What is account takeover fraud?
Account takeover (ATO) fraud is a type of online theft that happens when criminals steal a target’s personally identifiable information (PII). Once they have this information – which could encompass things like passport numbers, passwords, addresses and bank details – they can use it to take control of the target’s accounts and commit fraud.
Once the attacker is armed with the details they need, the account takeover scam could look like any of the following:
- Internal phishing – with access to an employee’s corporate account, attackers send emails to other employees posing as a trusted individual. This might compromise the individual or company’s reputation, or convince recipients to share sensitive information.
- Supply chain phishing – attackers use access to an employee’s corporate account to manipulate suppliers and partners.
- Data exfiltration – access to someone’s email account means a scammer can also access their calendar and contact list, for more ways to commit fraud.
- Financial fraud – this involves using access to a person’s bank account to steal money in the form of transfers or purchases.
How does ATO fraud happen?
There are some key ways attackers might make account takeover attempts. We’ll take a look at the most common:
- Social engineering – tricking victims into giving up specific information, through persuasive techniques and research.
- Phishing – sending out dangerous downloads and links to fraudulent websites to access information, such as passwords and banking details.
- Credential stuffing – using stolen or leaked log-in details to gain access to accounts across other websites where passwords are the same.
- Bot attacks – sophisticated bots can now attempt takeovers of many accounts at once, using automation to try passwords stolen in breaches against accounts where they have been reused.
Account takeover scams can happen to individuals, but can also put organisations at risk through executive impersonation. The bleak reality of our more tech-focused lifestyle is that there are even more openings for criminals to exploit. It’s normal for people to re-use the same password for multiple websites, and since people do more digital transactions (banking, shopping, etc.), there are more accounts to steal and impersonate.
In order to continue enjoying the benefits that digital does offer, it’s important to know how to prevent account takeover attempts from happening in the first place.
How to prevent account takeover fraud
Account takeover protection for your organisation starts with establishing measures across every system associated with the business. Keep anti-virus software updated and invest in digital brand protection. Most of all – don’t ignore the warning signs and alerts that your account may be compromised.
Monitor compromised credentials
A key part of account takeover protection is to regularly check your database for breached credentials, so you can notify users as soon as their accounts are compromised. A proactive approach is best here – the sooner breaches are caught, the better.
Set a limit to log-in attempts
Set rate limits on login attempts coming from the same username, device and IP address. A rate limit caps the number of login attempts allowed within a set period of time, and helps to minimise the risk of ATO fraud by slowing down password guessing and credential stuffing.
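The following is an added example, not FraudWatch code, of the rate limit described above: a sliding-window limiter keyed on the (username, device identifier, IP address) triple that rejects further attempts once five failures have been recorded within five minutes. The limits, the `FakeClock` used for the simulation and the sample usernames and addresses are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter keyed on (username, device id, client IP).

    Hypothetical helper (assumption, not the page's code). At most
    `max_attempts` failed logins per key are tolerated within
    `window_seconds`; further attempts are rejected until old failures
    age out of the window.
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be simulated
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    @staticmethod
    def _key(username, device_id, ip):
        return (username.strip().lower(), device_id, ip)

    def _prune(self, key, now):
        """Drop failures older than the window and return the remaining queue."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_allowed(self, username, device_id, ip):
        q = self._prune(self._key(username, device_id, ip), self.clock())
        return len(q) < self.max_attempts

    def record_failure(self, username, device_id, ip):
        now = self.clock()
        q = self._prune(self._key(username, device_id, ip), now)
        q.append(now)
        return len(q)

    def record_success(self, username, device_id, ip):
        # A successful login clears the failure history for that key.
        self._failures.pop(self._key(username, device_id, ip), None)


def attempt_login(limiter, username, device_id, ip, password_ok):
    """Gate a login through the limiter; returns 'blocked', 'failed' or 'ok'."""
    if not limiter.is_allowed(username, device_id, ip):
        return "blocked"  # do not even evaluate the password
    if password_ok:
        limiter.record_success(username, device_id, ip)
        return "ok"
    limiter.record_failure(username, device_id, ip)
    return "failed"


class FakeClock:
    """Manual clock so the simulation below does not have to sleep."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_burst():
    """Constructed scenario: six bad guesses one second apart, a guess from a
    different IP, then a correct password after the window has expired."""
    clock = FakeClock()
    lim = LoginRateLimiter(max_attempts=5, window_seconds=300, clock=clock)
    results = []
    for _ in range(6):
        results.append(attempt_login(lim, "alice", "dev-1", "203.0.113.7", password_ok=False))
        clock.advance(1)
    # Same username from another address is a separate key, so it is not blocked.
    results.append(attempt_login(lim, "alice", "dev-1", "198.51.100.9", password_ok=False))
    clock.advance(300)  # let the earlier failures age out
    results.append(attempt_login(lim, "alice", "dev-1", "203.0.113.7", password_ok=True))
    return results


if __name__ == "__main__":
    print(simulate_burst())
```

Because the key includes the IP address, an attacker spreading credential-stuffing attempts across many addresses stays under this limit for each one; in practice this per-triple limit is combined with a per-username counter (lock or step-up authentication after many failures from anywhere) and a per-IP counter across usernames.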
Send user notifications when accounts are updated
Whenever a user makes a change to their account, send a notification or email to let them know. This way, the user can confirm whether they made the change themselves or whether it could be an account takeover attempt.
Give strong password recommendations
It’s easier for users to use the same password across multiple websites, but this just makes an account takeover scam more straightforward. Organisations should make it mandatory to use strong passwords, for example by enforcing a minimum length and a requirement for numbers and special symbols. Setting up two-factor authentication is also helpful.
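The following added example, not FraudWatch code, puts the two password-related controls on this page into one check: the password policy just described (minimum length, digits, special symbols) and the breached-credential check from the “Monitor compromised credentials” section. The breach lookup is done the way range-query breach APIs work (only the first five hex characters of the SHA-1 hash leave the client), but here the corpus is a small constructed set so the code runs offline; the passwords, e-mail addresses and the 12-character minimum are constructed assumptions, not real breach data or the page’s figures.

```python
import hashlib
import re

# Constructed sample breach corpus (NOT real breach data): SHA-1 hashes of a
# few passwords of the kind that appear in leaked lists, stored as upper-case
# hex like public range-query breach APIs present them.
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Summer2023!"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in CONSTRUCTED_BREACHED_PASSWORDS
}

# Constructed list of e-mail addresses seen in a breach dump (NOT real data).
CONSTRUCTED_BREACHED_EMAILS = {"alice@example.com", "dave@example.org"}

MIN_LENGTH = 12  # assumed policy value


def sha1_prefix_lookup(password, corpus=BREACHED_SHA1):
    """Check a password against a breach corpus using the k-anonymity pattern:
    only the 5-character hash prefix is sent; the remaining suffix is compared
    locally against the candidates returned for that prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # This simulates the corpus side, which only ever learns `prefix`.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def evaluate_password(password, corpus=BREACHED_SHA1):
    """Return the list of reasons a password is rejected (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special symbol")
    if sha1_prefix_lookup(password, corpus):
        problems.append("appears in a known breach")
    return problems


def users_to_notify(account_emails, breached_emails=CONSTRUCTED_BREACHED_EMAILS):
    """Cross-check the account database against a breach dump and return the
    accounts whose owners should be notified and prompted to reset."""
    normalised = {e.strip().lower() for e in breached_emails}
    return sorted(e for e in account_emails if e.strip().lower() in normalised)


if __name__ == "__main__":
    for candidate in ["password", "Summer2023!", "correct-horse-battery-9"]:
        print(candidate, "->", evaluate_password(candidate) or "accepted")
    print(users_to_notify(["Alice@Example.com", "bob@example.com"]))
```

A password that satisfies the complexity rules but appears in a breach (such as the constructed `Summer2023!`) is still rejected, which is the point of pairing the two checks; and the breach check runs at login as well as at registration, since that is the only moment the plaintext is available to hash without storing it.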
ATO fraud could affect your organisation financially – and seriously impact its reputation. Talk to FraudWatch about account takeover protection by sending us a message online.