Account takeover fraud explained: What it is and how businesses can prevent it


Fight fraud with the strength of the Stripe network.

Learn more 
  1. Introduction
  2. What is account takeover (ATO) fraud?
  3. Types of account takeover fraud
  4. How account takeover fraud hurts businesses
  5. Ways to detect and prevent account takeover fraud

Fraud is a big challenge for business owners. You can offer a highly sought-after product, amass loyal customers and maintain stellar customer service, but none of that will protect your business from fraudulent actors attempting to breach your users’ accounts. Account takeover fraud is one of the most common forms of identity theft, accounting for 53% of all existing account fraud in 2019. This type of fraud is a major liability for businesses. Account takeover fraud cost US businesses $25.6 billion in 2020 – a 500% increase from 2017, according to Juniper Research. These account breaches can damage the reputation of a business as well as the trust it has built with existing customers.

Since the amount of money lost to account takeover fraud grows every year, online businesses need a plan to detect and block fraudulent actors before they strike. Here’s what you need to know to detect and prevent account takeover fraud.

What’s in this article?

  • What is account takeover (ATO) fraud?
  • Types of account takeover fraud
  • How account takeover fraud hurts businesses
  • Ways to detect and prevent account takeover fraud

What is account takeover (ATO) fraud?

Account takeover fraud, also known as account compromise, happens when a fraudulent actor assumes control of the account of a legitimate customer in order to extract account information or withdraw money. This can pertain to any type of online account, from bank accounts to accounts with food delivery businesses. Depending on the type of account that’s compromised, the fraudulent actor can use the extracted information to impersonate the customer and open a new bank account, order a new credit card, redeem rewards points or place orders on shopping or restaurant delivery sites. They can also use the information that they obtain to access other accounts or sell the account information to nefarious parties.

Types of account takeover fraud

A 2020 study by Aite Group found that 38% of consumers said that they had recently been a victim of account takeover fraud. This type of fraud can come in many forms.

  • Phishing
    Phishing scams typically occur over email or text message. The customer will receive a message that asks for donations or personal information, or directs them to click on a link or attachment that automatically installs malware on their device.

  • Malware
    Malicious software, commonly known as malware, is any intrusive software designed to damage or gain unauthorised access to a device. A trojan is a type of malware that takes control of a user’s device, allowing hackers to intercept information, such as bank account or credit card details. Mobile banking trojans are specifically designed to steal from bank accounts, often showing a fake page that mimics a real mobile banking application, which they use to capture the user’s account and authorisation details.

  • Credential stuffing
    Using lists of compromised or stolen user credentials to break into an account is called credential stuffing. This is also referred to as breach replay attacks. Because many people use the same username and password combinations for multiple accounts, uncovering credentials for one account can give hackers access to multiple accounts.

  • Credential cracking
    Plugging in different username and password combinations until one successfully unlocks the account is referred to as credential cracking or brute-force attacks. Scammers often use lists of common passwords created by bots to find a valid password, or they use bots to try different combinations of random characters until they uncover a user’s password.

  • Man-in-the-middle attacks
    A man-in-the-middle (MITM) attack happens when a fraudulent actor finds a way to get in between a user and an application that they’re trying to access, such as an e-commerce site or mobile banking app. A common type of man-in-the-middle attack involves setting up a fraudulent Wi-Fi hotspot and stealing login credentials, account details and credit card numbers from people who attempt to connect to the hotspot.

  • Session hijacking
    Taking control of the session when a user signs in to an online service is considered session hijacking. For example, if a user logs in to their account with an online store in order to make a new purchase, the hijacker could steal all the credit card details needed to make fraudulent charges.

  • SIM card swapping
    SIM card swapping involves a fraudulent actor contacting the victim’s mobile phone operator and impersonating the victim to deceive a call centre employee into moving the victim’s phone number onto another SIM card. Controlling the victim’s phone number allows the fraudulent actor to access bank details or carry out transactions that require text message authentication.

How account takeover fraud hurts businesses

Any type of fraudulent activity poses a serious risk for online businesses, and account takeover fraud is no exception. From customer retention issues to financial penalties, here are the ways that account takeover fraud could hurt your business.

Reputation damage
A business’s reputation can be severely damaged by an account breach. Customers care about keeping their personal details and data safe, and hearing about account takeover fraud on social media or the news could dissuade them from opening an account with that business. Reputational damage can happen quickly but the recovery takes much longer.

Customer retention problems
News of a hack could affect existing customers, too. Those who were unaffected by a breach may get spooked and close their accounts as a precaution. A global Vodafone survey found that 89% of businesses said that improving cybersecurity would enhance customer loyalty and trust.

Financial penalties
The financial penalties associated with account takeover fraud add up. If a hacker makes a fraudulent purchase through a customer’s account, the account owner will typically receive a refund from their credit card issuer after disputing the claim. The business that sold the purchased goods, however, loses that revenue, loses the products shipped to the fraudulent actor and typically owes the payment processor a chargeback fee. It can get even more expensive if the fraud continues to happen. A business that experiences a high rate of fraud could be placed on a network chargeback monitoring programme, charged higher payment processing fees or even completely banned by a payment processor.

On top of chargeback fees, the General Data Protection Regulation (GDPR) and other privacy laws can also result in fines for failure to protect customer data. Under the GDPR, fines are proportionate to the case, but businesses found to have committed less severe violations can be fined millions of pounds.

Ways to detect and prevent account takeover fraud

The key to protecting your business from account takeover fraud is being proactive rather than reactive. This means putting measures in place to detect and block fraudulent actors before they have the chance to execute a breach. Because different types of account takeover fraud manifest in different ways, businesses must remain vigilant when it comes to detection and prevention.

Here are steps that you can take to protect your business:

Monitoring account changes
Some types of fraud come with red flags, such as when different customers’ details change at the same time or when multiple accounts are suddenly updated to have the same customer details. But sophisticated attacks will be more subtle and require noticing a pattern of behaviours, such as when someone updates a customer’s details, quickly logs in from a new device and then orders products to a delivery address that wasn’t previously listed. Machine learning tools, like Stripe Radar, use data to help businesses distinguish fraudulent actors from real customers, with the ability to adapt to new fraud patterns.

Some straightforward changes that you can implement to help detect account takeovers before a fraudulent actor can do real damage include asking users to verify their identity before making changes to account details (using two-factor authentication) and notifying users immediately about any account changes.

Flagging device inconsistencies
Another key aspect of detecting fraud involves keeping an eye out for suspicious devices linked to user accounts. For instance, multiple accounts that are linked to the same device or accounts that have an unusually high number of devices with “unknown” models due to device spoofing – pretending to be a different device to hide your true identity or to deceive a system – are signs of potential breaches. Login IP addresses from multiple countries can also be a sign of unusual activity and using the power of machine learning tools to catch these inconsistencies early saves businesses time and money down the line.

Machine learning tools are available to every Stripe account to enable businesses to grow while protecting themselves from fraud. To better understand how Stripe Radar uses the data from hundreds of billions of pounds in payments each year to accurately detect and prevent account takeover fraud, learn more here.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.