Account takeover fraud plagues businesses of all sizes. In 2022, the Federal Trade Commission (FTC) received 725,000+ reports of impostor scams, a decrease from 2021’s peak. However, losses hit a new high, with consumers losing $2.67 million in 2022, up from $2.4 million in 2021.

The best approach to account takeover protection requires early detection and fast action. ATO fraud is alarmingly hard to spot until it’s too late. However, automation and machine learning in platforms like Fraud.net are helping businesses in multiple industries reduce the risk of an ATO attack on employees and customers. 

What is account takeover fraud?

Account takeover fraud (ATO fraud) is a form of identity theft in which a criminal gains control of a consumer’s account, gaining access to confidential information. During this attack, the perpetrator is able to change account settings, such as the statement mailing address, username, and password—enabling them to make unauthorized withdrawals or commit further types of fraud. 

Criminals gain access to user credentials either indirectly through data breach marketplaces on the dark web or directly by using malware or phishing. Once they have access to a victim’s account, the perpetrator will update the account credentials and contact information so the victim no longer has control over the account. Victims may be totally unaware that their account has been compromised until the damage is done. 

There’s been a 112% increase in reported account takeover incidents year-over-year. Partially, this has to do with the different types of online accounts that most consumers have—increasing the opportunities for account takeover fraud. 

Types of account takeovers

ATO can involve one or multiple accounts of the victim. Most consumers have a few different online accounts that can be infiltrated—including, but not limited to, a bank account, email inbox, phone, utility, social media, travel, or online shopping accounts. Likewise, there are a few approaches a criminal could take to break into these accounts. 

There are two common scenarios that result in account takeover: data breaches and brute force attacks. A data breach could be direct or indirect. Direct breaches occur when credentials are compromised on the same site the data originated from. For instance, if your credit card provider is hacked or has a database that is improperly configured, a criminal may be able to access the credentials and use them to access your credit card account. 

Alternatively, the indirect use of stolen credentials to execute an account takeover may appear as credential stuffing. Credential stuffing uses a bot to “stuff” stolen usernames and passwords into multiple websites to see if they can gain access. These attacks succeed because many users repeat the same password for multiple sites. 

Password spraying is similar to credential stuffing in that it attempts to log in to many user accounts with a smaller number of passwords. Where they differ is that the attacker will often attempt to use common passwords against many users, not just one. 

Other common ways of performing account takeover fraud result from phishing and malware. These strategies rely on tricking the user into revealing his or her login information, such as by directing a user to a fake login page or recording a user’s keystrokes as they authenticate to an account.

Brute force attacks involve attempting many passwords on a single account. These attacks are simple, easy to create, and reliable. While account takeover protection measures can combat this form of attack, it takes so little effort that it remains a viable method of ATO fraud.

How to recognize an account takeover attack

One of the reasons why account takeover attacks are so successful is that they are extremely hard to detect. The best way to avoid ATO fraud is to implement sophisticated account takeover protection. However, there are ways to recognize when an account takeover has taken place.

One telling sign is that multiple accounts suddenly share similar features. “After accessing the credentials, fraudsters do not want anyone else to take over the account,” wrote Colby College. “Instead of changing every aspect, they alter a single field. For example, if 20 customers change their contact details to the same number on the same day, their accounts may have been taken over.” 

Sudden changes in account details can also be a sign that an account has been hacked. If the customer updates their account details, then logs in from a new device, and makes a new purchase within 24 hours, it could be a sign that their account is compromised. Look for behaviors outside the customer’s regular pattern. 

“Customers typically have a single and specific IP address as they log in from similar locations every time, generally using the same device. A large number of IP addresses is a good indicator of account takeover,” wrote Colby College. 
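The three signals described above, run over a constructed event log, as an added Python example that is not from Fraud.net or the original post; the event schema, field names, thresholds and sample events are assumptions made for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (hypothetical schema): (ISO timestamp, account, kind, value); a login value is "device|ip".
EVENTS = [
    ("2024-02-20T08:00:00", "acct1", "login", "dev-A|203.0.113.5"),
    ("2024-03-01T09:00:00", "acct1", "contact_change", "+15550001111"),
    ("2024-03-01T09:05:00", "acct2", "contact_change", "+15550001111"),
    ("2024-03-01T09:20:00", "acct3", "contact_change", "+15550001111"),
    ("2024-03-01T10:00:00", "acct1", "login", "dev-Z|198.51.100.9"),
    ("2024-03-01T10:30:00", "acct1", "purchase", "249.99"),
    ("2024-03-01T11:00:00", "acct4", "login", "dev-B|192.0.2.1"),
    ("2024-03-01T11:10:00", "acct4", "login", "dev-B|192.0.2.2"),
    ("2024-03-01T11:20:00", "acct4", "login", "dev-B|192.0.2.3"),
]

def shared_contact_changes(events, min_accounts=3):
    """Signal 1: several accounts switch to the same contact value on the same day."""
    seen = defaultdict(set)
    for ts, acct, kind, value in events:
        if kind == "contact_change":
            seen[(ts[:10], value)].add(acct)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}

def change_new_device_purchase(events, window=timedelta(hours=24)):
    """Signal 2: detail change, login from a never-seen device, then a purchase, all inside `window`."""
    by_acct = defaultdict(list)
    for e in sorted(events): by_acct[e[1]].append(e)  # ISO timestamps sort lexicographically
    flagged = set()
    for acct, evs in by_acct.items():
        known, change_at, new_dev = set(), None, False
        for ts, _, kind, value in evs:
            t = datetime.fromisoformat(ts)
            in_window = change_at is not None and t - change_at <= window
            if kind == "contact_change":
                change_at, new_dev = t, False  # start a fresh observation window
            elif kind == "login":
                dev = value.split("|")[0]
                new_dev = new_dev or (in_window and dev not in known)
                known.add(dev)
            elif kind == "purchase" and in_window and new_dev:
                flagged.add(acct)
    return sorted(flagged)

def many_ips(events, min_ips=3):
    """Signal 3: one account logging in from unusually many distinct IP addresses."""
    ips = defaultdict(set)
    for _, acct, kind, value in events:
        if kind == "login":
            ips[acct].add(value.split("|")[1])
    return sorted(a for a, s in ips.items() if len(s) >= min_ips)
```

In production the thresholds would be tuned per customer base, since a family sharing one phone number or a user on a mobile network with rotating addresses will trip these rules without any takeover.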

There are many ways criminals can exploit your customers’ credentials. Fortunately, you can mitigate ATO fraud with the right methods and technologies. 

Best Practices for Account Takeover Protection

Because account takeover can be perpetrated in a variety of ways, it can be difficult to mitigate this risk completely. Increasingly, simple rule-based prevention systems just aren’t cutting it. Automation is a key component in your approach to account takeover protection. 

In practice, this means implementing a detection solution that automatically scans and detects patterns in login data that could be red flags for account takeover. Fraud.net uses machine learning, anomaly detection, geolocation, and behavioral analyses to detect high-risk sessions on your site and prevent most fraudulent logins.  

Our solution also factors in the location of the login. Deep learning models built into the Fraud.net platform detect the sometimes subtle patterns of fraud and use behavioral analysis to flag high-risk sessions.

In addition, Fraud.net partners with payment processors, data organizations, and merchants to get anonymous data about fraudulent transactions and users in their systems. This enables us to flag fraudulent transactions before they even take place. 

Criminals rarely act alone; they often share techniques and stolen data with other criminals. Fraud.net’s platform analyzes relationships between bad pieces of data and fraudsters to differentiate between a single fraud attempt and a full-on attack. 

Learn more about Fraud.net’s approach to account takeover protection and other risk management solutions. Sign up for a demo today.