
What is Account Takeover?

Account Takeover (ATO) is a technique covering unauthorised access to bank and payment accounts. Fraud actors use stolen credentials, phishing, MFA bypass, or password reset abuse to take full control.

Arsen Team

Account Takeover (ATO) maps to Initial Access in the MITRE F3 Framework. It specifically covers compromise of financial accounts (online banking, card-issuing platforms, digital wallets) rather than general user or application accounts covered by Compromise Accounts.

Sub-techniques

Sub-technique              How access is gained
Exposed Login Credential   Credential stuffing from breach dumps; keylogger output
Exposed API Key            Leaked developer keys from repositories or phishing of technical staff
Password Reset Abuse       Intercepting reset links or OTPs; compromising the victim's email first

What do attackers do after account takeover?

Once inside a financial account, fraud actors typically:

  1. Change contact details and security settings to lock out the legitimate user
  2. Add or modify payees for fund transfers
  3. Redirect incoming deposits or payouts
  4. Initiate unauthorised transfers and card-not-present transactions
  5. Harvest additional identity data for downstream fraud
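The sequence above is also a detection opportunity. The following is an added example, not code from Arsen or from the MITRE F3 project: a simple heuristic that scores an account's event stream by how many of the post-takeover steps appear within a window after a password reset or new-device login, with extra weight when the owner-lockout step comes first. The event kinds, weights, window and threshold are assumptions chosen for the demo, and the sample timeline is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str  # e.g. password_reset, new_device_login, contact_change, payee_added, transfer
# Anchors open an observation window; steps are the post-takeover actions listed above,
# weighted by how close each is to moving money (event names and weights are assumed).
ANCHORS = {"password_reset", "new_device_login"}
STEP_WEIGHTS = {"contact_change": 2, "payee_added": 3, "transfer": 4}
def score_account(events, window=timedelta(hours=24)):
    """Sum distinct steps seen within `window` after each anchor, plus a bonus when a
    contact/security change (owner lockout) comes first. Returns the best (score, chain)."""
    events = sorted(events, key=lambda e: e.ts)
    best = (0, [])
    for i, anchor in enumerate(events):
        if anchor.kind not in ANCHORS:
            continue
        seen = []
        for e in events[i + 1:]:
            if e.ts - anchor.ts > window:
                break
            if e.kind in STEP_WEIGHTS and e.kind not in seen:
                seen.append(e.kind)
        score = sum(STEP_WEIGHTS[k] for k in seen)
        if len(seen) > 1 and seen[0] == "contact_change":
            score += 2  # lockout before payee/transfer: the ordering described above
        if score > best[0]:
            best = (score, [anchor.kind] + seen)
    return best
def flag_accounts(events, threshold=6):
    """Group a mixed event stream by account; return accounts scoring >= threshold."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    scored = {a: score_account(evs) for a, evs in by_account.items()}
    return {a: r for a, r in scored.items() if r[0] >= threshold}
T0 = datetime(2024, 1, 1, 9, 0)  # constructed sample timeline, not real data
SAMPLE = [
    Event("acct-1", T0, "password_reset"),
    Event("acct-1", T0 + timedelta(minutes=12), "contact_change"),
    Event("acct-1", T0 + timedelta(minutes=20), "payee_added"),
    Event("acct-1", T0 + timedelta(minutes=25), "transfer"),
    Event("acct-2", T0, "login"),  # known device, ordinary transfer: no anchor
    Event("acct-2", T0 + timedelta(hours=1), "transfer"),
    Event("acct-3", T0, "new_device_login"),  # next step falls outside the window
    Event("acct-3", T0 + timedelta(days=2), "payee_added"),
]
```

Run on SAMPLE, `flag_accounts` returns only acct-1, whose chain reads password_reset, contact_change, payee_added, transfer; the ordinary transfer and the stale new-device login score zero.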

How does social engineering enable ATO?

Phishing and vishing are the primary upstream techniques. A vishing call impersonating a bank ("we've detected suspicious activity") pressures the victim into reading out an OTP, enabling the attacker to complete a password reset or transaction authorisation in real time.

Key takeaways

  • Account Takeover in MITRE F3 targets financial accounts specifically, not general IT accounts.
  • Three sub-techniques: exposed login credentials, exposed API keys, and password reset abuse.
  • Post-compromise actions focus on fund transfer, payee manipulation, and victim lockout.
  • Phishing and vishing are the dominant upstream enablers of ATO.
  • Contact centre staff training is critical: vishing calls targeting OTP extraction are a primary ATO vector.

What is MITRE Fight Fraud Framework™ (F3)?

The MITRE Fight Fraud Framework (F3) is a curated knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Developed by MITRE's Center for Threat-Informed Defense in collaboration with FS-ISAC, JPMorganChase, and Lloyds Banking Group, it provides a common language for fraud-fusion teams to describe, detect, and prevent financial fraud. F3 is modeled after MITRE ATT&CK® and focuses on banking institutions as its initial scope.


Frequently Asked Questions

Attackers impersonate bank staff to call victims, creating urgency around fake fraud alerts. The victim is persuaded to read out an OTP or authorise a transaction, giving the attacker real-time access to complete a password reset or fraudulent transfer.

Attackers compromise the victim's email account first (via phishing), then trigger a password reset on the target financial account. The reset link arrives in the now-controlled email inbox, giving the attacker full account control.

Contact centre agents and branch staff need specific vishing training: recognising spoofed numbers, verifying identity through out-of-band channels, and never accepting an OTP or account change request based on a call alone.

It is an Initial Access technique covering fraud actors gaining unauthorised control of bank or payment accounts using stolen credentials, exposed API keys, or password reset abuse, distinct from the general Compromise Accounts technique.
