
Account Takeover Prevention: How to Stop ATO Attacks


Account takeover fraud cost businesses $15.6 billion in 2024. Here’s how ATO attacks work, what they cost, and the prevention strategies that actually reduce fraud without adding friction.

Account takeover fraud resulted in $15.6 billion in losses in 2024, a $2.9 billion increase from the prior year (AARP & Javelin). That’s more than double the losses from new-account fraud. The attackers aren’t targeting high-profile celebrities or Fortune 500 executives. They’re targeting your customers.

The business impact extends beyond direct fraud losses. 80% of consumers won’t return to a site after experiencing an account takeover there (Mitek). Every compromised account represents lost customer lifetime value, remediation costs, and reputational damage that compounds long after the incident is resolved.

Account takeover prevention isn’t a security checkbox. It’s revenue protection.

Key takeaways:

  • ATO fraud caused $15.6B in losses in 2024; merchants lost $38B in 2023
  • 80% of consumers won’t return after an ATO incident (customer churn is the hidden multiplier)
  • Tokenization reduces CNP fraud by 26-60%; 3DS shows 45% fraud reduction
  • 99% of organizations were targeted in 2024; 62% suffered successful breaches
  • Layered defense (MFA + behavioral analytics + tokenization + 3DS) is required

What is account takeover fraud

An account takeover (ATO) occurs when an attacker gains unauthorized access to a legitimate user account. Once inside, they can make purchases with stored payment methods, steal personal data, change account credentials to lock out the real owner, or use the account as a launching point for further attacks.

ATO differs from new-account fraud, where attackers create accounts using stolen identity information. In an account takeover, the attacker compromises an existing account with an established transaction history, stored payment credentials, and trusted status with the merchant. This makes ATO harder to detect and more damaging when successful.

The scale is staggering. 99% of organizations were targeted for ATO in 2024, and 62% suffered at least one successful breach (Mitek). 29% of US adults, roughly 77 million people, have experienced an account takeover. This isn’t a niche problem affecting a few unlucky businesses. It’s an industry-wide challenge.

How ATO attacks work

Attackers use several methods to compromise accounts. Understanding these vectors is the first step toward effective account takeover prevention.

Attack vector       | How it works                                                | Scale
Credential stuffing | Automated testing of stolen passwords against other sites   | 26B attempts/month
Phishing            | Fake emails/pages trick users into revealing credentials    | Up 4,151% since ChatGPT launch
SIM swapping        | Attacker hijacks phone number to intercept MFA codes        | Up 20% YoY
Malware/keyloggers  | Software captures credentials as users type                 | Often undetected for months
Session hijacking   | Stealing active auth tokens to impersonate logged-in users  | Bypasses password entirely

Credential stuffing is the most common attack method. Over 24 billion username/password pairs circulate on cybercrime forums (SpyCloud). Attackers use automated tools to test these stolen credentials against other sites. Because 52% of people reuse passwords across accounts (Mitek), a breach at one site gives attackers access to accounts everywhere.

The success rate of credential stuffing is low, typically 0.1-2% (OWASP). But at scale, it’s devastatingly effective. One million stolen credentials can yield 20,000 compromised accounts. With 26 billion credential stuffing attempts occurring monthly (Mitek), even a low success rate produces massive fraud.

Phishing tricks users into revealing their credentials directly. Attackers send emails or create fake login pages that mimic legitimate sites. Phishing attacks have increased 4,151% since the launch of ChatGPT, as AI makes it easier to generate convincing fake communications (Mitek).

SIM swapping bypasses SMS-based two-factor authentication. Attackers convince mobile carriers to transfer a victim’s phone number to a new SIM card. With control of the phone number, they can intercept one-time passwords and reset account credentials. SIM swap attacks increased 20% year-over-year (Mitek).

Malware and keyloggers capture credentials as users type them. Session hijacking steals active authentication tokens, letting attackers impersonate logged-in users without needing the password at all.

The business cost of account takeovers

The direct fraud losses are substantial, but they understate the true cost. Merchants lost $38 billion to account takeover attacks in 2023 (Juniper Research). That figure is projected to reach $91 billion by 2028.

Cost category        | Impact
Direct fraud losses  | $15.6B in 2024; $38B to merchants in 2023
Indirect costs       | $4.61 lost for every $1 of fraud (chargebacks, remediation)
Corporate breaches   | $5M average cost per account breach
Revenue loss         | 7.7% of annual revenue lost to fraud (9.8% for US businesses)
Customer churn       | 80% won't return after an ATO incident

The indirect costs multiply the damage. Retailers lose $4.61 for every $1 of ecommerce fraud after accounting for chargebacks, remediation, customer service, and operational disruption (Radial). The average cost of a single account breach reaches $5 million at the corporate level (Mitek).

Key point: 80% of consumers won’t return to a site after an ATO incident. For subscription businesses with high customer lifetime value, losing 80% of affected customers far exceeds the direct fraud loss.

Customer churn is the hidden multiplier. A single successful attack on 1,000 accounts doesn’t just create 1,000 fraud incidents. It potentially eliminates 800 customer relationships.

Companies worldwide lost 7.7% of annual revenue to fraud on average in 2024. US businesses reported losing 9.8% of revenue, a 46% increase from the prior year (TransUnion). Fraud is no longer a cost of doing business. It’s becoming a material threat to margins.

Account takeover accounts for 32% of all ecommerce fraud globally (Statista). Prioritizing ATO prevention addresses nearly a third of the fraud problem.

How to detect account takeover attempts

Detection catches attacks before they result in fraud. The goal is identifying suspicious activity early enough to intervene without adding friction to legitimate customers.

Behavioral analytics establishes a baseline of normal user behavior, then flags anomalies. A customer who always logs in from Chicago at 10 PM suddenly accessing their account from a new country at 3 AM triggers an alert. AI-powered behavioral detection achieves 95% accuracy (SentinelOne) and reduces breach containment time from 322 days to 214 days compared to legacy systems.

Velocity checks identify credential stuffing attacks by monitoring login attempt rates. A surge of failed login attempts from the same IP range, or against the same account, signals an automated attack. Rate limiting and IP blocking can stop these attacks before they succeed.

Device fingerprinting identifies the unique characteristics of a user’s device. When a known account appears on an unknown device, the system can require additional verification before granting access. This works in the background without adding friction to legitimate logins from recognized devices.

Impossible travel detection flags when an account is accessed from geographically distant locations in an impossibly short timeframe. A login from New York followed by a login from Tokyo 30 minutes later indicates either a compromised account or session hijacking.

The key is layering these detection methods. No single technique catches every attack. 65% of US financial institutions now use behavioral AI biometrics (Mitek), and 93% plan increased investment in AI-powered fraud detection.
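The three signal-based checks described above (velocity, new device, impossible travel) can be run together over a stream of login events. The following is an added example, not code from the original article: it evaluates a handful of constructed login events and returns one alert per rule that fires. The thresholds (5 failures per IP in 5 minutes, 900 km/h as the fastest plausible travel speed, 100 km minimum distance to ignore geo-IP jitter) are assumptions chosen for illustration, and the geolocation per event is assumed to come from an upstream IP-to-location lookup.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, tune for the real traffic profile).
FAIL_THRESHOLD = 5                # failed logins from one IP inside the window
FAIL_WINDOW = timedelta(minutes=5)
MAX_SPEED_KMH = 900.0             # faster than an airliner => impossible travel
MIN_DISTANCE_KM = 100.0           # ignore small jumps caused by geo-IP imprecision

# Constructed sample events (not real data). Times are UTC; lat/lon is the
# location of the source IP as an upstream lookup would report it.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T22:00:00", "account": "alice", "ip": "203.0.113.5",
     "device": "dev-A", "ok": True, "lat": 41.88, "lon": -87.63},   # Chicago
] + [
    # credential-stuffing burst: one IP, six accounts, six failures in 50 s
    {"ts": f"2024-06-01T23:00:{i * 10:02d}", "account": acct, "ip": "192.0.2.10",
     "device": "dev-X", "ok": False, "lat": 48.86, "lon": 2.35}
    for i, acct in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])
] + [
    {"ts": "2024-06-02T03:00:00", "account": "alice", "ip": "198.51.100.7",
     "device": "dev-Z", "ok": True, "lat": 35.68, "lon": 139.69},   # Tokyo, 5 h later
    {"ts": "2024-06-02T09:00:00", "account": "bob", "ip": "203.0.113.9",
     "device": "dev-B", "ok": True, "lat": 40.71, "lon": -74.01},   # New York
]

# Devices previously seen on each account (constructed).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(events, known_devices):
    """Run velocity, new-device and impossible-travel checks over login events.

    Returns a list of (rule, subject, detail) alerts in the order they fire.
    """
    alerts = []
    fails_by_ip = defaultdict(deque)   # ip -> timestamps of recent failures
    last_success = {}                  # account -> (ts, lat, lon) of last good login
    known = {acct: set(devs) for acct, devs in known_devices.items()}

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, ip = ev["account"], ev["ip"]

        if not ev["ok"]:
            # Velocity check: sliding window of failures per source IP.
            q = fails_by_ip[ip]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("velocity", ip, f"{len(q)} failures within {FAIL_WINDOW}"))
            continue

        # New-device check: fingerprint never seen on this account before.
        if ev["device"] not in known.setdefault(acct, set()):
            alerts.append(("new_device", acct, ev["device"]))
            known[acct].add(ev["device"])

        # Impossible-travel check against the previous successful login.
        if acct in last_success:
            prev_ts, plat, plon = last_success[acct]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(plat, plon, ev["lat"], ev["lon"])
            speed = dist / hours if hours > 0 else math.inf
            if dist >= MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", acct, f"{dist:.0f} km in {hours:.1f} h"))
        last_success[acct] = (ts, ev["lat"], ev["lon"])

    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{rule:18} {subject:14} {detail}")
```

On the sample data the burst from 192.0.2.10 trips the velocity rule at its fifth failure, and alice's Tokyo login five hours after Chicago (roughly 10,000 km, over 2,000 km/h) trips both the new-device and impossible-travel rules, while bob's login from his known device produces nothing. In production the new-device and travel alerts would feed a step-up decision (extra verification) rather than a hard block, which keeps friction off recognised devices as the section above describes.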

Prevention strategies that actually work

Detection identifies attacks in progress. Prevention stops them from succeeding.

Prevention method     | Fraud reduction | Adoption rate   | Notes
Multi-factor auth     | Significant     | 87% enterprise  | Hardware keys more secure than SMS
3D Secure             | 45%             | 3% US txns      | Also shifts liability to issuer
Tokenization          | 26-60%          | Growing         | Removes usable data from breach
CAPTCHA/bot detection | Varies          | 59% ecommerce   | Blocks automated credential stuffing
Behavioral analytics  | 95% accuracy    | 65% finserv     | Catches anomalies that rules miss

Multi-factor authentication (MFA) requires users to verify their identity through a second factor beyond the password. This could be a code sent to their phone, a push notification to an authenticator app, or a hardware security key. 87% of large enterprises now enforce MFA (Mitek).

MFA isn’t foolproof. SMS-based MFA is vulnerable to SIM swapping. Authenticator apps and hardware keys are more secure because they don’t depend on carrier security. The goal is making account compromise significantly harder, not impossible.

Password policies reduce the credential stuffing attack surface. Requiring unique, complex passwords and checking new passwords against known breach databases prevents users from choosing credentials that are already circulating in attacker databases. Password managers make this practical for users who would otherwise reuse passwords.
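The breach-database check can be implemented without ever sending a user's password, or even its full hash, to a third party: look up only a short hash prefix and compare the remainder locally (the k-anonymity range pattern). The block below is an added example, not the article's own code. The breach corpus is a constructed three-entry stand-in for a real breach database, and the policy thresholds (12-character minimum, three of four character classes) are assumptions for illustration.

```python
import hashlib
import re

def _sha1_hex(password):
    """Upper-case hex SHA-1, the digest form breach range lookups typically use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus (stand-in for a real breach database), indexed by
# the first five hex characters of the SHA-1 so a client only ever reveals
# that prefix and matches the remaining 35 characters locally.
_BREACHED_PASSWORDS = ["password123", "qwerty", "letmein"]
BREACH_RANGES = {}
for _pw in _BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password, ranges=BREACH_RANGES):
    """True if the password's hash appears in the range bucket for its prefix."""
    h = _sha1_hex(password)
    return h[5:] in ranges.get(h[:5], set())


def evaluate_password(password, username="", ranges=BREACH_RANGES):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:                                  # assumed minimum length
        problems.append("too short (minimum 12 characters)")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:                                         # assumed complexity rule
        problems.append("needs at least 3 of 4 character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password, ranges):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "Correct-Horse-Battery-7"]:
        print(candidate, "->", evaluate_password(candidate, username="alice") or "OK")
```

Rejecting a breached password at sign-up or password change is what actually shrinks the credential-stuffing surface: an attacker replaying a leaked pair never gets a match because the site refused to accept that password in the first place.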

CAPTCHA and bot detection slow automated attacks. 59% of ecommerce companies use CAPTCHA for ATO prevention (Radial). These measures add friction but block the scripted credential stuffing attempts that account for most ATO attacks.

3D Secure authentication adds a verification step at payment time. Even if an attacker has gained access to a compromised account, 3DS requires them to authenticate as the cardholder before completing a transaction. Visa reports that 3DS shows a 45% reduction in fraud compared to non-authenticated transactions (Visa). One company reported a 90%+ decrease in fraud-related chargebacks after implementing 3DS (FEVO).

The liability shift is equally important. For 3DS-authenticated transactions, the issuing bank, not the merchant, assumes liability for fraud. This protects the merchant’s bottom line even when fraud does occur.

How tokenization reduces ATO risk

Tokenization addresses a critical question: even if attackers get into an account, what can they steal?

When payment credentials are tokenized, the actual card number is replaced with a non-sensitive token. The token can be used to process transactions through the tokenization system, but it’s worthless to anyone who steals it. There’s no usable payment data to extract from a compromised account.

Network tokenization reduces fraud rates by up to 26% compared to traditional card-number-based transactions (Checkout.com). For card-not-present transactions, tokenization reduces fraud risk by as much as 60% (Chargeback Gurus).

Visa reported that issuing 4 billion network tokens led to a 28% drop in fraud rates and a 3% increase in transaction approvals (Mastercard). Tokenization improves both security and authorization rates because tokenized transactions carry more trust signals.

The business case is clear: tokenization doesn’t just prevent ATO fraud. It reduces the damage when account compromise does occur. Attackers who breach a tokenized system find tokens instead of card numbers. Without access to the tokenization vault, the data is useless.
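To make concrete why a stolen token is worthless on its own, here is an added example (not code from the article or from any real tokenization provider) of a minimal vault-and-merchant split. The vault holds the only mapping from token to card number; the merchant's database stores just the token and display data. The merchant binding in `authorize` (a token resolves only for the merchant it was issued to) is an assumption modelled on how network tokens are restricted in practice, and the card number is a constructed test value.

```python
import re
import secrets


class TokenVault:
    """Stand-in for a tokenization service; the only place a token maps back to a PAN."""

    def __init__(self):
        self._pan_by_token = {}   # token -> (pan, merchant_id)

    def tokenize(self, pan, merchant_id):
        # Random token: carries no information about the card number at all.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = (pan, merchant_id)
        return token

    def authorize(self, token, merchant_id):
        """Resolve a token for a charge. Returns the PAN, or None if the token is
        unknown or was issued to a different merchant (assumed binding rule)."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]


class MerchantStore:
    """What the merchant keeps on file: token plus display data, never the PAN."""

    def __init__(self, merchant_id):
        self.merchant_id = merchant_id
        self.records = []         # this is what an account or database breach exposes

    def save_card(self, vault, customer, pan):
        token = vault.tokenize(pan, self.merchant_id)
        self.records.append({"customer": customer, "token": token, "last4": pan[-4:]})
        return token

    def charge(self, vault, customer):
        """True if the vault resolves the stored token for this merchant."""
        rec = next((r for r in self.records if r["customer"] == customer), None)
        if rec is None:
            return False
        return vault.authorize(rec["token"], self.merchant_id) is not None


def breach_exposes_pan(store):
    """Simulate an attacker reading the merchant records: is any full card number present?"""
    dump = repr(store.records)
    return re.search(r"\b\d{13,19}\b", dump) is not None


def demo():
    vault = TokenVault()
    merchant_a = MerchantStore("merchant-A")
    test_pan = "4111111111111111"                 # constructed test card number
    token = merchant_a.save_card(vault, "alice", test_pan)

    return {
        "merchant_can_charge": merchant_a.charge(vault, "alice"),
        "breach_exposes_pan": breach_exposes_pan(merchant_a),
        # A stolen token replayed by someone else, or a guessed token, resolves to nothing.
        "stolen_token_elsewhere": vault.authorize(token, "merchant-B"),
        "guessed_token": vault.authorize(secrets.token_hex(16), "merchant-A"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The merchant can still charge the card through the vault, but a dump of its records contains no card number, and the token is inert outside the vault and outside the merchant it was issued to; that is the "tokens instead of card numbers" outcome the section describes.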

For businesses managing payment security and compliance, compliance outsourcing can simplify the implementation of tokenization alongside other credit card fraud prevention measures.

Building a layered defense

Account takeover prevention works best as a layered system. No single measure stops every attack. The combination of detection, authentication, and data protection creates overlapping barriers that dramatically reduce successful ATO.

Start with what’s already table stakes: MFA, password policies, and basic bot detection. Then add behavioral analytics to catch anomalies that slip through static rules. Implement 3DS for payment authentication to block unauthorized transactions even from compromised accounts. Tokenize payment credentials so successful breaches yield nothing of value.

62% of businesses report that ATO attacks cost more than they did in prior years (Chargebacks911). The attack surface is expanding, not shrinking. The question isn’t whether to invest in prevention, but how much revenue loss you’re willing to accept while you wait.

Frequently asked questions


What is an account takeover attack?

An account takeover (ATO) occurs when an attacker gains unauthorized access to a user’s account, typically through stolen credentials, phishing, or credential stuffing. They then use the account for fraud, theft, or further attacks. ATO differs from identity theft in that attackers compromise existing accounts rather than creating new ones.


How much do account takeover attacks cost businesses?

ATO attacks resulted in $15.6 billion in losses in 2024. Merchants lost $38 billion to ATO in 2023, with projections reaching $91 billion by 2028. Retailers lose $4.61 for every $1 of fraud after indirect costs including chargebacks, remediation, and customer service.


What is credential stuffing?

Credential stuffing is an automated attack where stolen username/password combinations from data breaches are tested against other sites. Because 52% of people reuse passwords, attackers can gain access to multiple accounts with one leaked credential set. Over 24 billion credential pairs circulate on cybercrime forums.


How does tokenization prevent account takeover fraud?

Tokenization replaces sensitive data like card numbers with non-sensitive tokens. Even if attackers compromise an account, they can’t steal usable payment credentials because the actual card data isn’t stored in your systems. Network tokenization reduces fraud by 26-60% in card-not-present transactions.


Does 3D Secure prevent account takeover?

3D Secure adds an authentication step at payment time, requiring the cardholder to verify their identity. This prevents unauthorized transactions even if an attacker has gained access to a user’s account. 3DS shows a 45% fraud reduction compared to non-authenticated transactions and shifts liability to the issuing bank.
