What is Account Takeover Fraud (ATO)?

Learn about account takeover fraud, how it occurs, and detection and prevention strategies from F5.

Account takeover (ATO) is the most prevalent and expensive attack targeting financial institutions, e-commerce, and other online digital services. Using automated bots and other cybercrime methods, criminals use stolen credentials to gain access and control user accounts for monetary gain or to commit fraud. The impacts of account takeover fraud are real: According to the Javelin 2022 ID Fraud Study, 22% of U.S. adults have been victims of ATO.

How it Works: Account Takeover Fraud Techniques

Account takeover fraud is the culmination of a series of cybercriminal activities, usually beginning with stolen or compromised credentials, which lead to credential stuffing attacks, which can result in the takeover of a customer’s online accounts. Once in charge, the criminal can drain the account of funds, monetize stored value, and use the account for further fraud.  

The most basic form of credential stuffing involves bot-driven brute force attacks, which submit random combinations of characters to login forms until attackers find a match for an account’s credentials.

How are credentials stolen?

More advanced credential stuffing attacks begin with valid username and password pairs that have been stolen or compromised during data breaches. Stolen credentials are easily purchased on dark web marketplaces (according to Cyber Security Hub, 22 billion data records were exposed in 2022 alone).

Credentials can also be stolen through an array of cyberattacks and other cybercrime techniques including:

  • Phishing attacks, a kind of social engineering exploit in which criminals use email, texts, or social media messages to trick people into revealing private information such as login credentials, bank account information, social security numbers, or other sensitive data.
  • Keylogging, Magecart, skimming, and other forms of client-side malware, in which bad actors steal credentials by injecting malicious scripts into online checkout forms. As the victim keys in credentials and credit card information, the script transmits the data to the attacker, who can use the information for fraud or sell it to other criminals.
  • Man in the Middle (MitM) attacks, in which attackers intercept messages or data transactions by inserting themselves as proxies between two legitimate parties engaged in data communication. This enables the attacker to “eavesdrop” on the transfer of information and data from both parties and harvest login credentials or other personal information.

Once cybercriminals have accumulated a stash of valid credentials, they can begin the credential stuffing process, often at massive scale. Because around two-thirds of consumers reuse the same usernames and passwords across multiple websites, these recycled credentials are easily exploited by cybercriminals and their armies of automated bots: A significant fraction of breached credentials will also work to gain access to accounts at other sites. Once attackers take over accounts, they can change credentials to lock out the legitimate account owner, drain the assets, and use the accounts to commit additional acts of fraud

Impacts of Account Takeover Fraud

Digital fraud losses from attacks such as ATO are anticipated to surpass $343 billion globally between 2023 and 2027, according to reports in American Banker

Account takeover also has effects beyond the financial realm. An organization’s brand and reputation may also suffer, leading to lost business and negative publicity regarding perceived weakness in security. Long-term brand damage may result, and it can take years to rebuild a positive reputation.

Organizations can also lose customer trust and loyalty, leading to termination of commercial relationships. Customers are understandably unhappy if a company’s inadequate security measures result in account takeover and costly fraudulent activity.

Organizations may also face compliance and legal consequences for failure to protect consumer data. Legislation and standards such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Protection Act (CCPA), and the Payment Card Industry Data Security Standard (PCI-DSS) are designed to ensure consumer data privacy and impose large monetary penalties in the event of data breaches. These include ATO attacks that expose private data to bots.

Detecting Account Takeover Fraud

It is important to monitor user accounts and activities to detect signs of ATO.

  • Watch for unexpected changes in account activity. These changes can include new or unauthorized transactions, large withdrawals, random and sporadic spikes in traffic, or requests to change passwords, address, or payment beneficiary. These anomalous activities may be a sign that the account is under attack. In these cases, check the account to discover if any of the user details, such as password or phone number, has also changed, which could indicate that the account has been hijacked.
  • Watch for unrecognized login attempts. A series of failed login attempts may indicate that a bad actor is attempting to breach an account using credential stuffing methods. Be particularly alert if the login attempts are from an unusual location, or occur at a time of day when the account is usually inactive. 
  • Pay attention to new or unrecognized devices accessing an account. Activity from new or unknown devices can indicate that an account has been compromised, or that a fraudster is attempting to login with stolen credentials. Similarly, multiple devices logging in to a single account can also signal that the account is under attack by criminals.
  • Suspicious email or text messages. An increase in phishing emails and emails may indicate that users are being targeted by scammers. Remind customers to never click on attachments or live links in a digital message from an unknown sender, and never provide usernames, passwords, or personal or financial information to anyone over the phone or Internet. Legitimate companies will not ask for account information by email or text.

Preventing Account Takeover Fraud

A proactive approach to preventing ATO involves multiple levels of protections and strategies. These include best practices methodologies, a focus on user education, real-time infrastructure monitoring, and strong authentication protections.

User education and awareness

One of the most effective ways to prevent account takeover is through educational programs that train users to identify and resist risk. ATO attacks often begin with phishing, when a bad actor attempts to trick users into revealing their account credentials or clicking on malicious links. Phishing emails and texts can be very convincing, especially when the communication features personal details that criminals can collect from social media. Also make sure that users understand the importance of good password hygiene and enforce use of strong password protocols.

Strong authentication measures

Strong authentication requires users to present two or more verification factors, beyond a username and password, during a login attempt. There are several approaches to strong authentication.

  • Two-factor authentication (2FA) is an identity and access management security method that requires two verification factors to establish one's identity to access resources and data. In common practice, this often involves entering a one-time passcode from an email or text into a known device such as a smart phone or browser on a home computer.
  • Multi-factor authentication (MFA) is similar to 2FA, except that at least three verification factors must be provided for a successful login. In most cases, this involves receiving a one-time code on a known device, plus providing a form of biometrics, such as a fingerprint reading, retina scan, or voice recognition. It should be noted that while both 2FA and MFA remain valuable tools to enhance the security of online accounts, they are no longer sufficient as the final defense against ATO attacks, as they can easily be bypassed by criminal attacks and diminish the use experience.
  • Risk-based authentication is an access management method that adjusts the requirements of the authentication process to the level of risk presented by the login attempt. For instance, a login to simply check an account balance would require a less restrictive authentication process than a login to change passwords or transfer funds to a new account. Essentially, as the level of risk increases, the authentication process becomes more stringent, requiring additional factors and oversight.

Monitoring and auditing accounts

Both consumers and businesses should regularly monitor and audit accounts for suspicious activity. For consumers, this includes regularly logging into financial accounts and other accounts with stored value (including loyalty programs and gift cards) to keep an eye on balances and account activity.

Businesses and organizations can employ a range of technologies to automate the continuous monitoring and auditing of accounts, including account tracking systems that use machine learning and AI-based detection to help prevent fraud by identifying anomalous activities that don’t match the user’s usual behavior.

Web application firewall (WAF)

A WAF protects web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app. It does this by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe. A WAF acts as an intermediary that protects the web app server from a potentially malicious client.

Although not specifically designed to detect ATO activity, WAF policies can be targeted to help identify and block account takeover attacks. WAFs can also help identify malicious bot activities, which often precede brute force credential stuffing attacks.

Add bot detection and mitigation to networks

Armies of bots allow criminals to scale their attacks, bypass MFA controls, and enable fraud. Automation means that bots can be massively deployed in pursuit of their assigned task, whether that is credential stuffing or phishing attacks. Bot detection solutions provide visibility into malicious activities such as fake account creation, inventory hoarding, scraping, and digital skimming of credential information. Bot detection solutions can also provide alerts for client-side attacks, such as formjacking, digital skimming, Magecart, and other browser-based JavaScript vulnerabilities.

Responding to Account Takeover Fraud

Because of the multitude of stolen and compromised credentials readily available on the dark web, it is increasingly likely that organizations will experience a cyberattack, sooner or later. It is imperative that organizations prepare robust responses and processes in advance to address the impact of a cyberattack on both the institution and its customers.

Incident response plan

An incident response plan defines the active steps, available resources, and communication strategies that will be put into place upon identification of a threat event. An incident response plan should define the protocols for responding to the event and identify an incident response team that has been trained to operationalize the plan.

Customer notification and support

It’s critical that the incident response team directly notify impacted customers and explain what has happened, let them know what steps are being taken to protect them, and urge them to change the compromised password if it is used on other accounts. Staying in contact with affected customers is important for rebuilding trust.

Investigation and remediation

After an attack is detected, it is crucial to assess and contain the incident, and identify the nature and scope of the incident and the systems affected. Once the access point is identified, the organization should eliminate the attacker’s unauthorized access to impacted accounts, and remediate compromised accounts to ensure that they can no longer be used maliciously. As part of the fraud recovery review, analyze how to prevent such an attack from happening again.

Communication and transparency

It’s important to communicate about security breaches and attacks with transparency, as holding back information can be perceived by regulators, the media, or consumers as concealment, and can significantly compound the financial impact of the attack.


Today, any organization issuing or accepting digital payments is an ATO target, and the threat of attack continues to grow. This places online merchants, financial institutions, and service organizations in a paradox: As they embrace customers’ preference for more convenient online services and apps, they open themselves up to increased risk of fraud and other forms of cybercrime.  Once an account is compromised, a fraudster may drain funds, steal goods or services, or access payment information to use on other sites—alienating customers and eroding revenue.

Conventional 2FA and MFA controls are no longer sufficient to stop cybercriminals who launch increasingly sophisticated ATO attacks. To prevent ATO requires an end-to-end approach to security and fraud prevention that assesses intent, streamlines digital experiences, and halts ATO by identifying fraud patterns and risky transactions before they take place.

How F5 Can Help

F5 security and fraud prevention solutions offer the industry’s most comprehensive account takeover protection on a single platform. Using sophisticated technologies such as threat intelligence modeling and machine learning to detect attacker techniques, Distributed Cloud Bot Defense deploys appropriate countermeasures in real time to counter bot-driven fraud and ATO with maximum effectiveness. Distributed Cloud Authentication Intelligence recognizes legitimate users throughout the customer journey, and Distributed Cloud Client-Side Defense provides real-time insight into client-side digital skimming attacks.

Coupled with the rapid removal of post-login fraud via Distributed Cloud Account Protection, the F5 Distributed Cloud security and fraud prevention platform provides an end-to-end approach that assesses intent, streamlines digital experiences, and stops ATO attempts that otherwise lead to fraud, lost revenue, and reduced customer loyalty.