It’s no secret that account takeover (ATO) is a serious problem for businesses. In fact, it’s become so common that 27% of the businesses that participated in the 2022 Global Payments and Fraud Report suffered from a form of ATO fraud.

Unfortunately, many account takeover attacks go unnoticed until it’s too late and the damage has already been done. It’s baffling to think that a major attack could be so discreet—but the truth is that there are many ways cybercriminals remain undetected during an ATO attack.

So, how do fraudsters take over accounts without being noticed? Here are six methods they use to fly under the radar:

1. Credential stuffing

Credential stuffing is a type of attack in which the fraudster uses a list of stolen username and password combinations to try to log in to multiple accounts. They often use automated software that can try hundreds or even thousands of combinations very quickly.

These lists of stolen data are available for purchase on the dark web. Once the fraudster has a list of credentials, they’ll start testing the login information.

If they’re successful in getting into an account, they’ll then have access to all of the information and data associated with that account. They can also use that account to conduct further attacks, such as phishing or malware infections.

Types of bots fraudsters use for credential stuffing

There are multiple types of bots that fraudsters can use for credential stuffing attacks. Some of these include:

  • OpenBullet: Used by website developers for legitimate purposes, but also abused by malicious actors to execute credential stuffing attacks
  • Sentry MBA: Designed for credential stuffing and is one of the most popular choices among fraudsters
  • Storm: Created to conduct distributed denial of service (DDoS) attacks, but can also be used for credential stuffing
  • UBO: Another popular choice for credential stuffing attacks

How cybercriminals conduct credential stuffing discreetly

To avoid detection, fraudsters will often use what’s known as a “slow” or “low and slow” approach when conducting credential stuffing attacks. They’ll try a small number of credentials at first and then gradually increase the number as they get closer to their target.

This approach allows criminals to avoid setting off any alarms that may tip off the account owner that an attack is taking place.

Keepcoding Kasada

2. Social engineering

In this type of attack, the fraudster uses deception to trick someone into giving them information or access to an account.

For example, they may pose as a customer service representative and call a business to pry for information. Alternatively, they may send an email impersonating a company executive to ask for sensitive information.

Types of social engineering tactics fraudsters often use

Social engineering is sneaky, and it can occur on the Internet, over the phone, or seemingly in plain sight.

Here are a few of the most common social engineering strategies criminals rely on:


The fraudster sends an email or text message that appears to be from a legitimate source, such as a bank or credit card company. The message will often try to trick the recipient into clicking on a link or attachment that will install malware or take them to a fake website.


The attacker leaves a USB drive or other storage device in a public place, hoping that someone will find it and plug it into their computer. Once the device is plugged in, it can install malware or give the fraudster access to the computer.


This is a type of attack in which the fraudster creates a false story or scenario in order to get someone to give them information or access to something. For example, they may pose as a police officer or an employee of a business.

How cybercriminals social engineer discreetly

Fraudsters will often use public information to their advantage when conducting social engineering attacks. For example, they may look up an employee’s name on a company website and then use that information to create a believable pretext.

They may also use social media to gather info. For example, they might look for posts about upcoming vacations or other events that will be attended by company employees. This can give them an idea of who to target and when.

3. Malware

Malware is a type of software that’s designed to cause damage or allow unauthorized access to a computer. It can be used to steal information, lock files, or even take over a whole system.

Fraudsters will often use malware to infect a victim’s computer and access their accounts or steal their information. They may also use it to send spam or phishing emails to other people.

Types of malware fraudsters often use

There are too many types of malware to list all of them, but here are the most common ones fraudsters use:


Trojans are designed to look like a legitimate program or file, but they are actually malicious. Once installed, a trojan can give the fraudster access to the victim’s computer.


Viruses are meant to multiply. A virus will replicate itself and spread to other computers. It can damage files or programs and even render a computer unusable.


A worm is a type of malware that’s designed to spread itself from one computer to another without the need for user interaction. It can cause damage to systems and networks, and it can be very difficult to remove.

How cybercriminals use malware discreetly

Fraudsters will often use email attachments or links in phishing emails to deliver malware to their victims. They may also use social engineering tactics to trick people into downloading and installing it. Once it’s on a victim’s computer, fraudsters can use it to steal information or conduct other attacks.

4. DNS hijacking

DNS hijacking is a type of attack in which the fraudster redirects traffic from a legitimate website to a fake one. This strategy can be used to steal login credentials, spread malware, or even redirect people to a dangerous version of a website.

Businesses at risk of DNS hijacking

Fraudsters will often target businesses that use DNS servers that are not properly configured. This can allow them to redirect traffic to a fake website easily.

Criminals may also target businesses that use third-party DNS providers, especially ones that do not have adequate security measures in place.

Examples of DNS hijacking

One common example of DNS hijacking is when a user tries to visit a website but is instead redirected to a fake version of that site. The fake site may look identical to the real one, but it is designed to steal the user’s login credentials.

Another example is when a user tries to download a legitimate piece of software but ends up downloading a malicious version of that software instead. The fake software may be infected with malware, or it may be designed to steal the user’s information.

How cybercriminals use DNS hijacking discreetly

Often, fraudsters can easily set up redirects and fake websites that look identical to real ones. This can make it very difficult for users to tell the difference.

If fraudsters use malware to conduct DNS hijacking, they may be able to remain undetected for a longer period of time. The malware can allow them to remotely control the DNS settings on a victim’s computer.

5. Keylogging

In a keylogging attack, a fraudster uses software to record everything the victim types on their computer, including login information, passwords, and other sensitive data. The fraudster can then use that information to log in to the victim’s accounts or steal their identity.

Businesses at risk of keylogging attacks

Keylogging can be used to target any type of business, but there are some that are at a higher risk. Businesses that deal with customers’ financial information, such as banks and credit card companies, are especially vulnerable.

Examples of keylogging

One common example of keylogging is when a user types their login information into a fake website. The fraudster can then use that information to log in to the victim’s account and steal their information.

How cybercriminals use keylogging discreetly

Fraudsters will often use malware to infect a victim’s computer and then use that to record their keystrokes. This can be done without the victim’s knowledge, and the fraudster can then access their sensitive information.

Victims end up with malware by downloading contaminated email attachments or clicking on malicious links. Once the malware is installed, it’s difficult to detect and remove.

6. SQL injection

SQL injection is a type of attack in which the fraudster inserts bad code into a database. The code can be used to steal data, delete information, or even take over the entire database.

Fraudsters will often use SQL injection to target websites that use vulnerable forms or input fields. Then, they can insert their own code into the database, which can be used to steal information or conduct other attacks.

How cybercriminals use SQL injection discreetly

Fraudsters will often use automated tools to find websites that are vulnerable to SQL injection. These automated tools can insert the fraudster’s code into the database without the need for any interaction from the victim.

Often, the code is designed to be concealed, so it can be difficult for victims to detect it. Only a trained eye will be able to spot the malicious code.

How to notice the signs of an account takeover (ATO) attack on your business

ATO attacks can be devastating for businesses, so it’s crucial to know what the signs of an attack are. Here are some red flags to watch out for:

1. Unexpected changes in account activity

One of the first signs that something is wrong is when you see unexpected changes in account activity. These changes can include new or unauthorized transactions, withdrawals, or charges.

2. Strange or suspicious activity on your computer

If you notice strange or suspicious activity on your computer, it’s possible that your system has been infected with malware. For example, new program installations, unusual pop-ups, or unexpected redirects to websites could be signs that an ATO attack is underway.

3. Emails or messages from unknown senders

If you receive emails or messages from unknown senders, be wary of them. These could be phishing attempts to steal your login information or install malware on your computer.

4. Unusual account access from new or unknown devices

Account activity from new or unknown devices could signal that your account has been compromised. The unusual activity could be someone trying to access your account from a different location, or even a fraudster who has stolen your login credentials.

5. Changes in password or security settings

If you notice changes in your password or security settings, it’s possible that someone has accessed your account and changed them. Fraudsters could attempt to lock you out of your account or make it easier for them to access your sensitive information.

6. Spike in traffic

Random and sporadic spikes in traffic are a telling sign that your site may be under attack. In 2021, bots were responsible for 42.3% of activity on the Internet—and most of them were bad bots, too. Keep an eye on your analytics so you can spot a bot attack before it causes damage.

What to do if you think your business is under attack

Fortunately, there are steps you can take to prevent the damage of account takeover even if an attack is underway. Here are a few actions you should take:

1. Change your passwords

If you think your business accounts have been compromised, the first thing you should do is change your passwords. This will help to prevent the attacker from being able to access your accounts.

2. Update your security settings

Make it more difficult for attackers to gain access to your accounts. Updating your security settings can include enabling two-factor authentication or using a password manager.

3. Monitor your account activity

Watch for any unusual or suspicious activity. This can help you to spot an attack early and take steps to prevent it from causing further damage.

4. Invest in a bot mitigation solution

If you’re not sure how to protect your business from an attack, seek professional help. A cutting-edge cybersecurity solution will help you stay one step ahead of bad actors.

At Kasada, we specialize in bot detection and mitigation. We help online businesses protect themselves from automated attacks by identifying and stopping malicious bots and online fraud.

If you’d like to fight bad bots and strengthen your defenses against automated attacks, contact us to schedule a demo.

Want to learn more?

  • Why CAPTCHAs Are Not the Future of Bot Detection

    I’m not a robot” tests are definitely getting harder. But does that mean more complex CAPTCHAs are the right path forward to outsmart advancing AI and adversarial technologies?

  • The New Mandate for Bot Detection – Ensuring Data Authenticity

    Can the data collected by an anti-bot system be trusted? Kasada's latest platform enhancements include securing the authenticity of web traffic data.

Beat the bots without bothering your customers — see how.