Account Takeover

In this article, we'll explain how account takeover happens and what to do to prevent it.

Account Takeover

Account takeover is an occasion when fraudsters get access to the real owner’s account. Criminals can take over any account, including credit cards, subscriptions, bank details, email, and more. In this article, we’ll explain how this happens and what to do to prevent it.

Types of criminals actions after the takeover:

  • Placing fraudulent orders using stolen data
  • Using accrued loyalty points or credit funds
  • Selling a hacked account
  • Selling data from the account

To clearly show how fraudsters can monetize account data, we analyzed fraudulent attacks on food delivery companies.

We saw the next statistics:

Fraudsters placed orders by a hacked account in more than 70% of cases

Nothing is surprising here because the criminals also eat. Average statistics say that fraudsters make from 3 to 5 orders with a success rate of about 50%. A third of the orders were not completed because something has stopped them. For example, a real customer could find that account information has been changed and contacted the merchant directly. There may also be another reason − the attacker could just sell the data from the account.

Almost half of the orders were made not in the city of the house of real customers

Of course, this does not necessarily mean that the account has been hacked. But, customers rarely order food from other addresses. This fact gives rise to thinking about strange behavior. And, in turn, to check the accuracy of the data. It also shows that the actions of criminals are very difficult to distinguish from the behavior of real customers.

Almost half of the attackers change the phone number, about 10% of the criminals change the email

Statistics show that there is a high probability that fraudsters will change the phone number rather than the email address. Probably, the main reason is that shipping services often send a message to the cell phone to confirm the order. So, the criminal needs to change the phone number in the profile for the real owner of the account could not suspect anything after receiving a message from the delivery. We also all know that the customer often gets a one-time password for authentication on the phone upon delivery. This is the reason too. Also, drivers need a real phone number to contact customers for delivery.

Interesting facts

  • Criminals often write their fake address in order not to be blacklisted.
  • About a quarter of fraudsters can change their phone number two times or more. It shows that they can use temporary numbers.

What are the consequences for the business?

They are really huge. Let’s look at them in detail:

Loss of reputation, customer loyalty, and extra financial losses

This kind of fraud is very damaging. Still, it is not the same as chargeback fraud, for example. But, the merchants suffer losses. It is very common for customers who complain on social networks after their accounts were hacked. If a business is not responsive to these complaints, it risks losing customer loyalty as well as company reputation.

Rapid growth in attacks

As of 2017, the number of hacked accounts increased by as much as 45%. A year later, in 2018, the losses tripled and amounted to $ 5.1 billion.

The main reason for this rapid growth is that online sellers started to understand how to recognize fraudulent attacks better. So, criminals had to come up with new ways of working.

Simple implementation and difficult to detect

Takeover fraud is not particularly risky because it is very easy to do. It is hard to detect because the criminal has direct access to the data of the real client. Thus, he can fake the client’s behavior. For example, many companies do their best to encourage their regular customers. Because of this, they do not pay much attention to changes in clients’ behavior.

What actions create the perfect environment for fraudsters?

Data leak

By attacking various services, fraudsters get a large amount of personal data of people, which they used to hack their accounts. They can get real names, passwords, and even answers to a secret question. The danger is that not all data leaks are disclosed to the general public. There are many more.

Multiple-use of the same password

According to statistics, each person has about a hundred accounts. Each of these entries requires the creation of its special password. Since so many passwords are unreal to remember, people often use the same password across all their accounts. A huge number of people still use very simple passwords, such as “12345678”, which makes the task even easier.

How do secret data fall into fraudsters’ hands?

The most sophisticated and difficult methods are scumware or phishing. Since such actions are quite hard, criminals mainly use them for more serious hacking. For example, to hack a bank or corporate accounts. In short, in cases where the likely amount of money will be greater.

Speaking about hacking the accounts of ordinary users, everything is quite simpler. The practice of buying data through the Darknet is quite popular. This is a very simple scheme: the fraudster has a list of accounts, which he checks by filling them manually. Thus, he can immediately understand which of them works and which does not.

Credential stuffing

This method is often used in online sales because it is quick and easy. The fraudster only needs to install a special program or write a script that will execute login requests using stolen credentials. The execution speed is quite impressive: hundreds or even thousands of entries per minute. Fraudsters use names and passwords here. This method is very effective because many users use to log in with the same password several times.

What are the consequences after takeover fraud?


Often the first person who guesses that an account has been hacked is the client. He can understand it by detecting charge-off the money from the credit card. Or by receiving a message from the seller about the order that he did not make. After that, usually, the client already calls the bank or the seller to check the situation. On average, such occasion costs about $ 300 and takes about 15 hours to fix the problem. This affects the client because he is very upset and stressed.


Disputes, commissions, and the risk of loss of reputation

Unfortunately, sellers and various companies can only realize the attacks when they see an increase in disputes and chargebacks. Chargebacks are expensive, so the company loses a lot of money. Moreover, due to frequent procedures, the merchant may get in sight of the chargeback management program and incur huge fines.

Loss of customer loyalty

Customers often blame the seller for not providing enough security. Because of this, many customers can lose confidence in the seller and stop working with him. Such customers can write angry reviews on social media, which is very bad for the brand’s reputation.

The extra workload on task forces

A large number of companies still do not have the resources to manage such hacker attacks, since this is a rather new problem for them. It significantly slows down the reaction of the business and has negative consequences. The most convenient way for such companies to solve such problems is to contact the client instead of a chargeback. In such cases, the support teams that work with customers are under extra pressure. This immediately affects the quality of the service.

Case Studies

The only thing worse than takeover fraud is a slow or inadequate reaction of companies to it. Below you can see are some examples of such situations.


Brad Bourque’s story, whose PlayStation account was hacked with adding a new device to it after, received quite a lot of publicity on social media. It happened because he asked Sony to pay damages. In response, Sony forced him to pay the costs. Otherwise, they promised to block his account. After that, Brad wrote a post about this occasion on Twitter. Only after that, he was able to get his money back.


It is a food delivery company in the United States of America. At some point, a large number of clients of this company were exposed to fraudulent attacks. It was immediately reported on social networks such as Twitter and Reddit. This did a great deal of damage to the company’s reputation, as many customers complained that they were unable to get compensation. Moreover, the company had been confirming orders in the farthest States from it. And it did not even need confirmation of the identity of who exactly picks up the order.

What allows fraudsters to be unnoticed for so long?

Good spending history of regular customers

Loyal customers often place orders, due to which they have a positive history. So, at first, a big number of orders does not surprise the company. The fraudster is simply hiding behind this story. The best way to detect a takeover is to log into the account. That is the reason criminals try to create plugins that will be as accurate as possible.

Simulating real customer behaviour

Fraudsters can use proxies or botnets that help them pretend that they are logging into the system from different sources. For example, to mimic regular traffic, they can target mealtime to visit a food delivery service.

Knowledge sharing between criminals

Nowadays, it’s enough just to go to YouTube and find a video that will tell you how to hack some account. Also, fraudsters constantly communicate on various forums and exchange tips, or credential files, as well as tools that help develop and improve ways to capture accounts.

Slow response of companies

Still that the number of such hacker attacks is growing, many companies do nothing to combat this.

This happens for two reasons:

  • Companies do not create departments that work specifically with this problem

Takeover fraud is a relatively new problem for businesses compared to credit card fraud. This is why it affects different teams. An extra complication arises in the fact that hacker attacks do not occur on one account, but on several, or even hundreds of accounts at once. And while the team detects unusual activity with one account, several more fall under the hacker attack, and this cannot be prevented.

  • Mismatch of priorities

Such fraudulence should be equally important not only for the department that deals with fraud and payments but also for those teams that work with marketing and security. It becomes difficult because marketers often pay more attention to ease of ordering rather than verification of authentication. That is why it is very hard to convince the owners of the company that they need to give an extra budget to end fraud problems.

What you can do to raise the level of understanding of the importance of the problem?

Show the real price your company will have to pay for takeover fraud

To begin with, you can show statistics: the number of attacks increased 3 times from 2016 to 2017. Also, the increase in mobile account takeover attacks skyrocketed in 2018. Remember, that chargebacks are not the only thing you have to pay for. If take into account privacy laws such as GDPR, penalties for leaking customer data can go up to millions in dollars.

Show how takeover fraud can affect your business

You will have to do an analysis and consider all fraud cases. You can also find complaints from real people on social media. Read the complaints that came by email. Analyze how long it took your team to solve the problem. Show the relation between these units.

Explain how fraudulence can damage business reputation

Unfortunately, recurring fraudulence negatively impacts customer brand loyalty. If you do not respond in time, the news will spread through social media very fast. It can not only destroy reputation but also destroy the brand itself. Customers won’t want to work with an unreliable company anymore. Privacy and security are key aspects of today’s clients. That is why many merchants, when advertising, emphasize that they can provide security. This is another benefit for attracting new clients.

Create a separate team with representatives from different departments

Explain to everyone exactly how takeover fraud can affect their department to convey the importance of the problem.

How to understand that an account is being attacked? 6 main tips

The abrupt appearance of the same data on many accounts at once

The fraudster wants to have complete control over the account. To do this, he can change the data in just one line. For example, he can change the phone number on several accounts. In this case, you can notice a massive change in phones of different accounts to the same number.

Changes in a large amount of data in the account

Fraudsters are very successful at posing as real customers. But, pay attention to this sequence of actions

  1. Replacement of all contact details including phone number, email, and address
  2. Within 24 hours after the change, the client logged in to another device
  3. After that, there was an order for a new place of delivery

If you see this combination, it seems like the work of fraudsters

IP-addresses are in different countries

When a criminal performs massive logins to an account, to check the access, he does not know the country of their location. This is because most likely this data was purchased from the Darknet. So, he does not know if he is using the correct IP-addresses. It often happens that several fraudsters try to get access to the same accounts at once. Considering the IP-addresses of these inputs, it immediately becomes clear that they are in different countries. Thus it is an indicator of fraudulent hacking.

One-time change of user data in the profile

It can often happen that a fraudster gains access to accounts, and then does nothing. If you noticed such activity, you have to take special precautions to protect against capture. For example, to send an alert. In this case, a fraudster can try to secure the accounts by very quickly changing information in them. After such security messages, you can often notice a massive change of email address.

Known and unknown device models

Quite often, criminals use software which can hide their device. If you find that a large number of accounts are connected from the “unknown” one, you can be sure that it is a fraudulent attack.

One device is linked to several accounts at once

Everything is clear here. You need to check such entries. Since, for example, a family of several people can often log in from one account, it is easy to confuse such situations. Learn to see the difference.

If you find one or two items, you need to react to it as soon as possible. Also, watch all the data listed above. For example, changing contact information, passwords, or payment methods.

How to prevent or limit a fraudulent attack?

Limited login speed

Set a limit based on your production requirements as well as customer behavior. You can set restrictions, for example, on the use of proxies.

Cross-reference between login data and existing data

Put together the data about the client itself and the IP-address and the device from which he or she logins in. It will help you spot the inconsistency.

Using a hacked account database to identify fraudsters

How does it work? Using such a database, you will be able to check with data of the registration of a new user. If you find them in a hacked database, you can block registration. You can also warn your customers about hacking their accounts in advance and ask them to change their passwords.

Define the identity of the client at the time of making changes

Just submit an authentication request. Real customers will be able to pass it.

Send messages about changing data in the account

Even if the client makes the changes himself, send the notifications by e-mail. Such manipulations will also help if the account was hacked by a fraudster who managed to bypass two-phase authentication. In this case, the client will be able to react.

How to deal with the aftermath of hacked accounts?

Develop an account recovery system

When you receive messages from a client about changes in credentials, which he did not do, develop some kind of process that will ensure the security of his data. Write about how you can ensure customer account recovery.

It might look like this:

  • establishing a temporary account blocking so that an attacker could not buy anything
  • send instructions to reset change password

Be sure to stay in touch with the client

Make sure your support team can keep in touch with the customers, calm them down, and be consistent in their correspondence. Also, try to get away from the concept of blocking. Mention, for example, that the page is not locked, but frozen until restored.

The efficiency of machine learning in blocking fraudulent attacks

Machine learning can to detect all account hacking signals much faster than company teams can do. Besides the fact that the company may not take any action to protect against hacking. For example, do not form departments dealing with this problem. Also, machine learning is faster than rules. This means that you can react quickly at the time of the attack on the account.