---
title: Six fraud signals to spot account takeover
date: 2019-08-13T09:46:00+01:00
author: Jessica Allen
canonical_url: "https://www.ravelin.com/blog/six-ways-to-spot-account-takeover"
section: Blog
---
Blog /[Account takeover](/resources?search=&category%5B0%5D=134546#resourceContainer "Go to Account takeover"), [Fraud analytics](/resources?search=&category%5B0%5D=134547#resourceContainer "Go to Fraud analytics"), [Link analysis &amp; graph databases](/resources?search=&category%5B0%5D=134548#resourceContainer "Go to Link analysis & graph databases")

# Six fraud signals to spot account takeover

Account takeover happens when fraudsters use genuine customer accounts - which is what makes it so difficult to detect. Here are six things to look for to spot an account takeover attack.

13 August 2019

![Six fraud signals to spot account takeover](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_blogSmall/3474/Blog-image-ATO-shared-device.webp)

Account takeover (ATO) is a growing form of fraud where fraudsters target genuine customers accounts, instead of simply using stolen cards.

A fraudster uses stolen customer credentials to log in and pose as a genuine, existing customer and place orders. As well as the cost of the goods lost, an account takeover incident can put a huge dent in customer loyalty and business reputation.

What makes account takeover successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud – making it more difficult for systems to spot abnormal behavior and prevent the attack.

So how can you stay on top of the account takeover threat?

[Link analysis using graph networks](https://www.ravelin.com/insights/link-analysis-and-graph-database-for-fraud-detection) is a good starting point, as part of a robust fraud detection solution. Here are six fraud signals to look out for to protect your customer accounts and prevent losses.

### **\#1: Multiple accounts suddenly changing to have shared details**

Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details – often, only one field needs to change.

In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number – likely owned by a fraudster.

![Blog image ATO shared phone](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_1408xAUTO_crop_center-center_100_line_ns/3456/Blog-image-ATO-shared-phone.webp)

### **\#2: New account details, new device and new delivery address**

When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:

1. The customer has updated a customer detail (telephone, email, name).
2. The customer has had a login from a new device within a 24hour period of that change.
3. After both 1 and 2, the customer has placed an order with a new delivery location.

### \#3: IP addresses in multiple countries

A high number of country IP addresses is a good indicator of account takeover. When a fraudster is doing mass logins in order to check if they can access accounts, they don’t know the location of each customer, so they can’t check they are using the right IP address every time.

Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!

![Blog ATO global IP](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_1408xAUTO_crop_center-center_100_line_ns/3473/Blog-ATO-global-IP.webp)

### **\#4: Lots of customer detail changes happening at once**

We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.

This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.

### **\#5: Ratio of known/unknown device models**

Fraudsters often use software to try and hide what device they’re using with device spoofing, emulators, and so on. Sometimes this means that their devices come up with "unknown" as the model. Victim accounts are usually connected to more "unknown" devices than genuine devices with a known model.

### **\#6: Multiple accounts linked to the same device**

Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device – the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.

![Blog image ATO shared device](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_1408xAUTO_crop_center-center_100_line_ns/3474/Blog-image-ATO-shared-device.webp)If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible. If it’s a confirmed attack, the next step is to contain it - stay tuned for our recommendations on how to alert customers and manage the aftermath.

**[To stop account takeovers at scale, consider a sophisticated account protection solution such as Ravelin's.](https://www.ravelin.com/solutions/account-security)**

## Author

![Jessica Allen](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_avatarSmall/3491/Screen-Shot-2019-08-13-at-16.12.52.webp)

Jessica AllenHead of Content (Ravelin alumna)

Jessica previously served as Head of Content at Ravelin.

[More from this author](https://www.ravelin.com/author/jessica-allen)

## Related content

[Blog / Press release

### Driven by AI, customers now rival criminals for ecommerce fraud, say merchants

Global ecommerce fraud enters a new phase as losses continue to climb. Merchants now view criminals and their own customers as presenting a comparable risk, and there's a gap in AI adoption.

![Ravelin Symbol Blue 1](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/187712/Ravelin-Symbol-Blue-1.webp)Ravelin Technology](https://www.ravelin.com/blog/ravelin-fraud-survey-2026-press-release)

[Blog / Payments &amp; payment fraud

### Safeguarding agentic commerce – fraud strategy advice by Ravelin's CPO

"If there’s anything fraudsters like, it’s a new thing." Here's how to protect your online shop from agentic commerce fraud – which can target you no matter whether you're actively adopting AI shopping or not.

![RAVELIN STAFF Mark Barlow Head Of product website](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/175066/RAVELIN_STAFF_Mark_Barlow_Head_Of_product_website.webp)Mark Barlow,Chief Product Officer](https://www.ravelin.com/blog/agentic-commerce-fraud-prevention-strategy-analysis)

[Blog / Ravelin product

### Next-level reporting with Ravelin: Introducing Insights and AI-powered queries

Discover how the new Insights section and AI-powered queries in the Ravelin Dashboard simplify your fraud reporting.

![Ashleigh](https://storage.googleapis.com/ravelin-website-assets-production/assets/images/_33x33_crop_center-center_none_ns/267519/ashleigh.webp)Ashleigh Luccini Gilera,Senior Product Marketing Manager](https://www.ravelin.com/blog/fraud-reporting-insights-ai-queries)
