LibraryFraud centerFraud NewsDeep dive: exploring the latest account takeover fraud statistics [2024]

Deep dive: exploring the latest account takeover fraud statistics [2024]

Account takeover fraud can cause serious problems, making it difficult for customers to reclaim their accounts without suffering a financial loss. To make matters worse, the relationship between the customer and the business could be irrevocably damaged. 

Header image
Chris Hooper
Director of Content at
March 20, 2024
Fraud Prevention
On this page
What is account takeover fraud?
Types of vulnerable accounts
The latest account takeover fraud statistics and facts
Customer identity is the number one target for cyber attackers
Companies are slow to adapt to emerging risks
Taking action against account takeover fraud
How Veriff helps with recovery from ATO fraud

What is account takeover fraud?

Account takeover fraud (ATO) is when fraudsters gain access to a customer’s account without their permission, a type of identity theft. Any online account can be targeted, with the potential for huge financial damage. 

In committing ATO fraud, a criminal actor will go through two steps. First, the fraudster gains access to the victim’s account by deploying stolen account information or information they’ve bought.

Once a fraudster has gained access, they will make non-monetary changes to the account. These include:

  • Changing the victim’s personally identifiable information,
  • Requesting a new card
  • Adding an authorized user
  • Changing the password

The fraudsters can then make a series of unauthorized transactions that appear legitimate. Alternatively, they may sell the confirmed account or the customer’s data to someone else.

Utilizing these illicitly obtained credentials on a large scale constitutes credential stuffing. Credential stuffing is one of the most common techniques for taking over user accounts. Credential stuffing is dangerous to consumers and enterprises because of the ripple effects of these breaches. One of the other challenges is the common practice of users utilizing identical passwords and usernames/emails across multiple platforms. If these credentials are compromised through means such as a database breach or phishing scheme, inputting these stolen credentials into numerous other websites can potentially grant an attacker access to those accounts as well.

Types of vulnerable accounts

Account takeover attacks are growing at a rapid rate. This is partly because this type of fraud can be committed on most types of accounts, such as: 

1) Checking or current accounts

2) Credit cards

3) Deposit or savings accounts

4) Government benefits accounts

5) Social media accounts

6) Store loyalty accounts

7) Ecommerce accounts

8) Gaming accounts

Some of these account types are a growing focus for fraudsters for obvious reasons, notably the potential for financial gain. Take ecommerce, for instance: the Veriff Identity Fraud Report 2024 recorded a 40% increase in net fraud in 2023 compared to 2022, rising from 12.4% to 17.4%. Or look at bank accounts, credit cards, and store loyalty accounts. According to the report, the payments area generally saw a rise from a 4.07% net fraud rate in 2022 to 6.28% in 2023, a leap of 54%.

The latest account takeover fraud statistics and facts

To discover more about the prevalence of account takeover fraud, we’ve taken a deep dive into the latest account takeover fraud statistics. Sadly, they show us just how common this type of fraud has become.

Online fraud attacks are growing at a faster rate than valid online financial transactions

According to recent reports, the number of online fraud attacks worldwide is growing at a faster rate than the number of valid online financial transactions. It’s estimated in the Cybersecurity Market Review that in the first quarter of 2022, online fraud attacks rose by 233% worldwide. During the same period, the number of online transactions only increased by 65%.

Account takeover fraud is on the rise

In 2024, the payments sector will face elevated levels of risk, increased regulatory oversight, and substantial shifts in international standards. According to the Federal Trade Commission data, instances of fraud and scams, including account takeover (ATO) scams, rose by 49 percent compared to 2021, resulting in consumers losing nearly $8.8 billion. Concurrently, consumers anticipate that payment service providers will safeguard them and provide reimbursement in case of fraud. Consequently, safeguarding against fraud has become imperative for maintaining the integrity of payment systems, enhancing the customer experience, and shielding companies from reputational harm.

But what do account takeover statistics tell us about this type of fraud? And how common is the crime? A study by Javelin Strategy & Research reveals a significant surge in traditional identity fraud losses in 2021, reaching $24 billion USD, a 79% increase over 2020. This resulted in over 15 million adults in the United States being impacted. The study highlights criminals' use of virtual attack vectors such as bots and malware. Identity fraud scams added another $28 billion in losses, victimizing an additional 27 million U.S. adults. Major shifts in fraud tactics were observed, including a 109% increase in new account fraud and a 90% rise in account takeover losses. The average per-victim loss from traditional identity fraud increased to $1,551, with victims spending an average of nine hours resolving issues. Consumers expressed significant expectations for anti-fraud measures from financial institutions. Experts stress the need for institutions to adapt and enhance fraud prevention efforts to combat the evolving landscape of identity fraud.

Almost 1 in 4 Americans are victims of ATO fraud

According to the latest cybersecurity statistics by Spy Cloud, 22% of US adults have been victims of account takeover fraud. This equates to more than 24 million households.

How much does an account takeover cost? 

News about the ATO leaks will likely cost your company future customers, with the stigma pushing people towards your competitors. Account takeover assaults can incur substantial expenses. In a survey of 100 IT executives conducted by Arkose Labs, most indicated that ATO attacks could result in expenses ranging from $50 to over $200 per occurrence. Multiplying into the thousands represents a significant financial burden for companies.

ATO attacks target ecommerce accounts

Although ATOs can affect various accounts, most attacks target ecommerce accounts. This is because these accounts present cybercriminals with the opportunity to profit quickly. According to the ATO in Retail Report, a higher % of retail businesses, at 29%, consider ATO their primary risk, with 72% placing it within their top three concerns compared to other industries. Despite experiencing fewer average attacks than different groups, ATO remains the leading risk for a significant percentage of fashion retailers, with 32% ranking it at the top, nearly 10% above the survey's overall average.

Key ATO attack vectors to watch in 2024

ATO attacks are poised to overtake malware as the number one concern for businesses and customers. Research from Sift's Q3 2023 Digital Safety and Trust Index indicates a significant increase in Account Takeover (ATO) attacks, surging by a staggering 354% compared to the previous year. Nearly one-fifth (18%) of respondents reported being victims of ATO attacks, with 62% of these incidents occurring within the past year. Moreover, over 34% of those affected encountered fraud multiple times, often while engaging in digital subscriptions, online shopping, and financial services. Adding to the concern, global fraud losses are forecasted to rise by 20% compared to the previous year, posing substantial economic consequences for merchants and consumers by the end of 2023.

According to the statistics by Auth Signal, the top three areas of concern are currently:  

Session hijacking

In the past year, session hijacking has emerged as one of the most widespread attacks, impacting numerous prominent platforms. The method is straightforward: the session appears highly trustworthy after a legitimate user authenticates with an application and obtains a session token or cookie, which may involve two-factor or multi-factor authentication for added security. This privileged and often enduring session becomes a valuable target for cybercriminals to seize and exploit. By gaining control, they obtain unfettered access to sensitive data or the ability to initiate a bank withdrawal or extract personally identifiable information (PII) like birthdates, addresses, and transaction histories.

Credential stuffing / Password cracking

Credential stuffing refers to the automated insertion of pilfered username and password combinations ("credentials") into website login portals with the intention of illicitly accessing user accounts. This well-established ATO attack method remains cost-effective and continues to achieve high success rates. These attacks have swiftly evolved to bypass security measures such as bot protection CAPTCHAs by utilizing advanced credential-stuffing bots.

These newer bots capitalize on the user-unfriendly experience caused by challenging CAPTCHA puzzles. In specific scenarios, they orchestrate attacks that subject all users, including legitimate ones, to endless CAPTCHA challenges, compelling platforms to lower their security thresholds to mitigate the impact on genuine customers. Other tactics involve effortlessly solving CAPTCHAs using generative AI and executing gradual, inconspicuous attacks that remain below the thresholds, triggering security countermeasures.

One-time password (OTP) code phishing

OTP code phishing is an advanced type of phishing that involves attempts by hackers to acquire the temporary authentication codes commonly utilized in two-factor authentication (2FA) systems. In contrast to conventional phishing, which usually targets login credentials like usernames and passwords, OTP phishing centers on intercepting or tricking users into disclosing their time-limited codes.

Customer identity is the number one target for cyber attackers

Unsurprisingly, the latest account takeover fraud statistics show that the percentage of people concerned about PII harvesting, credential stuffing, and ATO have all increased since 2021. These attacks all have something in common: they involve the theft and fraudulent use of identity.

Smart criminals carry out attacks while hiding behind a legitimate identity, providing numerous opportunities to commit fraud. This means customer identity is now the number one target for cyber attackers.

Companies are slow to adapt to emerging risks

As organizations grow and more of the world moves online, each organization’s attack surface continues to expand. However, research shows that although businesses are aware of the risks posed by moving online and that malware, PII harvesting, credential stuffing, and ATO are areas for concern, the adoption of security tools to manage these risks remains low.

However, the good news is that website decision-makers say they’re trying to get their security infrastructure back on track. According to the data, 39.8% of organizations are considering purchasing a bot management solution. These solutions help defend web and mobile apps and APIs from the many attacks that utilize bot networks, including ATO, content scraping, and inventory hoarding.

Taking action against account takeover fraud

For businesses, preventing account takeover fraud can be tricky. This is because the activities that are associated with account takeover fraud occur hundreds of times a day, and the vast majority of these customer-initiated account management actions are legitimate. The challenge for businesses is to work out which of these actions aren’t legitimate and are instead linked to account takeover fraud.

To do this, businesses must put the right processes and tools in place. These can help them differentiate between real customers and fraudsters. After all, if a business is unable to identify fraudsters in real time, the losses can quickly mount. This is because when a customer experiences account takeover fraud, they usually hold the company responsible for any lenient security measures that allow the fraudster to access their account. However, at the same time, customers are easily frustrated when minor requested changes result in excess scrutiny and become a hassle.

Businesses must find a balance between implementing adequate security and providing a seamless customer experience. The best way to achieve this is by verifying the identity of a user before they’re allowed to create an account and then authenticating a user each time they wish to make a change to their account.

By employing the use of identity verification software to help onboard a customer, a business can make the verification process swift, efficient, and accurate. In fact, with a piece of software like ours, a customer’s identity can be verified in as little as six seconds.

When the customer wishes to make a change to their account, you can employ a biometric authentication solution. This way, you can secure accounts, data access, and transactions. The process is as fast and easy as taking a selfie. Thanks to powerful automation, a customer’s identity can be authenticated in as little as one second. In addition to keeping a customer’s data safe, you can also make the authentication process simple and seamless.

How Veriff helps with recovery from ATO fraud

Stopping ATO fraud means both preventing it from happening and detecting suspicious activity so that you can intervene before a criminal takes hold of an account.

With the help of our solutions, you can manage user access and keep your business safe without damaging customer retention. You can also ensure that you know your customers are who they say they are.

When it comes to customer onboarding, our identity verification platform helps you meet your regulatory compliance requirements. 

Once your customer has created their account, you can secure it with the help of our biometric authentication solution. This solution uses powerful automation to verify customers and ensures your business is no longer reliant on passwords and one-time passcodes, which can be intercepted by fraudsters.

Instead, it confirms that a returning user is who they’re claiming to be with the use of a selfie, which is compared to a previously verified biometric template. It is checked for liveness and realness. The solution is fully automated and a decision is provided in less than 1 second.

By replacing passwords with biometric authentication processes, Veriff can help prevent a fraudster using stolen/compromised information from accessing a customer's account. you can stop hackers from stealing customer information and ensure that even if a customer’s data is compromised, a fraudster cannot access their account. Veriff’s Biometric Authentication solution uses advanced AI and facial biometric analysis to swiftly and securely authenticate users, granting instant access to products and services. This fast and fully automated process can be integrated into any stage of the user journey, such as account access, high-risk activities, or account recovery.

Download report now

Get all the latest global identity fraud data and insights you need to keep your business safe