that can be taken here, most notably multi-factor authentication (MFA). But MFA can sometimes add too much friction to the user experience, so real-time detection with AI technology is still the best way to go. Going further with the user-related context from above, let’s see what technology we need to prevent ATO effectively.

Device fingerprinting 

Digital fingerprinting involves tracking software that remembers the last device used to access respective user accounts. If a new or otherwise unrecognized device is detected, this is flagged as suspicious activity, so additional authentication steps are taken. In short, this adds an extra layer of protection against attackers using stolen credentials from a remote location. Critically, when an ATO attempt is detected, blocking the fraudsters is not recommended as a logical next step. This can actually be helpful for fraudsters to know about the risk related to their operation. In return, they can simply retry the operation by slightly changing the context. 

Behavioural biometrics 

Similar to fingerprinting, this approach tracks users’ regular behaviour and activity on their accounts. Activity that does not match the pattern is then flagged in order to add extra authentication layers. 

Read more about how to use behavioural biometrics for fraud prevention.

Continuous authentication

As the name implies, this is a method that operates continuously, using behavioural biometrics and other verifications while the account holder is using the account. Commonly found in the likes of bank accounts, it tracks various data from the start to the end of each session.

Multiple data sources

To boost the value of your data gathered, get more context information about each session and challenge declarative data beyond the information made available by the user. To do so, consider the following signals:

• A log-in from a strange location
• VPN or TOR usage
• A fingerprint mismatch, despite the recognized cookie
• A very long session without logout, despite auto logout in case of user inactivity.

Reverse engineering

Fraudsters constantly update their methods and strategies, so it’s essential to keep an eye on the Dark Web to gather intelligence and reverse-engineer their techniques to improve fraud recognition.

Businesses can also benefit from updated roles and permissions within their organization, ensuring staff only have access to the necessary information, tools and accounts necessary for their job. This will help limit the possibility of business email compromise in a forgotten or overlooked account.

Responding to the need for more robust fraud prevention solutions against ATO, Nethone built a hybrid rule-based and machine learning-powered solution that x-rays every single user on browsers or mobile to know the real intention of the visitor. 

We base our approach to ATO prevention on the following: 

• Powerful profiling solution that exhaustively screens every user uncovers hidden session characteristics and leverages: 

1. Behavioural data to understand user interaction with the keyboard, mouse, touch screen, and touchpad and spot if we’re not attracting, i.e. bots.
2. Digital fingerprinting to automatically analyse device, browser, and network data attributes that can indicate if a user is genuine or trying to hide true location, identity or software to fool the anti-fraud system.

• 100+ named risks based on our Darknet knowledge representing strong indications of undesirable activity, such as.: Fraud tool used, User-agent spoofing, Open ports related to RDP, Mobile emulation, VPN usage, Unauthorized apps installation software
• Explainable AI to detect account takeover fraud in real-time. We deliver a human-readable explanation of the ML results in one place — the Nethone Panel, so you understand why the decision was made and review it manually if necessary. You can also fully customise your decision logic to fit your needs.
• Darknet Insights: our fraud intelligence team dig deep into the fraudster's community, gathers intelligence about the newest fraud tools, and reverse-engineers them to boost fraud recognition. We're training our AI with Darknet insights to identify all fraudulent tactics and tools and help you prevent account takeover fraud.
• Frictionless user experience: We know how important user experience is; that’s why our solution works passively in the background causing no disruption to your customers. We minimise the number of false positives to reject only fraudsters and keep your business running smoothly.  

Check our Account Takeover solution in action and how we helped BlaBlaCar to reduce ATO and account opening fraud.

We hope that the above guide has given you an in-depth and valuable understanding of account takeovers and how to best protect yourself against this digital threat. For more information, we've answered some of the most commonly asked questions below.

How does a bank account takeover happen?

A bank account takeover happens when an attacker gains access to a victim's bank account, usually through social engineering techniques via remote access tools. Typically, this is achieved through gaining credentials, often an email address and password. This is then used to access bank details, whether it's via a bank portal or app, and commit financial fraud. 

What are the stages of an account takeover?

The first step in account takeover fraud is to gain the necessary information to access accounts. This is done via various means, such as malware and scams, alongside brute force attacks and credential stuffing to essentially 'guess' the missing data.

Once accessed, they strive to maintain control of the targeted account while using their access to commit fraud, such as making unauthorized transactions, changing account settings, accessing sensitive information, using the compromised account for further attacks, or selling the account details on the dark web.

What are the risks of an account takeover?

At its worst, account takeovers can lead to identity fraud. Alongside making financial transfers, they can use the same credentials to access numerous other accounts from the same individual, causing significant damage to their personal life.

What are the common indicators or red flags of an account takeover?

Multiple IP addresses, sudden switch from one browser and/or OS to another, device spoofing, and many more.

What causes account takeover?

Account takeovers are caused by stolen credentials, social engineering techniques, malware and keyloggers, credential stuffing, brute-force attacks, and vulnerable security infrastructures.

What is the difference between identity theft and account takeover?

Identity theft happens when an individual's personal information is stolen and used without authorization, typically for financial gain or other fraudulent activities, and account takeover is a common effect of identity theft.

Who benefits from an account takeover?

Multiple parties can benefit from account takeover fraud. Fraudsters and hackers benefit from account takeovers financially, primarily via transferring the users funds or from selling the accounts on the dark web. However, these stolen accounts can also be used by other malicious individuals for spreading viruses and malware as well.

How common is account takeover activity?

Account takeover is becoming an increasingly common form of identity theft and fraud. industry estimates from 2022 suggest account takeover attacks are increasing by 130 to 150% Year on Year.

What type of fraud is an account takeover?

Account takeovers are considered a form of identity fraud. Stolen usernames and credentials can be used to gain access to an individual's accounts by assuming their identity. Using such access to these accounts is considered identity fraud, as the individual is making transactions or other actions under the false assumption of the original user's identity.