What Is Account Takeover Fraud?

Covery Blog / Covery, Fraud prevention, Tips / What Is Account Takeover Fraud?

What Is Account Takeover Fraud?

As a business owner, the security of your customers’ accounts should be one of your biggest priorities. This is why account takeover is among the worst nightmares of any business — and rightly so, as, according to Aite research, the number of account takeover fraud cases rose by more than 65% higher than before the pandemic.

Thus said, in this article, we discuss what ATO is, how does it work, and how to implement a working ATO fraud detection for your business. Without further ado, let’s cover the basics.

How does takeover fraud work?

Account takeover is a fraudulent activity where a hacker gains illegal access to a customer’s account, changes the credentials, and either uses the account in a bigger scheme or simply steals all the money from the cards stored.

There are several ways to get the account credentials needed for achieving this outcome:

  1. Brute force: hackers use millions of email addresses gathered by spamming and millions of passwords discovered by dictionary attacks, where automated scripts use common passwords and dictionary terms to guess the password. You would be surprised how many people still use 123456 or “Password” as their password. Or, if you are long enough in the business, you wouldn’t.
  2. Credential stuffing: once credentials have been picked by hackers, they use these on multiple platforms to see whether they fit anywhere else. Once again, you would be surprised, how many people use the same credentials for their Gmail, Facebook, Paypal, and banking account. Probably, the very same credentials they use on your online store or website.
  3. Phishing: by pretending to be a bank, some government agency, or even the customer’s colleague/boss, hackers try to force them to open a link. It takes users to a page where they should input their credentials in order to unlock their bank account, verify their tax number or participate in a corporate loyalty program. Should your customers do that, their credentials for a real tax account or email address get stolen… and by this point, you should not even be surprised at how many doors a single key can open.
  4. Malware: good old trojans, viruses and malicious scripts like keyloggers can steal your customer’s sensitive data.

What can a hacker do with this information? Well, leaving the obvious money withdrawals aside, there are quite a few applications:

  • bonus and loyalty points abuse schemes
  • fraudulent orders with consequent chargebacks
  • account data resell to other fraudsters, etc.

This can actually be quite profitable for hackers, as banking details or Paypal credentials can cost up to $1000 on the Dark Web, so an account takeover that remains undetected can be quite profitable for fraudsters. Thus, the question — how do you enable account takeover protection for your business?

ATO fraud detection and prevention

The first step along that road is to monitor the normal usage patterns of your customer’s accounts. This is exactly what behavioral analysis at Covery does. The AI-powered system logs all user actions within your platform (which is also useful for chargeback protection), detects and reports even the earliest signs of unusual activity.

The second part of account takeover fraud prevention with Covery is device fingerprinting or building digital profiles of your customer’s devices to know when someone logs in from a different device, IP address, time zone, etc.

The third part is using Trustchain — a global reputational knowledge base, storing more than 400 million reputation records. This way if any of the compromised details are used — an IP address, a device hardware identifier, a unique set of OS and browser versions, a collection of plugins and add-ons, an IBAN, etc. — the transaction is flagged and halted until further investigation — or rejected automatically according to a predefined business risk logic rule.

If a user that is commonly online in the evening logs in the middle of the night and makes 3 incorrect login attempts before succeeding — this is definitely a warning sign. If this is followed by multiple orders to an address different from a billing address on file; a password reset request or transmission of all the bonuses to another account — you see where this is going, don’t you? 

In any of those scenarios, the account should be locked in till further clarification, transactions halted or canceled and your customer contacted immediately through an email or by any other means available within your platform. Well, what can be done for account takeover prevention then?

Some of the actions depicted above apply, but there are measures you can proactively take much before the fraud takes place:

  • Enforce a strong password policy: force the customers to invent COMPLEX and long alphanumerical passwords with special characters, unique to your website. Enable password rotation, so they have to change this password at least once a quarter. 
  • Get clear consent: Expressly explain in advance that such measures are needed to ensure THEIR sensitive data safety and have this clearly stated in the ToS to switch the liability to them, should the litigation take place. Make accepting the ToS an obligatory action during the registration.
  • Enable 3D Secure checks: Follow the Visa and Mastercard best practices by adding a 3 domain secure check of every transaction (the issuer, the recipient, and the infrastructure) to detect any compromises immediately. Have One-Time Passwords in place to confirm any transactions that seem risky.

    For example, ordering outside of usual hours, from another IP address, time zone and geolocation might be caused by a trip to meet the family. So, the need to use an OTP to confirm the purchase will not degrade the user experience with your platform — but your clear explanation of the reason behind sending such a request will show your customers you care about their safety.

Should the worst happen and you know for sure that the ATO took place (due to the results of behavioral analysis, Trustchain check, and device fingerprinting) — the best course of action would be to block access to the account. You then can inform the customer of the need to reset their password with the help of your team and update all his other digital credentials. Helping your customers prevent and/or recover from account takeover fraud is the best way to win their lifetime loyalty and get their brand advocacy through word of mouth — the best form of marketing available to any company.


As you can see, through a combination of strong policies, well-configured risk business logic rules, and in-depth transaction monitoring you can detect account takeover in the making and safeguard your customers. 
Covery would be glad to help you make this happen and secure your business with strong account takeover fraud prevention measures. Contact us to learn how we can do it and what more value we can provide for your business!