How to Recognize and Prevent Account Takeover Fraud Attempts

5 Tactics in Account Takeover Fraud and How to Help Prevent Them

Fraudsters are constantly developing methods to try and take over your customers’ accounts. Ensure you are prepared to fight back against fraud, while preserving a positive customer experience.

Criminals continuously develop new tactics to defeat fraud-prevention measures, gain unauthorized access to customer accounts and commit fraud. Accertify has outlined several key tactics, some of them used in combination, that are increasingly used to execute account takeover schemes:

1. Brute Force Attacks

What’s old is new. A “brute force” attack, sometimes referred to as credential cracking, is an old attack method that tries to recover a username or password by trial and error, in the hope of eventually guessing correctly.

Manually guessing a password would take a very long time, so fraudsters use automated tools. These may start from a dictionary of common words and augment each word with special characters or numbers, or they may pick a single target and run a list of likely passwords against that username. Brute force attacks can be slow to carry out, but given enough time, and where few security barriers are in place (e.g. locking an account after three unsuccessful attempts), they will often succeed.
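The following is an added example, not code from the article or from Accertify: it reproduces the dictionary-plus-suffix guessing described above against a salted PBKDF2 password store, once with no barrier and once with the three-strike lockout the paragraph mentions. The word list, suffix rules, usernames and the weak password are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed inputs (not from the article): a tiny word list and the
# mangling rules a cracking tool applies to each word before exhaustive search.
DICTIONARY = ["password", "welcome", "summer", "dragon"]
SUFFIXES = ["", "1", "123", "!", "2024", "!1"]
PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; use far more in production


def candidates(words=DICTIONARY, suffixes=SUFFIXES):
    """Yield dictionary words augmented with digits and special characters."""
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    """Minimal credential store with an optional per-account lockout counter."""

    def __init__(self, max_failures=None):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> consecutive failed attempts
        self.max_failures = max_failures  # None means no lockout at all

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        if self.max_failures is not None and self.failures.get(username, 0) >= self.max_failures:
            return "locked"
        salt, stored = self.users[username]
        _, attempt = hash_password(password, salt)
        if hmac.compare_digest(attempt, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


def brute_force(service, username):
    """Run every candidate against one account; return (outcome, guess, attempts)."""
    attempts = 0
    for guess in candidates():
        attempts += 1
        result = service.login(username, guess)
        if result == "ok":
            return ("cracked", guess, attempts)
        if result == "locked":
            return ("locked", None, attempts)
    return ("exhausted", None, attempts)


def demo():
    """Same weak password, with and without a three-strike lockout."""
    unprotected = LoginService(max_failures=None)
    unprotected.register("alice", "Summer2024")
    protected = LoginService(max_failures=3)
    protected.register("alice", "Summer2024")
    return brute_force(unprotected, "alice"), brute_force(protected, "alice")


if __name__ == "__main__":
    print(demo())
```

Without a barrier the 48-candidate list recovers the password on the 35th try; with the lockout the attacker is stopped on the fourth. Note the trade-off a practitioner has to weigh: a hard lockout after three failures also lets an attacker lock legitimate customers out by deliberately failing, so in practice it is combined with per-source throttling and progressive delays rather than used alone.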

2. Credential Stuffing

Credential stuffing is a large-scale automated attack that uses compromised usernames and passwords to gain unauthorized access to accounts. Unlike a brute force attack, which guesses the password by trial and error, credential stuffing replays lists of known valid credentials, often obtained from a data breach or purchased on the dark web.

Credential stuffing is easy to execute because the attack tools are freely downloadable and online tutorials are plentiful. The attacks also have high success rates because many individuals reuse their passwords across many different websites.

As a result, credentials stolen from a low-risk website have an increased chance of working on high-risk websites (banks and financial institutions) that hold more sensitive data.
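Because the two tactics leave different shapes in the authentication log, they can be told apart and acted on. The following is an added example, not code from the article or from Accertify: it classifies each source IP in a constructed sample log as credential stuffing (many accounts, one or two tries each, a few successes), brute force (one account, many tries) or normal, and lists the accounts that logged in successfully from a flagged source, which are the ones that need a forced password reset. The log format and IP addresses are this example's own.

```python
from collections import defaultdict

# Constructed sample log lines (not from the article): "timestamp source_ip username result".
LOG_LINES = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol OK
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace OK
2024-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T10:01:00Z 198.51.100.9 ivan FAIL
2024-05-01T10:01:01Z 198.51.100.9 ivan FAIL
2024-05-01T10:01:02Z 198.51.100.9 ivan FAIL
2024-05-01T10:01:03Z 198.51.100.9 ivan FAIL
2024-05-01T10:01:04Z 198.51.100.9 ivan FAIL
2024-05-01T10:01:05Z 198.51.100.9 ivan FAIL
2024-05-01T10:02:00Z 192.0.2.5 judy FAIL
2024-05-01T10:02:10Z 192.0.2.5 judy OK
"""


def parse(lines):
    """Turn the raw lines into (timestamp, ip, user, result) tuples."""
    return [tuple(line.split()) for line in lines.strip().splitlines()]


def classify_sources(events, min_attempts=5):
    """Label each source IP by the shape of its login traffic."""
    stats = defaultdict(lambda: {"attempts": 0, "per_user": defaultdict(int), "ok": 0})
    for _, ip, user, result in events:
        s = stats[ip]
        s["attempts"] += 1
        s["per_user"][user] += 1
        if result == "OK":
            s["ok"] += 1
    verdicts = {}
    for ip, s in stats.items():
        distinct_users = len(s["per_user"])
        max_per_user = max(s["per_user"].values())
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif distinct_users >= min_attempts and max_per_user <= 2:
            # many accounts, one or two tries each: replayed breach credentials
            verdicts[ip] = "credential_stuffing"
        elif distinct_users == 1:
            # one account, many tries: password guessing
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "review"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged source need a forced reset."""
    flagged = {ip for ip, v in verdicts.items() if v in ("credential_stuffing", "brute_force")}
    return sorted({user for _, ip, user, result in events if ip in flagged and result == "OK"})


if __name__ == "__main__":
    events = parse(LOG_LINES)
    verdicts = classify_sources(events)
    print(verdicts)
    print("force reset:", compromised_accounts(events, verdicts))
```

The key feature of a stuffing run is not the failure count but the breadth: one source touching many accounts with almost no retries. Real attacks spread the load across proxies, so in production the same counts are usually kept per device fingerprint or per autonomous system as well as per IP.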

3. Malware

Malware (malicious software) is a familiar term to most of us. It is often used to target corporate applications, infecting workstations and servers in search of company secrets or sensitive data, but it is just as commonly used to target individual users’ computers and mobile devices.

Malware spreads in many different ways; the most common is phishing email. The email instructs the target to click a link or open an attachment, perhaps to verify their account information or confirm other personal details. Opening the attachment or clicking the link installs the malware, or redirects to a malicious website where individuals unknowingly divulge passwords or other sensitive personal information that criminals can use to commit fraud.

4. Social Engineering

This tried-and-true tactic utilizes the art of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Social engineering comprises a number of different tactics. One of the most popular is phishing, in which the attacker sends an email that appears to come from a reputable organization, requests “verification” of information and includes a strong call to action (sometimes warning of dire consequences if the information is not provided). The email usually contains a link to a fraudulent web page that mimics the legitimate site, with company logos and content, and has a form requesting the user to enter personal data or account information.

Alternatively, the phishing email may contain an attachment that, when opened, installs malware on the recipient’s device. In both cases, personal and account information is captured and then used for malicious purposes.
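A mail gateway or a user-facing warning can catch the most common lure in the paragraph above, a link whose displayed text does not match where it actually goes. The following is an added example, not code from the article or from Accertify: it extracts every anchor from a constructed phishing message and flags links that point at a bare IP address, a punycode (xn--) host, a host outside the organization's trusted domains, or a host different from the one shown to the reader. The domain "examplebank.example" stands in for the organization's real domain; every other host is constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article). "examplebank.example" stands in
# for the organization's real domain; the other hosts belong to the attacker.
TRUSTED_DOMAINS = {"examplebank.example"}
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours. Please
<a href="http://203.0.113.9/login">verify now</a> or go to
<a href="https://examplebank.example.secure-verify.test/">https://examplebank.example</a>.
Questions? See our <a href="https://examplebank.example/help">Help Center</a>.</p>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme in displayed text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_findings(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for every anchor that looks like a phishing lure."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        host = host_of(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ip-literal host")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        if URL_LIKE.fullmatch(text) and host_of(text) != host:
            reasons.append("displayed host differs from link target")
        if not is_trusted(host, trusted):
            reasons.append("host not in trusted domains")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in link_findings(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

The second lure is the one users fall for most: the real domain appears at the start of the hostname, but the registrable domain is the attacker's. The suffix check in is_trusted compares against the whole trusted domain, so a prefix match is not enough to pass.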

5. Subscriber Identity Module (SIM) Swaps

The SIM card inside your phone is a small chip card that tells your mobile device which cellular network to connect to and which phone number to use. On a day-to-day basis we rarely talk about SIM cards, except perhaps when purchasing a new phone. A SIM swap scam begins with the fraudster contacting your mobile carrier and convincing the customer service representative that they are speaking with you, the legitimate account holder. They can do this using social engineering tactics, information compromised in data breaches, or public information harvested from your social media accounts. Once your phone number is assigned to the new SIM card (controlled by the fraudster), all of your incoming calls and text messages (SMS) are routed to their phone, and your own handset typically loses service at the same time.

At this point, the fraudster can intercept any one-time SMS passcodes or telephone calls intended for the victim, thereby circumventing key security features of accounts (bank accounts, email accounts, social media accounts, etc.) that rely on text messages or calls as the second factor of authentication or for password resets.
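The practical response to the SIM swap tactic is to stop treating the phone number as a second factor and move customers to a code generated on the device itself, which a carrier cannot redirect. The following is an added example, not code from the article or from Accertify: a minimal RFC 6238 TOTP generator with a server-side verifier that allows one step of clock skew and rejects a replayed code. The secret is the RFC's own test secret so the output can be checked against the published vectors; the TotpVerifier class and its field names are this example's own.

```python
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so the
# output can be checked against the RFC's published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.used_counters = set()  # counters already accepted for this user

    def verify(self, code, at_time=None):
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c in self.used_counters:
                continue  # a code that was already accepted must not work twice
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used_counters.add(c)
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # RFC 6238 vector for T=59
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(verifier.verify(totp(RFC_TEST_SECRET, time.time())))
```

Unlike an SMS code, the TOTP secret never leaves the customer's device, so a SIM swap yields nothing. A TOTP code can still be relayed by a real-time phishing page, which is why a phishing-resistant factor (a FIDO2 security key or passkey bound to the site origin) is the stronger choice for the highest-risk actions.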


As outlined above, account takeover schemes take many forms, are often combined, and can cost you lost funds and frustrated customers. Many businesses use a number of point solutions to help prevent these attacks, but juggling multiple vendors can present a fragmented risk picture and introduce unwelcome friction for your best customers. Businesses need a partner that provides end-to-end protection across the entire customer digital journey. From the moment a customer enters your digital environment, it is important to distinguish the good from the bad, in real time. Accertify Digital Identity helps detect fraudsters in real time.

Accertify Digital Identity provides end-to-end insight to distinguish good from bad activity with minimal impact to customer experience. By analyzing thousands of pieces of data, we can understand the full picture of who is attempting to access an account.

Accertify Digital Identity is built on the pillars of information needed to understand every online interaction, helping to answer the following questions:

1. What device are they using?

Have you seen this device before? Are the device settings consistent with the other data entered, e.g. language and time zone? Has this device been used to access other accounts?

2. How is the user connecting to your site?

Are they using suspicious means, such as the Tor anonymity network or another anonymizing proxy?

3. What is the user’s location?

Can we look beyond the IP address to understand where they truly are located? Is their location consistent with where the valid customer should be coming from?

4. How is the user interacting with your site?

Are the mouse movements and keystrokes consistent with typical users, or atypical? Could this user be a bot rather than a real, live human?

5. Have you seen this customer before?

This may be the first time a customer visits a particular website, but we may already know their previous behaviors and what is typical or atypical for them across other sites, even if the merchant does not yet. Understanding how valid customers typically behave and transact helps detect and prevent account takeover attempts.
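To make the five questions concrete, the following is an added example, not code from the article or from Accertify and not a description of how Accertify Digital Identity scores anything: it combines the signals named above (device seen before, Tor exit, time zone consistent with IP location, impossible travel since the last login, and a form filled faster than a human could) into a score and an allow / step-up / block decision. The data classes, field names, weights, thresholds and the 900 km/h travel limit are this example's own assumptions; in a real deployment the Tor flag and coordinates would come from threat-intelligence and geolocation feeds rather than being passed in.

```python
import math
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Signals observed on one login attempt (field names are this example's own)."""
    device_id: str
    is_tor_exit: bool
    lat: float
    lon: float
    device_timezone: str   # reported by the browser or app
    ip_timezone: str       # resolved from the IP's geolocation
    form_fill_seconds: float
    timestamp: float


@dataclass
class AccountHistory:
    """What the service already knows about the legitimate customer."""
    known_devices: set
    last_lat: float
    last_lon: float
    last_timestamp: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_login(ctx, history, max_speed_kmh=900.0):
    """Combine the five questions into a score and a decision.
    Weights and thresholds are illustrative assumptions, not a recommended tuning."""
    score, reasons = 0, []
    if ctx.device_id not in history.known_devices:
        score += 20
        reasons.append("device never seen on this account")
    if ctx.is_tor_exit:
        score += 30
        reasons.append("connection via Tor exit node")
    if ctx.device_timezone != ctx.ip_timezone:
        score += 15
        reasons.append("device time zone inconsistent with IP location")
    distance = haversine_km(history.last_lat, history.last_lon, ctx.lat, ctx.lon)
    hours = (ctx.timestamp - history.last_timestamp) / 3600.0
    if hours > 0 and distance / hours > max_speed_kmh:
        score += 35
        reasons.append(f"impossible travel: {distance:.0f} km in {hours:.1f} h")
    if ctx.form_fill_seconds < 1.0:
        score += 25
        reasons.append("login form completed faster than a human types")
    decision = "allow" if score < 30 else ("step_up" if score < 60 else "block")
    return score, decision, reasons


if __name__ == "__main__":
    # Constructed history: last login from central London on a known device.
    history = AccountHistory({"dev-a1"}, 51.5074, -0.1278, 1_700_000_000)
    attacker = LoginContext("dev-zz9", True, 6.5244, 3.3792, "Europe/Berlin",
                            "Africa/Lagos", 0.4, 1_700_003_600)
    print(score_login(attacker, history))
```

Each reason is kept alongside the score so that an analyst, or the customer in a step-up prompt, can see why the decision was made; a bare score is hard to tune and impossible to explain. The impossible-travel check depends on the previous login's coordinates being trustworthy, so a login that was itself flagged should not be written back as the new baseline.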

If you are looking for help in identifying and preventing account takeovers, we are here to help.

To learn how we can help you breathe easy, visit our Digital Identity overview.