One of the biggest and scariest fraud threats is having your account taken by a fraudster. In this article, we will discuss the top takeover fraud scenarios that may lead to fraudsters accessing and having control of your assets.
What is account takeover (ATO) fraud?
Account takeover fraud, also known as account compromise, refers to fraud which occurs when a fraudster gains access to a legitimate user’s account to make unauthorised transactions.
Fraudsters take over online accounts using stolen credentials such as passwords and usernames. Cybercriminals buy credentials on the dark web, usually through social engineering, data breaches, and phishing attacks. They use these credentials to deploy bots that test passwords and username combinations on travel, retail, finance, eCommerce, and social media sites.
Attackers compile a list of validated credentials and sell or abuse them to make a profit. Fraudsters can also commit identity fraud through ATO fraud, causing identity theft as they use someone’s personal details to commit fraud.
Users rarely change passwords and reuse login information. Bots can carry credential stuffing and brute force assaults to take over accounts. Cybercriminals can also hack mobile sites, webpages, and native mobile APIs.
How does ATO work?
Account takeover takes place in four simple steps, they are:
- Credential stealing: Fraudsters find a way to access user credential details using various attacking methods. Depending on the mode of attack, the fraudster might change the login credentials of the legitimate user
- Login: During login, fraudsters utilise bots to test the stolen login details against the online sites.
- Session: After successful login, fraudsters make unauthorised transactions such as transferring funds or buying high-value goods online.
- Checkout: Regarding eCommerce, Fraudsters leverage methods like:
- One-click payment
- Saved payment method
- Loyalty points
Fraudsters typically change the delivery address and then proceed to make payments.
Attack methods used in account takeover fraud
Credentials are critical to a successful account takeover. Below are several ways hackers take over a valid account:
- Brute-force attacks: These include password spraying and credential stuffing (guessing complete credential pairs). The attacker tries a username/password combination on several accounts until one works. Attackers utilise common passwords and dictionary terms to guess passwords.
- Breach replay attack/credential stuffing: Many people reuse passwords across accounts, which is a bad practice. Any online account with the same username, email address, and the same password is at risk of one of these frauds.
- Phishing. Credential phishing is a practical approach to stealing a victim’s password. Phishing primarily affects accounts without multi-factor authentication (MFA).
- Malware attacks: Keyloggers, stealers, and other malware are used to expose user passwords, giving attackers account access.
Attackers can also download cracked passwords from darknet markets to attempt an account takeover.
These methods used in ATO can lead to many account takeover scenarios, with the most common being the following 5:

Subscriber Identity Module (SIM) Swap
SIM swap fraud occurs when con artists use your phone number to access your accounts.
SIM swap occurs when criminals call your cell service provider to activate a new SIM card. Fraudsters will then control your phone number. Calls and text messages to your number are routed to the fraudsters’ device rather than yours.
By committing SIM swap fraud, con artists can access your accounts, such as bank credentials. The Hacker will try to access your accounts, and if you have 2-factor authentication, the code will be sent to your sim card via text message. Unfortunately, the fraudsters will be the ones with access to your sim.
SIM swap is avoidable. It involves preventing unauthorised access to your online accounts, such as banking details and credit card accounts. Also, keep an eye out for SIM swap warning indicators.
Malware
Account takeover fraudsters use social engineering techniques such as malware, pop-ups, and so on to infect vulnerable machines in your network. A malware replay attack is one of the most used account takeover attacks.
Once your device has been infected, cybercriminals can use the malware to steal login credentials or perform a replay attack.
During a replay attack, attackers capture data packets transferred from your network to a financial institution and modify and retransmit it.
The good news is that detecting a malware attack is possible. Below are some of the warning indications for a malware attack:
- Your system becomes slower: Malware usually uses system resources, hence making it to be slower
- A sudden increase in traffic
- Sudden receiving of unfamiliar error messages
- Receiving spam emails
- Unusual ads and pop-ups
Data breaches
Every year, billions of personal information documents are stolen in data breaches. Data breaches might include usernames, passwords, and occasionally even secret answers.
The disclosed usernames and passwords are sometimes all hackers need to take over accounts.
Since most individuals use the same login credentials for several accounts, hackers will attempt to access additional online services using the same compromised passwords and usernames.
Credential Stuffing & Cracking
Credential stuffing is excellent for use against online shops. It is a low-cost and low-effort attack technique that is far simpler to execute on a big scale for a lesser payoff across several victim accounts. In this process, the fraudster deploys an automated tool or script to perform login requests using the compromised credentials to acquire access to user accounts.
The tool analyses the username and password combinations against a login page. This analysis is like having many keys and trying each on the front door of a residence. With credential stuffing, you are more likely to have the correct ‘key’ due to the repetition of passwords, which is why users should not use repetitive password across account and make sure to use strong passwords.
Social Engineering
Social engineering is a broad category of malicious operations carried out through human interaction. It utilises psychological manipulation to deceive users into committing security errors or disclosing sensitive information.
Social engineering attacks can happen through phishing, smishing and vishing, and consists of multiple phases. A perpetrator initially analyses the intended victim to obtain background information, such as potential entry points and weak security protocols required to proceed with the attack. The attacker attempts to acquire the victim’s trust and give stimuli for later acts that violate security norms, such as disclosing sensitive information or granting access to vital resources.
Social engineering is extremely harmful because it relies on human error rather than software or operating system weaknesses. Legitimate user errors are significantly less predictable, making them more challenging to detect and prevent than malware-based intrusions.
Social engineering theft usually utilises three main types of account takeover. These are:
Phishing
Phishing is a fraudulent attempt to obtain your valuable personal information. In many cases today, this is accomplished using phishing emails.
Smishing
Smishing is a form of phishing that uses text messages or short messaging systems. Frequently, you will receive a message from a bank or service provider requesting that you check in to a specific website or dial a particular number.
Vishing
Vishing is another form of phishing that uses phone calls to solicit sensitive personal information. This is becoming highly common as people are becoming more lenient and view phone calls as more authentic than emails.
Best practices to detect and prevent ATO
Account takeover differs from regular online payment fraud in appearance. Monitoring login rates, devices, and customer credentials are essential. One of the best ways to detect and prevent ATO is by leveraging the use of machine learning (ML) to create different ML models to best suit the fraud prevention and detection needs based on the historical data held.
2020-2021 UK Statistics shows that there has been an increase of 125,000 identity theft within two years, which led to over £2.3bn loss.
Here are some methods for preventing or containing an attack.
- Cross-reference login information with existing records
- Look for breached credentials
- Verify a user’s identity whenever they modify any account information
- Send users notices about account modifications
How Udentify – Fraud.com can help
Udentify provides a complete solution to any business to prevent account takeover fraud. Udentify provides ID verification and authentication of your customer, user, business partner, patient, or student within seconds. Through liveness detection, Udentify can drastically prevent ATO fraud. Below are some of the ways in which Udentify can help you:
1. User Onboarding
2. Age Verification
3. Passwordless Authentication
4. KBA Replacement
5. KYC & AML Compliance
6. Strong Customer Authentication
7. Fraud Prevention