
Account takeover (ATO) incidents have surged, posing a significant threat to companies across all industries, with sixty-two percent of businesses reporting that they’re losing more money to ATO fraud than in the past — and by 2028, an estimated $91 billion will be lost to ATO fraud.
ATO fraud leads to financial losses and damages a company's reputation, eroding customer trust. Businesses must consider implementing a fraud prevention solution to detect and prevent account takeover attacks. In this post, I'll cover what account takeover fraud is, how it works, and ways businesses can detect and prevent ATO attempts.
What is account takeover fraud?
Account takeover (ATO) fraud occurs when an unauthorized party gains access to a user's online account, often through stolen login credentials. This breach compromises personal and financial information, enabling the attacker to conduct fraudulent activities under the guise of the legitimate account holder.
How fraudsters take over accounts
Understanding fraudsters' sophisticated strategies to execute account takeovers is crucial for developing an effective defense. Let's take a step-by-step look at how they execute a successful ATO attempt.
Gaining access to login credentials
Attackers use a variety of methods to trick victims into revealing personal information. Some examples include:
- Brute force attacks, in which fraudsters use automated programs to try numerous passwords in a short period of time, hoping to hit the right one. This approach is especially effective against accounts with weak or re-used passwords, and against businesses that don't implement additional security measures such as account lockout policies or multifactor authentication (MFA).
- Phishing for information through deceptive emails or text messages that send users to fake websites, where they then enter their login credentials.
- Credential stuffing, where fraudsters take stolen login details from a data breach and try accessing other websites using the information. (This is another reason why you should never re-use passwords across different services.)
- Malware that can spy on your computer activity, including keystrokes, to steal passwords or even gain total control of your system.
- Social engineering to manipulate people into spilling secrets or breaking security rules. (One example is SIM swapping, where fraudsters trick customer service representatives into transferring your number to a SIM card they control.)
- Exploiting data breaches to access vast amounts of login details exposed from insecure databases, which sets the stage for widespread account takeover fraud.
Maintaining control & covering tracks
Once an account takeover attack is successful, fraudsters often change account passwords and security questions to lock out the legitimate user while evading detection through methods such as using a VPN. They may also use sophisticated browser tampering techniques that make the attacker appear identical to the authentic user from the site’s perspective. These techniques ensure they can continue exploiting the compromised accounts undetected.
How do account takeover attacks impact business?
For customers, dealing with an ATO attack is incredibly stressful and can be time-consuming. It could be days or weeks before they get refunded for unauthorized purchases or regain access to their compromised accounts. But repercussions extend beyond just individual victims.
Compromised accounts damage brand reputation & impact the bottom line
Financial loss is just one negative fallout of ATO fraud. Companies that fail to protect their customers also suffer from reputational damage and broken customer trust, which can take a long time to recover from, potentially further impacting future revenues.
As we covered in a previous blog post, the financial and legal consequences of an account takeover attack can be substantial. For example:
- Marriott, which suffered an undetected data breach from 2014-2018, unknowingly exposed the personal and payment details of up to 500 million guests. The attack led to multiple lawsuits, on top of a $23.8 million GDPR fine.
- More recently, Snowflake made the news when the company shared that data from roughly 400 organizations had been compromised. At the time of this writing, Snowflake is facing an ongoing class-action lawsuit. Customers affected include well-known names like AT&T, Santander Bank, and Ticketmaster.
- MGM lost an estimated $84 million in revenue and spent an additional $10 million in consulting and legal fees after attackers obtained employee credentials that gave them widespread access to MGM systems, where they were able to tamper with resort operations for several days before MGM regained control.
How to spot signs of ATO fraud
Being able to quickly identify account takeover attempts is critical for businesses to prevent or mitigate potential damage. Some red flags to keep an eye out for include:
- Unusual account activity. Unusual activity that may indicate an account takeover attempt includes multiple failed login attempts, dozens of login attempts per second against different accounts, sudden changes to account details, and login attempts from a location far from the one associated with the user's usual IP address.
- Abnormal transaction patterns. Transactions that significantly deviate from a user’s typical behavior, such as a number of high-value transactions in a short period of time or making purchases in unusual locations, can indicate that an account may be compromised.
- Multiple account lockouts. When a large number of users report being locked out of their accounts within a short timeframe, it could be a sign of a large-scale ATO attack attempt.
- Impossible travel. If a user logs in from one country and then logs in from another country thousands of miles away just minutes later, it could indicate VPN usage — or unauthorized access.
- Bot activity. Bot-driven ATO attacks are on the rise, with a 10% year-over-year increase in 2023. Look for anomalies like spikes in traffic, high bounce rates and short sessions, or strange patterns in your analytics.
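The first two red flags above can be checked mechanically. The following added example (not code from the original post) runs an impossible-travel check and a credential-stuffing burst check over a constructed set of login events; the 1,000 km/h speed threshold, 60-second window and 20-account count are assumed tuning values.

```python
import math
from collections import defaultdict
from datetime import datetime
EVENTS = [  # constructed sample login events, not real logs: (timestamp, account, source IP, result, lat, lon)
    ("2024-05-01T09:00:00", "alice", "198.51.100.7", "ok", 40.71, -74.01),  # New York
    ("2024-05-01T09:12:00", "alice", "203.0.113.9", "ok", 51.51, -0.13),    # London, 12 minutes later
    ("2024-05-01T09:30:00", "bob", "198.51.100.7", "ok", 40.71, -74.01),
    ("2024-05-01T10:00:00", "bob", "198.51.100.7", "ok", 40.72, -74.00),    # same city, plausible
] + [  # one source IP failing against 25 different accounts within 25 seconds
    (f"2024-05-01T11:00:{i:02d}", f"user{i:02d}", "192.0.2.50", "fail", 48.85, 2.35)
    for i in range(25)
]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in kilometres
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=1000.0):
    """Flag consecutive successful logins of one account that imply travel faster than max_kmh."""
    last, flagged = {}, []
    for ts, acct, _ip, result, lat, lon in sorted(events):
        if result != "ok":
            continue
        t = datetime.fromisoformat(ts)
        if acct in last:
            km = haversine_km(*last[acct][1:], lat, lon)
            hours = (t - last[acct][0]).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                flagged.append((acct, round(km), round(hours * 60)))  # (account, km, minutes apart)
        last[acct] = (t, lat, lon)
    return flagged

def stuffing_bursts(events, window_s=60, min_accounts=20):
    """Flag a source IP whose failed logins hit many distinct accounts inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, acct, ip, result, *_ in sorted(events):  # sorted, so each IP's list is in time order
        if result == "fail":
            by_ip[ip].append((datetime.fromisoformat(ts), acct))
    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            hit = {a for _, a in fails[start:end + 1]}
            if len(hit) >= min_accounts:
                alerts.append((ip, len(hit)))
                break
    return alerts
```

Both functions return the evidence (account, distance, minutes; source IP, account count) so an alert can carry it to the analyst rather than just a boolean.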
Why is account takeover protection important?
ATO attacks are a major issue that is growing worse every year — and it will likely accelerate as AI-powered tools make ATO attacks easier to attempt and scale, even with little hacking knowledge. According to Abnormal Security's 2024 State of Cloud Account Takeover Attacks report, 83% of businesses suffered account takeover attacks in the year prior. Per Javelin Strategy & Research, account takeover attacks cost consumers $13 billion in 2023.
By implementing account takeover detection and prevention measures, businesses protect their reputation and maintain customer trust and loyalty, in addition to avoiding potential financial losses and expensive lawsuits.
7 ways to prevent account takeover fraud
Preventing account takeover fraud requires a multi-faceted approach. Here are seven suggested prevention strategies that, when used together, can be very effective in reducing successful ATO attacks.
1. Implement strong password policies
Enforcing robust password policies, including mandating complex passwords that combine letters, numbers, and symbols, and requiring regular updates, significantly reduces the risk of unauthorized access by making it harder for attackers to guess or crack passwords. Even better, use password breach checks to block credentials known to have been compromised elsewhere.
2. Set rate limits on login attempts
Implementing rate limiting on login attempts restricts the number of guesses an attacker can make within a given timeframe, significantly reducing the effectiveness of brute force attacks to crack passwords. This security measure deters attackers by increasing the time and effort required to breach accounts, protecting user accounts from being compromised.
3. Use advanced authentication methods
Advanced authentication methods, such as multi-factor authentication (MFA), hardware security keys, push notifications, and app-based authentication, introduce an additional layer of security by requiring users to provide two or more verification factors to gain access.
This significantly reduces the risk of account takeovers, even if a password is compromised, by ensuring only the legitimate user can authenticate through something they know, have, or are.
4. Set up multi-layered authentication controls
- Step-up authentication: Require extra checks, like email verification or biometric approval, for high-risk actions or when a new device is detected.
- Device binding: Associate user accounts with specific trusted devices and require extra verification for new devices.
- Geolocation verification: Flag authentication attempts from unusual locations, especially when combined with device changes.
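Added example of how the three controls above combine into one allow-or-step-up decision; this is illustrative code, not Fingerprint's or the original post's. `device_id` stands for whatever stable device identifier the site has, and the high-risk action list, the first-login enrolment rule and the per-country location check are assumptions.

```python
from dataclasses import dataclass, field

HIGH_RISK_ACTIONS = {"change_password", "change_email", "add_payee", "withdraw"}  # constructed list

@dataclass
class AccountState:
    """What the authentication service remembers per account (constructed, in-memory)."""
    trusted_devices: set = field(default_factory=set)   # device IDs that have passed a step-up
    usual_countries: set = field(default_factory=set)   # countries seen on trusted devices

def decide(acct, device_id, country, action="login"):
    """Return ("allow", []) or ("step_up", reasons) for one request on an account."""
    reasons = []
    new_device = device_id not in acct.trusted_devices
    if new_device:
        reasons.append("unrecognised device")
    if acct.usual_countries and country not in acct.usual_countries:
        # a location change on top of a device change is the strongest of the three signals
        reasons.append("unusual country" + (" on a new device" if new_device else ""))
    if action in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action: {action}")
    return ("step_up", reasons) if reasons else ("allow", [])

def complete_step_up(acct, device_id, country):
    """Called only after the extra factor succeeds: bind the device and learn the location."""
    acct.trusted_devices.add(device_id)
    acct.usual_countries.add(country)

def scenario():
    """Walk one account through enrolment, a routine login, and two risky requests."""
    acct = AccountState()
    out = [decide(acct, "dev-A", "US")]                       # first ever login: unknown device
    complete_step_up(acct, "dev-A", "US")
    out.append(decide(acct, "dev-A", "US"))                   # routine login from the bound device
    out.append(decide(acct, "dev-A", "US", "change_email"))   # trusted device, sensitive action
    out.append(decide(acct, "dev-B", "BR"))                   # new device and new country at once
    return out
```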
5. Sandboxing
Sandboxing isolates potentially malicious activities within a secure, controlled environment, preventing attackers from accessing or compromising critical systems and sensitive data during an account takeover attempt. This containment strategy ensures that any threat posed by suspicious code or applications is neutralized before it can inflict damage or breach security parameters.
6. Give users more transparency into account security
Giving users visibility into account security events helps catch suspicious activity before it escalates, reducing the risk of full-blown fraud cases. For instance, you can show them recently used devices that have accessed their account, making it easy to spot an intruder. It’s also recommended to keep them updated on account activity like new device logins, failed MFA attempts, or security settings changes.
7. Implement a device intelligence solution
A device intelligence platform like Fingerprint analyzes 100+ browser, network, and device signals to generate a persistent identifier for every visitor. This visitor ID remains stable even if the SIM card changes, cookies are cleared, or a VPN or private browser is used.
When credentials are already compromised in an ATO attack, device identification is one way of spotting a suspicious login. For example, device intelligence helps you identify when a login attempt comes from an unfamiliar or high-risk device, signaling that additional verification should be required before granting access. It can also provide an additional line of defense against advanced fraud techniques like SIM swapping.
Prevent ATO attacks while ensuring a seamless user experience with Fingerprint
Fingerprint’s device intelligence stands as a crucial barrier against account takeover (ATO) attacks by providing a highly stable and accurate visitor identifier. Its sophisticated device intelligence platform offers businesses an unparalleled layer of protection, minimizing the risk of fraud while enhancing user trust. Additionally, Fingerprint provides actionable insights into users’ behavior. With our Smart Signals you can detect potential bot activity, geolocation changes, jailbroken devices, and more.
Ready to stop account takeover attacks?
Learn more about how Fingerprint can help your business detect and prevent ATO attacks. Contact our sales team today for a personalized demo!
FAQ
Businesses can implement strong password policies effectively by encouraging the use of password managers for creating and storing complex passwords, and by integrating multi-factor authentication (MFA) to add an extra layer of security without significantly complicating the login process for users. This approach enhances security while maintaining user convenience by minimizing the burden of remembering multiple complex passwords.
Multi-factor authentication (MFA) and continuous biometric authentication are among the most effective advanced methods to prevent account takeovers. MFA adds an extra layer of security by requiring additional verification beyond just a password, such as a code sent to a mobile device, while continuous biometric authentication monitors unique user behaviors or physical traits continuously, ensuring that the authenticated user is still the one using the account.
To balance rate limiting on login attempts, implement a progressive delay system that increases the wait time after each failed attempt, which frustrates attackers without significantly impacting legitimate users. Additionally, offer a password reset option after a few failed attempts to help legitimate users regain access without facing excessive delays.
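An added example (not from the original post) implementing the login rate limit from prevention strategy 2 together with the progressive delay and password-reset offer described in the FAQ answer above; the doubling schedule, 300-second cap, 15-minute window and reset offer after three failures are assumed tuning values.

```python
import time

class LoginLimiter:
    """Progressive-delay login throttle (constructed example): each failure inside the window
    doubles the wait (1 s, 2 s, 4 s, ...) up to a cap; `now` is injectable for determinism."""

    def __init__(self, window_s=900, base_delay_s=1.0, max_delay_s=300.0, now=time.monotonic):
        self.window_s, self.base, self.cap, self.now = window_s, base_delay_s, max_delay_s, now
        self._state = {}  # key -> {"fails": [timestamps], "blocked_until": float}

    def _entry(self, key):
        e = self._state.setdefault(key, {"fails": [], "blocked_until": 0.0})
        t = self.now()
        e["fails"] = [f for f in e["fails"] if t - f < self.window_s]  # forget stale failures
        return e, t

    def check(self, key):  # seconds the caller must still wait (0.0 means go ahead)
        e, t = self._entry(key)
        return max(e["blocked_until"] - t, 0.0)

    def record_failure(self, key):  # returns (wait_seconds, offer_password_reset)
        e, t = self._entry(key)
        e["fails"].append(t)
        delay = min(self.base * 2 ** (len(e["fails"]) - 1), self.cap)
        e["blocked_until"] = t + delay
        return delay, len(e["fails"]) >= 3  # after a few failures, offer a reset instead of more waiting

    def record_success(self, key):
        self._state.pop(key, None)  # a correct password clears the throttle for this key

def attempt_login(limiter, key, password_ok):
    """Gate one attempt. Key on (account, source IP): per-account alone lets a single source lock
    real users out, per-IP alone misses guesses spread across many addresses."""
    wait = limiter.check(key)
    if wait > 0:
        return {"status": "throttled", "retry_after_s": round(wait, 3)}
    if password_ok:
        limiter.record_success(key)
        return {"status": "ok"}
    delay, hint = limiter.record_failure(key)
    return {"status": "denied", "retry_after_s": delay, "offer_reset": hint}

def simulate():  # deterministic walk-through with a fake clock; returns each attempt's outcome
    clock, outcomes = [1000.0], []
    lim = LoginLimiter(now=lambda: clock[0])
    key = ("alice", "198.51.100.7")  # constructed account and source IP
    for password_ok, advance_s in [(False, 0), (False, 0.5), (False, 1.0), (False, 3.0), (True, 4.0)]:
        clock[0] += advance_s
        outcomes.append(attempt_login(lim, key, password_ok))
    return outcomes
```

The second attempt in `simulate()` arrives half a second into a one-second penalty and is refused without touching the password check, which is what keeps the attacker's guess rate bounded.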