What is account takeover fraud?

Account takeover (ATO) fraud is a form of identity theft in which a cybercriminal — or, increasingly, a well-organized gang of cybercriminals — breaks into and takes control of someone’s online account.

There are many different kinds of ATO fraud, but the end goal is always the same: to hijack an account and use it for financial gain. Once fraudsters have gained control of an account, they can steal information, withdraw funds, make purchases, or use the account for other criminal purposes.

With identity theft on the increase, ATO fraud is now a major threat to both consumers and online brands.

According to Javelin Strategy, account takeover attacks tripled in 2017, leading to direct losses of $5.1 billion.

The true impact is far higher, since ATO fraud also takes a toll on corporate brands, and increases the cost of acquiring, supporting, and retaining customers.

How has COVID affected ATO fraud?

The COVID-19 crisis has created new targets for cybercriminals and left both consumers and businesses at increased risk of ATO fraud. The sudden shift to remote work coupled with dramatically increased eCommerce activity left many businesses scrambling to build out new digital infrastructure, and previously planned cybersecurity programs were often left on the backburner even as cybercriminals redoubled efforts to hijack accounts.

The result: some kinds of identity theft have increased 40-fold since the start of the pandemic. Businesses of all kinds — both large and small — are reporting a significant increase in cyberattacks and related security threats. With up to 10% of the U.S. population experiencing identity theft in any given year, and rates of ATO fraud expected to continue rising in months and years to come, account takeovers are now a critical threat to organizations of all kinds.

Fortunately, you don’t have to deal with this threat on your own. Get in touch to learn how Deduce can help you prevent ATO fraud by leveraging security intelligence gleaned from a network of over 150,000 websites.

What kinds of organizations suffer from ATO fraud?

Account takeover fraud isn’t restricted to a single industry or type of organization. Virtually any business or entity that uses secure accounts to control users’ access to information, goods, money, or services is potentially a target for ATO fraud.


Financial companies

Financial companies are a major target of ATO fraud, with nine out of 10 financial institutions naming ATO fraud as their main cause of losses via digital platforms. Successful ATO can lead to account draining attacks, in which all money is withdrawn, or more sophisticated forms of fraud in which accounts are used for money laundering or to file bogus credit applications.


E-commerce brands

E-commerce brands are key targets for ATO fraudsters, with one in three online sellers saying that more than 10% of their total accounts had been hijacked in the past year. Fraudsters typically use accounts to put through bogus orders, claim refunds, or make purchases using stolen credit cards.


Media organizations

Media organizations are increasingly being targeted by fraudsters who collect and resell credentials to allow access to streaming services. In one recent case, a fraudster compromised over 1 million accounts and accumulated more than 100,000 paying customers who were willing to pay for shady subscriptions to streaming services.


Travel brands

Travel brands are an increasingly common target of ATO attacks, with fraudsters hacking into loyalty programs and frequent-flyer accounts to book hotels, buy products, or transfer points and miles to secondary accounts.


Government agencies

Government agencies are commonly targeted, with fraudsters seeking access to benefits or cash. COVID relief funding and business loans are a common target, but even before the pandemic, ATO attackers were targeting student loans, disability and Social Security payouts, and Medicare or Medicaid acc

Cybercriminals don’t just target accounts to use them directly. Because so many people reuse their passwords across multiple sites, hackers see every account breach as an opportunity to harvest email and password combinations for use in other attacks.

The bottom line: virtually any entity with password-secured user accounts is a potential target for an ATO attack. Click here for additional insights about how ATO fraud could impact your business.

Who commits ATO fraud?

Research shows that the bulk of account takeover fraud is carried out not by lone hackers but by well-connected and well-resourced criminal organizations. In fact, the increasingly industrialized ATO process means that a single attack may involve multiple different groups: one to obtain account details, another to check stolen login details against higher-value targets, a third to take control of and monetize compromised accounts, and perhaps additional groups to launder stolen cash or utilize stolen credit card information.

Fraudsters also share or sell data-dumps containing huge numbers of stolen login and password credential pairs, which can then be used to break into other accounts if passwords are reused across multiple sites.

With 15 billion logins from 100,000 separate data breaches now circulating online, even the smallest ATO gangs can access vast troves of stolen data to support their efforts to hijack accounts.

In other words, ATO fraud takes place within a highly developed ecosystem, with criminal groups trading information and selling scripts and services on the dark web. This ensures that successful tactics are quickly replicated, and methods for foiling security countermeasures quickly become common knowledge.

Still, while it’s easy for fraud rings to share information, research shows that the overwhelming majority of successful attacks are carried out by a relatively small number of elite criminal groups, pointing to the increasing professionalism and efficiency of ATO fraudsters.

How ATO attackers use botnets

By using botnets — vast networks of compromised computers, distributed all over the world and controlled using malware — fraudsters can launch enormous numbers of near-simultaneous attacks on countless targets. Many ATO assaults fail, but by launching their attacks in high volumes, fraudsters only need a small proportion to succeed in order to stay ahead of the game.

Criminal gangs are located all over the world, with fraud rings in Russia, Brazil, Nigeria, and China all linked to sophisticated ATO attacks. Some cybercriminal networks are known for particular kinds of ATO attacks: Russian hackers, for instance, were found to be behind attacks on social media accounts, while African and Chinese fraudsters were linked to a campaign of email takeover attacks.

Because attacks are channeled through diffuse networks of computers scattered all over the world, though, it’s difficult for any individual attack to be traced back to particular criminal groups. Only when you look at the data in aggregate, reviewing user behavior and security intelligence from tens or hundreds of thousands of websites at a time, does the full picture begin to emerge.

When you partner with Deduce, you can leverage our identity network to get the rapid, actionable intel you need. Check out our one-page guide for more tips on using collective intelligence to keep your customers safe.

What kinds of ATO fraud are there?

ATO fraud isn’t a single kind of attack. Cybercriminals are always innovating and testing new strategies for stealing account details and gaining control of users’ money and information. Some specialize in targeting financial institutions; others target e-commerce sites or specialize in identifying and monetizing high-value targets.


Credential cracking

Credential cracking, in which hackers force entry by simply guessing users’ login details. This is easily defeated by the use of secure passwords — but since many users still use dictionary words or simple number chains as their passwords, a high-volume brute-force attack can still yield results.


Credential stuffing

Credential stuffing, or using stolen credentials from one site to gain access to other accounts. This is a successful strategy since few account holders bother checking to see if their email addresses and passwords have been disclosed online, and many reuse the same details across multiple sites.
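From the defender's side, the two patterns above look different in a login log: cracking concentrates many failures on one account, while stuffing spreads single attempts across many accounts. The following is an added example, not code from the original page; the log format, function name and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample log of (source_ip, username, success) tuples.
SAMPLE_LOG = (
    # One source tries six different accounts once each; one pair works.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(6)]
    # One account is guessed at eight times from four rotating sources.
    + [(f"198.51.100.{i % 4 + 1}", "alice@example.com", False) for i in range(8)]
    # Ordinary user: one typo, then a successful login.
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)


def analyze_logins(events, min_accounts=5, max_tries_per_account=2,
                   min_fail_ratio=0.5, min_failures=6):
    """Separate stuffing-like sources from cracking-like targets.

    All thresholds are illustrative assumptions, not recommended values.
    """
    tries = defaultdict(lambda: defaultdict(int))   # ip -> user -> attempts
    fails_by_ip = defaultdict(int)
    hits_by_ip = defaultdict(set)                   # ip -> users that logged in
    fails_by_user = defaultdict(int)
    sources_by_user = defaultdict(set)

    for ip, user, ok in events:
        tries[ip][user] += 1
        if ok:
            hits_by_ip[ip].add(user)
        else:
            fails_by_ip[ip] += 1
            fails_by_user[user] += 1
            sources_by_user[user].add(ip)

    # Stuffing: many accounts, few tries per account, mostly failures.
    stuffing = {}
    for ip, users in tries.items():
        attempts = sum(users.values())
        if (len(users) >= min_accounts
                and attempts / len(users) <= max_tries_per_account
                and fails_by_ip[ip] / attempts >= min_fail_ratio):
            stuffing[ip] = {
                "accounts": len(users),
                # Successful logins from this source are likely takeovers.
                "compromised": sorted(hits_by_ip[ip]),
            }

    # Cracking: many failures against one account, counted per account so
    # that rotating source addresses does not hide the pattern.
    cracking = {
        user: {"failures": n, "sources": len(sources_by_user[user])}
        for user, n in fails_by_user.items() if n >= min_failures
    }
    return {"stuffing_sources": stuffing, "cracking_targets": cracking}


if __name__ == "__main__":
    print(analyze_logins(SAMPLE_LOG))
```

The "compromised" list is the part to act on first: those accounts accepted a password that arrived as part of a stuffing run.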


Account creation attacks

Account creation attacks, in which new accounts are set up and used later for fraudulent purposes. Compromised accounts can be saved for later use in money laundering schemes, used for bogus credit applications, or used in conjunction with stolen credit cards to make purchases.



Malware

Malware, in which malicious code such as keystroke loggers is used to silently capture a user’s login details across a range of high-value websites, or even to take control of a computer directly.


Mobile banking trojans

Mobile banking trojans, in which a fake screen is layered over a legitimate app to trick users into providing their login information.

Phishing and social engineering


Phishing, in which bogus emails or texts lure users into either installing malware or providing their login details directly. Preventing such attacks requires not just better security tech, but also user education.


SIM card swapping

SIM card swapping, in which a phone number is ported to a new device to gain access to mobile accounts, especially mobile banking apps or other fintech services.

Both business accounts and individual accounts are potential targets for ATO attacks, with businesses often seen as high-value targets for potential account draining attacks. For both consumer and business attacks, fraudsters often combine high-tech methods with social engineering, using telephone support services to reset passwords, change contact information, or gain full control of a compromised account.

To fend off increasingly sophisticated ATO attacks, you need broad-spectrum security intelligence and specialized support. Learn more about Deduce’s approach to defeating ATO attacks, or request a free demo today to see how Deduce puts you back in control of account security.

What do fraudsters do with hacked accounts?

Once a fraudster has gained access to an account, they typically make apparently inconsequential changes such as entering new contact information, changing the account password or PIN, or adding new authorized users. In doing so, the attacker can simultaneously deny access to the legitimate account owner, while cementing their control over the hijacked account.

Once the fraudster has established complete control over a compromised account, they can use it in whatever way they wish. It’s important to remember that cybercriminals are experienced professionals, and they know how to move quickly to monetize a compromised account. In fact, many hijacked accounts are used for fraudulent purposes within hours of being compromised.

Still, not all compromised accounts are used immediately by cybercriminals. Some are used for longer-term fraudulent activity, such as supporting ongoing money laundering projects or credit application scams, or are used in conjunction with stolen credit cards over longer periods of time.

Among the key ways that fraudsters use compromised accounts:


Draining the account

If a fraudster gains access to a well-padded bank account or a loyalty account with frequent-flyer miles or loyalty points, they may choose simply to empty the account, often by making transfers to a string of other hijacked accounts.


Money laundering

Fraudsters can use stolen accounts to channel transactions, helping to launder stolen money and conceal other fraudulent or criminal activity.


Bogus purchases

Once a hacker controls an account, they can make purchases freely. Digital goods and gift cards offer an easy way for criminals to monetize these purchases.


Reselling accounts

Stolen accounts for gaming or media services can be repackaged and sold as cut-price subscriptions.


Credit fraud

Accounts can be used to support bogus credit applications or can be used to make purchases with stolen credit cards.

How does ATO fraud hurt your customers?

According to Javelin, one in 20 U.S. consumers was affected by identity theft in 2019, leading to losses totaling almost $17 billion. But for consumers just as for businesses, the financial impact doesn’t capture the full cost of ATO fraud.

The majority of ATO fraud is first detected by consumers, not host organizations. That means individual consumers are left to deal with the shock and stress of spotting unauthorized account activity, potentially including large withdrawals from their accounts. It also forces consumers to spend significant amounts of time figuring out what’s happening, calling customer service agents, handling insurance claims, or documenting bogus transactions.

The cost of a successful ATO attack

Many ATO victims wind up having to change security settings and passwords on dozens of other accounts, and to carefully scrutinize their other accounts for bogus activity in the wake of a successful attack. Some spend significant sums on identity theft remediation services, even if their direct losses are covered by the business with which they hold an account.

In fact, research shows that consumers pay an average of $290 for every successful ATO attack, and also spend between 15 and 16 hours personally trying to resolve problems stemming from each attack.

Read more here about how your users think about ATO fraud — and how Deduce can help to keep them safe.

How does ATO fraud impact your brand?

Every successful ATO attack has a direct bottom-line impact in terms of the cost of remediation, with customers typically expecting to be made whole for any losses they incur and businesses often having to swallow the cost of bogus transactions conducted using compromised accounts.

Unfortunately, though, the direct costs are just the tip of the iceberg. With 19 out of 20 online brands reporting fraud, and almost two-thirds of consumers saying they won’t use a brand again following a successful ATO attack on their account, account takeovers are now a major source of reputational harm for today’s businesses. Brands that suffer ATO attacks pay a continuing cost through negative word-of-mouth, bad online reviews, and social media chatter.

It’s important to take such factors into account when weighing the true cost of ATO fraud. If your security doesn’t pass muster, you’ll have to invest more to acquire and retain wary or disgruntled customers. You’ll also potentially see churn increase and customer LTV decline as more of your users look elsewhere in the wake of an attack.

The regulatory consequences of ATO

To add insult to injury, organizations should also be prepared for regulatory blowback in the face of ATO-related data breaches. Under new data privacy statutes, regulators in Europe and elsewhere are now able to levy multimillion-dollar fines following data breaches. Besides putting a dent in your bottom line, such fines often attract media attention, potentially amplifying the reputational impact of a successful ATO attack.

With three-quarters of consumers saying security considerations are front-of-mind when they’re deciding which brands to do business with, even minor security breaches can have a big impact on perceptions of your organization. It’s important to invest in proper security infrastructure before you’re targeted in order to both meet your regulatory obligations and minimize the reputational fallout from potential ATO attacks.

The bottom line: ATO fraud is expensive. In fact, for a company with 500,000 users, direct and indirect losses from ATO can exceed $2.5 million. Click here to read more about the threats you face — and how Deduce can help you comply with regulations and minimize your risk exposure.

How can you detect ATO fraud?

Identifying ATO fraud isn’t easy. Cybercriminals put enormous effort into developing and sharing scripts that simulate ordinary user behaviors, making it hard to programmatically detect and fend off automated attacks. In fact, the majority of ATO fraud is first spotted by ordinary users who notice suspicious transactions on their account — and by then, of course, the attack has already succeeded.

To detect ATO fraud, it’s important to focus on identifying suspicious behavior both before and after an account is compromised. In other words, it’s important to detect both attempted ATO fraud (before an account is taken over, so you can prevent the ATO) and ongoing ATO fraud (after an account is hijacked, so you can prevent or mitigate fraudulent use of the account).

How automated ATO attacks simulate human behavior

The key challenge for creating effective ATO countermeasures is detecting whether an account login and post-login account usage are being carried out by legitimate users, or by either automated botnets or human bad actors.

This is complicated, however, by the increasing sophistication of ATO attackers, who use ever-more-advanced scripts and software tools to make each attempted login or other interaction appear to come from a legitimate human user. Some of the methods used by attackers include:

  • Entering keystrokes individually rather than copying blocks of text, to simulate a human typist
  • Responding slowly, to suggest a flesh-and-blood actor rather than a silicon one
  • Moving the mouse cursor to an answer field before entering a response
  • Using new IP addresses and hardware IDs to circumvent detection systems
  • Automatically rerouting CAPTCHA challenges for completion by human agents

Detecting such sophisticated attacks requires the ability to recognize both subtle nuances in human behavior and the minute variances that creep in when an automated system or human bad actor attempts to pass themselves off as a legitimate user.

Individual businesses don’t have visibility into those processes at the scale that’s needed — but by joining Deduce’s identity network, you can get the security intelligence you need to rapidly and effectively detect bogus logins and other ATO behaviors.

What should you do if you suffer ATO fraud?

If an ATO attack is currently underway, then speed is of the essence. Most compromised accounts are monetized within hours of their penetration, so it’s vital to put automated processes in place to identify potential attacks, flag suspect transactions or withdrawals, and rapidly freeze accounts that appear to have been breached.
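One way to automate that flag-and-freeze step is to watch for the sequence described earlier: a login from an unfamiliar device, then control changes (new contact details, a new password or PIN, a new authorized user), then money leaving the account. The following is an added example, not code from the original page; the event names, the six-hour window and the sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

CONTROL_CHANGES = {"email_change", "password_change", "add_authorized_user"}
WATCH_WINDOW = timedelta(hours=6)  # assumed; tune to how fast abuse follows


def at(hhmm):
    """Timestamp on a constructed sample day."""
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data: devices each account has used before ...
KNOWN_DEVICES = {"A-1001": {"dev-home"}, "A-2002": {"dev-phone"},
                 "A-3003": {"dev-laptop"}, "A-4004": {"dev-tablet"}}
# ... and an unordered event feed of (time, account, device, event type).
SAMPLE_EVENTS = [
    (at("09:00"), "A-1001", "dev-home", "login"),
    (at("09:05"), "A-1001", "dev-home", "withdrawal"),
    (at("02:00"), "A-2002", "dev-x", "login"),
    (at("02:03"), "A-2002", "dev-x", "email_change"),
    (at("02:04"), "A-2002", "dev-x", "password_change"),
    (at("02:30"), "A-2002", "dev-x", "withdrawal"),
    (at("10:00"), "A-3003", "dev-new", "login"),
    (at("10:02"), "A-3003", "dev-new", "password_change"),
    (at("08:00"), "A-4004", "dev-y", "login"),
    (at("08:10"), "A-4004", "dev-y", "withdrawal"),
]


def review_accounts(events, known_devices):
    """Return {account: "flag" | "freeze"} for takeover-like sequences."""
    watch = {}     # account -> state opened by a login from an unseen device
    verdicts = {}
    for ts, account, device, kind in sorted(events):
        if kind == "login":
            if device not in known_devices.get(account, set()):
                watch[account] = {"since": ts, "device": device,
                                  "changes": set()}
            continue
        state = watch.get(account)
        if (state is None or device != state["device"]
                or ts - state["since"] > WATCH_WINDOW):
            continue  # activity from a known device, or outside the window
        if kind in CONTROL_CHANGES:
            # Could still be the owner on a new phone: notify, do not lock.
            state["changes"].add(kind)
            verdicts.setdefault(account, "flag")
        elif kind == "withdrawal" and state["changes"]:
            # New device, then control changes, then money out: freeze.
            verdicts[account] = "freeze"
    return verdicts


if __name__ == "__main__":
    print(review_accounts(SAMPLE_EVENTS, KNOWN_DEVICES))
```

A withdrawal from a new device with no preceding control change is left alone by this rule, which keeps it quiet for customers who have simply replaced a phone.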

Once you’ve put out the initial fire, though, more work remains: you’ll need to proactively manage customer relationships and potential PR blowback from the attack, address potential data leakage, and move quickly to put tougher cybersecurity practices in place.

How to communicate about ATO fraud and identity theft

When ATO fraudsters strike, it’s important to realize that in most cases the real harm being done to your business is reputational, not financial. To minimize the impact, it’s important to have a clear plan in place to communicate proactively with affected customers.

First, it’s important to explain clearly how their account was affected, what was accessed or stolen, and how you’ll make them whole. It’s also important to provide reassurance that the ATO attack won’t be repeated. Explain any new security measures you’ve implemented as a result of the attack, to rebuild trust and ensure your users can feel confident that their data and money are safe in your hands.

How to conduct an ATO security postmortem

When your organization is affected by an ATO attack, it’s important to conduct an honest assessment to determine where things went wrong. If social engineering played a part in the breach, you may need to put new training processes in place to ensure customer support agents understand the threat. If customers put themselves at risk by reusing passwords across multiple sites, you could consider putting better customer outreach and education processes in place.

Oftentimes, though, the biggest vulnerabilities can be traced back not to individuals, but rather to infrastructure. If identity thieves can gain access to and misuse your users’ accounts, it’s a sign that you need better technologies in place to rapidly detect fraudulent account logins, and elevate account security dynamically in response to specific threats. Get in touch today to learn how Deduce can help you level up your ATO countermeasures and give your customers peace of mind.

What strategies are there to prevent ATO attacks?

The most obvious way to prevent account takeovers is to deploy pre-authentication security measures that block fraudsters from gaining access to accounts in the first place. But it’s also important to acknowledge that no matter how good your perimeter security, some fraudulent account access is likely to take place. That means that it’s also important to deploy post-authentication security measures that can detect fraudulent activity and prevent ATO attackers from accessing sensitive information, placing bogus orders, or withdrawing money from hijacked accounts.

How consumers can help prevent ATO fraud

Of course, consumers have an important part to play in preventing ATO fraud. According to NordPass, more than 2.5 million people still use “123456” as their password, while more than 360,000 people use the word “password.” Both can be cracked in less than a second; collectively, they have been exposed online more than 27 million times.

Using more secure passwords, and ideally a password manager that generates unique passwords for each site that’s visited, can significantly reduce the risk of ATO fraud. Still, with two-thirds of consumers failing to take basic precautions to protect their passwords, businesses can’t rely on their users to practice good password hygiene. It’s up to organizations, not end-users, to take decisive action to defend themselves from ATO fraudsters.

How to stop fraudsters from accessing your users’ accounts

To prevent fraudsters from breaking into an account, you need to be able to detect a bogus login while it’s still in progress. That requires a deep understanding of the varied and rapidly evolving ways in which fraudsters try to gain access to online accounts, and an equally deep understanding of how such efforts differ from the ordinary behaviors of regular human account users.

At Deduce, we leverage an identity network of over 150,000 member websites to help businesses stop ATO fraud before an account is compromised. Using AI tools trained on billions of historical interactions, we rapidly detect anomalous behavior — such as a login from an unusual geographic location — and automatically deploy appropriate security measures to prevent attacks before they begin. Click here to learn more about Deduce’s frictionless approach to pre-authentication security.

How to detect and defeat an ongoing ATO attack

Of course, no security perimeter is 100% effective, so you also need tools to detect attackers who get past your first line of defenses and gain access to a user’s account. This is a subtler process than simply preventing unauthorized access: it demands a clear understanding of how legitimate users behave on your website, and how that differs from unauthorized or automated account use.

Deduce’s identity network gives you the intelligence you need to halt an ongoing ATO attack. By analyzing data from 200 million web users, we can quickly identify the telltale behaviors that betray even the most sophisticated ATO fraudster.

That allows you to rapidly alert users to suspicious activity, and move quickly to freeze compromised accounts before they’re used for fraudulent purposes, protecting your customers and sharply reducing both the direct costs and reputational impact of ATO fraud.

Want to find out more? Read Deduce’s one-page guide to protecting your users, or request a free demo today.

Can you prevent ATO fraud without damaging the customer experience?

Efforts to improve cybersecurity and prevent ATO fraud often negatively impact the customer experience. Think about it this way: you could eliminate ATO fraud altogether if you required your users to complete a retina scan and email in a photo of themselves holding up today’s newspaper in order to access the website. But in doing so, of course, you’d make it impossibly burdensome for legitimate customers to actually sign into their accounts.

The key, as always, is to strike a reasonable balance between rigorous security and a seamless user experience. That means tailoring your ATO countermeasures to the risk of an attack — but that’s easier said than done. While most organizations make some effort to detect large-scale, automated ATO assaults, cybercriminals are increasingly adept at using well-honed scripts to deflect attention from their efforts by simulating human account behaviors.

Too often, that means that organizations err on the side of increased security, defaulting to the use of CAPTCHA tools, two-factor authentication, and other potentially cumbersome countermeasures. In effect, such strategies force legitimate users to jump through additional hoops in a bid to trip up a larger subset of ATO fraudsters.

How to determine the risk of ATO fraud

There’s a better way, of course. Instead of increasing security across the board, businesses need to use a more granular approach and increase their security measures only when there’s a heightened risk of fraudulent activity.

At Deduce, we enable that using the Identity Risk Index — a powerful AI-enabled tool that leverages the real-world behavior of more than 200 million website users to identify the kinds of behaviors associated with bogus logins and fraudulent account usage. The result: a far more responsive approach to risk that allows you to serve up additional security when it’s needed, without forcing legitimate users to put up with intrusive security processes every single time they log on to your site.

A user who’s logging on from their home IP address at their usual time might be waved through with a simple password check, for instance. A user who’s vacationing abroad might be flagged for two-factor authentication. And an attempted login from a known bad actor might be rejected outright and escalated for review by your customer support and cybersecurity teams.
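The three outcomes in that paragraph can be written as a small login policy. The following is an added example, not code from the original page and not Deduce's Identity Risk Index; the signals, weights, threshold and sample data are assumptions chosen to mirror the scenarios above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Profile:
    """What is already known about an account holder (assumed fields)."""
    home_networks: list   # CIDR strings the user normally logs in from
    usual_hours: tuple    # (start, end) local hours; may wrap past midnight
    home_country: str


# Constructed sample data using documentation address ranges.
PROFILE = Profile(["198.51.100.0/24"], (7, 23), "US")
DENYLIST = ["203.0.113.0/24"]   # sources already tied to fraud


def in_networks(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def in_hours(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end   # window such as 22:00 to 06:00


def decide(attempt, profile, denylist):
    """Return "allow", "step_up" (ask for a second factor) or "reject"."""
    if in_networks(attempt["ip"], denylist):
        return "reject"              # known bad actor: block and escalate
    if profile is None:
        return "step_up"             # no history to compare against
    score = 0
    if not in_networks(attempt["ip"], profile.home_networks):
        score += 2
    if attempt["country"] != profile.home_country:
        score += 2
    if not in_hours(attempt["hour"], profile.usual_hours):
        score += 1
    # Weights and threshold are illustrative, not tuned values.
    return "allow" if score <= 1 else "step_up"


if __name__ == "__main__":
    for attempt in (
        {"ip": "198.51.100.20", "country": "US", "hour": 20},  # home, usual time
        {"ip": "192.0.2.55", "country": "FR", "hour": 20},     # travelling abroad
        {"ip": "203.0.113.9", "country": "US", "hour": 20},    # denylisted source
    ):
        print(attempt["ip"], decide(attempt, PROFILE, DENYLIST))
```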

Click here to learn more about Deduce’s approach to risk-based security, or request a free demo today.

How does data democratization reduce ATO fraud?

In today’s world, fraudsters aren’t simply lone hackers working out of their parents’ basements. They are well-resourced and well-connected criminal organizations, using networked hardware and advanced software to launch ATO attacks on an unprecedented scale. To defeat these fraud rings, businesses need access to large, rich, up-to-date data sets that capture the full variety of ATO fraud across multiple geographies, industries, and types of organizations.

A handful of giant companies — such as Facebook, Google, or Amazon — have the global reach needed to harvest such insights from their user data. But most organizations simply don’t have the scale that’s needed to identify ATO fraud before it’s too late.

At Deduce, we believe it’s time to change that. We’re committed to democratizing security data and giving all organizations access to the same rich data intelligence that the world’s biggest tech giants use to keep accounts safe from harm.

How an identity network can defeat ATO

To achieve that, we’ve built an identity network that gathers together security intelligence from 150,000 member websites. That allows our network partners to benefit from data gleaned from 200 million users and billions of historical account interactions — an incredibly rich window onto the different ways in which real account users behave, and the telltale signs that betray bad actors.

By democratizing that data, we’re leveling the playing field and allowing organizations of all sizes to police their account activity with the same efficiency as tech giants. Our analysts, data scientists, and cybersecurity specialists handle the complex process of identifying new threats or problematic behavior patterns, allowing your team to stay laser-focused on providing value for your customers.

It’s important not to underestimate the threat that ATO poses to modern businesses. But it’s also important not to despair. With democratized data and the right security infrastructure, we have the tools we need to defeat ATO fraud and keep your users and your business safe from harm.

Together, we’re democratizing security data and beating ATO fraud. Click here to learn more about our mission, or get in touch to find out how to get involved.