Account Takeover Fraud: Definition and Defenses

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

During account takeover fraud, a hacker gains access to your login credentials. With that information, the hacker can log in just as you might. And once there, the hacker can do anything you are authorized to do.

Account takeover fraud could be used anywhere. But hackers often deploy this attack in banking settings. They'd like to steal your money, and if they have your credentials, they are able to.

Account takeover fraud definition

Account takeover fraud involves credential theft and an attempt to steal money. This attack is sometimes called account takeover identity theft

Almost half of all Americans experienced some kind of account takeover fraud in 2020, and that number might rise. As criminals become adept at using computers to speed up hacking, launching attacks against many people grows easier.

Account takeover fraud follows a familiar process:

  1. Access: The hacker uses one of several available methods to uncover your username and password. With that data, the hacker heads to your account, and the host server has no idea a hacker has connected. 
  2. Alter: The hacker changes your username, password, or notification settings. The attack becomes harder to spot. 
  3. Attempt: The hacker moves a small amount of money or makes a small purchase. If this test is successful, more attacks will follow. If not, the hacker may move to a new target.
  4. Theft: The hacker transfers money, orders new cards, or otherwise attempts to drain your account. 

How much could you lose in an attack like this? Ask a victim in North Carolina. Hackers took about $12,000 from her bank account in just one month.

8 account takeover fraud types

How can someone tap into your account and take your money? Theft starts the process.

These eight methods help attackers log into victim accounts:

  1. Phishing: A hacker sends a fraudulent email, and you're deceived by it. You tap a button and log in with your account information, and the hacker uses the data against you.
  2. Malware: The hacker creates a tiny computer program that aids in the theft. That program appears on a website, in an email, or both. This approach is popular. In 2012, experts identified about 99 million malware threats. In 2021, they found 1,266 million. 
  3. Man-in-the-middle: A hacker listens in on your protected communication with the bank. The hacker might infiltrate your router, breach the bank's firewall, or use some other method to set up the attack.
  4. Credential stuffing: Hackers buy usernames and passwords, and they build programs that can attempt to log in on thousands of websites.
  5. Hacking: Thieves break into bank websites and tap into stored usernames and passwords. 
  6. Mail theft: Hackers break into your mailbox and steal mail from your bank containing your password. 
  7. Wallet theft: Thieves grab your wallet or purse and hope you've written your login data on your credit and debit cards. 
  8. Card skimming: Hackers put a tiny computer chip inside payment tools at grocery stores and gas stations. Thefts like this cost about $1 billion each year.

Some hackers specialize in one form of fraud, and they never attempt secondary versions. But others are willing to try anything and everything to steal your money.

Recovering from debt isn’t easy. You may never know who stole from you, and depending on your bank’s policies, you may not be protected from loss. 

Banks also face significant account takeover fraud risks. Victims may blame their banks for the losses, and if they do, they could tarnish the institution’s brand.

Your account takeover prevention plan

The sooner you spot an attack, the quicker you can act. And the stronger your defenses, the more you can block attackers.

Try these methods:

  1. Invest in automation. Computer programs can spot unusual activity, such as repeated login attempts from far-off locations. Systems like this can lock down bank servers and restrict access until you can authorize the activity. 
  2. Require two-factor authentication. One username/password combination isn't enough to stop persistent hackers. Ensure that all bank clients register a device or some type of biometrics (like a fingerprint) to complete logins.
  3. Beef up customer service. Ensure that customers can report fraudulent activity, including unusual email messages and phone calls. You could spot an attack before it begins.
  4. Watch reports. Bank IT teams must supervise activity around the clock and step in when something seems unusual or wrong. 

We've included a mix of steps for businesses and individuals, and that's intentional. Companies and customers must work together to reduce account takeover fraud risks.

At Okta, we work with customers every day to secure identities and keep users safe. Find out more about the work we do.


Facts + Statistics: Identity Theft and Cybercrime. Insurance Information Institute.

Three Greenville Teens Arrested on Fraud Charges. (September 2021). WNCT9.

Malware. AV Test

Skimming. Federal Bureau of Investigations.