All You Need to Know About Preventing Account Takeovers

Tanya Corder, Treasury Prime's Compliance Manager, provided her insights on ATO for Unit21's new Fraud Fighters Manual
June 14, 2023
Account Takeover

This chapter is part of the Fraud Fighters Manual, a collective set of stories from Fintech fraud fighters. Download your copy of the Fraud Fighters Manual here to read the full version.

“Anyone (and everyone) is at risk for account takeover," says Tanya Corder, Compliance Manager at Treasury Prime. "Prevention is key. Look out for red flags, and take action if you have a suspicious inkling.”

In addition to fraudster types, identity fraud, and crypto fraud, another form of fraud that’s growing fast is Account Takeover (ATO).

According to the Q3 2022 Digital Trust & Safety Index by Sift, ATO grew 131% YoY from 2021 to 20221

But there are ways to detect ATO attempts and red flags you can look out for to keep you, your employees, and your users safe from this type of fraud.

We spoke to Tanya Corder, compliance manager at Treasury Prime, a platform that powers fintech organizations by providing tools to build financial services ecosystems fast. Tanya has over 10 years of experience in financial services and compliance, providing insight into suspicious activity and financial fraud.

ATO can result in dire outcomes such as misappropriated finances, reduced customer loyalty, escalated procurement expenses, and, eventually, decreased earnings. Fraud teams must adopt an end-to-end, real-time approach to outpace Account Takeovers.

What is account takeover?

ATO is a type of fraud that occurs when a bad actor gains access to someone else’s account or personal information, often for financial gain. It can happen with any kind of online account but most commonly affects social media, banking, and eCommerce sites. Bad actors are using technology to script attacks using bots. For example, they have a massive database with a combination of credentials and mass-test them across a platform.

What makes ATO particularly tricky is finding the culprits of this form of fraud. The information required to conduct an ATO is most commonly acquired through phishing, malware, data breaches, brute force attacks, or even public information. 

The 4 stages of ATO

An account takeover doesn’t happen all at once; instead, it starts small and progresses. 

Sophisticated fraudsters will be more difficult to detect as they know how to be stealthy and cover their tracks. There are four steps to a typical account takeover. The fraudster first gathers information on the account then gains access and makes small changes before finally taking off with the user’s hard-earned money. Below is a look at each step in detail:

1. Information gathering

This stage is largely invisible. The fraudsters are working behind the scenes using whatever information is available. Tanya points out that fraudsters will “gather information about their target’s email addresses, phone numbers, and social media profiles.” 

This stage can be considerable, in terms of both time and effort, especially for fraudsters working to take over business accounts. 

2. Account access 

Fraudsters often log in and make sure they can really get into the accounts before initiating any big changes. Many individuals and organizations often won’t notice this stage. 

“Fraudsters can use victims’ accounts in ways that appear normal and can get away with things for prolonged periods sometimes,” Tanya says. “It makes it difficult for victims to notice that their account has been compromised because the activity looks so normal.” 

Organizations with any kind of online account feature need to be on the lookout for suspicious account activity that suggests this stage of ATO. For example, you may see a new login from an IP or location that has never logged into that account before. 

There might be other minor signs: you might see many failed login attempts across multiple accounts on your platform, or you might notice accounts that don’t usually log in often are doing so multiple times a day. But the fraudster hasn’t yet made a big move. If users are getting unexpected password reset prompts or other unusual activity, that’s a sign that there may be fraudsters trying to access accounts.

3. Small account changes

Once bad actors know they can access the account, they will often make smaller changes to set up their fraud or cover their tracks. Unless the user on this account is on the lookout for any suspicious activity, this step is easy to miss. 

“Usually, they’ll change login details or add their own contact information,” Tanya says. For instance, fraudsters might quietly add a new person to the account or open new accounts altogether. They might also switch off notification settings so that their changes will go undetected for longer.

It’s important for the platform to keep an eye out for an increase in complaints or strange account behavior that could point toward fraud, Tanya says. “If there’s an increase in customer complaints about unauthorized access or fraudulent activity, it might be a sign that an account takeover is occurring on the platform. If there are multiple instances on the platform, it may be a sign that there’s a vulnerability in the system that is being exploited by fraudsters.”

4. The money grab

The final stage is when many people realize something is wrong after the damage has been done. New lines of credit may appear, money might vanish, or the user may be locked out of their own account entirely. 

At this stage, the victim has to play catch up to figure out what happened and how the fraudster pulled it off. The process of attempting to recover the funds is difficult and time-consuming, and it’s often impossible to recover everything lost. That’s why it’s essential to spot fraudsters before they reach this stage.

When bad actors attack your identity, they are not only after your bank account; they are after everything. They want to know where you buy your prescriptions so they can leverage health issues against you. They want to understand your full travel history so they can mimic you.

They will hack your social media along with your gym and any forums you belong to; this will give them access to more targets that usually interact with you on various platforms.

Who is at risk and why

“I think, essentially, anyone and everyone is at risk for account takeover. Anyone who uses an online account,” notes Tanya. 

That said, individuals and organizations most at risk are:

  • Populations inexperienced with technology—They’re more likely to have poor security hygiene (like using the same password repeatedly), and they’re less likely to know the signs of common forms of online fraud (for instance, suspicious emails phishing for sensitive information).
  • Small businesses—Startups and small businesses often don’t have the resources to invest in sophisticated security tools or hire dedicated security roles. This lack of resources makes business email compromise an even bigger threat for small businesses.
  • High-profile individuals or organizations—Because there’s simply more information (like birthdays) about people and organizations available to the public, there are more opportunities for fraudsters to collect information. “High-profile individuals who are well-known celebrities or public figures, they’re also at higher risk for takeovers,” Tanya says, “because their personal information is more widely available, so their accounts are more attractive targets for fraudsters.”

Tanya stresses that no matter how sophisticated and thorough an organization’s processes are for handling and protecting accounts, there’s always a possibility that ATO could happen. In the same way that security features advance and individuals learn about how to protect themselves from fraudsters, fraudsters continue to develop new schemes to gain access to accounts.

The fraud landscape is always shifting.

While the industry has gotten better, it’s a shifting landscape. Fraud teams must figure out what the next big fraud scheme is and be able to quickly and easily build monitoring rules that address these shifts.

ATO red flags

In order to protect your users and your platform, it’s important to be aware of signs that ATO may be happening. Look out for these red flags:

  • Repeated attempts of 2FA—If a user has attempted 2FA several times in a matter of minutes or seconds, it could be a malicious attempt to gain access to an account.
  • Changes in login patterns—There might be logins from unusual locations or more logins than usual. Any significant change in the patterns of a single user or multiple users could be a sign that fraudsters are gaining access to the account.
  • Disabled security features that were previously enabled—They might turn notifications off so the victim won’t be alerted when the fraudster makes changes to the account.
  • Deleted emails or other missing information—To cover their tracks, fraudsters attempting an ATO might send emails and receive emails from your accounts. 
  • Small, unexplained purchases or withdrawals—This can be a test before larger sums are taken out. If any accounts experience a series of small, unexplained purchases, that could be a fraudster preparing for bigger heists.

Keep an eye out for anything out of the ordinary, and if anything seems like a red flag, act immediately. 

How to prevent ATO

It’s important to remember that ATO is often preventable if organizations and individuals are aware of the ways account takeovers happen and are consistently looking for ways to identify and prevent these instances before they happen. 

  • Double-check any unexpected purchases or invoices with vendors by calling them on the phone instead of relying on email.
  • Stay on the lookout for any unusual account activity, especially the red flags listed above. 
  • Promote the one door, one key approach. Never use the same password for two different accounts.
  • Change passwords regularly on your accounts and encourage any users or customers to do the same.
  • Use a password manager for yourself and your organization to make generating and storing passwords simpler and more secure. 
  • Enable 2FA wherever possible.

Key takeaways

  • ATO is a type of fraud where a bad actor gains access to someone else’s account or personal information, often for financial gain.
  • ATO has four stages: information gathering, account access, small account changes, and the money grab.
  • Red flags of ATO include repeated attempts of 2FA, changes in login patterns, disabled security features, deleted emails, and small, unexplained purchases or withdrawals.
  • To prevent ATO, double-check unexpected purchases, look for unusual account activity, use a password manager, change passwords regularly, and enable 2FA wherever possible.

Anyone with an online account is at risk of account takeover fraud. 

Despite the perceived inconveniences, individuals must take a level of responsibility for following security hygiene best practices like using a password manager and implementing 2FA where possible to keep themselves and others safe from being taken advantage of. 

However, the organizations that collect and store customer information are also at risk of data breaches and can be held liable for damages associated with poor fraud prevention practices, which is why it is critical for these companies to understand how to use security tools effectively. 

This chapter is part of the Fraud Fighters Manual, a collective set of stories from Fintech fraud fighters. Download your copy of the Fraud Fighters Manual here to read the full version.

1"Q3 2022 Digital Trust & Safety Index: Account Takeover Data, Trends, and Insights.” Sift Resources, Sift, 22 Mar. 2023,

← Back to blog