What is account takeover fraud?
Account takeover (ATO) fraud occurs when a criminal gains unauthorised access to one of your online accounts and uses it to steal money, make purchases, or harvest personal information.
Last reviewed: 10 June 2026
Explanation
Account takeover is typically enabled by credential theft — your username and password obtained through a data breach, phishing, malware, or credential stuffing (automated testing of leaked credentials from one breach against other services, relying on password reuse). Once inside, attackers move quickly, changing contact details to prevent recovery alerts, then extracting value.
For financial accounts, this means authorising transfers or purchases. For email accounts, it means accessing other linked accounts through password reset flows. For social media, it means impersonating you to scam your contacts or selling the account. For business email, it enables business email compromise (BEC) fraud.
Multi-factor authentication (MFA) is the single most effective defence. Even with your password, an attacker without access to your second factor (authenticator app, hardware key) cannot complete the takeover. SMS-based MFA is better than none but can be bypassed by SIM swapping; authenticator apps and hardware keys are more robust.
Password managers solve the password reuse problem by generating unique, complex passwords for every service. A breach at one service then cannot cascade to others. Regularly reviewing your accounts for unfamiliar login activity allows early detection before significant damage occurs.
Common red flags
- Login alerts for accounts you did not access, from unfamiliar locations or devices
- Password reset emails you did not request
- Your email or phone number on an account has been changed without your action
- Friends or contacts report unusual messages from your accounts
- Unexpected charges or transfers on financial accounts
- You are locked out of an account you were recently using normally
What to do now
- Attempt to recover the account through official account recovery channels immediately
- Contact the platform's support team if standard recovery is unavailable
- Change the passwords of any linked accounts that share the same password
- Enable MFA on all accounts, prioritising email and financial services
- Review and revoke any third-party applications connected to the compromised account
- Report to the platform and to your national fraud authority if money was lost
Frequently asked questions
How do attackers access so many accounts so quickly after a breach?
Automated credential-stuffing tools can test millions of username/password combinations per hour across hundreds of services. Reusing the same password across multiple sites means a single breach can unlock many accounts. Unique passwords per site are the direct countermeasure.
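As an added illustration that is not part of this page, the two patterns described above (a single source spraying many usernames in the credential-stuffing answer, and a login from an unfamiliar device followed by a changed contact detail in the explanation and red flags) written as simple detection rules over a constructed event log; the log format, field names and thresholds are assumptions, not any platform's real format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth/account-change events (synthetic; the format is an assumption).
# 203.0.113.7 sprays many usernames (credential stuffing), succeeds on carol, then
# changes carol's recovery e-mail; dave is an ordinary login from a known device.
EVENTS = [
    "2026-06-10T09:00:01 login_fail user=alice src=203.0.113.7 device=unknown",
    "2026-06-10T09:00:02 login_fail user=bob src=203.0.113.7 device=unknown",
    "2026-06-10T09:00:03 login_fail user=erin src=203.0.113.7 device=unknown",
    "2026-06-10T09:00:04 login_fail user=frank src=203.0.113.7 device=unknown",
    "2026-06-10T09:00:05 login_fail user=grace src=203.0.113.7 device=unknown",
    "2026-06-10T09:00:06 login_ok user=carol src=203.0.113.7 device=unknown",
    "2026-06-10T09:03:00 contact_change user=carol src=203.0.113.7 field=email",
    "2026-06-10T10:00:00 login_ok user=dave src=198.51.100.4 device=known",
    "2026-06-10T10:20:00 contact_change user=dave src=198.51.100.4 field=phone",
]

def parse(line):
    """Turn one 'timestamp kind k=v ...' line into a dict."""
    ts, kind, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def stuffing_sources(lines, min_users=5, min_fail_ratio=0.8):
    """Sources trying many distinct usernames with mostly failures: the signature
    of automated credential stuffing rather than one person mistyping a password."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in map(parse, lines):
        if r["kind"] in ("login_ok", "login_fail"):
            users[r["src"]].add(r["user"])
            total[r["src"]] += 1
            if r["kind"] == "login_fail":
                fails[r["src"]] += 1
    return {s for s in users
            if len(users[s]) >= min_users and fails[s] / total[s] >= min_fail_ratio}

def takeover_candidates(lines, window_s=900):
    """Accounts where a login from an unrecognised device is followed within
    window_s seconds by a contact-detail change: the step that locks the owner out."""
    last_unknown, flagged = {}, set()
    for r in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if r["kind"] == "login_ok" and r.get("device") == "unknown":
            last_unknown[r["user"]] = r["ts"]
        elif r["kind"] == "contact_change" and r["user"] in last_unknown:
            if (r["ts"] - last_unknown[r["user"]]).total_seconds() <= window_s:
                flagged.add(r["user"])
    return flagged
```

On the sample log, `stuffing_sources(EVENTS)` returns `{"203.0.113.7"}` and `takeover_candidates(EVENTS)` returns `{"carol"}`; dave's phone change after a known-device login is not flagged.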
Is SMS two-factor authentication enough?
SMS MFA is significantly better than no MFA and will block most automated credential-stuffing attacks. However, it can be bypassed by SIM swapping or real-time phishing. For accounts holding significant financial value, an authenticator app or hardware security key provides stronger protection.