What Is Account Takeover Fraud at a Bank?
Identity theft often brings to mind a stranger opening new accounts under someone else’s name, but a quieter and increasingly common version involves no new account at all — just a criminal slipping into one that already exists.
The short answer
Account takeover fraud happens when someone gains unauthorized access to an existing bank account, typically using stolen login credentials, and then uses that access to move money, change contact details, or lock the real owner out. Unlike identity theft that opens new lines of credit, this targets an account that’s already active, which is part of what makes it fast-moving once access is gained.
How access is typically gained
- Stolen credentials from a data breach. Reused passwords from an unrelated breach can sometimes still unlock a banking login if the same combination wasn’t changed elsewhere.
- Phishing. A deceptive email or message designed to look like it’s from a bank can trick someone into entering login details on a fake page, a tactic explored further in phishing vs. vishing.
- SIM swapping. Taking control of someone’s phone number lets a criminal intercept text-based verification codes, a method covered in how a SIM swap attack works.
- Malware. Software installed on a device, often unknowingly, can capture keystrokes or session information used to log into banking apps.
What happens once access is gained
Once inside an account, the typical goal is to move money out quickly, often through transfers, bill payments to an account the criminal controls, or by adding themselves as an authorized user on connected products. Some takeovers also involve changing the contact email or phone number on file first, which can delay the real account holder from noticing and can interfere with the bank’s ability to reach them about suspicious activity. This is one reason account takeover can escalate faster than other types of fraud — the criminal is often working to lock the real owner out before acting.
Early warning signs
- Unexpected password reset or login alerts. A notification about a password change or login the account holder didn’t initiate is one of the clearest early signals.
- Missing or delayed statements or alerts. If routine account communications suddenly stop arriving, it’s worth checking whether contact information on file has been changed without authorization.
- Small test transactions. Some fraud attempts start with a tiny transaction to confirm access works before a larger transfer follows.
- Unfamiliar devices or locations in login history. Many banking apps show recent login activity, which can reveal access from an unrecognized device.
How liability and recovery generally work
Money moved out through an account takeover is typically treated as an unauthorized electronic transfer, which brings Regulation E protections into play, with liability generally shaped by how quickly the activity is reported. Recovery usually involves securing the account first — resetting credentials, confirming contact information is correct, and reviewing recent activity — before or alongside filing a formal fraud report with the bank.
What to weigh
Account takeover fraud tends to succeed because it exploits a gap between when access is gained and when it’s noticed, so the practices that matter most are the ones that shrink that gap: unique passwords, awareness of phishing tactics, and prompt attention to unexpected account notifications. No system eliminates risk entirely, but recognizing the early signs and knowing how to respond quickly are the most reliable ways to limit the damage if it happens.