What is Account Takeover (ATO) Fraud? How to Detect & Prevent ATO

Account takeover fraud (ATO) is a form of identity theft where fraudsters overtake an online account and pose as real users. Typical means for ATO include compromised credentials, session-hijacking, social engineering, and device takeover. 

For example, ecommerce sites are common targets for ATO fraudsters for a variety of reasons, including the fact that quite a lot of sensitive and financial data are stored there, and yet individual users may be less vigilant with their security than in some other verticals. Once bad actors gain access to an ecommerce account, they can make purchases with the card on file, but they can also view sensitive personal data such as credit card numbers, home addresses, phone numbers, and email addresses. Not only does this example show how an ecommerce platform can be damaged by ATO, but it also highlights how ATO is used for identity theft. Similarly, a bad actor may seek access to an online banking portal in order to transfer funds or to harvest enough PII to use elsewhere – for example, at another financial institution to apply for a loan under a stolen identity.

ATO is a problem in most industries that do business online. The following industries are especially common targets for ATO:

• Financial services

• Online retail & ecommerce

• Healthcare

• Social media

• Video streaming & entertainment

• Online gaming

• Utilities

Common ATO Red Flags

• Odd Login Behavior: Logins from new devices, new locations, new times, or anything outside of previous common behavior is considered a red flag.

   

• Large Number of Failed Login Attempts: When multiple login attempts occur in a short period of time, this may indicate a brute force attack, which involves repetitive attempts to “guess” a password based on minimal pieces of PII.

   

• Login Spikes: Bots are commonly used to flood the system, similar to a brute force attack.

   

• Account Detail Changes: If there are changes to an account’s preferred email, phone number, or security/account recovery details, especially all at once, this can indicate an ATO.

   

• Suspicious Activity: High volumes of chargebacks or purchases from new locations should be considered suspicious.

Credential stuffing tools, password cracking tools, phishing and social engineering schemes, combined with personal identifiable information (PII) available on the dark web, make account takeover attacks a common fraud technique. According to research by Sift’s Q3 2023 Digital Safety and Trust Index, ATO attacks are on the rise, jumping an eye-popping 354% year-over-year. Nearly one-fifth (18%) of those surveyed have experienced account takeover attacks, with 62% of those taking place in the past year. Over 34% of victims were defrauded 2+ times, typically while using sites or apps for digital subscriptions, online shopping, and financial services. To make matters worse, global fraud losses are projected to be 20% higher than they were last year, and set to cost merchants and consumers billions by the close of 2023.

Furthermore, according to Sift’s research, most consumers (73%) believe the brand is accountable for ATO attacks and responsible for protecting account credentials; while fewer than half (43%) of account takeover victims were notified by the company that their information had been compromised. With the responsibility for sensitive information falling on brands, ATO prevention must be taken seriously.

Impact of ATO Fraud

ATO fraud isn't limited to personal accounts. The FBI recently announced that $50 billion has been lost in both domestic and international business email compromise. This is a $7 billion increase from 2022. From December 2021 to 2022 alone, there was a 17% increase in reported global losses to BEC. With this form of account takeover, the fraudster gains access to a business's email account and makes unauthorized fund transfers.

• Financial losses: Unauthorized transactions, fund transfers, and access to linked accounts using pilfered login credentials can lead to substantial financial setbacks for individuals and businesses. According to a Security.org study, the average financial losses resulting from Account Takeover (ATO) incidents amount to approximately $12,000. Additionally, businesses may incur costs associated with disputing and processing chargebacks stemming from fraudulent transactions caused by ATO attacks

   

• Identity theft: Personal information theft, including social security numbers, credit card details, and login credentials, exposes individuals to the risk of identity theft. The aftermath can entail significant monetary losses and diminished credit scores.

   

• Reputational damage: Businesses grappling with ATO fraud may suffer reputational damage potentially resulting in customer loss and revenue decline.

   

• Negative impact on user experience: ATO attacks can also impact user experience and brand image. For example, eCommerce firms must safeguard user accounts to avoid negative repercussions such as fraudulent transactions, payment fraud, user mistrust, and damage to brand reputation.

Account takeover is completed through a series of steps:

1. The fraudster gains access to victims' accounts, typically using compromised credentials.
   
   
2. The fraudster starts with small, non-monetary changes to account details, such as:
   
   
   • Modifying personally identifiable information (PII)
   • Requesting a new card
   • Adding an authorized user
   • Changing the password
     
     
   These activities are regular occurrences, so they are harder to detect as fraudulent.
   
   

3. After one or more of the changes is successfully completed, the fraudster is free to continue with financial and other transactions. Victims' accounts may include saved payment information, additional PII or rewards points that provide useful data for money transfers, large purchases, taking out loans in victims' names and taking over more accounts. The more information the fraudster can gather, the easier it becomes to access more of the victim's accounts and services.

Examples of account takeover fraud exist in many industries. Because these attacks can go undetected for months, bad actors remain active. When financial gain is the goal, account targets can include banking, credit cards, e-commerce sites and any business where employee credentials could lead to a payout. A bad actor that takes over a bank account or credit card account can send funds to their own accounts or make purchases on e-commerce sites, including gift cards. The purchases can then be sold, making them hard to trace.

In addition to financial gain, other reasons for account takeovers include: collecting data about family, friends and colleagues for additional attacks; collecting healthcare and other sensitive information for extortion; and/or damaging reputations using compromised social media accounts. Social media account takeover can be detected quickly if the user is high profile and the fraudulent posts are obvious. For example, in 2016, Katy Perry's Twitter account, with 89 million followers, was taken over and used to slur other singers and urge Perry's followers to follow another account.

Cybercriminals can get creative with their actions. For example, a fraudster can take over a victim's Airbnb account or other booking service account. The booking looks legitimate to Airbnb and the credit card company, so the fraud goes undetected. The victim only discovers the fraud after seeing the credit card bill, but the victim is locked out of their Airbnb account. The fraudster can continue booking trips while the victim attempts to reclaim their account and get the charges removed.

There are numerous methods a bad actor can use to get the credentials needed for account takeover, in addition to data breaches or buying them on the dark web. Account takeover fraud methods include:

Phishing

Phishing schemes, often conducted via email or text, are designed to get victims to provide account information to fraudsters. This type of social engineering is characterized by tricking victims by impersonating legitimate organizations, like government agencies and banks, or victims' family and friends. We've all gotten emails or texts from "banks" saying our accounts are locked and we need to provide login information for account recovery. Or "friends" who ask us to click on a link, which will install spyware or other malware on our computer or mobile device. Victims who unknowingly fall for these types of fraud provide bad actors with easy access to their accounts.

Phishing goes beyond these classic schemes and continues to evolve with the help of AI-assisted tools. Recent advanced phishing tools apply the more advanced Adversary In The Middle (AITM) attack, which is even resistant to some MFA methods such as OTP.

Phone Scams

Seniors are often the target of phone scams, since they may have listed phone numbers, own a home and have savings and good credit. Seniors with dementia or other challenges are at higher risk of fraudsters repeatedly taking advantage of them. This form of social engineering is perpetrated by scammers pretending to be tech support in need of access to the victim's computer or a grandchild who needs banking information in order to transfer funds for an emergency. The FBI estimates elder fraud results in $3 billion in losses annually.

Unsecure WiFi

Personal WiFi needs to be secure, which may require changes to default settings. The same is true of security settings on Internet of Things (IoT) devices that use WiFi, like doorbell, thermostat and garage door apps, which can be hacked and allow access to a network. Public WiFi should never be used for anything important, especially when it involves logging into accounts. A bad actor can set up a man-in-the-middle attack by creating a fake wireless access point in a public location, like a coffee shop, and use it to intercept your internet activity.

Credential Stuffing / Password Cracking / Brute Force Attacks

Credential stuffing uses bots to test compromised credential combinations on multiple websites or apps to access accounts. Password cracking tools automate the use of leaked or stolen usernames with dictionaries of common passwords, sometimes supplemented with custom dictionaries, to access accounts. Brute force attacks are a popular cracking technique that involve trying different variations of symbols or words until the correct password is figured out.

Session Hijacking

Authenticated user sessions are maintained by storing a session and authentication token on the client device (e.g. cookie in the browser). Attackers may bypass the login and take over an account by stealing a valid token. Stealing a token may be done using different techniques such as Man-In-The-Middle (MITM), Man-In-The-Browser (MITB), and others.

Rise of AI in ATO Fraud

The rapid developments in artificial intelligence are changing the fraud landscape as both attackers and those who fight to stop them are leveraging AI to be more effective. Fraudsters use generative AI to create more accurate and convincing social engineering campaigns at a large scale, developing phishing emails, scam texts, and scripts. Generative AI can also be used to create realistic voice and video fakes, and may be utilized to fake identities and identity documents in an attempt to bypass identity proofing. Meanwhile, counter-fraud tools also leverage AI, creating more accurate AI models using recent technological breakthroughs and leveraging LLMs as part of the fraud analytics process, offloading some of the human labor involved in fraud analysis. This makes finding the right fraud prevention team and tools so important in 2024 and beyond.

• Email and communications monitoring: Fraudsters make phishing attempts or other requests for information via email or text message, so it’s important to monitor communications to identify and block these attempts.

   

• IP reputation: Fraud often originales from suspicious IP addresses. It is useful to look at IP reputation overall as well as other IP information such as country of origin to help spot attempted fraud.

   

• Machine learning: Machine learning models can help you more effectively identify suspicious users and sessions with greater speed and accuracy.

   

• Device information: A high number of “unknown” devices interacting with your site or app may be a sign of an ATO attack. Additionally, if a single device is accessing more than one account, this may also be a sign of an attacker targeting multiple accounts for ATO.

   

• AI-based fraud detection: Today’s attackers are making use of AI to mimic legitimate users and make their attacks harder to detect, but in turn, AI-based detection technology can help identify these attacks.

Protecting data from cybercriminals has to be a joint effort by individuals, enterprises and law enforcement. The cost of ATO fraud grows exponentially if left unchecked. For enterprises that fail to stop compromised accounts, the losses extend beyond the direct costs connected to each individual account. Customers often hold companies responsible for the success of fraudsters and high-profile ATOs make the news. The effects of ATO fraud continue for years, from lost customer revenue to damage to brand reputations.

Watch this short video to learn more about Ping's threat protection solution for detecting ATO, PingOne Protect.

Data Protection

As an individual, there are a few things you can do to reduce the risk of ATO fraud. Stay current on threats and guard your credentials from phishing attacks, phone scams and other cyberattacks. Use unique, complex passwords every time and don't share them with anyone. Make sure your WiFi and IoT devices are secure, and avoid using public WiFi to access your business and personal accounts.

Security Protocols

Businesses need to be proactive in their efforts to reduce account takeovers, while making sure they don't frustrate or overburden legitimate users with endless verification steps. A holistic approach of combining identity and access management (IAM) solutions with fraud detection tools can stop bad actors before they are able to access user accounts.

Two-factor authentication (2FA) and multi-factor authentication (MFA) provide enterprises with an added layer of security to prevent cybercriminals from using compromised credentials to access accounts, and individuals should add these options to their accounts when available. MFA and 2FA require users to provide additional forms of authentication to prove their identity, which fraudsters do not possess, so access to accounts is denied.

Identity verification, also called identity proofing, is another security tool that is used to ensure a user's digital identity is tied to their real-life identity. Businesses can choose to deploy an identity verification step for high-risk or high-value transactions to further reduce the chance of fraud.

For enterprises, the threat of fraudsters taking over legitimate user accounts is amplified by the fact that insiders and verified users can also be bad actors. An identity and access management (IAM) system integrated with fraud detection tools can help enterprises automate real-time fraud mitigation during a session to prevent bad actors from carrying out their fraudulent activities.

Fraud Detection Tools

Modern online fraud detection tools use artificial intelligence (AI) to examine hundreds of unique user data points generated by human-to-device interactions, device attributes and account activities to distinguish between legitimate users and fraudsters. Behavioral and context-based analysis identify automated (bot) and fraudster behavior because they don't follow the same pattern as legitimate user activity. Fraud detection tools can be activated when a session begins, which allows them to recognize unnatural activity during the session and stop fraud before transactions are made.

To learn more about online fraud, please read our Ultimate Guide to Fraud Prevention.