Account Takeover Prevention: How to Prevent ATO & Mitigate Fraud
Key takeaways
- Account takeover attacks increased 24% year-over-year in 2024, with 29% of US adults (77 million people) experiencing ATO fraud
- Account takeover prevention requires multi-layered defense: credential monitoring, rate limiting, MFA, and AI-based detection software
- Credential stuffing and brute force bot attacks are the most common ATO methods, driven by password reuse and leaked credentials
- Financial impact: Account takeover fraud cost merchants $38 billion in 2023, expected to reach $91 billion by 2028
- DataDome Account Protect uses intent-based detection to block account takeover attempts in under 2 milliseconds, with a 99% reduction in ATOs across customer implementations
- AI agents will reduce time to exploit account exposures by 50% by 2027, requiring more sophisticated cyberfraud protection
- Best prevention: Use AI-powered detection software that analyzes behavioral patterns, device fingerprinting, and compromised credentials databases
Why is account takeover prevention critical for businesses?
Account takeover (ATO) is a form of online identity theft in which an attacker gains control of a victim's online account, either by stealing the login credentials outright or by using stolen personally identifiable information (PII) such as Social Security numbers, addresses, and banking details to pass identity checks, and then uses that access for fraud. In 2024, account takeover attacks surged 24% year-over-year, affecting 29% of US adults, approximately 77 million people. With account takeover fraud costing merchants $38 billion in 2023 and projected to reach $91 billion by 2028, ATO prevention has become a business-critical priority for e-commerce, financial services, and any organization that manages customer accounts.
In an account takeover attack, the perpetrator typically uses bad bots to gain access to a real person's online account, often an e-commerce account with stored payment details. Gartner predicts that by 2027, AI agents will halve the time it takes to exploit account exposures, making sophisticated cyberfraud protection more essential than ever.
The Damages: What happens to your business during an account takeover?
Once inside, attackers use the hijacked account for all sorts of fraudulent activity: they typically change the password (locking the real owner out), change the shipping address to make fraudulent purchases, and withdraw money or stored value from the account wherever possible.
For an e-commerce site, there can be various negative impacts from account takeovers (especially repeated ATO attacks), such as:
- Increased Transaction Disputes
- Increased Chargebacks
- High Customer Churn
- Loss of Trust in Your Business
- Damage to Your Brand’s Reputation
Real-world impact: How ATO affects businesses
“The number of fraudulent orders and cyberattacks has gone up like crazy since the pandemic, and it’s impossible to ignore bot threats. DataDome takes the pressure off and I can sleep better at night,” says Andrei Rebrov, CTO & Co-Founder of Scentbird, who faced increasing ATO attempts targeting their e-commerce platform.
The Director of Marketing and Technology at a leading e-commerce company reported: “Thanks to DataDome, bot traffic decreased to the point where it’s negligible for us. Now, attacks are stopped in their tracks before they become a real problem.”
One of the worst things about ATO attacks is that the site owner usually cannot detect an attack in progress until a customer complains, unless proper bot and online fraud protection is in place.
Chargebacks are a huge cost for e-commerce websites, especially those using a third-party payment gateway. When your chargeback rate is high (meaning you process a lot of chargebacks compared to your total number of sales), your payment gateway company might raise your transaction fees, which can translate to very significant losses. As a result, credit card chargeback prevention is vital.
Ultimately, account takeover attacks can be very damaging—not only to your brand image and customer trust in the long term, but also more directly to your bottom line.
Pro Tip: Account farming fuels large-scale fraud by using mass-created accounts to exploit promotions, fake identities, and online wallets, costing businesses billions annually. Detecting and blocking farmed accounts early is essential to reduce exposure to identity theft, phishing, and e-commerce abuse.
Attack Techniques: How does account takeover happen?
Perpetrators may use various techniques to attempt an account takeover. Here are some common ones:
Phishing
The attacker tricks potential victims into revealing their information voluntarily, using a fake login page, emails pretending to be someone the victim knows, etc. Phishing attacks can be very deceptive and specifically targeted (spear phishing).
Phishing continues to evolve with AI. Since the launch of ChatGPT, phishing attacks have reportedly increased by 4,151%, and security firm Barracuda recorded over one million phishing attacks in the first two months of 2025 alone. Generative AI makes phishing more convincing by producing natural-sounding text, cloned voices, and even video that mimics a trusted person.
Credential Stuffing
Credential stuffing is the use of stolen or leaked credentials from one website or platform to try to log in to accounts on many other sites, in the hope that the victim has reused the same username and password. It is one of the most common ways to initiate ATO, and it works because password reuse is so widespread.
Brute Force Bot Attack
The attacker deploys bad bots to run a rapid, high-volume brute force (password-guessing) attack against the login endpoint of your website or app. Sophisticated bots can take over a significant number of accounts before they are caught, and they rotate through thousands or millions of IP addresses, often residential proxies, so that per-IP blocking alone is not enough. It is important to prevent brute force attacks as much as possible.
What are the most effective account takeover prevention methods?
1. Check for Compromised Credentials
A key step in account takeover prevention and e-commerce fraud prevention is to check new credentials at sign-up and at password change against a database of breached credentials, so you know when a user is choosing a password that attackers already hold. Check your existing user base regularly too, so you can catch when existing users’ credentials appear in a new breach and notify them immediately. Be proactive: alert users and new sign-ups as soon as their credentials are found in a breach, and require a reset rather than merely warning.
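One way to implement the breached-credential check without ever sending a password (or even its full hash) to a third party is the k-anonymity range protocol used by the Pwned Passwords service: the client hashes the candidate with SHA-1, sends only the first five hex characters, receives every hash suffix in that bucket with a breach count, and does the comparison locally. The block below is an added example, not DataDome's code or the page's own. The in-memory bucket is a constructed stand-in for one API response (only the "password" entry is real; the other suffixes and all counts are made up), so the example runs offline; the real HTTP lookup is included but not exercised.

```python
"""Breached-password screening via the k-anonymity range protocol.

Added example, not DataDome code. Models the Pwned Passwords range API
(https://api.pwnedpasswords.com/range/<prefix>): the client sends only the
first 5 hex characters of the SHA-1 of the candidate password, the server
returns every suffix in that bucket with a breach count, and the comparison
happens client side, so the full hash never leaves your infrastructure.
"""
import hashlib
import urllib.request

# Constructed stand-in for the body of GET /range/5BAA6 ("SUFFIX:COUNT" per
# line). Only the "password" line is real; the other suffixes and all counts
# are invented for this example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char query prefix and the
    35-char suffix compared locally. SHA-1 is only a lookup key here; never
    use it to *store* passwords (use Argon2id or bcrypt for that)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and the
    zero-count padding lines the service adds when Add-Padding is set."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the range API: only bucket 5BAA6 is populated."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_http(prefix: str, timeout: float = 5.0) -> str:
    """Real lookup (not used by the offline run). Add-Padding makes the
    service pad responses so bucket sizes cannot be inferred from length."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "ato-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times this exact password appears in the breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


def is_acceptable(password: str, fetch_range=fetch_range_offline,
                  min_length: int = 12) -> tuple:
    """Policy a sign-up or password-change handler would enforce: minimum
    length plus 'not in any known breach'. An empty lookup body counts as
    'not found', i.e. this fails open; decide that explicitly in production."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"appears in {n} known breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", is_acceptable(pw, min_length=8))
```

For the periodic sweep of the existing user base mentioned above, the same range lookup cannot be applied to your stored (salted, slow-hashed) password hashes; that sweep instead matches user email addresses against breach notifications or a credential-monitoring feed and forces a reset for the accounts that appear.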
2. Set Rate Limits on Login Attempts
Rate-limit failed login attempts per username, per client IP address, and per device, with thresholds derived from your users’ usual behavior, to help prevent account takeover. Count each dimension separately: credential stuffing spreads attempts across many usernames from few IPs, while distributed brute force concentrates on one username from many IPs, so a single counter misses one or the other. Prefer throttling, CAPTCHA, or step-up authentication over hard lockouts, so attackers cannot weaponize the limit to lock real users out, and return the same response for unknown usernames and wrong passwords to avoid account enumeration. You can also incorporate limits on the use of proxies, VPNs, and other factors.
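The following is an added example (not DataDome code or the page's own) of the per-username, per-IP and per-device limiting described above, implemented as sliding-window counters over failed attempts. The thresholds (5 per username, 20 per IP, 10 per device in five minutes), the IP ranges and the two constructed traffic shapes are assumptions for illustration; it shows why each dimension is needed, since the stuffing run only trips the IP counter and the distributed brute-force run only trips the username counter.

```python
"""Multi-key sliding-window throttling of failed logins.

Added example, not DataDome code. Failed attempts are counted per username,
per client IP and per device identifier over one window, each with its own
threshold, so that credential stuffing (one IP, many usernames) and
distributed brute force (one username, many IPs) are both caught.
Thresholds and window are illustrative; derive yours from legitimate traffic.
"""
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, limits=None, window_s: int = 300):
        # Maximum failed attempts per key within the window (assumed values).
        self.limits = limits or {"username": 5, "ip": 20, "device": 10}
        self.window_s = window_s
        # (kind, key) -> timestamps of failures, oldest first
        self._failures = defaultdict(deque)

    @staticmethod
    def _keys(username, ip, device):
        # Normalise the username so "Alice" and "alice" share one bucket.
        return (("username", username.strip().lower()), ("ip", ip), ("device", device))

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def check(self, now, username, ip, device):
        """Return (allowed, blocking_dimension). Call this *before* verifying
        the password so a throttled request costs no slow-hash computation."""
        for kind, key in self._keys(username, ip, device):
            dq = self._failures[(kind, key)]
            self._prune(dq, now)
            if len(dq) >= self.limits[kind]:
                return False, kind
        return True, None

    def record_failure(self, now, username, ip, device):
        """Only failures count; successes must not reset an attacker's budget."""
        for kind, key in self._keys(username, ip, device):
            self._failures[(kind, key)].append(now)


def run_attempts(limiter, attempts):
    """Feed (ts, username, ip, device) wrong-password attempts through the
    limiter. Returns (attempts allowed before the first throttle, dimension
    that throttled, or None if it never did)."""
    allowed = 0
    for ts, user, ip, dev in attempts:
        ok, why = limiter.check(ts, user, ip, dev)
        if not ok:
            return allowed, why
        allowed += 1
        limiter.record_failure(ts, user, ip, dev)
    return allowed, None


# Constructed traffic shapes, one failed attempt per second (documentation
# IP ranges, made-up usernames).
def credential_stuffing(n=40):
    # One IP works through a leaked list: a new username every time and a
    # randomised device id to dodge per-device limits.
    return [(t, f"user{t}@example.com", "203.0.113.7", f"dev-{t}") for t in range(n)]


def distributed_brute_force(n=40):
    # One victim, password guesses spread across a proxy pool.
    return [(t, "Victim@example.com", f"198.51.100.{t}", f"dev-{t}") for t in range(n)]


if __name__ == "__main__":
    print("credential stuffing:", run_attempts(LoginRateLimiter(), credential_stuffing()))
    print("distributed brute force:", run_attempts(LoginRateLimiter(), distributed_brute_force()))
```

Two caveats when tuning this for real traffic: the IP dimension must be generous because carrier-grade NAT puts thousands of legitimate users behind one address, and the device dimension is the weakest of the three because the identifier is attacker-controlled, which is why the stuffing run above had to be caught by the IP counter.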
3. Send Notifications of Account Changes
Always notify users of any change made to their account (password, email, phone number, shipping address, payment method), and send the notice to the previous contact address as well as the new one, so the real owner still sees it when the attacker has already swapped the recovery email. That way, even if an attacker overcomes your authentication measures, the owner can notice right away, which helps minimize risk and prevent further damage.
4. Prevent Account Takeover With ATO Prevention Software
Because ATO attacks give themselves away through a myriad of small hints (such as login attempts from different devices and multiple failed login attempts), the easiest way to prevent them is to use specialized account fraud protection software. Look for a solution that reviews all of the small signals in each request to your website, app, or API to root out suspicious behavior automatically. DataDome Account Protect uses multiple layers of machine learning to analyze requests and detect malicious user behavior within milliseconds.
How do you detect account takeover attacks in real time?
Here are some important key signs you can use to detect ATO attempts on your website:
IP Addresses From Unusual Countries
A sudden rise in logins from IP addresses in one or more countries outside the usual access locations can be a good indicator of account takeover: the perpetrator often does not know the account owner’s location and cannot mimic the right IP address. Pay extra attention when an account changes access location just before or after its credentials are changed. Note that attackers increasingly route traffic through residential proxies or VPN exit nodes in the victim’s own country to blend in, so geography alone is a weak signal; treat it as one input among several.
Several Accounts Changing to Shared Details
When an ATO attacker successfully claims an account, they typically change details like the email address and password so the original owner can no longer access it. When the same value (for example, one recovery email address or one shipping address) is applied across more than one account, it is a strong sign of an ATO campaign on your site.
Unknown Device Models
Cybercriminals often spoof or randomize their device fingerprint so that the same machine does not appear to be accessing multiple accounts. Spoofed fingerprints usually betray themselves through internal inconsistencies (for example, a User-Agent that claims one browser while JavaScript feature detection reveals another), and a fingerprinting system will classify such devices as “unknown”. A higher ratio of unknown devices than usual is a common sign of an incoming ATO attack.
Multiple Accounts Accessed by the Same Device
Sometimes attackers do not spoof or mask their device between logins to different accounts, so every account they access is linked to one device. The catch is that devices are sometimes legitimately shared between family members or friends, so always cross-check other factors before concluding it is an ATO attack.
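The four indicators above can be computed in a batch job over your login audit log. The block below is an added example (not DataDome code or the page's own) that runs each check over a constructed log in which one device, dev-x9, logs into three accounts from a country none of them has used and then points two of them at the same recovery email, while two unrelated users happen to present unreadable fingerprints. The record layout, the per-account country baseline, the 5% unknown-device threshold and the fan-out threshold of three accounts are assumptions. The final function implements the cross-checking the last paragraph calls for: an account is only escalated when at least two independent signals name it.

```python
"""Batch checks for the four ATO indicators: unusual countries, shared
details across accounts, unknown-device ratio, and device fan-out.
Added example, not DataDome code; the log, baseline and thresholds are
constructed for illustration."""
from collections import defaultdict

# Countries each account used during a clean baseline period (assumed).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"FR"},
            "dave": {"US"}, "erin": {"DE"}}

# Constructed audit log: (ts, user, geo_country, device_id, event, detail).
# device_id "unknown" means the fingerprint was missing or inconsistent.
EVENTS = [
    (1,  "alice", "US", "dev-a1",  "login_ok",     None),
    (2,  "bob",   "US", "dev-b1",  "login_ok",     None),
    (3,  "carol", "FR", "dev-c1",  "login_ok",     None),
    (4,  "alice", "NG", "dev-x9",  "login_ok",     None),
    (5,  "alice", "NG", "dev-x9",  "email_change", "mule@example.com"),
    (6,  "bob",   "NG", "dev-x9",  "login_ok",     None),
    (7,  "bob",   "NG", "dev-x9",  "email_change", "mule@example.com"),
    (8,  "dave",  "NG", "dev-x9",  "login_ok",     None),
    (9,  "erin",  "DE", "unknown", "login_ok",     None),
    (10, "carol", "FR", "unknown", "login_ok",     None),
    (11, "dave",  "US", "dev-d1",  "login_ok",     None),
]


def logins(events):
    return [e for e in events if e[4] == "login_ok"]


def unusual_country_logins(events, baseline):
    """Successful logins from a country the account has never used."""
    return [(u, c) for _, u, c, _, _, _ in logins(events)
            if c not in baseline.get(u, set())]


def shared_detail_changes(events, field="email_change", min_accounts=2):
    """Accounts that changed the same detail to the same value."""
    by_value = defaultdict(set)
    for _, u, _, _, ev, detail in events:
        if ev == field and detail:
            by_value[detail.lower()].add(u)
    return {v: users for v, users in by_value.items() if len(users) >= min_accounts}


def unknown_device_ratio(events):
    """Share of successful logins whose fingerprint could not be classified."""
    ls = logins(events)
    return sum(1 for e in ls if e[3] == "unknown") / len(ls) if ls else 0.0


def device_account_fanout(events, min_accounts=3):
    """Known devices that logged into at least min_accounts distinct accounts."""
    by_dev = defaultdict(set)
    for _, u, _, dev, _, _ in logins(events):
        if dev != "unknown":
            by_dev[dev].add(u)
    return {d: users for d, users in by_dev.items() if len(users) >= min_accounts}


def ato_report(events, baseline, unknown_ratio_threshold=0.05):
    ratio = unknown_device_ratio(events)
    return {
        "unusual_country": unusual_country_logins(events, baseline),
        "shared_email": shared_detail_changes(events),
        "unknown_device_ratio": ratio,
        "unknown_device_spike": ratio > unknown_ratio_threshold,
        "device_fanout": device_account_fanout(events),
    }


def corroborated_accounts(report, min_signals=2):
    """Escalate only accounts named by at least min_signals distinct checks,
    so a shared family tablet (fan-out alone) is not treated as an ATO."""
    hits = defaultdict(int)
    for u, _ in report["unusual_country"]:
        hits[u] += 1
    for users in report["shared_email"].values():
        for u in users:
            hits[u] += 1
    for users in report["device_fanout"].values():
        for u in users:
            hits[u] += 1
    return {u: n for u, n in hits.items() if n >= min_signals}


if __name__ == "__main__":
    rep = ato_report(EVENTS, BASELINE)
    for k, v in rep.items():
        print(f"{k}: {v}")
    print("escalate:", corroborated_accounts(rep))
```

In the constructed log the unknown-device ratio is 2 of 9 logins, which trips the spike flag, but neither erin nor carol is escalated because no second signal names them; alice, bob and dave are, because the foreign-country logins, the shared mule address and the dev-x9 fan-out all point at the same accounts.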
What are the best practices to mitigate account takeover risks?
Improve your ATO protection by encouraging your users (customers and employees alike) to use strong, unique passwords and never one that has appeared in a breach. When it comes to passwords, length matters far more than character mix: current guidance (NIST SP 800-63B) recommends a minimum length, screening candidates against lists of breached and commonly used passwords, and allowing long passphrases, rather than mandatory upper/lowercase, digit and symbol rules, which push users toward predictable patterns such as a capitalized word followed by a digit and an exclamation mark. Remind users not to use personal information such as their name or birthday, and point them to a password manager so that long, unique passwords are practical to remember.
Here are some solid corporate account takeover prevention measures for your business to consider:
Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
You can strengthen your account takeover protection by requiring users to present a second factor besides their password. Factors fall into three categories; best practice is to combine factors from different categories:
- Something they know that is not common or public knowledge. Answers to security questions fall here, but they are the weakest option: the answers are often discoverable from social media or earlier breaches, and NIST no longer recommends them as an authenticator.
- Something they possess, such as an authenticator app, a hardware security key, or a token or card you have issued that your system can recognize. SMS one-time codes also belong here but are vulnerable to SIM swapping and real-time phishing relays; FIDO2/WebAuthn security keys and passkeys are phishing-resistant because the credential is bound to your site’s origin and cannot be replayed to a look-alike domain.
- Something they are: a unique physical characteristic such as a fingerprint, face, or iris scan.
You don’t need to ask for the second factor on every login. You can make it adaptive according to the perceived risk (risk-based authentication): for example, require 2FA only when a user attempts to log in from a device or location they have not used before, when the login is geographically implausible given the previous one, or when the account has seen recent failed attempts.
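An added example (not DataDome code or the page's own) of the risk-based decision described above: a small additive scorer that turns the login context and the account's history into one of allow, step-up (prompt for the second factor) or block. The signal weights, the 30/70 thresholds, the 900 km/h "impossible travel" speed, the history and context fields, and the coordinates of the sample logins are all assumptions; the proxy flag is presumed to come from an IP-reputation feed that is not part of the example.

```python
"""Risk-based step-up decision for a single login attempt.
Added example, not DataDome code; weights, thresholds and field names are
assumptions to be tuned against your own traffic."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class AccountHistory:
    known_devices: set
    known_countries: set
    last_login: Optional[tuple]   # (ts_seconds, lat, lon) of last successful login
    recent_failures: int = 0      # failed attempts on this account in the current window


@dataclass
class LoginContext:
    ts: float
    device_id: str
    country: str
    lat: float
    lon: float
    anonymizing_proxy: bool = False   # assumed to come from an IP-reputation feed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlambda / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed (assumed cutoff)
GEOIP_JITTER_KM = 50.0      # ignore moves smaller than GeoIP noise (assumed)


def risk_score(ctx: LoginContext, hist: AccountHistory):
    """Return (score, reasons). Each reason is one of the signals the text
    lists; the weights are illustrative."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 30; reasons.append("new_device")
    if ctx.country not in hist.known_countries:
        score += 25; reasons.append("new_country")
    if hist.last_login is not None:
        t0, lat0, lon0 = hist.last_login
        dist = haversine_km(lat0, lon0, ctx.lat, ctx.lon)
        hours = (ctx.ts - t0) / 3600.0
        # Two logins at (almost) the same instant from far apart: treat as
        # infinite speed rather than dividing by zero.
        speed = float("inf") if hours <= 0 else dist / hours
        if dist > GEOIP_JITTER_KM and speed > MAX_PLAUSIBLE_KMH:
            score += 50; reasons.append("impossible_travel")
    if ctx.anonymizing_proxy:
        score += 20; reasons.append("anonymizing_proxy")
    if hist.recent_failures >= 3:
        score += 15; reasons.append("recent_failures")
    return score, reasons


def decide(score: int) -> str:
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "block"


def evaluate(ctx: LoginContext, hist: AccountHistory):
    score, reasons = risk_score(ctx, hist)
    return decide(score), score, reasons


# Constructed sample: last good login from New York at t=0 on a known device.
NYC = (40.7128, -74.0060)
BOSTON = (42.3601, -71.0589)
LAGOS = (6.5244, 3.3792)
HISTORY = AccountHistory(known_devices={"dev-a1"}, known_countries={"US"},
                         last_login=(0, *NYC))

if __name__ == "__main__":
    for label, ctx in [
        ("same device, same city", LoginContext(3600, "dev-a1", "US", *NYC)),
        ("new laptop, Boston 5h later", LoginContext(5 * 3600, "dev-new", "US", *BOSTON)),
        ("Lagos via proxy 1h later", LoginContext(3600, "dev-z", "NG", *LAGOS, True)),
    ]:
        print(label, "->", evaluate(ctx, HISTORY))
```

Keeping the score additive and the reasons explicit matters operationally: the reasons list is what you log and show to the user ("we asked for a code because this is a new device"), and it is what lets you tune one weight without silently changing the others.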
Tracking System
When an account shows signs of compromise, you need a measure in place to contain it and prevent further damage. Placing the suspicious account in a restricted state (for example, allowing browsing but blocking address changes, payouts, and purchases until the owner re-verifies) lets you track all activity related to the account and block it outright if necessary.
Web Application Firewall (WAF)
Although not specifically designed for account takeover detection, WAFs can be configured with targeted policies that help identify and block ATO traffic, such as rate rules on the login endpoint, blocking of known bad IP reputations, and signatures for common credential-stuffing tools. WAFs can help spot the brute force attacks commonly used for ATO and other bad bot activity, but they see individual requests rather than account-level behavior, so they are a complement to, not a substitute for, dedicated detection.
AI-Based Detection With Threat Expert Oversight
AI-based account takeover protection and detection software is the best way to identify and stop sophisticated ATO attempts in real time, whether they’re perpetrated by human fraudsters or bots. Advanced AI and machine learning (ML)-based technologies are necessary for behavior-based detection that will identify complex ATO attempts and effectively monitor your website, mobile app, and/or API for suspicious activity.
How DataDome Account Protect Prevents Account Takeover
DataDome Account Protect goes beyond traditional identity verification to focus on intent, because it’s not about knowing who’s real, it’s about what they intend to do. Our multi-layered AI engine analyzes thousands of signals to detect and block account takeover attempts in under 2 milliseconds, ensuring zero impact on legitimate user experience.
Proven results for cyberfraud protection
- 99% reduction in account takeovers across customer implementations
- 95% time saved on online fraud disputes, freeing security teams to focus on strategic priorities
- Millions saved in fraudulent charges, chargebacks, and dispute costs
“What a time saver not to have to spend hours in meetings checking each event one by one as soon as you had a doubt!” – Senior Security Engineer at a leading benefits provider who implemented DataDome to fight account takeovers.
Conclusion
Detecting and preventing account takeover attempts is essential for any website or company that provides credential-protected accounts. When your customers’ accounts are compromised on your site, the result is lost consumer trust and lasting damage to your brand’s reputation.
From large enterprise websites to small companies, no online business or account holder is safe from being targeted with ATO. Putting account takeover prevention, detection, and protection in place is business-critical, and the time to do it is now. To see how your business could benefit from ATO protection, book an Account Protect demo today.
FAQ
How much does account takeover fraud cost?
Account takeover fraud cost merchants $38 billion in 2023, with individual businesses experiencing an average loss of $5 million per account breach, according to Security.org. Individual victims lose an average of $180, though losses can reach up to $85,000. By 2028, merchants are expected to lose $91 billion annually to account takeover fraud. Breaches that begin with stolen or compromised credentials, the category credential stuffing falls into, cost an average of $4.81 million each, according to IBM’s 2024 Cost of a Data Breach report.
Is multi-factor authentication enough to stop account takeover?
Multi-factor authentication significantly improves account security but isn’t foolproof. While 87% of large enterprises enforce MFA, attackers can bypass weaker factors through SIM swaps (which increased 20% year-over-year), phishing-as-a-service platforms that relay one-time codes in real time, and AI-generated social engineering. Phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys close the real-time phishing route, but not every user can be moved to them at once. For best protection, combine MFA with AI-powered account takeover detection software that analyzes behavioral patterns and intent, not just identity credentials.
How is AI changing account takeover attacks?
AI is accelerating account takeover attacks. Gartner predicts that by 2027, AI agents will reduce the time it takes to exploit account exposures by 50%. Attackers use AI to create more convincing phishing attempts with deepfake voices and videos, automate credential testing at massive scale, and bypass traditional security measures. Since ChatGPT launched, phishing attacks have reportedly increased 4,151%. Organizations need AI-powered cyberfraud protection that can detect and block AI-driven fraud in real time to stay ahead of these evolving threats.
What is account takeover protection?
Account takeover protection is any software specifically designed to locate account takeover attempts and prevent them from succeeding, thus protecting users from having their accounts stolen. Account takeover protections tend to focus on identifying suspicious user behavior through a variety of signals like geolocation, time stamps, session history, and even usernames and email addresses.
How does account takeover happen?
Account takeover happens when a malicious actor gains access to a user’s account credentials. With a full set of credentials, they can use credential stuffing to try the same pair on many other websites. With partial credentials (a username or an old password, say), they can use credential cracking, guessing the missing piece until one attempt succeeds.
How can you detect account takeover?
Look for a sudden rise of IP addresses from one or more unusual countries, several accounts changing to shared details, unknown device models, and multiple accounts accessed by the same device. In e-commerce, you might also see an increased rate of chargebacks as users with stolen accounts notice fraudulent transactions.
What is the difference between account takeover and identity theft?
ATO is a form of online identity theft, and both can be used for fraud, but there are differences. Identity theft in the broad sense aims to steal and use a person’s identity (Social Security number, address, banking details) to open new accounts or transact in their name. The objective of ATO is narrower: to steal access to an existing online account for fraudulent purposes, so the “identity” being stolen in ATO is a person’s online persona on a specific account.
References
- https://www.miteksystems.com/blog/account-takeover-fraud-statistics
- https://chargebacks911.com/ecommerce-fraud/account-takeover-fraud/account-takeover-fraud-statistics/
- https://www.gartner.com/en/newsroom/press-releases/2025-03-18-gartner-predicts-ai-agents-will-reduce-the-time-it-takes-to-exploit-account-exposures-by-50-percent-by-202