What is Account Takeover Fraud (ATO)?


Account takeover (ATO), also called account takeover fraud or account compromise, refers to a cyber-criminal gaining control of a legitimate account. This can happen when a threat actor successfully obtains an individual’s login credentials. Account takeover can be detrimental to business operations at any organization because, with a legitimate account, attackers can operate covertly and carry a stamp of credibility and authority, depending on whose account is compromised.


How does account takeover happen?

There are many ways an attacker can compromise an account. Most of the time the attacker gains access to an account by soliciting or forcefully obtaining account information.


Phishing

Phishing is the process of sending fraudulent emails, while posing as a legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers, bank account information, and more.

Spear phishing

Spear phishing is a type of phishing cyber-attack that targets a specific individual or organization rather than a broad audience. This usually involves an attacker conducting a significant amount of research on an organization or individual to make their attack seem more credible by contextualizing their message with relevant information. These attacks usually come in the form of email messages, but the term more specifically describes a socially engineered phishing attempt that is targeted.

CEO fraud

This is a form of impersonation where a threat actor will research a CEO at an organization and attempt to communicate with other employees, such as the finance department, and trick them using a falsified version of their credentials, often urgently requesting the transfer of money. These attacks are specifically focused on financial gain.


Whaling

Whaling is a heavily targeted phishing attack in which an attacker attempts to phish a high-ranking official, often chief executives. These social engineering cyber-attacks contain information that is highly personalized to the intended target to encourage them to click a link that will download malware, transfer funds to the attacker, or share details that can facilitate further attacks. The effects of a successful whaling attack can be devastating, including data loss, financial loss, and reputational damage.

Email spam

Email spam includes unwanted or unsolicited emails that arrive in a user’s inbox. Usually, email spam is sent to a large number of recipients. Spam can be sent automatically by a botnet or by human senders.


Malware

Malware is malicious software designed by a cyber-criminal attempting to infiltrate a device and disrupt a system or steal information. There are many types of malware, and each involves a different method of exploitation. However, in most cases the cyber-criminal wants to gain access to information that could harm the user, in order to benefit financially through a ransom or identity theft.

Business email compromise (BEC)

BEC is a type of email cyber-attack where a threat actor attempts to trick someone into sending them money or valuable information by impersonating a valuable or high-ranking individual within a business. In this scenario the goal is to compromise an account so that the attacker can continue to conduct malicious activity through legitimate account credentials.

Brute force attack

Brute force is a type of cyber-attack that attempts to guess the correct login information for an account. This is done with automated software that can try a variety of combinations until the correct one is reached. This is effective against weak or simple passwords.

How to prevent account takeover?

Account takeover can be harmful to any organization. To prevent account takeover from happening, set rate limits on login attempts, send alert notifications on changes in account information, and always check for compromised credentials with a breached credentials database. You can also take more proactive measures to ensure account takeover does not happen like fortifying your passwords and purchasing a security solution that offers complete visibility of your digital assets including user accounts.

Monitor account activity

Security teams can monitor all active accounts for unusual or suspicious behavior. Suspicious behavior can be anything from a strange login location to unusual purchases or transactions to varying communication patterns. For example, if someone does not usually talk to the finance department but is now trying to frequently get credit card information, this can be seen as suspicious.
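The login rate limit and the strange-login-location check described above can be sketched as follows. This is an added example, not Darktrace's code: the thresholds, the event tuple layout and the `review_logins` name are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold: failed logins tolerated per window
WINDOW_SECONDS = 300   # assumed sliding-window length

# Constructed sample events: (epoch seconds, account, source country, success)
EVENTS = [
    (1000, "alice", "GB", True),    # establishes alice's usual location
    (1100, "bob", "US", True),      # establishes bob's usual location
    (2000, "alice", "SG", False),   # burst of wrong-password attempts
    (2010, "alice", "SG", False),
    (2020, "alice", "SG", False),
    (2030, "alice", "SG", False),
    (2040, "alice", "SG", False),
    (2050, "alice", "SG", True),    # correct guess, but the limit is hit
    (2400, "alice", "GB", True),    # real user after the window has expired
    (3000, "bob", "SG", True),      # valid password from an unseen location
]

def review_logins(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return (time, account, finding) tuples for a time-ordered event list."""
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    known = defaultdict(set)       # account -> countries accepted as normal
    findings = []
    for ts, account, country, success in events:
        recent = failures[account]
        while recent and ts - recent[0] > window:
            recent.popleft()       # forget failures older than the window
        if len(recent) >= max_failures:
            # Reject before the password is even checked, so a correct
            # guess at the end of a brute-force run does not get in.
            findings.append((ts, account, "rate_limited"))
            continue
        if not success:
            recent.append(ts)
            continue
        if known[account] and country not in known[account]:
            # Do not learn the location automatically: it stays
            # suspicious until someone confirms it.
            findings.append((ts, account, "new_location"))
        else:
            known[account].add(country)
    return findings

if __name__ == "__main__":
    for finding in review_logins(EVENTS):
        print(finding)
```

A `rate_limited` finding is the point at which to block and notify the account owner; a `new_location` finding is a candidate for step-up verification rather than an automatic block.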

Two factor authentication

This is the process by which a user needs to verify that they are logging into their account with multiple devices. For example, a user will have to verify through their mobile phone that they are attempting to log in on their desktop device. This reduces the chance that an attacker with access to just one device can log in successfully.

Strong passwords

Having strong passwords will successfully stop most brute force attacks that attempt to compromise accounts and should be a given when it comes to account security. 

Advanced security solutions

Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can detect and alert the security team to any account activity that deviates from a particular user’s normal behavior and isolate any accounts indicative of compromise, neutralizing evolving threats before they spread.


Challenges preventing account takeover?

It is common for account takeover/compromise to start as an email. By using social engineering tactics, threat actors can bypass traditional email security systems and find themselves in an employee’s inbox. A highly targeted attack can identify common communication patterns and build trust between an employee and cyber-criminal, tricking the employee into divulging sensitive account information. 

Organizations will find it difficult to identify compromised accounts because the attacker is using legitimate credentials. Without advanced detection systems in place, security teams will have a tough time accounting for all the activity across their networks and identifying if this behavior deviates from the end user's normal activity.

Once the attacker has taken over the account, they can then continue to operate maliciously, but now with legitimate credentials. While some will opt to ask for money right away, others will plan a larger, widespread attack that can cause even more damage to the organization.

Incident response for account takeover

How can organizations identify and protect against account takeover fraud?

Suspend the account: Suspending or isolating the account will stop any further damage and prevent any unauthorized access to sensitive information.

Change the password: Changing the password will override the attacker’s access to the account, but only if they gained access through a brute force attempt at guessing the correct account password. If they were able to access the account by different means, such as exploiting a vulnerability, this might not be a sufficient mitigation tactic on its own.

Notify affected parties: Provide guidance and support for any parties that might be affected by the account takeover. This can include guidance on how to protect their sensitive information.

Account takeover solutions

Advanced security solutions like Darktrace provide organizations with automated detection and response security systems that can autonomously identify and stop potential threats. In instances of account takeover, Darktrace can isolate any suspicious accounts, neutralizing evolving threats before they spread.

Darktrace uses a Self-Learning AI model to understand each bespoke business from the inside out. That way, when activity within the business deviates from ‘normal’, the AI can identify this behavior and alert the security team.

AI can also use real-time data to identify and respond to threats quickly, minimizing the potential damage and saving time for security teams. Darktrace analyzes account activity across the entire digital estate, leveraging data from device and cloud activity to understand every user.

The email landscape is a heavily targeted attack vector facing a multitude of threats. Darktrace’s email security can defend against:

  • Account takeover
  • Phishing
  • Spear phishing
  • Supply chain/vendor email compromise
  • Data loss
  • CEO fraud
  • Invoice fraud
  • Social engineering
  • Extortion
  • Ransomware/Malware
  • Impersonation & Spoofing
