What is Account Takeover?

Account takeover (ATO) fraud occurs when a criminal gains unauthorised access to a legitimate customer's account — typically through stolen credentials, phishing, or social engineering — and uses it to make fraudulent transactions.

What Is Account Takeover?

Account takeover, commonly abbreviated as ATO, is a form of fraud where a criminal gains unauthorised access to someone else's account -- whether that is a bank account, an online shopping account, an email account, or any other type of account that holds value or personal information. Once inside, the fraudster can make purchases, transfer funds, change account details, or steal personal data, all while masquerading as the legitimate account holder.

It is one of the fastest-growing types of fraud globally, and it is not limited to online channels. Account takeover can and does happen through telephone interactions, where fraudsters call businesses posing as customers to change account details, request refunds, or make purchases using stolen credentials.

How Account Takeover Happens

There is no single method criminals use to take over accounts. Instead, they employ a range of techniques, often combining several approaches in a single attack. The most common methods include:

Credential Stuffing

When large-scale data breaches happen -- and they happen frequently -- millions of username and password combinations are leaked and sold on the dark web. Many people reuse the same password across multiple accounts. Criminals take advantage of this by using automated tools to try stolen credentials against hundreds of different websites and services. If you used the same email and password for a forum that was breached and for your online shopping account, a fraudster can log into your shopping account without any sophisticated hacking at all.
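The pattern described above leaves a recognisable footprint in authentication logs: one source address trying many different usernames in quick succession with a low success rate, while a genuine user mistyping a password retries the same username a few times. The following Python is an added example, not code from the original page or from Paytia, that parses a few constructed log lines (the line format, the thresholds and the `detect_stuffing` helper are all assumptions made for illustration) and reports the sources whose activity looks like credential stuffing, together with any accounts that were successfully logged into during the burst:

```python
"""Credential-stuffing detection over authentication log lines.

Added example (not from the original page). It parses constructed log
lines and flags source IPs whose pattern matches credential stuffing:
many attempts, mostly failures, spread across many distinct usernames
within a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; assumed format:
# "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=ok
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:30Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:45Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:01:10Z ip=198.51.100.4 user=alice result=ok
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line):
    """Parse one log line in the assumed key=value format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(ts, kv["ip"], kv["user"], kv["result"] == "ok")


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5,
                    min_users=4, max_success_rate=0.5):
    """Return {ip: report} for sources whose sliding-window activity looks
    like credential stuffing. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.success for e in win)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and successes / len(win) <= max_success_rate):
                prev = flagged.get(ip)
                # Keep the largest qualifying window for the report.
                if prev is None or len(win) > prev["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": successes,
                        # Accounts that were logged into from a flagged
                        # source: these need a forced reset and notification.
                        "compromised": sorted(e.user for e in win if e.success),
                    }
    return flagged


if __name__ == "__main__":
    for ip, report in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, report)
```

The second source in the sample (three tries against one username, then success) is the ordinary mistyped-password case and is not flagged. The point of the `compromised` field is that a successful login inside a stuffing burst is not a success at all from the defender's side: that account's password is evidently in a leaked set and should be reset before the fraudster uses the session.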

Phishing and Social Engineering

Phishing emails, text messages, and phone calls trick people into revealing their login credentials, one-time passwords, or personal information. These attacks have become increasingly sophisticated -- gone are the days of obvious misspellings and dodgy formatting. Modern phishing attacks can be nearly indistinguishable from genuine communications, and voice phishing (known as vishing) can be highly convincing, especially when the caller already has some personal information about the target.

SIM Swapping

In a SIM swap attack, the criminal convinces a mobile phone provider to transfer the victim's phone number to a new SIM card. Once they control the phone number, they can intercept one-time passwords sent via text message and use them to bypass two-factor authentication on the victim's accounts. This technique has been used in some high-profile account takeovers targeting significant sums of money.

Malware and Keyloggers

Software installed on a victim's device without their knowledge can capture login credentials as they are typed. This is less common than credential stuffing or phishing, but it remains a real threat, particularly for businesses where employees access sensitive systems from personal devices.

Why Account Takeover Is So Damaging

What makes account takeover particularly harmful is that the fraudster is operating as an authenticated user. From the business's perspective, everything looks legitimate. The login credentials are correct, the account history is real, and the payment methods on file are genuine. This makes ATO fraud extremely difficult to detect using traditional methods.

For the victim, the experience can be devastating. Money is stolen, personal information is exposed, and the process of reclaiming their account and repairing the damage can take weeks or months. For businesses, the costs include direct financial losses from fraudulent transactions, chargeback fees, the expense of investigating and resolving cases, and serious reputational damage when customers lose trust.

Studies consistently show that account takeover is one of the most expensive forms of fraud for businesses to deal with. The average cost of an ATO incident is several times higher than a typical fraudulent transaction because it often involves multiple purchases before the fraud is detected, and the investigation and remediation are more complex.

Account Takeover in Telephone Payments

The telephone channel presents unique vulnerabilities to account takeover. When a customer calls to place an order or manage their account, the agent needs to verify their identity -- but the verification methods available over the phone are limited. Typically, the agent asks for information like the account holder's name, address, date of birth, or the last few digits of a payment card. If a fraudster has obtained this information (which is often available from data breaches or social media), they can pass these checks with ease.

Once they have convinced the agent they are the legitimate customer, they can change the delivery address, update the payment method, make purchases, or request sensitive information. Because the interaction is happening in real time with a human agent, there is often no automated system in place to flag unusual behaviour the way there might be on an online platform.

This is why training contact centre agents to recognise the signs of account takeover is so important. Unusual requests, inconsistencies in the caller's information, hesitation when asked verification questions, and attempts to rush the agent through security checks are all potential warning signs. But relying solely on agent judgement is not enough -- businesses need systematic approaches to identity verification in the telephone channel.

How to Protect Against Account Takeover

Effective ATO prevention requires a layered approach. No single measure is sufficient on its own, but together they make it significantly harder for fraudsters to succeed:

  • Multi-factor authentication (MFA) -- require at least two forms of verification for account access and sensitive actions. Push notifications to a mobile app are more secure than SMS codes, which can be intercepted via SIM swapping
  • Anomaly detection -- monitor for unusual account behaviour such as login attempts from new locations, changes to account details, or transactions that do not match the customer's normal pattern
  • Device recognition -- identify and flag login attempts from unrecognised devices
  • Credential monitoring -- proactively check whether your customers' credentials have appeared in known data breaches and prompt affected users to change their passwords
  • Rate limiting -- restrict the number of login attempts from a single IP address to make credential stuffing attacks impractical
  • Agent training -- for telephone channels, ensure agents are trained to spot social engineering tactics and follow strict verification procedures that cannot be bypassed by a persuasive caller
  • Secure telephony solutions -- for phone payments, using systems that keep sensitive data out of the agent's hands reduces the risk even if an account is compromised
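Several of the layers above (rate limiting, device recognition, location anomaly detection, credential monitoring and MFA step-up) can be combined into one login decision. The following Python is an added example, not code from the original page or from Paytia's platform, showing such a policy engine. The `LoginPolicy` and `RateLimiter` classes, the decision names and all sample data (known devices, home countries, the small "breach corpus" of password hashes) are constructed assumptions; the breached-password check mirrors the k-anonymity approach used by public breach-lookup services, where only the first five characters of the SHA-1 hash are sent and matching suffixes are compared locally, but here the lookup is a local stand-in so the example runs offline:

```python
"""Layered login decision: rate limiting, device recognition, location
anomaly, breached-credential check and MFA step-up.

Added example, not from the original page or Paytia's product. All inputs
(known devices, breach corpus, sample attempts) are constructed.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "breach corpus": SHA-1 digests of passwords seen in leaks.
BREACHED_PASSWORDS = {"password123", "qwerty", "letmein"}
_BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper()
                  for p in BREACHED_PASSWORDS}


def breached_suffixes(prefix):
    """Local stand-in for a k-anonymity range lookup: return the hash
    suffixes in the corpus that share the 5-character prefix. In a real
    deployment only the prefix would leave the server."""
    return {h[5:] for h in _BREACH_HASHES if h.startswith(prefix)}


def password_is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


class RateLimiter:
    """Sliding-window limiter keyed by source IP (assumed policy)."""

    def __init__(self, limit=10, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginPolicy:
    def __init__(self, known_devices, home_country, limiter=None):
        self.known_devices = known_devices  # {user: {device_id, ...}}
        self.home_country = home_country    # {user: ISO country code}
        self.limiter = limiter or RateLimiter()

    def evaluate(self, user, password_ok, password, device_id, country, ip, now):
        """Return (decision, reasons); decision is one of
        "block", "deny", "step_up_mfa" or "allow"."""
        if not self.limiter.allow(ip, now):
            return "block", ["rate_limited"]
        if not password_ok:
            return "deny", ["bad_password"]
        reasons = []
        if device_id not in self.known_devices.get(user, set()):
            reasons.append("unrecognised_device")
        if country != self.home_country.get(user):
            reasons.append("new_location")
        # The cleartext password is available only at login time, which is
        # when the breach check is run; a hit means forcing a reset after MFA.
        if password_is_breached(password):
            reasons.append("breached_password")
        return ("step_up_mfa", reasons) if reasons else ("allow", [])


def run_demo():
    """Constructed scenario; returns the list of (decision, reasons)."""
    policy = LoginPolicy(known_devices={"alice": {"dev-home-laptop"}},
                         home_country={"alice": "GB"},
                         limiter=RateLimiter(limit=3))
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    results = []
    # Known device, home country, strong password -> allow.
    results.append(policy.evaluate("alice", True, "correct horse battery staple",
                                   "dev-home-laptop", "GB", "192.0.2.10", t0))
    # Correct password but new device and country -> step-up MFA.
    results.append(policy.evaluate("alice", True, "correct horse battery staple",
                                   "dev-unknown", "US", "203.0.113.7",
                                   t0 + timedelta(seconds=1)))
    # Correct but leaked password from a known device -> step-up and reset.
    results.append(policy.evaluate("alice", True, "password123",
                                   "dev-home-laptop", "GB", "192.0.2.10",
                                   t0 + timedelta(seconds=2)))
    # A stuffing source: three failures, then the limiter blocks the fourth.
    for i in range(4):
        results.append(policy.evaluate("bob", False, "x", "dev-bot", "GB",
                                       "203.0.113.9",
                                       t0 + timedelta(seconds=3 + i)))
    return results


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

Two design points worth noting. The limiter is checked before the password so that a blocked source learns nothing about which usernames exist; and per-IP limiting on its own is weak against stuffing spread over many addresses, so in practice the same window is also applied per account and per device, with a recognised device and home location being what lets a genuine customer through without a step-up prompt.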

The Regulatory Landscape

Account takeover intersects with several regulatory frameworks. Under GDPR (and the UK's Data Protection Act 2018), businesses have obligations to protect personal data, and a successful ATO attack that exposes customer information may constitute a reportable data breach. PSD2's Strong Customer Authentication requirements are partly designed to combat ATO by requiring multi-factor authentication for electronic payments. PCI DSS compliance is also relevant because compromised accounts often lead to unauthorised card transactions.

Businesses that fail to take reasonable steps to prevent account takeover may face regulatory penalties, in addition to the direct costs of the fraud itself. The direction of travel in regulation is clearly toward placing more responsibility on businesses to protect their customers' accounts.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates account takeover prevention as part of its thorough security approach. By capturing phone payments through DTMF suppression, which keeps card data out of the agent's hands, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is account takeover?

Account takeover (ATO) fraud occurs when a criminal gains unauthorised access to a legitimate customer's account — typically through stolen credentials, phishing, or social engineering — and uses it to make fraudulent transactions.

Why is account takeover important for PCI DSS?

PCI DSS requires organisations to implement controls against account takeover as part of their security controls for protecting cardholder data, because a compromised customer account is a common route to unauthorised card transactions.

How does Paytia handle account takeover?

Paytia implements account takeover protections as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.

See how Paytia handles account takeover

Book a personalised demo and we'll show you how our platform works with your setup.
