Account takeover fraud is a potentially destructive form of identity theft that’s affected as many as 1 in 5 adults online today, but there are ways you can protect yourself and your customers. 

Account takeover (ATO) works like this: a fraudster gains access to the credentials for someone's online account and then uses that account for their own purposes. 

Though individuals are the most common victims of account takeover fraud, it can affect businesses too. Essentially any online account of any nature is at risk of being taken over. 

Stolen accounts are most often used to steal funds from customer accounts or to buy goods online. They can also be used to steal frequent flyer miles, Medicare benefits, or store loyalty rewards, or even to use the victim’s phone plan to make calls and consume data. Retail accounts can be used to make purchases and resell the goods for personal gain. Other times, the accounts are simply stolen to be sold later on the dark web. 

Furthermore, it’s a particularly difficult crime to prevent. The actual criminals are usually sitting back while bots and proxies do the legwork, making them difficult to track. These bots are often sophisticated enough to get around CAPTCHA challenges. On top of that, companies are usually working to make transactions as simple and smooth as possible for their customers, which means their security checks are generally streamlined. 

However, it is possible to prevent account takeover fraud. First, let’s take a look at how it happens. 

Account Takeover Techniques

The most common technique for account takeover fraud is also the most obvious – weak passwords. The simple fact is that weak passwords make accounts more vulnerable, and a lot of people who regularly use the internet are also using very weak passwords to protect their information. In fact, research shows that 45% of Americans are using passwords that are just eight characters or fewer, which makes hacking incredibly easy. 

Hackers use bots to repeatedly try password combinations until they break into an account. The most common password, “123456,” can be cracked instantly. Even less obvious short passwords can be cracked in a matter of seconds. 

Card cracking, or credential stuffing, is another common fraudster technique. This simply involves using lists of leaked usernames and passwords to test combinations of credentials on multiple sites until they find success. These lists are usually purchased on the dark web. 

Phishing is one of the most common threats on the internet today, something which we’ve all likely encountered at one point or another. Emails or text messages are sent to potential victims from accounts which, at first glance, seem to represent legitimate organizations such as PayPal, Netflix, or Google. The messages will prompt the victim to sign into their account using the included link. However, the link leads to a fake landing page, and the credentials are recorded and later used to steal the account. 

Basic Account Takeover Prevention Techniques

Now that we understand the primary methods used to perpetrate account takeover fraud, we can devise ways to defend against them. 

For instance, the most obvious response to hackers taking advantage of weak passwords is simply to make stronger passwords, right? For some reason, there are millions of people out there who simply don’t bother taking that crucial step. Some companies, like Apple, will offer automatic password generation for passwords created on their devices, which can make it less cumbersome for users to ditch their weak passwords. 

Whatever the method, it’s of the utmost importance that passwords are as long and complex as possible. Try using entire phrases for your passwords, including capital letters, numbers, and symbols, rather than a single word or 8-digit number. 
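As an added illustration of the guidance above (this is example code written for this page, not the article’s or the vendor’s own tooling), here is a small password-policy check that rejects the weaknesses the article describes: a common password such as “123456”, a short password, too few character classes, or a single short word instead of a phrase. It also computes a crude keyspace estimate in bits, which makes the gap between an eight-character password and a passphrase concrete. The thresholds, the common-password sample and the character-class alphabet sizes are assumptions chosen for the demonstration.

```python
import math
import re

# Constructed sample of commonly used weak passwords; a production check would load a
# much larger common/breached-password corpus (assumption, not from the article).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123", "111111", "letmein"}

# Policy thresholds are assumptions chosen to reflect the article's advice.
MIN_LENGTH = 12        # the article calls eight characters or fewer weak
MIN_CLASSES = 3        # mix capitals, numbers and symbols
PHRASE_LENGTH = 16     # a single word shorter than this is asked to become a phrase

CHAR_CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),  # printable ASCII punctuation and space
}


def classes_used(pw: str) -> list:
    """Names of the character classes that actually occur in the password."""
    return [name for name, (pattern, _) in CHAR_CLASSES.items() if re.search(pattern, pw)]


def keyspace_bits(pw: str) -> float:
    """Crude brute-force cost: length * log2(size of the alphabet the password draws from).

    This is an upper bound; dictionary words and keyboard patterns are far cheaper
    to guess than the figure suggests, which is why the common-password check exists.
    """
    alphabet = sum(CHAR_CLASSES[name][1] for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def password_problems(pw: str) -> list:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(pw)
    if len(used) < MIN_CLASSES:
        problems.append(f"only {len(used)} character class(es) used: {', '.join(used) or 'none'}")
    if len(pw.split()) == 1 and len(pw) < PHRASE_LENGTH:
        problems.append("a single short word; use a multi-word phrase instead")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "Correct-Horse battery staple 42!"]:
        print(f"{candidate!r}: ~{keyspace_bits(candidate):.0f} bits, problems={password_problems(candidate)}")
```

The keyspace figure is deliberately pessimistic about the attacker: a six-digit password scores under 20 bits, a 32-character mixed phrase over 200, and anything on the common list fails regardless of the number, because attackers try those first.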

Preventing card cracking is a little more complex. While there is no way to clean up the dark web of illicit user information, there is another measure that can be taken. Frequently changing passwords can make any leaked password information obsolete before it can be used for harm. It’s also important to stay current on any large data leaks that get reported in the news. If you have an account with the associated website or organization that experienced a leak, it’s vital to change your credentials as soon as possible. 
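On the service side, the credential-stuffing pattern described in the Techniques section above is also detectable in ordinary authentication logs, and detecting it is what lets you lock the door before a leaked password is used. The following detector is an added example for this page (not the article’s or the vendor’s code): it slides a time window over failed logins, flags a source address that fails against many distinct accounts (stuffing), flags an account that accumulates many failures (brute force), and then reports any successful login from a flagged source, which is the event that actually signals a takeover. The log format, the thresholds and the log lines are constructed for the example; the IP addresses are from the reserved documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Thresholds are assumptions for the demo; tune them to your own traffic.
WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 5   # distinct accounts failing from one source within the window
BRUTE_FORCE_FAILS = 8         # failures against a single account within the window


def parse(lines):
    """Turn raw lines into time-sorted (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def _window_hit(items, key_count, threshold):
    """Slide WINDOW over time-sorted items; True once key_count(window) reaches threshold."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > WINDOW:
            start += 1
        if key_count(items[start:end + 1]) >= threshold:
            return True
    return False


def detect(lines):
    """Return flagged sources, brute-forced accounts and successes from flagged sources."""
    events = parse(lines)
    fails_by_ip, fails_by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
            fails_by_user[user].append((ts,))
    stuffing_ips = {ip for ip, items in fails_by_ip.items()
                    if _window_hit(items, lambda w: len({u for _, u in w}), STUFFING_DISTINCT_USERS)}
    brute_forced = {u for u, items in fails_by_user.items()
                    if _window_hit(items, len, BRUTE_FORCE_FAILS)}
    # A successful login from a source already spraying credentials is the ATO signal to act on.
    suspicious_successes = {user for _, ip, user, result in events
                            if result == "OK" and ip in stuffing_ips}
    return {"credential_stuffing_ips": sorted(stuffing_ips),
            "brute_forced_users": sorted(brute_forced),
            "suspicious_successes": sorted(suspicious_successes)}


def sample_log():
    """Constructed sample: one spraying source, one brute-forced account, one normal user."""
    lines = [f"2024-05-01T10:00:{i * 10:02d}Z ip=203.0.113.7 user={u} result=FAIL"
             for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    lines.append("2024-05-01T10:01:05Z ip=203.0.113.7 user=grace result=OK")
    lines += [f"2024-05-01T10:02:{i * 5:02d}Z ip=198.51.100.20 user=bob result=FAIL" for i in range(9)]
    lines += ["2024-05-01T10:03:00Z ip=192.0.2.5 user=alice result=FAIL",
              "2024-05-01T10:03:20Z ip=192.0.2.5 user=alice result=OK",
              "this line is malformed and will be skipped"]
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
```

The response to each finding differs: a stuffing source is rate-limited or blocked outright, a brute-forced account gets a step-up challenge, and a success from a flagged source is the one that warrants forcing a password reset and notifying the customer, which is how a leaked credential is made obsolete before the fraudster can use it.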

When it comes to phishing attempts, the best defense is education about the nature of the attacks. Being aware of what to look for means being able to spot a phishing attack when it happens. A good rule of thumb is to look at the subject line and the sender’s address before clicking anything inside an email. The subject lines of phishing emails will often begin with “re:” to try to trick your email provider into treating the message as a reply so that it doesn’t get sorted into the spam folder. Additionally, the sender will almost never be using a domain that’s associated with the institution they claim to represent. 
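The three rules of thumb above (sender domain versus the brand being impersonated, a fake “re:” subject, and a link that leads somewhere other than the brand’s site) can be turned into an automated triage check. The code below is an added example for this page, not the article’s or the vendor’s product: it takes a message as a dictionary of headers plus body, and returns the warning signs it finds. The brand-to-domain mapping, the crude “last two labels” domain comparison and both sample messages are constructed assumptions; a real mail gateway would use a proper public-suffix list and authentication results such as SPF and DKIM alongside these heuristics.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed mapping (assumption): brands phishers often impersonate -> domains that legitimately send for them.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
    "google": {"google.com"},
}
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"', re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com-style domains in this demo only."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def claimed_brands(msg: dict) -> list:
    """Brands the message name-drops anywhere in its sender, subject or body."""
    haystack = (msg.get("From", "") + " " + msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    return [brand for brand in BRAND_DOMAINS if brand in haystack]


def phishing_indicators(msg: dict) -> list:
    """Return the warning signs found in a message; an empty list means none of these heuristics fired."""
    reasons = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    for brand in claimed_brands(msg):
        allowed = {registrable(d) for d in BRAND_DOMAINS[brand]}
        # Rule 1: the sending domain should belong to the institution being represented.
        if registrable(sender_domain) not in allowed:
            reasons.append(f"claims to be {brand} but was sent from '{sender_domain or 'unknown'}'")
        # Rule 3: every sign-in link should lead to that institution's own site.
        for href in HREF_RE.findall(msg.get("Body", "")):
            host = urlparse(href).hostname or ""
            if registrable(host) not in allowed:
                reasons.append(f"link points to '{host}' while claiming to be {brand}")
    # Rule 2: a genuine reply carries an In-Reply-To header; a bare "re:" subject does not.
    if re.match(r"\s*re:", msg.get("Subject", ""), re.I) and not msg.get("In-Reply-To"):
        reasons.append("subject starts with 're:' but there is no In-Reply-To header")
    return reasons


# Constructed sample messages (the lookalike domains use the reserved .example TLD).
PHISH = {
    "From": "PayPal Support <security@paypa1-support.example>",
    "Subject": "re: Your PayPal account has been limited",
    "Body": 'Please <a href="http://paypa1-login.example/signin">sign in</a> to restore access.',
}
LEGIT = {
    "From": "PayPal <service@paypal.com>",
    "Subject": "Your receipt for today's payment",
    "Body": 'See the details <a href="https://www.paypal.com/myaccount/activity">in your account</a>.',
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(msg))
```

The constructed phishing sample trips all three rules, while the legitimate receipt trips none; in practice these heuristics are a triage layer that decides which messages get a closer look, not a verdict on their own.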

Third-Party ATO Protection

Best practices and awareness won’t stop all account takeover fraud, especially within a business or organization where multiple people are being targeted at a time. In these cases, it’s best to use a good third-party fraud prevention service.

At, we’re experienced in protecting against fraud in all its forms. Our machine learning, anomaly detection, geolocation, and behavioral analyses can all be combined to detect high-risk sessions on your site and prevent most fraudulent logins, stopping hacked accounts in their tracks before any damage can be done. Just as importantly, we can accomplish this without affecting the user experience of your real customers. 

Furthermore, our cybersecurity experts are well-versed in dark web intelligence and able to help you prevent your accounts from being taken over as well. 

When it comes to preventing account takeover fraud, having the best tools on your side can be the difference that counts. Sign up for a free demo to learn more about how our solution can help you.