What is Account Takeover Fraud: 6 Strategies to Stop ATO

Account takeover fraud isn’t lurking around in some abstract corner of the internet. It’s hiding in the same data merchants see every day: loyalty points, stored credit cards, dormant accounts, saved addresses and sudden changes in customer behavior.

And the problem is growing. With stolen credentials selling for pennies on dark web marketplaces, the economics strongly favor the attacker. Vito Petruzzelli, a senior risk intelligence analyst at Signifyd, analyzed Signifyd’s Commerce Network data and found that ATO-related fraud rose 39% in recent quarters, growing by almost 50% year-over-year, with associated fraud GMV rising 16%.

With that in mind, merchants need to know what ATO looks like in their own data and which signals point to a compromised account before the fraudster can make it to checkout.

TL;DR

  • Account takeover (ATO) fraud in ecommerce happens when criminals use stolen credentials to access customer accounts and exploit stored value like loyalty points, saved payment methods and store credit.
  • ATO fraud starts before the fraudster reaches your site, through things like phishing emails, lookalike domains, credential stuffing, login API exploitation or credentials bought in underground marketplaces.
  • The six signals that reliably fingerprint ATO are: account dormancy, purchase velocity after a password reset, device fingerprint lie count, time zone vs. VPN mismatch, presence of stored payment and address manipulation score.
  • Preventing ATO fraud requires connecting login, identity, device, order, loyalty and fulfillment signals instead of relying on any single fraud indicator.

How account takeover fraud is different from general unauthorized access

Account takeover fraud is unauthorized access with a financial motive. With ATO fraud, a bad actor gains access to a legitimate customer account and uses that access to complete a specific goal: steal value.

When it comes to general unauthorized access, the intrusion may not involve a direct attempt to place orders, drain loyalty points, buy gift cards or otherwise monetize the account. Instead, the attacker may be testing credentials, scraping personal data, observing account activity or probing for weaknesses they can exploit later.

Where does account takeover fraud start and how does it work?

ATO fraud doesn’t start with a breach of your platform. It starts outside of it — a phishing email masquerading as a shipping update, a lookalike domain built to mimic a trusted brand or a credential stuffing attack that capitalizes on the fact that over 75% of consumers in the U.S. alone reuse the same password across multiple accounts.

[Figure: ATO fraud funnel diagram]

Fraudsters often build the infrastructure first. That can mean typosquat domains (web addresses that look almost identical to a real brand’s domain but include a small error, like signifyd.com vs. signfyd.com), phishing-capable email accounts (e.g. [email protected] vs. [email protected]) and fake login pages designed to capture credentials. Once the setup is in place, attackers use phishing, credential stuffing, login API exploitation or credential lists bought and sold in underground marketplaces to capture or test usernames and passwords before the shopper ever reaches your site.

So, by the time a fraudster is placing an order on your site, the hard work is often already done. They’re no longer standing at the front door trying to break in. They’re using valid credentials to enter through a real customer account.

Once inside, the goal is monetization. That effort might look like draining loyalty points through $0 orders, buying gift cards, changing shipping details or sending merchandise through freight-forwarding addresses for resale or export. To a merchant’s systems, the session may still appear familiar because the fraudster is operating inside a legitimate account. But the intent has changed completely.

The simplified ATO fraudster playbook

  • Get into a dormant account
  • Drain the loyalty point balance to reduce the order total, ideally to $0 to bypass most manual review triggers
  • Place a purchase of easily resellable goods like sneakers, electronics, gift cards
  • Receive and resell the items
  • Rinse and repeat

Why single-signal fraud detection doesn’t work anymore

For years, fraud teams anchored decisions to identity proofing and verification signals: Does this email address match this name? Is the billing address correct? Does the device belong to this account? These checks matter, but trusting any one of them in isolation creates blind spots.

Stolen identity data and login credentials are inexpensive, abundant and often sold together. A fraudster can buy or assemble enough information to look like a real customer: name, email address, phone number, physical address and, in some cases, a working password. Those details can tick many of the boxes a fraud system is trained to trust. The credentials may be valid. The person (or their automated bot) using them is not. But what are the red flags that signal it’s an account takeover?

Signs of account takeover fraud

To identify ATO fraud, first you need to ask: How do we fingerprint this behavior in our own data?

The most useful ATO signals are measurable patterns that fraud teams can search for across login behavior, account changes, order activity, loyalty redemptions and fulfillment details. Signifyd ran an analysis using 61,700+ confirmed ATO accounts and found that ATO activity tends to concentrate in the following areas.

Account dormancy period

How long has it been since this account placed an order? Fraudsters preferentially target old, inactive accounts — owners are less likely to notice a sudden change, and the accounts are more likely to have accumulated redeemable loyalty points. Most fraud teams don’t measure this explicitly.

Purchase velocity after password reset

How quickly did a transaction follow a password reset? And who initiated that reset? When a fraudster gains access to an account, one of the first moves is a password change to lock out the legitimate owner. A purchase within minutes or hours of a self-initiated reset, especially from a new device, is a high-confidence ATO signal.

Lie count — device fingerprint discrepancies

A “lie” is any discrepancy between what a device reports about itself and what it demonstrably is. An Android browser on a desktop OS is a lie. An IP address geo-locating to one country while the browser language and time zone point elsewhere is two lies stacked on top of each other. Individual discrepancies can have innocent explanations, but clusters of them rarely do.

Time zone vs. VPN location mismatch

VPNs and proxy services can mask the originating IP address, but they don’t always mask the browser’s reported time zone, language or locale settings. When a session appears to originate from one country through a VPN (like Portugal or Singapore) while the device’s time zone and language settings point to another region (like Germany or Brazil), there’s a measurable gap between the masked location and the device environment.

Presence of a stored payment instrument

A stored payment method can be an important ATO signal when it appears alongside other suspicious account activity. A saved credit card, a PayPal wallet or store credit balance does not prove account takeover on its own, but it can help explain why a compromised account became active.

Address manipulation

ATO orders often involve a shipping address that’s different from the account’s primary or historical address. While not every new shipping address is suspicious — customers ship to workplaces, relatives, gift recipients and vacation rentals all the time — the signal is stronger when:

  • The address was added shortly before purchase.
  • The address matches one tied to a known freight forwarder, package reshipper or export hub.
  • The new address appears alongside other suspicious account changes, like an updated phone number or password reset.
  • The order includes other risk signals, like an increase in order value or loyalty point redemption.
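As an added example (not Signifyd’s code and not part of the analysis described above), the following Python sketch computes the six signals in this section together over one account, session and order record, so a fraud team can see how they stack rather than judging each in isolation. The thresholds, the country-to-time-zone and language tables, the freight-forwarder list and the two sample records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference data (assumed, not Signifyd's); a real deployment would use a GeoIP/tz database and a reshipper list.
COUNTRY_TIMEZONES = {
    "US": {"America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"},
    "DE": {"Europe/Berlin"}, "BR": {"America/Sao_Paulo"}, "PT": {"Europe/Lisbon"},
}
COUNTRY_LANGUAGES = {"US": {"en-US"}, "DE": {"de-DE"}, "BR": {"pt-BR"}, "PT": {"pt-PT"}}
FREIGHT_FORWARDER_ADDRESSES = {"1850 RESHIPPER BLVD, MIAMI, FL 33101"}
MOBILE_OS, DESKTOP_PLATFORMS = {"Android", "iOS"}, {"Win32", "MacIntel", "Linux x86_64"}

# Thresholds are assumptions chosen for illustration; tune them on your own confirmed cases.
DORMANT_DAYS = 180
RESET_TO_ORDER_WINDOW = timedelta(hours=24)
NEW_ADDRESS_WINDOW = timedelta(hours=24)

@dataclass
class Account:
    last_order_at: Optional[datetime]
    password_reset_at: Optional[datetime]
    reset_self_initiated: bool
    stored_payment: bool            # saved card, wallet or store credit on file
    historical_addresses: set
    address_added_at: Optional[datetime]

@dataclass
class Session:
    ua_os: str          # OS family parsed from the User-Agent header
    platform: str       # navigator.platform as reported by the client
    ip_country: str     # GeoIP country of the (possibly VPN) source address
    browser_tz: str     # IANA time zone reported by the browser
    browser_lang: str   # Accept-Language / navigator.language

@dataclass
class Order:
    placed_at: datetime
    ship_to: str

def lie_count(s: Session) -> int:
    """Count device-fingerprint discrepancies ("lies") in one session."""
    lies = 0
    if s.ua_os in MOBILE_OS and s.platform in DESKTOP_PLATFORMS:
        lies += 1  # mobile browser claiming a desktop platform
    if s.browser_tz not in COUNTRY_TIMEZONES.get(s.ip_country, set()):
        lies += 1  # time zone does not fit the IP's country
    if s.browser_lang not in COUNTRY_LANGUAGES.get(s.ip_country, set()):
        lies += 1  # language does not fit the IP's country
    return lies

def address_manipulation_score(acct: Account, order: Order) -> int:
    """0-4: how much the shipping address change resembles an ATO pattern."""
    ship_to = order.ship_to.upper()
    if ship_to in {a.upper() for a in acct.historical_addresses}:
        return 0  # shipping to a known address is not a change at all
    score = 1  # new address
    if acct.address_added_at and order.placed_at - acct.address_added_at <= NEW_ADDRESS_WINDOW:
        score += 1  # added shortly before purchase
    if ship_to in FREIGHT_FORWARDER_ADDRESSES:
        score += 1  # known reshipper / freight forwarder
    if acct.password_reset_at and order.placed_at - acct.password_reset_at <= RESET_TO_ORDER_WINDOW:
        score += 1  # accompanied by another recent account change
    return score

def fingerprint(acct: Account, s: Session, order: Order) -> dict:
    """Evaluate the six ATO signals together and return them with a combined total."""
    dormant = acct.last_order_at is not None and \
        (order.placed_at - acct.last_order_at).days >= DORMANT_DAYS
    fast_reset = acct.reset_self_initiated and acct.password_reset_at is not None and \
        order.placed_at - acct.password_reset_at <= RESET_TO_ORDER_WINDOW
    signals = {
        "dormant": dormant,
        "fast_order_after_self_reset": fast_reset,
        "lie_count": lie_count(s),
        "tz_vpn_mismatch": s.browser_tz not in COUNTRY_TIMEZONES.get(s.ip_country, set()),
        "stored_payment": acct.stored_payment,
        "address_manipulation": address_manipulation_score(acct, order),
    }
    total = sum(int(v) for v in signals.values())  # booleans count 1, scores count their value
    signals["total"] = total
    signals["action"] = "block" if total >= 7 else "challenge" if total >= 4 else "allow"
    return signals

NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
HOME = "12 Elm St, Austin, TX 78701"
# Constructed sample: dormant account, self-initiated reset 20 minutes before an order
# to a reshipper, from a "Portugal" exit while the browser still reports Brazilian settings.
SUSPECT_ACCOUNT = Account(NOW - timedelta(days=400), NOW - timedelta(minutes=20), True, True,
                          {HOME}, NOW - timedelta(minutes=5))
SUSPECT_SESSION = Session("Android", "Win32", "PT", "America/Sao_Paulo", "pt-BR")
SUSPECT_ORDER = Order(NOW, "1850 Reshipper Blvd, Miami, FL 33101")
# Constructed sample: the same owner ordering normally from home on a matching device.
REGULAR_ACCOUNT = Account(NOW - timedelta(days=10), None, False, True, {HOME}, None)
REGULAR_SESSION = Session("Windows", "Win32", "US", "America/Chicago", "en-US")
REGULAR_ORDER = Order(NOW, HOME)
```

Calling `fingerprint(SUSPECT_ACCOUNT, SUSPECT_SESSION, SUSPECT_ORDER)` yields three lies, an address score of 4 and a total of 11 (“block”), while the regular order scores 1 for the stored card alone (“allow”): the saved payment instrument by itself means nothing, which is exactly the point of connecting the signals.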

Six strategies merchants can use to prevent ATO fraud

Account takeover fraud prevention works well when you treat ATOs as chains of events, and the best practices to follow focus on the places those chains can be interrupted:

  • Monitor for typosquat domains weekly. Automate domain monitoring to surface lookalike registrations against your brand and route confirmed threats to the appropriate legal, security or trust and safety team for domain registrar, hosting provider or abuse takedown action.
  • Pass pre-discount order amounts to your fraud API. The post-redemption total should never be the only value your fraud system sees. A loyalty-drained $0 order that originated from a $500 cart should be scored with the original cart value in mind. Otherwise, high-risk redemptions can look artificially low value and slip through review.
  • Apply IP and account velocity controls with graduated thresholds. Use graduated thresholds that escalate from monitoring to friction to blocking based on the volume, speed and concentration of activity, rather than relying on static rules that can contribute to fraud ruleset bloat. This lets you catch credential stuffing and account testing without overreacting to normal customer behavior.
  • Implement address manipulation detection. Normalize incoming addresses against a trusted external source, like a carrier or postal database, then compare the customer-entered version against the standardized format and the account’s historical addresses. Instead of relying on a simple match-or-no-match rule, score the degree of change based on how much the address differs, when it was added and whether it resembles patterns from confirmed ATO cases. This helps fraud teams flag subtle address changes that may be designed to reroute orders, evade filters or disguise repeat abuse.
  • Apply strategic friction. SMS one-time passcodes are among the most effective ATO countermeasures because taking over a phone number requires far more effort than compromising an email account. Trigger SMS challenges when multiple ATO signals are present simultaneously, for example: dormant account + address change + loyalty redemption + new device.
  • Automate stored payment wipes on suspicious accounts. When an account shows strong ATO indicators, remove or suspend access to stored payment methods until the customer re-verifies their identity. This limits the fraudster’s ability to move from account access to purchase, gift card abuse or loyalty-drain orders. Pair the wipe with a customer notification and a secure re-authentication flow so legitimate customers can recover quickly without leaving saved payment instruments exposed.
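The graduated IP and account velocity controls from the third strategy above, as an added Python example that is not Signifyd’s code: sliding-window counters per source IP and per account escalate from monitoring to friction to blocking, and a distinct-accounts-per-IP counter captures the concentration that separates credential stuffing from one customer mistyping a password. The window, the tier thresholds and the failed-login log are constructed assumptions; the IP addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds for illustration (count within the window -> tier), strictest first.
WINDOW = timedelta(minutes=10)
IP_TIERS = ((20, "block"), (10, "friction"), (5, "monitor"))              # failed logins per source IP
ACCOUNT_TIERS = ((10, "block"), (5, "friction"), (3, "monitor"))           # failed logins per account
DISTINCT_ACCOUNT_TIERS = ((15, "block"), (8, "friction"), (4, "monitor"))  # accounts tried per IP
TIER_RANK = {"allow": 0, "monitor": 1, "friction": 2, "block": 3}


class VelocityMonitor:
    """Sliding-window failed-login counters that escalate monitor -> friction -> block."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.by_ip = defaultdict(deque)        # ip -> deque of (timestamp, account)
        self.by_account = defaultdict(deque)   # account -> deque of timestamp

    def _prune(self, dq, now, ts_of=lambda e: e):
        # Drop events older than the window so counts reflect recent activity only.
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    @staticmethod
    def _tier(count, tiers):
        for threshold, tier in tiers:
            if count >= threshold:
                return tier
        return "allow"

    def record_failed_login(self, ts, ip, account):
        """Record one failed login; return the strictest action any counter demands."""
        ip_events, acct_events = self.by_ip[ip], self.by_account[account]
        ip_events.append((ts, account))
        acct_events.append(ts)
        self._prune(ip_events, ts, ts_of=lambda e: e[0])
        self._prune(acct_events, ts)
        distinct_accounts = len({a for _, a in ip_events})  # concentration: many accounts, one IP
        tiers = (self._tier(len(ip_events), IP_TIERS),
                 self._tier(len(acct_events), ACCOUNT_TIERS),
                 self._tier(distinct_accounts, DISTINCT_ACCOUNT_TIERS))
        return max(tiers, key=TIER_RANK.__getitem__)


def replay(events, monitor=None):
    """Replay (ts, ip, account) failed logins; return per-event actions and the peak tier per IP."""
    monitor = monitor or VelocityMonitor()
    actions = [(ip, account, monitor.record_failed_login(ts, ip, account)) for ts, ip, account in events]
    peak = {}
    for ip, _, action in actions:
        peak[ip] = max(peak.get(ip, "allow"), action, key=TIER_RANK.__getitem__)
    return actions, peak


# Constructed failed-login log (not real traffic): one IP in the TEST-NET-2 documentation
# range cycles through 16 accounts in under three minutes, while a customer on a TEST-NET-3
# address mistypes her password twice.
T0 = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
STUFFING_IP, HOME_IP = "198.51.100.23", "203.0.113.7"
EVENTS = [(T0 + timedelta(seconds=10 * i), STUFFING_IP, f"user{i}@example.com") for i in range(16)]
EVENTS += [(T0 + timedelta(seconds=30), HOME_IP, "alice@example.com"),
           (T0 + timedelta(seconds=45), HOME_IP, "alice@example.com")]
EVENTS.sort()

if __name__ == "__main__":
    actions, peak = replay(EVENTS)
    for ip, account, action in actions:
        print(ip, account, action)
    print(peak)
```

Replaying the log moves the stuffing IP through allow, monitor (fourth distinct account), friction (eighth) and block (fifteenth), while the customer’s two failures never leave “allow”; once the window has passed, a new failure from the same IP starts again at “allow”, which is what keeps graduated thresholds from turning into permanent static rules.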

Connect the signals before ATO turns into losses

Account takeover fraud is hard to stop when login, order, loyalty and fulfillment signals are evaluated separately. A session might look familiar at login, an order might look low risk after loyalty points are applied and an address change might seem normal on its own. The risk becomes clearer when those signals are connected across the full customer journey.

Signifyd’s Account Protection solution helps brands like yours evaluate account, identity, device, behavioral and order signals together, so fraud teams can better separate legitimate customers from compromised accounts. That broader view helps teams spot ATO patterns earlier, protect stored value and reduce the chance that a valid customer account becomes a path to fraud.

And with every approved order backed by a 100% financial guarantee, Signifyd helps you eliminate ATO losses from chargebacks. That means teams can protect accounts, loyalty value and customer trust without absorbing the cost if an approved order turns out to be fraudulent.

Photo by Getty Images 


Learn how Signifyd helps merchants detect and prevent ATO fraud before compromised accounts turn into losses.

FAQs

What’s the difference between identity theft and account takeover fraud?

Identity theft is when a criminal steals or uses someone’s personal information, including their name, address, Social Security number or payment details. Account takeover fraud is when a criminal uses stolen credentials to access an existing customer account and exploit the value inside it, like saved cards, loyalty points, store credit or account history.

What are the red flags for ATO in ecommerce?

While none of these signals confirms fraud on its own, a combination of the following red flags can point to account takeover:

  • Login from a new device or unusual location
  • Password reset followed quickly by an order
  • Sudden shipping address change
  • Sudden loyalty point redemption
  • Use of stored payment methods
  • High order velocity
  • Dormant account reactivation
  • Mismatches between IP location, browser language and device time zone

Channing Lovett

Channing is a writer and strategist for Signifyd. With a decade of experience in B2B technology across ecommerce, fintech and IT security, she explores the topics that matter most to retailer growth, including fraud prevention, customer experience and authorization performance. Her work helps ecommerce leaders protect revenue, strengthen customer trust and stay ahead of emerging shifts in commerce.