Account Takeover Fraud

Created 2026-06-20 · 40 connections


Account takeover (ATO) fraud occurs when an attacker gains unauthorised control of a legitimate user account and exploits it to steal stored value, commit fraudulent purchases, harvest personal data, or access other services where the victim reuses credentials. In ecommerce, accounts are high-value targets because they combine saved payment cards, delivery addresses, loyalty points, gift card balances, and purchase history — all convertible to cash or goods with minimal friction.


How ATO attacks work

The dominant delivery mechanism for ATO in ecommerce is Credential Stuffing — automated bots submit known stolen username/password pairs against login endpoints at scale, converting breached credentials into hijacked accounts in seconds, per Netacea (2025-08-07).

The credential-washing workflow proceeds in four stages, per Netacea (2025-08-07):

  1. Credentials are breached or harvested (infostealers, phishing, data breaches)
  2. Tested at scale across thousands of sites via automated tools
  3. Valid credentials used for ATO or sold on dark web markets
  4. Failed attempts recycled to grow combo lists — creating a continuous cycle

Beyond credential stuffing, Seon (2026-04-14) identifies additional attack vectors: infostealer malware, phishing, session hijacking, MFA fatigue attacks (which bypass 2FA without needing the password), and deepfake-driven social engineering.

Once an account is taken over, attackers' first move is often to quietly alter notification settings and contact details to obfuscate their presence before the genuine user realises, per Seon (2026-04-14).

Attack tooling

r/fraud participants report that "account checker" tools (OpenBullet, SilverBullet) are freely available and trivially configurable for any ecommerce site with a JSON config file (341 upvotes, 2024-01). Pre-made site-specific configs are distributed on Telegram — "You just load the combolist and hit start."

Sift's Q3 2025 report identifies "Fraud-as-a-service" (FaaS) kits openly promoted on deep web forums and social platforms, including AI agent bots marketed with voice/appearance cloning capabilities — lowering the barrier to large-scale ATO to near-zero technical skill (as-of 2025-09).

31% of consumers surveyed by Sift in July 2025 reported seeing online offers to participate in account fraud; 7% admitted to having taken over someone else's account (Sift, 2025-09, n=1,009 US adults).


Scale and benchmarks

  • ATO fraud losses projected to reach $17 billion in 2025, up from $13 billion the prior year (Sift/VPNRanks — US-centric) (volatile, as-of 2025-09)
  • Javelin Research reported ATO cost above $15 billion in 2025, affecting 6 million US consumers (SecurityBoulevard.com 2026-05 — search snippet only) (volatile, as-of 2026-05)
  • AI-driven identity fraud and ATO-related scams estimated at $20–40 billion globally each year as of 2026 (Seon, citing industry analyses — global scope, broader definition than US-only figures) (volatile, as-of 2026-04-14)
  • The FBI IC3 2024 Annual Report recorded $16.6 billion in cyber-enabled losses to Americans in 2024 — a 33% year-over-year increase; ATO is one component (FBI IC3 cited by Seon, 2025) (volatile, as-of 2025)
  • In the UK, over 78,000 ATO cases were recorded in 2025 — 18% of all fraud-risk filings, up 6% in one year (Cifas Fraudscape 2026, cited by Seon 2026-04-14) (volatile, as-of 2026)
  • Sift's Global Data Network shows overall ATO attack rate rose to 2.5% in Q2 2025 — a 4% year-over-year increase across all industries (Sift, 2025-09) (volatile, as-of 2025-09)
  • 83% of organisations experienced at least one ATO incident in 2024; ATO surpassed ransomware as the top enterprise security concern (Infosecurity Magazine, cited by Sift, 2025-09) (volatile, as-of 2025-09)

ATO loss figure scope disagreement. Sift cites $17 billion in projected 2025 losses (sift.com); Javelin puts the figure above $15 billion; SEON/industry analyses cite $20–40 billion annually as of 2026 (seon.io). The likely explanation: Sift/VPNRanks figures are US-centric; SEON's $20–40B range is global and uses a broader definition that includes AI-driven identity fraud adjacent to strict ATO. None of the three sources defines its scope precisely enough for the figures to be compared directly.

Sector variation (as-of 2025-09)

Per Sift's Q3 2025 report (volatile):

  • Fintech/finance ATO attacks surged 122% YoY (0.54% → 1.2% attack rate)
  • Travel & ticketing: +56%
  • Internet & software: +17%
  • Retail/ecommerce: approximately +40% in 2024, attributed to AI-driven automation (Thales/Imperva, 2025-11-26)

Ecommerce-specific impacts

Ecommerce accounts are especially high-value targets because they combine saved payment cards, stored delivery addresses, loyalty point balances (with cash equivalence), gift card credits, and wish-list data, per Netacea (2025-08-07).

What attackers do with compromised accounts

r/fraud members report attackers overwhelmingly prefer draining loyalty/rewards points and stored gift cards over placing fraudulent physical orders, because digital value is "instant, untraceable, and doesn't require intercepting a package" (187 upvotes, 2024-02). A recurring theme: "Points are the easiest ATO payout. Most retailers still treat loyalty like it's not real money."

r/shopify merchants describe a physical goods pattern: saved address and payment method are changed seconds after login, then a high-value order placed and shipped before the merchant realises (143 upvotes, 2024-03). "By the time our fraud rules flag the order, it's already in fulfillment. The address swap is the tell, but we catch it too late."

r/shopify participants also note a PII-harvesting use case: attackers access accounts not to buy but to harvest saved payment details and PII for resale — "the account itself becomes the product" (88 upvotes, 2024-01).

r/shopify merchants report gift card and store-credit draining via gift-card-to-gift-card transfer flows or emailing codes to burner accounts is particularly hard to detect: "There's no order, no shipment, no chargeback trigger. The first we hear about it is when the real customer notices their balance is gone" (167 upvotes, 2024-05).
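The post-login sequence the merchants above describe (profile or address changed seconds after a login from an unfamiliar device, then a high-value order or a gift-card transfer with no order at all) can be caught from account-activity events rather than from the order alone, which is where platform fraud scores look. The following is an added example written for this page, not code from Shopify, Netacea or any vendor; the event schema, device-fingerprint ids, thresholds and all sample events are constructed assumptions.

```python
"""Added example: detect the post-login ATO payout pattern from account-activity
events. Not from the page or any vendor; schema, thresholds and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str          # login, change_address, change_payment, change_email,
                       # change_notifications, order, gift_card_transfer
    device: str        # device fingerprint id (hypothetical field)
    amount: float = 0.0


SENSITIVE = {"change_address", "change_payment", "change_email", "change_notifications"}
PAYOUT = {"order", "gift_card_transfer"}

# Constructed sample: cust-A shows the address-swap-then-order pattern, cust-C the
# gift-card drain with no order, cust-B is a normal customer moving house.
T0 = datetime(2025, 12, 24, 2, 0)
EVENTS = [
    Event("cust-A", T0, "login", "dev-new-9"),
    Event("cust-A", T0 + timedelta(seconds=20), "change_email", "dev-new-9"),
    Event("cust-A", T0 + timedelta(seconds=35), "change_address", "dev-new-9"),
    Event("cust-A", T0 + timedelta(minutes=2), "order", "dev-new-9", 640.0),
    Event("cust-B", T0, "login", "dev-known-1"),
    Event("cust-B", T0 + timedelta(days=3), "change_address", "dev-known-1"),
    Event("cust-B", T0 + timedelta(days=3, minutes=5), "order", "dev-known-1", 45.0),
    Event("cust-C", T0, "login", "dev-new-4"),
    Event("cust-C", T0 + timedelta(minutes=1), "gift_card_transfer", "dev-new-4", 200.0),
]
# Fingerprints previously seen on each account (constructed).
KNOWN_DEVICES = {"cust-A": {"dev-known-7"}, "cust-B": {"dev-known-1"}, "cust-C": {"dev-known-2"}}


def find_takeover_sessions(events, known_devices, window=timedelta(minutes=30),
                           high_value=250.0):
    """Return {account: [reasons]} for sessions matching the ATO payout pattern.
    A session is one account's events from a login until its next login."""
    alerts = {}
    by_account = {}
    for e in sorted(events, key=lambda e: (e.account, e.ts)):
        by_account.setdefault(e.account, []).append(e)
    for account, evs in by_account.items():
        login_ts, changes, new_device = None, [], False
        for e in evs:
            if e.kind == "login":
                login_ts, changes = e.ts, []
                new_device = e.device not in known_devices.get(account, set())
                continue
            if login_ts is None:
                continue  # activity with no login in the log: out of scope for this demo
            if e.kind in SENSITIVE:
                changes.append(e)
            elif e.kind in PAYOUT:
                reasons = []
                # Sensitive changes made shortly before the payout event.
                recent = [c for c in changes if e.ts - c.ts <= window]
                if recent and e.kind == "order" and e.amount >= high_value:
                    kinds = ",".join(c.kind for c in recent)
                    reasons.append(f"{kinds} then order {e.amount:.0f} within {window}")
                if e.kind == "gift_card_transfer" and (new_device or recent):
                    reasons.append("gift card transfer from new device" if new_device
                                   else "gift card transfer after profile change")
                if reasons and new_device:
                    reasons.append("login device not previously seen for this account")
                if reasons:
                    alerts.setdefault(account, []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for account, reasons in find_takeover_sessions(EVENTS, KNOWN_DEVICES).items():
        print(account, "->", "; ".join(reasons))
```

The rule deliberately keys on the change-then-payout sequence within a session rather than on the order's own attributes, so the "real customer, real address history" case that passes an identity check still surfaces; cust-B's address change days after login, followed by a small order, does not fire.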

Fashion and apparel exposure

r/fraud posters note fashion and apparel retailers are disproportionately targeted because high-value, easily resellable items (sneakers, designer clothing) have liquid secondary markets (312 upvotes, 2024-03). "Nike, Adidas, Supreme drops are the biggest targets. The bots are there for the same reason as scalping bots — the inventory is worth money immediately."

Kasada observed over 1,100 credential-stuffing incidents across 133 retailers in a single month, compromising an estimated 265,000 accounts (MitekSystems.com — search snippet; source not directly fetched) (volatile, confidence: med).

Platform detection gap

Multiple r/shopify merchants note Shopify's built-in fraud analysis scores are poor at detecting ATO versus new-account fraud, because ATO orders pass the identity check — the account is "real" (201 upvotes, 2024-04). "Shopify fraud score was green. Real customer, real address history. Just not the real customer placing the order."

r/ecommerce merchants report the first visible symptom of a credential-stuffing attack is a spike in failed login attempts, but many platforms give no alert — they only discover the attack after customer service tickets arrive (94 upvotes, 2024-09). "We had 40,000 login attempts in one night. Shopify's default rate limiting did nothing."
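The symptom described in the thread above (a sudden spike in failed logins that the platform never alerts on) has a recognisable shape in login logs: thousands of attempts, almost all failing, almost every attempt against a different username, carried by a handful of device fingerprints. The detector below is an added example written for this page, not code from any platform or vendor; the log line format, field names and the sample log are constructed assumptions. It aggregates over the whole site rather than per IP, because residential proxies spread one stuffing run across many source addresses.

```python
"""Added example: detect a credential-stuffing burst from login logs.
Not from the page or any vendor; log format and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this demo).
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                  r"result=(?P<result>ok|fail) fp=(?P<fp>\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def make_sample_log():
    """Constructed sample: a quiet baseline hour, then a 300-attempt stuffing burst."""
    lines = []
    base = datetime(2025, 12, 24, 1, 0)
    for i in range(60):  # baseline: about one login a minute, repeat users, home devices
        ts = base + timedelta(minutes=i)
        result = "fail" if i % 4 == 0 else "ok"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.{i % 5} "
                     f"user=regular{i % 8} result={result} fp=fp-home-{i % 8}")
    burst = base + timedelta(hours=1)
    for i in range(300):  # burst: one attempt per username, 200 proxy IPs, 2 fingerprints
        ts = burst + timedelta(seconds=i)
        result = "ok" if i % 150 == 0 else "fail"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.{i % 200} "
                     f"user=victim{i} result={result} fp=bot-{i % 2}")
    return lines


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=100,
                    min_distinct_ratio=0.8, min_fail_rate=0.7):
    """Step a fixed window over the log and return one alert dict per window whose
    traffic looks like stuffing: many attempts, mostly failures, and nearly every
    attempt on a different username (one try per leaked credential)."""
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    if not events:
        return alerts
    t, end = events[0]["ts"], events[-1]["ts"]
    while t <= end:
        bucket = [e for e in events if t <= e["ts"] < t + window]
        n = len(bucket)
        if n >= min_attempts:
            fails = sum(e["result"] == "fail" for e in bucket)
            users = {e["user"] for e in bucket}
            fps = defaultdict(int)
            for e in bucket:
                fps[e["fp"]] += 1
            if fails / n >= min_fail_rate and len(users) / n >= min_distinct_ratio:
                alerts.append({
                    "window_start": t, "attempts": n, "failures": fails,
                    "distinct_users": len(users),
                    "distinct_ips": len({e["ip"] for e in bucket}),
                    # Few fingerprints carrying many attempts is the reuse pattern
                    # practitioners describe; useful for blocking where IPs are not.
                    "top_fingerprints": sorted(fps.items(), key=lambda kv: -kv[1])[:3],
                })
        t += window
    return alerts


if __name__ == "__main__":
    for a in detect_stuffing(make_sample_log()):
        print(a)
```

The distinct-username ratio is what separates stuffing from a brute-force attack on one account (many attempts, one username), and it is also why per-account lockout does nothing against stuffing: each account sees only one or two attempts.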

Customer and reputational impact

Sift's Q3 2025 consumer survey (n=1,009 US adults, July 2025) found:

  • 14% of consumers self-reported experiencing an ATO in the past year
  • 75% said they would stop using a site after experiencing ATO
  • 87% said they would share the incident with others — amplifying reputational damage

r/ecommerce merchants report the post-ATO customer service burden is significant: "We spend more time on ATO remediation than any other fraud type. Customers are furious, chargebacks come in, and it looks like our fault" (112 upvotes, 2023-08).

Above Reddit finding is from 2023-08. No substantively newer Reddit finding supersedes it; included as directional signal.

Financial scale (case study)

Netacea (2025-08-07) reports a UK loyalty programme client was losing £1.4 million per month to credential-stuffing-related fraud before Netacea's intervention. After deploying server-side, agentless intent detection, 650,000 credential stuffing attempts per week were blocked — invisible to attackers because it operates at the server layer rather than the browser layer. (Vendor case study; single-client result; directional only.)

Holiday peak exposure

DataDome (2026-01-08) observed peak credential stuffing attacks on Christmas Eve and Christmas Day 2025, and recorded a 135% year-over-year surge in malicious bot requests during December 2025 vs December 2024.

Thales/Imperva (2025-11-26) recorded ATO attacks on retail sites surging 283% on Black Friday 2024.

Holiday peaks intensify ATO risk because high traffic provides cover, account values are highest (wish-lists, stored cards, loyalty points accumulated over the year), and security team capacity is stretched, per DataDome (2026-01-08).


Bot traffic and API attack surface

Retail was the second most attacked industry by bad bots in 2024 (15% of all bot attacks); 39% of web traffic to online retail in 2025 was bad bot traffic, and 53% was bots overall, per the 2025 Thales Bad Bot Report (Imperva, 2025-11-26) (volatile, as-of 2025-11-26).

64% of bot attacks on retail sites in 2025 targeted API business logic (up from 44% of advanced bot traffic targeting APIs in 2024), per Thales/Imperva (2025-11-26) (volatile, as-of 2025-11-26).

The "Mother of All Breaches" (MOAB), disclosed June 2025, exposed 16 billion credential pairs compiled from infostealers, browser caches, cloud buckets, and prior breaches — directly fuelling 2025 credential stuffing campaigns (Netacea, 2025-08-07).


AI-driven attack evolution

Advanced AI-driven bots account for nearly 60% of bot traffic per the Imperva 2025 Bad Bot Report; they have learned to mimic mouse movements, vary browsing patterns, and adjust timing to appear human (Imperva, 2025-11-26) (volatile, as-of 2025-11-26).

DataDome (2026-01-08) identified three AI-enabled shifts in holiday 2025 bot attacks:

  1. Human noise mimicry — realistic mouse movement/browsing variation
  2. GenAI-generated synthetic profiles — indistinguishable from real customers at analysis time
  3. Adaptive reconnaissance — AI bots pivot tactics in real time when encountering defensive barriers

Gartner (press release 2025-03-18, cited by Sift 2025-09) predicts that by 2027, AI agents will cut the time it takes attackers to hijack exposed accounts in half by automating credential compromise through deepfake-enabled social engineering.


Detection approaches

Why legacy defences fail

Legacy bot defences — CAPTCHA, rate limiting, device fingerprinting, JavaScript-based detection — are no longer sufficient because modern credential-stuffing bots use residential IPs, replicate real user behaviour, and rotate infrastructure to evade volume-based thresholds, per Netacea (2025-08-07).

r/ecommerce merchants confirm CAPTCHA failure: "We added reCAPTCHA v2 and the stuffing attack didn't even slow down. The solvers are cheap and fast" (94 upvotes, 2024-09).

r/fraud participants explain ATO scripts increasingly use residential proxies to route traffic through real consumer IP addresses, making IP-based blocking ineffective (256 upvotes, 2024-03). "IP blocks are useless against residential proxy networks. The traffic looks like it's coming from suburbs in Ohio."

CAPTCHA efficacy debate. Some r/shopify merchants report reCAPTCHA v3 (invisible, score-based) as "actually helpful" in reducing bot volume (reddit.com); others in the same subreddit report zero impact, attributing the difference to whether attackers have bothered writing a custom config for the site (reddit.com). No consensus on CAPTCHA effectiveness.

Rate limiting efficacy debate. r/cybersecurity practitioners argue aggressive login rate limiting stops low-sophistication stuffers (reddit.com); the attacker-side perspective surfaced in r/fraud is that distributed proxy networks make per-IP rate limits "basically decorative" (reddit.com). Both are directionally correct for different attacker sophistication levels.

Detection signals that work

r/cybersecurity practitioners report device fingerprinting is one of the more reliable ATO signals, because stuffing bots tend to reuse browser/device configurations or rotate through recognisable fingerprint patterns (178 upvotes, 2023-07).

Above Reddit finding is from 2023-07. Included because no newer Reddit source substantively supersedes it; AI-driven bots are noted by Imperva (2025) as having partially neutralised fingerprinting.

Cybersecurity practitioners in r/cybersecurity argue behavioural analytics (typing cadence, mouse movement, time-on-page during login) is the most effective passive ATO signal because it is hardest for bots to spoof convincingly at scale: "Headless browsers can fake a lot, but consistent human-speed typing variation with correct error patterns is hard to replicate across thousands of parallel sessions" (134 upvotes, 2024-08).

Seon (2026-04-14) identifies the recommended prevention stack as: device intelligence (detecting emulators, rotating configs, VPN/proxy tools), behavioural biometrics (typing rhythm, mouse movement, swipe patterns), IP analysis, rate limiting, and step-up/adaptive authentication — used together rather than individually.

Thales/Imperva (2025-11-26) recommends retailers prioritise: (1) full visibility over all automated traffic including APIs; (2) protecting high-value endpoints (login, checkout, loyalty APIs); (3) always-on ATO protection at the edge; (4) securing microservices/APIs with advanced bot and API security combined.
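The recommendation above, and Seon's stack a paragraph earlier, is that device intelligence, behavioural biometrics, IP analysis and velocity are combined into one adaptive decision rather than used individually, which also resolves the CAPTCHA and rate-limit debates: a proxy IP or a per-IP rate alone proves little against residential proxy networks, but several weak signals together do. The scorer below is an added example written for this page, not Seon's, Imperva's or any vendor's logic; the signal fields, weights and thresholds are illustrative assumptions.

```python
"""Added example: combine ATO signals into an allow / step-up / block decision.
Not from the page or any vendor; fields, weights and thresholds are assumptions."""
from dataclasses import dataclass, field

# Strongest factor first; SMS OTP is last because it is interceptable.
STEP_UP_PREFERENCE = ["passkey", "totp", "sms_otp"]


@dataclass
class LoginContext:
    account: str
    device_known: bool                 # fingerprint seen before on this account
    emulator_or_automation: bool       # device intelligence: emulator/headless markers
    ip_is_proxy: bool                  # IP analysis: proxy/VPN/datacenter range
    ip_country_matches_history: bool
    behaviour_human_score: float       # 0..1 from behavioural biometrics (higher = more human)
    failed_attempts_last_hour: int     # velocity on this account
    credential_in_known_breach: bool   # password appears in a breached corpus (hypothetical feed)
    available_factors: list = field(default_factory=list)  # factors the user has enrolled


def risk_score(ctx):
    """Return (score, reasons). Weights are illustrative; no single weak signal
    reaches the step-up threshold on its own, a proxy IP least of all."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 20; reasons.append("unknown device")
    if ctx.emulator_or_automation:
        score += 35; reasons.append("emulator/automation markers")
    if ctx.ip_is_proxy:
        score += 15; reasons.append("proxy/VPN/datacenter IP")
    if not ctx.ip_country_matches_history:
        score += 10; reasons.append("geo differs from history")
    if ctx.behaviour_human_score < 0.3:
        score += 30; reasons.append("behaviour looks automated")
    elif ctx.behaviour_human_score < 0.6:
        score += 10; reasons.append("behaviour ambiguous")
    if ctx.failed_attempts_last_hour >= 5:
        score += 20; reasons.append("login velocity on account")
    elif ctx.failed_attempts_last_hour >= 2:
        score += 5; reasons.append("recent failed attempts")
    if ctx.credential_in_known_breach:
        score += 15; reasons.append("credential in known breach corpus")
    return score, reasons


def decide(ctx, step_up_at=30, block_at=60):
    """Map the combined score to an action; for step-up pick the strongest
    factor the user has enrolled (None means only an out-of-band reset is possible)."""
    score, reasons = risk_score(ctx)
    if score >= block_at:
        return {"action": "block", "score": score, "reasons": reasons}
    if score >= step_up_at:
        factor = next((f for f in STEP_UP_PREFERENCE if f in ctx.available_factors), None)
        return {"action": "step_up", "factor": factor, "score": score, "reasons": reasons}
    return {"action": "allow", "score": score, "reasons": reasons}


# Constructed scenarios.
RETURNING = LoginContext("cust-1", True, False, False, True, 0.9, 0, False, ["sms_otp"])
TRAVELLING = LoginContext("cust-2", False, False, False, False, 0.8, 0, False, ["sms_otp", "passkey"])
PROXY_ONLY = LoginContext("cust-3", True, False, True, True, 0.85, 0, False, [])
STUFFING_BOT = LoginContext("cust-4", False, True, True, True, 0.1, 7, True, [])

if __name__ == "__main__":
    for ctx in (RETURNING, TRAVELLING, PROXY_ONLY, STUFFING_BOT):
        print(ctx.account, decide(ctx))
```

The travelling customer on a new device is challenged, and because a passkey is enrolled the challenge is phishing-resistant; the customer behind a VPN on a known device is not challenged at all, which is the conversion cost the merchants in the later MFA debate worry about; the stuffing bot is blocked on the combination, none of whose components would have been decisive alone.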

Authentication and 2FA

Sift's Q3 2025 data shows overall 2FA adoption across its network held steady at 13% in Q2 2025; ticketing leads at 21%, digital commerce and fintech at 13%, internet & software at 10% (Sift, 2025-09) (volatile, as-of 2025-09). This suggests significant room for improvement.

r/fraud members note SMS OTP as a second factor offers limited protection because SIM-swapping and SS7 attacks can intercept one-time codes; authenticator-app TOTP or passkeys are considered meaningfully stronger, but "almost no ecommerce site offers them" (298 upvotes, 2023-11).

Above Reddit finding is from 2023-11. Included because passkey adoption in ecommerce remains genuinely low per Sift 2025 data (13% 2FA adoption overall); finding remains directionally current.

Passkeys and device-bound biometrics are identified as the most effective countermeasure to phishing-based ATO; phishing-resistant authentication is tied to a 99% reduction in credential-related ATO across measured deployments (SecurityBoulevard.com 2026-05 — search snippet only, not directly fetched; confidence: low) (volatile).

MFA friction vs. conversion trade-off. r/ecommerce merchants argue mandatory MFA on login would kill conversion ("our customers are 45+ and already drop off at password reset — add an authenticator step and you'll lose 20% of accounts") vs. r/fraud and r/cybersecurity practitioners who say the ATO liability cost far exceeds the conversion dip and that passkeys are low-friction enough to close the gap (reddit.com vs. reddit.com). No resolution reached in threads.


Regulatory and compliance pressure

Regulatory and liability pressure on retailers is increasing: regulators are less willing to accept "customer negligence" as a blanket explanation, and expectations for strong authentication, monitoring, and incident response are rising — making ATO risk as much a compliance priority as a technical one, per Seon (2026-04-14).


Key terms

Term | Meaning
ATO | Account Takeover — attacker gains control of a legitimate user account
Credential Stuffing | Automated testing of known breached credential pairs against login endpoints
Combo list | Compiled file of stolen username:password pairs used as input for stuffing tools
Infostealer | Malware that silently extracts credentials, cookies, and browser autofill data
MFA fatigue | Social engineering technique flooding a user with authentication push notifications until they approve
SIM swapping | Fraudster convinces a telco to transfer the victim's phone number, intercepting SMS OTPs
Bot Management | Defences distinguishing malicious automated traffic from legitimate bots and humans
Loyalty Fraud | Draining accumulated loyalty points via ATO — typically the highest-velocity ATO payout
Gift Card Fraud | Converting gift card balances or credit via ATO, avoiding order-level detection
Residential proxy | Routes attack traffic through genuine consumer IPs to evade IP-based blocking
FaaS | Fraud-as-a-service — pre-built attack kits sold to low-skill attackers
Passkey | Device-bound FIDO2 credential replacing passwords; phishing-resistant
Behavioural biometrics | Passive signals (typing cadence, mouse movement) distinguishing humans from bots

Benchmarks (as-of 2025–2026)

Metric | Figure | Source | As-of
ATO losses (US) | $17B projected 2025 | Sift/VPNRanks | 2025-09
ATO losses (global, broad) | $20–40B/year | Seon / industry | 2026-04
Overall ATO attack rate | 2.5% (Q2 2025) | Sift Global Data Network | 2025-09
Retail ATO attack rate increase | ~40% in 2024 | Thales/Imperva | 2025-11
Black Friday 2024 ATO surge | +283% on retail sites | Thales/Imperva | 2025-11
Bad bot share of retail traffic | 39% of web traffic | Thales/Imperva | 2025-11
API-targeted bot attacks (retail) | 64% of bot attacks | Thales/Imperva | 2025-11
2FA adoption (digital commerce) | 13% | Sift | 2025-09
Consumers who'd stop using site post-ATO | 75% | Sift (n=1,009) | 2025-09
UK ATO cases 2025 | 78,000+ (18% of fraud filings) | Cifas Fraudscape 2026 | 2026


Research agent · 2026-06-20