Account takeover (ATO) fraud has evolved into one of the most pervasive and costly threats facing businesses today. Organized fraudsters execute coordinated attacks designed to exploit login defenses. They’re leveraging readily available tools to infiltrate accounts at scale, and following detailed attack plans to maximize efficiency and effectiveness.
From bot-led credential stuffing to advanced multi-factor authentication (MFA) bypass techniques, attackers have refined their playbooks to outsmart traditional security measures. Let’s break down how ATO attacks work, what fraudsters do to execute them and the ways businesses can stay ahead of evolving threats.
What is account takeover fraud?
ATO fraud happens when fraudsters gain unauthorized access to legitimate user accounts. Once inside, they can change profile information, steal sensitive data and commit fraudulent transactions. These attacks are costly and growing fast: ATO losses hit $16 billion in 2024, up 24% year-over-year.
Fraud rings are behind many of these attacks. They operate like businesses, using detailed playbooks purchased on the dark web that outline every step — from credential theft to bypassing MFA and, ultimately, monetizing successful takeovers. These playbooks can cost as little as $50, making ATO tools accessible to anyone — whether it’s a coordinated ring or an individual attacker — with malicious intent.
How do fraudsters take over accounts?
ATOs often begin with compromised credentials. Fraudsters obtain valid usernames and passwords through phishing, data breaches or dark web purchases — for as little as $30 — giving them a direct path into accounts. In some cases, fraudsters verify credentials themselves through large-scale credential stuffing; login attempts are automated using stolen credential pairs across multiple sites, exploiting password reuse and scaling attacks with scripts to maximize success.
At many businesses, compromised credentials are enough for fraudsters to execute attacks. But for targets whose login processes require additional authentication — a one-time passcode or biometric, for example — fraudsters leverage advanced tools or scams to gain access to accounts. Attackers hijack sessions, steal tokens and deploy MFA fatigue attacks, or use hyper-targeted social engineering tactics to manipulate account owners into verifying fraudulent logins and transactions or granting remote access.
Once authenticated, fraudsters can take further steps to cement control over the accounts they access. They often log in repeatedly to establish trust between their device and the account. They can create or reset existing biometric authentication, or add their device as the one-time passcode (OTP) recipient, allowing them to successfully verify their “ownership” of the account when facing step-up authentication (see what this looks like in our latest report).
Preventing account takeover fraud
Despite their vulnerabilities, OTPs, biometrics and other MFA forms remain common methods to secure accounts. Businesses rely on them to protect accounts, but also use them to build customer confidence by providing tangible, trusted authentication. As a result, these solutions are a crucial line of defense for many businesses’ accounts, even though fraudsters are capable of bypassing them.
The most glaring weakness in most MFA-based approaches is strategic: these defenses treat each login attempt as an isolated event. They can stop individual attackers, but they miss the bigger, more dangerous picture: coordinated attacks potentially impacting thousands of accounts.
Stopping coordinated, large-scale ATO attacks requires a more holistic, multi-dimensional approach. NeuroID’s Account Defense solution combines behavioral analytics with 99.5% accurate persistent device recognition and IP Intelligence. This allows not only for the detection of individual ATO attempts, but the ability to connect fraudsters’ devices across accounts to reveal coordinated rings, understand the strategies they’re using and stop them in their entirety.
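To make the cross-account linkage concrete, here is an added illustration (not NeuroID's code or product logic) of two checks that a per-login view would miss: one device authenticating into many distinct accounts, and an OTP-recipient change made shortly after a device first appears on an account. The event format, device identifiers, IPs and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login/account-change events (not real data).
# Fields: ISO timestamp, event type, account id, device id, source IP.
EVENTS = [
    ("2024-05-01T09:00:00", "login_ok", "acct-101", "dev-A", "203.0.113.5"),
    ("2024-05-01T09:03:00", "login_ok", "acct-102", "dev-A", "203.0.113.5"),
    ("2024-05-01T09:04:00", "otp_recipient_changed", "acct-102", "dev-A", "203.0.113.5"),
    ("2024-05-01T09:07:00", "login_ok", "acct-103", "dev-A", "203.0.113.9"),
    ("2024-05-01T09:08:00", "login_ok", "acct-104", "dev-A", "203.0.113.9"),
    ("2024-05-01T10:00:00", "login_ok", "acct-201", "dev-B", "198.51.100.2"),
    ("2024-05-02T10:00:00", "login_ok", "acct-201", "dev-B", "198.51.100.2"),
    ("2024-05-02T10:30:00", "login_ok", "acct-202", "dev-B", "198.51.100.2"),
]


def devices_linked_to_many_accounts(events, min_accounts=3):
    """Return devices that successfully logged into at least min_accounts
    distinct accounts; each login alone looks benign, the set does not.
    The threshold is an assumed tuning value, not a recommendation."""
    accounts_by_device = defaultdict(set)
    for _, event, account, device, _ in events:
        if event == "login_ok":
            accounts_by_device[device].add(account)
    return {dev: sorted(accts) for dev, accts in accounts_by_device.items()
            if len(accts) >= min_accounts}


def otp_change_after_new_device(events, window=timedelta(minutes=30)):
    """Flag (account, device) pairs where the OTP recipient was changed
    within `window` of that device's first successful login to the account,
    or by a device with no prior successful login at all."""
    first_seen = {}  # (account, device) -> first successful login time
    flagged = []
    for ts, event, account, device, _ in sorted(events):  # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        key = (account, device)
        if event == "login_ok":
            first_seen.setdefault(key, t)
        elif event == "otp_recipient_changed":
            seen = first_seen.get(key)
            if seen is None or t - seen <= window:
                flagged.append(key)
    return flagged


if __name__ == "__main__":
    print("devices spanning many accounts:", devices_linked_to_many_accounts(EVENTS))
    print("suspicious OTP recipient changes:", otp_change_after_new_device(EVENTS))
```

In this sample, dev-A is tied to four accounts within minutes and changed the OTP recipient on acct-102 one minute after first logging in, while dev-B's two accounts over two days stay below the threshold.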
Want to see how NeuroID uncovered and stopped a real-world ATO attack? Check out the first edition of our ATO Report Series to see how behavior, device and network data revealed a fraud ring in action.
