Account Takeover Fraud – How to Stop It Before It Hurts Your Business and Users

Author avatar

by Tamas Kadar

Account takeover fraud (ATO) still costs businesses millions of dollars each year. Here’s how to prevent it from happening.

Just imagine waking up one morning and not being able to log into your crypto wallet. You’ve been logged out, and no matter how many times you enter your password, you still can’t get into the app.

At first you might think it’s a glitch. But what if something more sinister had happened? Had someone with bad intentions logged into your account, what kind of damages could they cause? Credit funds to an unknown wallet? Find your personal address and bank details? 

This is precisely why account takeover attacks, or ATO, are so damaging. As the services that support our digital lives are increasingly interconnected, losing access to one account could mean losing all of them. 

And it’s a crime that hurts everyone. Victims end up paying $263 out of their own pocket to resolve an ATO, not to mention the time, stress, and efforts needed to overcome the problem. It results in a loss of brand trust, and damages company’s reputations. Luckily, in this post and our accompanying dedicated ebook, we’ll show you how to stop them in the first place.

What Is An Account Takeover Attack?

Account takeover fraud, or an ATO attack, happens when a fraudster logs into someone else’s account. The goals are to drain it of funds, to mine it for personal and financial information, or to resell the account on the darknet. The practice, which is a form of identity theft, is also known as credential stuffing, and costs organizations millions of dollars each year.

What an ATO Attack Looks Like From Your Side

The problem with account takeover fraud is that by the time it happens to your customer, it’s already too late. Still, there are telling signs an ATO attack could be underway:

  • You are getting unusually high numbers of chargeback requests: someone is purchasing items with someone else’s account, and it could cost you a lot in chargeback fees.
  • Hundreds of login attempts on one account: another sign something strange could be going on. If the user doesn’t remember their login and password, why don’t they get in touch with support?
  • Mass password reset requests: the first thing fraudsters will do after a successful ATO is changing the password. Keep a close watch on strange password reset requests.
  • Shipping address changes: while these happen all the time, they shouldn’t decrease suspicion.
  • Very large purchases: again, not a clear indicator of fraud, but a good reason keep an eye on the transaction details.
  • Multiple changes to an account in one session: one of the clearest signs something wrong could be happening. Users rarely need to change their passwords, credit card details and shipping info all at once, for instance.
  • Credit of a large number of reward points: bonuses and rewards attract fraudsters who take over accounts to drain them.
  • Suspicious IP addresses: for instance multiple users sharing the same address or device, IPs pointing to proxies, such as VPN or TOR usage.
  • Strange user behaviour: looking at keystroke velocity, mouse movements, user scrolling and device orientation can go a long way in spotting bot attacks designed to bypass Captcha verifications.

Now while some of these scenarios can be detected manually by eagle-eyed business owners and fraud managers, in most cases you’ll need specific tools, especially if you’re looking at user behaviour. We’ll get to these tools below, but now that we know what ATOs look like, let’s also see how they happen. 

What Makes Your Users Susceptible to ATO

The bad news is that fraudsters are attracted to all kinds of accounts, no matter what vertical your business operates in. 

There’s value in anything digital, and while a bank account or e-wallet is the ultimate goal, fraudsters won’t hesitate to take over accounts from media streaming (Netflix, Spotify) to ecommerce and social accounts (Facebook, Twitter). In fact, account flipping can be so lucrative that many fraudsters do it full time.

account takeover market value
The value of stolen accounts on the dark web, as reported by TrendMicro

But how do they get these accounts in the first place? It has primarily to do with data breaches.

Anytime you hear about a company losing millions of accounts, these records end up on darknet marketplaces, where they are bulk sold and bought. 

In fact, we’re now seeing an increase in clearnet sites selling illegally acquired accounts for account takeover. This means the market is much bigger, as no technical expertise is needed, and speaks volumes about the bravado and confidence of these criminals and fraudsters.

account takeover clearnet marketplace
Screenshot from a clearnet account marketplace

Then, there are plenty of other ways fraudsters can log into you users’ accounts:

  • Lax password protection: Despite numerous warnings, studies show that more than 52% people still reuse passwords on multiple sites and apps. One batch of compromised info can therefore potentially unlock accounts all across the web for the same person, allowing access to credit card numbers or a social security number.
  • Brute force: the trial and error method can work, especially with users who have unsafe, commonly used passwords such as “123456” or “qwerty”. This can be performed at scale with bots, and is also referred to as password-spraying.
  • Phishing: fraudsters send an email that links users towards a fake landing page. Email recipients are asked to login, and the website stores that information, for instance credit card data.. Or they can just pass as the email sender and ask for the email manually, which counts as a form of social engineering.
  • Malicious software: keyloggers, trojan viruses, spyware, and various other types of malicious software are used by fraudsters to intercept or harvest sensitive information like credit card info.
  • SIM hijacking: a worrying technique due to the rise of SMS authentication. Fraudsters ask mobile carriers to switch a phone number to another SIM card under their control. They then access all online accounts tied to the phone number as well as incoming SMS messages, allowing them to easily bypass 2FA (two factor authentication).
  • Advanced phone hijacking: more sophisticated methods will see fraudsters posing as fake WiFi public hotspots or even cell towers to intercept mobile data.

Finally, if fraudsters manage to get someone’s email info, they can use cloud recovery systems to reset an account’s login and password, and take control of it. 

The Best Tools to Prevent Account Takeover Fraud

The best strategy, from a merchant’s perspective, is to assume ATOs will happen. So first and foremost, there must be an effort to educate your users about the value of their login details. 

You can nudge them towards using a password manager, using stronger authentication methods, and being vigilant. In fact, you can even ensure they don’t use a password that’s already been found in a database breach, using a tool like HaveIBeenPwned, and integrating into your platform.

But it’s not always enough. And while account takeover attacks increase in sophistication, luckily so do the fraud prevention solutions at your disposal.

ip analysis icon

IP Analysis: The easiest and most cost-effective way to discover suspicious use is to look at IP addresses. You will immediately know if someone is using TOR or a VPN to connect to your site or web app. While not all IP spoofing methods are a sign of fraud, it’s a good place to start.

device fingerprinting icon

Device fingerprinting: For more sophisticated analysis, you’ll want to look at the combination of software and hardware of our users. Each combination can be logged via a hash, or unique ID, which lets you know when someone starts using a new device or web browser.

Emulators and virtual machines, solutions often used for bot ATO attacks, can also be detected. In fact, SEON’s device fingerprinting tracks thousands of data points, even when users are in incognito mode or when they reinstall their browsers.

velocity rules icon

Velocity rules: this uses algorithms that look at user behaviour over time. For instance, too many login or transactions attempts during a certain time frame can increase suspicion. You could even look at vey granular details such as the amount of scrolling or the speed of keystrokes to get a good idea of who you’re dealing with.

dynamic friction icon

Dynamic friction: an invisible security layer that lets you remove suspicions without making it too frustrating for legitimate users. For instance, if SEON’s fraud prevention engine finds that there are too many red flags during a login, you can use dynamic friction to trigger additional authentication methods, for example email verification.

Thanks to data enrichment, it’s also possible to get more information about your users every time they log into your site. This will allow you to get more precision when calculating risk. This risk calculation is done by SEON’s powerful fraud detection engine, using your own rules, preset rules tailored to your industry, and machine-learning suggested rules. 

Don’t Let ATO Attacks Damage Your Business

At SEON, we understand that account takeover creates a vicious cycle of fraud. Those who manage to get into your business without authorization damage the relationship between you and your users, and they hurt your bottom line.

This is why we’ve designed our fraud detection solution to incorporate all the most powerful tools possible to detect ATO before it’s too late. 

Including machine learning, device fingerprinting and modular data enrichment, it gives you complete control over how you can prevent fraud and grow your business and user base with full peace of mind. 

Share article

Learn more about our products


Author avatar
Tamas Kadar

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.

Sign up to our newsletter