
Account Takeover by The Numbers and a Solution You Can Count On

While your team is tightening password policies and rolling out multi-factor authentication, fraudsters are already working around them. Account takeover (ATO) fraud — where criminals hijack a legitimate user's account and drain it before the real owner notices — has become one of the most damaging and fastest-growing threats in financial crime. The numbers are staggering, and they're getting worse every year.

The Scale of the Problem

Account takeover fraud generated $16 billion in losses in 2024 out of the $27 billion in total identity fraud reported by Javelin Strategy & Research — making it the single largest component of the identity fraud crisis. The FBI's Internet Crime Complaint Center received 859,532 cybercrime complaints in 2024, with losses exceeding $16.6 billion overall, up 33% from 2023. That's a record. And it's almost certainly an undercount, since most victims never file a federal complaint.

TransUnion's H2 2025 Fraud Trends Report found that U.S. businesses lost the equivalent of 9.8% of revenue to fraud — 27% above the global average — and that digital ATO volume grew 21% from H1 2024 to H1 2025. Zoom out further, and that growth is 141% since 2021.

Javelin's 2025 Identity Fraud Study found that 39% of ATO victims had their checking accounts compromised and 23% had their email accounts taken over. Afterward, 42% of victims closed the very accounts where the fraud occurred — a permanent loss of customer trust that no loyalty program can restore.

Why Passwords, MFA, and Security Questions Keep Failing

The uncomfortable truth is that the security tools most organizations rely on were never designed to stop today's ATO attacks. Passwords fall first. In 2025, 62% of Americans still reuse passwords, and 52% of all login attempts involve leaked credentials, according to NordPass. Attackers don't guess passwords anymore — they buy them. Akamai documented 26 billion credential-stuffing attempts per month, with stolen username-password pairs run against login pages at machine speed.

Multi-factor authentication was supposed to be the answer. It isn't enough anymore. The 2025 Verizon Data Breach Investigations Report — which analyzed over 22,000 incidents — documented a surge in MFA bypass techniques, including prompt bombing, Adversary-in-the-Middle (AiTM) attacks, token theft, and SIM swapping. Attackers have built entire service ecosystems around circumventing MFA: platforms like EvilProxy, Tycoon 2FA, and Sneaky 2FA make phishing-as-a-service accessible to anyone with criminal intent and a modest budget. Verizon found that 88% of web application attacks involved stolen credentials — meaning attackers walk straight through the front door.

Knowledge-based authentication (KBA) — questions like your mother's maiden name, your first car, or your childhood street — fares even worse. This information circulates freely in data broker databases, social media profiles, and dark web breach dumps. The same Javelin study found that fraudsters increasingly target PII because it fuels follow-on attacks: stolen email addresses, phone numbers, and banking details become master keys that open multiple accounts simultaneously. Security questions don't slow them down. They escort them in.

Generative AI has accelerated every attack vector simultaneously. Phishing messages are now nearly indistinguishable from legitimate communications. Deepfake audio and video impersonate bank representatives convincingly enough to pass human review. The FBI warned explicitly in 2025 that ATO attackers are posing as bank representatives to extract login credentials and one-time authentication codes — and succeeding.

The Highest Level of Protection Requires Identity Verification

When account security truly matters — especially for banks, credit unions, credit card companies, healthcare platforms, email providers, and social networks — organizations can't just ask if a user knows a shared secret. They must verify the user's identity. Identity document verification (IDV) changes the equation entirely. Instead of validating knowledge that can be stolen, IDV validates identity — the government-issued credential that a real person physically possesses. A fraudster with a full credential dump and a list of bypassed MFA codes still can't produce a valid, matching government ID in real time. That's the protection gap IDV fills, and it's why organizations serious about account security are incorporating it into their high-value and valued-customer authentication and account-recovery workflows.

IDV isn't a one-time tool. Financial institutions use it during account opening to prevent identity fraud. They also apply it during account recovery — the most targeted stage in the customer lifecycle — when a bad actor claims to have forgotten their password and requests a credential reset, a credit card lookup, or an account withdrawal. It's used for high-value transactions, privilege changes, and any situation where the risk of a successful takeover outweighs the brief inconvenience of a verification step. Online workflows, call center agents, and in-person personnel can all quickly validate identities. The use cases are varied, and the protection remains reliable.

How Intellicheck Delivers IDV Without Slowing Your Customers Down

At Intellicheck, we've spent decades building IDV technology that financial institutions, retailers, email/social media companies, and government agencies trust at scale. We verify government-issued IDs — driver's licenses, passports, and ID cards — with industry-leading accuracy, authenticating the document itself rather than simply reading what's printed on it. Our platform detects sophisticated fakes, altered documents, and synthetic identities that defeat traditional verification approaches.

We designed our solutions to address the challenge every fraud and risk team faces: verification must be strong enough to prevent fraud but frictionless enough to keep legitimate customers from abandoning the process. Intellicheck's digital IDV is built for exactly that balance. Customers complete identity verification in seconds on their mobile device or desktop — scanning their ID and performing a liveness check without downloads, lengthy forms, or calls to a help desk. The experience is seamless. The protection is world-class.

The ATO problem isn't going away. Attackers are industrializing faster than traditional defenses can adapt, and the data from the FBI, the FTC, Javelin, TransUnion, and Verizon all point in the same direction: more volume, higher losses, and more sophisticated bypass techniques every year. The organizations that protect their customers most effectively are those that verify identity rather than rely on information criminals already have. Intellicheck gives your organization the tools to do exactly that — protecting your customers, your accounts, and your reputation with identity verification that fraudsters can't beat, and customers barely notice.
