Account takeover fraud statistics

Account takeover fraud (ATO) occurs when a fraudster gains access to a customer’s account. Any online account can be taken over by a fraudster, and the criminal involved can cause a huge amount of financial damage. 

But, what do account takeover statistics tell us about how common this form of fraud is? In this guide, we’ll take a detailed look. As well as providing you with a summary of what account takeover fraud involves, we’ll take a deep dive into the latest account takeover fraud statistics. We’ll then conclude by explaining how your business can prevent ATO fraud.

What is account takeover fraud? 

Account takeover fraud is a form of identity theft. It involves a criminal taking over a customer’s account without their permission. 

In committing ATO fraud, a criminal actor will go through two steps. First of all, the fraudster will gain access to the victim’s account. They will usually achieve this by using stolen account information or information that has been sold to them.

Once a fraudster has gained access to an account, they will then make a series of non-monetary changes to the account. These include:

• Changing the victim’s personally identifiable information
• Requesting a new card
• Adding an authorized user
• Changing the password

After the fraudster has completed these steps, they are then able to make a series of unauthorized transactions that appear legitimate. Alternatively, they may sell the confirmed account or the customer’s data to someone else.

When ATO fraud has occured, it can be difficult for the customer to reclaim the account without suffering a financial loss. The relationship between the customer and the business involved may also be irrevocably damaged.

Types of vulnerable accounts

Account takeover fraud is growing at a rapid rate. This is partly due to the fact that this type of fraud can be committed on almost any account, including:

• Bank accounts
• Credit cards
• Savings accounts
• Government benefits accounts
• Social media accounts
• Store loyalty accounts
• E-commerce accounts

The latest account takeover fraud statistics and facts

To discover more about the prevalence of account takeover fraud, we’ve taken a deep dive into the latest account takeover fraud statistics. Sadly, they show us just how common this type of fraud has become.

Online fraud attacks are growing at a faster rate than valid online financial transactions

According to recent reports, the number of online fraud attacks worldwide is growing at a more rapid rate than the number of valid online financial transactions. It’s estimated that in the first quarter of 2022, online fraud attacks rose by 233% worldwide. During the same period, the number of online transactions only increased by 65%.

Account takeover fraud is on the rise

According to a recent report, account takeover fraud increased by 90% between 2020 and 2021. Now, account takeover fraud costs an estimated $11.4 billion annually. 

Almost 1 in 4 Americans are ATO fraud victims

Almost a quarter of the American population has now experienced account takeover fraud first hand. 

At present, 22% of US adults have been victims of account takeover fraud. This equates to more than 24 million households.

Members of the public remain relatively unaware about the perils of ATO

On top of this, although account takeover attacks are now common, there are concerns that members of the public remain unaware of the threat and do not understand what it involves.

Research has shown that although 74% of individuals are aware of account takeover fraud as a potential threat, 18% are totally in the dark about what it involves, and another 9% are unsure if they have heard of it. This suggests that proper security awareness is not as prevalent as it should be.

Account takeover fraud costs huge sums of money

Estimates suggest that the average account breach costs $12,000. However, once they’ve successfully taken over an account, criminals will do everything they can to extract as much money as possible from the person involved before the breach is detected. For this reason, some account breaches cost much more. 

Repeat passwords make accounts vulnerable

60% of ATO cases now involve the use of a compromised password that has been used to protect multiple accounts.

The majority of ATO attacks originate on social media

Social media is a great tool for connecting people. However, social media accounts need to be properly protected and users must put adequate security precautions in place. Estimates now suggest that 51% of all account takeover attacks originate via social media. This is followed by bank accounts (32%), which are the second-highest reported takeover targets.

Almost one third of customers would stop using a website if their account was hacked

28% of customers say that if their account was successfully hacked then they would close their account. This means that if your business allows ATOs to occur, then the damage to your bottom line could be catastrophic.

Added to this, when news about the ATO leaks, it’s likely that this will cost your company future customers. This is because the stigma of a successful hack will push people towards your competitors instead.

More than 60% of ATO attacks target e-commerce accounts

Although ATOs can affect a wide variety of accounts, the majority of attacks target e-commerce accounts. This is because these accounts present cybercriminals with the opportunity to quickly profit.

In a survey of people who had their e-commerce account hacked, 37% of people said that money was extracted from their account following a successful hack. Meanwhile another 37% saw their account’s rewards and credits siphoned off through illegitimate purchases or other means. For many others, sensitive payment information was taken and leveraged for purchases either on the same website or elsewhere.

Account takeover attacks will soon overtake malware attacks as the number one concern for businesses

Account takeover and credential stuffing attacks rose significantly in both 2020 and 2021. Due to this, concern surrounding account takeover has also increased. As a result, ATO attacks are poised to overtake malware as the number one concern for businesses and customers.

The top five areas of concern are currently:  

1. Malware (viruses, worms, and Trojans)
2. Account takeover/credential abuse attacks
3. Ransomware
4. Phishing/spear-phishing attacks
5. Attacks on brand and reputation in social media and on the web

Personally identifiable information harvesting is the number one threat faced by web apps

Personally identifiable information (PII) harvesting is now the number one threat faced by web apps. This method involves embedding malicious code in vulnerable JavaScript that captures personal data when users fill out a form.

As criminals have become more sophisticated, they have been able to run PII harvesting attacks without detection. Using these methods, they can now access user accounts, strengthen phishing attacks, steal identities, and perform other malicious activities.

As a result, 46.6% of those in the space believe that PII harvesting is the number one threat facing cyber apps. This is a 7% increase when compared with 2021.  

COVID-19 has created more opportunities for fraud

COVID-19 has fundamentally impacted the way that customers interact with businesses. The pandemic forced a number of businesses to move online, and now customers are demanding a seamless experience from these companies.

Due to this, these businesses have adopted digital wallets, contactless payment options, and new payment methods. However, because many of these businesses were unprepared for these changes, they’ve inadvertently left vulnerabilities in the system that are easy for fraudsters to exploit.

Now, 81% of fraud professionals feel that digital transformation efforts that were introduced in response to COVID-19 have created vulnerabilities that fraudsters can exploit.

Customer identity is the number one target for cyber attackers

Unsurprisingly, the latest account takeover fraud statistics also show that the percentage of people who are concerned about PII harvesting, credential stuffing, and ATO have all increased since 2021. This is because these attacks all have something in common: they involve the theft and fraudulent use of identity.

Smart criminals are carrying out attacks while hiding behind a legitimate identity as this provides them with numerous opportunities to commit fraud. Due to this, customer identity is now the number one target for cyber attackers.

Companies are slow to adapt to emerging risks

As organizations continue to grow and more of the world moves online, each organization’s attack surface continues to expand. However, research shows that although businesses are aware of the risks posed by moving online and the fact that malware, PII harvesting, credential stuffing, and ATO are areas for concern, the adoption of security tools to manage these risks remains low.

However, the good news is that website decision makers say that they’re trying to get their security infrastructure back on track. According to the data, 39.8% of organizations are considering purchasing a bot management solution. These solutions help defend web and mobile apps and APIs from the many types of attacks that utilize bot networks, including ATO, content scraping, and inventory hoarding.

How can you prevent account takeover fraud?

For businesses, preventing account takeover fraud can be tricky. This is because the activities that are associated with account takeover fraud occur hundreds of times a day and the vast majority of these customer-initiated account management actions are legitimate. The challenge for businesses is to work out which of these actions aren’t legitimate and are instead linked to account takeover fraud.

To do this, businesses must put the right processes and tools in place. These can help them differentiate between real customers and fraudsters. After all, if a business is unable to identify fraudsters in real time, the losses can quickly mount. This is because when a customer experiences account takeover fraud, they usually hold the company responsible for any lenient security measures that allowed the fraudster to access their account. However, at the same time, customers are easily frustrated when small requested changes result in excess scrutiny and become a hassle.

Due to this, businesses must find a balance between implementing adequate security and providing a seamless customer experience. The best way of achieving this is by verifying the identity of a user before they’re allowed to create an account and then authenticating a user each time they wish to make a change to their account.

By employing the use of identity verification software to help onboard a customer, a business can make the verification process swift, efficient, and accurate. In fact, with a piece of software like ours, a customer’s identity can be verified in as little as six seconds.

Then, when the customer wishes to make a change to their account, you can employ the use of a biometric authentication solution. This way, you can secure accounts, data access, and transactions.

The process is as fast and easy as taking a selfie. Thanks to powerful automation, a customer’s identity can be authenticated in as little as one second. Plus, we offer 99.99% accuracy and 99% of users are authenticated on their first try. This means that as well as keeping a customer’s data safe, you can also make the authentication process simple and seamless.

Speak with the fraud prevention experts at Veriff

As the latest account takeover fraud statistics show, crime is on the rise. The quicker your business responds to the associated threats and secures its accounts, the more trust it will build with its customers. So, take a step beyond passwords and one-time passcodes to secure your customer accounts today.

Speak with the fraud prevention experts at Veriff to discover how our class-leading solutions can help your business prevent account takeover fraud. We’d love to provide you with a personalized demonstration that shows exactly how we can help you.