ATO fraud: Defusing the persistent challenge in the financial industry
Date: 21 July 2025

Account takeover fraud, or ATO, is a rising problem for banks and financial services companies. Over the last few years, both the number of successful ATO attacks and total losses have climbed steadily, with the percentage of the US population affected by ATO fraud increasing from 22% in 2021 to 29% in 2024.
ATO fraud is a form of identity theft in which criminals gain access to an account to steal sensitive information and/or use that account for unauthorised transactions. Bank accounts were once the primary focus of ATO fraudsters, but recently, they’ve realised that other online platforms host valuable accounts that they can leverage as well. Social media accounts, e-commerce marketplaces, and ticket websites are now juicy targets for ATO attacks.
As both the scope and scale of ATO attacks rise, it’s clear that financial services providers — both traditional institutions and cutting-edge fintech startups — lack the tools and tactics needed to combat them successfully.
But there are legitimate reasons why this type of financial fraud is so difficult to handle. Financial services organisations need to recognise the fundamental issues that permit ATO attacks to occur and continue, and adopt new ways to fight them.
ATO Attacks: The Highly Sophisticated Nemesis of Financial Services Providers
ATO attacks today combine many different modes of attack, making them extremely difficult for financial services providers to spot. For example, it used to be relatively easy to weed out brute-force bot attacks by rate-limiting or blocking on IP address. Now both bots and human fraudsters route their traffic through residential proxy networks and compromised hosts, so each attempt arrives from a different, ordinary-looking address, and they use anti-detect browsers and similar tooling to spoof device fingerprints.
Furthermore, generative AI has enabled fraudsters to up the ante with sophisticated and convincing phishing and social engineering attacks, with 42.5% of detected fraud scams reportedly AI-driven and a 29% success rate. Fraudsters use GenAI-written lures to harvest a legitimate user's password or to get malware onto their device. Where a password has already leaked in a third-party breach, they skip the lure altogether and replay the leaked username and password against other services, a technique known as credential stuffing. Either way, the attacker ends up logging in with valid credentials, which makes the fraudulent session hard to distinguish from legitimate account activity.
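To make the credential-stuffing pattern concrete, here is an added example (not code from the article or from any vendor it names) that runs a simple detector over constructed authentication log lines. The log format, field names and thresholds are assumptions: a source that attempts many different usernames and mostly fails looks nothing like one customer retrying their own password, and a successful login from such a source identifies an account whose password the attacker now holds. It also reports the window-wide failure ratio, because a campaign spread across residential proxies keeps every individual address below the per-IP thresholds.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article or from any vendor it mentions. The
log format, field names and thresholds are assumptions chosen for illustration,
and the log lines below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: "timestamp source_ip username result", one attempt per line.
# 203.0.113.10 sprays one attempt at each of ten different accounts (stuffing),
# 198.51.100.7 is one user mistyping their own password, 192.0.2.55 is routine.
SAMPLE_LOG = """\
2025-07-21T09:00:01Z 203.0.113.10 alice FAIL
2025-07-21T09:00:02Z 203.0.113.10 bob FAIL
2025-07-21T09:00:02Z 203.0.113.10 carol FAIL
2025-07-21T09:00:03Z 203.0.113.10 dave OK
2025-07-21T09:00:03Z 203.0.113.10 erin FAIL
2025-07-21T09:00:04Z 203.0.113.10 frank FAIL
2025-07-21T09:00:05Z 203.0.113.10 grace FAIL
2025-07-21T09:00:06Z 203.0.113.10 heidi FAIL
2025-07-21T09:00:07Z 203.0.113.10 ivan FAIL
2025-07-21T09:00:08Z 203.0.113.10 judy OK
2025-07-21T09:01:00Z 198.51.100.7 alice FAIL
2025-07-21T09:01:20Z 198.51.100.7 alice FAIL
2025-07-21T09:01:45Z 198.51.100.7 alice OK
2025-07-21T09:02:00Z 192.0.2.55 bob OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the assumed four-field format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(ts, ip, user, result == "OK"))
    return attempts


def per_ip_stats(attempts: List[Attempt]) -> Dict[str, dict]:
    stats: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for a in attempts:
        s = stats[a.ip]
        s["attempts"] += 1
        s["fails"] += 0 if a.ok else 1
        s["users"].add(a.user)
    return dict(stats)


def flag_stuffing_ips(attempts, min_attempts=8, min_distinct_users=5, min_fail_ratio=0.6):
    """Stuffing signature: one source, many different usernames, mostly failing.
    A single user retrying their own password has one username and is not flagged."""
    flagged = {}
    for ip, s in per_ip_stats(attempts).items():
        fail_ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {**s, "fail_ratio": fail_ratio}
    return flagged


def accounts_to_reset(attempts, flagged_ips) -> List[str]:
    """Successful logins from a flagged source are the hits: those passwords are
    now known to the attacker and must be rotated, with sessions revoked."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged_ips})


def global_fail_ratio(attempts) -> float:
    """Campaigns spread across residential proxies dodge per-IP thresholds, so
    also compare the failure ratio of all traffic in the window with its baseline."""
    if not attempts:
        return 0.0
    return sum(1 for a in attempts if not a.ok) / len(attempts)


if __name__ == "__main__":
    atts = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing_ips(atts)
    for ip, s in flagged.items():
        print(f"stuffing from {ip}: {s['attempts']} attempts, "
              f"{len(s['users'])} usernames, fail ratio {s['fail_ratio']:.2f}")
    print("force password reset for:", accounts_to_reset(atts, flagged))
    print(f"window failure ratio: {global_fail_ratio(atts):.2f}")
```

The per-IP rule catches the noisy case; the window-wide ratio is the cheap fallback for the distributed one, and in practice it is complemented by device-fingerprint and behavioural signals rather than relied on alone.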
Memcyco, a preemptive cybersecurity firm, believes the solution to successfully combatting ATO attacks is by zooming out and viewing the fraud timeline as a whole, defending at each critical touchpoint. For example, a fraudster could clone a company’s website to dupe their customers, or employees, into inputting their sensitive information, only for it to be stolen and eventually used in an ATO attack.
Memcyco offers a real-time solution to combat a wide range of phishing, digital impersonation, and ATO attacks by infiltrating them at their inception and closely monitoring them if they manage to make it to subsequent stages of the attack timeline.
If, say, a bank has installed Memcyco, then any of its customers who visit a spoofed site of the bank are protected. Memcyco does this by scrambling the information the customer submits and feeding the fraudster decoy data instead, which can in turn be used to expose the fraudster. It uses proprietary "nano defenders" to achieve this, which identify spoofing and site-code reconnaissance attempts in real time. By approaching the problem at its source, the spoofed website, ATO attacks can be mitigated before they cause serious damage.
User Behaviour & Associated Vulnerabilities
Humans are the weakest link in any security chain. As long as access depends on human-generated passwords and PIN codes that people must remember, the risk remains. Too many consumers use weak passwords and/or reuse the same credentials across services. This makes their log-in details easier to remember, but it also means that a single breach at any one site hands fraudsters a password that will work on every other site where it was reused, making those users easy targets for ATO attacks.
What’s more, customers might not notice suspicious activity in their account until it’s been going on for some time. That’s especially true for secondary bank accounts, or an account with an online marketplace that they don’t use frequently. The delay in reporting hampers ATO prevention efforts.
One solution is to use biometric data instead of passwords. Fingerprint scans, iris scans, and facial recognition technology offer more secure identification methods that are harder for fraudsters to crack. One caveat: a biometric cannot be changed if its template leaks, so it works best as the local unlock for a credential bound to the user's device rather than as a secret transmitted to the server. It's also important to educate customers to regularly check their accounts for unexpected transactions or log-in attempts.
Why Authentication Isn’t Sufficient
Too few financial services businesses have proper authentication systems in place: for many, the password is still the only real gate. This means that once a fraudster guesses a weak password or acquires a user's credentials, any "additional" checks that rest on the same password, such as password-based account recovery, fall with it.
Multi-factor authentication (MFA) and two-factor authentication (2FA) are frequently touted as solutions, but they aren't as effective as you might expect. Fraudsters can intercept email or SMS verification codes through SIM swapping, malware on the victim's phone, or a real-time phishing proxy that relays the code as the victim types it, and once inside they change the MFA and recovery settings so that they, not the victim, can recover the account. Any code a user can read and type can be relayed in this way; only factors bound to the device or to the genuine site's origin, such as FIDO2/WebAuthn passkeys, resist it. Even security questions, such as "what is your mother's maiden name?", are of limited use because so much personal information is exposed on social media.
Secure link authentication, or SLA, offers a better alternative. Netcetera enables companies to send a secure link instead of a code, which can only be used on the device where the login attempt was made. The link carries a long, unguessable token that is valid only for a short period, but the real protection is the binding: because the link is tied to the browser session that started the login and is accepted once at most, a fraudster who phishes or is forwarded the link gains nothing by opening it elsewhere.
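The following is an added example of a device-bound, single-use login link in the spirit of the approach just described; it is not Netcetera's code, whose internals the article does not describe. It assumes the browser that starts the login already holds an opaque session cookie (here `session_id`), that the link is accepted only when presented from a browser with that same cookie, and that a link opened from any other session is burned and raised as an alert rather than silently rejected. The endpoint URL and user identifiers are hypothetical.

```python
"""Device-bound, single-use login link ("secure link") service.

Added example, not Netcetera's implementation. Assumptions: the browser that
starts a login holds an opaque session cookie (session_id); the link is honoured
only from a browser presenting that same cookie, once, within ttl_seconds.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def _digest(value: str) -> str:
    """Only hashes are stored: a leaked link table cannot be used to log in."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class _LinkRecord:
    user_id: str
    session_hash: str
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkService:
    base_url: str
    ttl_seconds: float = 300.0
    _links: Dict[str, _LinkRecord] = field(default_factory=dict)   # token hash -> record
    alerts: List[Tuple[str, str]] = field(default_factory=list)    # events for the SOC

    def issue(self, user_id: str, session_id: str, now: Optional[float] = None) -> str:
        """Create a link for user_id, bound to the session that asked for it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                 # 256 bits: not guessable
        self._links[_digest(token)] = _LinkRecord(
            user_id, _digest(session_id), now + self.ttl_seconds)
        return f"{self.base_url}?{urlencode({'token': token})}"

    def redeem(self, token: str, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return user_id if the link is live and presented from the bound session,
        else None. Every redemption attempt consumes the link, successful or not."""
        now = time.time() if now is None else now
        rec = self._links.get(_digest(token))
        if rec is None or rec.used:
            return None
        rec.used = True
        if now > rec.expires_at:
            self.alerts.append(("expired", rec.user_id))
            return None
        if not hmac.compare_digest(rec.session_hash, _digest(session_id)):
            # Opened from a browser that did not start the login: a forwarded or
            # phished link. Burn it and alert rather than log the bearer in.
            self.alerts.append(("session_mismatch", rec.user_id))
            return None
        return rec.user_id


def token_from_url(url: str) -> str:
    """Extract the token the way the link-handling endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService("https://bank.example/auth/link")   # hypothetical endpoint
    link = svc.issue("user-42", "sess-victim")
    print("attacker opens it:", svc.redeem(token_from_url(link), "sess-attacker"))   # None
    print("victim opens the same link:", svc.redeem(token_from_url(link), "sess-victim"))   # None, burned
    print("alerts:", svc.alerts)
```

The token is stored only as a hash, so a leaked link table cannot be turned into working links, and the URL's length is not the control: the session binding, the single use and the expiry are. Burning the link on a mismatch costs the victim one extra request for a fresh link but denies the attacker a second try with the same one.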
Third-party Risks on the Rise
Like businesses in every vertical, financial services companies have extended digital supply chains. With more vendors come more potential entry points into your business systems, and more opportunities for malicious actors to exploit vulnerabilities and steal user credentials.
All it takes is for one vendor with weak security to give attackers a foothold from which they move laterally until they reach your systems. And a single third-party breach that exposes usernames, passwords, or personal information gives fraudsters ready-made credential lists to replay against your login page and the details they need to craft more convincing phishing attempts.
It’s vital for financial institutions to tighten their third-party cybersecurity. That includes writing strong and specific security requirements into their contracts, and implementing third-party risk monitoring tools to track security and data privacy among third-party vendors.
Balancing CX Concerns with Security
In theory, continuous monitoring of account activity should flag anomalies that indicate possible ATO attacks. In practice, setting the threshold is extremely difficult. If the thresholds are too tight, you'll delay or cancel too many legitimate transactions, causing friction and frustration for customers; too loose, and takeovers slip through. Large transaction volumes also make it impractical to review every account by hand.
This leaves banks walking a fine line between security and seamless user experience, and drives many to dial down their controls. Combining continuous monitoring with a risk-scoring framework helps here: each login or transaction is scored on the signals it presents, and only the riskier ones are slowed down with a step-up check or held for review, so most customers see no friction while the suspicious minority still gets caught.
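As an added illustration of the risk-scoring approach, the block below (not code from the article or from any vendor) scores constructed account-activity events against a user profile and maps the score to a tiered response. The signals, weights and thresholds are assumptions chosen for the example; a real deployment calibrates them on labelled historical fraud and on the false-positive rate the business will tolerate.

```python
"""Risk-based scoring of account activity with a tiered response.

Added example, not code from the article or any vendor. The signals, weights
and thresholds are assumptions; in production they are calibrated on labelled
historical fraud. Profiles and events used below are constructed sample data.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class UserProfile:
    user: str
    known_devices: Set[str]
    home_countries: Set[str]
    typical_amount: float                  # e.g. median transfer over the last 90 days
    last_login: Optional[Tuple[float, float, float]] = None   # (lat, lon, unix ts)


@dataclass
class ActivityEvent:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: float
    amount: float = 0.0                    # value of the transaction attempted, if any
    failed_attempts: int = 0               # failed logins immediately before this one


@dataclass
class Decision:
    score: int
    action: str                            # "allow" | "step_up" | "block"
    reasons: List[str] = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres, used for the impossible-travel check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


# Assumed weights: each signal adds to the score; none is conclusive on its own.
WEIGHTS = {
    "new_device": 30,
    "new_country": 20,
    "impossible_travel": 40,
    "large_amount": 25,
    "failed_attempts": 20,
}
MAX_PLAUSIBLE_KMH = 900.0                  # faster than this between logins is not travel
STEP_UP_AT, BLOCK_AT = 30, 60              # assumed thresholds for the tiered response


def score_event(profile: UserProfile, ev: ActivityEvent) -> Decision:
    """Collect the signals an event presents, sum their weights, pick a response."""
    reasons: List[str] = []
    if ev.device_id not in profile.known_devices:
        reasons.append("new_device")
    if ev.country not in profile.home_countries:
        reasons.append("new_country")
    if profile.last_login is not None:
        lat, lon, last_ts = profile.last_login
        km = haversine_km(lat, lon, ev.lat, ev.lon)
        hours = max((ev.ts - last_ts) / 3600.0, 1e-6)   # guard against a zero gap
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if ev.amount > 5 * profile.typical_amount:
        reasons.append("large_amount")
    if ev.failed_attempts >= 3:
        reasons.append("failed_attempts")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_AT:
        action = "block"                   # hold it and route to fraud review
    elif score >= STEP_UP_AT:
        action = "step_up"                 # re-authenticate on an out-of-band factor
    else:
        action = "allow"                   # where most legitimate traffic lands: no friction
    return Decision(score, action, reasons)


if __name__ == "__main__":
    # Constructed sample: alice usually logs in from London on device dev-A.
    alice = UserProfile("alice", {"dev-A"}, {"GB"}, typical_amount=200.0,
                        last_login=(51.5074, -0.1278, 1_000_000.0))
    events = [
        ActivityEvent("alice", "dev-A", "GB", 51.5, -0.12, 1_086_400.0, amount=150.0),
        ActivityEvent("alice", "dev-B", "GB", 51.5, -0.12, 1_007_200.0, amount=100.0),
        ActivityEvent("alice", "dev-B", "US", 40.7128, -74.0060, 1_003_600.0,
                      amount=5000.0, failed_attempts=4),   # New York one hour later
    ]
    for ev in events:
        d = score_event(alice, ev)
        print(f"{ev.device_id} {ev.country} {ev.amount:>7.2f}: {d.action:8} score={d.score:<4} {d.reasons}")
```

The point of the tiering is that the middle band absorbs the ambiguity: a new device on its own is not fraud, so it earns a step-up rather than a block, while a new device from an impossible location making an unusually large transfer after several failed logins is held outright.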
ATO fraud can be solved
Although ATO attacks are very sophisticated and take advantage of many weaknesses in fraud detection, user behaviour, and third-party security, they can be mitigated and even prevented with the approaches detailed above. Financial services providers need to reset the playing field with new tactics that help them spot and neutralise ATO fraud, equipping them to protect user data and funds and improve customer experience.