Account Takeover Is a Journey Problem: Here's How to Solve It

AI Fraud

By Jim Young

22 Jun, 2026

Account takeover fraud doesn't work the way most people imagine it. The core challenge for financial institutions isn't just stopping a suspicious login. It's recognizing that fraud is not a single event—it's a sequence. And attackers who get blocked at one step don't give up. They adapt, try a different channel, and keep going.

That persistent, adaptive nature is what makes account takeover one of the most challenging fraud types facing financial institutions today. At CONNECT 26, Q2 dedicated a full breakout session to the threat and the coordinated platform approach they’ve developed to combat it. Led by Product Manager Molly Overton and Senior Product Managers Angelica Gascon and Kristina Wingers, the session walked through a realistic account takeover attack scenario from first suspicious signal to final resolution.

But first they got things started with a humorous video that used AI to produce a fictional movie trailer about Q2’s account takeover solution. 

A framework for fighting back: The Fraud Intelligence life cycle

Q2's approach to account takeover starts from a clear premise: You can't stop a sequential, multi-channel attacker with a single-point solution. What you need is a closed-loop system, where the signals flow in continuously, the platform responds in real time, and every resolved incident makes the next defense smarter.

Q2 calls this the Fraud Intelligence life cycle. It connects Q2 apps, partners, and financial institutions into a single defense network built around four interconnected stages:

• Detect: Recognize attacks in progress by correlating cross-network signals for earlier detection.

• Intercept: Orchestrate real-time, graduated actions.

• Resolve: Restore the account and secure access across the channels.

• Learn: Feed every signal detected, every interception made, and every case resolved back into the models, making them sharper over time. 


The life cycle was brought to life by walking through a realistic account takeover scenario in three phases. Each phase featured a different Q2 capability at its center: A fraudster logs in with stolen credentials, behaves suspiciously in-session, gets blocked from moving money, and then tries to route around the institution through a third-party app.

First phase: Catch it before it happens with User Activity Monitoring

The scenario opens with what looks, at first, like a normal login. The credentials check out. Nothing is technically broken. But the behavior is off. There’s a password update, but that doesn’t tell the whole story. The activity leading up to it looks more like someone exploring and testing the waters than a legitimate user who already knows where they’re going.

"When somebody steals the keys to your house, they're not going to just enter the house and sit on the couch and watch TV,” Gascon explained. “They came in there to do something. They're going to check out all the rooms to try to find that safe.”

This is where User Activity Monitoring comes in. Unlike tools that focus on the login event or the transaction, User Activity Monitoring watches the session itself, continuously analyzing behavior in real time to determine whether actions align with confirmed account takeover patterns we have observed across a data set of ~200 financial institutions. A legitimate customer behaves one way; someone using stolen credentials tends to behave very differently. User Activity Monitoring is built to see that difference, and to flag it before a transaction ever happens.

"A single suspicious click or a single action is not going to tell you enough,” Gascon said. “Having that session level context is really going to tell you the whole story.”

The goal isn't to create friction for legitimate users. It's to identify the specific signals that distinguish a real customer from someone impersonating them. User Activity Monitoring is designed for a world where fraud happens before money moves, not after. And as the session noted: an external signal can sharpen this picture even further.

Contain the Risk With Restricted Entitlements Mode

The fraudster, now flagged as high risk, starts trying to take action inside the account.

This is where Restricted Entitlements Mode takes over. When signals from User Activity Monitoring (or other triggers) indicate a threat, Restricted Entitlements Mode enables the financial institution to take targeted, proportional action without necessarily locking the account holder out entirely: limiting what functions are available in a session, restricting specific transaction types, or blocking movement of funds.

That distinction matters. A blanket account lockout is disruptive to legitimate customers and can erode trust, especially when fraud is only suspected. Restricted Entitlements Mode is designed for a more surgical response, containing the risk at the right moment, with the right level of intervention.

"When you disable a user, when you lock somebody out, you're not just preventing the fraud or the compromise, you're also affecting treasury operations,” Wingers said. “The question shifted from, ‘How do we stop something entirely?’ to, ‘How do we maintain as much of the true customer experience as possible while also limiting our risk?’"

No back doors: Detecting fraud off platform

Here's where the scenario takes its sharpest turn and where many point solutions would lose the thread entirely.

A fraudster who gets blocked inside a digital banking platform doesn't stop. They pivot. They try a third-party app and attempt to link the account through something like Venmo and route the money out through a channel the institution's fraud tools don't see. Traditional fraud detection tied to the digital banking session is blind to that move. The attacker has simply left the building.

Q2's answer to this problem is the ability to ingest external signals, so the platform stays aware even when the attacker leaves the session. The vision is a fraud defense that isn't bounded by the edges of your digital banking platform, but can pull in signals from across the financial ecosystem to track suspicious activity wherever it goes.

Right now, the clearest example of this is Q2's integration with Plaid. When a fraudster attempts to link an account or initiate a transfer through a third-party connection, those signals flow into Q2's Fraud Intelligence Platform and the same defenses apply. The account holder gets notified. Q2 ingests the signal. Action is taken.

Think of it this way: If someone is trying to break into a building and gets stopped on the first and second floors, they'll look for the stairs. The goal is to catch them at the stairs, wherever those stairs happen to be.
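The three phases above (session-level scoring, graduated restriction, and an off-platform signal raising the same risk state) can be sketched in a few lines. This is an added example, not Q2's code or model: the event names, weights, thresholds and entitlement names are all hypothetical.

```python
# Constructed example: event names, weights and thresholds are hypothetical.
WEIGHTS = {"new_device": 25, "password_change": 20, "external_link_attempt": 35}
EXPLORE_PAGES = 5    # distinct pages viewed before a password change
EXPLORE_WEIGHT = 25  # added when that exploration pattern is present
ALL = frozenset({"view", "transfer", "add_payee", "change_contact"})
TIERS = [  # (minimum score, entitlements left enabled), highest tier first
    (70, frozenset({"view"})),              # no funds movement, no profile edits
    (40, frozenset({"view", "transfer"})),  # transfers to existing payees only
    (0, ALL),
]

def score(events):
    """Score a whole session; events are (seconds_since_login, kind, detail)."""
    total, pages, counted = 0, set(), set()
    for _, kind, detail in sorted(events):
        if kind == "page_view":
            pages.add(detail)
        elif kind in WEIGHTS and kind not in counted:
            counted.add(kind)
            total += WEIGHTS[kind]
            # Context matters: the same password change scores higher when it
            # follows broad exploration of the account.
            if kind == "password_change" and len(pages) >= EXPLORE_PAGES:
                total += EXPLORE_WEIGHT
    return min(total, 100)

def entitlements(risk):
    """Map a risk score to the functions that stay available."""
    return next(allowed for floor, allowed in TIERS if risk >= floor)

# Constructed sessions.
LEGIT = [(0, "page_view", "home"), (12, "page_view", "settings"),
         (40, "password_change", "")]
SUSPECT = [(0, "new_device", "")] + [
    (10 * i, "page_view", p) for i, p in enumerate(
        ["home", "accounts", "statements", "payees", "limits", "settings"], 1)
] + [(95, "password_change", "")]
# A partner-reported signal that arrives outside the banking session.
OFF_PLATFORM = SUSPECT + [(200, "external_link_attempt", "third-party app")]

if __name__ == "__main__":
    for name, s in [("legit", LEGIT), ("suspect", SUSPECT),
                    ("off-platform", OFF_PLATFORM)]:
        r = score(s)
        print(f"{name}: score={r} allowed={sorted(entitlements(r))}")
```

The password change alone leaves the legitimate session fully entitled, while the same action after a new-device login and broad exploration drops the session to view-only without locking the account.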

Built for what's coming: Agentic AI in the fraud workflow

Q2 is being deliberate about how AI gets incorporated rather than rushing to label existing technology as "AI-powered" and calling it a day.

The Fraud Pattern Discovery Agent analyzes confirmed fraud cases across financial institutions to identify repeatable attack patterns and rapidly convert them into new fraud detectors. Its automated pattern discovery dramatically reduces the time to identify emerging fraud tactics and scale protections across institutions, strengthening the collective defense of the network. Each confirmed fraud case makes the next detection sharper across the financial institution’s ecosystem.

The Case Explainability Agent focuses on the investigation side. Instead of fraud analysts manually reviewing entire user activity logs, the agent transforms raw activity data into a clear, natural-language narrative of the suspected attack along with a filtered timeline that surfaces only the events relevant to that fraud pattern. The result: faster, more confident decisions with full transparency into why a case was flagged.

The goal is a platform in which financial institutions are managing an AI approach to fraud. It’s one in which the institution stays in control, the technology handles more of the detection and decision-making, and the whole system gets smarter over time.

What's next

To learn more about Q2's Continuous Account Takeover solutions, including User Activity Monitoring and Restricted Entitlements Mode, check out the resources below, or reach out directly to start a conversation.

Q2 Account Takeover Protection

Q2 Risk & Fraud Management Overview