Account Takeover Fraud: What It Is and How to Stop It

May 2, 2022


Information is something that is inherently valuable. And when having access to certain types of information—such as credit card numbers, online passwords, social security numbers, and more—can be sold or used to make money, the marketplace for malicious actors to target and steal this information will inevitably emerge.

Account Takeover (ATO) Fraud is a type of malicious identity theft that creates immediate harm for holders of all kinds of accounts every day. To make matters worse, ATO fraud has increased significantly, up by more than 300% since 2019.

This has made it even more urgent for businesses and consumers to protect all account-related information and carefully monitor for signs of ATO fraud.


What is Account Takeover (ATO) Fraud?

Account Takeover (ATO) Fraud is a common form of fraud in which a malicious party will use stolen credentials to access and control various accounts. This method of fraud can happen to both individuals and businesses. 

Many different types of accounts might be targeted by ATO fraud schemes, including credit card accounts, bank accounts, government benefit accounts, and more.

According to a study published by Aite Group, “over one-third (38%) of consumers experienced account takeover (i.e., unauthorized access to a consumer’s existing account) over the past two years.” 

When left unaddressed, ATO fraud can cost both consumers and businesses significant amounts of money and time—though there are ways to reconcile accounts that have become victims of ATO fraud schemes, the best thing to do to remain safe is to take proactive measures.

How Account Takeover Fraud Happens

Account Takeover Fraud schemes are usually initiated by cybercriminals, though information can also be acquired from unauthorized paper documents and other non-digital means. The first step is obtaining information without authorization. This information might include passwords for critical accounts, credit card numbers, checking account numbers, and more.

Once the necessary information has been acquired, the person committing the fraud will then seek to access the victim’s accounts. In many cases, the fraudster will conduct a “test purchase,” usually just a few dollars or less, to see if their unauthorized activity is being monitored or detected. 

Once they have confidence that they can easily make purchases or transfers as desired, they will likely escalate their criminal efforts. Unauthorized activities might include making purchases via credit card and transferring funds to their account.

It is not uncommon for ATO criminals to conduct multiple fraud attempts at once and execute their campaigns over an extensive period (possibly just making one purchase per month through each account they have access to). 

Unfortunately, if businesses or consumers aren’t carefully monitoring their finances, these schemes will often go completely unnoticed.

Account Takeover Fraud vs. Identity Theft

Identity Theft is a broad, umbrella term that can describe any activity where a malicious party pretends to be someone else. Account Takeover Fraud is a specific type of identity fraud, though just one of many types that businesses and consumers could be exposed to.

Businesses Susceptible to ATO Fraud

Any business dealing with sensitive financial information could fall victim to account takeover fraud. However, there are clearly a few types of businesses that are more likely to be targeted and victimized than others:

  • Financial Services: the motivation behind most ATO fraud campaigns is financial gain, which is why banks, credit unions, credit card companies, and other financial enterprises are often among the first to be targeted. Payroll data and tax data will often be targets of attack.
  • Social Media: with billions of users worldwide, social media contains a nearly bottomless amount of personal information—both financial and otherwise. And because social media accounts are often connected to email addresses and other accounts, the consequences of these attacks can be ruthless.
  • Retail and eCommerce: recent data suggests that the retail and eCommerce industries experience the “highest raw number of malicious attempts,” with accounts linked to credit cards and virtual gift cards experiencing greater exposure to risk.
  • Higher Education: the combination of the high volume of student loans and low IT budgets at many institutions makes higher education a particularly vulnerable sector to ATO fraud attacks.
  • Healthcare: medical records—which can potentially be sold for large amounts of money—are not immune to ATO attacks. Some ATO fraudsters will even use other people’s records to get access to “free” healthcare services.

In general, the more personal information involved in an industry, the more cyber risk both businesses and consumers will be exposed to.

Account Takeover Fraud Examples

Millions of ATO attempts will occur every day, often conducted through automated sources. 

Even though just a small fraction of these attacks will be successful, it is clear that the consequences can be extreme. Some of the most notable ATO fraud attacks of all time include:

1. TurboTax

As a platform containing tax records, social security numbers, and bank account numbers of millions of Americans, TurboTax (and other tax services) has always been a prime target for fraud campaigns. 

In 2021, the TurboTax information for millions of users was leaked (the exact number is not clear). A significant portion of this ATO activity came from poor password management skills, with many users relying on passwords they use on other sites.

2. Dunkin Donuts

In 2018, “tens of thousands” of Dunkin Donuts users—particularly those who use in-store “DD Cards”—had their information stolen and accounts compromised due to a sustained ATO fraud campaign. 

As a result, in addition to spending millions on legal fees and new digital infrastructure, Dunkin was also slapped with a $650,000 fine.

3. Basecamp

In 2019, Basecamp—a software company—experienced a global ATO fraud attack, which consisted of more than 30,000 login attempts and the compromising of hundreds of accounts. The company believes that, like the TurboTax breach, many of these successful ATO efforts came from using passwords utilized across multiple accounts.

The faster someone can react to an ATO attack, the less damaging that attack will ultimately be. Still, especially when executed at scale, these attacks can undoubtedly create a lasting impact.

5 Best Practices for Detecting and Preventing ATO Fraud

Both businesses and consumers can take multiple actions that will help significantly reduce the likelihood of falling victim to an ATO Fraud attempt. Even small accounts or rarely used platforms should implement the following five best practices.

1. Use Different Passwords—and Change Them Frequently

Any password you use will be at risk of, someday, getting stolen. And while nobody wants to have to remember 50 different passwords, diversifying these passwords can make a world of difference. 

As seen in the TurboTax and Dunkin Donuts cases, people who used different passwords and changed them often were less likely to become victims of fraud. Additionally, using randomly generated passwords (rather than ones built from actual words, like baseball23) will also decrease the likelihood of a malicious party accessing your accounts.

2. Thoroughly Monitor All Accounts and Statements

As suggested, many ATO fraudsters will begin by making a small purchase to test what they can get away with. By taking the time to regularly review all accounts—especially bank accounts and other financial resources—you may be able to identify and respond to the attack before it gets out of hand.
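The "test purchase, then escalate" sequence described under How Account Takeover Fraud Happens, and the advice above to monitor accounts for it, can be turned into a concrete monitoring rule. The following is an added example written for this post; it is not Unit21's product code or any real customer's data. It assumes a per-account list of previously seen devices or IP fingerprints (`KNOWN_DEVICES`), uses constructed transactions, and the thresholds (a probe of $5 or less, $200 of follow-on spend within 7 days, a device probing 3 or more accounts) are assumed values to be tuned against real data.

```python
from dataclasses import dataclass
from collections import defaultdict
from datetime import datetime, timedelta

# Rule thresholds (assumed values; tune them against real transaction data)
TEST_PURCHASE_MAX = 5.00               # "just a few dollars or less" probe
ESCALATION_WINDOW = timedelta(days=7)  # how long after a probe we look for larger spend
ESCALATION_MIN = 200.00                # follow-on spend from the same device that counts as escalation


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float
    device: str  # device or IP fingerprint presented with the transaction


def _by_account(txns):
    """Group transactions per account, oldest first."""
    grouped = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        grouped[t.account].append(t)
    return grouped


def find_test_then_escalate(txns, known_devices):
    """Flag accounts where a tiny purchase from a device never seen on that
    account is followed, within ESCALATION_WINDOW, by large spend from the
    same device. Returns one alert dict per flagged account."""
    alerts = []
    for account, seq in _by_account(txns).items():
        trusted = set(known_devices.get(account, ()))
        for i, probe in enumerate(seq):
            if probe.amount > TEST_PURCHASE_MAX or probe.device in trusted:
                continue
            follow_on = [t for t in seq[i + 1:]
                         if t.device == probe.device
                         and t.ts - probe.ts <= ESCALATION_WINDOW]
            total = sum(t.amount for t in follow_on)
            if total >= ESCALATION_MIN:
                alerts.append({"account": account, "device": probe.device,
                               "probe_amount": probe.amount,
                               "follow_on_total": round(total, 2)})
                break  # one alert per account is enough to trigger review
    return alerts


def find_probing_devices(txns, known_devices, min_accounts=3):
    """Flag devices that place sub-threshold probes on several accounts they
    have no history with: the automated, multi-account campaign pattern."""
    accounts_per_device = defaultdict(set)
    for t in txns:
        if t.amount <= TEST_PURCHASE_MAX and t.device not in known_devices.get(t.account, ()):
            accounts_per_device[t.device].add(t.account)
    return {dev: accts for dev, accts in accounts_per_device.items()
            if len(accts) >= min_accounts}


# Constructed sample data (not real customers; the IP is from the
# 203.0.113.0/24 documentation range).
KNOWN_DEVICES = {
    "A-1001": {"dev-home-laptop"},
    "A-1002": {"dev-phone"},
    "A-1003": {"dev-tablet"},
    "A-1004": {"dev-desktop"},
}


def day(d, hour=12):
    return datetime(2022, 5, d, hour)


SAMPLE_TXNS = [
    Txn("A-1001", day(1), 1.00, "ip-203.0.113.7"),    # probe from an unknown device
    Txn("A-1001", day(3), 450.00, "ip-203.0.113.7"),  # escalation two days later
    Txn("A-1002", day(1), 2.00, "dev-phone"),          # small buy, but from a trusted device
    Txn("A-1002", day(2), 300.00, "dev-phone"),
    Txn("A-1003", day(1), 0.99, "ip-203.0.113.7"),    # probe only, no escalation yet
    Txn("A-1004", day(1), 1.50, "ip-203.0.113.7"),    # same device probing a third account
]

if __name__ == "__main__":
    for alert in find_test_then_escalate(SAMPLE_TXNS, KNOWN_DEVICES):
        print("ESCALATION", alert)
    for dev, accts in find_probing_devices(SAMPLE_TXNS, KNOWN_DEVICES).items():
        print("PROBING DEVICE", dev, sorted(accts))
```

On the sample data the first rule flags only A-1001 (the trusted phone on A-1002 is ignored even though it also made a small purchase first), while the second rule flags the single IP that probed three different accounts, which is the signal worth acting on before the larger purchases arrive.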

3. Utilize Software to Detect Fraud

Today, the best way to identify fraud is to use robust and dynamic software. And thanks to the proliferation of no-code development, accessing this software has become easier and more affordable. 

Unit21, for example, is a reliable fraud detection software that has helped customers reduce false positives by more than 85% and reduce instances of fraud by more than 50%.

4. Be Wary of Giving Out Information

Information is something that both consumers and businesses should carefully guard. There are a lot of online spaces that will ask for personal or financial information, but that doesn’t mean you should necessarily just hand it over—even if the platforms themselves are legitimate, increasing the number of places this information is stored will inevitably increase your risk exposure.

5. Take Advantage of Multi-Factor Authentication

Multi-factor authentication is a great way to prevent malicious parties from taking over an account. Even if they can access an account-specific password, adding another source for authentication will significantly decrease the likelihood of a successful breach occurring. Just be sure to keep the passwords for authentication sources in different places. 
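To show what the "another source for authentication" actually involves on the server side, here is an added example of a time-based one-time password check (the TOTP codes authenticator apps produce, per RFC 6238 over RFC 4226 HOTP). It is written for this post and is not Unit21's code; the `TotpVerifier` class and its skew window are assumptions of this example, and the secret is the published RFC test key rather than any real user's seed. Beyond the basic code comparison, it shows two details a practitioner wants: constant-time comparison and refusing to accept a counter value twice, so a code captured in transit cannot simply be replayed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with the standard dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical helper for this example).
    Accepts a small clock-skew window, compares in constant time, and never
    accepts a counter value that has already been consumed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # would be persisted per user in a real system

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        current = now // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed: a replayed or stale code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


# Shared test secret from RFC 4226 / RFC 6238 (not a real user's seed)
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)                      # 287082, matching the RFC test vector
    print("first use:", verifier.verify(code, now=59))  # True
    print("replay:", verifier.verify(code, now=60))     # False: that counter was already accepted
```

The replay rejection is the part that matters for account takeover: a password alone can be reused indefinitely once stolen, whereas an accepted one-time code is consumed and the next login needs a fresh one from the second factor.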


Account Takeover Fraud Prevention: Key Takeaways

ATO fraud is on the rise, and it is necessary to be proactive about preventing it. Fortunately, there are strategies you can use to increase the accuracy of ATO fraud detection. By adhering to best practices, utilizing fraud detection resources, and being diligent about monitoring, the likelihood and consequences of an ATO fraud attack can be significantly reduced.

Account takeover fraud isn't your only threat. Find out how to combat check deposit fraud affecting your Fintech.

Interested in discovering how Unit21 can help with fraud detection and prevention? Schedule a demo to see the platform in action.
