Contact us


12 Signs of an Account Takeover Fraud: Detecting ATO attacks

Battling Account takeover fraud is not an easy task, but there are ways to identify potential threats. Fraudsters are continuously evolving and finding new ways to execute their attacks. Although detecting such fraud seems like a daunting task, there are some known best practices regarding account takeover fraud detection.

Battling Account takeover fraud is not an easy task, but there are ways to identify potential threats. Fraudsters are continuously evolving and finding new ways to execute their attacks. Although detecting such fraud seems like a daunting task, there are some known best practices regarding account takeover fraud detection.

Account Takeover Fraud

Account Takeover Fraud (ATO) is happening when a fraudster uses somebody else's credentials in order to gain unauthorized access to an account and uses it to their own advantage. The fraudster monetizes the account by either transferring funds, making unauthorized purchases, or selling the account data elsewhere. The main problem of this particular type of fraud is that the credentials used for taking over one account are usually used to access multiple other accounts and cause that much more damage. This makes it distinct from card-not-present fraud, where only one relationship is endangered. A more detailed overview of account takeover fraud is available in our recent blog post.

How to Spot Account Takeover Fraud?

Account takeover fraud is an emerging type of attack targeting customer's accounts with valuable information such as saved credit card data, personal information, loyalty points, etc. In this way, the fraudster is able to monetize the account by either stealing the funds or the account data and reselling it on the dark web.

Account takeover fraud isextremely harmful to the business. Not only do they cause chargebacks and ruin their chargeback rates, but they have a detrimental effect on the company's reputation and customer loyalty.

Even though we are dealing with a type of fraud that is incredibly hard to detect, we gathered best practices regarding account takeover fraud detection. Watch out for these telltale signs of an ATO attack, and protect your business and your customers.

1. Educate your customers and staff

Users and companies who have account-based websites are the prime targets for fraudsters. A common puzzle piece of an account takeover fraud is phishing. For instance, the victim receives a legitimate-looking email containing a link leading to a familiar site that requires login. The unsuspecting victim enters their credentials, while the fraudster on the other side of the screen harvests their usernames and passwords. Regularly educate both your customers and staff regarding online security threats such as this one. Be proactive about security measures and implement best practices such as regular changes of user passwords and tips on how to protect user credentials.

2. Well-informed customer support staff

Fraudsters are no strangers to contacting the call center of a company directly in order to get more information about sensitive data necessary for login. Train your staff to ask questions that are specific, i.e.,  questions that only a legitimate account holder could know the answers to.

3. Multiple accounts having the same account details

When a fraudster takes over an account, their goal is to keep it. In order to do that, they need to change specific details necessary for the account recovery process, such as email or mobile phone number. If you notice multiple accounts having the same account details listed, e.g., mobile phone number, the chances of an account takeover fraud are pretty high.

4. Monitor customer bahviour for posible account takeover fraud

By observing the account history, you are able to detect certain anomalies in customer behavior. If a user suddenly spends an amount larger than the usual or places a suspicious number of orders in a short period of time, investigate further and see if any of the account details have been recently changed. If yes, that might indicate account takeover fraud.

5. Implement backend monitoring

Another way of protecting your business and your customers is by implementing backend monitoring. Detect fraudulent activity regarding suspicious IP addresses and analyze timestamp data transfers. This enables you to identify whether a fraudster is trying to intercept any communication happening between the site form and the backend of the website.  

6. Multiple accounts – same device

Sometimes, fraudsters tend to be lazy and they don't mask their device data. They carelessly log in to multiple accounts, and the recorded activity shows the same device number, the fraudster's. Keep an eye on this one, but don't act too quickly because family members and work colleagues often share the same device. Look for more clues in order to make sure that you are witnessing legitimate account takeover fraud.


7. Pay attention to device spoofing

Staying on the same topic, there are also fraudsters who mask their device data by using device spoofing. Usually, if they implement device spoofing, the device details show up as ''unknown''. There is a pattern where the victim's accounts are usually connected to more ''unknown'' devices than legitimate ones where you are able to see the exact device model. Look out for this one!

8. Multiple IP address countries

Following a data breach, multiple user credentials are published/purchased on the dark web. That also means that fraudsters are trying to log in to the user account using that fresh information. Since they can't possibly know the exact location of each customer, they also can't match their IP address country to fit the profile. Observe accounts that have an unusually high number of IP address counties connected to them. It is a clear sign of account takeover fraud.

9. Detect credential stuffing

As mentioned earlier, a data breach results in a multitude of user credentials ending up on the dark web. When fraudsters get a hold of those credentials, they use credential stuffing in order to quickly check if any of the purchased usernames and passwords actually work. This is done through checking for both technical and behavioral tracking of bot activity.

10. Fraudster behaviour during account takeover fraud

We mentioned the necessity to track customer behavior, but if an attacker is behind the observed activity, we are talking about fraudster behavior. The (un)fortunate course of events is pretty predictable, and it is the following:

  • Account details have changed (email, mobile phone number, address, etc.)
  • Within 24h of the initial account changes, a login from a new device is visible.
  • The fraudster places an order to a new delivery address.

11. Multiple accounts changing details at once

Upon taking over an account, fraudsters tend to leave the details untouched for some time. They gained access and will take care of the rest later. But if there is a notification sent to the user, alerting them about suspicious activity, fraudsters end up in panic mode. They rush to change details such as email and password in order to keep the stolen account. Track these changes triggered by a security alert. Password reset requests might soar.

12. Look out for suspicious loyalty program activity

Loyalty points are often overlooked by legitimate users and remain untouched. But one man's trash is another man's treasure. Fraudsters often target accounts solely because of loyalty programs. Stay alert and track if there is any sudden activity involving the use of loyalty points.

Acount Takeover Fraud Detection Wrap Up

With Account takeover fraud, timing is crucial. It is extremely important to stop the attack in the earliest stage of the fraud lifecycle. By continuous monitoring of account history and customer behaviour, it is possible to detect anomalies and extract activities that do not match previous patterns. Mentioned best practices, accompanied by Strong Customer Authentication (SCA) and 3D Secure technology, promise the highest level of security.


Need help with 3D Secure? Contact us to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

Want to learn more about cybersecurity trends and industry news?



chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram