Account Takeover Scams
Fraudsters gain unauthorised access to your existing accounts — email, banking, social media — using stolen credentials, phishing, or SIM swaps, then exploit or sell the access.
Last reviewed: 1 June 2026
What this scam is
Account takeover (ATO) is a broad category of fraud in which a criminal gains unauthorised access to an existing account belonging to someone else. Unlike identity theft, which typically involves creating new accounts fraudulently, account takeover focuses on hijacking accounts that already exist and have established history, balances, contacts, and trust.
The mechanisms vary. Credential stuffing uses username and password combinations leaked in data breaches and tries them across many services — exploiting the widespread habit of reusing passwords. Phishing captures credentials directly through fake login pages. SIM swaps intercept SMS authentication codes. Malware on a device can log keystrokes or extract saved credentials from a browser.
Once inside an account, the attacker's options depend on what they have accessed. A compromised email account is particularly valuable: it acts as a master key for resetting passwords across any service linked to that address. A banking account enables direct financial fraud. A social media account can be used to run scams targeting the victim's contacts, sell the account, or hold it for ransom. A loyalty or rewards account may have points that can be converted to gift cards or transferred.
Account takeovers have grown in frequency as the volume of data breaches has made credential data widely available and inexpensive. Many people have credentials from old accounts floating in breach databases, and those same credentials unlock more valuable accounts if passwords have been reused.
How it works
The most common pathway begins with a data breach at a service you use. Your email and password combination from that breach enters the criminal marketplace. Automated tools then attempt those credentials across hundreds of popular services to find matches — a technique called credential stuffing. Services that do not require additional verification or where you reused the same password are immediately vulnerable.
Alternatively, phishing delivers a convincing fake login page for a service you use. You enter your credentials, and they are captured. The page may redirect you to the real service to delay discovery.
Once credentials are obtained, the attacker logs in and quickly takes control: changing the recovery email address and phone number, disabling legitimate two-factor authentication and substituting their own, or completing their objective — transferring funds, extracting data — before you notice.
For accounts protected by SMS two-factor authentication, a preceding SIM swap removes that barrier. For accounts protected by app-based authentication, the attacker may instead use a phishing relay that captures the one-time code in real time.
In business contexts, account takeovers of corporate email accounts enable invoice fraud, impersonation of executives, and access to sensitive data.
Why this scam works
Password reuse is exceptionally common, meaning that a single breach can unlock many accounts. Most people use the same password across multiple services, often for years, so old breach data retains value long after the original incident.
SMS two-factor authentication, while better than no two-factor, is vulnerable to SIM swaps and real-time phishing relays. Many accounts use it as the sole additional barrier, providing less protection than users assume.
Account changes — like updating a recovery email — are often not immediately flagged or are easy to miss among routine notification emails, giving attackers time to fully entrench before the owner realises something is wrong.
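As an added example that is not part of the original page, the Python script below shows how a service's own monitoring could surface the two patterns described above: one source replaying breach credentials against many usernames, and recovery or two-factor settings being changed minutes after such a login. The log format, event names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example, not from the original page: flag credential-stuffing
# sources and post-login "entrenchment" in a hypothetical auth event log.
from collections import defaultdict
from datetime import datetime
# Constructed sample events, format: timestamp user source_ip event
SAMPLE_LOG = """\
2026-06-01T10:00:01 alice 203.0.113.7 login_fail
2026-06-01T10:00:02 bob 203.0.113.7 login_fail
2026-06-01T10:00:03 carol 203.0.113.7 login_fail
2026-06-01T10:00:04 dave 203.0.113.7 login_success
2026-06-01T10:00:05 erin 203.0.113.7 login_fail
2026-06-01T10:01:10 dave 203.0.113.7 recovery_email_changed
2026-06-01T10:01:20 dave 203.0.113.7 mfa_disabled
2026-06-01T11:30:00 alice 198.51.100.5 login_fail
2026-06-01T11:30:30 alice 198.51.100.5 login_success
"""
# Events that let an attacker lock the real owner out (assumed names).
SENSITIVE = {"recovery_email_changed", "recovery_phone_changed", "mfa_disabled"}

def parse_log(text):
    """Parse lines into (datetime, user, ip, event) tuples."""
    return [(datetime.fromisoformat(ts), user, ip, event)
            for ts, user, ip, event in (l.split() for l in text.splitlines())]

def find_stuffing_sources(events, min_users=4, min_fail_ratio=0.6):
    """IPs that tried many distinct usernames with mostly failures:
    the signature of breach-list replay rather than one user's typos."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, user, ip, event in events:
        if event in ("login_fail", "login_success"):
            users[ip].add(user)
            attempts[ip] += 1
            fails[ip] += event == "login_fail"
    return sorted(ip for ip in attempts
                  if len(users[ip]) >= min_users
                  and fails[ip] / attempts[ip] >= min_fail_ratio)

def find_entrenchment(events, window_s=600):
    """Users whose recovery/MFA settings changed within window_s seconds
    of a successful login from a flagged stuffing source."""
    bad_ips = set(find_stuffing_sources(events))
    last_success, flagged = {}, set()
    for ts, user, ip, event in events:
        if event == "login_success" and ip in bad_ips:
            last_success[user] = ts
        elif event in SENSITIVE and user in last_success \
                and (ts - last_success[user]).total_seconds() <= window_s:
            flagged.add(user)
    return sorted(flagged)
```

On the sample log the first function flags 203.0.113.7 and the second flags dave, the one account that login burst actually opened; alice's two attempts from a single address are an ordinary mistyped password and stay unflagged.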
A typical pattern
A person receives an email notification that their email account password has been changed. They did not make this change. Attempting to log in fails. By the time they contact the service to recover the account, the attacker has used it to request password resets for several linked accounts including an online shopping account with saved card details. The email account's recovery address has been changed to an address they do not recognise. Recovery takes several days and requires identity verification with the email provider.
Common red flags
- Unexpected notification that your password or recovery email has been changed
- Login alert from a device or location you do not recognise
- Unable to log into an account with the correct credentials
- Contacts report receiving messages or requests from your accounts that you did not send
- Unexpected password reset emails arriving that you did not initiate
- Account activity history shows actions you did not take
- Recovery phone number or email has been changed without your knowledge
- Two-factor authentication settings appear modified
- Loyalty points, balance, or settings changed without your action
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your password for [account] was recently changed. If this wasn't you, secure your account at [fake link].
New sign-in detected on your account from [location]. If this wasn't you, click here: [fake link].
Your recovery email has been updated. If you did not make this change, contact support at [fake link].
Your account has been temporarily locked for security. Verify your identity at [fake link] to restore access.
Common variations
- Credential stuffing — automated use of breach data across many services
- Phishing-driven ATO — credentials captured via fake login page
- SIM-swap-enabled ATO — phone number compromised to intercept SMS codes
- Business email compromise — corporate email accounts targeted for financial fraud
- Loyalty account takeover — rewards points drained or transferred
- Social media account hijack — account taken over for scam distribution or ransom
How to verify before you act
The main signals of an account takeover are: unexpected notifications that your password, email address, or phone number has been changed; login alerts from unrecognised devices or locations; being unable to log into an account with your correct credentials; or contacts reporting messages from your accounts that you did not send.
To check whether your email address has appeared in known data breaches, use a reputable breach-checking service. If your credentials appear in a breach, change the password on that service and on any other service where you used the same password.
To prevent takeover, use a unique password for every service managed by a password manager, enable app-based two-factor authentication rather than SMS where possible, and review account recovery options periodically to confirm they still point to you.
Payment methods used
- Direct bank transfer from compromised banking accounts
- Redeeming loyalty points as gift cards
- Selling compromised account access
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Anyone who reuses passwords across services
- People whose credentials have appeared in data breaches
- Holders of high-value accounts — banking, cryptocurrency, loyalty programmes
- Business email account holders
What to do immediately
- If you can still log in, immediately change your password and update recovery details
- Remove any unrecognised devices from your account's trusted device list
- Enable or strengthen two-factor authentication using an authenticator app
- Check for account changes — recovery email, recovery phone, linked accounts, active sessions
- If banking is involved, contact your bank immediately and check for unauthorised transactions
- Change the same password on any other service where you reused it
- Report the takeover to the service provider and to your national fraud body
How to prevent it
- Use a unique, strong password for every account managed by a password manager
- Enable app-based two-factor authentication rather than SMS on all important accounts
- Check a breach-monitoring service and act on any alerts about your email addresses
- Review account recovery options periodically — ensure they point to contact details you still control
- Enable login alerts so you are notified of new device access in real time
- Revoke access for old or unused third-party app connections regularly
- Set a carrier PIN to prevent SIM swaps that could enable SMS code interception
Evidence to preserve
- Screenshots of unauthorised activity notifications
- Login history from the account security settings
- Timestamps of changes made to recovery details
- Any messages sent from your account without your knowledge
- Bank statements if financial access was involved
- Details of any recovery emails or phone numbers added by the attacker
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do attackers know my password if I never told anyone?
Most commonly through data breaches at services you have used. When a company's database is compromised, your stored credentials may be included. These are then sold or published online. Using unique passwords means a breach at one service cannot unlock others.
Does two-factor authentication stop account takeovers?
It significantly raises the barrier. App-based two-factor authentication stops credential-stuffing attacks. SMS two-factor is better than nothing but can be bypassed by SIM swaps or real-time phishing relays. A hardware security key is the strongest available option.
I cannot log into my account — what should I do?
Use the account's official account-recovery process. If the recovery email has also been changed, contact the service's support team and be prepared to verify your identity in detail. Act quickly to prevent further damage.
Should I use the same email and password combination for everything?
No. Using the same credentials across services means a single breach unlocks everything. A password manager makes it practical to use a unique, strong password for every account without needing to remember them.
What is credential stuffing?
Credential stuffing is an automated attack that takes username and password pairs from data breaches and tries them across many websites and apps to find accounts where the same combination works. It is highly effective against password reuse.
How do I find out if my credentials have been breached?
You can check your email addresses against known public breach databases using reputable services widely recommended by cybersecurity organisations. If your email appears in a breach, change the password on that service and any other where you used the same password immediately.
Can I prevent account takeover entirely?
No method is absolute, but unique passwords plus app-based two-factor authentication plus a carrier PIN closes the most common attack paths. Remaining risk comes from highly targeted social engineering or insider threats, which are far less common.