hexagonshexagons
Blog / Fraud detection and prevention

What Is Account Takeover Fraud? Expert Prevention Tips and More

Morgan Ackley | Wednesday, January 24th, 2024 | 14 minutes

Account takeover (ATO) fraud is on the rise. Merchants and consumers alike are losing millions of dollars each year to ATO attacks. And the issue is only expected to worsen as fraudsters continue to find new ways to steal and abuse sensitive information.

Fortunately, there are ways to prevent an account takeover attack. Learn all about our expert tips for stopping this threat so you can protect your business and your customers.

Account Takeover Fraud Explained

Account takeover fraud is an attempt to gain unauthorized access to an online account. Once a fraudster gains access to an account, he or she can steal sensitive information about the account holder, make purchases, change account credentials, steal debit and credit card numbers, and more.

Did you know?

Most data breaches are caused by human error or system glitches. That’s why it’s important to regularly give your employees security training, keep all your software up-to-date, and invest in data loss prevention technology.

Types of ATO Attacks

Fraudsters use a number of methods to break into accounts. Most tactics are relatively simple and can be completed in a matter of seconds. We’ll cover the most common types and how to spot them.

Credential stuffing

Credential stuffing is an attack in which a fraudster uses a list of stolen username and password combinations bought on the dark web or obtained through data breaches to log into user accounts. Typically, fraudsters use bots — or software that can run automated tasks like logging into an account — to speed up the process.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple login attempts for different accounts within a short timeframe.
  • Spike in website traffic (an indication of bot activity).
  • Website experiences sudden downtime.

Brute force attacks

In a brute-force attack, fraudsters attempt to force their way into a user account by testing hundreds or thousands of passwords until the account unlocks. It’s similar to credential stuffing; however, fraudsters do not have any context or clues to help guess passwords.

Fraudsters may use random characters combined with common password suggestions to get into accounts. Typically, during this kind of attack, fraudsters only target one account at a time.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple logins with different usernames from the same IP address.
  • Logins for one account coming from multiple IP addresses.
  • Failed login attempts from sequential usernames or passwords (ex: password 1234, password 234, password 345, etc.).
  • Logins with a referring URL of someone’s mail or IRC client (an instant messaging chat system).
  • Referring URLs that contain the username and password in the following format: <http://user:password@www.example.com/login.htm&gt;.

Phishing

Phishing is an attempt to get sensitive information by sending messages and emails that appear to be from a trusted source.

Let’s look at an example.

A fraudster sends a text message to Sally posing as a bank representative. The message claims that someone has tried to hack into her bank account and in order to fix the issue, she needs to log in. A link is included to a web page that looks exactly like Sally’s banking site. However, it is a fake site. When Sally logs in, she unknowingly gives her banking credentials to the fraudster.

What to watch for

  • Reports from customers about receiving unsolicited texts or emails containing links from your business.
  • Suspicious emails sent to your employees requesting sensitive information.

Identity theft

Identity theft happens when someone uses another person’s identifying information without permission — like name, address, phone number, and social security number — to commit fraud. Fraudsters often use this kind of information to impersonate a victim and manipulate customer service agents into helping them access the victim’s account.

Identity theft doesn’t just happen to your customers, either. It can happen to your business, too. Fraudsters may pose as employees to steal cash, get credit, or take out loans.

What to watch for

  • Unusual activity in your company’s credit report.
  • Changes in state business filings (like an address change).
  • Influx of calls to customer support staff.
  • Aggressive or manipulative customers contacting customer service agents.
  • Current scams targeting businesses and/or customers.

5 Ways Account Takeover Fraud Can Affect Your Business

ATO fraud can affect any online business. The consequences of just one attack can be severe and long-lasting. We’ve listed out the top five major impacts you should be aware of.

1. Damage your reputation.

Any kind of fraud can spark doubt in your customers, business partners, and payment processors. But account takeover fraud can be incredibly damaging to the trust you’ve spent years cultivating. And that’s because data is extremely valuable. What you do with it has a major impact on your business reputation.

For instance, most consumers hold businesses responsible for protecting their online presence — whether it be the data they provide or the accounts they use to log into a service. And if a data breach happens, those customers will most likely stop engaging with your brand for a long time, possibly forever.

2. Increase your chargeback rate.

An account takeover attack can cause a sudden spike in your chargeback rate. And here’s why. When fraudsters hack into customer accounts, they typically drain the accounts of monetary funds or loyalty points, buy goods, services, and gift cards using payment information stored on the account, transfer funds to another account, or sell account information online.

All of these fraudulent transactions could potentially lead to chargebacks. And if a fraudster launches a mass account takeover attack — affecting thousands of customers at once — you could face a dramatic increase in chargebacks and enrollment in a monitoring program.

Take this scenario for example.

Let's say you usually process around 1,000 transactions a month. And fewer than 1% of those become chargebacks. Your chargeback-to-transaction ratio is well within card brands' limits.

One month, you get hit with an ATO attack and suddenly you now have 1,000 unexpected transactions — all of which are unauthorized and result in chargebacks. Your ratio could shoot up to the double digits, which means you'll automatically be enrolled in a monitoring program.

3. Drain your revenue.

ATO attacks are a huge drain on your hard-earned money. In addition to the cost of chargebacks, you may have other expenses — such as reimbursing customers for services or lost value, repairing software systems, and hiring extra labor to address security issues. All these extra fees can add up quickly.

Plus, if customers no longer trust you, they likely won’t continue to shop with you. In turn, decreasing your customer lifetime value.

4. Cause fines and legal issues.

Some of the most devastating effects of ATO fraud aren’t from chargebacks, lost revenue, or brand damage. State governments are starting to hold businesses accountable for account takeover attacks, leaving businesses with heavy fines and legal fees.

For example, attorney generals have begun to file lawsuits against national corporations that don’t adequately prevent fraud. These lawsuits claim that companies violate consumer protection laws when they fail to prevent cyberattacks. These cases are setting new precedents in consumer protection laws that could deeply affect your business.

5. Open the door for more fraud attacks.

Successful ATO attacks can expose weakness in your security systems and technology. And with that information, fraudsters can further target your business, potentially causing more damage. For example, if a fraudster hacks into your security systems and steals valuable customer data, that same person may come back later and try to hack into executive-level accounts.

How to Prevent Account Takeover Fraud

So what can you do to keep your customers and your business safe? Fortunately, you have options. We’ll cover all the steps you can take to prevent ATO fraud.

Did you know?

In a recent Kount survey, 60% of consumers admitted to reusing passwords across online accounts. As a result, these customers are at higher risk for an account takeover attack.

Simply requiring passwords is not enough to protect user accounts. You need to go a step further to truly give your customers the protection they need.

Boost website security.

Having a secure website is crucial to preventing ATO attacks, as well as other fraud threats. Don’t let your site become a liability. Invest in it.

Use firewalls.

Firewalls give you insight into your web traffic. You can filter out bad traffic — such as traffic from bots used for credential stuffing attacks — and get a better sense of who is visiting your site.

Add CAPTCHAs.

CAPTCHAs are tests to sort humans from bots. These tests typically require users to identify certain components of a picture or copy a string of text. When users sign up for a new account, require them to fill out a CAPTCHA.

Encrypt data.

Make sure your login pages are safe by encrypting passwords so that fraudsters can’t steal the information while it's in transit. Common encryption security protocols include HTTPS, TLS, and SSL.

Essentially, these protocols convert sensitive information — such as card numbers, social security numbers, and login credentials — into a code that is meaningless to anyone who might intercept it.

Use a secure web hosting platform.

When it comes to choosing your web hosting platform, do your research. Make sure you choose a provider that understands the security threats you face and is committed to keeping your site safe.

Clean up your website.

Fraudsters can use any database, application, or plugin on your website to hack into your systems. Delete any files or other items that you no longer use.

Perform regular security checks.

If your website has any vulnerabilities, fraudsters will be quick to find them. Schedule regular web security scans so you can address any issues.

Keep your software up-to-date.

Make sure you always update your software whenever a new patch or feature is released. Fraudsters can easily hack into systems that are outdated.

Limit user access and administrative privileges.

Not everyone takes website security seriously. Limit web admin access to certain employees in your organization and keep track of their responsibilities. Make sure you educate those employees about how to keep the site secure. Additionally, make your site administrators use two-factor authentication to log in.

Monitor account activity.

Subtle changes can often be the first sign of an attack. It’s common for users to forget passwords and change their personal information. However, when this activity happens in quick succession or in excess, it could be an ATO attempt.

Watch for suspicious activity.

Multiple failed login attempts, followed by requests to change personal information or login credentials could be suspicious, especially if these attempts are made from different IP addresses or in new locations.

Limit login attempts.

Don’t give users unlimited attempts to log in. If after 2-3 failed login attempts, deny further attempts for a certain amount of time or lock the account and have the user call a customer service agent to resolve the issue.

Challenge unknown logins.

It’s not uncommon for customers to login to their online accounts from different places. For example, if Jeff goes on vacation in a different country, he may try to login to his streaming account at night. To make sure Jeff is actually the one logging in overseas, you can challenge him with additional security protocols — such as security questions or multi-factor-authentication (MFA).

Communicate regularly with customers and employees.

Awareness is key to preventing security threats. Often, employees and customers are simply unaware of the scams out there or don’t notice small changes to their accounts. Keeping them up-to-date could be what prevents them from becoming a victim of an attack.

Send regular reminders and training.

Keep security top of mind for your employees by sending regular reminders about your web security policies, password requirements, and any other related information.

Additionally, you can send out fake phishing emails to test your employees’ knowledge about your security protocols.

Notify customers of account changes.

Communicate with customers often about their accounts. Send notifications whenever changes happen to their account — whether it’s a new password or address or login from a new location.

Implement strong login protocols.

Most customers fall victim to account takeover because they use weak passwords for their online accounts. But it’s still your responsibility to protect them. So what can you do?

Use authentication protocols.

Implement login protocols such as step-up authentication, MFA, or biometric verification for more secure logins. For example, whenever a user signs up for an account or logs in from a new device or location, you can require the user to provide an additional form of security — like entering a code sent via email or text.

Additionally, you can add biometric verification — face or voice recognition — as an alternative to passwords.

Implement password requirements.

If you’re going to require users to set up an account with a password, make sure they use strong passwords. Typically strong passwords include a combination of lowercase and capital letters, numbers, special characteristics, and a length of 14 characters.

Want Help Fighting Account Takeover Fraud?

There’s only so much you can do on your own to prevent ATO attacks. It’s worth the investment to use fraud prevention technology. And that’s where we can help.

Kount is a leader in trust and safety technology. We’ve helped companies from all over the world stop fraud and prevent account takeover attacks. Our technology works in real time to stop threats as they emerge — which is key to staying ahead of fraud.

If you’re looking for help fighting fraud or developing a risk management strategy, take a look at our account takeover fraud prevention solution.

Related content

See more related content
Related Blog Post
Buy Now, Pay Later: BNPL Risk Management Is Essential
Are you a buy now, pay later service provider? If so, you need to be aware of these BNPL risks -- and know how to manage them. Click here to learn more.
Related Blog Post
Big opportunities, bigger risks in booming health and beauty market
It’s an exciting time for health and beauty merchants, but they need to know these top fraud issues affecting the market, as the space grows.
Related Blog Post
Why Promo Abuse Fraud Hurts and How to Prevent It
If you aren't accounting for promo abuse, you may experience significant financial losses from decreases in sales and user retention. Find out how to respond.
Related Blog Post
What Is Chargeback Insurance?
Chargeback insurance sounds great at first. See what a chargeback guarantee actually covers and find a better way to stop loss from fraudulent transactions.
Related Blog Post
Precision & Recall: When Conventional Fraud Metrics Fall Short
A lot of businesses turn to conventional fraud metrics to set that all-important approval-decline threshold. But a one-size-fits-all approach is not always the most profitable. Let’s look at how a…
Related Guide
7 Features to Look For When Buying Fraud Technology for Restaurants
It’s important to find fraud protection technology from a provider that truly understands the challenges facing restaurants today.
Related Blog Post
SAFE & TC40 Data: 6 Things You Need to Know
What is TC40 data? How is SAFE data used? Learn more about fraud reporting and how this data can impact chargeback management.
Related News
Fireside Chat on Post-Transaction Fraud
In this PYMNTS.com interview, Robert Painter talks Visa's CE 3.0 key takeaways and the best strategies for merchants to protect against post-transaction fraud.
Related Page
Fraud Detection Software
Kount offers the most accurate risk assessments possible. Our fraud detection software uses machine learning to identify more fraud with fewer false positives.
Related Guide
7 Fraud Schemes Targeting Restaurants and QSRs
Online ordering and delivery services are great ways to boost revenue for QSRs, but some of those sales are likely from restaurant fraudsters.
Related Analyst report
Liminal Names Kount an Industry Leader in Ecommerce Fraud Prevention
Liminal Strategy recently conducted a report analyzing the top 50 ecommerce vendors. Find out here why Kount was named a leading provider in the space.
Related News
Equifax and VTEX Join Forces with Strategic Partnership
Equifax has joined forces with VTEX to enable customers on the VTEX platform to seamlessly integrate with the Kount Payment Fraud solution.
Related News
Adam Gunther feature on The Future of Identity Podcast
In this Future of Identity podcast episode, Adam talks about his journey in the identity space and tactical factors needed for reusable identity adoption.
Related Blog Post
How to Detect and Prevent Social Engineering Attacks
Ever heard of social engineering? It’s the newest threat to your business. Find out what it is, how to detect it, and ways to protect your company.
Related Page
Ethoca Alerts
Stop more chargebacks with less effort today! Easy to use and proven results to protect your revenue.
Related Blog Post
5 Major Fraud Risks Edtech Companies Face and How to Avoid Them
Are you getting chargeback but can’t figure out why? Learn about the 5 major fraud threats that could be hurting your business and how to deal with them.
Related Blog Post
Why Restaurants are Experiencing an Increase in Fraud
Restaurants and QSRs have experienced a massive shift in customer buying behaviors – which has brought a lot of new fraud threats. Learn more here.
Related Blog Post
Best Practices for Manual Fraud Reviews
Are manual reviews weighing down your fraud team? Wondering if there’s a better way to fight fraud but don’t know where to start? Check out this guide.
Related Blog Post
Egift Card Fraud Prevention: The Complete Guide
Egift card fraud can drain revenue and frustrate customers. Check this guide to learn everything you need to know about how it happens and ways to prevent it.
Related Blog Post
Machine Learning Fraud Detection and Prevention Guide
Using machine learning fraud detection can improve business processes and increase revenue. Read more in our detailed guide.
Related Blog Post
Fraud Detection Rules: What They Are & How They Impact Outcomes
Shopping for a fraud prevention vendor? The topic of fraud detection rules will probably come up. Here's what to know - and how to evaluate a solution provider.
Related Blog Post
Online Gaming Fraud Detection: How to Secure Your Online Games
Understand the fraud threats facing your business so you can stay ahead of fraudsters. Check out this blog for prevention tips.
Related Blog Post
Fraud-to-Sales Ratio: Everything You Need to Know
Every merchant is at risk for fraud. Regardless, all fraud claims can negatively affect your fraud-to-sales ratio — which comes with a host of problems.
Related Blog Post
Digital Wallet Fraud: Protect Your Business From Evolving Risks
Digital wallet payments are on the rise, and so are the risks to merchants. Find out how to protect your business from threats that come with new payment types.
Related Blog Post
Digital identity trust solutions can save billions (infographic)
Digital identity trust is the level of risk or trust associated with interactions on digital platforms. The right solution can save billions.
Related Blog Post
Shopify Fraud Prevention: The Complete Guide to Managing Risk
Is fraud an issue for your business? Check our Shopify fraud guide. We have tips, tricks, and technology suggestions that will offer maximum protection.
Related Blog Post
Loyalty Program Fraud Prevention: Everything You Need to Know
Loyalty program fraud happens when fraudsters steal customer loyalty rewards. Find out how to protect your customers and your business.
Related Page
Find your path
Confused by the different types of fraud? Wondering which solutions you really need — and which are a waste of money? Use our survey to build a custom strategy.
Related Blog Post
Card Testing Fraud: Prevent Big Loss From Small Purchases
Card testing fraud can steal revenue and expose your business to other harmful threats. Stop carding before it impacts you. Click here to learn how.
Related Blog Post
Refund Fraud: What It Is and How to Stop It
Refunding fraud is unfairly stealing your revenue. Find out how to stop online return fraud scams and protect your business.

AUTHOR

Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.