What is account takeover, and how can you prevent it?
In 2019, the average American had 27 online accounts that required a password. Today that figure has reportedly climbed to 168 passwords per person, and that doesn't even count the passwords people use for work.
The move to digital has made many tasks more convenient. After all, why would anyone want to visit a physical bank branch or grocery store when you can deposit checks online and get groceries delivered straight to your door?
Unfortunately, this shift has also opened up more opportunities for fraud — in particular, account takeover fraud.
Like most types of fraud, account takeover fraud doesn’t just impact your customers — it can also impact your business reputation. And that means you need to have a plan in place for identifying and stopping instances of account takeover fraud if and when it occurs.
Below, we take a look at what account takeover fraud is and how it works. We also explain why it can be such a serious problem and how it can affect your company before providing concrete steps you can take to protect both your business and customers.
What is account takeover fraud?
Account takeover (ATO) fraud is a type of identity theft where a bad actor gains access to (or takes over) a genuine customer’s online account, typically due to compromised login credentials. Once they have control over the account, the bad actor may use it to make unauthorized transactions or withdrawals, change account details, sell the account and its verified credentials, or engage in various other types of fraudulent activity.
How does account takeover fraud happen?
In order to engage in account takeover fraud, a bad actor must first gain access to an online account. This can happen in a number of different ways, such as:
Data breaches: Whenever a data breach occurs, the information that gets stolen — which can include usernames, passwords, and even the answers to security questions — often gets sold on the dark web in bulk to fraudsters, who can use them to conduct account takeover attacks. Some sources estimate that there are 15 billion credentials on the dark web — which makes sense given that 2.9 billion records were exposed in the 2024 National Public Data breach alone.
Social engineering attacks: Some bad actors use social engineering, such as phishing (and its targeted cousins, spear phishing and whaling), business email compromise (BEC), website impersonation and similar ploys, to trick a person into handing over their login credentials and personal information. Adversary-in-the-middle phishing pages go a step further: a proxy relays the real site to the victim and captures the password together with the session token, so a one-time code typed into the fake page is stolen along with everything else.
Brute force attacks: Attackers use bots to throw login attempts at a site at high speed, sometimes 100 or more per second. Classic brute force hammers one account with many password guesses; password spraying tries one or two common passwords (a season and year, say) against thousands of accounts so that no single account trips a lockout; credential stuffing replays username and password pairs taken from earlier breaches against other sites, and succeeds precisely because people reuse passwords.
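The three patterns above can be told apart in a failed-login log. The following is an added example, not code from the original page or from Persona: it classifies each source address by how many accounts and how many distinct passwords it tried, and separately flags any single password tried against many accounts, which still catches spraying when it is spread across a botnet so that no one address looks busy. The log records, the `pw_fp` field (a short keyed hash of the attempted password, so plaintext guesses are never stored) and every threshold are assumptions made for the example.

```python
"""Classify bursts of failed logins as brute force, password spraying or
credential stuffing. Added example; records and thresholds are constructed."""
from collections import defaultdict

# Constructed failed-login records: (src_ip, username, pw_fp). pw_fp is an
# assumed field holding a short keyed hash of the attempted password; it lets
# us count distinct passwords without ever storing the plaintext guess.
FAILED_LOGINS = (
    # one account, eight different guesses: classic brute force
    [("203.0.113.10", "alice", f"guess{i}") for i in range(8)]
    # ten accounts, the same password every time: password spraying
    + [("198.51.100.7", f"user{i}", "w24") for i in range(10)]
    # ten accounts, a different leaked password for each: credential stuffing
    + [("192.0.2.55", f"user{i}", f"leak{i}") for i in range(10)]
    # the same password against ten accounts, two guesses per source address:
    # spraying spread across five addresses so no single source looks busy
    + [(f"203.0.113.{20 + i}", f"user{2 * i + j}", "s24")
       for i in range(5) for j in range(2)]
    # one user mistyping twice: benign noise
    + [("203.0.113.99", "bob", "typo1"), ("203.0.113.99", "bob", "typo2")]
)

MIN_ATTEMPTS = 5             # failures from one source before it is classified
SPRAY_MAX_PASSWORDS = 2      # a sprayer cycles through very few passwords
STUFFING_UNIQUE_RATIO = 0.8  # stuffing uses a fresh pair for nearly every try
SPRAY_MIN_ACCOUNTS = 5       # one password seen against this many accounts


def classify_sources(records, min_attempts=MIN_ATTEMPTS):
    """Return {src_ip: label} for every source with enough failures."""
    by_ip = defaultdict(list)
    for ip, user, fp in records:
        by_ip[ip].append((user, fp))
    verdicts = {}
    for ip, attempts in by_ip.items():
        if len(attempts) < min_attempts:
            continue  # too little to say anything; the benign typos land here
        users = {u for u, _ in attempts}
        passwords = {fp for _, fp in attempts}
        if len(users) == 1 and len(passwords) > 1:
            verdicts[ip] = "brute_force"
        elif len(users) > 1 and len(passwords) <= SPRAY_MAX_PASSWORDS:
            verdicts[ip] = "password_spraying"
        elif len(users) > 1 and len(passwords) >= STUFFING_UNIQUE_RATIO * len(attempts):
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def sprayed_passwords(records, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {pw_fp: account_count} for passwords tried against many accounts
    regardless of source, so distributed spraying is still visible."""
    accounts_per_password = defaultdict(set)
    for _, user, fp in records:
        accounts_per_password[fp].add(user)
    return {fp: len(users) for fp, users in accounts_per_password.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for ip, label in classify_sources(FAILED_LOGINS).items():
        print(f"{ip:15} {label}")
    for fp, n in sprayed_passwords(FAILED_LOGINS).items():
        print(f"password {fp} tried against {n} accounts")
```

The five-address spray never reaches the per-source threshold, so `classify_sources` is silent on it; `sprayed_passwords` reports it anyway because the password fingerprint, not the address, is the key. That is the reason to keep a password-level view in addition to a source-level one.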
Once inside, bad actors typically change the password and the recovery email address or phone number so that the legitimate owner is locked out and never sees the alerts. They then carry out whatever fraud they had planned.
Why is account takeover fraud so serious?
While any fraud is obviously bad for your customers and your business, ATO fraud can be especially nefarious for two key reasons:
ATO fraud is hard to catch.
With credit card fraud, it’s easy to log into your account, notice fraudulent charges, and dispute them. Many credit card companies even keep an eye out and proactively alert you of suspicious charges.
ATO fraud is much trickier because once bad actors log into your account, they often change the account information (username, password, email, etc.) so you won’t be notified and can no longer log in and see what’s going on. Because of this, Javelin reports that it takes the average ATO victim around 16 hours (and $290) to resolve account takeover identity theft.
Account takeover is also hard to catch because much of what an attacker does looks like what a legitimate user does. People move, change phone numbers and replace devices all the time, so a single address or device change is not, on its own, a sign that someone malicious is in control.
ATO fraud can span across multiple accounts.
According to Google, around two-thirds of consumers reuse passwords across accounts. This means once a fraudster gets into one account, they may be able to commit identity theft across other platforms.
For example, if a bad actor takes over your bank account, they may be able to access your email, mobile wallets, airline rewards, government benefits, social media accounts, and more. And if that isn’t scary enough, they may also be able to glean different pieces of information (birthday, address, answer to security questions, etc.) and take over even more accounts or create new accounts as “you.” And just like that, the fraudster now has the keys to dozens more accounts. With just one set of credentials, your entire online persona can be hacked and transformed before you notice there’s anything wrong.
Account takeover is also common today because virtually every app or website offers a "sign in with Facebook" (or Google, Apple, etc.) button, so one identity-provider login often unlocks dozens of other accounts. Password managers like 1Password remove the need to remember many passwords, and single sign-on providers like Okta remove the need to have many, but in both cases the whole collection sits behind one master credential; if that credential is a password alone, one phish or one breach still opens everything.
How common is ATO fraud?
People use the internet to do more and more — everything from social media to banking, shopping, learning, and even remote work. This proliferation of accounts has meant that fraudsters have more targets to try and gain access to. It’s little wonder, then, that account takeover fraud has been on the rise in recent years.
Just how common is it? Here are some statistics to put ATO fraud occurrence into perspective:
According to Javelin, ATO fraud losses grew by 15% between 2022 and 2023 after experiencing a meteoric rise of 282% from 2019 to 2020.
A recent report by Security.org estimates that 29% of American adults have experienced an account takeover, up 22% from 2021. Social media accounts accounted for 53% of all ATO occurrences.
According to Verizon, the number one way criminals gain access to accounts is through stolen credentials, with 29% of all breaches using stolen credentials.
Why does account takeover matter to my business?
When fraudsters perform account takeovers, they usually attack personal — not corporate — accounts. However, ATO fraud could cost your company money as well. For example, if the affected user disputes a fraudulent transaction, you may be held liable. In fact, account takeover fraud resulted in nearly $13 billion in losses in 2023 alone.
Additionally, ATO fraud incidents can damage your reputation and make it hard to attract and retain customers. Trust is arguably the most critical commodity for consumer companies today. If that line of trust is broken, you’re not just losing money — you’re losing future customers and brand loyalty. According to Twilio, 86% of consumers said they’d stop using a business if their account was compromised.
And just because it’s rare doesn’t mean that fraudsters never target corporate accounts for takeover.
What is corporate account takeover (CATO)?
Corporate account takeover (CATO) is a type of ATO fraud in which a corporate account is inappropriately accessed by a fraudster. In other words, it’s an account takeover where a business or organization is the victim instead of an individual. It can take many different forms, including:
Employee account takeover: One or more employee accounts are infiltrated so the bad actor can engage in fraud — for example, stealing sensitive business or customer information, completing an unauthorized transaction, transferring funds, etc.
Executive account takeover: An executive’s account is infiltrated, potentially resulting in larger-scale damages due to increased permissions typically associated with such accounts.
Brand account takeover: A branded account, such as a social media profile, is infiltrated and vandalized, or otherwise used to engage in fraud, such as when the Twitter accounts of Apple, Wendy’s, and Uber were taken over in 2018.
Truly any account associated with your business can be the target of a CATO attack. Specific examples might include your financial accounts, CRM systems, email accounts, social media accounts, cloud and data storage accounts, and countless individual business applications (apps, tools, software, etc.).
How can I prevent account takeover fraud?
It’s clear that passwords aren’t enough to secure accounts — and neither is knowledge-based authentication (KBA) for that matter, as answers to security questions are often leaked and/or researchable.
Don't wait until you see a wave of chargebacks, transaction disputes, failed login attempts, password reset requests and unfamiliar transactions. No single control makes account takeover impossible, but layering several protects both your business and your users. The key to account takeover protection is implementing multiple security measures, including:
Practical account protection measures
There are a few practical measures you can enforce, such as:
Requiring new users to create strong passwords, and screening them against lists of passwords exposed in past breaches (a credential-stuffing bot only needs a password that has leaked once)
Offering and encouraging multi-factor authentication, preferably a phishing-resistant method such as a hardware security key or passkey rather than SMS codes, which a phishing proxy can relay
Limiting the number of failed login attempts allowed within a set time period, counted per account and per source address, since a spray that makes one guess per account never trips a per-account lockout
Notifying users about account changes and requiring them to verify each change, with the notice sent to the previous email address or phone number as well as the new one, so a hijacker cannot silence it by swapping the contact details first
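One way to implement the attempt limit from the list above, as an added example rather than code from the page or from Persona: a sliding window of recent failures kept both per account and per source address, with a short simulation of each attack shape. The thresholds (5 failures per account, 20 per address, 15-minute window), the fake clock and the simulated accounts and addresses are assumptions made for the example.

```python
"""Sliding-window login throttle keyed by account and by source address.
Added example; thresholds and the simulated traffic are constructed."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Count recent failed logins per account and per source IP.

    Thresholds are assumed defaults: 5 failures lock an account, 20 failures
    block a source address, both within a 15-minute sliding window.
    """

    def __init__(self, per_account=5, per_ip=20, window_s=900,
                 clock=time.monotonic):
        self.per_account = per_account
        self.per_ip = per_ip
        self.window_s = window_s
        self.clock = clock  # injectable so the simulations can fake time
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key, now):
        queue = self._failures[key]
        while queue and now - queue[0] > self.window_s:
            queue.popleft()  # drop failures that fell out of the window
        return len(queue)

    def check(self, username, ip):
        """Return None if the attempt may proceed, else the reason it may not."""
        now = self.clock()
        if self._recent(("acct", username.lower()), now) >= self.per_account:
            return "account_locked"
        if self._recent(("ip", ip), now) >= self.per_ip:
            return "source_blocked"
        return None

    def record_failure(self, username, ip):
        now = self.clock()
        self._failures[("acct", username.lower())].append(now)
        self._failures[("ip", ip)].append(now)

    def record_success(self, username):
        # A correct password from the owner clears the account counter;
        # the per-IP counter is left alone on purpose.
        self._failures.pop(("acct", username.lower()), None)


def simulate_spray(n_accounts=50):
    """One guess per account from one address: the per-account limit never
    fires, the per-address limit does. Returns (allowed, blocked)."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    allowed = blocked = 0
    for i in range(n_accounts):
        fake_now[0] += 1
        if throttle.check(f"user{i}", "198.51.100.7") is None:
            allowed += 1
            throttle.record_failure(f"user{i}", "198.51.100.7")
        else:
            blocked += 1
    return allowed, blocked


def simulate_brute_force(n_guesses=8):
    """Repeated guesses at one account: allowed until the lockout, then
    refused until the window has passed. Returns the verdict per attempt."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    verdicts = []
    for _ in range(n_guesses):
        fake_now[0] += 1
        verdict = throttle.check("alice", "203.0.113.10")
        verdicts.append(verdict)
        if verdict is None:
            throttle.record_failure("alice", "203.0.113.10")
    fake_now[0] += throttle.window_s + 1  # wait out the window
    verdicts.append(throttle.check("alice", "203.0.113.10"))
    return verdicts


if __name__ == "__main__":
    print("spray:", simulate_spray())
    print("brute force:", simulate_brute_force())
```

Two caveats a practitioner would add. A hard per-account lockout is itself a lever for abuse, since anyone who knows a username can lock its owner out, so production systems usually prefer progressive delays or a challenge over an outright refusal. And a per-address counter only sees one address; a spray spread across a botnet stays under it, which is why this control belongs alongside password-level detection rather than in place of it.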
Establishing a baseline
If you know how your customers usually behave, abnormalities stand out. Have your system alert you to suspicious activity, such as many accounts changing their details at once, accounts logging in from devices they have never used before, or many unrelated accounts suddenly logging in from the same device.
Of course, this isn't foolproof. Someone shipping a purchase to a new address may simply be sending a gift, and several accounts on one device may be a household that really loves your company. These signals are still worth a look, and the right response is often a step-up check rather than a block.
Using identity verification to prevent account takeover
The problem with ATO fraud is that it's hard to tell who is behind the screen, that is, whether the person logging in and making changes is really who they claim to be. This is why it's important to verify identities both when someone opens an account and when they take a major action, such as withdrawing money or changing a password.
At Persona, our flexible suite of identity tools empowers you to build an IDV strategy capable of deterring account takeovers and other costly forms of identity fraud.
Leverage government ID verification, database verification, selfie verification, and more to initially verify the identity of each individual (in both KYC and KYB applications). Then, reverify identities at critical moments to ensure that accounts haven’t been compromised. At each step, you have total control over how much friction the user sees. Scale friction up for high-risk individuals or moments, and scale it down when less risk is present.
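The baseline described under "Establishing a baseline" and the reverify-at-critical-moments approach described just above fit together as one risk score. The following is an added example, not code from the page or from Persona: it learns which devices each user has logged in from, scores each new event by whether the device is unknown, whether that device is shared by several accounts, and whether the action is sensitive, and then decides to allow, to allow with a notification, or to require reverification. The history, the events, the `device_id` (assumed to be a stable identifier the application already assigns to a browser or app install) and the weights are all assumptions made for the example.

```python
"""Score successful logins and profile changes against a per-user device
baseline and decide whether to allow, notify or require reverification.
Added example; history, events and weights are constructed."""
from collections import defaultdict

# Constructed history of successful logins: (username, device_id). device_id
# is assumed to be a stable identifier the application already assigns to a
# browser or app install (for example a long-lived cookie).
HISTORY = [
    ("alice", "dev-A1"), ("alice", "dev-A1"), ("alice", "dev-A2"),
    ("bob", "dev-B1"), ("carol", "dev-C1"), ("dave", "dev-D1"),
    ("erin", "dev-E1"),
]

# Constructed events to score: (username, device_id, action). dev-Z9 has never
# been seen before and is now used by four accounts in a row.
EVENTS = [
    ("alice", "dev-A1", "login"),
    ("alice", "dev-A1", "change_phone"),     # routine change, known device
    ("bob", "dev-Z9", "login"),
    ("bob", "dev-Z9", "change_email"),
    ("carol", "dev-Z9", "login"),
    ("carol", "dev-Z9", "change_password"),
    ("dave", "dev-Z9", "login"),
    ("dave", "dev-Z9", "change_email"),
    ("erin", "dev-Z9", "login"),
]

SENSITIVE_ACTIONS = {"change_email", "change_phone", "change_password",
                     "withdraw"}
FANOUT_THRESHOLD = 3  # accounts on one device before it counts as shared
WEIGHTS = {"unknown_device": 2, "shared_device": 3, "sensitive_action": 2}
STEP_UP_AT = 4        # score at which the user must reverify their identity


def build_baseline(history):
    """Map each user to the set of devices they have logged in from before."""
    known = defaultdict(set)
    for user, device in history:
        known[user].add(device)
    return known


def decide(score):
    if score >= STEP_UP_AT:
        return "step_up"   # reverify (ID, selfie, etc.) before proceeding
    if score > 0:
        return "notify"    # allow, but tell the user via their existing contacts
    return "allow"


def score_events(events, known):
    """Return [(user, device, action, score, decision)] for each event."""
    accounts_per_device = defaultdict(set)
    for user, device, _ in events:
        accounts_per_device[device].add(user)
    scored = []
    for user, device, action in events:
        score = 0
        if device not in known.get(user, set()):
            score += WEIGHTS["unknown_device"]
        if len(accounts_per_device[device]) >= FANOUT_THRESHOLD:
            score += WEIGHTS["shared_device"]
        if action in SENSITIVE_ACTIONS:
            score += WEIGHTS["sensitive_action"]
        scored.append((user, device, action, score, decide(score)))
    return scored


if __name__ == "__main__":
    for row in score_events(EVENTS, build_baseline(HISTORY)):
        print(row)
```

Alice changing her phone number from a device she has used before only earns a notification, which is the gift-to-a-loved-one case from the baseline section. Every event on `dev-Z9` scores high enough to require reverification, because an unknown device shared by four accounts is the pattern of one attacker working through a batch of stolen credentials.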
Ready to learn more about how Persona can help you prevent account takeover attacks against both your business and your customers? Request a custom demo today or get in touch with any questions.