The Large and Growing Threat of Account Takeover

Account Takeover (ATO) represented one in four identity fraud losses in 2021, growing 90 percent year-over-year to an $11.4 billion problem, according to a recent study by Javelin. Several other studies and surveys have found equally staggering statistics showing the growth of ATO.


The aforementioned Javelin study found account takeover to be the second-fastest growing type of fraud attack, not far behind new account fraud, which increased by 109 percent from 2020 to 2021. Other studies found ATO to be the fastest growing form of fraud, such as a report from Feedzai, which saw ATO jump into the top position of most seen fraud attacks across their network in 2021, up from the fourth most prevalent attack in 2020.


Account takeover is a difficult issue for organizations, which often have to fight it on multiple fronts. While fraudsters are able to leverage data compromised in third-party data breaches and take advantage of consumers who reuse email and password combinations, merchants also have to be concerned with alternative payment accounts that have been taken over and used to make fraudulent purchases.


It’s no surprise that a survey of 1,200 IT security professionals found ATO to be the second most pervasive and expanding threat behind malware, with CyberEdge Group, the group behind the survey, predicting that “ATO will take over the top spot in the next year or two.”

Most organizations have realized that simply validating that the correct password is provided is not enough to curb ATO, but fraudsters are also compromising one of the most common forms of two-factor authentication (2FA) with SIM swap schemes.


SIM swapping enables fraudsters to spoof a mobile number and thus receive the dynamic 2FA code intended to verify the account holder at the time of login. This typically starts with takeover of a consumer’s mobile phone account login information, and maybe a bit of social engineering to get full access to and control of the mobile number. According to the FBI, SIM swap scams resulted in $68 million for fraudsters stemming from about 1,600 reported complaints, which is very likely an underrepresentation of the scope of the problem.


Meanwhile, merchants need to be concerned with account takeover on the user accounts they provide customers, ATO on alternative payment methods used to purchase from their apps or sites, and whether or not their 2FA protocols are sufficient given the growing proliferation of SIM swaps that beget further ATO.


For more information:


Account takeover poised to surpass malware as the No. 1 security concern


Feedzai’s Financial Crime Report: 223% Increase in Online Fraud Attack Rates


'SIM swap' scams netted $68 million in 2021: FBI
