Account takeover fraud

Account takeover fraud (or ATO fraud) is when someone uses stolen credentials to gain unauthorized access to your online accounts. This could include anything from bank accounts, investment, crypto or gambling platforms, to e-commerce or social media accounts.

During account takeover attacks, criminals use compromised personal information to get into your account. This compromised information can include email addresses, usernames, passwords, credit card numbers, and social security numbers. Once in, they can change account details, withdraw funds or make unauthorized purchases. 

Some account takeover fraud statistics from 2023 put the problem into perspective. Roughly 1 in 4 US adults have been a victim of account takeover fraud. And in the case of financial account takeovers, the average loss per incident is nearly $12,000.

Account takeover definition

The act of ‘taking over’, in other words breaking into, someone else’s online account with the intent of committing fraud or other malicious activity.

Methods used in account takeover fraud

Some of the methods used in account takeover fraud include data breaches, credential stuffing, and brute force attacks. Below, we run through these and other methods in detail.

Data breaches

During a data breach, hackers steal, copy, or gain access to confidential personal data, including emails, passwords, phone numbers, and Social Security numbers (SSN). Often, this data is then sold on the dark web. Atlas VPN found compromised Social Security numbers cost as little as $4 on the dark web. Fraudsters and criminals can purchase leaked personal information on the dark web and then use it to take over an account.

Credential stuffing

During credential stuffing attacks, fraudsters use bots to automate the input of compromised information into multiple login forms. Often, they will have lists of compromised personal information to scale up this type of attack. Bots will work through the list, inputting the account information into login forms across multiple sites. Scaling up these types of attacks gives fraudsters a higher chance of success. 

In this scenario, people who have reused login information or passwords across multiple accounts will be most at risk. This is why it’s so important to use unique login information across different accounts. If one account is compromised, at least fraudsters can’t use those same credentials to hack another account.

Brute force attacks

Brute force attacks share some similarities to credential stuffing. Fraudsters use scalable, automated tools to attempt to guess passwords and hack an account. The main difference is that unlike credential stuffing — where they use stolen credentials — they use random characters often strung together with common passwords. So a good defense against brute force attacks is to use strong, unique passwords, that include uppercase and lowercase letters, numbers, and special characters.

Man-in-the-middle attacks

Man-in-the-middle attacks are a type of cyberattack where the attacker intercepts two parties (for example business and consumer) who believe they are communicating with one another. In reality, attackers intercept information shared between the victim’s computer and a server. They can then eavesdrop on the information being shared and then use this information to their advantage, for example redirecting victims to a spoofed website. Most of these attacks occur on public wifi because connections are generally less secure than home routers.

Phishing attacks

During a phishing attack, fraudsters pretend to be a legitimate business, brand or trusted individual. They will then communicate with the victim, asking them to undertake certain actions. For example, getting them to click a malicious link that will install a piece of malware that harvests credentials, or asking them to make an unauthorized purchase or transaction. Some examples of phishing could be an email suggesting that your account is compromised and that you need to reset your password (via an illegitimate malicious link). Or, an email from a high-level employee asking you to purchase vouchers. The most common form of phishing is email, but fraudsters also use text messages (SMS), social media messaging services, and even phone calls. 


Malware is a type of malicious software. It’s often installed on someone’s computer, tablet, or smartphone after they click a malicious link (for example, attached in a phishing email) or after downloading software from suspicious sources. Some malware, called key loggers, records keystrokes and intercepts everything the user types, including their banking credentials, which fraudsters can then use to hack their account.

What are the risks of account takeover fraud?

Account takeover fraud poses several risks to both businesses and consumers. 

Risks for consumers:

  • Monetary loss: For consumers, the most pressing risk is probably financial loss. If fraudsters get into your bank account, they can make unauthorized withdrawals or purchases. 
  • Additional account takeovers: There’s also an increased risk that your other accounts might be hacked, especially if you re-use passwords or login information.
  • Identity fraud: If an attacker obtains enough of your personal information, there’s a risk they may go on to commit other crimes using your identity — for example, taking out credit in your name.

Risks for businesses:

  • Financial impact: Businesses are responsible for any chargeback costs associated with account takeovers. These costs can slowly add up and ultimately impact the businesses’ bottom line.
  • Reputational damage: Account takeovers are stressful for customers. If their data is compromised in a breach, or their account taken over, they will likely hold the business at least partially responsible.
  • Loss of customers: In extreme circumstances, customers might even jump ship if they feel a business can no longer be trusted.

What accounts are at risk from account takeovers?

Some of the main types of accounts fraudsters might target in an account takeover are:

  1. Bank/financial accounts: In a bank account takeover, attackers gain access to a bank or savings account to steal personal information, change account details, transfer or withdraw funds, or make unauthorized purchases in your name.
  2. Social media accounts: During a social media account takeover, attackers access your online profiles. From there they can steal personal information, send scams to social media contacts, and post using your account.
  3. Government/benefits accounts: This mostly applies to online tax accounts or similar. If they gain access, criminals file fraudulent tax returns or claim benefits in your name.

How to spot the signs of account takeover

Some of the warning signs of an account takeover include:

  • Unfamiliar charges on an account
  • Changes to your personal information (such as phone numbers and email addresses)
  • Password reset requests
  • New login notifications from the account platform
  • Fraud notification from the account platform
  • Emails, letters or calls about purchases, benefits, transfers or withdrawals you haven’t authorized

How to prevent account takeover fraud

Businesses and consumers can both take steps to prevent account takeover fraud. Consumers should stay vigilant and aware, and take the following steps to safeguard their accounts:

  • Never reuse passwords: Roughly 60% of account takeover victims used the same password across multiple accounts. Re-using passwords means if it’s compromised once, an attacker can get into multiple accounts. Password managers are an excellent tool to generate unique, high-security passwords for individual accounts, and to keep track of your account logins.
  • Enable 2FA: Where available, two-factor authentication (2FA) can add an extra layer of protection. This allows you to add an additional login step to accounts (such as receiving a verification code via SMS).
  • Check active logins: Keep an eye on any logged login sessions to your accounts. If any of these look unfamiliar, it could be a sign someone is trying to hack your account.
  • Check whether you’ve been a victim of a data breach: Dark Web scanners allow you to see if your information has been leaked online. If it has, you’ll know to reset any leaked account information.
  • Use a VPN: This can help to protect your home Wi-Fi network against man-in-the-middle attacks.

Businesses can take steps to reduce the risk of account takeovers by introducing 2FA, or similar methods of re-verification. This could include a biometric check, such as facial recognition, which is very hard to steal or impersonate. Businesses should also monitor activity across customers’ accounts, so that they’re able to trigger notifications or re-verification requests at the moment of risk, to prevent fraud in real time.

Onfido’s account takeover fraud prevention solution

Combining Onfido’s Document and Biometric Verification solutions are a high-assurance way to verify customers at account creation, and beyond. By verifying a customer’s biometrics when they sign up for an account, businesses can then re-verify against those credentials at moments of high risk — like account recovery or payment authorization — to support account takeover fraud detection.

During Onfido’s biometric re-verification, users are prompted to submit a new selfie or motion capture. We then confirm it matches the document verified at onboarding.

Discover Onfido’s Biometric Verification

See how you could leverage biometrics for account takeover fraud detection.

Learn more