
Account takeover: what it is and how fintechs can stop it

Account takeover—where fraudsters use stolen credentials to seize control of financial accounts in an attempt to steal money—is a growing threat. Here’s what fintechs and consumers can do to prevent it.

February 12, 2024

Tom Sullivan

Tom is a fintech industry writer who has written whitepapers and articles for Plaid since 2021. His work has been featured in publications like Forbes, Fortune, and Inc. He's passionate about the freedom that financial services and technology can create and is currently a Content Strategist at Plaid.

Table of Contents
  • What is account takeover fraud?
  • Account takeover fraud examples
  • Account takeover vs identity theft
  • Account takeover fraud statistics
  • How to prevent account takeover fraud as a business
  • When should identity re-verification be used?
  • What can consumers do to prevent account takeover fraud?

Account takeover fraud, or the use of stolen login credentials to seize control of financial accounts, has become a major concern for businesses and consumers alike, with a 354% increase in attacks year-over-year in the second quarter of 2023. Fintechs—particularly vulnerable by their very nature—saw an even more alarming 808% increase during the same period.

This prevalence is due, in part, to the high number of usernames and passwords (known as credentials) that have been exposed in data breaches over the years. These breaches have produced vast databases of compromised credentials that fraudsters can use in an attempt to gain unauthorized access to protected accounts. 

In this article, we’ll look closely at how account takeover fraud is threatening fintech companies, and what they can do to prevent it.

What is account takeover fraud?

Account takeover fraud happens when a bad actor uses stolen credentials to gain access to a user’s account—most often through a process known as credential stuffing (more on that below). Online banking accounts and fintech platforms that hold money are frequent targets, as fraudsters are ultimately after financial gain. This makes it doubly important for companies to do everything they can to prevent fraudulent logins while communicating their efforts to keep customers’ funds safe. 

The account takeover cycle typically follows three stages:

  1. Compromise: The fraudster first gains access to a person’s account credentials. This most often happens from data breaches in which usernames, passwords, and other personal information are exposed. 

  2. Validation: The fraudster then tries the compromised username and password pairs against the login pages of many other services, betting that the victim reused the same credentials elsewhere. This is known as credential stuffing and is carried out at scale with bots. When a pair is accepted, the stolen credentials have been validated for that service.

  3. Exploitation: If the fraudster succeeds in taking over an account using the validated credentials, they will then try to exploit it by moving money or committing some other type of financial crime. That is why most fintechs and financial service providers employ two-factor authentication (2FA) as a second gate: it can stop exploitation even after the credentials themselves have been validated.

While fintech companies can’t prevent compromise, they can take steps to prevent validation and exploitation. Using Plaid for account connection, for example, reduces the chances of stolen credentials being validated and linked to third-party applications. It does so through internal defensive services built into Plaid Link. Check out our safety page to learn more about how Plaid keeps consumers safe. 

Account takeover fraud examples

In addition to credential stuffing, fraudsters can employ several other means to gain access to sensitive account information. Here are a few account takeover examples:

  • Phishing. Attackers send fraudulent emails, messages, or communications that appear to be from legitimate sources, such as banks or other online services, and which often create a sense of urgency to prompt immediate action from the victim. Included are links to fake login pages that mimic the appearance of genuine websites. When victims click on these links and enter their login credentials, they unwittingly hand over their sensitive data directly to the fraudsters.

  • Social engineering. These attacks use human psychology to deceive individuals and gain unauthorized access to their accounts. This might be done through methods known as pretexting, impersonation, or baiting. In pretexting or impersonation, attackers pose as colleagues, customer support representatives, or authority figures to gain the victim's trust and manipulate them into revealing sensitive data. In baiting, attackers lure their victims with tempting offers like free downloads or gifts, prompting them to download malware or disclose login credentials unknowingly.

  • Man in the middle. Man-in-the-middle attacks insert the attacker into the communication channel between the user's device and the intended website or service. This is often accomplished by setting up a rogue Wi-Fi hotspot or exploiting a public Wi-Fi network that lacks proper security measures. Once in the path, the attacker can capture and record the data transmitted between the user and the legitimate server. Properly deployed TLS (HTTPS) protects the content of that traffic, so interception yields usable credentials mainly when a site still serves its login over plain HTTP or when the victim is tricked into clicking through a certificate warning for a forged certificate.

Account takeover vs identity theft: What’s the difference?

Account takeover fraud, though it can be equally devastating, is different from identity theft. Identity theft involves using personally identifiable information such as names, Social Security numbers, phone numbers, and addresses to create fake financial accounts or apply for loans in the victim's name. Once the fraudster gets past a financial company's Know Your Customer (KYC) processes, they typically open a line of credit and max it out or use the account to launder money.

Using a digital identity verification tool is the most effective way to prevent this type of identity fraud. Such tools use several data checks to determine if a user is who they claim. However, a verification that’s overly disruptive to the account onboarding process can cause some users to abandon the process altogether. That’s why it’s important to choose a robust, yet seamless tool that can verify identity with high accuracy but low friction. 

→ Want to reduce fraud during new customer onboarding without sacrificing conversion rates? Plaid Identity Verification is the lowest friction identity verification experience available.


Account takeover fraud statistics and prevalence

Account takeover fraud has become increasingly popular with hackers in recent years due to the multitude of stolen credentials available from numerous data breaches. As of September 2023, there had been a total of 2,116 data compromises for the year—a 17% increase over the total number in 2022—with over 233.9 million victims. 

This, combined with the fact that 50% of people worldwide re-use their passwords, makes account takeover fraud a worthwhile endeavor for attackers. 

2,116
Data breach compromises during the first three quarters of 2023

233.9 million
People affected by data breaches during the first three quarters of 2023

50%
Percentage of people who re-use their password for multiple accounts

Source: Identity Theft Resource Center, Business Wire

At the same time, bots are getting more advanced. Most companies rate-limit logins, blocking a device, session, or IP address that attempts to sign in to many different accounts in a short period, which is a classic sign of credential stuffing. Bad actors skirt this by masking their device fingerprints and true session details and by distributing their traffic across a large pool of IP addresses and device types, so that each source looks like an ordinary user making one or two attempts.

Companies suffering an advanced attack like this might not know it: the only population-level indicator is an elevated volume of login attempts, most of them failures, that individually appear normal. If they do become aware, they most likely won't be able to stop the attack by blocking sources without disrupting service for legitimate customers.
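As an added example (not Plaid's code and not part of the original article), the following Python runs the two detection ideas from the three-stage cycle and the paragraph above over a constructed authentication log: a per-IP rule that catches the classic single-source "validation" run (many usernames, mostly failures, from one address); a population-level rule for the distributed variant that per-IP rate limits miss (failure rate well above baseline, spread across many addresses that each touch a fresh username); and a final list of accounts whose credentials were validated during the run and should be stepped up before the attacker reaches exploitation. The log format, thresholds and the 15 % baseline failure rate are assumptions made for the example.

```python
"""Credential-stuffing detection over an authentication log (added example).

Constructed log format (an assumption, not a real product format):
    <unix_ts> <src_ip> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample traffic. 198.51.100.x are ordinary users (alice mistypes
# once). 10.0.0.5 is one bot stuffing five usernames from a single address.
# 203.0.113.1-6 are a distributed run: one attempt per address, fresh username
# each time, so no single IP looks abusive on its own.
SAMPLE_LOG = """\
1700000000 198.51.100.7 alice FAIL
1700000003 198.51.100.7 alice SUCCESS
1700000010 10.0.0.5 bob FAIL
1700000011 10.0.0.5 carol FAIL
1700000012 10.0.0.5 dave FAIL
1700000013 10.0.0.5 erin FAIL
1700000014 10.0.0.5 frank SUCCESS
1700000020 203.0.113.1 grace FAIL
1700000021 203.0.113.2 heidi FAIL
1700000022 203.0.113.3 ivan FAIL
1700000023 203.0.113.4 judy FAIL
1700000024 203.0.113.5 mallory SUCCESS
1700000025 203.0.113.6 niaj FAIL
1700000030 198.51.100.9 olivia SUCCESS
"""


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    validated: set = field(default_factory=set)  # usernames that logged in


def parse(log_text):
    """Return (ts, ip, user, success) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((int(ts), ip, user, outcome == "SUCCESS"))
    return events


def per_ip_stats(events):
    stats = defaultdict(IpStats)
    for _, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.validated.add(user)
        else:
            s.failures += 1
    return stats


def flag_single_source(stats, min_users=3, min_fail_ratio=0.6):
    """Classic stuffing from one address: many distinct usernames, mostly
    failing. Returns {ip: [usernames validated from that ip]}."""
    return {
        ip: sorted(s.validated)
        for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }


def flag_distributed(events, exclude_ips=frozenset(), baseline_fail_rate=0.15,
                     margin=2.0, min_attempts=5, min_users=5):
    """Distributed stuffing that per-IP rules miss. Looks at the population:
    failure rate far above the assumed baseline, with the failures spread
    across many addresses that each try a fresh username."""
    events = [e for e in events if e[1] not in exclude_ips]
    if len(events) < min_attempts:
        return False
    failures = [(ip, user) for _, ip, user, ok in events if not ok]
    if not failures:
        return False
    fail_rate = len(failures) / len(events)
    ip_spread = len({ip for ip, _ in failures}) / len(failures)
    distinct_users = len({user for _, user in failures})
    return (fail_rate >= baseline_fail_rate * margin
            and ip_spread >= 0.5 and distinct_users >= min_users)


def step_up_candidates(events):
    """Accounts whose credentials were validated during a detected run; these
    need 2FA or re-verification before the attacker reaches exploitation."""
    stats = per_ip_stats(events)
    single = flag_single_source(stats)
    candidates = {u for users in single.values() for u in users}
    remaining = [e for e in events if e[1] not in single]
    if flag_distributed(remaining):
        fail_times = [ts for ts, _, _, ok in remaining if not ok]
        lo, hi = min(fail_times), max(fail_times)
        for ts, ip, user, ok in remaining:
            # a one-shot success from a never-seen address inside the burst window
            if ok and lo <= ts <= hi and stats[ip].attempts == 1:
                candidates.add(user)
    return candidates


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("single-source bots:", flag_single_source(per_ip_stats(evts)))
    print("distributed run detected:", flag_distributed(evts, exclude_ips={"10.0.0.5"}))
    print("step up before exploitation:", sorted(step_up_candidates(evts)))
```

The layering matters: the single-source rule is cheap and runs first, and its hits are removed before the population check so that one noisy bot does not mask or inflate the distributed signal. In the sample, 10.0.0.5 is caught per-IP (frank's credentials validated), the 203.0.113.x run is caught only at the population level (mallory's validated), and olivia's ordinary login outside the burst is left alone.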

How to prevent account takeover fraud as a business

While only a tiny percentage of stuffed login attempts succeed, fintechs should assume their customers' credentials have at some point been exposed in a data breach and are likely to have been reused. They should also take every available precaution to prevent stolen credentials from being used on their apps. Fintechs, especially, must prove users can trust them with their funds by safeguarding them as much as possible. 

Here are some critical actions fintechs can take to help stop an account takeover from succeeding:

Two-factor authentication (2FA)

Using 2FA to send a one-time passcode (OTP) to a user's email or phone before completing login is a highly effective way to reduce account takeover. A hacker can sometimes skirt this safeguard, for example by using the same stolen credentials to log in to the user's email and read the OTP, or by social-engineering the code out of the victim, but it greatly reduces their chances of success. Where the option exists, an authenticator app or a phishing-resistant hardware key (FIDO2/WebAuthn) is stronger than an emailed or texted code.

IP address checks

IP addresses can be checked for other factors that may indicate fraudulent activity or the presence of a bot. These include the use of a VPN, which can represent a slightly elevated risk, or the Tor browser, which signals a high risk. Other IP address checks include the association with a data center, mismatched geolocation between the IP address and the home address provided, and a timezone mismatch. 

Behavioral analytics

Bots and fraudsters behave differently than humans. Activities that can reveal their behavior include the speed with which personal information is entered, the error rate of the entry, the use of copy and paste, and the order in which the data is entered.

Identity re-verification

When suspicious activity is detected, companies can use tools like live video verification to ensure the user's face matches the image on file. Essentially, this is a selfie re-check done when an account takeover is suspected. In serious cases, users can also be prompted to resubmit document ID verification. Customers likely won't mind the added step if it keeps their account safe, especially if the messaging around the reason is clear.

When should identity re-verification be used to stop account takeover attacks?

The same tools used for verifying new customer identity during the onboarding process can be used to prevent account takeover attacks through ‘identity re-verification’, which we outline above. However, the trick is for companies to launch re-verification fast enough to stop account takeover fraudsters from moving funds out of stolen accounts. 

To know when it’s appropriate to re-verify identity, companies need to track three kinds of risk:

Identity risk

Typically identity verification is done only at the onboarding stage, but signals that an identity has been compromised may pop up later on. For example, if a customer wants to change their password, this could be an appropriate time to re-verify their identity using a quick selfie check to make sure they aren’t a fraudster. 

Transaction risk

Reviewing the risk of customer transactions is important for preventing returned payments due to account takeover, because a fraudster typically attempts to withdraw the majority of funds from a stolen or compromised account in one fell swoop. Using a tool like Plaid Signal, which uses machine learning algorithms to calculate transaction risk, companies can review the risk of return for transactions from an account and require users to re-verify their identity when there is an indication of fraud or other risk of returned payments.

Fraud risk

Fraudsters might open an account on your app using a synthetic or stolen identity, then use it to launder money or to receive funds moved out of another customer's account that they took over.

To help prevent this, Plaid Beacon offers a network-based solution. When a fraudulent user is detected on any of the apps on the Beacon network, it sends an alert to all of the other apps to let them know an identity is associated with stolen ID, synthetic, or account takeover fraud. Fintechs can use this to stop the chain reaction of fraud, as fraudsters will try to use the same stolen and synthetic IDs across multiple apps.
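The following Python, added here as an example and not Plaid's code, ties together the IP address checks and behavioral analytics listed under "How to prevent account takeover fraud" with the identity and transaction risk triggers in this section: each signal that fires contributes to a risk score, and the score selects the friction tier (allow, OTP, selfie re-check, document re-check). The signal names, weights, thresholds and the five constructed sessions are illustrative assumptions; a production deployment would tune them against labelled fraud outcomes.

```python
"""Risk-based step-up for logins and sensitive actions (added example).

Weights, thresholds and the Session fields are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Session:
    # IP address checks
    ip_vpn: bool = False
    ip_tor: bool = False
    ip_datacenter: bool = False
    geo_mismatch: bool = False       # IP geolocation vs. home address on file
    tz_mismatch: bool = False        # browser timezone vs. IP timezone
    # Behavioral analytics for the login / verification form
    fill_seconds: float = 30.0
    field_count: int = 4
    pasted_fields: int = 0
    sequential_field_order: bool = True
    entry_errors: int = 0
    # Action risk (identity risk and transaction risk triggers)
    password_change: bool = False
    transfer_fraction: float = 0.0   # requested amount / available balance


# Illustrative weights (assumed). VPN is a slight elevation, Tor a high one.
WEIGHTS = {
    "vpn": 10, "tor": 50, "datacenter": 25, "geo_mismatch": 15, "tz_mismatch": 10,
    "too_fast": 25, "paste_heavy": 15, "out_of_order": 10, "zero_errors_fast": 10,
    "password_change": 20, "large_transfer": 30,
}

# Score thresholds mapped to the re-verification tiers described in the article.
TIERS = [(80, "DOCUMENT_RECHECK"), (50, "SELFIE_RECHECK"), (25, "OTP"), (0, "ALLOW")]


def risk_reasons(s: Session) -> list:
    """Names of every signal that fired for this session."""
    reasons = []
    if s.ip_tor:
        reasons.append("tor")
    elif s.ip_vpn:
        reasons.append("vpn")
    if s.ip_datacenter:
        reasons.append("datacenter")
    if s.geo_mismatch:
        reasons.append("geo_mismatch")
    if s.tz_mismatch:
        reasons.append("tz_mismatch")
    # Bots fill forms faster than humans, paste more, skip around and never mistype
    per_field = s.fill_seconds / max(s.field_count, 1)
    if per_field < 1.0:
        reasons.append("too_fast")
    if s.field_count and s.pasted_fields / s.field_count >= 0.5:
        reasons.append("paste_heavy")
    if not s.sequential_field_order:
        reasons.append("out_of_order")
    if s.entry_errors == 0 and per_field < 2.0:
        reasons.append("zero_errors_fast")
    # The moments an attacker must get past to reach exploitation
    if s.password_change:
        reasons.append("password_change")
    if s.transfer_fraction >= 0.8:
        reasons.append("large_transfer")
    return reasons


def risk_score(s: Session) -> int:
    return min(100, sum(WEIGHTS[r] for r in risk_reasons(s)))


def step_up_decision(s: Session) -> str:
    score = risk_score(s)
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "ALLOW"


# Constructed sessions (not real traffic).
SESSIONS = {
    "regular_user": Session(fill_seconds=28.0, entry_errors=1),
    "traveller_on_vpn": Session(ip_vpn=True, geo_mismatch=True, fill_seconds=22.0, entry_errors=1),
    "stuffing_bot": Session(ip_datacenter=True, tz_mismatch=True, fill_seconds=0.4,
                            pasted_fields=4, sequential_field_order=False),
    "drain_after_reset": Session(password_change=True, transfer_fraction=0.95,
                                 fill_seconds=35.0, entry_errors=2),
    "tor_login": Session(ip_tor=True, fill_seconds=20.0, entry_errors=1),
}


def evaluate_all():
    """{name: (score, decision)} for every constructed session."""
    return {name: (risk_score(s), step_up_decision(s)) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, (score, decision) in evaluate_all().items():
        print(f"{name:18s} score={score:3d} -> {decision:16s} {risk_reasons(SESSIONS[name])}")
```

Two design points the scoring makes concrete: a VPN plus a geolocation mismatch only reaches the OTP tier, so a travelling customer gets a code rather than a document request, while a password change followed by a transfer of most of the balance lands on a selfie re-check with no network signal at all, which is the "re-verify fast enough to stop the funds leaving" case the section describes.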

What can consumers do to prevent account takeover fraud? 

Consumers, too, can take many precautions to reduce the risk of an account takeover. These include:

Ensuring MFA is turned on

While it's possible to defeat multi-factor authentication (MFA), for example by logging into a victim's email with the same stolen credentials to read the code, it's much harder than defeating a password alone. Codes generated by an authenticator app on the phone, or a hardware security key, are preferable to codes sent by email; SMS codes sit in between, since a SIM-swap attack can redirect them to the fraudster. 

Eliminating password reuse

As previously mentioned, password reuse is what allows credential stuffing to work. Avoiding password reuse—especially for financial accounts—is one of the best ways to protect against these attacks. 

Looking up data breach exposure

Numerous databases make it quick and easy for people to find out if their email address or phone number has appeared in a known breach. Websites like haveibeenpwned.com show known breach exposures in seconds. Some of these sites offer notifications as well, enabling users to change their password shortly after a breach becomes known.

Keeping devices updated

Operating system updates often include security patches that close the vulnerabilities malware relies on. Keeping phones and computers current helps ensure a device stays one step ahead of the flaws hackers might exploit to steal credentials and other personal information. 

Never connecting to personal accounts from external devices

Logging in to a personal account on a computer that’s infected with malware is a surefire way for credentials to be stolen. If it’s unknown whether a public computer or a friend’s device is infected, it’s best not to log in at all.

Expanding account takeover fraud prevention

In a world where financial services have become predominantly digital, bad actors continue to find clever new ways to take advantage of consumers. Account takeovers, along with other types of fraud, are at an all-time high—an issue that will only be compounded by the rapidly expanding use of artificial intelligence.

Plaid Beacon is an anti-fraud network designed to go beyond individual fraud attacks by stopping the chain reaction and preventing fraud from spreading across the digital ecosystem. It does so by helping detect data associated with account takeover and other fraud.

→ Learn more about how Plaid’s robust fraud and compliance solutions can help prevent account takeover and other types of fraud. 



© 2025 Plaid Inc.