
Account Takeover Fraud

What is account takeover fraud and how can you avoid becoming a victim?

With ATO fraud on the rise, you need to know how fraudsters can access your accounts and how to protect yourself.

Account takeover (ATO) fraud is one of the fastest growing types of fraud, with an estimated one in five adults having already been a victim. Like with most dangers we face in life, the best way to protect yourself is by learning the facts and staying vigilant. Consider this article your crash course in ATO fraud.


What is account takeover (ATO) fraud?

It’s a form of online identity theft where a fraudster gains unauthorized access to someone’s banking, credit card, or social media accounts. They can then change information like passwords or personal data, make unauthorized transactions, steal funds, and engage in other fraudulent activities. 

Most account takeovers are for financial gain, but other motivations include acquiring sensitive personal data, impersonating the account owner, defrauding the account owner’s contacts, and conducting other fraudulent schemes such as business email compromise fraud.

The devastating effects of account takeover fraud can include:

  • Financial losses can occur when fraudsters access an individual or business financial account to make unauthorized transactions. 
  • Identity theft can lead to serious non-financial problems, including damage to credit scores and professional reputation. 
  • Operational costs can be significant for businesses responding to fraud events and are often far greater than the initial financial loss. 

How is ATO fraud committed?

An account takeover usually begins with a fraudster obtaining the victim’s login credentials through one of the following methods: 

Phishing: Fraudsters send phishing emails containing malicious links to fake websites to lure people into giving up their credentials, or to infect their devices with malware that can be used to compromise them.

Social engineering: Imposters use phone calls, social media or other means to gain private information, passwords, one-time verification codes for multi-factor authentication (MFA), etc. With the increasing use of Artificial Intelligence, these methods are becoming harder to detect as fraudulent!

Credential stuffing: Stolen credentials are sold on the dark web after data breaches at organizations like Equifax, then used to gain access to accounts. Use a strong, unique password for every account, or a password generator. Never reuse credentials!

Malware: Malicious software is distributed through phishing emails or fake websites to infect devices and steal account information.

SIM swapping: Fraudsters trick phone service providers into switching a victim's SIM card, hijacking their phone number to circumvent multi-factor authentication and gain access to accounts.

Brute force attacks: Automated scripts are used to rapidly try multiple password combinations until hackers gain access to an account. This is another reason to use complex, unique passwords for all your accounts, or a password generator.

What to look out for?


Warning signs that your account may have been taken over include:

Unfamiliar activity: Review your accounts regularly for any unauthorized transactions.

Unusual login attempts: Be wary if you receive account notifications for logins you didn’t initiate. 

Unexpected notifications: Be alert if you receive messages from your financial institution about multi-factor authentication codes or changes to your account that you did not initiate.

Changes to account information: If you notice changes to your contact information, email address or phone number, a fraudster could be trying to prevent you from receiving notifications about unauthorized activity. 

Missing statements: If you stop receiving statements or other communications from your financial institution, consider it a red flag.

Why is ATO fraud on the rise?


Several factors have led to the rise of account takeover fraud, including:

Increased digitalization
The rise of online banking, e-commerce, and digital payment systems has created more opportunities for fraudsters to exploit vulnerabilities in digital platforms and systems.

Use of technology
Fraudsters are using technologies like generative AI and machine learning to develop more sophisticated techniques, such as phishing, social engineering, and malware, to bypass security measures and gain unauthorized access to accounts.

Data breaches
Large-scale data breaches have become more common, resulting in the exposure of sensitive information such as usernames, passwords, and personal identification data.

Emergence of the dark web
The availability of stolen credentials from data breaches on the dark web lets fraudsters use automated tools to try these credentials across multiple websites and platforms.

Weak authentication methods
Online platforms and financial institutions that still use single-factor authentication methods make it easier for fraudsters to gain access to accounts.

Lack of awareness
People often underestimate the risks of sharing personal information online and fail to identify social engineering techniques – or don’t fully understand fraud prevention tools like multi-factor authentication. Many account takeovers are the result of reusing passwords on multiple sites.

The top 10 ways to protect against account takeover fraud


  1. Educate yourself about the risks. Stay informed about the latest fraud trends and tactics used by cybercriminals, including phishing scams, social engineering techniques, and other fraudulent activities.
  2. Use complex and unique passwords. Create strong, complex passwords for each of your online accounts.
  3. Enable multi-factor authentication (MFA) whenever possible. Do not give out your MFA code (i.e. one-time verification code)! CWB will never ask for it. If someone is asking for that code, it means they have already successfully entered your username and password and are one step away from accessing your account.
  4. Regularly monitor account activity. Keep a close eye on your financial and online accounts for suspicious activity. Review your statements regularly and report any unauthorized transactions.
  5. Be wary of phishing attempts. Be cautious of unsolicited emails, messages, or phone calls requesting personal or financial information. Avoid clicking links or downloading attachments from unknown sources.
  6. Limit information shared on social media. Avoid posting sensitive personal information, which can be used by fraudsters to impersonate you or access your accounts.
  7. Keep software and devices updated. Ensure that your operating system, web browsers, antivirus software, and other applications are up to date with the latest security patches and updates.
  8. Use secure Wi-Fi networks. Avoid accessing sensitive accounts or conducting financial transactions over unsecured Wi-Fi networks and public hotspots.
  9. Regularly update privacy settings. Review and update your privacy settings on social media and other online profiles to limit who can see your information and interactions.
  10. Be vigilant and trust your instincts. Trust your instincts and be cautious when interacting online or sharing personal information. If something seems suspicious or too good to be true, it usually is!


How to report suspected fraud

Account takeover fraud is increasing, but you can protect yourself through awareness and vigilance. If you suspect you’ve been the victim of fraud, please contact your relationship manager or local banking centre immediately.