SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Overcoming the threat of account takeover fraud
Mon, 11th Mar 2024

Of all the tactics used by cybercriminals seeking financial gain, one that’s growing rapidly in popularity is account takeover (ATO) fraud. ATO fraud is a form of identity theft in which a criminal takes over a legitimate online account and poses as its real owner. The criminal is then able to carry out fraudulent transactions and potentially steal personal details.

The techniques used to undertake ATO fraud are many and varied. They include the use of credential-stuffing and password-cracking tools, phishing emails, and social engineering schemes. When combined with personally identifiable information (PII) available on the dark web, these techniques can be alarmingly effective.

Recent research conducted by digital fraud management company Sift found that ATO attacks increased by more than 350% year on year in 2023. Nearly a fifth (18%) of those surveyed said they had experienced at least one ATO attack. The research also found that a majority of consumers (73%) believe the brand they are interacting with is accountable for ATO attacks and responsible for protecting their account credentials. Concerningly, fewer than half (43%) of ATO victims said they had been notified by the company that their information had been compromised.

The progression of an attack

ATO attacks typically follow three steps. First, the cybercriminal gains access to a victim's account, usually with compromised credentials obtained through a phishing campaign or through a technique such as credential stuffing.

The criminal is then likely to begin with small, non-monetary changes to account details, such as requesting a new debit or credit card, adding an authorised user, or simply changing the password.

Once these changes have gone through, the cybercriminal is free to move on to financial and other transactions. Victims' accounts may hold saved payment information, additional PII or rewards points, which can be used for money transfers, large purchases, taking out loans in the victim's name and taking over further accounts.

Because attacks can go undetected for months, cybercriminals are able to remain active. If the target is a bank account, funds can be transferred to other accounts or used to make purchases on e-commerce sites.

Beyond financial gain, other motivations for ATO attacks include collecting data about the victim's family, friends and colleagues to support further attacks. Criminals may also seek healthcare and other sensitive information for extortion or to cause reputational damage.
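The three-step progression above maps directly onto something a fraud team can hunt for in account-activity logs. The following Python is an added example, not code from the article or from Sift: it runs over a constructed event log and flags accounts where a login from a never-seen device is followed, from that same device and within a time window, by sensitive non-monetary changes and then a monetary action. The event names, the 72-hour window and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Sensitive non-monetary changes (the "small changes" step) and the
# monetary actions that follow them in the progression described above.
SENSITIVE_CHANGES = {"password_change", "change_email",
                     "add_authorised_user", "request_new_card"}
MONETARY_ACTIONS = {"transfer", "purchase", "loan_application"}
EVENTS = [  # constructed sample log: (timestamp, account, event_type, device_id)
    ("2024-03-01T09:00", "alice", "login", "dev-A"),
    ("2024-03-01T09:05", "alice", "purchase", "dev-A"),
    ("2024-03-03T22:10", "alice", "login", "dev-Z"),           # never-seen device
    ("2024-03-03T22:14", "alice", "change_email", "dev-Z"),
    ("2024-03-03T22:20", "alice", "add_authorised_user", "dev-Z"),
    ("2024-03-04T08:30", "alice", "transfer", "dev-Z"),
    ("2024-03-02T10:00", "bob", "login", "dev-B"),
    ("2024-03-02T10:02", "bob", "password_change", "dev-B"),   # known device: benign
    ("2024-03-02T10:10", "bob", "transfer", "dev-B"),
    ("2024-03-01T12:00", "carol", "login", "dev-C"),
    ("2024-03-05T12:00", "carol", "login", "dev-Q"),           # new device, but no
    ("2024-03-05T12:03", "carol", "transfer", "dev-Q"),        # prior account changes
]

def detect_ato_progression(events, window_hours=72):
    """Flag accounts where a never-seen-device login is followed, within window_hours
    and from that device, by a sensitive change and then a monetary action."""
    events = sorted(events, key=lambda e: e[0])   # ISO timestamps sort as text
    known = defaultdict(set)   # devices already seen per account
    active = {}                # account -> in-progress suspect chain
    findings = {}              # account -> chain of event types that matched
    for ts, acct, kind, device in events:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        if kind == "login":
            # The first device ever seen on an account is the baseline, not a suspect.
            if known[acct] and device not in known[acct]:
                active[acct] = {"start": t, "device": device, "changes": []}
            known[acct].add(device)
            continue
        chain = active.get(acct)
        if chain is None or device != chain["device"]:
            continue
        if t - chain["start"] > timedelta(hours=window_hours):
            del active[acct]                       # chain went stale
        elif kind in SENSITIVE_CHANGES:
            chain["changes"].append(kind)
        elif kind in MONETARY_ACTIONS and chain["changes"]:
            findings[acct] = ["login:" + device] + chain["changes"] + [kind]
            del active[acct]
    return findings
```

Calling `detect_ato_progression(EVENTS)` returns only alice's chain; bob's password change from a long-known device and carol's new-device transfer without preceding account changes are left alone, which keeps the rule from paging on routine activity.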
 
Increasing use of AI

Recent developments in artificial intelligence (AI) are rapidly changing the fraud landscape, as both attackers and those who fight to stop them are using AI tools to be more effective.

Cybercriminals are using generative AI to create more accurate and convincing social engineering campaigns at a large scale by developing phishing emails, scam texts, and scripts. Generative AI can also be used to create realistic voice and video fakes and may be utilised to fake identities and identity documents in an attempt to bypass identity proofing.

At the same time, security teams are using the same technological advances, including LLMs, to build more accurate AI models for fraud detection and fraud analytics.

Achieving effective ATO fraud protection

Protecting personal data and accounts from cybercriminals requires a joint effort by both individuals and businesses.

Individuals need to be aware of the threat and take steps to reduce the chances of becoming a victim. This can include carefully guarding personal credentials from phishing attacks, phone scams and other cyberattacks.

It is important to use unique, complex passwords for each online service or resource used. It’s also prudent to check that Wi-Fi networks are secure and that public networks are avoided when accessing business and personal accounts.
 
At the same time, businesses need to be proactive in their efforts to reduce account takeovers while also making sure they don't frustrate legitimate users with endless verification steps. A strategy of combining identity and access management (IAM) solutions with fraud detection tools can stop criminals before they can access user accounts.
 
Additionally, adding two-factor authentication (2FA) or multi-factor authentication (MFA) gives businesses an added layer of security that prevents cybercriminals from using compromised credentials alone to access accounts. 2FA and MFA require users to present an additional form of authentication to prove their identity; a fraudster holding only the stolen password does not possess it, so access is denied.

Identity verification or proofing is another security tool that businesses can deploy to ensure a user's digital identity is tied to their real-life identity. Businesses can choose to deploy an identity verification step for high-risk or high-value transactions to further reduce the chance of fraud.
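One way to combine the IAM signals, MFA and the graduated identity-verification step described above, as an added example that is not from the article or any named vendor: a policy function that lets everyday activity through without friction, asks for MFA when a single risk signal appears, and reserves identity verification for high-value transactions on an account showing the takeover pattern (new device plus recent sensitive changes). The thresholds, field names and sample states are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed thresholds (not from the article): what counts as high-value, and how
# long after a sensitive account change a transaction is still treated as risky.
HIGH_VALUE = 1000.0
CHANGE_COOLDOWN = timedelta(hours=48)

@dataclass
class Session:
    device_known: bool    # device previously seen on this account (IAM signal)
    mfa_verified: bool    # a second factor was already presented in this session

@dataclass
class AccountState:
    last_sensitive_change: Optional[datetime]   # password, contact, card or payee change

def step_up_decision(amount, now, session, account):
    """Return 'allow', 'require_mfa' or 'require_identity_verification'.
    Risk signals stack: one signal costs the user an MFA prompt, while the
    strongest check is kept for high-value transactions on an account that
    shows the takeover pattern (new device plus a recent sensitive change)."""
    risk = 0
    if not session.device_known:
        risk += 2
    if (account.last_sensitive_change is not None
            and now - account.last_sensitive_change < CHANGE_COOLDOWN):
        risk += 2
    if amount >= HIGH_VALUE:
        risk += 1
    if risk == 0:
        return "allow"
    if risk >= 3 and amount >= HIGH_VALUE:
        return "require_identity_verification"
    return "allow" if session.mfa_verified else "require_mfa"

# Constructed sample states for a quick check (not real account data).
NOW = datetime(2024, 3, 4, 8, 30)
QUIET = AccountState(last_sensitive_change=None)
RECENT = AccountState(last_sensitive_change=NOW - timedelta(hours=10))
OLD = AccountState(last_sensitive_change=NOW - timedelta(days=30))
```

A known device paying a small amount on an untouched account is allowed outright, whereas a large transfer from a new device ten hours after the e-mail and authorised-user changes is routed to identity verification rather than to a second factor that may already have been phished.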
 
The threat of ATO fraud is real and growing. For this reason, it is important that both individuals and businesses take every possible step to strengthen their resilience.