6 major types of account takeover fraud

The techniques used by fraudsters are becoming increasingly complex. This means that there are now multiple ways a fraudster can take control of an account. The types of account takeover fraud chosen by the attacker will depend on their goal and the resources they have available. 

September 12th, 2022




Account takeover fraud is one of the greatest threats facing online businesses today. Not only can account takeover fraud cost businesses huge sums of money, but it can also overburden IT and customer services teams, and ruin the reputation of your business.

To help you guard against the threat of this fast-growing form of fraud, in this guide we’ll cover the major types of account takeover fraud and the steps you can take to stop fraudsters in their tracks. 

What is account takeover (ATO)?

Account takeover (ATO) is a form of identity theft. It occurs when a criminal actor takes control of a user’s account without their permission, with the aim of committing fraud.

Taking over an account typically happens in stages. First, the fraudster obtains the victim’s credentials, either by stealing them directly (for example through phishing or malware) or by buying a leaked set on the dark web, and logs in as the victim.

Second, they make a series of non-monetary changes to the account, such as changing the password, the registered email address or phone number, or other personally identifiable information, so that the legitimate owner is locked out and no longer receives notifications about the account.

Once these steps are complete, the fraudster has full control of the account. At this stage they will either carry out a series of monetary transactions or sell the account to someone else.

Finally, the fraudster will try to repeat their success against the victim’s other accounts. This is possible whenever the victim has reused the same password and login details across multiple services.

Why is it such a threat?

There are several reasons why account takeover fraud is one of the biggest threats facing businesses today. Firstly, we must acknowledge that the methods employed by fraudsters who are attempting to gain control of accounts are becoming increasingly sophisticated and hard to detect. For this reason, businesses that do not take the threat of ATO seriously could soon become the target of fraudsters.

If a fraudster gains access to a user’s account and then uses that account to make purchases, then it’s likely that the customer will blame your business for the security breach (even if the lapse in security was their responsibility). For this reason, an ATO attack can irreparably damage the relationship between a business and its customers, as well as causing wider reputational damage.

But, the cost of account takeover fraud isn’t purely reputational. After all, it’s estimated that each instance of account takeover costs a business $12,000 to rectify.

On top of this, ATO attacks impact almost every department in a business. This is because the consequences of a security breach mean:

  • Your IT team must investigate each incident and reassess the robustness of your security systems
  • Your finance team must fight chargebacks
  • Your customer support team will be overwhelmed by customers who are trying to reclaim their accounts

Types of account takeover


Major types of account takeover fraud include:

Credential stuffing

To carry out a credential stuffing attack, a fraudster will usually obtain a list of username and password pairs leaked in an earlier breach. Using automated tools, they then replay those pairs against the login pages of many unrelated websites, looking for places where the same credentials still work.

Sadly, leaked credentials are widely available on the dark web. Because so many users reuse the same password across services, this type of account takeover fraud has a high success rate even against a site that has never been breached itself. Rate limiting and bot detection on the login endpoint, and rejecting new passwords that appear in known breach lists, are the usual first lines of defense.

SIM swapping

When a customer replaces their phone or loses their SIM, their carrier will issue a new SIM card and move the number to it. Although this is a legitimate service, it can be abused by fraudsters who use social engineering to have the victim’s mobile phone number transferred to a SIM card they control.

To achieve this, the fraudster contacts the victim’s mobile carrier and impersonates the customer, often armed with personal details gathered through phishing or from data breaches. They convince the call center agent that the number needs to be ported to a new SIM, which the fraudster holds.

Once the port is complete, every call and text message for that number reaches the fraudster, including SMS one-time passwords. If the bank (or any other service) relies on SMS codes as its second factor, the fraudster can complete the login, perform fraudulent transactions, add payees, or carry out other operations during the session. This is why SMS is the weakest form of second factor: an authenticator app, a push approval bound to a registered device, or a hardware security key is not affected by a SIM swap.

Phishing scams

Phishing scams take two main forms:

  • Bulk phishing, where the same lure is sent to a large list of addresses
  • Spear phishing, where a single person is targeted

Bulk phishing occurs when a fraudster has a list of email addresses but no corresponding passwords. The fraudster sends the same message to every address on the list, posing as a credible business in an attempt to get the recipient to click a fraudulent link.

If the user clicks the link, they are taken to a fake login page that asks for their credentials. Whatever they enter is captured and can then be used by the fraudster to log in to the real service. Phishing can be incredibly damaging, because a single campaign can target thousands of users at once. Note that a one-time passcode typed into the fake page is captured just as easily as a password, so only phishing-resistant second factors (such as FIDO2 security keys, which verify the site’s origin) fully close this gap.

By contrast, spear phishing attacks are much more targeted. Criminals use social engineering and background sleuthing to target a specific individual rather than thousands of people.

For instance, in a spear phishing scenario, a criminal may use a user’s email address to find a linked Facebook account. Using the information on that account, they may discover that the user has a sister. They then spoof the sender so that the spear phishing email appears to be a genuine message from the sister asking for information.


Malware attacks

With a malware attack, a fraudster takes control of an account by getting malicious software (malware) installed on the victim’s computer or mobile phone.

This typically happens when the user installs an app, a piece of software, or an unverified update from an untrusted source. Some malware, known as keyloggers, intercepts and records everything the user types, including their online banking details. Other banking malware goes further, overlaying fake login screens on top of the real app or modifying the page inside a legitimate banking session.

Man-in-the-middle (MitM) attacks

During a MitM attack, a fraudster positions themselves between the customer and the financial institution. From that position they can intercept, read, modify, and forward communications in both directions without either party noticing.

To achieve this, the fraudster usually needs control of the network path between the user’s device and the bank’s server. A common way to get it is to set up a malicious public Wi-Fi network that the user connects to unwittingly.

For example, in a coffee shop, they may set up a network called ‘free coffee shop Wi-Fi’ or similar. A user looking for free Wi-Fi then sends all their traffic, including payment data, through a network controlled by the criminal. In practice, HTTPS (TLS) stops a network attacker from reading or altering the contents of a properly secured connection, so these attacks rely on sites that still accept plain HTTP, on tricking the user into accepting a bogus certificate or installing an attacker-controlled root certificate, or on fake captive-portal pages that harvest credentials directly. Banking apps that pin their server certificate resist the certificate-based variants.

Call center fraud

Call center fraud is common in the banking industry and is a form of voice phishing (vishing). The fraudster phones the victim, typically posing as the bank’s own fraud team, and asks them to ‘verify’ their PIN, the answers to their security questions, and the one-time codes sent to their phone during the call. The victim unwittingly hands over everything the fraudster needs to log in and approve transactions, including the second factor. A genuine bank will never ask a customer to read out a full PIN or a one-time code.

Where is your business at risk?

In order to prevent account takeover fraud, businesses must put a series of security measures in place. This is because fraudsters will target businesses that rely on lax security systems and inadequate fraud prevention measures.

These security measures should include both internal security processes and customer-facing ones. By following cybersecurity and data protection best practices, a business greatly reduces the chance that it becomes the source of a data breach. These processes should include automatic notifications to the customer whenever something changes on their account, two-step verification, and detection tools.

As a key part of this, businesses should invest in systems that help them accurately verify the identity of users before they’re allowed to gain access to their account. By lessening reliance on static passwords and instead prioritizing biometric identifiers, a business can lock fraudsters out of an account before they can make any changes.

Similarly, businesses should also have systems in place that help them detect suspicious activity, in case a fraudster does successfully take over an account. These suspicious signals include things such as a high number of authentication attempts on different accounts from the same IP address, mass password reset requests, and multiple changes to an account at any one time.
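The signals listed above, together with the two-stage pattern described under ‘What is account takeover (ATO)?’ (profile changes followed by a transaction) and the credential stuffing pattern described earlier, can be turned into simple detection rules. The Python below is an added example written for this article, not Veriff’s code: it runs three such rules over a constructed activity log. The event format, field names, event names and thresholds are assumptions chosen for illustration.

```python
"""Added example (not Veriff's code): three account-takeover detection rules
run over a constructed activity log. Event format, field names, event names
and thresholds are all assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_EVENTS = {"login_failed", "login_success"}
CHANGE_EVENTS = {"password_changed", "email_changed", "phone_changed", "address_changed"}


def ev(ts, ip, user, event):
    """Build one event record (constructed sample data, not real traffic)."""
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "event": event}


SAMPLE_EVENTS = [
    # One IP cycling through many different usernames in seconds: credential stuffing.
    ev("2022-09-12T10:00:01", "203.0.113.7", "alice", "login_failed"),
    ev("2022-09-12T10:00:02", "203.0.113.7", "bob", "login_failed"),
    ev("2022-09-12T10:00:03", "203.0.113.7", "carol", "login_failed"),
    ev("2022-09-12T10:00:04", "203.0.113.7", "dave", "login_failed"),
    ev("2022-09-12T10:00:05", "203.0.113.7", "erin", "login_success"),  # reused password
    ev("2022-09-12T10:00:06", "203.0.113.7", "frank", "login_failed"),
    # Stage two on erin's account: non-monetary changes, then money moves.
    ev("2022-09-12T10:01:00", "203.0.113.7", "erin", "password_changed"),
    ev("2022-09-12T10:02:00", "203.0.113.7", "erin", "email_changed"),
    ev("2022-09-12T10:10:00", "203.0.113.7", "erin", "transaction"),
    # A legitimate user: one typo, a login, an address update, a purchase next day.
    ev("2022-09-12T10:05:00", "198.51.100.9", "grace", "login_failed"),
    ev("2022-09-12T10:05:10", "198.51.100.9", "grace", "login_success"),
    ev("2022-09-12T10:06:00", "198.51.100.9", "grace", "address_changed"),
    ev("2022-09-13T09:00:00", "198.51.100.9", "grace", "transaction"),
    # A burst of password-reset requests against different accounts.
    ev("2022-09-12T10:20:00", "203.0.113.7", "heidi", "password_reset_requested"),
    ev("2022-09-12T10:20:15", "203.0.113.7", "ivan", "password_reset_requested"),
    ev("2022-09-12T10:20:30", "203.0.113.7", "judy", "password_reset_requested"),
    ev("2022-09-12T10:20:45", "203.0.113.7", "mallory", "password_reset_requested"),
]


def _windowed(events, window):
    """Yield (event, events in the trailing window ending at that event), in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end, e in enumerate(events):
        while e["ts"] - events[start]["ts"] > window:
            start += 1
        yield e, events[start:end + 1]


def credential_stuffing_ips(events, window=timedelta(minutes=5), min_users=5):
    """Rule 1: one source IP attempting logins for many distinct usernames.
    Returns {ip: peak number of distinct usernames seen in any single window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in LOGIN_EVENTS:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for _, recent in _windowed(evs, window):
            users = {r["user"] for r in recent}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def change_then_spend(events, window=timedelta(minutes=30), min_changes=2):
    """Rule 2: several profile changes followed by a transaction inside the window.
    Returns {user: [the change events that preceded the transaction]}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for e, recent in _windowed(evs, window):
            if e["event"] != "transaction":
                continue
            changes = [r["event"] for r in recent if r["event"] in CHANGE_EVENTS]
            if len(changes) >= min_changes:
                flagged[user] = changes
    return flagged


def reset_request_burst(events, window=timedelta(minutes=1)):
    """Rule 3: mass password-reset requests. Returns the peak number of reset
    requests inside any single window, to be compared against your normal rate."""
    resets = [e for e in events if e["event"] == "password_reset_requested"]
    return max((len(recent) for _, recent in _windowed(resets, window)), default=0)


if __name__ == "__main__":
    print("credential stuffing:", credential_stuffing_ips(SAMPLE_EVENTS))
    print("change then spend:  ", change_then_spend(SAMPLE_EVENTS))
    print("peak reset requests:", reset_request_burst(SAMPLE_EVENTS))
```

On the sample data the first rule flags 203.0.113.7 (six distinct usernames in five seconds), the second flags erin (password and email changed minutes before a transaction) but not grace (one change, and the purchase is a day later), and the third reports a peak of four reset requests in a minute. The thresholds are where the real work is: a university or corporate NAT address will legitimately show many users behind one IP, so the distinct-user threshold should be set against a per-IP baseline rather than the fixed value used here, and the change-then-spend rule is better used to step up authentication (for instance the biometric check discussed below) than to block outright.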

On top of this, businesses should also ensure that their customers are keeping their own data private and secure. To do this, businesses should encourage their users to:

  • Learn how to recognise and avoid identity fraud
  • Learn about the techniques used by fraudsters
  • Create a unique password for every account they have
  • Never click on suspicious links
  • Enable two-step verification wherever it is offered
  • Never share their personal data or passwords with others

How does Veriff help?

At Veriff, we’re proud to offer a range of class-leading solutions that can help you secure user accounts and lock out bad actors. While our identity verification solution and our AML and KYC solution can help you verify new users before you onboard them, our biometric authentication software can be used to match returning users and detect account takeover fraud. 

This solution is much more reliable than using passwords and one-time passcodes and is perfect for securing user accounts. Plus, it allows you to lock fraudsters out of an account before they can make changes to a customer’s details or attempt to make a purchase.

Not only is our biometric authentication secure, but it also accelerates the user authentication process. By utilizing facial biometrics (via the use of a selfie) to match the returning user, it compares the image with our existing session data and quickly identifies the user. As a result, it eliminates friction and facilitates a smoother user experience.   

Led by powerful automation, our software can authenticate any user’s identity in only one second. It’s also 99.99% accurate and authenticates 99% of users on their first try.

Speak with the fraud prevention experts at Veriff

In order to prevent fraud from taking place, your business must put the correct fraud detection processes in place. These processes and systems can stop fraudsters before they’re able to access a user’s account, and they can be used to resist all the major types of account takeover fraud.

If you’re interested in discovering more about how our class-leading solutions can help a financial services business like yours, talk to our fraud prevention experts today. We’d love to provide you with a personalized demo that shows exactly how our solutions can help keep your business and its customers safe.  


