30 Alarming account takeover fraud statistics you can’t ignore

August 14, 2025 by Carmel Maher - Director of Market Strategy and Intelligence at Mitek

 

Over 1.1 million identity theft reports were filed in 2024 — translating to approximately one every 28 seconds. By the time you finish reading this blog, that number will have grown by approximately 32 people. While not all of these reports involve account takeovers, a growing proportion do, making account takeover one of the fastest-rising forms of identity crime. These attacks aren’t just statistics — they reflect the scale and urgency of the threat. This is an opportunity for your company to prepare and respond more effectively.

Account takeover (ATO) fraud occurs when a cybercriminal gains unauthorized access to a person’s account by stealing their login credentials. These credentials are often obtained through phishing scams, malware, data breaches (either at the targeted institution or elsewhere, via reused passwords), or social engineering tactics. Once inside the account, fraudsters can reset passwords, alter personal information, transfer funds, and impersonate the real user to commit further fraud. 

As a leader in identity verification and digital fraud prevention, Mitek brings deep expertise in helping businesses detect and prevent ATO using advanced biometrics and fraud detection. 

While losses from ATO fraud continue to pose a significant risk to financial institutions like banks, credit unions, fintechs, and brokerages, the threat now extends well beyond finance. It affects sectors including telecommunications, energy, ecommerce, and even enterprise workforces.

Account takeover fraud statistics 

Here are 30 alarming account takeover fraud statistics that reveal just how widespread and damaging these attacks have become. 

Let’s start by looking at how frequently these attacks occur — and who they’re targeting. 

The frequency of account takeovers 

  1. In 2024, nearly 29% of adults in the US (about 77 million people) had experienced an account takeover, making it one of the most common types of identity fraud in the country, as reported by security.org.

  2. On the corporate level, a whopping 83% of organizations surveyed by Abnormal Security reported being impacted by at least one account takeover attack, with 5% of organizations reporting that it happened more than 25 times.

  3. Abnormal Security’s data shows that 26% of companies faced an ATO attempt every single week, underscoring how frequent and persistent these attacks have become.

  4. Account takeover attacks increased 24% year-over-year in 2024, according to SpyCloud’s cybersecurity industry statistics report. This highlights the growing scale and persistence of ATO as a major identity fraud threat.

The costs of ATO extend far beyond inconvenience. Losses are climbing for individuals, institutions, and even entire industries. 

Financial impact of account takeovers 

  5. Javelin Strategy identified ATO as the “greatest risk” facing financial institutions, citing a 13% year-over-year increase in losses in 2024, even as the number of incidents dropped.

  6. The FTC shows similar data, with losses in 2024 increasing to $12.5 billion, even without an increase in fraud reports.

  7. SEON projects that global losses from account takeover fraud could reach $17 billion in 2025, up from nearly $13 billion in 2023, highlighting the growing scale and sophistication of these attacks.

  8. At the corporate level, security.org found that an account breach can cost a company an average of $5 million.

  9. On the individual level, the same security.org study found an average loss of $180, with individual losses up to $85,000.

  10. According to the Javelin 2025 Identity Fraud Study: Breaking Barriers to Innovation, ATO fraud has become the fastest-growing fraud type, reaching $2.9 billion in losses. Fraudsters increasingly target accounts that have already completed Know Your Customer (KYC) verification, allowing them to bypass onboarding controls and extract larger sums.

Industries targeted by account takeovers 

  11. ATO attacks target a wide range of industries where financial gain is possible. According to Sift’s Q3 2024 Digital Trust Index, consumers most often reported ATO incidents on the following types of websites and apps:

  • 35% – Bank or credit card accounts
  • 22% – Online shopping platforms
  • 15% – Online gaming platforms
  • 13% – Food delivery services
  • 11% – Online gambling sites
  • 9% – Cryptocurrency platforms or exchanges

  12. Hacker News put together a chart showing the average dollar amount lost to various types of account takeovers. These ranged from a few dollars when entertainment or streaming service credentials were used illicitly, to thousands of dollars per day for unauthorized use of cloud computing accounts or ecommerce.

ATO attack vectors 

  13. Credential stuffing is a top threat vector. It occurs when bots use username and password combinations from unrelated breaches on a new site to find instances of password reuse and access customer accounts. Akamai’s 2024 Securing Apps report counted a whopping 26 billion credential stuffing attempts every month.

  14. Password reuse continues to pose a major security risk. In 2025, 62% of Americans reported reusing passwords, and 52% of login attempts involve leaked credentials, according to NordPass and Cloudflare. Together, these trends fuel credential stuffing and account takeover attacks at scale.

  15. Phishing attacks are another common attack vector, with platforms that facilitate “phishing as a service” (PhaaS) like Sneaky 2FA, Tycoon 2FA and EvilProxy giving phishers easy-to-use tools. Security firm Barracuda recorded over a million phishing attacks in the first two months of 2025.

  16. Generative AI is also fueling new attack vectors by making phishing attempts more convincing. It can generate text, voice, images, and even video that appear natural, transcend language barriers, and mimic human behavior. These AI-generated attacks can also incorporate publicly available information about individuals or organizations, adding a layer of personalization that increases the effectiveness of spear phishing campaigns. While the growth is not specifically attributable to generative AI tools, Adaptive Security noted a 4,151% increase in phishing attacks since the launch of ChatGPT.

  17. SIM swaps are also continuing to increase. A ThreatMark report showed a 20% year-over-year increase in this type of attack, which criminals use to gain control of the victim’s phone number and intercept SMS one-time passwords used for two-factor authentication or password resets.

Consumer behavior and impact 

  18. There is widespread awareness of the problem, with security.org finding that 79% of people know what an account takeover is.

  19. Consumers are continuing to engage in risky behaviors; NordPass found that a third of Americans are “overwhelmed” by the number of services they must maintain passwords for, and surprisingly, 11% see no significant risk in password reuse.

  20. ATO fraud also has long-term consequences for businesses. According to Sift, 80% of consumers say they would not continue shopping on a site where they had experienced an account takeover. A single attack can damage brand trust and lead to lasting customer loss.

  21. Proofpoint’s latest research shows that 99% of monitored organizations were targeted for account takeover attempts in 2024, and 62% experienced at least one successful incident. These numbers reflect how prevalent and impactful ATOs have become for consumers and businesses alike.

  22. According to SEON’s Global ATO Statistics Report, 22% of U.S. adults experienced an account takeover in the past year, impacting approximately 24 million households and resulting in an estimated $288 billion in total losses.

  23. The Identity Theft Resource Center reported that account takeover attacks increased by 254% in 2023 compared to the previous year, largely driven by credential stuffing and phishing attacks targeting online accounts.

Organizational response to account takeovers 

  24. Consumers may be overwhelmed, but financial institutions are aware of the need to take ATOs seriously. Two-thirds of Cloud Security Alliance survey respondents ranked account takeovers as one of the top four cybersecurity threats of concern.

  25. Recent research from Mastercard shows that 93% of institutions plan to invest more in AI for transaction fraud detection over the next 2 to 5 years.

  26. Implementation of multi-factor authentication (MFA) varies widely. JumpCloud found that 87% of large enterprises (over 10,000 employees) are enforcing MFA, with much lower rates at smaller and medium-sized organizations.

  27. Facial recognition is on the rise: Juniper Research predicts that over 80% of financial institutions will adopt face-based biometric verification by 2025, driven by the need to strengthen digital onboarding and meet evolving regulatory requirements.

  28. Customer education has been identified as a gap and an opportunity. The Payments Association found that 41% of financial institutions had implemented customer education programs.

  29. Biometric solutions are becoming increasingly common. Global Growth Insights research found that 65% of financial institutions in the US are leveraging behavioral AI biometrics to analyze unique user patterns.

  30. Recent research from Goode Intelligence forecasts that by 2029, more than 760 million people will use biometrics to secure payment accounts and support fraud detection and prevention. The report outlines how financial institutions and payment providers are adopting biometric technologies such as face liveness detection, voice authentication, and behavioral analytics as part of a modern, multi-layered defense against AI-driven fraud, including deepfakes, injection attacks, and synthetic identities.

How to respond to the growing ATO threat 

Understanding the scale of account takeover fraud is only the first step. These statistics underscore the urgent need for businesses to implement proactive defenses that can detect and stop fraud before damage is done. 

Here are a few ways to strengthen your defenses: 

To dive deeper into these strategies and how they work in practice, explore our guide to account takeover fraud prevention.

Is your business prepared to stop account takeover fraud? 

These 30 statistics paint a clear picture: account takeover fraud is widespread, deeply damaging, and increasingly difficult to detect. Attackers are leveraging advanced tactics, from AI-generated phishing content to phishing-as-a-service platforms, while password reuse continues to expose users despite growing awareness. 

But ATO is not unstoppable. Organizations are responding with AI-powered fraud detection, biometric authentication, and adaptive layered defenses to proactively detect and prevent account takeovers. The result is stronger protection against evolving threats and greater trust with every customer interaction. 

Looking to protect your users from account takeover fraud? Schedule a 30-minute discovery session to see how Mitek’s 4-dimensional biometric authentication can safeguard your customers and business.