Account takeover (ATO) fraud happens when someone uses stolen login details to access your online accounts without permission. This can involve anything from banking and investment accounts to e-commerce, crypto, gambling, or social media accounts.
During ATO attacks, criminals use compromised personal information to crack into your account. This compromised information can include email addresses, usernames, passwords, credit card numbers, and Social Security numbers. Once in, they can change account details, withdraw funds, or make unauthorized purchases.
ATO fraud is an increasingly present threat to consumers and businesses alike. To put the problem in perspective, consider the following statistics:
- 29% of people have experienced an account takeover, up from 22% in 2021. In total, that equates to roughly 77 million adults.
- The average victim lost about $180 in 2023. Altogether, ATO fraud costs over $13 billion annually — and that’s only in the United States.
- As of Q2 2024, ATO attacks had increased 24% compared to the same period in 2023. Notably, this surge continues an existing trend: it follows a 354% year-over-year leap in Q2 2023.
Account takeover fraud: the act of breaking into someone else’s online account with the intent of committing fraud or other malicious activity.
Methods used in account takeover fraud
Fraudsters have a toolbox of go-to attack strategies, but also increasingly leverage sophisticated new methods like artificial intelligence (AI).
Here’s a closer look at the most common (and emerging) account takeover methods:
Data breaches
During a data breach, hackers steal, copy, or gain access to confidential personal data, including emails, passwords, phone numbers, and Social Security numbers. Often, they sell this data on the dark web for a quick, easy payday.
According to PrivacyAffairs’ latest Dark Web Price Index, stolen online banking logins cost just $60 on average. Fraudsters and criminals can purchase leaked personal information on the dark web and then use it to take over an account.
Credential stuffing
During credential stuffing attacks, fraudsters use bots to automate the input of compromised information into multiple login forms. Often, they will have lists of compromised personal information to scale up this type of attack. Bots will work through the list, inputting the account information into login forms across multiple sites. Scaling up these types of attacks gives fraudsters a higher chance of success.
In this scenario, people who have reused login information or passwords across multiple accounts will be most at risk. This is why it’s important to use unique login information across different accounts. If one account is compromised, at least fraudsters can’t use those same credentials to hack another account.
Brute force attacks
Brute force attacks share some similarities with credential stuffing. Fraudsters use scalable, automated tools to guess passwords and break into an account. The main difference is that, unlike credential stuffing, which uses stolen credentials, brute force attacks work through generated guesses, typically random character strings combined with common passwords. A good defense against brute force attacks is to use strong, unique passwords that include uppercase and lowercase letters, numbers, and special characters.
Man-in-the-middle (MITM) attacks
Man-in-the-middle attacks are a type of cyberattack in which the attacker inserts themselves between two parties (for example, a business and a consumer) who believe they are communicating directly with one another. In reality, the attacker intercepts the information exchanged between the victim’s computer and the server. They can then eavesdrop on that information and use it to their advantage, for example by redirecting the victim to a spoofed website. Most MITM attacks occur on public Wi-Fi, because those connections are generally less secure than connections through a home router.
Phishing attacks
During a phishing attack, fraudsters pose as a legitimate business, brand, or trusted individual to deceive their target. They communicate with the victim, often asking them to take specific actions, such as clicking a malicious link that installs malware designed to steal credentials, or making an unauthorized purchase or transaction. For example, a phishing email might claim that your account has been compromised and prompt you to reset your password through a fake link.
Another tactic could involve an email from someone impersonating a senior employee, requesting that you buy gift vouchers. While email is the most common form of phishing, fraudsters also use text messages (SMS), social media messaging, and even phone calls to carry out their schemes.
SIM card swapping
SIM card swapping is a method fraudsters use to hack a victim's account by hijacking their mobile number. The attacker typically starts by gathering personal information about the victim, often through phishing or social engineering. With this information, the fraudster contacts the victim’s mobile carrier, posing as the account holder, and requests a new SIM card, claiming the original was lost or damaged. Once the mobile carrier issues a new SIM card, the attacker gains control of the victim’s phone number.
With the victim’s phone number now linked to the attacker’s device, the fraudster can intercept calls and text messages, including two-factor authentication (2FA) codes sent by banks or other services. This allows them to reset account passwords and gain unauthorized access to sensitive accounts, such as banking, email, and social media.
Malware
Malware is a type of malicious software. It’s often installed on someone’s computer, tablet, or smartphone after the user clicks a malicious link (such as one in a phishing email) or downloads software from suspicious sources. Some malware, known as keyloggers, records keystrokes and captures everything the user types, including their banking credentials. This allows fraudsters to take over the victim’s account without having to guess the password.
Generative AI
Hackers are increasingly leveraging generative AI technology as a tool for account takeover attacks. In fact, according to Onfido’s latest Identity Fraud Report, 2024 saw a 3,000% jump in the use of AI-enabled deepfakes.
Deepfakes involve using AI to create highly realistic (yet fake) images, videos, or audio that mimic the appearance or voice of a real person. Fraudsters can leverage this technology to impersonate individuals, such as company executives or trusted contacts, in order to deceive victims into providing sensitive information or authorizing financial transactions.
For example, a deepfake video might feature a seemingly legitimate message from a high-level executive instructing an employee to make an urgent payment or transfer funds. In some cases, audio deepfakes are used during phone calls to convince victims they are speaking with a known and trusted person.
This level of realism makes deepfakes particularly dangerous, as they can bypass traditional methods of verifying someone’s identity, such as video calls or voice recognition.
Example: Hacker group “Scattered Spider”
Typically, ATO fraud doesn’t involve just one of the above methods, but a combination of them. Take the case of Scattered Spider, for example.
Scattered Spider is a hacker group known for its sophisticated approach to account takeover fraud. Their primary method involves targeting individuals through phishing and smishing (SMS phishing) campaigns. Once a victim responds to these deceptive messages, Scattered Spider actors typically initiate a SIM card-swapping attack, allowing them to gain control of the victim's mobile number.
After successfully executing a SIM swap, the group seeks to gather personally identifiable information (PII) about the victim. They focus on extracting answers to security questions and identifying usernames and passwords.
With this sensitive information in hand, the threat actors employ social engineering tactics to manipulate IT help desk personnel to reset passwords and multi-factor authentication (MFA) tokens. This enables them to execute account takeovers, particularly within single sign-on (SSO) environments, allowing access to a variety of accounts linked to the compromised credentials.
What are the risks of account takeover fraud?
Account takeover fraud poses several risks to both businesses and consumers.
For consumers, account compromise could lead to:
- Monetary loss: When fraudsters crack your bank account they can make unauthorized withdrawals or purchases.
- Additional account takeovers: If your account is taken over, it can increase the risk of your other accounts being hacked, especially if you use the same passwords or login details. About 70% of ATO victims reported their compromised accounts didn’t have unique passwords, increasing their susceptibility to attacks.
- Identity fraud: If an attacker obtains enough of your personal information, there’s a risk they may go on to commit other crimes using your identity — for example, taking out credit in your name.
The business impacts are just as devastating and can include:
- Financial loss: Businesses are responsible for any chargeback costs associated with account takeovers. These costs can slowly add up and ultimately hurt the business’s bottom line.
- Reputational damage: Account takeovers are stressful for customers. If their data is compromised in a breach, or their account taken over, they will likely hold the business at least partially responsible.
- Loss of customers: In some circumstances, customers might jump ship if they feel a business can no longer be trusted. More simply, allowing ATO fraud can drive consumers away and lead them straight to your competitors.
What accounts are at risk?
Fraudsters primarily target accounts with the greatest likelihood of holding sensitive information. These include:
- Bank/financial accounts: In a bank account takeover, attackers gain access to a bank or savings account to steal personal information, change account details, transfer or withdraw funds, or make unauthorized purchases in your name.
- Social media accounts: This occurs when attackers gain unauthorized access to your online profiles. From there, they can steal personal information, send scams to social media contacts, and post using your account.
- Government/benefits accounts: This mostly applies to online tax accounts and similar services. Cybercriminals who take over such accounts can file fraudulent tax returns or claim benefits in your name.
How to spot the signs of account takeover
Some of the warning signs of an account takeover include:
- Unfamiliar charges on an account
- Changes to your personal information (such as phone numbers and email addresses)
- Password reset requests
- New login notifications from the account platform
- Fraud notification from the account platform
- Emails, letters, or calls about purchases, benefits, transfers, or withdrawals you haven’t authorized
Spotting these early warnings is challenging for businesses, but it’s much easier with fraud detection software. With the right solution, organizations can automatically identify suspicious activity in real time. Fraud detection tools analyze user behavior, transaction patterns, and account activity to spot anomalies that may indicate a potential breach.
For example, if an account experiences unfamiliar charges or attempts to change personal information, the fraud detection system can flag these actions for further review. Additionally, the software can monitor login attempts, alerting businesses to unusual login locations or times that differ from a user's typical behavior.
By leveraging fraud detection tools, businesses can quickly identify warning signs of account compromise, allowing them to take swift action to mitigate the impact. This proactive approach not only helps protect customer accounts but also enhances overall trust and security within the organization.
How to prevent account takeover fraud
Businesses and consumers can both take steps to prevent account takeover fraud. Consumers should stay vigilant and aware, and take the following steps to safeguard their accounts:
- Never reuse passwords: Almost 75% of people who’ve been exposed to two or more breaches in the past year reused passwords across multiple accounts. Password reuse means if your credentials are compromised once, an attacker can hack any accounts that share the same credentials. Password managers are an excellent tool to generate unique, high-security passwords for individual accounts, and to keep track of your account logins.
- Enable multi-factor authentication: Where available, MFA can add extra layers of protection. This allows you to add steps to access your accounts (such as receiving a verification code via SMS).
- Check active logins: Keep an eye on any ongoing login sessions to your accounts. If any of these look unfamiliar, it could be a sign someone is trying to hack your account.
- Check whether you’ve been a victim of a data breach: Dark Web scanners allow you to see if your information has been leaked online. If it has, you’ll know to reset any leaked account information.
- Use a virtual private network (VPN): VPNs can help protect your home Wi-Fi network against man-in-the-middle attacks.
Businesses can also take steps to reduce their risk of ATO fraud. These include:
- Use biometric checks: Incorporate biometric verification methods, like facial recognition or fingerprint scanning, which are difficult for fraudsters to replicate, adding a strong defense against unauthorized access.
- Monitor account activity: Regularly track and analyze customer account activity to identify unusual patterns or behaviors that may indicate a compromise. This can help detect potential fraud early.
- Trigger real-time notifications: Set up automated alerts to notify customers of suspicious activities, such as login attempts from unfamiliar locations or changes to account information, prompting them to take immediate action.
- Conduct security awareness training: Educate employees and customers about common phishing tactics and security best practices to help them recognize potential threats and respond appropriately.
- Implement risk-based authentication: Use adaptive authentication methods that adjust the required verification levels based on the risk associated with a transaction or login attempt, providing extra security when needed.
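The following is an added example, not Onfido’s product or any code from the original article, showing how the risk-based authentication described in the last item can be built from the signals discussed in the fraud detection section (unfamiliar location, unusual time, new device) plus the credential-stuffing signal from earlier (one IP trying many different usernames). The user profile, weights, thresholds and login events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline for one account: what "normal" looks like for this user.
KNOWN_PROFILES = {
    "alice": {"countries": {"US"}, "devices": {"dev-aaa"}, "active_hours": range(7, 23)},
}

# Constructed login events (documentation-range IPs, not real traffic).
# "ok" means the submitted password was correct; risk scoring runs after that check.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "country": "US", "device": "dev-aaa", "hour": 9, "ok": True},
    {"user": "alice", "ip": "203.0.113.9", "country": "RO", "device": "dev-zzz", "hour": 3, "ok": True},
    # A burst of failures from one IP against 25 different usernames, then a hit on alice.
    *[{"user": f"user{i}", "ip": "203.0.113.5", "country": "US", "device": "dev-bot", "hour": 4, "ok": False}
      for i in range(25)],
    {"user": "alice", "ip": "203.0.113.5", "country": "US", "device": "dev-bot", "hour": 4, "ok": True},
]

STUFFING_THRESHOLD = 20  # distinct usernames tried from a single IP (assumed value)

def ip_username_counts(events):
    """Distinct usernames attempted per source IP: the credential-stuffing velocity signal."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in seen.items()}

def score_login(event, profile, ip_counts):
    """Return (risk score, reasons). Weights are illustrative, not calibrated."""
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += 30; reasons.append("unfamiliar country")
    if event["device"] not in profile["devices"]:
        score += 25; reasons.append("new device")
    if event["hour"] not in profile["active_hours"]:
        score += 10; reasons.append("unusual hour")
    if ip_counts.get(event["ip"], 0) >= STUFFING_THRESHOLD:
        score += 50; reasons.append("source IP spraying many usernames")
    return score, reasons

def decide(score):
    """Adaptive step-up: low risk passes, medium risk requires MFA, high risk is blocked."""
    return "block" if score >= 80 else "step-up" if score >= 30 else "allow"

def evaluate(events, profiles):
    """Score every successful password check for a known user; failures only feed velocity."""
    ip_counts = ip_username_counts(events)
    return [(e["user"], e["ip"], decide(score_login(e, profiles[e["user"]], ip_counts)[0]),
             score_login(e, profiles[e["user"]], ip_counts)[1])
            for e in events if e["ok"] and e["user"] in profiles]

if __name__ == "__main__":
    for result in evaluate(EVENTS, KNOWN_PROFILES):
        print(result)
```

The travel-like login (new country, new device, odd hour) is pushed to MFA rather than blocked, while the correct password arriving from the IP that just sprayed 25 usernames is blocked outright.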
Account takeover fraud prevention with Onfido
Combining Onfido’s Document and Biometric Verification solutions is a high-assurance way to verify customers at account creation and beyond. By verifying a customer’s biometrics when they sign up for an account, businesses can then re-verify against those credentials at moments of high risk — like account recovery or payment authorization — to support ATO fraud detection.
With Onfido’s biometric re-verification, the solution prompts users to submit a new selfie or motion capture. We then confirm it matches the document verified at onboarding, ensuring the individual is who they claim to be.
The result? Fewer risks for you and your customers. In fact, combining AI-powered fraud detection tools in this way can decrease residual fraud by 90%.