--- title: ATO prevention: The new faces of account takeovers source_page: https://www.sardine.ai/media/fraudology/episodes/ato-prevention canonical: https://www.sardine.ai/media/fraudology/episodes/ato-prevention format: text/markdown date: 2022-10-25T00:00:00Z description: Account takeover anatomy reveals how ATO attacks start, what fraudsters want, and how teams can diagnose attack vectors, login abuse, and account-specific risk --- **Quick links:** [Human page](https://www.sardine.ai/media/fraudology/episodes/ato-prevention) · [Home](https://www.sardine.ai) · [Customers](https://www.sardine.ai/customers) · [Blog](https://www.sardine.ai/blog) · [Demo](https://www.sardine.ai/demo) --- # ATO prevention: The new faces of account takeovers **Published:** 2022-10-25T00:00:00Z Account takeover anatomy reveals how ATO attacks start, what fraudsters want, and how teams can diagnose attack vectors, login abuse, and account-specific risk Guest: Mike Lewis and Shawn Colpitts Account takeover is one of those fraud problems that never really goes away. It just changes shape. And that is exactly why I wanted to share this conversation. In this replay of a panel session from the CNP Virtual Summit Series, I talk with Mike Lewis and Shawn Colpitts about how account takeovers have evolved, why they are scaling so quickly, and what smart teams are doing differently now when it comes to ATO prevention. Because this is not just the same old login problem with a few minor updates. The tactics keep shifting. The monetization paths keep changing. And the controls that worked a few years ago do not always hold up the same way now. If you work in fraud, risk, trust and safety, or account security, you have probably felt that already. What I like about this discussion is that it gets practical fast. We talk about how criminals are accessing online accounts, how they are using and monetizing them once they get in, and how companies are responding with better ATO detection methods, stronger account security controls, process changes, and machine learning fraud prevention. We also get into the idea of targeted friction, which I think is one of the more useful concepts in this space. Because the goal is not to create more friction for everyone. It is to apply it carefully, where it actually helps. And that matters. Here is what that ATO prevention approach means in practice: ATO prevention works better when teams adapt as quickly as attackers do Account takeover prevention needs to account for both access and post-login monetization risk Targeted friction can improve customer account protection without creating unnecessary drag for good users Fraud prevention technology is most effective when it is paired with smart operational changes What you’ll hear in this episode: How account takeover attacks have changed in the last few years Why advanced ATO tactics are scaling faster across online businesses What targeted friction looks like in real fraud prevention environments How machine learning fraud prevention supports stronger ATO detection methods Why account abuse detection and process adaptation both matter for online account security You should listen to this episode if you: Work on ATO prevention and want a more current view of how account takeover tactics are evolving Need stronger account takeover prevention tied to real operational fraud challenges Are interested in targeted friction and frictionless fraud prevention strategies Want better login anomaly detection, customer account protection, and identity fraud controls Are evaluating fraud mitigation strategies for online account security and account monetization fraud If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out. Episode notes & key takeaways Why ATO prevention keeps changing Let’s break this down. One of the most important things in this conversation is the reminder that ATO prevention is never static. Criminals do not keep using the same playbook forever. They reuse what works, adjust what gets blocked, and keep looking for weak points in authentication, account recovery, session trust, and post-login flows. That is why account takeover prevention can feel like such a moving target. At first glance, a lot of ATO attacks still look familiar. Stolen credentials. Compromised devices. Social engineering. Suspicious login patterns. But when you look closer, the methods around those basics have evolved. Attackers are moving faster, testing more efficiently, and finding better ways to blend malicious behavior into normal customer activity. We have seen this playbook before. The attack itself may not be brand new. But the scale, speed, and adaptability often are. And that is the part fraud teams need to keep up with. ATO prevention requires teams to expect change, not just react to it Account takeover prevention gets harder when old tactics are repackaged in faster, more scalable ways Login anomaly detection needs to account for both familiar attack signals and newer behavior patterns Online account security depends on recognizing how attackers evolve around existing controls How attackers are accessing and monetizing accounts differently now Here’s what’s actually happening. Getting into an account is only part of the problem. What criminals do after access is what often drives the real damage. That can mean changing account details, using stored payment methods, redeeming loyalty value, placing fraudulent orders, cashing out balances, or setting up future abuse that is harder to detect right away. That is where account monetization fraud becomes such a big issue. A lot of teams still focus heavily on the front door, which makes sense. But if you are not also watching what happens after the login, you are missing part of the picture. And that is often where attackers get the most value. This is why strong ATO detection methods cannot stop at authentication. They need to extend into session behavior, account changes, payout actions, and signals that show whether the person in the account is acting like the legitimate customer or someone using the account as a monetization tool. That is a very different problem than just catching a suspicious password attempt. Account monetization fraud is often the real goal after account access is achieved ATO detection methods should cover login, post-login actions, and suspicious account changes Customer account protection improves when teams monitor what attackers do after entry Account abuse detection is strongest when access risk and monetization risk are connected Why targeted friction is such a useful concept This is where things get interesting. Mike introduces the term targeted friction in this conversation, and I think it is a really important one. Because one of the biggest challenges in fraud prevention is knowing where to place friction without damaging the experience for everyone else. Too much friction applied broadly can hurt conversion, frustrate good customers, and create unnecessary operational drag. Too little friction in the wrong places can leave obvious openings for attackers. So the real question is not whether to use friction. It is how to use it well. Targeted friction is about applying extra verification or controls to the outliers, not the full customer base. Right. That is a much smarter way to think about it. This approach supports ATO prevention because it recognizes that not every login, device, or account event deserves the same response. Some interactions need a closer look. Some need step-up verification. Some need to be monitored further downstream. And some should move through with as little interruption as possible. That balance is hard. But it is where good fraud mitigation strategies usually stand out. Targeted friction helps teams reduce attacker success without overwhelming good users Frictionless fraud prevention does not mean no controls, it means better placement of controls Account security controls should be responsive to risk, not applied uniformly Customer account protection improves when outliers get scrutiny and legitimate users get smoother experiences How machine learning and process changes work together A lot of teams talk about machine learning fraud prevention as if it replaces operational decision-making. It does not. And honestly, that is part of why I liked this panel so much. The conversation does not treat technology like magic. It treats it like one part of a broader fraud defense strategy. Machine learning can be very useful for spotting outliers, surfacing patterns, and improving prioritization. But strong ATO prevention also depends on process adaptations. How teams respond. How they escalate. How they review edge cases. How they tune controls when attacker behavior changes. That is where fraud prevention technology actually becomes useful in practice. Because the best models in the world will not help much if the organization around them cannot act on the signals. And on the other side, even strong teams can struggle if they are working with limited visibility or outdated tooling. The strongest programs usually combine both. Machine learning fraud prevention is most effective when it supports real operational action Fraud prevention technology should strengthen, not replace, strong team processes Identity fraud controls and account security controls work better when teams can adapt them quickly Fraud mitigation strategies hold up better when models and process changes evolve together The big takeaway from this episode is pretty straightforward. ATO prevention is not just about stopping one kind of login attack. It is about understanding how account takeover tactics keep evolving, how criminals monetize access once they get it, and how better decisions around targeted friction, account abuse detection, and machine learning fraud prevention can strengthen customer account protection without creating unnecessary friction for everyone else. That is the kind of balance good teams keep working toward.