Download the PDF version

What is Account Takeover fraud and how to avoid it


In 2023, Account Takeover was confirmed to be among the most harmful types of fraud for online banking customers. 

At Cleafy, we have seen that 90% of fraud attempts are still conducted via Account Takeover, and our forecasts expect this number to stay flat in 2024. 

Banks and financial institutions have always been the highest priority target of ATO attacks, as cybercriminals’ goal is to make immediate financial gains out of their illegal activities.

As there is still a bit of confusion in the market about the many different ways Account Takeover can be performed, in this article, we aim to share some clarifications and help you understand how to protect your online customers better.

What is Account Takeover

An Account Takeover (ATO) happens every time a cybercriminal takes over an online account to steal information or money. The most commonly targeted online accounts are bank accounts, social media profiles, and email addresses. In the first case, we talk about Bank Account Takeover.

Account Takeover is the most common technique used by cybercriminals to perpetrate online banking fraud.

The first step to accessing a person’s account is stealing the personal credentials used for logging in to the banking app or web app.

To do so, fraudsters either leverage social engineering and user manipulation techniques alone, such as phishing, smishing, or vishing, or manage to install malware on the victim’s device.

What Account Takeover is not

At this point, we need to dissipate any doubts you might have about Account Takeover by comparing it with other types of fraud attempts that can be easily confused with the subject of our article. 

Account Takeover is not Scam

When cybercriminals manipulate the victims, usually through the phone, to convince them to perform an action (like a payment on an illegitimate account), we talk about scam. This is not an Account Takeover, as cybercriminals do not take over the victim’s account themselves. All activities are performed by the victim itself. 

Scam is also known as Authorised Push Payment fraud

Account Takeover is not Automated Transfer System

When cybercriminals manage to install advanced malware on your customers’ devices that can tamper with the victim’s transaction and direct it to an illegitimate bank account, we talk about Automated Transfer System (ATS, in short). This is not an Account Takeover, as cybercriminals do not take over the victim’s account themselves. All activities are performed by the victim itself. 

A real-life example is Sharkbot, a banking malware discovered by the Cleafy Threat Intelligence team in 2021. 

How does Account Takeover happen

As cybercriminals develop every day new advanced fraud techniques, it is important to understand how ATO can be performed and what to do to prevent your banking customers from falling into these traps. 

Cybercriminals can complete an Account Takeover via their own devices, with or without the help of malware, or by taking over the victim’s device to perform illicit activities, such as accessing banking accounts or stealing sensitive data. In this second case, we talk about Device Takeover (DTO), and it requires the use of advanced malware that can perform remote device control. 

In both cases, cybercriminals use social engineering techniques to trick customers into performing activities that give access to sensitive information or downloading a malicious app.

ATO via a new device

To access an account from a new device, most of the security systems ask customers to complete SCA, by sending OTP or other in-app codes. This might be tricky for hackers unless they don’t collect the credentials directly from the chosen victim. And how to do that? 

The evolution of Artificial Intelligence is pushing social engineering towards more advanced techniques that can easily elude fraud management solutions. Learn more in our previous article: “Social engineering attacks in online banking: how to identify and fight them”.
Social Engineering only

Phishing, smishing, and vishing are the usual examples of how cybercriminals collect authentication credentials to attempt ATO from their device.

Fraudsters can trick customers directly via voice calls (vishing) and convince them to provide the OTP message to let them access the victim's account from another device and finalize the fraud whilst keeping the victim on call.

Social Engineering and Malware

In other scenarios, cybercriminals spread infectious malware on the victim’s devices. This can happen via clickable links contained in an e-mail (phishing) or SMS (smishing) that looks 100% legitimate. A very common practice is the so-called spoofing, which consists of sending an SMS with a trusted entity’s name as the sender (e.g., the bank)

Often, these links direct the victim toward downloading malicious apps that open the doors to perform ATO. Once the application is installed, the hidden malware gains access to the victim’s device and lets the fraudster read OTP’s sent either in-app or via SMS. 

To do that, the installed malware leverages mainly two capabilities: 

  • Overlay is a technique that imposes a layer on top of specific pages of the app (or web app) to intercept private information.
  • SMS Sniffers capture SMS messages to steal personal data or read OTP to bypass Multi-factor Authentication procedures.  

How does phishing happen? | Cleafy
How does phishing happen?
Sim Swap 

SIM Swap is a fraudulent activity that consists of transferring the victim’s phone number to another SIM. To do so, fraudsters impersonate the victim and trick the mobile provider’s operators into releasing a new SIM card for the same phone number.

Then, they use the new SIM to receive OTP messages and bypass Multi-Factor Authentication procedures to access any account connected to that number.

"What is SIM Swap and how to prevent it?". Get a deep dive in our article.

ATO via Device Takeover 

As mentioned above, Account Takeover can also be performed directly from the victim’s device (that’s why we talk about on-device fraud). 

Even though on-device fraud are operatively more difficult to conduct, they represent higher chances for cybercriminals to complete their fraud successfully. This is particularly true in the online banking industry, where every new device enrollment is carefully controlled and, if considered risky, blocked. 

Over 80% of modern Android Banking Trojan have integrated modules to enable RAT functionalities and take complete control of the device. 

To complete Device Takeover, cybercriminals leverage a type of malware called Remote Access Trojans (RATs), which are designed to remotely control an infected device, sending commands and receiving data back in response. 

In 2021, our TI team discovered Teabot, a mobile malware used to perpetrate fraud directly from the victim’s device through smishing campaigns and the abuse of Accessibility Services for remote interaction and key-logging. 

Talking about web apps, a less known but highly dangerous technique to complete Account Takeover fraud is the abuse of legitimate Remote Access tools, like, for example, Team Viewer. These tools, also known as Remote Monitoring & Management (RMM), are usually used to work remotely and do not pose a danger to security systems per se. Cybercriminals spread infected versions of those tools so that they can remotely control everything that happens on the device the tool is installed on.

ATO via on-device fraud is expected to grow exponentially in the coming months. 

How does ATO via new-generation malware, like TeaBot, work? Download our infographic to find out.

Prevent Account Takeover fraud 

Our decades of experience in cybersecurity taught us that Account Takeover attacks are the most complex to stop, as they leverage social engineering techniques that directly target people’s minds

Education and Awareness

As a bank, you cannot prevent a customer from falling into cyber traps, but what you can certainly do is work on educating your customers about the potential threats they are exposed to every day. 

Education and awareness to protect from ATO | Cleafy

Moreover, you can ensure that your security systems are strong enough to shield you from the consequences of a successful Account Takeover. Whenever your customers are not able to protect themselves, make sure to be there for them.

Secure your systems with the right fraud management solution

​​As ATO can be performed in different ways, there are different capabilities that your fraud management systems must provide to enable effective detection of ATO attempts.

Granular visibility

You must be able to access all the details regarding the current session even before the log-in phase, from geo-localization to behavioral anomalies concerning the user profile, to the presence of malware and what type of malware, to the presence of an incoming call parallel to the session. Device intelligence data, together with user prediction indicators are also key in the quest to clearly understand what’s going on. Seeing all is the key.

Dynamic pattern characterization

You must be able to characterize an attack in a simple and fast way, starting from the atomic blocks of the previous point. With dynamic pattern characterization, you can identify an attack with extreme precision, even before it starts. This will help you avoid false positives, send unnecessary SCA, or block legitimate users.

Automated response at scale

To ensure protection at scale, you should be able to automate pattern-based decisions rather than base your decisions on generic risk scores.

Real-time operability

From detection to response, protection must happen as things happen, without delays.

Banks must rely on the right fraud management solution to monitor what’s happening across all digital channels throughout the user’s journey, even before the authentication phase occurs. Cyberattacks will be then stopped way before they hit. 

Cleafy against Account Takeover

The Cleafy platform is a real-time, end-to-end detection & response system that can shield your digital services against ATO. 

Cleafy provides you with the best set of capabilities to detect any ATO attempts, which means preventing ATO from happening and not just detecting it. 

By combining a myriad of advanced monitoring technologies (40+ international patents) with the continuous characterization of new patterns of attack provided by C-labs, our Threat Intelligence team, our AI-driven engine, supports you to understand what’s happening and automate the best set of actions to keep your customers protected. All from your Cleafy dashboard.

But how do we ensure your systems are always protected from Account Takeover? Book a free consultation to speak directly with our fraud experts. 

Protect against Account Takeover fraud | Cleafy

Read more articles