
Prevent account takeovers with zero-day signals

Account takeovers (ATOs) are exploding across financial services, with fraudsters increasingly targeting banks and credit unions. In 2024, ATO attacks surged 457% year-over-year for community banks and regional banks, and 285% for credit unions. 

Fueled by AI-driven scams, bot attacks, and social engineering, ATOs are not just growing - they're evolving faster than legacy fraud systems can handle. That’s because the barrier to entry for fraud has collapsed: what once required sophisticated technical knowledge can now be accomplished with free AI tools or farmed out to Fraud-as-a-Service platforms for as little as $10 per week.

Many banks are unprepared for the speed, volume, and complexity of these attacks due to three critical gaps with legacy vendors:

  1. Analyzing risk in silos rather than across the customer journey
  2. Using static databases with low match rates and stale data
  3. Relying on historical analysis when there’s no baseline to compare against

Each of these gaps creates vulnerabilities that fraudsters can use to take over your valuable customer accounts. This not only presents financial risk to banks and their customers, but also reputational damage that can drive customers away.

This is why leading financial institutions are shifting toward zero-day protection to detect and stop fraud in real-time, even during a user’s first interaction.

Zero-day signals: detect fraud without historical baselines

Traditional fraud prevention systems depend on historical user behavior to identify risk. This approach breaks down when attackers exploit zero-day scenarios: situations where there is no prior user baseline to compare against. These include account takeovers on dormant accounts, first-time logins from new or repurposed devices, automated bot attacks, and coordinated fraud across multiple accounts or channels. In these cases, relying on historical patterns or static rules alone is insufficient.

Zero-day signals fill this gap by looking at what's actually happening in the moment. For example, is the user copying and pasting their password instead of typing it? Is someone remotely controlling their screen with TeamViewer? Is their device supposedly logging into a bank account while face-down on a table? These signals analyze real-time device attributes and user behavior that don't require any prior knowledge of the user.
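The scoring below is an added illustration of the idea above, not Sardine's own code or model: every input is observable within the session itself (clipboard paste, remote-control software, device orientation, emulator, IP country versus the KYC country on file, device reuse across accounts), so no per-user history is needed. Rule weights, thresholds and the event fields are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LoginEvent:
    """Constructed in-session signals; none of them needs the user's history."""
    user_id: str
    password_pasted: bool                 # clipboard paste into the password field
    remote_tools: list = field(default_factory=list)   # e.g. ["TeamViewer", "AnyDesk"]
    orientation: str = "upright"          # accelerometer: upright / flat / face_down
    is_emulator: bool = False
    ip_country: str = "US"                # from IP geolocation
    kyc_country: str = "US"               # country on file from onboarding
    device_accounts_24h: int = 1          # accounts this device fingerprint touched today

# (name, weight, predicate). Weights are illustrative assumptions, not Sardine's model.
RULES = [
    ("password_copy_paste", 20, lambda e: e.password_pasted),
    ("remote_control_active", 40, lambda e: bool(e.remote_tools)),
    ("device_face_down", 25, lambda e: e.orientation == "face_down"),
    ("emulator", 35, lambda e: e.is_emulator),
    ("geo_mismatch_kyc", 15, lambda e: e.ip_country != e.kyc_country),
    ("device_velocity", 30, lambda e: e.device_accounts_24h >= 3),
]

def zero_day_risk(event):
    """Score a login from in-session signals only. Returns (score 0-100, fired rule names)."""
    fired = [name for name, _, pred in RULES if pred(event)]
    score = sum(weight for name, weight, _ in RULES if name in fired)
    return min(score, 100), fired

def decision(score):
    """Map a score to an action; thresholds are assumptions for the example."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step_up"   # e.g. require a second factor before granting access
    return "allow"

if __name__ == "__main__":
    # Constructed events: a typed login, and a session driven through AnyDesk with the
    # phone face-down and an IP outside the customer's KYC country.
    for ev in (LoginEvent("u1", False),
               LoginEvent("u2", True, ["AnyDesk"], "face_down", ip_country="NG")):
        score, fired = zero_day_risk(ev)
        print(ev.user_id, score, decision(score), fired)
```

A production system would feed these rule outputs into a model alongside baseline signals where they exist; the point here is that the zero-day rules fire on a first-ever login just as well as on a returning user.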

Key components of modern ATO protection software

How leading financial institutions use zero-day signals to stop account takeovers

Here are real examples of how Sardine’s zero-day signals have helped detect and prevent account takeovers that traditional fraud systems miss:

First-time takeovers using fraudulent accounts

Challenge: Fraudsters target dormant or digitally inactive accounts, where the lack of recent user activity and behavioral baselines makes traditional detection ineffective. These accounts are at risk because customers are unlikely to notice unauthorized access in a timely manner.

Detection signals:

  • Device velocity (reuse across accounts)
  • Emulator or script usage
  • Proxy or VPN (geo-mismatch with KYC location)
  • Risky IP/device reputation
  • SIM swap status and eSIM usage
  • Remote screen sharing indicators (TeamViewer, AnyDesk)
  • Zero-day signals from Sardine’s login_zero_day_signals checkpoint

Customer results: The world's largest cryptocurrency exchange used Sardine to analyze behavioral signals during signup including user interactions, proxy usage, remote access software detection, and precise IP geolocation. This prevented both onboarding fraud and account takeovers, blocking $650K in annual fraud losses while protecting customers from $10M in potential theft.

Account takeover protection (baseline + zero-day)

Challenge: Attackers may compromise account credentials and bypass detection if risk controls rely solely on previously observed patterns. Protection must account for both known baselines and zero-day signals to identify deviations without delaying legitimate user access.

Detection signals:

  • New/unseen login attributes
  • Untrusted device or IP
  • Known trusted device/IP baselines for user
  • Workflow: ato_baseline_user_and_zero_day_attacker

Customer results: A large Japanese neobank prevented ATOs using Sardine’s device and behavior signals to detect suspicious activity, such as abnormal copy/paste behavior, unknown devices, and new IP addresses. These real-time signals flagged high-risk sessions during login and card linking, reducing fraud across onboarding, login, and wallet top-ups.

Cross-channel proximity check

Challenge: Fraudulent activity often spans across channels—for example, an attacker might access internet banking via a script while the legitimate user interacts via mobile. Lack of correlation between channels increases the risk of overlooking coordinated or anomalous behaviors.

Detection signals:

  • Geolocation mismatch between internet and mobile banking
  • IP reputation and trust score
  • MCC, MNC, SIM country inconsistency
  • Impossible travel scenarios via login_geolocation checkpoint
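The cross-channel correlation described above, as an added example rather than Sardine's login_geolocation checkpoint: sessions of one user from any channel are compared pairwise for impossible travel (great-circle distance over elapsed time) and each mobile session's SIM home country, derived from the MCC, is checked against its IP geolocation country. The speed ceiling, the MCC table and the session records are constructed assumptions.

```python
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruising speed
MCC_COUNTRY = {"214": "ES", "525": "SG", "310": "US"}   # constructed subset of MCC -> country

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(a, b, max_kmh=MAX_PLAUSIBLE_KMH):
    """Two sessions of one user, from any channels. Returns (flag, km, km/h)."""
    km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
    hours = abs((b["ts"] - a["ts"]).total_seconds()) / 3600.0
    if hours == 0.0:
        return km > 50.0, km, float("inf")   # simultaneous sessions far apart
    kmh = km / hours
    return kmh > max_kmh, km, kmh

def sim_country_mismatch(s):
    """SIM home country (derived from MCC) disagrees with the IP geolocation country."""
    sim_country = MCC_COUNTRY.get(s.get("mcc"))
    return sim_country is not None and sim_country != s["ip_country"]

def cross_channel_check(sessions):
    """Correlate all of a user's sessions across channels; returns a list of findings."""
    findings = [("sim_country_mismatch", s["channel"]) for s in sessions if sim_country_mismatch(s)]
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            flag, km, kmh = impossible_travel(a, b)
            if flag:
                findings.append(("impossible_travel", a["channel"], b["channel"], round(km), round(kmh)))
    return findings

def session(channel, lat, lon, ip_country, hour, minute, mcc=None):
    """Build a constructed session record (all timestamps on one UTC day)."""
    return {"channel": channel, "lat": lat, "lon": lon, "ip_country": ip_country,
            "mcc": mcc, "ts": datetime(2025, 1, 15, hour, minute, tzinfo=timezone.utc)}

# Constructed scenario: mobile app in Madrid, then a web login from Singapore 30 minutes later.
SESSIONS = [
    session("mobile", 40.4168, -3.7038, "ES", 10, 0, mcc="214"),
    session("web", 1.3521, 103.8198, "SG", 10, 30),
]
```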

Customer results: The second-largest European neobank used Sardine’s device intelligence and graph analysis to detect fraudsters creating multiple accounts across multiple channels. By linking accounts across a global network of over 1 billion devices, they identified and stopped a large-scale fraud ring in real time, while also alerting potential victims whose phone numbers had been targeted.

Existing customers logging in with a new device

Challenge: Fraudsters attempt account access using new or repurposed devices that have not previously been associated with the user. Without robust device fingerprinting and trust evaluation, these logins may appear legitimate and evade detection.

Detection signals:

  • New device fingerprint not seen for user
  • Shared device ID/fingerprint across multiple accounts
  • Trusted residential IP check
  • Evaluated using login_new_attributes and login_zero_day_signals checkpoints

Customer results: Mexico’s leading “Buy Now, Pay Later” platform used zero-day signals – like typing speed, time spent in the login flow, IP address variations – to detect and block high-risk users during login, significantly reducing account takeovers and delivering a 2.8X return on investment.

Bot and automated attack prevention

Challenge: Banks and fintechs face frequent automated attacks that attempt credential stuffing or brute force login attempts across customer accounts. These attacks can bypass basic rate limiting and require detection based on behavior and device characteristics.

Detection signals:

  • Rare screen resolution
  • No mouse movement or unnatural patterns
  • Suspicious phone orientation
  • Remote control activity
  • Velocity of access patterns across accounts

Customer results: A large U.S. commercial neobank cut account takeovers by 35% after integrating Sardine’s Device and Behavior SDK. By detecting signals like password copy/paste, proxy or VPN usage, and remote access tools, they stopped ATO attempts across phishing, bot-driven credential stuffing, and social engineering attacks.

Multi-account fraud detection

Challenge: Fraud operations often involve use of the same infrastructure (device, IP, session patterns) across many fake or compromised accounts. Identifying these patterns is critical to prevent scalable attacks that abuse the onboarding or login process.

Detection signals:

  • Device ID or fingerprint seen across many accounts
  • Anomalous access patterns or login attempts
  • Login and transaction clustering
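An added example of the link analysis these signals feed (not Sardine's network or graph code): login records are indexed by device fingerprint and IP to find infrastructure shared by several accounts, and accounts joined by any shared device or IP are clustered with a union-find, so a ring operating many accounts from one device surfaces as one cluster. The login records are constructed.

```python
from collections import defaultdict

# Constructed login records: (account, device_fingerprint, source_ip).
LOGINS = [
    ("acct_1", "dev_A", "203.0.113.5"),
    ("acct_2", "dev_A", "203.0.113.5"),
    ("acct_3", "dev_B", "203.0.113.5"),
    ("acct_4", "dev_C", "198.51.100.9"),
    ("acct_5", "dev_D", "198.51.100.20"),
]

def shared_infrastructure(logins, min_accounts=2):
    """Map each device/IP to the accounts using it; keep those shared by min_accounts or more."""
    by_key = defaultdict(set)
    for acct, dev, ip in logins:
        by_key[("device", dev)].add(acct)
        by_key[("ip", ip)].add(acct)
    return {k: v for k, v in by_key.items() if len(v) >= min_accounts}

def account_clusters(logins):
    """Union-find over accounts linked by a shared device or IP; returns clusters of size >= 2."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}   # (kind, value) -> first account seen using it
    for acct, dev, ip in logins:
        find(acct)
        for key in (("device", dev), ("ip", ip)):
            if key in first_seen:
                parent[find(acct)] = find(first_seen[key])
            else:
                first_seen[key] = acct
    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    return sorted((sorted(g) for g in groups.values() if len(g) >= 2), key=len, reverse=True)

if __name__ == "__main__":
    print(shared_infrastructure(LOGINS))
    print(account_clusters(LOGINS))
```

In practice the same index is what answers "has this device fingerprint been seen for this user before" at login time, so the new-device check and the multi-account check share one data structure.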

Customer results: A leading fashion marketplace used Sardine to detect device sharing and multi-account abuse during seller onboarding, stopping fraud rings that created duplicate accounts from the same device. Sardine’s network link analysis and behavior signals flagged risky sellers in real time, helping protect the platform’s integrity and keep legitimate users safe.

SIM swap detection

Overview: We recently released new SIM swap detection capabilities to address this critical ATO vector. SIM swap fraud is a known precursor to ATOs and typically goes undetected by systems lacking telco integration. Without SIM swap signals, banks cannot assess whether a phone number used for 2FA or recovery has been compromised.

Detection signals:

  • SIM card swap events
  • eSIM identification
  • Risk rules tied to these events via Sardine's engine

Account takeover protection - why banks trust Sardine

Sardine's approach goes beyond legacy systems that analyze risk in silos or rely solely on historical patterns. We monitor risk across the customer journey and combine our proprietary zero-day signals with data from 40+ fully integrated vendors to detect and stop fraud in real-time, even when there's no behavioral baseline to compare against.

Our platform leverages the fastest-growing global Device Intelligence Network with over 2.7 billion profiled devices across 135 countries, giving us unmatched visibility into device reputation and fraud patterns worldwide. Custom machine learning models trained specifically to detect account takeovers, bots, and scams analyze this data to accurately identify high-risk events - all within sub-100 millisecond latency for inline authentication decisions.

Whether it's detecting first-contact fraud, spotting activity from compromised devices, or identifying anomalies across login channels, Sardine helps leading banks and fintechs stop account takeovers without impacting legitimate users.

Contact us to schedule a demo and learn more about our zero-day attack protection solutions.

About the author
Eduardo Lopez
Head of Marketing