Your Account Takeover Controls Were Built for a Pre-AI World

Account takeover fraud cost U.S. consumers and institutions $16 billion in 2024 – a 19% increase over the year before. That number is alarming on its own. But the more important story is not how much ATO is costing us. It is why the losses keep growing despite years of investment in fraud controls.

The answer is simple: the threat changed, and most defenses did not change with it.

Artificial intelligence has restructured how account takeover fraud is executed. Fraudsters now have access to tools that automate attacks at scale, generate convincing counterfeit identity documents in minutes, and hold real-time conversations with call center employees to talk their way through verification steps — whether that means updating an email address, triggering a password reset, or requesting a new card. Much of this happens without a physical ID ever entering the picture.Seventy-two percent of business leaders identified AI-generated fraud and deepfakes as their top challenge heading into 2026. That figure reflects a growing recognition that the old playbook no longer covers the actual game being played.

The tools have changed. The attack structure has not.

Account takeover still follows the same basic logic it always has: gain access to an account that belongs to someone else. What AI changed is how easily and cheaply every step of that process can now be executed.

Credential attacks now happen faster and at a far greater scale. Billions of username and password combinations are available from past data breaches. AI-driven automation allows fraudsters to test those combinations across multiple financial institutions simultaneously, at volumes that outpace legacy detection systems. Meanwhile, the craft barrier on counterfeit identity documents has essentially been removed. A few years ago, producing a convincing fake driver's license required skill, equipment, and time. Today, AI tools can generate one with a realistic portrait and surface-level security features in minutes, at minimal cost. And where fraudsters once had to rely on a skilled person to impersonate a customer over the phone, AI systems can now carry on real-time conversations with call center employees, upload documents on demand, and respond to verification questions – running across dozens of targets at once, around the clock.

Each of these capabilities existed in some form before. AI made all of them accessible, scalable, and cheap simultaneously. That combination is what changed the threat calculus.

It is also worth being clear about where most account takeover actually happens. The majority of ATO events do not begin at a teller window or involve a physical ID at all. They begin with a phone call, an online account recovery form, or a chat session — a fraudster requesting a password reset, asking to update the email address on file, or adding a new device to the account. These are the moments where identity is most often assumed rather than verified, and where AI-powered impersonation is most effective. A customer service agent has no reliable way to know that the person on the other end of the call is not who they claim to be.

Why existing controls leave a gap

Most fraud prevention programs in financial institutions today combine credential verification, anomaly detection, and document scanning. Each layer has genuine value. Each was also designed before the capabilities above existed.

Credential controls – password requirements, security questions, SMS-based multi-factor authentication – confirm that someone has the right information. A fraudster with stolen credentials has that information too. Anomaly detection looks for deviations from established patterns, but a fraudster who gains access to an account and behaves like the legitimate customer can operate below the detection threshold for weeks. AI tools built to analyze and replicate behavioral patterns make this increasingly straightforward.

Standard barcode scanning is worth addressing specifically, because many institutions view it as a meaningful security upgrade. When a driver's license barcode is scanned, the system reads the encoded data and confirms it is internally consistent. What it cannot do is verify that the barcode was produced by the issuing DMV. The scan reads the surface. It does not verify the source.

What the data shows

Intellicheck's 2026 North America Identity Verification Threat Report analyzed nearly 100 million anonymized identity verification transactions from 2025, covering roughly half the adult population of the United States and Canada. Across financial services, a consistent share of IDs presented at account opening, account recovery, and in-branch transactions fail authoritative verification.These are IDs that would pass a visual inspection. Most would pass a standard barcode scan.

This matters because fraudsters increasingly pair stolen credentials with fraudulent documents to complete a takeover. The credentials get them to the verification step. The fake ID gets them through it.

Why authoritative verification is different

For more than 25 years, Intellicheck has served as the official testing laboratory for the AAMVA Driver's License/ID Card Verification Program. That relationship gave us access to the hidden, jurisdiction-specific security data format each state and provincial DMV embeds in every credential it issues. It was never published. It is not in the AAMVA specification. When Intellicheck verifies an ID, the system runs a forensic analysis of that hidden authoritative data format against our proprietary database, covering all 50 states, U.S. territories, and Canadian provinces and territories. An AI-generated counterfeit can replicate everything visible on a driver's license. It cannot replicate the format it has never had access to.

That distinction matters strategically. Every credential-based and behavioral control in a fraud prevention stack can, in principle, be studied and countered by a capable AI system. Authoritative barcode verification depends on something that exists only inside legitimate DMV systems. There is no AI attack surface for it.

It’s important to note that this protection is not limited to in-person interactions. Intellicheck deploys across every channel where account takeover occurs – including the phone calls and online sessions where most attacks take place. A verification link sent via text or email during a call center interaction requires the caller to scan their ID in real time, before any account changes are made. The same authoritative check that stops a fraudster at the teller window stops one on the other end of a password reset request.

What this means for institutions

Account takeover in 2026 is an identity problem as much as a credential problem. Fraudsters are acquiring legitimate credentials and pairing them with counterfeit identities to defeat the verification steps that follow. Strengthening the credential side is necessary, but it only addresses part of how these attacks actually work. Without an authoritative identity check at critical moments – account recovery, high-value transactions, in-branch service requests – fraudsters who arrive with the right credentials and a convincing fake ID walk straight through.

The institutions I talk with that are getting ahead of this have stopped treating identity verification as a one-time event at account opening and started treating it as a real-time capability deployed at every point where the account holder's identity needs to be confirmed. AI has made every attack vector faster, cheaper, and easier to execute. Authoritative identity verification is the one control that holds.

‍

_____________________

Bryan Lewis is President & CEO of Intellicheck. To learn more about how authoritative identity verification stops account takeover fraud, contact Intellicheck or explore our ATO prevention solutions.