What Is Account Takeover Fraud (ATO)? Detection & Protection

Having trouble protecting your user accounts? In this guide, we’ll see why accounts are targeted, how fraudsters acquire them, and, of course, which steps you should take to secure them.

This is your complete guide to understanding and detecting account takeover (ATO) fraud in your business.

What Is Account Takeover Fraud?

Account takeover fraud (ATO) refers to a fraudster gaining unauthorized access to an online account by stealing login credentials. It is a form of identity theft, as the attacker exploits the account for various malicious purposes.

Users might call account takeover fraud “account hacking” when they realize someone has stolen their online credentials. This type of identity theft occurs when someone logs into an account that isn’t theirs to exploit it.

Most ATO attacks are intended for financial gain, but fraudsters may have other motives, such as:

  • Acquiring sensitive personal information
  • Impersonating the account owner
  • Accessing funds or payment cards
  • Using the account to defraud the owner’s contacts
  • Conducting schemes like phishing or CEO fraud

How Does Account Takeover Fraud Work?

There are many paths to successful ATO fraud. It works different depending on the attack vector:

  • Opportunistic: A fraudster stumbles upon someone’s login details. This could be accidental, or more sophisticated, for example following a mass phishing email campaign. It could be because of an easy-to-guess password, brute force, or via malware such as a keylogger
  • Bought credentials: Every huge data breach means a proliferation of ATO attempts is sure to follow due to the account details being sold in bulk for cheap on the darknet
  • Credential stuffing: This is when fraudsters automate attacks (usually with bots) using login details they bought from a leaked database.
  • Exploiting security vulnerabilities: This is where unpatched security holes are used to gain unauthorized access to a system. For example, Cross-Site Scripting (XSS) and Server Side Request Forgery (SSRF)
  • Targeted attack: Fraudsters will often target specific accounts which they know to be valuable. In social media and gaming, for instance, there is a huge market for what is known as OG accounts or accounts with a rare, short handle. To target these accounts, fraudsters often rely on spear-phishing techniques (targeted phishing), or SIM-Swapping attacks.
Protect Your Business from Account Takeover Fraud

SEON’s anti-fraud tools are designed to detect suspicious usage and uncover hidden fraudsters

Find Out More


How Much Does ATO Cost Businesses?

According to research from Kaspersky, more than half of all fraudulent attacks are in fact an account takeover.

While it’s harder for businesses to put a monetary value on ATO losses than, say, credit card fraud, it doesn’t mean it’s a victimless crime. There are very real consequences for affected businesses:

  • Hacks and security issues put a strain on your IT team.
  • Support is overwhelmed by customer requests while attempting to reclaim their account.
  • The finance department must fight chargebacks.
  • Users turn to competitors due to a loss of reputation and brand trust.

In the worst-case scenario, stocks can even plummet after a publicized breach. According to Bitglass research, this can be down by as much as 7.5%.

chart representing percentage in types of fraud like ATO

What Are the Signs of Account Takeover?

Employees, individuals, and IT teams must look out for numerous signs of account takeover. These range from unfamiliar transactions and unusual activity on an account to changes to personal details. Let’s look at some of the signs that should cause your Spidey-Senses to tingle:

  • Unfamiliar transactions: If you see something you don’t recognize, such as an email in your Sent Items that you didn’t send, an item on your bank statement you don’t remember buying, or a log-in alert for an account you’ve not tried to log in to, it’s a major red flag. This could be account takeover fraud, so don’t ignore it. Notify your IT department, bank, the company the account is with, and/or whoever else is relevant to the account.
  • Unusual activity: Higher-than-usual purchase values or changes in purchase frequency could indicate a bank, credit card, or ecommerce account has been taken over. Different log-in patterns (in terms of log-in location, time, or device, for example) could indicate a user account has been taken over. Whatever the type of account, unusual activity is something to watch for.
  • Personal information changes: There are plenty of genuine reasons why an account holder might change their registered email address, phone number, or shipping address. That said, when two or three of these all change at once, it is a cause for suspicion.

Businesses should be on the lookout for all the above signs of ATO. It’s also possible to spot attempted account takeover: Repeatedly failed log-in attempts are often a sign of a fraudster trying to get into an account by brute force, so it’s crucial to be alert to this, too.

Account Takeover Fraud Detection

While it can be challenging to catch ATO attempts, these attacks can be detected by monitoring for out-of-the-ordinary account behavior. Deploying end-to-end fraud prevention and detection software helps you keep track of user activity and helps you spot suspicious patterns.

  • Flag suspicious behavior: Look for suspicious account changes in real time, recognize suspicious IP addresses and identify unknown devices or multiple accounts being used from the same device. 
  • Spot connections between users: Identify fraud rings and sophisticated multi-accounting users who jump from one account to the next by recognizing recurring patterns and connecting seemingly unrelated users. 
  • Harness the power of Machine Learning: An AI-powered machine learning tool (ideally consisting of both a whitebox and blackbox model) gets increasingly accurate with your feedback and helps you identify the patterns and typical behavior the human eye wouldn’t be able to notice.

Implementing the right fraud prevention and detection solution equips you with the essential tools to proactively monitor user activity and swiftly identify suspicious behavior, effectively blocking account takeover attempts.

Methods for Account Takeover Fraud Detection

Detecting suspicious logins can be challenging due to the limited availability of data. However, deploying fraud detection software and tools can enhance your ability to extract additional information to get a better understanding of who exactly is logging into the account. This can be achieved through the following methods.

Device fingerprinting

Device fingerprinting is essentially the process of collecting information about the device a customer is using to access your service, including hardware and software information. This is highly effective in preventing users from logging in with unknown devices or browsers. It can also detect the use of suspicious emulators or virtual machines, which fraudsters often use to make multiple login requests.

IP analysis

IP analysis pinpoints the user’s location, monitoring regular geolocation patterns and flagging unusual connections. This extends beyond the indicated location, as new VPN or Tor connections may also raise red flags. Logging this data helps in creating user whitelists to reduce false positives. For instance, if a user informs you of their travel plans in advance, their IP address can be added to the whitelist accordingly.

Behavior analysis with velocity rules

If an account takeover is already underway, you can still catch it by spotting suspicious user behavior. Whether it’s inspected through a dedicated fraud prevention system or through manual investigation, here are some of the signs that an ATO attack might have happened.

How ATO Detection Works with SEON 

At SEON, we’ve built a number of ATO detection features into the core of our end-to-end fraud detection platform. We also took great care to put user experience front and center, reducing the processing time to a minimum while allowing you to leverage:

  • Powerful device fingerprinting: Instantly know when a user is connecting with a suspicious combination of software and hardware
  • Whitebox machine learning: SEON’s algorithm learns from your ATO patterns and retrains itself numerous times a day. You get results via human-readable rules, which you can use to backtest your login data to identify false-positive rates.
  • Velocity rules: Collect and screen complete user activity on your website via custom API calls relating to any data point you wish to send. It’s the closest thing to behavior analysis to help you understand precisely when someone is acting suspiciously. 

The good news is that protecting individual user accounts and your general business interests can be done using the same tools. Using the flexibility and customization options provided by both  SEON risk rules and our API calls provides your business with the level of fraud protection you need.

Frequently Asked Questions About ATO

What is the difference between identity theft and account takeover?

Account takeover involves someone accessing an account owned by another individual without authorization, whereas identity theft involves the fraudulent creation of a new account using stolen identity information. Account takeovers can affect both businesses and individuals, whereas identity theft exclusively impacts individuals.

What is the recommended method for detecting account takeover?

Monitoring account activity in real time, in addition to user behavior analysis and automated alerts for suspicious behavior is the best method to detect ATO. Additionally, regularly screening user credentials against known breaches and educating users about risks are essential components of an effective detection strategy.

What industries are most at risk of ATO attacks?

Industries most at risk of ATO attacks include but are not limited to financial services, ecommerce, healthcare, iGaming and government and education sectors due to their access to valuable data and financial assets.

Share article

Speak with a fraud fighter.

Click here

Author avatar
Bence Jendruszak

Bence Jendruszák is the Chief Operating Officer and co-founder of SEON. Thanks to his leadership, the company received the biggest Series A in Hungarian history in 2021. Bence is passionate about cybersecurity and its overlap with business success. You can find him leading webinars with industry leaders on topics such as iGaming fraud, identity proofing or machine learning (when he’s not brewing questionable coffee for his colleagues).

Sign up for our newsletter

The top stories of the month delivered straight to your inbox