close

Request an online demo

Get a personalized online demo of Kount's trust and safety technology at a time and date of your choosing.

hexagonshexagons
Blog / Fraud detection and prevention

What Is Account Takeover Fraud? Expert Prevention Tips and More

Morgan Ackley | Wednesday, January 24th, 2024 | 14 minutes

Account takeover (ATO) fraud is on the rise. Merchants and consumers alike are losing millions of dollars each year to ATO attacks. And the issue is only expected to worsen as fraudsters continue to find new ways to steal and abuse sensitive information.

Fortunately, there are ways to prevent an account takeover attack. Learn all about our expert tips for stopping this threat so you can protect your business and your customers.

Account Takeover Fraud Explained

Account takeover fraud is an attempt to gain unauthorized access to an online account. Once a fraudster gains access to an account, he or she can steal sensitive information about the account holder, make purchases, change account credentials, steal debit and credit card numbers, and more.

Did you know?

Most data breaches are caused by human error or system glitches. That’s why it’s important to regularly give your employees security training, keep all your software up-to-date, and invest in data loss prevention technology.

Types of ATO Attacks

Fraudsters use a number of methods to break into accounts. Most tactics are relatively simple and can be completed in a matter of seconds. We’ll cover the most common types and how to spot them.

Credential stuffing

Credential stuffing is an attack in which a fraudster uses a list of stolen username and password combinations bought on the dark web or obtained through data breaches to log into user accounts. Typically, fraudsters use bots — or software that can run automated tasks like logging into an account — to speed up the process.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple login attempts for different accounts within a short timeframe.
  • Spike in website traffic (an indication of bot activity).
  • Website experiences sudden downtime.

Brute force attacks

In a brute-force attack, fraudsters attempt to force their way into a user account by testing hundreds or thousands of passwords until the account unlocks. It’s similar to credential stuffing; however, fraudsters do not have any context or clues to help guess passwords.

Fraudsters may use random characters combined with common password suggestions to get into accounts. Typically, during this kind of attack, fraudsters only target one account at a time.

What to watch for

  • Multiple failed login attempts from the same IP address.
  • Multiple logins with different usernames from the same IP address.
  • Logins for one account coming from multiple IP addresses.
  • Failed login attempts from sequential usernames or passwords (ex: password 1234, password 234, password 345, etc.).
  • Logins with a referring URL of someone’s mail or IRC client (an instant messaging chat system).
  • Referring URLs that contain the username and password in the following format: <http://user:password@www.example.com/login.htm&gt;.

Phishing

Phishing is an attempt to get sensitive information by sending messages and emails that appear to be from a trusted source.

Let’s look at an example.

A fraudster sends a text message to Sally posing as a bank representative. The message claims that someone has tried to hack into her bank account and in order to fix the issue, she needs to log in. A link is included to a web page that looks exactly like Sally’s banking site. However, it is a fake site. When Sally logs in, she unknowingly gives her banking credentials to the fraudster.

What to watch for

  • Reports from customers about receiving unsolicited texts or emails containing links from your business.
  • Suspicious emails sent to your employees requesting sensitive information.

Identity theft

Identity theft happens when someone uses another person’s identifying information without permission — like name, address, phone number, and social security number — to commit fraud. Fraudsters often use this kind of information to impersonate a victim and manipulate customer service agents into helping them access the victim’s account.

Identity theft doesn’t just happen to your customers, either. It can happen to your business, too. Fraudsters may pose as employees to steal cash, get credit, or take out loans.

What to watch for

  • Unusual activity in your company’s credit report.
  • Changes in state business filings (like an address change).
  • Influx of calls to customer support staff.
  • Aggressive or manipulative customers contacting customer service agents.
  • Current scams targeting businesses and/or customers.

5 Ways Account Takeover Fraud Can Affect Your Business

ATO fraud can affect any online business. The consequences of just one attack can be severe and long-lasting. We’ve listed out the top five major impacts you should be aware of.

1. Damage your reputation.

Any kind of fraud can spark doubt in your customers, business partners, and payment processors. But account takeover fraud can be incredibly damaging to the trust you’ve spent years cultivating. And that’s because data is extremely valuable. What you do with it has a major impact on your business reputation.

For instance, most consumers hold businesses responsible for protecting their online presence — whether it be the data they provide or the accounts they use to log into a service. And if a data breach happens, those customers will most likely stop engaging with your brand for a long time, possibly forever.

2. Increase your chargeback rate.

An account takeover attack can cause a sudden spike in your chargeback rate. And here’s why. When fraudsters hack into customer accounts, they typically drain the accounts of monetary funds or loyalty points, buy goods, services, and gift cards using payment information stored on the account, transfer funds to another account, or sell account information online.

All of these fraudulent transactions could potentially lead to chargebacks. And if a fraudster launches a mass account takeover attack — affecting thousands of customers at once — you could face a dramatic increase in chargebacks and enrollment in a monitoring program.

Take this scenario for example.

Let's say you usually process around 1,000 transactions a month. And fewer than 1% of those become chargebacks. Your chargeback-to-transaction ratio is well within card brands' limits.

One month, you get hit with an ATO attack and suddenly you now have 1,000 unexpected transactions — all of which are unauthorized and result in chargebacks. Your ratio could shoot up to the double digits, which means you'll automatically be enrolled in a monitoring program.

3. Drain your revenue.

ATO attacks are a huge drain on your hard-earned money. In addition to the cost of chargebacks, you may have other expenses — such as reimbursing customers for services or lost value, repairing software systems, and hiring extra labor to address security issues. All these extra fees can add up quickly.

Plus, if customers no longer trust you, they likely won’t continue to shop with you. In turn, decreasing your customer lifetime value.

4. Cause fines and legal issues.

Some of the most devastating effects of ATO fraud aren’t from chargebacks, lost revenue, or brand damage. State governments are starting to hold businesses accountable for account takeover attacks, leaving businesses with heavy fines and legal fees.

For example, attorney generals have begun to file lawsuits against national corporations that don’t adequately prevent fraud. These lawsuits claim that companies violate consumer protection laws when they fail to prevent cyberattacks. These cases are setting new precedents in consumer protection laws that could deeply affect your business.

5. Open the door for more fraud attacks.

Successful ATO attacks can expose weakness in your security systems and technology. And with that information, fraudsters can further target your business, potentially causing more damage. For example, if a fraudster hacks into your security systems and steals valuable customer data, that same person may come back later and try to hack into executive-level accounts.

How to Prevent Account Takeover Fraud

So what can you do to keep your customers and your business safe? Fortunately, you have options. We’ll cover all the steps you can take to prevent ATO fraud.

Did you know?

In a recent Kount survey, 60% of consumers admitted to reusing passwords across online accounts. As a result, these customers are at higher risk for an account takeover attack.

Simply requiring passwords is not enough to protect user accounts. You need to go a step further to truly give your customers the protection they need.

Boost website security.

Having a secure website is crucial to preventing ATO attacks, as well as other fraud threats. Don’t let your site become a liability. Invest in it.

Use firewalls.

Firewalls give you insight into your web traffic. You can filter out bad traffic — such as traffic from bots used for credential stuffing attacks — and get a better sense of who is visiting your site.

Add CAPTCHAs.

CAPTCHAs are tests to sort humans from bots. These tests typically require users to identify certain components of a picture or copy a string of text. When users sign up for a new account, require them to fill out a CAPTCHA.

Encrypt data.

Make sure your login pages are safe by encrypting passwords so that fraudsters can’t steal the information while it's in transit. Common encryption security protocols include HTTPS, TLS, and SSL.

Essentially, these protocols convert sensitive information — such as card numbers, social security numbers, and login credentials — into a code that is meaningless to anyone who might intercept it.

Use a secure web hosting platform.

When it comes to choosing your web hosting platform, do your research. Make sure you choose a provider that understands the security threats you face and is committed to keeping your site safe.

Clean up your website.

Fraudsters can use any database, application, or plugin on your website to hack into your systems. Delete any files or other items that you no longer use.

Perform regular security checks.

If your website has any vulnerabilities, fraudsters will be quick to find them. Schedule regular web security scans so you can address any issues.

Keep your software up-to-date.

Make sure you always update your software whenever a new patch or feature is released. Fraudsters can easily hack into systems that are outdated.

Limit user access and administrative privileges.

Not everyone takes website security seriously. Limit web admin access to certain employees in your organization and keep track of their responsibilities. Make sure you educate those employees about how to keep the site secure. Additionally, make your site administrators use two-factor authentication to log in.

Monitor account activity.

Subtle changes can often be the first sign of an attack. It’s common for users to forget passwords and change their personal information. However, when this activity happens in quick succession or in excess, it could be an ATO attempt.

Watch for suspicious activity.

Multiple failed login attempts, followed by requests to change personal information or login credentials could be suspicious, especially if these attempts are made from different IP addresses or in new locations.

Limit login attempts.

Don’t give users unlimited attempts to log in. If after 2-3 failed login attempts, deny further attempts for a certain amount of time or lock the account and have the user call a customer service agent to resolve the issue.

Challenge unknown logins.

It’s not uncommon for customers to login to their online accounts from different places. For example, if Jeff goes on vacation in a different country, he may try to login to his streaming account at night. To make sure Jeff is actually the one logging in overseas, you can challenge him with additional security protocols — such as security questions or multi-factor-authentication (MFA).

Communicate regularly with customers and employees.

Awareness is key to preventing security threats. Often, employees and customers are simply unaware of the scams out there or don’t notice small changes to their accounts. Keeping them up-to-date could be what prevents them from becoming a victim of an attack.

Send regular reminders and training.

Keep security top of mind for your employees by sending regular reminders about your web security policies, password requirements, and any other related information.

Additionally, you can send out fake phishing emails to test your employees’ knowledge about your security protocols.

Notify customers of account changes.

Communicate with customers often about their accounts. Send notifications whenever changes happen to their account — whether it’s a new password or address or login from a new location.

Implement strong login protocols.

Most customers fall victim to account takeover because they use weak passwords for their online accounts. But it’s still your responsibility to protect them. So what can you do?

Use authentication protocols.

Implement login protocols such as step-up authentication, MFA, or biometric verification for more secure logins. For example, whenever a user signs up for an account or logs in from a new device or location, you can require the user to provide an additional form of security — like entering a code sent via email or text.

Additionally, you can add biometric verification — face or voice recognition — as an alternative to passwords.

Implement password requirements.

If you’re going to require users to set up an account with a password, make sure they use strong passwords. Typically strong passwords include a combination of lowercase and capital letters, numbers, special characteristics, and a length of 14 characters.

Want Help Fighting Account Takeover Fraud?

There’s only so much you can do on your own to prevent ATO attacks. It’s worth the investment to use fraud prevention technology. And that’s where we can help.

Kount is a leader in trust and safety technology. We’ve helped companies from all over the world stop fraud and prevent account takeover attacks. Our technology works in real time to stop threats as they emerge — which is key to staying ahead of fraud.

If you’re looking for help fighting fraud or developing a risk management strategy, take a look at our account takeover fraud prevention solution.

Related content

See more related content
Related Data report
Digital Fraud Trends 2024
Your business is up against innumerable threats. Discover the top fraud trends in our latest report. Then use those insights to build a better fraud strategy.
Related Testimonial video
MANSCAPED
Learn how MANSCAPED leverages Equifax solutions to protect their customers from financial harm, keep consumer data secure, and preserve their bottom line.
Related Customer Case Study
Oplogic Case Study
Looking for a better way to verify the identity of your customers? Consider our DIT solution — which helped Oplogic achieve a 15% increase in approval rates.
Related Customer Case Study
MANSCAPED Case Study
Learn how MANSCAPED leverages Equifax solutions to save hundreds of thousands of dollars, lower chargeback rates, and increase revenue in this case study.
Related Page
Ecommerce Fraud Prevention
Kount's award-winning ecommerce fraud prevention protects online merchants from credit card fraud, affiliate fraud, chargeback fraud, account takeovers, & more.
Related Customer Case Study
How Kount Helps International Brand Winc Reduce Fraud & Chargebacks
Learn how Australian-based brand, Winc, transforms their fraud prevention strategy with Kount in this case study. Find out how you could achieve similar results.
Related Webinar
The 5 Ways to Block Fraudsters Without Blocking Revenue
Our panelists from Jagex, Kount, and Ekata share their advice for addressing evolving fraud schemes and industry regulations.
Related Testimonial video
Hyatt
Kount helps Hyatt balance guest experiences with fraud prevention to provide safe and efficient check-in and checkout processes.
Related Testimonial video
Sertifi
Kount helps Sertifi provide secure and efficient transactions with proactive fraud prevention. In turn, Sertifi builds better experiences for their customers.
Related Customer Case Study
Sporting Goods Manufacturer Achieves .039% Chargeback Rate with Kount
Trying to grow your business but struggling to keep up with fraud & chargebacks? It’s time to contact an expert. Learn how Kount helped Tactical Craft find success!
Related Page
Find your path
Confused by the different types of fraud? Wondering which solutions you really need — and which are a waste of money? Use our survey to build a custom strategy.
Related Blog Post
Preparing Your Business for the Risks of Real-Time Payments and A2A Transfers
Discover the risks of real-time payments to learn how your business can prevent A2A transfer fraud and protect revenue while maintaining seamless transactions.
Related Blog Post
Preparing for the Holidays: Fraud Tips to Help You Survive the Season
Are you prepared to tackle this season’s biggest fraud threats? If not, check out this guide for tips on preventing holiday fraud and chargebacks.
Related Data report
CBA Fraud Trends
Earlier this year, the Consumer Bankers Association (CBA) surveyed its members to learn how they are handling fraud and chargebacks.
Related Blog Post
Why Your Payment Orchestration Strategy Needs Unified Fraud Protection
Maximize approval rates and reduce fraud costs with a streamlined payment orchestration strategy using a unified fraud solution.
Related Blog Post
Authorized Push Payment (APP) Fraud Threatens Banks and Businesses
Authorized Push Payment fraud scams steal billions annually. Learn about the emerging global threat of APP fraud ahead of new compliance regulations.
Related Page
Ethoca Alerts
Stop more chargebacks with less effort today! Easy to use and proven results to protect your revenue.
Related Data report
QSR Report
The restaurant industry is up against innumerous challenges. But our fraud tool has helped many QSRs find success. Learn more in our 2024 report!
Related Blog Post
Why Restaurants are Experiencing an Increase in Fraud
Restaurants and QSRs have experienced a massive shift in customer buying behaviors – which has brought a lot of new fraud threats. Learn more here.
Related Podcast
Optimize Security to Prevent Fraud and Protect Revenue
In this Podcast, experts discuss proven strategies for retaining revenue and thwarting fraud before it hits the bottom line. Learn how machine learning can boost results.
Related Page
Fraud Detection Software
Kount offers the most accurate risk assessments possible. Our fraud detection software uses machine learning to identify more fraud with fewer false positives.
Related Customer Case Study
How Edward’s eBooks Achieves Maximum Profitability with Kount
Chargeback management is a balancing act between risk and reward. Check this real life story of how Kount's analytics make it easy to find that middle ground.
Related News
Fireside Chat on Post-Transaction Fraud
In this PYMNTS.com interview, Robert Painter talks Visa's CE 3.0 key takeaways and the best strategies for merchants to protect against post-transaction fraud.
Related Blog Post
What Is Chargeback Insurance?
Chargeback insurance sounds great at first. See what a chargeback guarantee actually covers and find a better way to stop loss from fraudulent transactions.
Related Customer Case Study
Jeffers Pet Achieves Immediate Results with Kount’s VTEX Integration
Looking for a fraud solution that can easily integrate with your ecommerce platform? Look no further. Kount helped Jeffers Pet achieve fast results and can help you too!
Related Page
Visa CE 3.0
Everything you need to know about Visa CE 3.0 is right here — in an authoritative, easy-to-understand resource. From questions to implementation, find it here.
Related Analyst report
Liminal Names Kount an Industry Leader in Ecommerce Fraud Prevention
Liminal Strategy recently conducted a report analyzing the top 50 ecommerce vendors. Find out here why Kount was named a leading provider in the space.
Related News
Understanding Customers is More Important Than Ever
Dilip Singh discusses the value of using data science to better understand your consumers. Learn how the data you're collecting can lead to consumer insights.
Related Blog Post
Buy Now, Pay Later: BNPL Risk Management Is Essential
Are you a buy now, pay later service provider? If so, you need to be aware of these BNPL risks -- and know how to manage them. Click here to learn more.
Related Page
Stop Card Testers in Their Tracks
Are card testing criminals attacking your business? Tired of the revenue loss and repetitional damage? Check out Kount's solution for card testing fraud.

AUTHOR

Morgan Ackley

Content Strategist

Morgan has worked in the tech industry for over 5 years. Her breadth of knowledge and curiosity about technology and all things fraud-related drive her to craft compelling, educational pieces for readers seeking answers.