Skip to content

How can organisations protect consumers from account takeover attacks?

Brett Petersen
Brett Petersen
Executive Vice President, Sales and Client Relations, GIACT, A Refinitiv Company

COVID-19 precipitated an acceleration in the pace of digital transformation, with many consumers adopting mobile banking. However, fraudsters have also adapted to the new environment and have accordingly evolved their tactics in the form of account takeover attacks. What steps can organisations take to thwart financial criminals and protect consumers?

  1. Since April 2020, there has been a huge surge in the use of mobile banking. However, research shows there has been a corresponding rise in account takeover attacks.
  2. Fraudsters use myriad ways to perpetrate account takeover attacks, including brute-force attacks, credential stuffing, phishing and social engineering.
  3. All departments of an organisation must take stringent precautions to mitigate the threat of account takeover attacks to customers and this begins with upgrading and optimising authentication processes.

For more data-driven insights in your Inbox, subscribe to the Refinitiv Perspectives weekly newsletter.

In April 2020, the world’s largest banks experienced a 200 percent jump in new mobile banking registrations. Peer-to-peer payments firms, throughout 2020, celebrated record transactions and dollar volumes across their networks.

Both trends account for a massive uptick in the adoption of digital accounts and payments. More consumers than ever rely on digital accounts to make everyday transactions.

Unfortunately, in parallel, fraud operators have taken notice and have accelerated their attacks against existing accounts in the form of account takeover (ATO) attacks .

Defined as the unauthorised takeover of an existing, legitimate account, account takeover has become increasingly prevalent.

In fact, according to an Aite Group report, “U.S. Identity Theft: The Stark Reality,” underwritten by GIACT (a Refinitiv company), over one-third (38 percent) of U.S. consumers experienced ATO in the past two years.

Account takeover victims in the past two years

Read the white paper: Understanding Account Takeover 2021

Types of ATO attacks

In their attacks, fraud operators take advantage of exposed personally identifiable information (PII) available on the Dark Web, along with the information they can readily find via social media and online search.

Over the years, fraudsters have perfected their craft, deploying both conventional and evolved tactics, including:

  • Brute-force attacks: Cybercriminals use automated scripts that spin through password combinations to validate login credentials.
  • Credential stuffing: Similar to brute-force attacks but conducted through ‘educated guesses’ that leverage exposed and available PII.
  • Phishing: An email tactic used to trick the victim into clicking malware or to socially engineer them into entering PII (including login credentials) on a legitimate-looking domain.
  • Social engineering: This covers a wide-range of tactics — from email, social media, text and calling — where fraudsters socially engineer victims into turning over information or transferring funds. This is usually done by fraudsters posing as a legitimate entity (business or government) and can include threats and even blackmail.
  • Synthetic identity fraud: An identity fraud tactic that uses a combination of real and fictitious PII in order to open or gain access to an account.
  • Friendly/family fraud: An unfortunate but very prevalent tactic behind ATO, family or friendly fraud is when fraud is committed by someone known to the victim.

Watch: Refinitiv acquires GIACT to build end-to-end security

ATO aftermath

Successfully executed, fraudsters can engage in a variety of activities varying by account type.

Aite Group’s report found that following a takeover, fraudsters performed the following activities:


The variety of account types and activities represents how much fraud has migrated beyond traditional bank accounts. As detailed above, P2P apps, bill pay, reward points and even medical insurance is being targeted. Expect this trend to continue.

ATO prevention best practices

Given the growth of digital communication and cloud data storage, fraudsters now have multiple possible entry points to gain access to PII.

It is critical that internal organisational departments such as information technology, human resources, accounting and administration are cognisant of cybersecurity hazards related to company networks and databases containing sensitive employee, payroll and other financial data – all of which are highly valuable to fraud networks.

Any precautions organisations take to mitigate the risk of ATO fraud starts with remaining proactive in upgrading current authentication methods.

Fraudsters increasingly find ways to bypass weak passwords, which have long rewarded hackers and confounded security professionals.

Fraud operators are also increasingly targeting unguarded, non-financial accounts (email, social, mobile) to obtain sensitive data they can parlay into ATOs.

Organisations can mitigate ATO risk by utilising a system that can protect their customers from payments and identity fraud through an integrated, holistic approach.

This holistic approach should include methods to positively identify consumer and business accounts, using multiple traditional and nontraditional data sources to improve underwriting, risk management and the “know your customer” (KYC) process; real-time account verification and authentication of customers and businesses, prior to customer enrolment or ACH payment processing; mobile authentication, identification, and verification in real time across all customer touch points; and real-time identity verification and authentication of scanned IDs and check payments.

Staying proactive with advanced authentication methods such as adoption of single-sign-on (SSO) and password managers allows security administrators to apply some password sanitisation.

Other practices could include using physical and behavioural biometrics, digital identities that include device recognition, geofencing, and other new technologies that help authenticate consumers more reliably than passwords.

These include two-factor authentication (2FA); knowledge-based questions; artificial intelligence based third-party database trackers; and alerting customers and employees about scams, as well as family and friendly fraud.

To learn more about this topic, and how to mitigate ATO and other forms of identity and payments fraud, read GIACT’s latest report, “Understanding Account Takeover 2021,” available here.

Read the white paper: Understanding Account Takeover 2021