Account takeover is big, big business in the fraud world, and fraudsters treat it that way. This isn’t the domain of lone-wolf, hoodie-wearing hackers typing away on keyboards in their basement. It’s much more corporate now, with an organized, systemic approach and end-to-end ecosystems that exploit human trust, digital access, and the financial system itself.
To combat it, banks and credit unions need to understand the threat and adopt strategies that match and exceed the speed and sophistication of the fraudsters.
Account Takeover: When Identity Becomes the Entry Point
First, a little background.
Account Takeover (ATO) occurs when a fraudster gains unauthorized access to a legitimate user’s account, often by stealing login credentials through phishing, malware, credential stuffing, or SIM swapping. Once inside, attackers can quietly update contact details, disable alerts, and move funds without immediate detection.
What makes ATO so dangerous is that it mimics legitimate user behavior. Because these transactions come from familiar devices or trusted logins, they often pass traditional authentication checks.
Mule Accounts: The Hidden Engine of the Fraud Economy
No fraud scheme succeeds without a mechanism to move and disguise the stolen funds. This is where mule accounts come in.
A mule account is either a legitimate or fraudulent account used to receive and launder stolen money. Some mules knowingly participate in return for a commission. Others are deceived through fake job offers or scams into unknowingly becoming part of the laundering process. Think of these like the international traveler who’s asked to carry a bag on the plane for a stranger, not realizing they’re helping them smuggle drugs.
These mule networks are what make ATO schemes financially viable. Hundreds of accounts across banks and jurisdictions are used to layer transactions and obscure the money trail.
Account Takeover in Action
Here’s a step-by-step example of how an ATO attempt can be carried out, countless times, every day.
Step 1: Social engineering setup
The fraudster contacts the account holder (via email, text, phone call, social media DM), pretending to be someone else. Popular choices include: a trusted merchant; tech support for one of their software applications; or most insidiously, the fraud department at the account holder’s bank.
Step 2: Creating urgency
The target receives a message urging them to take immediate action to, ironically, protect themselves from fraud. “We detected suspicious activity and need to verify your account immediately.” If the account holder takes the bait, they end up handing over their login credentials to the fraudster.
Step 3: The legitimate login attempt by the fraudster
The fraudster enters the user’s real username and password. The bank then sends a secure access code (SAC) to the user’s phone or email.
Step 4: Account holder provides the SAC
The fraudster, still posing as a helpful bank employee/merchant/IT person, asks the account holder to “forward the code we just sent you,” acting as if they’re verifying the account holder when in reality they’re stealing the SAC.
Step 5: Fraudster completes multi-factor authentication (MFA)
The fraudster enters the SAC to pass through the bank’s traditional authentication controls and access the victim’s accounts.
That’s just one of many ways fraudsters perpetrate account takeover, but when successful it creates two massive conundrums for financial institutions in the digital age.
1) How do we stop fraudsters when all the required information they’re submitting (username, password, SAC, etc.) indicates they’re a legitimate user?
2) Even if we’re not certain they’re legitimate, how do we make that determination quickly enough to stop them from moving money rapidly out of the account?
Building a better account takeover detection strategy
It’s about knowing what to look for and then knowing what to do when you see it ... or think you’re seeing it.
While it would be nice to find that one “smoking gun,” a lot of times you’ll need to comb through multiple signals at multiple points in the user journey to determine whether you have an account takeover on your hands.
Here are just a few:
• Did the user log in and then quickly change their account settings?
• Are there multiple logins to the account from different locations at the same time?
• Are there overlapping sessions on the same account from different geographic locations that are far apart from each other?
• Did the user add a new number for the SAC and then conduct multiple transactions in quick succession?
• Is a single user rapidly switching between IP addresses?
• Is the user now using remote deposit capture with no previous history of doing this on their device? Is this happening during overlapping sessions from different locations? (This is a telltale sign of mule account activity.)
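To make the signals above concrete, here is an added example (not code from the original article or from any vendor) that scans one account’s session events for each of them. The event schema, the thresholds, the Chicago/Los Angeles coordinates and the sample timeline are all constructed assumptions for illustration; a real deployment would tune the thresholds and feed real session logs.

```python
"""Rule-based scan of one account's session events for ATO signals.

Everything here is constructed for illustration: the event schema,
the thresholds and the sample timeline are assumptions, not a bank's
or vendor's production detection logic.
"""
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds; tune per institution.
SETTINGS_AFTER_LOGIN_S = 10 * 60   # settings changed within 10 min of login
FAR_APART_KM = 500.0               # overlapping sessions at least this far apart
BURST_WINDOW_S = 15 * 60           # transfers following a SAC number change
BURST_COUNT = 3
IP_WINDOW_S = 5 * 60               # distinct IPs inside a 5-minute window
IP_COUNT = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_signals(events, rdc_devices=frozenset()):
    """Return {signal_name: evidence} for one account's events.

    events: dicts with ts (epoch seconds), type, session, ip, lat, lon, device.
    rdc_devices: devices that have used remote deposit capture (RDC) before.
    """
    events = sorted(events, key=lambda e: e["ts"])
    signals = {}
    by_session = {}
    for e in events:
        by_session.setdefault(e["session"], []).append(e)

    # Signal: login followed quickly by a settings or SAC number change.
    for sess in by_session.values():
        login_ts = sess[0]["ts"] if sess[0]["type"] == "login" else None
        for e in sess:
            if (login_ts is not None
                    and e["type"] in ("settings_change", "sac_number_change")
                    and e["ts"] - login_ts <= SETTINGS_AFTER_LOGIN_S):
                signals.setdefault("settings_change_after_login", []).append(
                    (e["session"], e["type"], e["ts"] - login_ts))

    # Signal: concurrent sessions whose locations are far apart
    # (covers both "logins at the same time" and "overlapping sessions").
    spans = {s: (ev[0]["ts"], ev[-1]["ts"], ev[0]["lat"], ev[0]["lon"])
             for s, ev in by_session.items()}
    for (s1, a), (s2, b) in combinations(spans.items(), 2):
        overlap = a[0] <= b[1] and b[0] <= a[1]
        km = haversine_km(a[2], a[3], b[2], b[3])
        if overlap and km >= FAR_APART_KM:
            signals.setdefault("overlapping_far_sessions", []).append((s1, s2, round(km)))

    # Signal: new SAC number, then a burst of transfers.
    for e in events:
        if e["type"] == "sac_number_change":
            later = [x for x in events
                     if x["type"] == "transfer" and 0 < x["ts"] - e["ts"] <= BURST_WINDOW_S]
            if len(later) >= BURST_COUNT:
                signals["transaction_burst_after_sac_change"] = len(later)

    # Signal: many distinct IPs inside a short window of one session.
    for s, sess in by_session.items():
        worst = 0
        for e in sess:
            ips = {x["ip"] for x in sess if e["ts"] - IP_WINDOW_S <= x["ts"] <= e["ts"]}
            worst = max(worst, len(ips))
        if worst >= IP_COUNT:
            signals.setdefault("rapid_ip_switching", []).append((s, worst))

    # Signal: first RDC use on this device; combined with far-apart overlapping
    # sessions it is the mule pattern described above.
    for e in events:
        if e["type"] == "rdc_deposit" and e["device"] not in rdc_devices:
            signals["first_time_rdc"] = e["device"]
            if "overlapping_far_sessions" in signals:
                signals["possible_mule_activity"] = True
    return signals


# Constructed sample timeline: ~17 minutes on one account, two sessions.
T0 = 1_700_000_000
CHI = (41.8781, -87.6298)    # assumed location of session S1
LA = (34.0522, -118.2437)    # assumed location of session S2


def ev(offset, etype, session, ip, loc, device="dev-A"):
    return {"ts": T0 + offset, "type": etype, "session": session, "ip": ip,
            "lat": loc[0], "lon": loc[1], "device": device}


SAMPLE_EVENTS = [
    ev(0, "login", "S1", "203.0.113.10", CHI),
    ev(180, "settings_change", "S1", "203.0.113.10", CHI),
    ev(240, "login", "S2", "198.51.100.7", LA, "dev-X"),
    ev(300, "sac_number_change", "S2", "198.51.100.8", LA, "dev-X"),
    ev(400, "transfer", "S2", "198.51.100.9", LA, "dev-X"),
    ev(500, "transfer", "S2", "198.51.100.10", LA, "dev-X"),
    ev(600, "transfer", "S2", "198.51.100.11", LA, "dev-X"),
    ev(700, "rdc_deposit", "S1", "203.0.113.10", CHI),
    ev(900, "logout", "S1", "203.0.113.10", CHI),
    ev(1000, "logout", "S2", "198.51.100.11", LA, "dev-X"),
]

if __name__ == "__main__":
    for name, evidence in detect_signals(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

Each rule returns evidence rather than a bare boolean, so an investigator can see which sessions and how many seconds or kilometres triggered it; passing a device history (`rdc_devices`) suppresses the RDC rule for devices that have legitimately used it before.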
Taking a holistic approach
Again, those are just a few of the potential signals. To compete with and surpass the fraudsters, you need to pull in dozens of these signals, at various steps along the journey, from before the log-in occurs, through to the moment of transaction.
You also need to be able to get this information and detect these potential anomalies in real-time. And you need to pull it into a centralized location for investigation and reporting.
It’s Not Always Black and White
When reading through those potential ATO signals, a few “innocent misunderstanding” situations may have sprung to mind. Maybe you and your spouse were both trying to access your joint account, from different parts of the country, at the same time. Or maybe you started up a side hustle and took in a few remote deposit captures quickly after having never previously used that technology.
In those situations, or in situations where you’re fairly certain it’s an ATO attempt but you need to do a bit more investigation, you need a middle path between “Let the user operate fully” and “Lock the user out of the account.” This third option should give legitimate users access to the base functionality they need while keeping fraudsters out of the areas where they can do damage, and give you the time you need to make a final determination on the user’s true status.
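One way to implement that middle path, as an added example that is not part of the original article: signals are weighted into a score, the score selects an access tier, and a restricted tier keeps base functionality open while holding sensitive actions for step-up verification or investigator review. The signal names, weights, thresholds and action names are assumptions chosen for this example, not any institution’s policy.

```python
"""Middle-path access policy: map ATO signals to an access tier and gate
actions by tier. Weights, thresholds and action names are assumptions
made for this example, not a bank's or vendor's policy."""
from enum import Enum


class Tier(Enum):
    FULL = "full"              # no concerns, normal service
    RESTRICTED = "restricted"  # base functionality only, pending review
    LOCKED = "locked"          # high confidence of takeover


# Assumed weights: signals that redirect the SAC or move money weigh most.
SIGNAL_WEIGHTS = {
    "settings_change_after_login": 2,
    "overlapping_far_sessions": 2,
    "transaction_burst_after_sac_change": 4,
    "rapid_ip_switching": 2,
    "first_time_rdc": 1,
    "possible_mule_activity": 3,
}
RESTRICT_AT = 2   # assumed: one ambiguous signal already earns the middle path
LOCK_AT = 8       # assumed: only a cluster of strong signals locks the account

# What a legitimate user still needs vs. where a fraudster does damage.
BASE_ACTIONS = {"view_balance", "view_history", "pay_existing_payee"}
SENSITIVE_ACTIONS = {"add_payee", "external_transfer", "wire",
                     "change_contact", "change_sac_number", "rdc_deposit"}


def risk_score(signals):
    """Sum the weights of the signals present (unknown names count zero)."""
    return sum(SIGNAL_WEIGHTS.get(name, 0) for name in signals)


def decide_tier(signals):
    """Pick the access tier for the current session from its signals."""
    score = risk_score(signals)
    if score >= LOCK_AT:
        return Tier.LOCKED
    if score >= RESTRICT_AT:
        return Tier.RESTRICTED
    return Tier.FULL


def authorize(tier, action):
    """Return (allowed, reason) for an action under a tier.

    Restricted users keep base functionality; sensitive actions are held
    for step-up verification or an investigator's decision rather than
    silently failing, so the legitimate spouse or side-hustle user is
    inconvenienced, not locked out.
    """
    if tier is Tier.LOCKED:
        return False, "account locked pending investigation"
    if tier is Tier.FULL:
        return True, "ok"
    if action in BASE_ACTIONS:
        return True, "base functionality permitted under restriction"
    if action in SENSITIVE_ACTIONS:
        return False, "held for step-up verification / investigator review"
    return False, "unknown action denied by default under restriction"


def access_summary(signals):
    """Tier plus the sensitive actions that would be held, for a case note."""
    tier = decide_tier(signals)
    held = sorted(a for a in SENSITIVE_ACTIONS if not authorize(tier, a)[0])
    return {"score": risk_score(signals), "tier": tier.value, "held_actions": held}


if __name__ == "__main__":
    # Constructed scenarios: the joint-account spouse, the new side hustle,
    # and the full takeover pattern.
    print(access_summary({"overlapping_far_sessions"}))
    print(access_summary({"first_time_rdc"}))
    print(access_summary(set(SIGNAL_WEIGHTS)))
```

The thresholds are the policy knob: lowering RESTRICT_AT widens the middle path at the cost of more step-up prompts for legitimate users, while LOCK_AT should stay high enough that only a cluster of strong signals removes access entirely.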
A significant but surmountable challenge
Fraud prevention today is not about stopping one scheme. It’s about anticipating the next move in a highly connected web of threats. Account takeover schemes illustrate the coordinated, adaptive, and identity-driven nature of today’s financial crime landscape. Institutions that treat these events as isolated will always be reacting to threats rather than preventing them.
That may seem a little scary and perhaps a bit overwhelming, but creating comprehensive, continuous account takeover protection for your account holders is doable. It requires a shift in mindset, a thoughtful strategy that accounts for your institution’s goals and your account holders’ needs, and then the right technology to make it all happen.