What is Account Takeover Fraud?


Over the years, fraudsters have devised various techniques to exploit the vulnerabilities in companies to take over the accounts. They are adaptive, creative, and organized. Using bots and botnets, criminals can target hundreds of accounts at once. The rate at which the bots work and their ability to operate in stealth mode magnifies the complexity of the attack. It makes them virtually undetectable. Account takeover refers to the act by which fraudsters steal sensitive information and assume control of an account. According to a study conducted by Forter, account takeover increased by 31% year-on-year in the third quarter of 2017. With the account takeover ever-growing, it leaves one asking, which methods do they use to carry out these account takeover attacks?

Account Takeover Scenarios

Credential stuffing

In most cases, account takeovers take place after a data breach happens. This is because extensive lists of usernames, passwords, and other credentials are dumped in the dark web marketplaces. Cybercriminals freely purchase using cryptocurrencies. These criminals then try all the usernames, passwords, and other login credentials to check which combinations are working. They do this with the help of a script (bot) or manually. Bots are preferred because they work at a faster rate compared to human beings. We refer to this process as credential stuffing. Although there are low success rates in credential stuffing attacks, all a fraudster needs are access to one account.

So, how can you protect your clients from credential stuffing attacks? To keep their data and credentials safe, regularly check if their credentials on data leak databases like HaveIbeenPwned. Ensure that your users have enabled Multi-Factor Authentication and they routinely change their passwords.

Password spraying

A cybercriminal can target a specific account using passwords that are commonly found. To date, many manufacturers and companies still rely on default passwords like 0000, admin, 12345, and other strings that are non-secure. We can easily guess these, and it makes the malicious actors attempt account takeover very easy. To protect your customers from password spraying, check if user credentials were in a leak before by just entering the email. If a user is to use a leaked password, the system warns them. It may also trigger email verifications on login to ensure the user is not the victim of an account takeover attack. To avoid this as much as possible, companies should use software that provides password management for business.

Brute force attack or credential cracking

Instead of having the whole account details, sometimes an attacker may have a part of the details of the account. In most cases, they may have the email but do not have the password. The quickest way to figure it is by guessing. They use bots and scripts for guessing the password. Similar protection measures as in credential stuffing also apply to Brute force attacks.

Man In The Middle attack (MITM)

In this account takeover scenario, as the name suggests, a third party (bot) is used for intercepting the data between the user and your company. Man In The Middle attacks are like eavesdropping on a conversation online while waiting for a person to reveal their login credentials. It has a close relationship to espionage. These are sophisticated attacks that involve a broad range of techniques, including:

  • Evil Twin attack: It Mirrors Wi-Fi access points that are legitimate but controlled by a cybercriminal.
  • SSL Stripping: in this case, attackers make an HTTPS connection between the server and the cybercriminal.

To protect yourself from MITM attacks, ensure that only unaffected traffic comes to your site. Multifactor authentication (MFAs) and the use of encryption passwords can help mitigate MITM attacks. Immediately notify your users when you have been given a notice of a MITM attack.


To get your account details, cybercriminals ask for them. They do this by presenting themselves as other persons. A phishing activity can be;

  1. An email that asks you to enter your password
  2. An SMS directing you to log into a copy of a legitimate-looking website
  3. A link to a key-capturing script(keylogger)

To get access to the user accounts, cybercriminals leave no stone unturned. By going to such lengths and exhibiting such profound creativity, it serves to show how valuable that data is. To protect yourself against account takeover through phishing, educate your users about phishing, its effects, and its forms. Also, educate them on how they can remain safe. You can promote a culture of double-checking the URL of your website.

Sim Swapping/ jacking

This scenario of account takeover uses multifactor authentication like 2FA to prevent account takeover. In addition, a user’s identity is confirmed by linking their account to something that they have, like an account, biometrics, or a device. Phone verification using OTP has become very common. This has given the cybercriminals time to craft ways of exploiting it. They are now involved in techniques for swapping and jacking the SIM cards. To do this, they contact the operator and request to move the number to a new SIM card they are in control of. By doing this, the attackers now have control over a user’s social media, emails, and SMS that they used to check for verification messages. To protect your users, ensure that they know of any changes that may affect their accounts. To register a new number or change your email address should be confirmed through various channels. You should assess all the updated information for risks.

SSRF vulnerability attack

SSRF is an acronym for Server-Side Request Forgery, also known as CSRF. SSRF is another way for mishandling inputs from the user. Without proper validation, the attacker can force the server to make connections to arbitrary domains of their choice. It can grant them access to the organizational data, which includes a user’s login credentials. The only way to prevent this is by ensuring that the server validates all the incoming requests.

The other Scenario for account takeovers includes XSS, session sniffing, session fixation, and social engineering.


To prevent account takeover, deploy high-quality data protection practices, educate the users, and secure the code for the website. This is a multi-step and collaborative process between the users and the business to weed out the cybercriminals. You should promptly notify the affected customers when you see such signs. Unfortunately, many merchants attempt to handle the situation and rarely alert their customers about data breaches or account takeovers.


Please enter your comment!
Please enter your name here