A strong ATO prevention strategy is more important than ever in reducing risk for customers and businesses. This blog article explains what modern account takeover attacks look like, how to recognize early warning signs, and how to prevent them.

The scale of account takeover fraud has grown dramatically in recent years. 

TransUnion’s 2025 Fraud Trends Report found that businesses lost an average of 7.7 percent of annual revenue to fraud. This represents $534 billion across the 1,200 businesses surveyed. Digital account takeover volume also increased by 21 percent from the first half of 2024 to the first half of 2025. The London-based not-for-profit membership organization Cifas recorded 76 percent more account takeover cases in 2024, with nearly half targeting mobile phone accounts. SIM swap fraud alone rose by 1,055 percent. This trend shows that attackers are increasingly bypassing multi-factor authentication (MFA) and that phone-based authentication is becoming less reliable as a defense. 

These trends highlight the growing importance of identity in enterprise cybersecurity.

What do modern ATOs look like? 

Stolen credentials have become the dominant path for breaches. Attackers now exploit every step of the digital identity chain. 

One major shift is that ATO attacks occur across multiple channels. A fraudster might begin by testing leaked passwords on a website. If Web controls block them, they pivot to the call center or a mobile carrier. Nearly two-thirds of financial institutions report that most ATOs begin with attackers targeting their call centers. Using personally identifiable information leaked in prior breaches, fraudsters convince customer service agents that they are legitimate users. 

Once inside, attackers reset credentials or manipulate support staff to bypass controls. In April 2025, the cybercrime collective Scattered Spider targeted British retailer Marks & Spencer. The attackers impersonated IT help desk personnel to bypass MFA and obtain employee credentials. The resulting system disruptions prevented customers from accessing the online store for nearly seven weeks and contributed to a $400 million decline in the company’s market value. 

Modern ATO attacks test enterprise defenses across every channel. If one path is blocked, attackers move to another. In turn, enterprises must build layered defenses that include identity threat detection and risk mitigation across Web, mobile, internal systems, and call centers. 

How account takeover attacks happen 

Attackers combine multiple techniques to gain initial access. Compromised credentials help them blend in and move laterally. Common tactics include: 

Credential stuffing 

Attackers use bots to test thousands of stolen credential pairs from prior breaches. This technique works because many users reuse passwords across services. 

Phishing 

Attackers impersonate trusted brands through email, SMS, or advertisements. Victims are redirected to fake login pages that capture credentials. 

Man-in-the-middle attacks 

Attackers intercept communication between users and websites to capture sensitive data. These attacks are especially effective on unsecured public Wi-Fi networks. 

SIM swap attacks 

Attackers convince mobile carriers to transfer a victim’s phone number to a new SIM card. This allows them to intercept MFA codes and reset credentials. 

Cross-account lateral movement 

Once inside an account, attackers pivot to others. They reset linked email accounts and exploit single sign-on connections. 

A major weakness in current defenses is reliance on static verification. When users cannot receive one-time passcodes, organizations often fall back on security questions. After years of data breaches, this information is widely exposed. As a result, security questions are now as vulnerable as passwords. Many call centers still rely on them to verify identity. 

Enterprises also struggle with orphaned accounts, outdated phone numbers, weak device verification, and inconsistent authentication policies. MFA provides stronger protection than passwords alone. However, phone-based MFA can still be bypassed through SIM swaps, AI-powered phishing, or social engineering. 

Account takeover prevention strategies 

The ATO arms race currently favors attackers. They only need one gap, while defenders must secure every entry point. In turn, enterprises must strengthen authentication and continuously monitor identity risk. 

Adopt phishing-resistant authentication 

Passwords and SMS codes remain the weakest authentication factors. Passkeys offer a stronger alternative. Passkeys bind credentials to a specific device and domain and use hardware-backed cryptography. 

The FIDO Alliance reports that over 35 percent of users have experienced account compromise due to password vulnerabilities. In addition, 47 percent of users abandon purchases when they forget passwords. Passkeys improve both security and usability. 
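The domain binding can be seen in the checks a relying party runs on each passkey (WebAuthn) login. The sketch below is an added example, not ID Dataweb code; the relying-party ID, the origin, the helper names and the sample assertions are assumptions constructed for illustration, and signature verification is left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed site origin

def b64url(data):
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def failed_checks(client_data_json, auth_data, issued_challenge):
    """Return the names of failed checks; an empty list means all passed.
    Signature verification with the stored public key is a further
    required step and is left out of this sketch."""
    failures = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    if client_data.get("challenge") != b64url(issued_challenge):
        failures.append("challenge")   # stale or replayed assertion
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")      # assertion was made on another site
    if len(auth_data) < 37:            # 32-byte hash + flags + 4-byte counter
        return failures + ["auth_data_length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rp_id_hash")  # credential scoped to another domain
    if not auth_data[32] & 0x01:       # bit 0 of the flags byte: user present
        failures.append("user_present")
    return failures

def sample_assertion(origin, rp_id, challenge):
    """Build constructed clientDataJSON and authenticator data for the demo."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags, sign_count = bytes([0x05]), (1).to_bytes(4, "big")
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags + sign_count

if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    genuine = sample_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = sample_assertion("https://login.example.com.lookalike.test",
                                 "login.example.com.lookalike.test", challenge)
    print(failed_checks(*genuine, challenge))
    print(failed_checks(*lookalike, challenge))
```

An assertion produced on a lookalike domain fails both the origin and the RP ID hash check, which is why a captured passkey response cannot be replayed against the real site the way a phished password or SMS code can.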

Use adaptive, risk-based MFA and continuous identity threat detection 

MFA should adapt to risk. Risk-based MFA evaluates device, network, telecom, and behavioral risk signals before allowing access. 

Platforms such as ID Dataweb analyze device reputation, phone number history, geolocation, and login velocity. These risk signals help detect SIM swaps, compromised devices, and abnormal access attempts. Modern identity threat detection solutions evaluate multiple risk signals, including: 

  • Device fingerprint and browser environment 
  • Phone number reputation and SIM change history 
  • Geolocation and login velocity 
  • Behavioral biometrics such as typing cadence 
  • Account changes, such as rapid password and phone number updates 

Individual risk signals may appear normal. However, correlating signals reveals patterns that may indicate account takeover. 
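The correlation step can be sketched as a small scoring function. This is an added example, not ID Dataweb's product logic; the field names, weights, pair bonuses and thresholds are all illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LoginContext:
    known_device: bool
    hours_since_sim_change: Optional[float]  # None: no SIM change on record
    km_from_last_login: float
    hours_since_last_login: float
    account_changes_last_hour: int           # password / phone number updates

# All weights, bonuses and thresholds below are illustrative assumptions.
WEIGHTS = {"new_device": 15, "recent_sim_change": 20,
           "impossible_travel": 35, "rapid_account_changes": 15}
COMBO_BONUS = {
    frozenset({"new_device", "recent_sim_change"}): 40,
    frozenset({"recent_sim_change", "rapid_account_changes"}): 30,
    frozenset({"new_device", "impossible_travel"}): 25,
}

def signals(ctx):
    """Turn raw login context into a set of named risk signals."""
    found = set()
    if not ctx.known_device:
        found.add("new_device")
    if ctx.hours_since_sim_change is not None and ctx.hours_since_sim_change < 72:
        found.add("recent_sim_change")
    speed_kmh = ctx.km_from_last_login / max(ctx.hours_since_last_login, 0.01)
    if speed_kmh > 900:                      # faster than a commercial flight
        found.add("impossible_travel")
    if ctx.account_changes_last_hour >= 2:
        found.add("rapid_account_changes")
    return found

def score(ctx):
    """Sum per-signal weights, then add a bonus for each correlated pair."""
    found = signals(ctx)
    total = sum(WEIGHTS[name] for name in found)
    return total + sum(b for combo, b in COMBO_BONUS.items() if combo <= found)

def decide(ctx):
    """Map the correlated score to an authentication decision."""
    risk = score(ctx)
    if risk >= 70:
        return "deny_and_review"
    if risk >= 30:
        # Never step up over SMS when the SIM itself is the suspicious signal.
        return "step_up_without_sms" if "recent_sim_change" in signals(ctx) else "step_up"
    return "allow"
```

With these assumed weights, a new device alone or a recent SIM change alone is allowed, while the two together cross the review threshold.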

Harden call centers against social engineering and deepfakes 

Help desks are frequent targets. Attackers impersonate users or employees to reset credentials or bypass MFA. In addition, deepfake voice scams are increasing. Therefore, organizations should implement layered verification that combines: 

  • Voice biometrics 
  • Device intelligence 
  • Network analysis 
  • Behavioral analytics 

This approach makes impersonation significantly more difficult. 

Maintain identity data hygiene 

Outdated identity data creates security gaps. For example, the Colonial Pipeline breach involved a dormant VPN account that was never decommissioned. Many organizations face similar risks from inactive accounts. Best practices include: 

  • Disabling orphaned or inactive accounts 
  • Immediately revoking access during offboarding 
  • Verifying and updating phone numbers and contact information 
  • Enforcing credential rotation policies 
  • Auditing identity records regularly 

Clean identity data reduces attack surface and improves detection accuracy. 

Implement continuous identity monitoring 

Authentication should not be treated as a single checkpoint. Identity must be monitored continuously. 

Modern identity security systems dynamically adjust authentication requirements based on risk. Low-risk logins proceed normally. High-risk logins trigger stronger verification. 

This approach evaluates identity context continuously rather than relying on static credentials alone. 

Conclusion 

Account takeover attacks have evolved significantly. Attackers now target identity across Web, mobile, and human support channels. They exploit weak authentication, exposed personal data, and inconsistent identity controls. 

Account takeover is no longer a single event. It is an ongoing process that exploits weaknesses across the identity lifecycle. 

Organizations must adopt layered, adaptive defenses. These defenses should include phishing-resistant authentication, continuous identity monitoring, and risk-based verification. 

Strong identity security is no longer optional. It is essential to protect enterprise systems, customer trust, and business operations. 

ID Dataweb’s advanced identity verification solutions help prevent ATO by ensuring only authorized users gain access. But don’t just take our word for it—start a demo and see the value of ID Dataweb’s identity verification workflow for yourself.
