Account Takeover (ATO) Fraud: Understanding the Impact and How to Protect Your Business

Highlights: 

• Account Takeover (ATO) fraud is a rapidly growing, multi-billion dollar problem with consumer costs reaching $15.6 billion in 2024. Incidents increased 26% from 2022 to 2023, and ATO-related chargeback losses are 76% higher than typical chargebacks, leading to increased losses and significant customer churn.

• Relying only on fraud controls at account opening is insufficient. Businesses must modernize their defenses by implementing a continuous, layered strategy throughout the entire account lifecycle, utilizing automated portfolio monitoring, alternative data, and advanced technologies like AI and machine learning to proactively detect and prevent fraud.

Fraud is like a heavy anvil strapped around the neck of today’s businesses, dragging down progress, performance, and profitability. It diverts precious time, money, and resources away from day-to-day operations. And no company, no industry, no functional team is beyond its reach. 

Today, however, a growing fraud type—account takeover (ATO) fraud—is threatening businesses and consumers to the point that state-level agencies and leaders in New York and Ohio have recently issued formal warnings to consumers.  

Here, we examine the worrisome rise of ATO fraud, including how it’s carried out, its impact on businesses and consumers, and what the latest benchmarks reveal. We also share three high-impact best practices to help businesses reduce fraud losses, modernize their defenses, and better protect their customers.   

The “multi-billion dollar problem you don’t know about.”

ATO fraud is exactly what it sounds like. Fraudsters use a variety of strategies to gain access to an account, lock out the legitimate account owner, and take over the account, making purchases, withdrawing funds, etc. Even the most careful consumers and businesses fall prey to their tactics, which can include: 

• Phishing and social engineering: Account holders are tricked into providing sensitive information and credentials via impersonated emails, texts, phone calls, and websites.

• Business email compromise (BEC): A form of phishing, BEC mimics executive and vendor emails, convincing employees to make fraudulent wire transfers, payments, or reveal sensitive data.

• Credential stuffing: Stolen or leaked credentials and sensitive personal information are used to gain access to accounts. 

• Malware: Account holder credentials are obtained by using malware installed on a mobile device or computer. 

• SIM-swapping: Fraudsters convince a mobile provider to port a victim’s phone to the fraudster’s SIM, thereby giving them access to the victim’s accounts. 

• Session-hijacking: Attackers use specialized malware to steal session cookies, enabling them to bypass multi-factor authentication. 

The issue is so widespread and evolving that The Hacker News recently called ATO fraud, “The Multi-Billion Dollar Problem You Don’t Know About.” It cites a median account takeover exposure rate of 1.4 percent among platforms with 5 million to 300 million users. Translation: a potential minimum of 70,000 accounts exposed per platform. 

A recent Payments Journal article offers a more precise cost calculation, reporting that the consumer cost of ATO fraud hit $15.6 billion in 2024—a $2.9 billion jump since 2023 and more than double the amount of new-account fraud losses.  

Devastating Consequences for Businesses and Consumers 

As today’s ATO attacks become ever more sophisticated, with scammers using advanced software to execute complex, layered schemes and scalable AI assaults that bypass standard digital security measures, the resulting consequences for consumers and businesses can be devastating, including: 

• Increased losses, chargebacks, and write-offs at a time when many consumers and businesses are struggling under tough economic conditions. 

• Elevated consumer distrust as the line between real and fraudulent engagement, transactions, and resources continues to blur. Simply put, when people don’t feel safe, they stop doing business. According to a 2025 Javelin report, 42% of ATO victims closed the accounts where the fraud occurred. 

• Higher rates of account remediation, customer churn, and attrition due to fraud can burden internal resources and subtract from the bottom line. 

• Identity theft issues often associated with ATO fraud can compromise consumer credit scores and financial health for years after the initial incident. 

Incidents are Rising: Practical Benchmarks for Businesses

To help businesses put this fraud trend within the context of their own operations, Equifax recently analyzed its global data network from 2020 to 2023, spanning insights across 65 billion transactions, 16,000 merchants, and 75 industries. 

Our findings regarding ATO fraud are alarming, yet they offer practical benchmarks that businesses can use to inform and enhance their existing fraud mitigation strategies. 

• From 2022 to 2023, ATO fraud increased 26 percent. 

• Across our merchant data, the ATO fraud rate rose 8 percent year over year. 

• Across our merchant data, ATO chargeback losses are 76 percent higher than typical chargebacks—$576 per incident compared to $271.

VIEW FULL DIGITAL FRAUD REPORT

Yesterday’s fraud controls aren’t enough; use this approach instead. 

Companies often rely on a mix of tools to combat fraud, which are frequently stacked at account opening. However, given the interventional nature of ATO fraud—where fraudsters hijack existing accounts—a layered approach is essential moving forward. 

Integrating sophisticated digital and analytic fraud controls throughout the account lifecycle—at account opening and then continuously monitoring account updates, contact data, transactions, devices, and payments—offers dramatically improved fraud visibility across the business, along with actionable, real-time insights that can flag suspicious activity and stop fraud, instantly. 

Beyond account opening, here are three best practices for implementing a layered approach to fraud.

1. Automate portfolio monitoring to continuously scan accounts, spot evolving risks, identify new trends, and prevent losses. Alerts are auto-generated when suspicious activity is flagged to help streamline the investigation of high-risk activities and transactions. 

2. Add alternative data to existing verification protocols to broaden risk visibility across key transaction touchpoints—including updates to contact data and payment accounts—and help identify and block fraud earlier, without disrupting the customer experience.  

3. Adapt to new tactics and outpace fraudsters by integrating advanced technologies, including AI and machine learning, at key transaction points. This could include velocity checks that monitor how many times a user tries to engage with your business within a short period, bot detection, and card testing detection, which identifies when fraudulent cards are being tested with zero-dollar transactions. 

In today’s fast-moving digital economy, ATO fraud is a growing risk that demands immediate attention. By modernizing defenses, layering tech-forward fraud controls across the account lifecycle, and leveraging real-time data and analytic insights, businesses can enhance and streamline their fraud strategies to stay ahead of fraudsters, better protect their customers and bottom line, and strengthen the trust that fuels long-term growth and profitability. 
Discover more on recent fraud trends and learn about innovative fraud solutions that can help protect your business.