Account takeover fraud occurs when bad actors gain unauthorized account access — and it poses many challenges for financial institutions and their customers. Criminals controlling these accounts can cause significant losses for both victims and financial institutions by withdrawing or transferring funds, making unauthorized purchases or selling account details to other criminals. They also may change the user’s account information (e.g., email address, phone number) or credentials, locking the victim out of the account and hindering the financial institution’s ability to contact them about suspicious activity.
Account takeover fraud resulted in more than $15.6 billion in reported losses in the U.S. in 2024, up from $12.7 billion in 2023, according to one industry study.
Reports of account takeover increased by over 36% in 2024 compared to 2023, according to Suspicious Activity Reports filed with the Financial Crimes Enforcement Network (FinCEN). These trends are driven in part by the combination of consumers’ expanded digital footprints, criminals’ wider access to user data, and emerging technologies that can make account takeover easier to automate.
Why Account Takeover Remains So Pervasive
A common method used to take over accounts is credential stuffing, i.e., when criminals systematically test passwords for a given username until the correct combination is identified. Users’ poor password management — including reused and weak passwords — often makes this technique successful. In recent years, increasingly common large-scale data breaches exposed billions of information pairs and sensitive customer information to criminals, fueling credential stuffing attempts. Additionally, criminals may leverage breached data to more convincingly curate targeted phishing messages to deceive victims into sharing their account credentials.
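The pattern a credential stuffing run leaves in authentication logs is different from a legitimate user mistyping a password: one source walks through many distinct usernames in a short time and succeeds only rarely. The following detection logic is an added example written for this article and is not code from the Federal Reserve or any vendor; the log line format, the sample lines (constructed, using documentation IP ranges) and the thresholds (five distinct usernames within five minutes, at most a 20% success rate) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The line format is an
# assumption made for this example: timestamp, client IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=grace result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.5 user=heidi result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.5 user=ivan result=FAIL
2024-05-01T10:00:10Z ip=203.0.113.5 user=judy result=FAIL
2024-05-01T10:00:30Z ip=198.51.100.20 user=alice result=FAIL
2024-05-01T10:00:45Z ip=198.51.100.20 user=alice result=FAIL
2024-05-01T10:01:10Z ip=198.51.100.20 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(
            Attempt(
                ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                ip=m["ip"],
                user=m["user"],
                success=(m["result"] == "SUCCESS"),
            )
        )
    return attempts


def detect_credential_stuffing(
    attempts: list[Attempt],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    max_success_rate: float = 0.2,
) -> dict[str, dict]:
    """Flag source IPs that, within any sliding time window, try many distinct
    usernames with a low success rate. A user who mistypes a password hits one
    username repeatedly; an automated run walks a list of credential pairs."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    alerts: dict[str, dict] = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start so the span never exceeds `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start : end + 1]
            users = {e.user for e in win}
            successes = [e.user for e in win if e.success]
            rate = len(successes) / len(win)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                prev = alerts.get(ip)
                # Keep the widest qualifying window seen for this IP.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "success_rate": round(rate, 2),
                        # Accounts that accepted a guessed password: candidates
                        # for forced step-up authentication and a credential reset.
                        "successful_logins": sorted(set(successes)),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.5 is flagged (ten usernames in nine seconds, one success), while 198.51.100.20 is not: three tries against a single username is what a forgotten password looks like. The successful login inside a flagged window is the account a defender cares about most, since a guessed password on a reused credential is exactly the takeover path described above. A per-IP threshold is only one layer; a run spread across many addresses keeps each source below the threshold, which is why the same counting is also worth doing per username and per device fingerprint.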
Tools for automating account takeover attacks are now more accessible and easier to use. Originally, criminals worked manually or with simple scripts to carry out credential stuffing. More recently, they are relying on newer technologies to commit fraud with more sophistication and at greater scale. For example, bad actors may leverage machine learning to intelligently pair or infer credentials based on email addresses and personally identifiable information (PII), as illustrated below.

The increased sophistication of scripted attacks also allows bots to perform tasks that emulate human behavior (e.g., mouse movements, typing patterns or browsing behaviors). As a result, traditional bot detection may now be less effective in detecting account takeover.
Generative Artificial Intelligence Increases Ease and Effectiveness of Phishing, Social Engineering and Impersonation
Before the era of generative artificial intelligence (AI), phishing messages often were filled with typos and grammatical errors, or their tone was unusual or strange. With the emergence of generative AI-based tools, criminals can create highly polished content in any language that often is difficult to distinguish from valid correspondence, enabling social engineering techniques.
Generative AI has helped facilitate more effective impersonation of account holders to their financial institutions. Deepfakes, or synthetic media used to convincingly imitate a person’s appearance, voice or mannerisms, have been around for some time and are often used in phishing and social engineering. Today, deepfakes can be produced more quickly and convincingly using generative AI. Furthermore, deepfake technology may improve its effectiveness over time.
Ways to Improve Account Takeover Detection and Prevention
Although account takeover remains challenging and persistent, financial institutions can implement a multi-layered strategy to help prevent and detect this threat.

Educate Customers About Social Engineering and Phishing
Awareness of common scams and red flags can help individuals identify suspicious messages and prevent people from responding to unsolicited requests for personal information that could be used in account takeover attempts.
For example, criminals may use spoofing — a tool that makes phone calls, emails and text messages appear to be from a known or trusted source — to impersonate banks and notify consumers of “fraud” affecting their accounts. Individuals who do not have an account with the financial institution may quickly identify the contact as a scam attempt. However, the scam message may seem more believable when consumers actually have accounts with the financial institution.
Ensuring customers know what distinguishes their financial institution’s legitimate message from a scam message, as well as encouraging them to pause and verify unsolicited requests, could prevent individuals from inadvertently providing personal information to a bad actor.

Enable Robust Multi-factor Authentication (MFA) Capabilities
MFA is a foundational prevention tool for account takeover, and it is important to consider enabling more robust approaches that incorporate non-phishable authentication factors, such as authentication apps, soft/hard tokens, physical/behavioral biometrics or passkeys. Financial institutions also can consider the best ways to encourage their customers to comply with MFA requests, such as by offering engaging educational content about MFA benefits and the risks of non-adoption.

Combine Use of Device-based Risk Signals With Account and Transaction Monitoring
Device-based risk signals include information about the device that is being used (e.g., device fingerprint), how the user interacts with that device (e.g., behavioral biometrics) and how that information compares with historical patterns. For more information, read Digital Defenders: Leveraging Risk Signals to Help Combat Fraud and Scams.
Combining device-based risk signals with account and transaction monitoring can provide powerful tools to detect account takeover. For example, if a new device is used to log into an account, and the user then changes the home address associated with the account, these actions could trigger a standard email risk alert from the financial institution to the customer. If the user attempts to transfer half of the account funds to a new receiver account soon after changing the address in the account, this action could also trigger a customized notification to the account holder for additional verification.
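The scenario above is a sequence of rules that only fire in combination: an unrecognized device is context, an address change after that login earns a standard email alert, and a large transfer to a new recipient soon after the change earns a step-up verification. The code below is an added example written for this article, not Federal Reserve or vendor code; the event schema, the account profile fields, the 24-hour windows, the "half of the balance" share and the constructed sample events are all assumptions chosen to make the layering concrete.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One account event. `kind` is "login", "profile_change" or "transfer";
    the remaining fields are used only by the kinds that need them."""
    ts: datetime
    kind: str
    device: str = ""        # device fingerprint (login)
    field_name: str = ""    # changed profile field (profile_change)
    amount: float = 0.0     # transfer amount (transfer)
    recipient: str = ""     # destination account (transfer)


@dataclass
class AccountProfile:
    """Historical context the rules compare against (assumed schema)."""
    known_devices: set
    known_recipients: set
    balance: float


def evaluate_events(
    profile: AccountProfile,
    events: list[Event],
    change_window: timedelta = timedelta(hours=24),
    transfer_window: timedelta = timedelta(hours=24),
    large_share: float = 0.5,
) -> list[dict]:
    """Apply the layered rules to a time-ordered event stream and return the
    customer-facing actions they trigger, in order."""
    actions = []
    new_device_login_at = None   # set when a login used an unrecognized device
    address_change_at = None     # set when the address changed after such a login

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            if ev.device not in profile.known_devices:
                # The device signal on its own is context, not yet an alert.
                new_device_login_at = ev.ts
        elif ev.kind == "profile_change" and ev.field_name == "home_address":
            recent_new_device = (
                new_device_login_at is not None
                and ev.ts - new_device_login_at <= change_window
            )
            if recent_new_device:
                address_change_at = ev.ts
                actions.append({
                    "ts": ev.ts,
                    "action": "email_risk_alert",
                    "reason": "home address changed after login from unrecognized device",
                })
        elif ev.kind == "transfer":
            new_recipient = ev.recipient not in profile.known_recipients
            large = ev.amount >= large_share * profile.balance
            soon_after_change = (
                address_change_at is not None
                and ev.ts - address_change_at <= transfer_window
            )
            if new_recipient and large and soon_after_change:
                actions.append({
                    "ts": ev.ts,
                    "action": "step_up_verification",
                    "reason": "large transfer to new recipient shortly after address change",
                })
    return actions


def demo_suspicious() -> list[str]:
    """Constructed sequence matching the article's scenario."""
    profile = AccountProfile(known_devices={"fp-laptop-01"},
                             known_recipients={"acct-rent"}, balance=9000.0)
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    events = [
        Event(t0, "login", device="fp-unknown-77"),
        Event(t0 + timedelta(minutes=12), "profile_change", field_name="home_address"),
        Event(t0 + timedelta(minutes=40), "transfer", amount=4800.0, recipient="acct-new-99"),
    ]
    return [a["action"] for a in evaluate_events(profile, events)]


def demo_benign() -> list[str]:
    """Same address change and transfer, but from a recognized device."""
    profile = AccountProfile(known_devices={"fp-laptop-01"},
                             known_recipients={"acct-rent"}, balance=9000.0)
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    events = [
        Event(t0, "login", device="fp-laptop-01"),
        Event(t0 + timedelta(minutes=5), "profile_change", field_name="home_address"),
        Event(t0 + timedelta(minutes=10), "transfer", amount=4800.0, recipient="acct-new-99"),
    ]
    return [a["action"] for a in evaluate_events(profile, events)]


if __name__ == "__main__":
    print("suspicious:", demo_suspicious())
    print("benign:", demo_benign())
```

The two demos differ only in the device fingerprint at login, yet one yields an email alert followed by a step-up verification and the other yields nothing; that is the point of combining device signals with account and transaction monitoring rather than alerting on either alone. In production the step-up action would route to whatever out-of-band verification the institution's MFA program provides, and the thresholds would be tuned against the institution's own false-positive rate.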
Conclusion
The wide availability of PII, new tools to automate account takeover, and the use of generative AI to make phishing and impersonation more convincing undoubtedly have contributed to the persistent threat of account takeover fraud. Given evolving uses for automation and AI in the fraud ecosystem, account takeover is likely to be a continued challenge for financial institutions and their customers for the foreseeable future. To help combat it, financial institutions can implement a layered approach to enhance account takeover detection and prevention.
Stay Connected
Keep informed about the Fed’s efforts to support payment security and mitigate fraud by joining the FedPayments Improvement Community.