Account Takeovers: Addressing Today’s Fraud Challenges

Virtually all the payments innovation over the past decade has resulted from the need to better authenticate. These innovations have aimed to either directly prevent account takeovers (ATO) or minimize friction from risk mitigation efforts.

But as with a balloon, risk tends to shift when you squeeze. In recent years, that shift has seen fraudsters turn away from targeting payment credentials toward targeting account sign-in information.

The numbers tell it all. In its 2022 Trends in Identity Report, the Identity Theft Resource Center (ITRC) revealed that the majority of reported identity misuse resulted in existing account takeover (61%), followed by new account creation (32%). And more than half of the new accounts created by criminals were financial accounts.

In addition to these alarming numbers, emerging threats like automated botnet attacks and the rise of ecommerce make fraud mitigation strategies and authentication more critical than ever.

Want to take a deep dive into fraud and its far-reaching effects? Read our white paper, The Fraud Hits Keep Coming from Every Direction.

What is Account Takeover Fraud (ATO)?

A common form of identity theft, account takeover fraud occurs when a cyber criminal obtains credentials to online accounts, including online banking accounts, social media or email. For years, ATO fraud has haunted digital channels, whether by phishing attacks going after digital credentials, brute force attacks or other methods. The fraud market continues to shift toward ATO, now making it a primary concern.

How Does Account Takeover Happen?

As customers use digital banking and payments more, bad actors aim to infiltrate those digital channels.

The ATO process typically includes these techniques:

  • Credential Stuffing: Botnet attacks identify and compromise accounts based on reused or common passwords. This method pulls username and password pairs from numerous leaked credential collections and checks tens of thousands of password variations in minutes.
  • Account Takeover: A bad actor who has purchased or solicited information takes over an existing account to defraud a consumer.
  • New Account Fraud: The fraudster opens a new line of credit or creates a fraudulent user account in an existing customer’s name.
  • Exfiltration: Once accounts are created and controlled, the fraudster begins to move money via P2P, ACH, Wire or RTP.
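Credential stuffing has a recognizable shape in authentication logs: one source address working through many different usernames with almost every attempt failing. The detector below is an added example, not CSI’s code; it assumes a constructed log line format (timestamp, ip, user, result) and illustrative thresholds, and it reports the flagged source together with how many usernames it tried, so the single successful pair in the sample can be forced through a reset rather than treated as a normal login.

```python
"""Credential-stuffing detector run over authentication log lines.

Added example, not CSI's code. It assumes a constructed log format of
    <ISO timestamp> ip=<addr> user=<name> result=<success|fail>
and flags a source address that, inside a sliding time window, attempts
many distinct usernames with a high failure ratio: the shape of a botnet
replaying leaked credential pairs, as opposed to one customer mistyping.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)

# Thresholds are illustrative assumptions; tune them against the institution's own traffic.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 8
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_stuffing(lines):
    """Return {ip: (distinct_users, attempts, failure_ratio)} for flagged sources.

    Events are kept per source IP in a deque trimmed to WINDOW, so memory stays
    bounded and each line costs at most one pass over that source's window.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        attempts = len(q)
        users = {e["user"] for e in q}
        ratio = sum(1 for e in q if not e["ok"]) / attempts
        if attempts >= MIN_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
            prev = flagged.get(ev["ip"])
            if prev is None or attempts > prev[1]:
                flagged[ev["ip"]] = (len(users), attempts, round(ratio, 2))
    return flagged


# Constructed sample: one customer mistyping twice, then a source cycling
# through ten different usernames in ten seconds with a single hit.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 ip=203.0.113.5 user=alice result=fail",
    "2024-03-01T09:00:20 ip=203.0.113.5 user=alice result=fail",
    "2024-03-01T09:00:45 ip=203.0.113.5 user=alice result=success",
] + [
    f"2024-03-01T09:01:{i:02d} ip=198.51.100.7 user=cust{i:03d} "
    f"result={'success' if i == 7 else 'fail'}"
    for i in range(10)
]

if __name__ == "__main__":
    for ip, (users, attempts, ratio) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} usernames over {attempts} attempts, failure ratio {ratio}")
```

The customer who mistypes twice never reaches the attempt floor, while the second source is flagged after its eighth distinct username. The one success inside that run is the finding worth acting on: that customer’s credentials are confirmed valid in the attacker’s list and should be reset out of band.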

This sequence begins with one or multiple events, such as sophisticated social engineering techniques. Sometimes, the opportunity results from simple mistakes like reused usernames and passwords across various channels and accounts.

Fraud as a Service (FaaS) Continues to Grow

Meanwhile, it’s never been easier for inexperienced bad actors to target individuals or institutions. While it’s been happening for years, full-featured illicit marketplaces that package curated personal information for a price continue to grow. Inexperienced fraudsters can purchase information and use open-source tools to review leaked passwords and check thousands of combinations in minutes.

Surprisingly, these parasitic Fraud as a Service (FaaS) markets can offer 24/7 chat support, how-to guides, complete warranty services and money-back guarantees. These sites provide a range of personal information such as account info, usernames, passwords, SSNs, contact info (for phishing) and sometimes, answers to common security questions. Some can even index search options by channel, geographic location and institution and notify fraudsters when specific criteria emerge.

If a bad actor has successfully defrauded your bank once, they can make you a “favorite” and receive updates when sellers have more information from your customers. Also, when banks publicly post messages on their sites about blocking a particular transaction type or geographic region, that information populates their profiles.

As threats continue to grow, preventing fraud requires a level of sophistication that can keep up with and exceed what the fraudsters themselves employ.

Account Takeover Risk Factors

Some of the best weapons against fraud remain knowledge and basic cybersecurity practices. But financial institutions, and society overall, still have a great deal to learn to make it more difficult for bad actors to steal personal information or purchase it from an illicit marketplace. When it comes to passwords, here are two areas where consumers often fall short:

  • Static Information in Passwords: All too often, consumers rely on static passwords that include easily guessable components like pet names, birth dates, hometowns or some variation thereof.
  • Password Reuse: Even if consumers use a more complex password, reuse of passwords remains a primary threat. A single breach, in turn, puts an individual’s numerous accounts at risk: a breach at one vendor can severely affect numerous others. Most know that the best passwords are long, complex and not overused.

However, many customers still fail to meet basic practices. In fact, more than 80% of confirmed breaches result from reused, stolen or weak passwords.
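A password check at enrollment or password change is where an institution can act on the two weaknesses just described. The following added example (not CSI’s code) rejects short passwords, passwords that reduce to a leaked one after common character substitutions, and passwords built from profile data such as a birth date or hometown. The leaked-password set, the substitution table and the customer profile are constructed stand-ins; in production the leaked check would query a breached-password corpus.

```python
"""Password checks at enrollment or password change.

Added example, not CSI's code. It assumes the institution holds a few profile
fields for the customer (name, hometown, birth date, optionally a pet name
from security questions) and a local set of leaked passwords; in production the
leaked check would query a breached-password corpus, not this constructed set.
"""
import re
from datetime import date

MIN_LENGTH = 12  # the survey quoted above treats passwords over 12 characters as the good case

# Constructed stand-in for a breached-password corpus.
LEAKED_PASSWORDS = {"password", "welcome1", "letmein", "summer2023", "qwerty123456"}

# Substitutions users make that add no real unpredictability ("P@ssw0rd" is still "password").
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                               "$": "s", "5": "s", "4": "a", "7": "t"})


def normalize(pw):
    return pw.lower().translate(SUBSTITUTIONS)


def personal_tokens(profile):
    """Strings a fraudster could assemble from profile data (names, places, date formats)."""
    tokens = set()
    for field in ("first_name", "last_name", "hometown", "pet_name"):
        if profile.get(field):
            tokens.add(profile[field].lower())
    dob = profile.get("birth_date")
    if dob:
        tokens.update(dob.strftime(fmt) for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"))
    return {t for t in tokens if len(t) >= 3}


def check_password(pw, profile):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    raw, norm = pw.lower(), normalize(pw)
    base = re.match(r"[a-z]+", norm)          # leading word, so "password2024!" still matches "password"
    forms = {raw, norm} | ({base.group()} if base else set())
    if forms & LEAKED_PASSWORDS:
        reasons.append("appears in a leaked-password list")

    # Report the longest personal token found in any form of the password.
    for tok in sorted(personal_tokens(profile), key=lambda t: (-len(t), t)):
        if any(tok in f for f in forms):
            reasons.append(f"contains personal information ({tok})")
            break

    if len(set(pw)) < 5:
        reasons.append("too few distinct characters")
    return reasons


# Constructed customer profile for the usage below.
PROFILE = {"first_name": "Alice", "last_name": "Nguyen", "hometown": "Dayton",
           "pet_name": "Fluffy", "birth_date": date(1985, 7, 14)}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "Fluffy07141985!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, PROFILE) or "accepted")
```

Reuse across other vendors cannot be checked by one institution, which is why the leaked-list check matters: a password exposed in someone else’s breach is rejected here before it can be stuffed against this one. Returning every reason, rather than the first, lets the enrollment page explain what to change.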

The National Cybersecurity Alliance included some alarming statistics in its 2023 research report:

  • Only 16% of respondents created passwords over 12 characters long.
  • 36% reported using unique passwords half the time or less.
  • Less than 20% reported they had downloaded a stand-alone password manager.

In today’s digital world, keeping up with dozens of passwords can be challenging. But institutions must partner with their customers to reinforce the importance of complex, long passwords. For more information about password best practices, check out our blog.

How Financial Institutions Can Fight Account Takeover

Financial institutions have a unique opportunity to be the vault in which identity information, however complex, is stored and protected. Fraud costs us all directly but also erodes trust and undermines consumer confidence. As a result, expectations from regulators to monitor such risks as internal fraud and authenticate customers are also rising. Financial institutions can fight ATO fraud using several tactics, including:

  • Using Risk-Based Solutions and Processes: An approach to preventing fraud must account for human nature and for risk that cannot be eliminated. So, designing solutions and processes with risk in mind must be fundamental to banking. Dynamic data, tokenization, limiting exposure and prescriptive recommendations can all play a role in preventing fraud.
  • Embracing Tokenization and Cryptography: With the expansion of tokenization and cryptography, the rate of counterfeit fraud endemic to magstripes has steadily declined. As these tokens continue to proliferate through physical plastics, wearables, digital wallets and more, the potential impact of a merchant breach will continue to fall.
  • Enhancing Authentication: Similarly, a shift to an enterprise management perspective and a continuous drive to better authenticate will make account takeovers far more difficult for bad actors. Fraud and risk management solutions also help you authenticate your customers by capturing behavior and notifying security teams when something is out of character.

Shifting to an Enterprise Fraud Management Perspective

While existing fraud solutions will help in this “infinite game,” the industry must also embrace an enterprise management perspective and start approaching fraud from a complete view of the customer, including:

  • Single, holistic customer identities that connect customer identity data, biometrics, behavior, device information and external data
  • Unified identity proofing that collects information from tenured sources with passive monitoring at each interaction or transaction
  • Continuous authentication – the best type of authentication at the best time in the customer journey, promoting a consistent and seamless experience
  • Proactive, personalized interdiction – risk-based, preference-driven customer interaction when necessary within the flow of interaction or transaction
  • Behavioral analytics that understand known customer patterns and changes to distinguish between suspect and non-suspect anomalies
  • A list of rules to help detect anomalies related to customer or transactional activity

Unifying customer data from siloed channels can be a massive undertaking. But with so much on the line, from your customers’ accounts to your institution’s reputation, it’s well worth the effort.

A holistic view of your customers requires a balance of behavioral and biometric data.

As fraud threats grow, leveraging the latest technology—including machine learning—can strengthen your prevention efforts. A comprehensive fraud solution that leverages machine learning takes historical customer data and uses it to identify unknown connections. Further, your institution can elevate fraud detection by deploying a solution that monitors transactions for suspicious activity across all channels and payment methods, resulting in real-time detection.

Prescriptive Solutions to Combat Fraud Today

Securing digital channels is a balancing act, as you should strive for zero or minimal new user friction. Fortunately, digital channels allow more passive controls such as alerts and card controls. Specific solutions, like push provisioning, can both mitigate fraud risk and remove friction.

Additionally, it’s wise to embrace EMV encryption and encourage its use through contactless cards, digital wallets, and other payment methods. Information sharing initiatives between issuers and merchants provide further safeguards with improved, more secure authentication.

Banks should also continuously focus on layering digital security efforts to protect against fraudulent enrollment, logins and behavior within digital banking. Protective features like password security checks, out-of-band authentication and fraud anomaly detection aim to secure those digital accounts and channels that fraudsters increasingly go after.

Moving forward, combatting account takeover will employ:

  • Consortium trend data that provides a holistic view of banks’ data
  • More advanced user metrics such as facial recognition and more advanced government ID scanning
  • Behavioral biometrics, including the way users type or hold their phone
  • Device profiling that detects new devices
  • Bot identification to prevent credential stuffing attacks
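The rules-based layer in the enterprise list above and the device profiling in this list combine naturally into a single risk score per transaction. The added example below (not CSI’s product logic) scores an outbound transfer against the customer’s own baseline: new device, new payee, amount outlier, off-hours, recent credential change and irrevocable rail, then allows it, steps up to out-of-band authentication within the flow, or holds it for review. Rule names, weights, thresholds and the sample customer are assumptions.

```python
"""Rule-based risk scoring for an outbound transfer.

Added example, not CSI's product logic. It assumes the institution keeps a
per-customer profile (known device fingerprints, known payees, recent transfer
amounts, usual hours, time since last credential change) and scores each
transfer against it. Rule names, weights and thresholds are illustrative.
"""
from dataclasses import dataclass, replace
from statistics import mean, pstdev
from typing import Optional


@dataclass
class CustomerProfile:
    known_devices: set
    known_payees: set
    past_amounts: list                  # recent outbound transfer amounts
    usual_hours: range                  # local hours in which the customer normally transacts
    password_reset_hours_ago: Optional[float] = None


@dataclass
class Transfer:
    device_id: str
    payee: str
    amount: float
    hour: int
    rail: str                           # "P2P", "ACH", "Wire" or "RTP"


def is_amount_outlier(amount, history, z=3.0):
    """Flag an amount far above the customer's own baseline (z-score with a floored sigma)."""
    if len(history) < 5:
        return amount > 2 * max(history, default=0)
    mu, sigma = mean(history), pstdev(history)
    return amount > mu + z * max(sigma, 1.0)


# (rule name, weight, predicate): each rule reads one facet of the holistic customer view.
RULES = [
    ("new_device", 30, lambda t, p: t.device_id not in p.known_devices),
    ("new_payee", 20, lambda t, p: t.payee not in p.known_payees),
    ("amount_outlier", 25, lambda t, p: is_amount_outlier(t.amount, p.past_amounts)),
    ("off_hours", 10, lambda t, p: t.hour not in p.usual_hours),
    ("recent_credential_change", 20,
     lambda t, p: p.password_reset_hours_ago is not None and p.password_reset_hours_ago < 24),
    ("irrevocable_rail", 10, lambda t, p: t.rail in {"Wire", "RTP"}),
]

HOLD_THRESHOLD = 60
STEP_UP_THRESHOLD = 30


def score_transfer(t, p):
    """Return (score, decision, fired_rules) for a transfer against a customer profile."""
    fired = [(name, w) for name, w, pred in RULES if pred(t, p)]
    total = sum(w for _, w in fired)
    if total >= HOLD_THRESHOLD:
        decision = "hold_for_review"
    elif total >= STEP_UP_THRESHOLD:
        decision = "step_up_authentication"   # out-of-band challenge inside the flow
    else:
        decision = "allow"
    return total, decision, [name for name, _ in fired]


# Constructed customer: one enrolled device, two regular payees, modest daytime transfers.
PROFILE = CustomerProfile(
    known_devices={"dev-A1"},
    known_payees={"landlord", "utility"},
    past_amounts=[120, 95, 130, 110, 100, 115, 105, 125],
    usual_hours=range(8, 22),
)
ROUTINE = Transfer("dev-A1", "landlord", 125.0, 10, "ACH")
NEW_DEVICE_ONLY = Transfer("dev-Z9", "utility", 110.0, 12, "ACH")
SUSPECT = Transfer("dev-Z9", "unknown-exchange", 4800.0, 3, "RTP")
PROFILE_AFTER_RESET = replace(PROFILE, password_reset_hours_ago=2)

if __name__ == "__main__":
    for label, t, p in (("routine", ROUTINE, PROFILE),
                        ("new device", NEW_DEVICE_ONLY, PROFILE),
                        ("suspect", SUSPECT, PROFILE_AFTER_RESET)):
        print(label, "->", score_transfer(t, p))
```

A familiar payment from the enrolled device scores zero, a routine amount from an unrecognized device earns only a step-up challenge, and a large real-time transfer to a new payee at 3 a.m. from a new device two hours after a password reset is held. Weighting a single new device at the step-up threshold, not the hold threshold, keeps friction proportionate for customers who simply bought a new phone.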

Shore Up Authentication Weaknesses Now

The industry will continue to make great strides in fraud prevention by tearing down silos and looking more holistically at customers across channels. By combining those methods with security baked into the design, you’ll have a clear roadmap to drive away bad actors over the next decade.

For additional insight into how your organization can fight fraud, read our white paper.