Understanding the Risks of Account Takeover Fraud


As cybercriminals continue to leverage stolen identity information and login credentials, account takeover (ATO) fraud remains a serious threat to consumers. Having someone hijack any of your accounts — including credit cards, social media profiles, online gaming, ecommerce, digital banking and investments — is a real risk if your usernames and passwords are compromised.

Let’s look at the latest trends and updates regarding this threat so you know the risks and how to safeguard your accounts against abuse.

What is account takeover fraud?

Account takeover fraud happens when a bad actor gains unauthorized access to a victim’s personal digital or online accounts. Typically, the fraudster will use credentials stolen during a data breach or social engineering attack like phishing, imposter fraud or business email compromise (BEC), or some form of cyber extortion, such as a ransomware attack.

After gaining access, the criminal can take control of the account — changing details like billing addresses for credit cards, conducting fraudulent transactions, withdrawing money from financial institutions, exploiting friends or family members in the victim’s social media network, etc. The criminal can also profit by selling the account details to other criminals via the dark web.

As you might imagine, the financial, reputational and emotional damage caused by ATO can be significant. In 2023, incidents of account takeover caused approximately $13 billion in losses.

Are incidences of account takeover fraud increasing?

Given the increasing severity of data breaches, it’s not surprising that the data stolen in these events is powering a rise in account takeover incidents. Reports of ATO have grown 18% annually, surpassing credit card fraud as the type of fraud most frequently reported to TransUnion by its customers.

It also seems anyone can be targeted, with 29% of internet users (which equates to about 77 million adults) experiencing account takeover. One in five of those victims reported it happened within the past year.

How does account takeover fraud occur?

The key to ATO fraud is user credential data, which criminals use to bypass an account’s security. The kind of data elements often used includes:

  • Login credentials: Usernames and passwords are the most sought-after items because the criminal doesn’t need to break in; they simply log in.
  • Personal details: Any details that can help an attacker bypass the security questions protecting the account are useful. The victim’s full name, date of birth, hometown, employer, etc. can all be used. Attackers can also track a victim’s social media profile for the kind of intimate details they can use to guess passwords or answers to security questions.
  • Contact information: Criminals may try to intercept the authentication messages sent to a victim’s email or phone by compromising those channels.
  • Financial information: Knowing where you bank or shop can give a fraudster a new target with a potentially big payday if they have your credentials or personal details.

It’s worth noting credential stuffing is one of the most common tactics used in account takeover. This is when a fraudster uses stolen login credentials from one account and attempts to access a different account using the same username and password. With 70% of ATO victims admitting their compromised accounts didn’t have unique passwords, it’s no wonder criminals continue to rely on this tactic.
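As an added illustration from the defender's side (not part of the original article), the following Python checks a few constructed login-log lines for the signature credential stuffing leaves on a service: one source address trying many different usernames in a short window with mostly failures, plus the accounts that nonetheless logged in successfully from it. The log format, thresholds and IP addresses are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:03 203.0.113.7 erin SUCCESS
2024-05-01T10:00:04 203.0.113.7 frank FAIL
2024-05-01T10:05:00 198.51.100.20 alice FAIL
2024-05-01T10:05:30 198.51.100.20 alice SUCCESS
"""

def parse_events(text):
    """Turn log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.3):
    """Flag source IPs that, within any sliding `window`, tried at least `min_users`
    distinct usernames with a success ratio at or below `max_success_ratio`. A real user
    retrying one account never trips this; a leaked list sprayed across accounts does."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}  # ip -> (distinct usernames, successes) for the widest offending window
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, r in span if r == "SUCCESS")
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), successes)
    return flagged

def accounts_to_review(events, flagged):
    """Usernames that logged in successfully from a flagged IP: the likely takeovers,
    which should be forced to re-authenticate and reset their password."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"})
```

The successful login buried among the failures is the one that matters: the service should treat that account as taken over even though the password was correct.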

How to protect against account takeover fraud

Given the number of data breaches that expose the personal data of consumers to bad actors, one can assume the threat of account takeover fraud will remain for now. That said, there are a few proactive steps you can take to safeguard your accounts.

  1. Use strong, unique passwords: To reduce the risk of a credential stuffing attack, strengthen your logins. Passwords or passphrases that are at least 12 characters long and include a mix of upper- and lower-case letters, numbers and symbols are more secure. Ensure every account you have has a completely unique password (not just variations of the same password).
  2. Enable multi-factor authentication (MFA): Also known as two-factor authentication, this adds an extra layer of security to your online accounts. Beyond the password, it requires a second verification step before granting access, such as a one-time code sent to your phone, an email confirmation, an SMS text, a physical MFA key, or a biometric check. This extra step helps stop an attacker who already has your username and password from getting into your account.
  3. Monitor your accounts: It’s always a good idea to review financial and credit card statements for suspicious activity or unauthorized transactions. If you see any you don’t recognize, reporting it to your bank, credit union or credit card issuer immediately can help reduce the potential damage and start the process of regaining control of your account.

Today’s threat landscape requires everyone to be on guard to protect our digital, financial and identity information. Since account takeover fraud continues to gain favor with criminals, we must actively protect the information they seek in order to take control of our accounts. Understanding the risks and knowing how to avoid them is the first step to safeguarding your accounts.