How to spot and prevent account takeover fraud

Saturday, January 03, 2015

Ecommerce is exploding in popularity as a way to shop. As technology advances, shoppers turn to apps, online stores, online delivery services, and more to buy products from groceries to clothes to home decor and beyond. Because the online marketplace is relatively new and constantly developing, there are increasing security risks that both consumers and businesses need to be aware of in order to protect against them.

What is account takeover fraud?

Account takeover (ATO) fraud is when a criminal uses stolen credentials or other sensitive data to take control of an existing, legitimate account and use it for their own purposes. Unfortunately, ATO goes beyond a stolen credit card and can become a matter of identity theft: a victim of ATO may be locked out of their own accounts, whether those are bank accounts, social media accounts, or others. The hijacked accounts can then be used to make purchases or to scam others for profit, all without the consent of the lawful owner.

Accounts and information that are at risk of ATO include, but are not limited to:

  • Social security numbers
  • Checking account information
  • Savings account information
  • Social media profiles
  • Tax documents

How does account takeover fraud work?

Cybercriminals have a number of ways to get at personal data, including by compromising the financial institutions and merchants where customers shop, which is a massive risk for both sides of a transaction. Many ATO incidents trace back to weak security practices on the customer's end (reused or easily guessed passwords), which limits how much a business can guarantee on its own. Recognizing ATO still matters to merchants directly: purchases made through a hijacked account are not authentic, and they end in lost money, lost products, or chargebacks.

How do criminals get access to all of this data?

In order to take over an account, a fraudster first needs sensitive data about the victim, such as their name, birthdate, Social Security number, or other details, collectively known as personally identifiable information (PII).

Once the information that they need is gathered, ATO can occur in any of the following ways:

  • Brute force
  • Phishing
  • Malware
  • Credential stuffing
  • Social engineering

Each of these methods succeeds more easily where fraud detection at the point of sale is poor and login security is weak. Here is more detail on what each method entails.

Brute force

Brute force attacks involve a hacker guessing the password to an account by trying many candidate passwords, either systematically or through what is called a "dictionary attack", which works through lists of common words, number patterns, and passwords exposed in earlier leaks. Against a login page that limits attempts, these attacks are slow and noisy, so they are less common than attacks that start from a credential the attacker already has.

Phishing
Credential phishing attacks occur when a hacker tricks a user, often via a spam email, into entering their login credentials on a page the attacker controls, typically a look-alike of the real login page reached through a link in the message. From there, the hacker can use those credentials on the site that was imitated, and on any other site where the victim reused the same password.

In a corporate setting, phishing can also spread along the supply chain. In this case, a fraudster gets into the victim's corporate email and, writing from a trusted address, scams others within the company and its business partners.

At this point, data exfiltration can also occur: once the hacker has access to a mailbox, they also have its calendar, contacts, and more, giving them a broad range of further hacking and scamming opportunities.

Social engineering

Phishing is a form of social engineering which requires deception to gain access to others’ personal, secure data. Once an individual has been tricked into sharing information, that data is compromised and used for fraudulent activity.

Malware
Malware attacks use tools such as keyloggers and information-stealing trojans on the victim's device to capture user credentials and use them for ATO. Credentials harvested this way are often sold in bulk on the dark web, where they feed the credential stuffing attacks described below.

Credential stuffing

Credential stuffing, also called a breach replay attack, happens when a password leaked in one data breach has been reused by its owner on other sites. Once that password is compromised, every account that shares it is at risk.

Credential stuffing is almost always automated: bots take lists of leaked email/password pairs and try them against your login page at scale, so one of the smartest ways to prevent it is encouraging shoppers to use a password on your site that they use nowhere else, and throttling the automated traffic when it arrives.

Why is ATO so hard to prevent?

ATO exploits weaknesses on the account holder's side at least as much as gaps in the security measures a business takes, which is why it is so hard to prevent. There are countless ways for a hacker to attempt to steal information and take over personal accounts. Although there is never a perfect system that stops ATO entirely, there are ways to make it much harder for hackers and fraudsters to access customer information.

How does ATO impact merchants?

Risk for fraud and chargebacks

ATO is bad news for any merchant: not only does it damage the trust built with customers, but in cases of theft and fraudulent purchases the customer can use chargebacks to get their money back, leaving the merchant with the loss.

In 2021, cybercrime was estimated to cost approximately 6 trillion USD worldwide. This is a huge price tag that impacts the global economy, so ATO is ultimately a bad situation for everyone, not only the customer and the business owner.

How can merchants spot ATO?

There are a few ways for merchants to spot and prevent ATO from happening in the first place. Here, we will walk you through some of the main warning signs and best ways to arm your business and your customers against vulnerabilities.

Have strong security for online signups

The first way of preventing ATO is by creating strong security for online signups, which includes accounts made on your site. Here are some ideas for how to attain stronger security at login:

  • Set a limit for login attempts

The fewer guesses an attacker can make against an account, the less likely it is to be cracked. For example, if a user fails 3 email/password combinations in a row, further attempts on that account can be blocked for a period of time. Make the lock temporary, or use progressively longer delays, and notify the account owner: a permanent freeze lets an attacker lock legitimate customers out simply by guessing wrong on purpose.

  • Give strong password recommendations

Nowadays, password managers built into browsers and operating systems can store passwords (encrypted) for many sites, so a user no longer needs to remember or write down every password for every account. If your site suggests a strong, unique password when a new account is created, the user can save it in their manager instead of reusing one they already know. This is an easy way for customers to stay protected, and it directly undercuts credential stuffing.

  • Enable multi-factor authentication

Two-factor or multi-factor authentication (2FA/MFA) requires a customer to present more than an email address and password to gain access, typically a one-time code delivered to their phone or generated by an authenticator app. Note that a security question is just another thing the user knows, so it does not count as a genuine second factor, and a code sent by SMS is weaker than an authenticator app because phone numbers can be hijacked.

  • Send notifications for login credential changes

If an account holder's details change (email address, password, phone number, shipping address), have an automatic notification sent to the previous contact details so they hear about it even if the attacker has already changed the new ones. In the event that their data is changed without their permission, this is a fast way to notice suspicious activity and secure the account before it is too late.
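The login-attempt limit above, the notification on suspicious changes, and the credential stuffing section earlier all come down to the same piece of server-side logic. The following is an added example for this article, not Heartland's code: a throttle that locks an account temporarily after repeated failures and separately flags one address that walks through many different accounts, which is what stuffing traffic looks like from the merchant's side. The thresholds are assumed policy values and the attempts fed in are constructed samples.

```python
"""Login throttling with a temporary per-account lockout plus a per-IP
check for credential-stuffing traffic (one address trying many accounts).
Added example for this article; not Heartland's code. Thresholds are
assumed policy values, and the attempts fed in are constructed samples."""
from collections import defaultdict, deque

MAX_ACCOUNT_FAILURES = 3        # failures before the account is locked
LOCK_SECONDS = 15 * 60          # lock is temporary, not a permanent freeze
IP_WINDOW_SECONDS = 60          # sliding window for the per-IP check
IP_MAX_DISTINCT_ACCOUNTS = 10   # more distinct accounts than this from one IP is suspicious


class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> time the lock expires
        self.ip_seen = defaultdict(deque)    # ip -> (timestamp, account) pairs
        self.flagged_ips = set()
        self.alerts = []                     # events to notify the owner / monitoring about

    def _check_ip(self, ip, account, now):
        seen = self.ip_seen[ip]
        seen.append((now, account))
        while seen and now - seen[0][0] > IP_WINDOW_SECONDS:
            seen.popleft()
        distinct = {acct for _, acct in seen}
        if len(distinct) > IP_MAX_DISTINCT_ACCOUNTS and ip not in self.flagged_ips:
            self.flagged_ips.add(ip)
            self.alerts.append(("stuffing_suspected", ip, len(distinct)))

    def attempt(self, account, ip, password_ok, now):
        """Record one login attempt; return 'ok', 'denied' or 'locked'.

        `password_ok` stands in for the real credential check, which should
        run against a salted password hash, never a stored password.
        `now` is epoch seconds, passed in so the logic is testable."""
        self._check_ip(ip, account, now)
        if now < self.locked_until.get(account, 0):
            return "locked"          # even a correct password waits out the lock
        if password_ok:
            self.failures.pop(account, None)   # reset the counter on success
            return "ok"
        fails = self.failures[account]
        fails.append(now)
        while fails and now - fails[0] > LOCK_SECONDS:
            fails.popleft()          # old failures age out; no permanent freeze
        if len(fails) >= MAX_ACCOUNT_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            fails.clear()
            self.alerts.append(("account_locked", account, ip))
            return "locked"
        return "denied"


def demo():
    """Constructed sample traffic: three bad guesses on one account, the right
    password during and after the lock, then one address that walks through a
    dozen accounts in a few seconds."""
    throttle = LoginThrottle()
    results = [throttle.attempt("alice", "203.0.113.5", False, now=i) for i in range(3)]
    results.append(throttle.attempt("alice", "203.0.113.5", True, now=10))                 # still locked
    results.append(throttle.attempt("alice", "203.0.113.5", True, now=10 + LOCK_SECONDS))  # lock expired
    for i in range(12):
        throttle.attempt(f"user{i}", "198.51.100.9", False, now=100 + i)
    return results, throttle.alerts


if __name__ == "__main__":
    print(demo())
```

The `alerts` list is where the notification step hooks in: an `account_locked` event should go to the account owner's existing contact details, and a `stuffing_suspected` event to whoever watches the login endpoint, since one failure per account never trips the per-account counter and would otherwise go unnoticed.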

Protect your customer data

High security measures and systems in place are always smart ways of ensuring that user data cannot be hacked or compromised from the outside. Make sure that as a business owner, you are staying on top of the most current fraud prevention and security measures available. Online security is a booming industry and new innovations for preventing ATO and other types of fraud are constantly evolving.

Security vendors and advisors can tailor controls to your industry and to the issues specific to your business, so no amount of research into how your customers' data is stored and protected is too much.

Know your customer

It may sound daunting to consider each of your customers’ personal shopping habits, but certain activities will stick out as abnormal, and they are important to pay attention to. Here are some ways to know your customer and recognize a potentially fraudulent transaction:

  • Look for out-of-location activity (e.g. a billing address in California but an order shipping to New York)
  • Similarly, check the geolocation of login attempts (several attempts on one account from outside the customer's country is unusual)
  • Out-of-character purchases for a customer – this can also help identify bots
  • Bulk or repeated purchases
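The signals above are simple enough to encode as rules that run over each login and order as it arrives. The following is an added example for this article, not Heartland's code: a rule set that compares each event against what is normal for one customer and reports which events deserve a call to the customer. The profile fields, thresholds, and the login and order history are all constructed for illustration.

```python
"""Rule-based flags for the 'know your customer' signals listed above:
out-of-location shipping, logins from an unexpected country, out-of-character
order values and quantities, and bulk or repeated orders. Added example for
this article; not Heartland's code. The profile fields, thresholds and events
are all constructed for illustration."""
from datetime import datetime, timedelta

# What "normal" looks like for one customer (assumed fields, not a real schema)
PROFILE = {
    "home_country": "US",
    "billing_state": "CA",
    "max_order_total": 150.0,   # largest order this customer has placed before
    "max_item_qty": 2,          # most units of one product bought at once
}

REPEAT_WINDOW = timedelta(hours=24)
REPEAT_THRESHOLD = 3            # assumed: 3 or more orders in a day is unusual here
FAILURE_LOOKBACK = timedelta(minutes=30)


def login_flags(profile, login, prior_logins):
    """Flags for one login, given the logins that came before it."""
    flags = []
    if login["country"] != profile["home_country"]:
        flags.append("login_outside_home_country")
        # Several failures from that country followed by a success is the
        # footprint of a guessed or stuffed password, not a travelling customer
        recent_failures = [
            p for p in prior_logins
            if not p["ok"] and p["country"] == login["country"]
            and login["ts"] - p["ts"] <= FAILURE_LOOKBACK
        ]
        if login["ok"] and len(recent_failures) >= 2:
            flags.append("success_after_repeated_failures_abroad")
    return flags


def order_flags(profile, order, prior_orders):
    """Flags for one order, given the orders that came before it."""
    flags = []
    if order["shipping_state"] != profile["billing_state"]:
        flags.append("shipping_state_differs_from_billing")
    if order["total"] > 3 * profile["max_order_total"]:
        flags.append("order_value_out_of_character")
    if order["max_item_qty"] > 3 * profile["max_item_qty"]:
        flags.append("bulk_quantity")
    recent = [p for p in prior_orders if order["ts"] - p["ts"] <= REPEAT_WINDOW]
    if len(recent) + 1 >= REPEAT_THRESHOLD:
        flags.append("repeated_orders_in_24h")
    return flags


def review(profile, logins, orders):
    """Walk logins and orders in time order; return (event id, flags) for
    every event that raised at least one flag. A real system would turn
    these into a hold for manual review or a call to the customer."""
    flagged, seen_logins, seen_orders = [], [], []
    for event in sorted(logins + orders, key=lambda e: e["ts"]):
        if "country" in event:                       # login events carry a country
            flags = login_flags(profile, event, seen_logins)
            seen_logins.append(event)
        else:
            flags = order_flags(profile, event, seen_orders)
            seen_orders.append(event)
        if flags:
            flagged.append((event["id"], flags))
    return flagged


def demo():
    """Constructed history: a normal day, then a night-time takeover pattern."""
    t = datetime.fromisoformat
    logins = [
        {"id": "L1", "ts": t("2021-05-01T09:00"), "country": "US", "ok": True},
        {"id": "L2", "ts": t("2021-05-02T03:10"), "country": "RO", "ok": False},
        {"id": "L3", "ts": t("2021-05-02T03:11"), "country": "RO", "ok": False},
        {"id": "L4", "ts": t("2021-05-02T03:12"), "country": "RO", "ok": True},
    ]
    orders = [
        {"id": "O1", "ts": t("2021-05-01T09:05"), "shipping_state": "CA", "total": 80.0, "max_item_qty": 1},
        {"id": "O2", "ts": t("2021-05-02T03:20"), "shipping_state": "NY", "total": 950.0, "max_item_qty": 10},
        {"id": "O3", "ts": t("2021-05-02T03:25"), "shipping_state": "NY", "total": 950.0, "max_item_qty": 10},
        {"id": "O4", "ts": t("2021-05-02T03:30"), "shipping_state": "NY", "total": 950.0, "max_item_qty": 10},
    ]
    return review(PROFILE, logins, orders)


if __name__ == "__main__":
    for event_id, flags in demo():
        print(event_id, ", ".join(flags))
```

A single flag (a customer really has moved, or is buying gifts) is not proof of fraud; the value is in the combination, here a successful login from a new country minutes after repeated failures, followed by large out-of-state orders in quick succession, which is exactly the pattern worth holding for review or a phone call before the goods ship.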

Contact customers or law enforcement if transactions seem suspicious

Finally, if anything on a customer’s account or transaction seems suspicious, it is always good practice to contact the customer directly, or go to law enforcement to assist in handling the situation.

Law enforcement is also a good resource for businesses to stay informed about cybersecurity best practices and how to recognize threats. This includes government institutions that share information between businesses about safety strategies and current cyber threats. Much of this sharing can be done anonymously, so a business owner can take part without jeopardizing their reputation or exposing private information.

Keep your business secure with a payment processor you can trust

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at